authorJuha Sippola <juhasippola@outlook.com>2015-06-25 16:36:00 +0300
committerTony Sarajärvi <tony.sarajarvi@theqtcompany.com>2015-09-16 07:31:51 +0000
commit29dc3651a96dfeecc7e356aa642dc76684b481f2 (patch)
tree44de4f5ce9168cabf500e32730d4a57f44826f29
parent7e66ceb73fce9bdd1bbe5a15f55bc1831aad08fd (diff)
Qt Metrics 2 (v0.4): Security improvements
Added applicable security headers to protect the site against typical attacks (checked e.g. with http://cyh.herokuapp.com/cyh). Moved inline JavaScript code to separate file (because of applying the CSP). Moved jQuery and Bootstrap to local lib directories instead of using CDNs (to get simple and strict CSP rules). Change-Id: If08f7ccf6a53923405a1305c76ff2da7c21b094b Reviewed-by: Lukas Reschke <lukas@owncloud.com> Reviewed-by: Simon Hausmann <simon.hausmann@theqtcompany.com> Reviewed-by: Tony Sarajärvi <tony.sarajarvi@theqtcompany.com>
-rw-r--r--non-puppet/qtmetrics2/.htaccess16
-rw-r--r--non-puppet/qtmetrics2/index.php5
-rw-r--r--non-puppet/qtmetrics2/scripts/about.js44
-rw-r--r--non-puppet/qtmetrics2/templates/about.php6
-rw-r--r--non-puppet/qtmetrics2/templates/footer.php16
-rw-r--r--non-puppet/qtmetrics2/templates/header.php9
6 files changed, 74 insertions, 22 deletions
diff --git a/non-puppet/qtmetrics2/.htaccess b/non-puppet/qtmetrics2/.htaccess
index 93af3b1..095fd43 100644
--- a/non-puppet/qtmetrics2/.htaccess
+++ b/non-puppet/qtmetrics2/.htaccess
@@ -32,13 +32,25 @@
#############################################################################
# Qt Metrics configuration
-# @version 0.1
-# @since 13-05-2015
+# @version 0.2
+# @since 17-06-2015
# @author Juha Sippola
# Turn on the rewriting engine
RewriteEngine On
+# Set security headers
+<IfModule mod_headers.c>
+ # Apply Content Security Policy
+ Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src *"
+ # Provide protection against MIME type confusion attacks
+ Header set X-Content-Type-Options "nosniff"
+ # Provide protection against clickjacking
+ Header set X-Frame-Options "SAMEORIGIN"
+ # Provide protection against Cross-Site Scripting
+ Header set X-XSS-Protection "1; mode=block"
+</IfModule>
+
# If the requested file does not exist, show link to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
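Review bot: The four `Header set` directives on the added lines only populate Apache's onsuccess header table, so locally generated non-2xx responses — redirects, and the 404s the application returns for unknown routes reached through the rewrite fallback below — are likely to go out without the CSP and X-Frame-Options headers. Use `Header always set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src *"` and put `always` on the other three directives as well, so every response is covered. `img-src *` also admits images from any origin, including plain http; if the dashboard only renders its own images, `img-src 'self'` would keep that source as strict as the rest of the policy. Because the directives sit inside `<IfModule mod_headers.c>`, a host without mod_headers silently serves no security headers at all; a comment such as `# Requires mod_headers; without it these headers are silently skipped` would make that dependency visible to whoever deploys this file.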
diff --git a/non-puppet/qtmetrics2/index.php b/non-puppet/qtmetrics2/index.php
index 353568e..8d77195 100644
--- a/non-puppet/qtmetrics2/index.php
+++ b/non-puppet/qtmetrics2/index.php
@@ -34,8 +34,8 @@
/**
* Qt Metrics API
- * @version 0.2
- * @since 12-06-2015
+ * @version 0.3
+ * @since 16-06-2015
* @author Juha Sippola
*/
@@ -130,6 +130,7 @@ $app->get('/test/flaky', function() use($app)
$app->get('/testset/:testset', function($testset) use($app)
{
+ $testset = strip_tags($testset);
$ini = Factory::conf();
$breadcrumb = array(
array('name' => 'home', 'link' => Slim\Slim::getInstance()->urlFor('root'))
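Review bot: `$testset = strip_tags($testset);` on the added line is not a substitute for output escaping: it removes tag markup but leaves quotes, `&` and similar characters untouched, so the value is still not safe to echo into an attribute or script context, and it rewrites the route parameter before the rest of the handler uses it, so a testset name that happens to contain `<` will presumably no longer match the stored one. The robust pattern is to leave the parameter unchanged, escape it where it is rendered with `htmlspecialchars($testset, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and bind it as a query parameter wherever it is looked up. If the intent is input validation rather than escaping, reject names outside the expected character set up front, e.g. `if (!preg_match('/^[\w.-]+$/', $testset)) { $app->notFound(); }`, which is both stricter and lossless. The route closure continues past the end of the hunk, so the lookup and rendering code this line is meant to protect is not visible here.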
diff --git a/non-puppet/qtmetrics2/scripts/about.js b/non-puppet/qtmetrics2/scripts/about.js
new file mode 100644
index 0000000..0762687
--- /dev/null
+++ b/non-puppet/qtmetrics2/scripts/about.js
@@ -0,0 +1,44 @@
+/*
+#############################################################################
+##
+## Copyright (C) 2015 The Qt Company Ltd.
+## Contact: http://www.qt.io/licensing/
+##
+## This file is part of the Quality Assurance module of the Qt Toolkit.
+##
+## $QT_BEGIN_LICENSE:LGPL21$
+## Commercial License Usage
+## Licensees holding valid commercial Qt licenses may use this file in
+## accordance with the commercial license agreement provided with the
+## Software or, alternatively, in accordance with the terms contained in
+## a written agreement between you and The Qt Company. For licensing terms
+## and conditions see http://www.qt.io/terms-conditions. For further
+## information use the contact form at http://www.qt.io/contact-us.
+##
+## GNU Lesser General Public License Usage
+## Alternatively, this file may be used under the terms of the GNU Lesser
+## General Public License version 2.1 or version 3 as published by the Free
+## Software Foundation and appearing in the file LICENSE.LGPLv21 and
+## LICENSE.LGPLv3 included in the packaging of this file. Please review the
+## following information to ensure the GNU Lesser General Public License
+## requirements will be met: https://www.gnu.org/licenses/lgpl.html and
+## http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
+##
+## As a special exception, The Qt Company gives you certain additional
+## rights. These rights are described in The Qt Company LGPL Exception
+## version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
+##
+## $QT_END_LICENSE$
+##
+#############################################################################
+
+/**
+ * Show About window
+ * @version 0.1
+ * @since 16-06-2015
+ * @author Juha Sippola
+ */
+
+$(function(){
+ $("#about").load("templates/about.php");
+});
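Review bot: The `.load()` call on the last lines has no completion callback, so if `templates/about.php` cannot be fetched the `#about` container is silently left empty. A short callback makes the failure visible to the user: `$("#about").load("templates/about.php", function (_, status) { if (status === "error") { $("#about").text("About information could not be loaded."); } });`. Note also that `.load()` called with a bare URL executes any inline `<script>` in the returned fragment; under the CSP this change introduces such scripts would be blocked and reported, so about.php should stay free of inline script (the part of it visible in this commit is markup only).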
diff --git a/non-puppet/qtmetrics2/templates/about.php b/non-puppet/qtmetrics2/templates/about.php
index 2b8d627..3f3df1e 100644
--- a/non-puppet/qtmetrics2/templates/about.php
+++ b/non-puppet/qtmetrics2/templates/about.php
@@ -34,8 +34,8 @@
/**
* About window content
- * @version 0.3
- * @since 16-06-2015
+ * @version 0.4
+ * @since 17-06-2015
* @author Juha Sippola
*/
@@ -44,4 +44,4 @@
<p>This is Qt Metrics revision 2 with redesigned UI and database.</p>
<p>These pages are still <strong>under construction</strong> and therefore the views and functionality is limited.</p>
<p>See the <a href="https://wiki.qt.io/Qt_Metrics_2_Backlog" target="_blank">backlog</a> for development items currently identified or in progress.</p>
-<p><small>Version 0.3 (16-Jun-2015)</small></p>
+<p><small>Version 0.4 (17-Jun-2015)</small></p>
diff --git a/non-puppet/qtmetrics2/templates/footer.php b/non-puppet/qtmetrics2/templates/footer.php
index 1edd731..d460212 100644
--- a/non-puppet/qtmetrics2/templates/footer.php
+++ b/non-puppet/qtmetrics2/templates/footer.php
@@ -34,8 +34,8 @@
/**
* Footer section of html page including the scripts
- * @version 0.1
- * @since 02-06-2015
+ * @version 0.2
+ * @since 16-06-2015
* @author Juha Sippola
*/
@@ -55,16 +55,12 @@
======================================================================= -->
<!-- jQuery and Bootstrap -->
- <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
- <script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js"></script>
- <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/js/bootstrap.min.js"></script>
+ <script src="lib/jQuery/jquery-1.11.3.min.js"></script>
+ <script src="lib/jQuery-UI/jquery-ui.min.js"></script>
+ <script src="lib/Bootstrap/js/bootstrap.min.js"></script>
<!-- IE10 viewport hack for Surface/desktop Windows 8 bug -->
<script src="scripts/ie10-viewport-bug-workaround.js"></script>
<!-- About window -->
- <script>
- $(function(){
- $("#about").load("templates/about.php");
- });
- </script>
+ <script src="scripts/about.js"></script>
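Review bot: The new `lib/...` script paths are not backed by anything in this commit — the diffstat lists six files and none under lib/ — so the vendored copies of jQuery 1.11.3, jQuery UI and Bootstrap have to be provisioned out of band, and two of the three paths (`lib/jQuery-UI/jquery-ui.min.js`, `lib/Bootstrap/js/bootstrap.min.js`) carry no version, unlike the CDN URLs they replace (1.11.4 and 3.3.4). Keeping the version in the file name, e.g. `lib/jQuery-UI/jquery-ui-1.11.4.min.js`, or recording the upstream release and its checksum in a comment next to the `<script>` tags, lets a later reviewer confirm the vendored file matches the upstream release and see when it is due for an update. The same applies to the stylesheet paths in the header.php hunk of this commit.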
diff --git a/non-puppet/qtmetrics2/templates/header.php b/non-puppet/qtmetrics2/templates/header.php
index 5f06f7e..6b20508 100644
--- a/non-puppet/qtmetrics2/templates/header.php
+++ b/non-puppet/qtmetrics2/templates/header.php
@@ -34,8 +34,8 @@
/**
* Header section of html page including the meta data and style sheets
- * @version 0.1
- * @since 08-06-2015
+ * @version 0.2
+ * @since 17-06-2015
* @author Juha Sippola
*/
@@ -58,10 +58,10 @@
<base href="<?php echo Slim\Slim::getInstance()->urlFor('root'); ?>" />
<!-- jQuery UI CSS -->
- <link rel="stylesheet" href="https://code.jquery.com/ui/1.11.4/themes/smoothness/jquery-ui.css">
+ <link rel="stylesheet" href="lib/jQuery-UI-themes/themes/smoothness/jquery-ui.css">
<!-- Bootstrap core CSS -->
- <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css">
+ <link rel="stylesheet" href="lib/Bootstrap/css/bootstrap.min.css">
<!-- Custom styles for the Bootstrap templates used -->
<link rel="stylesheet" href="styles/bootstrap_custom.css">
@@ -77,7 +77,6 @@
</head>
<body>
-
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">