fix: ensure CSP nonces are Base64 encoded (#9907)

Author: paulbalandan

system/HTTP/ContentSecurityPolicy.php

@@ -303,7 +303,7 @@ public function enabled(): bool
     public function getStyleNonce(): string
     {
         if ($this->styleNonce === null) {
-            $this->styleNonce = bin2hex(random_bytes(12));
+            $this->styleNonce = base64_encode(random_bytes(12));
             $this->styleSrc[] = 'nonce-' . $this->styleNonce;
         }
 
@@ -316,7 +316,7 @@ public function getStyleNonce(): string
     public function getScriptNonce(): string
     {
         if ($this->scriptNonce === null) {
-            $this->scriptNonce = bin2hex(random_bytes(12));
+            $this->scriptNonce = base64_encode(random_bytes(12));
             $this->scriptSrc[] = 'nonce-' . $this->scriptNonce;
         }
 

tests/system/CommonFunctionsTest.php

@@ -731,7 +731,7 @@ public function testDWithCSP(): void
         $cliDetection        = Kint::$cli_detection;
         Kint::$cli_detection = false;
 
-        $this->expectOutputRegex('/<script class="kint-rich-script" nonce="[0-9a-z]{24}">/u');
+        $this->expectOutputRegex('/<script class="kint-rich-script" nonce="[a-zA-Z0-9+\/-_]+[=]{0,2}">/u');
         d('string');
 
         // Restore settings
@@ -754,7 +754,7 @@ public function testTraceWithCSP(): void
 
         Kint::$cli_detection = false;
 
-        $this->expectOutputRegex('/<style class="kint-rich-style" nonce="[0-9a-z]{24}">/u');
+        $this->expectOutputRegex('/<style class="kint-rich-style" nonce="[a-zA-Z0-9+\/-_]+[=]{0,2}">/u');
         trace();
     }
 

tests/system/HTTP/ContentSecurityPolicyTest.php

@@ -578,18 +578,20 @@ public function testGetScriptNonce(): void
     {
         $this->prepare();
 
-        $nonce = $this->csp->getScriptNonce();
-
-        $this->assertMatchesRegularExpression('/\A[0-9a-z]{24}\z/', $nonce);
+        $this->assertMatchesRegularExpression(
+            '/\A[a-zA-Z0-9+\/-_]+[=]{0,2}\z/',
+            $this->csp->getScriptNonce(),
+        );
     }
 
     public function testGetStyleNonce(): void
     {
         $this->prepare();
 
-        $nonce = $this->csp->getStyleNonce();
-
-        $this->assertMatchesRegularExpression('/\A[0-9a-z]{24}\z/', $nonce);
+        $this->assertMatchesRegularExpression(
+            '/\A[a-zA-Z0-9+\/-_]+[=]{0,2}\z/',
+            $this->csp->getStyleNonce(),
+        );
     }
 
     #[PreserveGlobalState(false)]

tests/system/Helpers/HTMLHelperTest.php

@@ -337,7 +337,7 @@ public function testScriptTagWithCsp(): void
         $html   = script_tag($target);
 
         $this->assertMatchesRegularExpression(
-            '!<script nonce="\w+?" src="http://site.com/js/mystyles.js".*?>!u',
+            '!<script nonce="[a-zA-Z0-9+\/-_]+[=]{0,2}" src="http://site.com/js/mystyles.js".*?>!u',
             $html,
         );
 

tests/system/Helpers/URLHelper/MiscUrlTest.php

@@ -493,7 +493,7 @@ public function testSafeMailtoWithCsp(): void
 
         $html = safe_mailto('foo@example.jp', 'Foo');
 
-        $this->assertMatchesRegularExpression('/<script .*?nonce="\w+?".*?>/u', $html);
+        $this->assertMatchesRegularExpression('/<script .*?nonce="[a-zA-Z0-9+\/]+[=]{0,2}".*?>/u', $html);
     }
 
     /**

tests/system/Honeypot/HoneypotTest.php

@@ -107,7 +107,7 @@ public function testAttachHoneypotAndContainerWithCSP(): void
         $this->response->setBody('<head></head><body><form></form></body>');
         $this->honeypot->attachHoneypot($this->response);
 
-        $regex = '!<head><style nonce="[0-9a-f]+">#hpc { display:none }</style></head><body><form><div style="display:none" id="hpc"><label>Fill This Field</label><input type="text" name="honeypot" value=""></div></form></body>!u';
+        $regex = '!<head><style nonce="[a-zA-Z0-9+\/-_]+[=]{0,2}">#hpc { display:none }</style></head><body><form><div style="display:none" id="hpc"><label>Fill This Field</label><input type="text" name="honeypot" value=""></div></form></body>!u';
         $this->assertMatchesRegularExpression($regex, $this->response->getBody());
     }
 

tests/system/View/ParserPluginTest.php

@@ -151,7 +151,7 @@ public function testCspScriptNonceWithCspEnabled(): void
         $template = 'aaa {+ csp_script_nonce +} bbb';
 
         $this->assertMatchesRegularExpression(
-            '/aaa nonce="[0-9a-z]{24}" bbb/',
+            '/aaa nonce="[a-zA-Z0-9+\/-_]+[=]{0,2}" bbb/',
             $this->parser->renderString($template),
         );
     }

user_guide_src/source/changelogs/v4.6.5.rst

@@ -31,6 +31,7 @@ Bugs Fixed
 **********
 
 - **Database:** Fixed a bug where ``Seeder::call()`` did not pass the database connection to child seeders, causing them to use the default connection instead of the one specified via ``Database::seeder('group')``.
+- **HTTP:** Updated the Content Security Policy nonce generation to use base64 encoding instead of hexadecimal, ensuring compatibility with CSP specifications.
 
 See the repo's
 `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_