Added a Content Security Policy and the ability to enable it via the …

…PwnedAdmin Config application.
practisec · May 17, 2024 · 950df1f · 950df1f
1 parent 8b8ac4f
commit 950df1f
Show file tree

Hide file tree

Showing 8 changed files with 19 additions and 13 deletions.
diff --git a/database/cs/04-pwnedhub-admin.sql b/database/cs/04-pwnedhub-admin.sql
@@ -41,7 +41,7 @@ CREATE TABLE `configs` (
 
 LOCK TABLES `configs` WRITE;
 /*!40000 ALTER TABLE `configs` DISABLE KEYS */;
-INSERT INTO `configs` VALUES (1,'CSRF_PROTECT','Profile CSRF Protection (PwnedHub)','security control',1),(2,'OSCI_PROTECT','Tools OSCI Protection (PwnedHub)','security control',0),(3,'SQLI_PROTECT','Login SQLi Protection (PwnedHub)','security control',0),(4,'CORS_RESTRICT','Restricted CORS (PwnedAPI)','security control',1),(5,'JWT_VERIFY','Verify JWT Signatures (PwnedAPI)','security control',1),(6,'JWT_ENCRYPT','Encrypt JWTs (PwnedAPI)','security control',0),(7,'BEARER_AUTH_ENABLE','Bearer Token Authentication (PwnedAPI)','feature',1),(8,'OIDC_ENABLE','OpenID Connect Authentication (PwnedHub)','feature',0),(9,'SSO_ENABLE','SSO Authentication (PwnedHub)','feature',0),(10,'OOB_RESET_ENABLE','Out-of-Band Password Reset (PwnedHub)','feature',0),(11,'CTF_MODE','CTF Mode (Warning: Disables this interface!)','feature',0);
+INSERT INTO `configs` VALUES (1,'CSRF_PROTECT','Profile CSRF Protection (PwnedHub)','security control',1),(2,'OSCI_PROTECT','Tools OSCI Protection (PwnedHub)','security control',0),(3,'SQLI_PROTECT','Login SQLi Protection (PwnedHub)','security control',0),(4,'CSP_PROTECT','Content Security Policy (PwnedHub)','security control',0),(5,'CORS_RESTRICT','Restricted CORS (PwnedAPI)','security control',1),(6,'JWT_VERIFY','Verify JWT Signatures (PwnedAPI)','security control',1),(7,'JWT_ENCRYPT','Encrypt JWTs (PwnedAPI)','security control',0),(8,'BEARER_AUTH_ENABLE','Bearer Token Authentication (PwnedAPI)','feature',1),(9,'OIDC_ENABLE','OpenID Connect Authentication (PwnedHub)','feature',0),(10,'SSO_ENABLE','SSO Authentication (PwnedHub)','feature',0),(11,'OOB_RESET_ENABLE','Out-of-Band Password Reset (PwnedHub)','feature',0),(12,'CTF_MODE','CTF Mode (Warning: Disables this interface!)','feature',0);
 /*!40000 ALTER TABLE `configs` ENABLE KEYS */;
 UNLOCK TABLES;
 

diff --git a/database/ctf/04-pwnedhub-admin.sql b/database/ctf/04-pwnedhub-admin.sql
@@ -41,7 +41,7 @@ CREATE TABLE `configs` (
 
 LOCK TABLES `configs` WRITE;
 /*!40000 ALTER TABLE `configs` DISABLE KEYS */;
-INSERT INTO `configs` VALUES (1,'CSRF_PROTECT','Profile CSRF Protection (PwnedHub)','security control',0),(2,'OSCI_PROTECT','Tools OSCI Protection (PwnedHub)','security control',1),(3,'SQLI_PROTECT','Login SQLi Protection (PwnedHub)','security control',1),(4,'CORS_RESTRICT','Restricted CORS (PwnedAPI)','security control',0),(5,'JWT_VERIFY','Verify JWT Signatures (PwnedAPI)','security control',1),(6,'JWT_ENCRYPT','Encrypt JWTs (PwnedAPI)','security control',0),(7,'BEARER_AUTH_ENABLE','Bearer Token Authentication (PwnedAPI)','feature',0),(8,'OIDC_ENABLE','OpenID Connect Authentication (PwnedHub)','feature',0),(9,'SSO_ENABLE','SSO Authentication (PwnedHub)','feature',0),(10,'OOB_RESET_ENABLE','Out-of-Band Password Reset (PwnedHub)','feature',1),(11,'CTF_MODE','CTF Mode (Warning: Disables this interface!)','feature',1);
+INSERT INTO `configs` VALUES (1,'CSRF_PROTECT','Profile CSRF Protection (PwnedHub)','security control',0),(2,'OSCI_PROTECT','Tools OSCI Protection (PwnedHub)','security control',1),(3,'SQLI_PROTECT','Login SQLi Protection (PwnedHub)','security control',1),(4,'CSP_PROTECT','Content Security Policy (PwnedHub)','security control',1),(5,'CORS_RESTRICT','Restricted CORS (PwnedAPI)','security control',0),(6,'JWT_VERIFY','Verify JWT Signatures (PwnedAPI)','security control',1),(7,'JWT_ENCRYPT','Encrypt JWTs (PwnedAPI)','security control',0),(8,'BEARER_AUTH_ENABLE','Bearer Token Authentication (PwnedAPI)','feature',0),(9,'OIDC_ENABLE','OpenID Connect Authentication (PwnedHub)','feature',0),(10,'SSO_ENABLE','SSO Authentication (PwnedHub)','feature',0),(11,'OOB_RESET_ENABLE','Out-of-Band Password Reset (PwnedHub)','feature',1),(12,'CTF_MODE','CTF Mode (Warning: Disables this interface!)','feature',1);
 /*!40000 ALTER TABLE `configs` ENABLE KEYS */;
 UNLOCK TABLES;
 

diff --git a/database/init/04-pwnedhub-admin.sql b/database/init/04-pwnedhub-admin.sql
@@ -41,7 +41,7 @@ CREATE TABLE `configs` (
 
 LOCK TABLES `configs` WRITE;
 /*!40000 ALTER TABLE `configs` DISABLE KEYS */;
-INSERT INTO `configs` VALUES (1,'CSRF_PROTECT','Profile CSRF Protection (PwnedHub)','security control',1),(2,'OSCI_PROTECT','Tools OSCI Protection (PwnedHub)','security control',0),(3,'SQLI_PROTECT','Login SQLi Protection (PwnedHub)','security control',0),(4,'CORS_RESTRICT','Restricted CORS (PwnedAPI)','security control',1),(5,'JWT_VERIFY','Verify JWT Signatures (PwnedAPI)','security control',1),(6,'JWT_ENCRYPT','Encrypt JWTs (PwnedAPI)','security control',0),(7,'BEARER_AUTH_ENABLE','Bearer Token Authentication (PwnedAPI)','feature',1),(8,'OIDC_ENABLE','OpenID Connect Authentication (PwnedHub)','feature',0),(9,'SSO_ENABLE','SSO Authentication (PwnedHub)','feature',0),(10,'OOB_RESET_ENABLE','Out-of-Band Password Reset (PwnedHub)','feature',0),(11,'CTF_MODE','CTF Mode (Warning: Disables this interface!)','feature',0);
+INSERT INTO `configs` VALUES (1,'CSRF_PROTECT','Profile CSRF Protection (PwnedHub)','security control',1),(2,'OSCI_PROTECT','Tools OSCI Protection (PwnedHub)','security control',0),(3,'SQLI_PROTECT','Login SQLi Protection (PwnedHub)','security control',0),(4,'CSP_PROTECT','Content Security Policy (PwnedHub)','security control',0),(5,'CORS_RESTRICT','Restricted CORS (PwnedAPI)','security control',1),(6,'JWT_VERIFY','Verify JWT Signatures (PwnedAPI)','security control',1),(7,'JWT_ENCRYPT','Encrypt JWTs (PwnedAPI)','security control',0),(8,'BEARER_AUTH_ENABLE','Bearer Token Authentication (PwnedAPI)','feature',1),(9,'OIDC_ENABLE','OpenID Connect Authentication (PwnedHub)','feature',0),(10,'SSO_ENABLE','SSO Authentication (PwnedHub)','feature',0),(11,'OOB_RESET_ENABLE','Out-of-Band Password Reset (PwnedHub)','feature',0),(12,'CTF_MODE','CTF Mode (Warning: Disables this interface!)','feature',0);
 /*!40000 ALTER TABLE `configs` ENABLE KEYS */;
 UNLOCK TABLES;
 

diff --git a/pwnedhub/__init__.py b/pwnedhub/__init__.py
@@ -1,7 +1,7 @@
-from flask import Flask, request, render_template, Blueprint, __version__
+from flask import Flask, request, render_template, g, Blueprint, __version__
 from flask_session import Session
 from flask_sqlalchemy import SQLAlchemy
-from pwnedhub.utils import get_current_utc_time
+from pwnedhub.utils import get_current_utc_time, generate_nonce
 from urllib.parse import unquote
 from redis import Redis
 import rq
@@ -52,10 +52,16 @@ def render_mobile():
             if not request.endpoint.startswith('static'):
                 return render_template('mobile.html')
 
+    @app.before_request
+    def add_nonce():
+        g.nonce = generate_nonce()
+
     @app.after_request
     def add_header(response):
         response.headers['X-Powered-By'] = 'Flask/{}'.format(__version__)
         response.headers['X-XSS-Protection'] = '1; mode=block'
+        if Config.get_value('CSP_PROTECT'):
+            response.headers['Content-Security-Policy'] = f"script-src 'unsafe-inline' 'nonce-{g.nonce}'; script-src-attr 'unsafe-inline'; object-src 'none'; base-uri 'none'"
         return response
 
     StaticBlueprint = Blueprint('common', __name__, static_url_path='/static/common', static_folder='../common/static')

diff --git a/pwnedhub/templates/layout.html b/pwnedhub/templates/layout.html
@@ -9,10 +9,10 @@
     <link rel="stylesheet" type="text/css" href="{{ url_for('common.static', filename='css/custom-flex.css') }}">
     <link rel="stylesheet" type="text/css" href="{{ url_for('common.static', filename='css/custom-utility.css') }}">
     <link rel="stylesheet" type="text/css" href="{{ url_for('common.static', filename='css/pwnedhub.css') }}">
-    <script type="text/javascript" src="{{ url_for('static', filename='js/jquery-1.6.2.min.js') }}"></script>
-    <script type="text/javascript" src="{{ url_for('static', filename='js/pwnedhub.js') }}"></script>
-    <script type="text/javascript" src="{{ url_for('static', filename='js/showdown.js') }}"></script>
-    <script type="text/javascript" src="{{ url_for('static', filename='js/purify.min.js') }}"></script>
+    <script nonce="{{ g.nonce }}" type="text/javascript" src="{{ url_for('static', filename='js/jquery-1.6.2.min.js') }}"></script>
+    <script nonce="{{ g.nonce }}" type="text/javascript" src="{{ url_for('static', filename='js/pwnedhub.js') }}"></script>
+    <script nonce="{{ g.nonce }}" type="text/javascript" src="{{ url_for('static', filename='js/showdown.js') }}"></script>
+    <script nonce="{{ g.nonce }}" type="text/javascript" src="{{ url_for('static', filename='js/purify.min.js') }}"></script>
 </head>
 <body class="flex-column">
     <div id="flash" class="flash"></div>
@@ -84,7 +84,7 @@
         </div>
     </footer>
     {% if get_flashed_messages() %}
-    <script>
+    <script nonce="{{ g.nonce }}">
         {% for message in get_flashed_messages()|unique %}
         showFlash("{{ message }}");
         {% endfor %}

diff --git a/pwnedhub/templates/messages.html b/pwnedhub/templates/messages.html
@@ -32,7 +32,7 @@
     </form>
     </div>
 </div>
-<script>
+<script nonce="{{ g.nonce }}">
 function reply(id) {
     var template = "<blockquote>" + document.getElementById("comment-" + id).innerHTML + "</blockquote>\n\n";
     var reply = document.getElementById("reply")

diff --git a/pwnedhub/templates/notes.html b/pwnedhub/templates/notes.html
@@ -15,7 +15,7 @@
         <div id="pane-2" class="flex-grow markdown"></div>
     </div>
 </div>
-<script>
+<script nonce="{{ g.nonce }}">
 var notes = document.getElementById("notes")
 var view = document.getElementById("tab-two")
 var key = "{{ g.user.username|safe }}-notes";

diff --git a/pwnedhub/templates/tools.html b/pwnedhub/templates/tools.html
@@ -16,7 +16,7 @@
         <div id="spinner" class="spinner"></div>
     </div>
 </div>
-<script>
+<script nonce="{{ g.nonce }}">
 function info(e) {
     var tid = e.options[e.selectedIndex].value;
     // get the description