Example #1
0
    def __init__(self, config):
        """Initialize web server

        Args:
            config: TBD
        """

        if not isinstance(config, dict):
            raise TypeError("config is %s; expected dict()" % type(config))
        if not config:
            raise ValueError("config is empty")

        self.defaultConfig = deepcopy(config)
        dbh = SpiderFootDb(self.defaultConfig)
        # 'config' supplied will be the defaults, let's supplement them
        # now with any configuration which may have previously been
        # saved.
        sf = SpiderFoot(self.defaultConfig)
        self.config = sf.configUnserialize(dbh.configGet(), self.defaultConfig)

        if self.config['__webaddr'] == "0.0.0.0":  # nosec
            addr = "<IP of this host>"
        else:
            addr = self.config['__webaddr']

        self.docroot = self.config['__docroot'].rstrip('/')

        cherrypy.config.update({
            'error_page.404': self.error_page_404,
            'request.error_response': self.error_page
        })

        secure_headers = SecureHeaders(
            server="server",
            cache=False,
            csp="default-src 'self' ; script-src 'self' 'unsafe-inline' blob: ; style-src 'self' 'unsafe-inline' ; img-src 'self' data:"
        )

        cherrypy.config.update({
            "tools.response_headers.on": True,
            "tools.response_headers.headers": secure_headers.cherrypy()
        })

        if (cherrypy.server.ssl_certificate is None or cherrypy.server.ssl_private_key is None):
            url = "http://%s:%s%s" % (addr, self.config['__webport'], self.docroot)
        else:
            url = "https://%s:%s%s" % (addr, self.config['__webport'], self.docroot)

        print("")
        print("")
        print("*************************************************************")
        print(" Use SpiderFoot by starting your web browser of choice and ")
        print(" browse to %s" % url)
        print("*************************************************************")
        print("")
        print("")
Example #2
0
def secure_app():
    secure_headers = SecureHeaders()

    async def secure(request, response):
        secure_headers.sanic(response)

    app.register_middleware(secure, "response")
Example #3
0
    def __init__(self, config):
        if not isinstance(config, dict):
            raise TypeError("config is %s; expected dict()" % type(config))
        if not config:
            raise ValueError("config is empty")

        self.defaultConfig = deepcopy(config)
        dbh = SpiderFootDb(self.defaultConfig)
        # 'config' supplied will be the defaults, let's supplement them
        # now with any configuration which may have previously been
        # saved.
        sf = SpiderFoot(self.defaultConfig)
        self.config = sf.configUnserialize(dbh.configGet(), self.defaultConfig)

        if self.config['__webaddr'] == "0.0.0.0":  # nosec
            addr = "<IP of this host>"
        else:
            addr = self.config['__webaddr']

        self.docroot = self.config['__docroot'].rstrip('/')

        cherrypy.config.update({
            'error_page.404': self.error_page_404,
            'request.error_response': self.error_page
        })

        secure_headers = SecureHeaders(
            csp=
            "default-src 'self'; script-src 'self' 'unsafe-inline' blob: ; style-src 'self' 'unsafe-inline'"
        )

        cherrypy.config.update({
            "tools.response_headers.on":
            True,
            "tools.response_headers.headers":
            secure_headers.cherrypy()
        })

        print("")
        print("")
        print("*************************************************************")
        print(" Use SpiderFoot by starting your web browser of choice and ")
        print(" browse to http://" + addr + ":" +
              str(self.config['__webport']) + self.docroot)
        print("*************************************************************")
        print("")
        print("")
Example #4
0
    def __init__(self, web_config, config):
        """Initialize web server

        Args:
            web_config: config settings for web interface (interface, port, root path)
            config: SpiderFoot config
        """

        if not isinstance(config, dict):
            raise TypeError(f"config is {type(config)}; expected dict()")
        if not config:
            raise ValueError("config is empty")

        if not isinstance(web_config, dict):
            raise TypeError(f"web_config is {type(web_config)}; expected dict()")
        if not config:
            raise ValueError("web_config is empty")

        self.docroot = web_config.get('root', '/').rstrip('/')

        # 'config' supplied will be the defaults, let's supplement them
        # now with any configuration which may have previously been saved.
        self.defaultConfig = deepcopy(config)
        dbh = SpiderFootDb(self.defaultConfig)
        sf = SpiderFoot(self.defaultConfig)
        self.config = sf.configUnserialize(dbh.configGet(), self.defaultConfig)

        cherrypy.config.update({
            'error_page.404': self.error_page_404,
            'request.error_response': self.error_page
        })

        secure_headers = SecureHeaders(
            server="server",
            cache=False,
            csp="default-src 'self' ; script-src 'self' 'unsafe-inline' blob: ; style-src 'self' 'unsafe-inline' ; img-src 'self' data:"
        )

        cherrypy.config.update({
            "tools.response_headers.on": True,
            "tools.response_headers.headers": secure_headers.cherrypy()
        })
Example #5
0
def setup(app):
    csp_value = (
        SecurePolicies.CSP()
        .default_src(SecurePolicies.CSP().Values.none)
        .base_uri(SecurePolicies.CSP().Values.self_)
        .block_all_mixed_content()
        .connect_src(SecurePolicies.CSP().Values.self_)
        .frame_src(SecurePolicies.CSP().Values.none)
        .img_src(SecurePolicies.CSP().Values.self_, "data:", "https:")
        .font_src(
            SecurePolicies.CSP().Values.self_,
            "https://fonts.gstatic.com/s/",
            "https://fonts.googleapis.com/css2",
        )
        .manifest_src(SecurePolicies.CSP().Values.self_)
        .worker_src(SecurePolicies.CSP().Values.self_, "blob:")
    )
    feature_value = (
        SecurePolicies.Feature()
        .geolocation(SecurePolicies.Feature.Values.none)
        .vibrate(SecurePolicies.Feature.Values.none)
    )
    if app["config"].get("https", False):
        csp_value = csp_value.upgrade_insecure_requests()
        hsts_value = (
            SecurePolicies.HSTS()
            .include_subdomains()
            .preload()
            .max_age(SecurePolicies.Seconds.one_month)
        )
    else:
        hsts_value = None
    if app["config"].get("sentry_csp_url", False):
        csp_value = csp_value.report_uri(app["config"]["sentry_csp_url"])
    else:
        csp_value = csp_value.report_uri("/csp")
    xxp_value = SecurePolicies.XXP().enabled_block()

    xfo_value = SecurePolicies.XFO().deny()

    referrer_value = SecurePolicies.Referrer().no_referrer()

    cache_value = SecurePolicies.Cache().no_store().must_revalidate().proxy_revalidate()

    app["secure_headers"] = SecureHeaders(
        csp=csp_value,
        hsts=hsts_value,
        xfo=xfo_value,
        xxp=xxp_value,
        referrer=referrer_value,
        feature=feature_value,
        cache=cache_value,
    )
Example #6
0
    def __init__(self, config):
        self.defaultConfig = deepcopy(config)
        dbh = SpiderFootDb(self.defaultConfig)
        # 'config' supplied will be the defaults, let's supplement them
        # now with any configuration which may have previously been
        # saved.
        sf = SpiderFoot(self.defaultConfig)
        self.config = sf.configUnserialize(dbh.configGet(), self.defaultConfig)

        if self.config['__webaddr'] == "0.0.0.0":
            addr = "<IP of this host>"
        else:
            addr = self.config['__webaddr']

        self.docroot = self.config['__docroot'].rstrip('/')

        cherrypy.config.update({
            'error_page.404': self.error_page_404,
            'request.error_response': self.error_page
        })

        secure_headers = SecureHeaders()

        cherrypy.config.update({
            "tools.response_headers.on":
            True,
            "tools.response_headers.headers":
            secure_headers.cherrypy()
        })

        print("")
        print("")
        print("*************************************************************")
        print(" Use SpiderFoot by starting your web browser of choice and ")
        print(" browse to http://" + addr + ":" +
              str(self.config['__webport']) + self.docroot)
        print("*************************************************************")
        print("")
        print("")
Example #7
0
from flask import Flask
from flask_restful import Api
from resources.home import Home
from secure import SecureHeaders

from resources.quote import Quote

secure_headers = SecureHeaders()

app = Flask(__name__)
api = Api(app)


@app.after_request
def set_secure_headers(response):
    secure_headers.flask(response)
    return response


api.add_resource(Home, '/')
api.add_resource(Quote, '/quote/<int:_id>')\

if '__main__' == __name__:
    app.run(port=5000, debug=True)
    
Example #8
0
    get_valid_extensions,
    get_js_vendored,
    get_css_vendored,
    url_for_vendored,
)
from .proxy_fix import ASGIProxyFix
from .tasks import (
    run_deferred_async,
    check_pending_payments,
    invoice_listener,
    internal_invoice_listener,
    webhook_handler,
)
from .settings import WALLET

secure_headers = SecureHeaders(hsts=False, xfo=False)


def create_app(config_object="lnbits.settings") -> QuartTrio:
    """Create application factory.
    :param config_object: The configuration object to use.
    """
    app = QuartTrio(__name__, static_folder="static")
    app.config.from_object(config_object)
    app.asgi_http_class = ASGIProxyFix

    cors(app)
    Compress(app)

    check_funding_source(app)
    register_assets(app)
Example #9
0
from json import JSONDecodeError
from logging import getLogger
from time import time

from aiohttp import web
from aiohttp.web_exceptions import HTTPException
from connexion.exceptions import ProblemException, OAuthProblem, Unauthorized
from connexion.problem import problem as connexion_problem
from secure import SecureHeaders

from api.configuration import api_conf
from api.util import raise_if_exc
from wazuh.core.exception import WazuhTooManyRequests, WazuhPermissionError

# API secure headers
secure_headers = SecureHeaders(server="Wazuh", csp="none", xfo="DENY")

logger = getLogger('wazuh-api')
pool = concurrent.futures.ThreadPoolExecutor()


@web.middleware
async def set_user_name(request, handler):
    if 'token_info' in request:
        request['user'] = request['token_info']['sub']
    return await handler(request)


@web.middleware
async def set_secure_headers(request, handler):
    resp = await handler(request)
Example #10
0
    async def run_server(self):
        secure_headers = SecureHeaders()
        app = Quart(__name__)
        db_client = self.db_client
        event_loop = asyncio.get_event_loop()
        config_data = self.bot.config_data
        app.config["SECRET_KEY"] = config_data["base"][
            "webserver_secret_session_key"]
        app.config["RECAPTCHA_USE_SSL"] = True
        app.config['RECAPTCHA_PUBLIC_KEY'] = config_data["captcha"]["sitekey"]
        app.config['RECAPTCHA_PRIVATE_KEY'] = config_data["captcha"][
            "privatekey"]
        app.config['RECAPTCHA_DATA_ATTRS'] = {"theme": 'dark'}
        configuration = asyncio_hypercorn.Config().from_mapping({
            "host":
            self.bot.config_data["base"]["verification_domain"],
            "port":
            8000,
            "use_reloader":
            True,
            "secret_key":
            config_data["base"]["webserver_secret_session_key"]
        })
        event_loop.create_task(asyncio_hypercorn.serve(app, configuration))

        class VerifyForm(FlaskForm):
            recaptcha = RecaptchaField()

        @app.errorhandler(404)
        async def err_404_handler(error):
            return await render_template("not_found.html")

        @app.route("/privacy", methods=["GET"])
        async def return_privacy_statement():
            """Returns a plain html privacy statement to the end user."""
            owner_id = self.bot.config_data["base"]["owner_id"]
            owner_name_str = str(self.__cache_owner_object(owner_id))
            return await render_template("privacy_statement.html",
                                         owner_name=owner_name_str)

        @app.route("/<uuid:verif_id>", methods=["GET", "POST"])
        async def handle_verification(verif_id):
            """Verification page that contains a recaptcha "form" where users must verify their humanity
            in order to gain access to the server.

            Page will 404 with an improper uuid, or a uuid that has already been verified.

            Needs rate limiting to mitigate crash attempts."""
            verif_form = VerifyForm()

            if verif_form.validate_on_submit():
                member_rec_obj = await self.verify_member(str(verif_id))
                ppmp_bool = await db_client.templebot.ppmp_notice.find_one(
                    {"_id": member_rec_obj["user_id"]})
                ppmp_str = "<ppmp_status>"
                if ppmp_bool:
                    ppmp_str = "Enabled"
                else:
                    ppmp_str = "Disabled"
                return await render_template("verification_success.html",
                                             ppmp_status=ppmp_str)

            if db_client is None:
                return Response(
                    "Error occurred while fetching results, try again.", 503)
            members_collection = db_client.templebot.members
            member_record = await members_collection.find_one(
                {"_id": str(verif_id)})
            if member_record is None or member_record["verified"] is True:
                abort(404)

            # Now we have a valid user record, let's use our verification page template to help them verify
            return await render_template("verification.html",
                                         form=verif_form,
                                         verif_uuid=verif_id)

        @app.after_request
        async def apply_secure_headers(response):
            """Applies security headers"""
            secure_headers.quart(response)
            return response
Example #11
0
from flask import Flask, render_template, url_for, flash, redirect
from forms import RegistrationForm, LoginForm, Newcredentialssetup, Get_passwordform, reset_credsform, securityques
from secure import SecureHeaders
import backend
import hashlib
from flask_httpauth import HTTPBasicAuth
from flask_sslify import SSLify
sc = SecureHeaders(csp=True, hsts=True, xfo='Deny')
auth = HTTPBasicAuth()
app = Flask(__name__)
app.secret_key = "1234"

sslify = SSLify(app)


@app.after_request
def set_secure_headers(response):
    sc.flask(response)
    return response


@auth.verify_password
def f(a, b):
    us = hashlib.sha224(a.encode()).hexdigest()
    p = hashlib.sha224(b.encode()).hexdigest()

    if backend.check_user(us, p):
        return True
    else:
        return False
Example #12
0
    def apply_to(app):
        secure_headers = SecureHeaders()

        @app.middleware("response")
        async def set_secure_headers(request, response):
            secure_headers.sanic(response)
Example #13
0
                    message_traceback="message_traceback", team_builder=True)
        else:

            for attr, value in request_params.items():
                # print(attr,value)
                if value is not '':
                    query = query.filter(
                        getattr(Player, attr).like("%%%s%%" % value))
            players = query.all()
            # print("PLAYERS=", players)
            tmpl = env.get_template('index.html')
            return tmpl.render(players=players, search=True)


if __name__ == '__main__':
    # cherrypy.server.httpserver = CPHTTPServer(cherrypy.server)
    conf = {
        '/': {
            # 'server.socket_port': 8080,
            # 'tools.proxy.on': True,
            'tools.sessions.on': True,
            'tools.staticdir.root': os.path.abspath(os.getcwd()),
            'tools.response_headers.on': True,
            'tools.response_headers.headers': SecureHeaders.cherrypy()
        },
        '/static': {
            'tools.staticdir.on': True,
            'tools.staticdir.dir': './static'
        }
    }
    cherrypy.quickstart(Root(), '/', conf)
Example #14
0
from starlette.applications import Starlette
from starlette.responses import JSONResponse, PlainTextResponse
from starlette.routing import Route
from starlette.middleware import Middleware
from starlette.middleware.cors import CORSMiddleware
from sse_starlette.sse import EventSourceResponse
import uvicorn
from datetime import datetime
import asyncio
from secure import SecureHeaders, SecureCookie

csp_disabled = SecureHeaders(csp="script-src 'self'; object-src 'self'")


async def home(request):
    return JSONResponse({"message": "Hello world"})


async def getNow(request):
    now = datetime.now().strftime("%Y/%m/%d %H:%M:%S")
    return JSONResponse({"time": now})


async def getCurrentTime(count):
    for i in range(count):
        yield datetime.now().strftime("%Y/%m/%d %H:%M:%S " + str(i))
        await asyncio.sleep(2)


async def timeSSE(request):
    gen = getCurrentTime(5)
Example #15
0
        SecurePolicies.CSP().Values.self_).script_src(
            SecurePolicies.CSP().Values.self_,
            SecurePolicies.CSP().Values.unsafe_inline,
            "cdn.jsdelivr.net/npm/[email protected]/",
            "cdn.jsdelivr.net/npm/[email protected]/",
            "cdn.jsdelivr.net/npm/[email protected]/",
            "cdnjs.cloudflare.com/ajax/libs/moment.js/",
            "cdn.jsdelivr.net/npm/cookieconsent@3/").style_src(
                SecurePolicies.CSP().Values.self_,
                SecurePolicies.CSP().Values.unsafe_inline,
                "cdn.jsdelivr.net/npm/[email protected]/",
                "cdn.jsdelivr.net/npm/cookieconsent@3/").form_action(
                    SecurePolicies.CSP().Values.self_).connect_src(
                        SecurePolicies.CSP().Values.self_).img_src(
                            SecurePolicies.CSP().Values.self_, "data:"))
secure_headers = SecureHeaders(server="None", feature=True, csp=csp_value)


def app_before_request(*args, **kwargs):
    """
    Redirect any non-https requests to https, and www and Herolu subdomain to
    naked domain. Inspired by flask-talisman's _force_https and
    https://julien.danjou.info/correct-http-scheme-in-wsgi-with-cloudflare/
    """
    proto = None
    cf_visitor = request.headers.get("Cf-Visitor")
    if cf_visitor:
        try:
            cf_visitor = json.loads(cf_visitor)
        except ValueError:
            pass
Example #16
0
    LookUpError,
    MultipleObjectsReturned,
    InvalidQueryError,
)
from starlette.exceptions import HTTPException as StarletteHTTPException

from bot_trainer.exceptions import AppException
from bot_trainer.utils import Utility
from .routers import auth, bot, augment, history, user, account
from bot_trainer.api.models import Response
from bot_trainer.api.processor import AccountProcessor
from fastapi.middleware.cors import CORSMiddleware
from pymongo.errors import PyMongoError
from secure import SecureHeaders

secure_headers = SecureHeaders(xfo=False)

app = FastAPI()
app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)


@app.middleware("http")
async def add_secure_headers(request: Request, call_next):
    response = await call_next(request)
    secure_headers.starlette(response)