def test_incs001_csp_hashes_inline_scripts(dash_duo, add_hashes,
hash_algorithm, expectation):
app = Dash(__name__)
app.layout = html.Div([
dcc.Input(id="input_element", type="text"),
html.Div(id="output_element")
])
app.clientside_callback(
"""
function(input) {
return input;
}
""",
Output("output_element", "children"),
[Input("input_element", "value")],
)
with expectation:
csp = {
"default-src":
"'self'",
"script-src": ["'self'"] +
(app.csp_hashes(hash_algorithm) if add_hashes else []),
}
flask_talisman.Talisman(app.server,
content_security_policy=csp,
force_https=False)
dash_duo.start_server(app)
dash_duo.find_element("#input_element").send_keys("xyz")
assert dash_duo.wait_for_element("#output_element").text == "xyz"
def setup_application(app):
flask_talisman.Talisman(app, content_security_policy=None)
Bootstrap(app)
boltons.fileutils.mkdir_p(app.instance_path)
_register_views(app)
_setup_login_manager(app)
def create_app(*args, **kwargs) -> flask.Flask:
"""Create a Flask app with secure default behaviours.
:return: A Flask application.
:rtype: Flask
"""
app = flask.Flask(*args, **kwargs)
configure_app(app)
# Both these extensions can be used as view decorators. Bit worried that
# this circular reference will cause memory leaks.
talisman_kwargs = get_talisman_config(app.config)
app.talisman = flask_talisman.Talisman(app, **talisman_kwargs)
app.csrf = flask_seasurf.SeaSurf(app)
return app
def build_flask_app(project_name, app_name, openapi):
"""
Create a new Flask backend application
app_name is the Python application name, used as Flask import_name
project_name is a "nice" name, used to identify the application
"""
assert os.path.exists(openapi), "Missing openapi file {}".format(openapi)
logger.debug("Initializing", app=app_name, openapi=openapi)
# Start OpenAPI app
app = connexion.App(import_name=app_name)
app.name = project_name
app.add_api(openapi)
# Enable security
security = flask_talisman.Talisman()
security.init_app(app.app, **TALISMAN_CONFIG)
# Enable wildcard CORS
cors = flask_cors.CORS()
cors.init_app(app.app, origins=["*"])
# Add exception Json renderer
for code, exception in werkzeug.exceptions.default_exceptions.items():
app.app.register_error_handler(exception, handle_default_exceptions)
# Redirect root to API
app.add_url_rule(
"/", "root",
lambda: flask.redirect(app.options.openapi_console_ui_path))
# Dockerflow checks
app.add_url_rule("/__heartbeat__", view_func=heartbeat_response)
app.add_url_rule("/__lbheartbeat__", view_func=lbheartbeat_response)
app.add_url_rule("/__version__", view_func=get_version)
logger.debug("Initialized", app=app.name)
return app
def init_app(app):
allow_from = app.config.get('TALISMAN_FRAME_OPTIONS_ALLOW_FROM', None)
if isinstance(allow_from, (list, tuple)):
allow_from = " ".join(allow_from)
if allow_from:
frame_options = flask_talisman.ALLOW_FROM
else:
frame_options = flask_talisman.SAMEORIGIN
flask_talisman.Talisman(
app,
content_security_policy=app.config.get(
'TALISMAN_CONTENT_SECURITY_POLICY',
flask_talisman.DEFAULT_CSP_POLICY),
force_https_permanent=app.config.get(
'TALISMAN_FORCE_HTTPS_PERMANENT',
True,
),
frame_options=frame_options,
frame_options_allow_from=allow_from,
)
#!/usr/bin/env python3
###
# arberweb
# Arber Xhindoli github:@arberx
###
import flask
import flask_talisman
import arberweb.config
# app is a single object used by all the code modules in this package
app = flask.Flask(__name__) # pylint: disable=invalid-name
# enforce https, currently allow fetching of all external resources
# TODO: stricter csp: https://github.com/GoogleCloudPlatform/flask-talisman
flask_talisman.Talisman(app, content_security_policy=None)
# Read settings from config module (arberweb/config.py)
app.config.from_object('arberweb.config')
# Overlay settings read from file specified by environment variable. This is
# useful for using different on development and production machines.
# Reference: http://flask.pocoo.org/docs/0.12/config/
app.config.from_envvar('ARBERWEB_SETTINGS', silent=True)
# (Reference http://flask.pocoo.org/docs/0.12/patterns/packages/)
import arberweb.views # noqa: E402 pylint: disable=wrong-import-position
'script-src': '\'self\' \'unsafe-inline\'',
'style-src': '\'self\' \'unsafe-inline\'',
'img-src': '\'self\'',
'connect-src': '\'self\'',
}
DEFAULT_CONFIG = dict(
force_https=True,
force_https_permanent=False,
force_file_save=False,
frame_options=flask_talisman.talisman.SAMEORIGIN,
frame_options_allow_from=None,
strict_transport_security=True,
strict_transport_security_preload=False,
strict_transport_security_max_age=flask_talisman.talisman.ONE_YEAR_IN_SECS,
strict_transport_security_include_subdomains=True,
content_security_policy=DEFAULT_CSP_POLICY,
content_security_policy_report_uri=None,
content_security_policy_report_only=False,
session_cookie_secure=True,
session_cookie_http_only=True,
)
security = flask_talisman.Talisman()
def init_app(app):
config = app.config.get('SECURITY', DEFAULT_CONFIG)
security.init_app(app, **config)
return security
from __future__ import absolute_import from flask_caching import Cache from flask_limiter import Limiter from flask_limiter.util import get_remote_address import flask_marshmallow import flask_migrate import flask_sqlalchemy import flask_talisman cache = Cache() db = flask_sqlalchemy.SQLAlchemy() limiter = Limiter(key_func=get_remote_address) ma = flask_marshmallow.Marshmallow() migrate = flask_migrate.Migrate() talisman = flask_talisman.Talisman()
flask_talisman.Talisman(
app,
content_security_policy={
"default-src": ["'self'"],
"script-src": [
"'self'",
"www.gstatic.com",
"cdn.firebase.com",
"apis.google.com",
"use.fontawesome.com",
],
"style-src": [
"'self'",
"fonts.googleapis.com",
"cdn.firebase.com",
"cdnjs.cloudflare.com",
"use.fontawesome.com",
],
"font-src": ["fonts.gstatic.com"],
"img-src": [
"'self'",
"www.gstatic.com",
# Required for user avatars from GitHub, Google.
"*.githubusercontent.com",
"*.googleusercontent.com",
],
"connect-src": ["'self'", "www.googleapis.com"],
"frame-src": ["https://conducthotline-fb.firebaseapp.com/"],
},
)
