def __init__(self, config):
"""Initialize web server
Args:
config: TBD
"""
if not isinstance(config, dict):
raise TypeError("config is %s; expected dict()" % type(config))
if not config:
raise ValueError("config is empty")
self.defaultConfig = deepcopy(config)
dbh = SpiderFootDb(self.defaultConfig)
# 'config' supplied will be the defaults, let's supplement them
# now with any configuration which may have previously been
# saved.
sf = SpiderFoot(self.defaultConfig)
self.config = sf.configUnserialize(dbh.configGet(), self.defaultConfig)
if self.config['__webaddr'] == "0.0.0.0": # nosec
addr = "<IP of this host>"
else:
addr = self.config['__webaddr']
self.docroot = self.config['__docroot'].rstrip('/')
cherrypy.config.update({
'error_page.404': self.error_page_404,
'request.error_response': self.error_page
})
secure_headers = SecureHeaders(
server="server",
cache=False,
csp="default-src 'self' ; script-src 'self' 'unsafe-inline' blob: ; style-src 'self' 'unsafe-inline' ; img-src 'self' data:"
)
cherrypy.config.update({
"tools.response_headers.on": True,
"tools.response_headers.headers": secure_headers.cherrypy()
})
if (cherrypy.server.ssl_certificate is None or cherrypy.server.ssl_private_key is None):
url = "http://%s:%s%s" % (addr, self.config['__webport'], self.docroot)
else:
url = "https://%s:%s%s" % (addr, self.config['__webport'], self.docroot)
print("")
print("")
print("*************************************************************")
print(" Use SpiderFoot by starting your web browser of choice and ")
print(" browse to %s" % url)
print("*************************************************************")
print("")
print("")
def secure_app():
secure_headers = SecureHeaders()
async def secure(request, response):
secure_headers.sanic(response)
app.register_middleware(secure, "response")
def __init__(self, config):
if not isinstance(config, dict):
raise TypeError("config is %s; expected dict()" % type(config))
if not config:
raise ValueError("config is empty")
self.defaultConfig = deepcopy(config)
dbh = SpiderFootDb(self.defaultConfig)
# 'config' supplied will be the defaults, let's supplement them
# now with any configuration which may have previously been
# saved.
sf = SpiderFoot(self.defaultConfig)
self.config = sf.configUnserialize(dbh.configGet(), self.defaultConfig)
if self.config['__webaddr'] == "0.0.0.0": # nosec
addr = "<IP of this host>"
else:
addr = self.config['__webaddr']
self.docroot = self.config['__docroot'].rstrip('/')
cherrypy.config.update({
'error_page.404': self.error_page_404,
'request.error_response': self.error_page
})
secure_headers = SecureHeaders(
csp=
"default-src 'self'; script-src 'self' 'unsafe-inline' blob: ; style-src 'self' 'unsafe-inline'"
)
cherrypy.config.update({
"tools.response_headers.on":
True,
"tools.response_headers.headers":
secure_headers.cherrypy()
})
print("")
print("")
print("*************************************************************")
print(" Use SpiderFoot by starting your web browser of choice and ")
print(" browse to http://" + addr + ":" +
str(self.config['__webport']) + self.docroot)
print("*************************************************************")
print("")
print("")
def __init__(self, web_config, config):
"""Initialize web server
Args:
web_config: config settings for web interface (interface, port, root path)
config: SpiderFoot config
"""
if not isinstance(config, dict):
raise TypeError(f"config is {type(config)}; expected dict()")
if not config:
raise ValueError("config is empty")
if not isinstance(web_config, dict):
raise TypeError(f"web_config is {type(web_config)}; expected dict()")
if not config:
raise ValueError("web_config is empty")
self.docroot = web_config.get('root', '/').rstrip('/')
# 'config' supplied will be the defaults, let's supplement them
# now with any configuration which may have previously been saved.
self.defaultConfig = deepcopy(config)
dbh = SpiderFootDb(self.defaultConfig)
sf = SpiderFoot(self.defaultConfig)
self.config = sf.configUnserialize(dbh.configGet(), self.defaultConfig)
cherrypy.config.update({
'error_page.404': self.error_page_404,
'request.error_response': self.error_page
})
secure_headers = SecureHeaders(
server="server",
cache=False,
csp="default-src 'self' ; script-src 'self' 'unsafe-inline' blob: ; style-src 'self' 'unsafe-inline' ; img-src 'self' data:"
)
cherrypy.config.update({
"tools.response_headers.on": True,
"tools.response_headers.headers": secure_headers.cherrypy()
})
def setup(app):
csp_value = (
SecurePolicies.CSP()
.default_src(SecurePolicies.CSP().Values.none)
.base_uri(SecurePolicies.CSP().Values.self_)
.block_all_mixed_content()
.connect_src(SecurePolicies.CSP().Values.self_)
.frame_src(SecurePolicies.CSP().Values.none)
.img_src(SecurePolicies.CSP().Values.self_, "data:", "https:")
.font_src(
SecurePolicies.CSP().Values.self_,
"https://fonts.gstatic.com/s/",
"https://fonts.googleapis.com/css2",
)
.manifest_src(SecurePolicies.CSP().Values.self_)
.worker_src(SecurePolicies.CSP().Values.self_, "blob:")
)
feature_value = (
SecurePolicies.Feature()
.geolocation(SecurePolicies.Feature.Values.none)
.vibrate(SecurePolicies.Feature.Values.none)
)
if app["config"].get("https", False):
csp_value = csp_value.upgrade_insecure_requests()
hsts_value = (
SecurePolicies.HSTS()
.include_subdomains()
.preload()
.max_age(SecurePolicies.Seconds.one_month)
)
else:
hsts_value = None
if app["config"].get("sentry_csp_url", False):
csp_value = csp_value.report_uri(app["config"]["sentry_csp_url"])
else:
csp_value = csp_value.report_uri("/csp")
xxp_value = SecurePolicies.XXP().enabled_block()
xfo_value = SecurePolicies.XFO().deny()
referrer_value = SecurePolicies.Referrer().no_referrer()
cache_value = SecurePolicies.Cache().no_store().must_revalidate().proxy_revalidate()
app["secure_headers"] = SecureHeaders(
csp=csp_value,
hsts=hsts_value,
xfo=xfo_value,
xxp=xxp_value,
referrer=referrer_value,
feature=feature_value,
cache=cache_value,
)
def __init__(self, config):
self.defaultConfig = deepcopy(config)
dbh = SpiderFootDb(self.defaultConfig)
# 'config' supplied will be the defaults, let's supplement them
# now with any configuration which may have previously been
# saved.
sf = SpiderFoot(self.defaultConfig)
self.config = sf.configUnserialize(dbh.configGet(), self.defaultConfig)
if self.config['__webaddr'] == "0.0.0.0":
addr = "<IP of this host>"
else:
addr = self.config['__webaddr']
self.docroot = self.config['__docroot'].rstrip('/')
cherrypy.config.update({
'error_page.404': self.error_page_404,
'request.error_response': self.error_page
})
secure_headers = SecureHeaders()
cherrypy.config.update({
"tools.response_headers.on":
True,
"tools.response_headers.headers":
secure_headers.cherrypy()
})
print("")
print("")
print("*************************************************************")
print(" Use SpiderFoot by starting your web browser of choice and ")
print(" browse to http://" + addr + ":" +
str(self.config['__webport']) + self.docroot)
print("*************************************************************")
print("")
print("")
from flask import Flask
from flask_restful import Api
from resources.home import Home
from secure import SecureHeaders
from resources.quote import Quote
secure_headers = SecureHeaders()
app = Flask(__name__)
api = Api(app)
@app.after_request
def set_secure_headers(response):
secure_headers.flask(response)
return response
api.add_resource(Home, '/')
api.add_resource(Quote, '/quote/<int:_id>')\
if '__main__' == __name__:
app.run(port=5000, debug=True)
get_valid_extensions,
get_js_vendored,
get_css_vendored,
url_for_vendored,
)
from .proxy_fix import ASGIProxyFix
from .tasks import (
run_deferred_async,
check_pending_payments,
invoice_listener,
internal_invoice_listener,
webhook_handler,
)
from .settings import WALLET
secure_headers = SecureHeaders(hsts=False, xfo=False)
def create_app(config_object="lnbits.settings") -> QuartTrio:
"""Create application factory.
:param config_object: The configuration object to use.
"""
app = QuartTrio(__name__, static_folder="static")
app.config.from_object(config_object)
app.asgi_http_class = ASGIProxyFix
cors(app)
Compress(app)
check_funding_source(app)
register_assets(app)
from json import JSONDecodeError
from logging import getLogger
from time import time
from aiohttp import web
from aiohttp.web_exceptions import HTTPException
from connexion.exceptions import ProblemException, OAuthProblem, Unauthorized
from connexion.problem import problem as connexion_problem
from secure import SecureHeaders
from api.configuration import api_conf
from api.util import raise_if_exc
from wazuh.core.exception import WazuhTooManyRequests, WazuhPermissionError
# API secure headers
secure_headers = SecureHeaders(server="Wazuh", csp="none", xfo="DENY")
logger = getLogger('wazuh-api')
pool = concurrent.futures.ThreadPoolExecutor()
@web.middleware
async def set_user_name(request, handler):
if 'token_info' in request:
request['user'] = request['token_info']['sub']
return await handler(request)
@web.middleware
async def set_secure_headers(request, handler):
resp = await handler(request)
async def run_server(self):
secure_headers = SecureHeaders()
app = Quart(__name__)
db_client = self.db_client
event_loop = asyncio.get_event_loop()
config_data = self.bot.config_data
app.config["SECRET_KEY"] = config_data["base"][
"webserver_secret_session_key"]
app.config["RECAPTCHA_USE_SSL"] = True
app.config['RECAPTCHA_PUBLIC_KEY'] = config_data["captcha"]["sitekey"]
app.config['RECAPTCHA_PRIVATE_KEY'] = config_data["captcha"][
"privatekey"]
app.config['RECAPTCHA_DATA_ATTRS'] = {"theme": 'dark'}
configuration = asyncio_hypercorn.Config().from_mapping({
"host":
self.bot.config_data["base"]["verification_domain"],
"port":
8000,
"use_reloader":
True,
"secret_key":
config_data["base"]["webserver_secret_session_key"]
})
event_loop.create_task(asyncio_hypercorn.serve(app, configuration))
class VerifyForm(FlaskForm):
recaptcha = RecaptchaField()
@app.errorhandler(404)
async def err_404_handler(error):
return await render_template("not_found.html")
@app.route("/privacy", methods=["GET"])
async def return_privacy_statement():
"""Returns a plain html privacy statement to the end user."""
owner_id = self.bot.config_data["base"]["owner_id"]
owner_name_str = str(self.__cache_owner_object(owner_id))
return await render_template("privacy_statement.html",
owner_name=owner_name_str)
@app.route("/<uuid:verif_id>", methods=["GET", "POST"])
async def handle_verification(verif_id):
"""Verification page that contains a recaptcha "form" where users must verify their humanity
in order to gain access to the server.
Page will 404 with an improper uuid, or a uuid that has already been verified.
Needs rate limiting to mitigate crash attempts."""
verif_form = VerifyForm()
if verif_form.validate_on_submit():
member_rec_obj = await self.verify_member(str(verif_id))
ppmp_bool = await db_client.templebot.ppmp_notice.find_one(
{"_id": member_rec_obj["user_id"]})
ppmp_str = "<ppmp_status>"
if ppmp_bool:
ppmp_str = "Enabled"
else:
ppmp_str = "Disabled"
return await render_template("verification_success.html",
ppmp_status=ppmp_str)
if db_client is None:
return Response(
"Error occurred while fetching results, try again.", 503)
members_collection = db_client.templebot.members
member_record = await members_collection.find_one(
{"_id": str(verif_id)})
if member_record is None or member_record["verified"] is True:
abort(404)
# Now we have a valid user record, let's use our verification page template to help them verify
return await render_template("verification.html",
form=verif_form,
verif_uuid=verif_id)
@app.after_request
async def apply_secure_headers(response):
"""Applies security headers"""
secure_headers.quart(response)
return response
from flask import Flask, render_template, url_for, flash, redirect
from forms import RegistrationForm, LoginForm, Newcredentialssetup, Get_passwordform, reset_credsform, securityques
from secure import SecureHeaders
import backend
import hashlib
from flask_httpauth import HTTPBasicAuth
from flask_sslify import SSLify
sc = SecureHeaders(csp=True, hsts=True, xfo='Deny')
auth = HTTPBasicAuth()
app = Flask(__name__)
app.secret_key = "1234"
sslify = SSLify(app)
@app.after_request
def set_secure_headers(response):
sc.flask(response)
return response
@auth.verify_password
def f(a, b):
us = hashlib.sha224(a.encode()).hexdigest()
p = hashlib.sha224(b.encode()).hexdigest()
if backend.check_user(us, p):
return True
else:
return False
def apply_to(app):
secure_headers = SecureHeaders()
@app.middleware("response")
async def set_secure_headers(request, response):
secure_headers.sanic(response)
message_traceback="message_traceback", team_builder=True)
else:
for attr, value in request_params.items():
# print(attr,value)
if value is not '':
query = query.filter(
getattr(Player, attr).like("%%%s%%" % value))
players = query.all()
# print("PLAYERS=", players)
tmpl = env.get_template('index.html')
return tmpl.render(players=players, search=True)
if __name__ == '__main__':
# cherrypy.server.httpserver = CPHTTPServer(cherrypy.server)
conf = {
'/': {
# 'server.socket_port': 8080,
# 'tools.proxy.on': True,
'tools.sessions.on': True,
'tools.staticdir.root': os.path.abspath(os.getcwd()),
'tools.response_headers.on': True,
'tools.response_headers.headers': SecureHeaders.cherrypy()
},
'/static': {
'tools.staticdir.on': True,
'tools.staticdir.dir': './static'
}
}
cherrypy.quickstart(Root(), '/', conf)
from starlette.applications import Starlette
from starlette.responses import JSONResponse, PlainTextResponse
from starlette.routing import Route
from starlette.middleware import Middleware
from starlette.middleware.cors import CORSMiddleware
from sse_starlette.sse import EventSourceResponse
import uvicorn
from datetime import datetime
import asyncio
from secure import SecureHeaders, SecureCookie
csp_disabled = SecureHeaders(csp="script-src 'self'; object-src 'self'")
async def home(request):
return JSONResponse({"message": "Hello world"})
async def getNow(request):
now = datetime.now().strftime("%Y/%m/%d %H:%M:%S")
return JSONResponse({"time": now})
async def getCurrentTime(count):
for i in range(count):
yield datetime.now().strftime("%Y/%m/%d %H:%M:%S " + str(i))
await asyncio.sleep(2)
async def timeSSE(request):
gen = getCurrentTime(5)
SecurePolicies.CSP().Values.self_).script_src(
SecurePolicies.CSP().Values.self_,
SecurePolicies.CSP().Values.unsafe_inline,
"cdn.jsdelivr.net/npm/[email protected]/",
"cdn.jsdelivr.net/npm/[email protected]/",
"cdn.jsdelivr.net/npm/[email protected]/",
"cdnjs.cloudflare.com/ajax/libs/moment.js/",
"cdn.jsdelivr.net/npm/cookieconsent@3/").style_src(
SecurePolicies.CSP().Values.self_,
SecurePolicies.CSP().Values.unsafe_inline,
"cdn.jsdelivr.net/npm/[email protected]/",
"cdn.jsdelivr.net/npm/cookieconsent@3/").form_action(
SecurePolicies.CSP().Values.self_).connect_src(
SecurePolicies.CSP().Values.self_).img_src(
SecurePolicies.CSP().Values.self_, "data:"))
secure_headers = SecureHeaders(server="None", feature=True, csp=csp_value)
def app_before_request(*args, **kwargs):
"""
Redirect any non-https requests to https, and www and Herolu subdomain to
naked domain. Inspired by flask-talisman's _force_https and
https://julien.danjou.info/correct-http-scheme-in-wsgi-with-cloudflare/
"""
proto = None
cf_visitor = request.headers.get("Cf-Visitor")
if cf_visitor:
try:
cf_visitor = json.loads(cf_visitor)
except ValueError:
pass
LookUpError,
MultipleObjectsReturned,
InvalidQueryError,
)
from starlette.exceptions import HTTPException as StarletteHTTPException
from bot_trainer.exceptions import AppException
from bot_trainer.utils import Utility
from .routers import auth, bot, augment, history, user, account
from bot_trainer.api.models import Response
from bot_trainer.api.processor import AccountProcessor
from fastapi.middleware.cors import CORSMiddleware
from pymongo.errors import PyMongoError
from secure import SecureHeaders
secure_headers = SecureHeaders(xfo=False)
app = FastAPI()
app.add_middleware(
CORSMiddleware,
allow_origins=["*"],
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
@app.middleware("http")
async def add_secure_headers(request: Request, call_next):
response = await call_next(request)
secure_headers.starlette(response)