From cf6820aa2b643f5576df6cc322314d7379024cef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adolfo=20G=C3=B3mez=20Garc=C3=ADa?= <dkmaster@dkmon.com>
Date: Mon, 5 Sep 2022 12:48:54 +0200
Subject: [PATCH] Fixed security

---
 .../src/uds/core/util/middleware/security.py  | 22 +++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/server/src/uds/core/util/middleware/security.py b/server/src/uds/core/util/middleware/security.py
index b6a32411..79762c36 100644
--- a/server/src/uds/core/util/middleware/security.py
+++ b/server/src/uds/core/util/middleware/security.py
@@ -34,6 +34,7 @@ logger = logging.getLogger(__name__)
 from django.http import HttpResponse
 
 from uds.core.util.config import GlobalConfig
+from uds.core.auths.auth import isTrustedSource
 
 if typing.TYPE_CHECKING:
     from django.http import HttpRequest
@@ -56,8 +57,18 @@ class UDSSecurityMiddleware:
 
     def __call__(self, request: 'HttpRequest') -> 'HttpResponse':
         # If bot, break now
-        ua = request.META.get('HTTP_USER_AGENT', 'Connection Maybe a bot. No user agent detected.')
-        if bot.search(ua):
+        ua = request.META.get(
+            'HTTP_USER_AGENT', 'Connection Maybe a bot. No user agent detected.'
+        )
+        # Simple ip check, to allow "trusted" ips to access UDS
+        ip = (
+            request.META.get(
+                'REMOTE_ADDR',
+                request.META.get('HTTP_X_FORWARDED_FOR', '').split(",")[-1],
+            )
+            or '0.0.0.0'
+        )
+        if not isTrustedSource(ip) and bot.search(ua):
             # Return emty response if bot is detected
             logger.info(
                 'Denied Bot %s from %s to %s',
@@ -71,10 +82,13 @@ class UDSSecurityMiddleware:
             return HttpResponse(content='Forbbiden', status=403)
 
         response = self.get_response(request)
-        
+
         if GlobalConfig.ENHANCED_SECURITY.getBool():
             # Legacy browser support for X-XSS-Protection
             response.headers.setdefault('X-XSS-Protection', '1; mode=block')
             # Add Content-Security-Policy, see https://www.owasp.org/index.php/Content_Security_Policy
-            response.headers.setdefault('Content-Security-Policy', "default-src 'self' 'unsafe-inline' 'unsafe-eval' uds: udss:; img-src 'self' https: data:;")
+            response.headers.setdefault(
+                'Content-Security-Policy',
+                "default-src 'self' 'unsafe-inline' 'unsafe-eval' uds: udss:; img-src 'self' https: data:;",
+            )
         return response