Added sedcurity middleware also

2021-09-04 22:17:41 +02:00 · 2021-09-04 22:17:41 +02:00 · f90bf3a421
commit f90bf3a421
parent df815776da
2 changed files with 68 additions and 3 deletions
--- a/server/src/uds/core/util/middleware/redirect.py
+++ b/server/src/uds/core/util/middleware/redirect.py
@ -26,6 +26,7 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 import logging
+import typing

 from django.urls import reverse
 from django.http import HttpResponseRedirect
@ -33,6 +34,9 @@ from uds.core.util.config import GlobalConfig

 logger = logging.getLogger(__name__)

+if typing.TYPE_CHECKING:
+    from django.http import HttpRequest, HttpResponse
+

 class RedirectMiddleware:
    """
@ -41,7 +45,7 @@ class RedirectMiddleware:
    Some paths will not be redirected, to avoid problems, but they are advised to use SSL (this is for backwards compat)
    """

-    NO_REDIRECT = [
+    NO_REDIRECT: typing.ClassVar[typing.List[str]] = [
        'rest',
        'pam',
        'guacamole',
@ -55,10 +59,14 @@ class RedirectMiddleware:
        'uds/rest/tunnel',
    ]

-    def __init__(self, get_response):
+    get_response: typing.Any  # typing.Callable[['HttpRequest'], 'HttpResponse']
+
+    def __init__(
+        self, get_response: typing.Callable[['HttpRequest'], 'HttpResponse']
+    ) -> None:
        self.get_response = get_response

-    def __call__(self, request):
+    def __call__(self, request: 'HttpRequest') -> 'HttpResponse':
        full_path = request.get_full_path()
        redirect = True
        for nr in RedirectMiddleware.NO_REDIRECT:
--- a/server/src/uds/core/util/middleware/security.py
+++ b/server/src/uds/core/util/middleware/security.py
@ -0,0 +1,57 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2021 Virtual Cable S.L.U.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+#    * Redistributions of source code must retain the above copyright notice,
+#      this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above copyright notice,
+#      this list of conditions and the following disclaimer in the documentation
+#      and/or other materials provided with the distribution.
+#    * Neither the name of Virtual Cable S.L. nor the names of its contributors
+#      may be used to endorse or promote products derived from this software
+#      without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+import logging
+import typing
+
+logger = logging.getLogger(__name__)
+
+from django.http import HttpResponseForbidden
+
+if typing.TYPE_CHECKING:
+    from django.http import HttpRequest, HttpResponse
+
+
+class UDSSecurityMiddleware:
+    '''
+    This class contains all the security checks done by UDS in order to add some extra protection.
+    '''
+    get_response: typing.Any  # typing.Callable[['HttpRequest'], 'HttpResponse']
+
+    def __init__(
+        self, get_response: typing.Callable[['HttpRequest'], 'HttpResponse']
+    ) -> None:
+        self.get_response = get_response
+
+    def __call__(self, request: 'HttpRequest') -> 'HttpResponse':
+        # Old browsers does not sends the sec-fetch* headers, count them as fine
+        # This is just only a layer on the top of the security headers
+        if request.headers.get('Sec-Fetch-Site', 'none') in ('same-origin', 'same-site', 'none'):
+            return self.get_response(request)
+
+        # If Sec-Fetch-Site header is present, but not allowed (that is, not same origin), return 403
+        return HttpResponseForbidden('Forbidden Cross Origin request')