Added sedcurity middleware also
parent
df815776da
commit
f90bf3a421
@ -26,6 +26,7 @@
|
|||||||
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
import logging
|
import logging
|
||||||
|
import typing
|
||||||
|
|
||||||
from django.urls import reverse
|
from django.urls import reverse
|
||||||
from django.http import HttpResponseRedirect
|
from django.http import HttpResponseRedirect
|
||||||
@ -33,6 +34,9 @@ from uds.core.util.config import GlobalConfig
|
|||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
if typing.TYPE_CHECKING:
|
||||||
|
from django.http import HttpRequest, HttpResponse
|
||||||
|
|
||||||
|
|
||||||
class RedirectMiddleware:
|
class RedirectMiddleware:
|
||||||
"""
|
"""
|
||||||
@ -41,7 +45,7 @@ class RedirectMiddleware:
|
|||||||
Some paths will not be redirected, to avoid problems, but they are advised to use SSL (this is for backwards compat)
|
Some paths will not be redirected, to avoid problems, but they are advised to use SSL (this is for backwards compat)
|
||||||
"""
|
"""
|
||||||
|
|
||||||
NO_REDIRECT = [
|
NO_REDIRECT: typing.ClassVar[typing.List[str]] = [
|
||||||
'rest',
|
'rest',
|
||||||
'pam',
|
'pam',
|
||||||
'guacamole',
|
'guacamole',
|
||||||
@ -55,10 +59,14 @@ class RedirectMiddleware:
|
|||||||
'uds/rest/tunnel',
|
'uds/rest/tunnel',
|
||||||
]
|
]
|
||||||
|
|
||||||
def __init__(self, get_response):
|
get_response: typing.Any # typing.Callable[['HttpRequest'], 'HttpResponse']
|
||||||
|
|
||||||
|
def __init__(
|
||||||
|
self, get_response: typing.Callable[['HttpRequest'], 'HttpResponse']
|
||||||
|
) -> None:
|
||||||
self.get_response = get_response
|
self.get_response = get_response
|
||||||
|
|
||||||
def __call__(self, request):
|
def __call__(self, request: 'HttpRequest') -> 'HttpResponse':
|
||||||
full_path = request.get_full_path()
|
full_path = request.get_full_path()
|
||||||
redirect = True
|
redirect = True
|
||||||
for nr in RedirectMiddleware.NO_REDIRECT:
|
for nr in RedirectMiddleware.NO_REDIRECT:
|
||||||
|
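--- /dev/null
+++ b/server/src/uds/core/util/middleware/security.py
@@ -0,0 +1,57 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2021 Virtual Cable S.L.U.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+# * Neither the name of Virtual Cable S.L. nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+import logging
+import typing
+
+logger = logging.getLogger(__name__)
+
+from django.http import HttpResponseForbidden
+
+if typing.TYPE_CHECKING:
+    from django.http import HttpRequest, HttpResponse
+
+
+class UDSSecurityMiddleware:
+    '''
+    This class contains all the security checks done by UDS in order to add some extra protection.
+    '''
+    get_response: typing.Any # typing.Callable[['HttpRequest'], 'HttpResponse']
+
+    def __init__(
+        self, get_response: typing.Callable[['HttpRequest'], 'HttpResponse']
+    ) -> None:
+        self.get_response = get_response
+
+    def __call__(self, request: 'HttpRequest') -> 'HttpResponse':
+        # Old browsers does not sends the sec-fetch* headers, count them as fine
+        # This is just only a layer on the top of the security headers
+        if request.headers.get('Sec-Fetch-Site', 'none') in ('same-origin', 'same-site', 'none'):
+            return self.get_response(request)
+
+        # If Sec-Fetch-Site header is present, but not allowed (that is, not same origin), return 403
+        return HttpResponseForbidden('Forbidden Cross Origin request')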
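Review bot: The `Sec-Fetch-Site` check in `UDSSecurityMiddleware.__call__` rejects every cross-site request, including ordinary top-level navigations — a user following a link to the UDS login page from another site sends `Sec-Fetch-Site: cross-site` together with `Sec-Fetch-Mode: navigate`, and will get the 403. The usual Fetch Metadata resource-isolation policy lets such navigations through before the cross-site rejection: `if request.method == 'GET' and request.headers.get('Sec-Fetch-Mode') == 'navigate' and request.headers.get('Sec-Fetch-Dest') not in ('object', 'embed'): return self.get_response(request)`. The rejection path is also silent even though `logger` is created at module level; a `logger.warning('Blocked cross-site request to %s (Sec-Fetch-Site=%s)', request.path, request.headers.get('Sec-Fetch-Site'))` before the `HttpResponseForbidden` would make blocked requests visible for monitoring. `__call__` has no docstring; one stating that the middleware applies Fetch Metadata resource isolation and passes requests without the header through unchanged would document the fail-open choice the two comments only hint at.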