Add CSP reports
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Wed, 15 Jul 2020 14:55:49 +0000 (16:55 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Wed, 15 Jul 2020 14:55:49 +0000 (16:55 +0200)
modules/private/environment.nix
modules/private/websites/tools/tools/default.nix
modules/private/websites/tools/tools/landing/report_csp_violation.php

index 3a805c601b7693cf87f3f68ab95e5dfc96bd1180..b8c4dd2325a89497decbdc876f0b73f1dc05601e 100644 (file)
@@ -1077,6 +1077,16 @@ in
             type = attrsOf str;
             description = "Mapping 'name'.php => script for webhooks";
           };
+          csp_reports = mkOption {
+            description = "CSP report configuration";
+            type = submodule {
+              options = {
+                report_uri = mkOption { type = str; description = "URI to report CSP violations to"; };
+                policies = mkOption { type = attrsOf str; description = "CSP policies to apply"; };
+                postgresql = mkPsqlOptions "CSP reports";
+              };
+            };
+          };
           commento = mkOption {
             description = "Commento configuration";
             type = submodule {
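Review bot: The `policies` option is typed as a free-form `attrsOf str`, but the consumer in modules/private/websites/tools/tools/default.nix reads a specific key (`policies.inline`) and will fail evaluation if it is absent; the description should name that contract, e.g. `description = "CSP policies to apply, keyed by name; the 'inline' key is emitted as Content-Security-Policy-Report-Only on the tools vhost";`. The new `report_uri` option is not referenced by either of the other two files in this commit, so if nothing else consumes it, its description should say where it is expected to be used (or it should be dropped until it is). The enclosing `submodule` options block starts and ends outside this hunk.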
index 7a9a125715341923868830f54ede5a1ed6a9d66e..93d11222785fd860c64dcd7320d1221f35f7b6d8 100644 (file)
@@ -112,6 +112,7 @@ in {
         ''
           Timeout 600
           ProxyTimeout 600
+          Header always set Content-Security-Policy-Report-Only "${config.myEnv.tools.csp_reports.policies.inline}"
           <Directory "/var/lib/ftp/devtools.immae.eu">
             DirectoryIndex index.php index.htm index.html
             AllowOverride all
@@ -304,6 +305,8 @@ in {
         };
         phpEnv = {
           CONTACT_EMAIL = config.myEnv.tools.contact;
+          CSP_REPORT_URI = with config.myEnv.tools.csp_reports.postgresql;
+            "\"host=${socket} dbname=${database} user=${user} password=${password}\"";
         };
         phpPackage = pkgs.php72;
       };
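Review bot: `CSP_REPORT_URI` (the added lines in the phpEnv hunk) is not a URI but a full libpq connection string carrying the database password, and placing it in the pool's `phpEnv` exposes that secret to every PHP script served by this pool via `getenv()`, not only to report_csp_violation.php. Renaming the variable to reflect its content, `CSP_REPORT_DB = with config.myEnv.tools.csp_reports.postgresql;`, with the matching `pg_connect(getenv("CSP_REPORT_DB"))` in the PHP file, avoids a reader treating it as a public endpoint; and, depending on how `phpEnv` is rendered into the php-fpm pool config, the password may also end up in a world-readable Nix store path, which is worth confirming. Separately, in the first hunk the `Content-Security-Policy-Report-Only` header is built only from `policies.inline`, so unless that string itself contains a `report-uri` directive pointing at the new script, browsers will never send a report. Both enclosing attribute sets start and end outside their hunks.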
index 13a323426d78e7bb282b4c40184503549f1a334c..30140b2e68308cfa5f8777b680bb46cc38776719 100644 (file)
@@ -1,19 +1,22 @@
 <?php
-$email_address = 'ismael@bouya.org';
-$email_subject = 'Content-Security-Policy violation';
+http_response_code(204);
 
-$current_domain = $_SERVER['SERVER_NAME'];
-$email_subject = $email_subject . ' on ' . $current_domain;
+$dbconn = pg_connect(getenv("CSP_REPORT_URI")) or die();
 
-http_response_code(204);
+function _get(&$var, $default=null) {
+  return isset($var) ? $var : $default;
+}
 
 $json_data = file_get_contents('php://input');
+if ($json_data = json_decode($json_data, true)) {
+  $report = _get($json_data["csp-report"], Array());
+  $blocked_uri = _get($report["blocked-uri"], "");
+  $document_uri = _get($report["document-uri"], "");
+  $original_policy = _get($report["original-policy"], "");
+  $referrer = _get($report["referrer"], "");
+  $violated_directive = _get($report["violated-directive"], "");
 
-if ($json_data = json_decode($json_data)) {
-  $json_data = json_encode($json_data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
+  $query = pg_prepare($dbconn, "insert_query", 'INSERT INTO csp_reports (blocked_uri, document_uri, original_policy, referrer, violated_directive, total_count, last) VALUES ($1, $2, $3, $4, $5, 1, NOW()) ON CONFLICT ON CONSTRAINT csp_report_unique DO UPDATE SET total_count = csp_reports.total_count + 1, last = NOW(), referrer = EXCLUDED.referrer, original_policy = EXCLUDED.original_policy');
 
-  $message = "The following Content-Security-Policy violation occurred on " .
-    $current_domain . ":\n\n" .
-    $json_data;
-  mail($email_address, $email_subject, $message, 'Content-Type: text/plain;charset=utf-8');
+  pg_execute($dbconn, "insert_query", Array($blocked_uri, $document_uri, $original_policy, $referrer, $violated_directive));
 }
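Review bot: The five report fields are passed to pg_execute without checking that they are strings: the decoded JSON is attacker-controlled, so a `csp-report` that is not an object (a string or number) makes the by-reference `_get($report["blocked-uri"], …)` calls misbehave on string offsets, and a field that is an array or object is stringified to the literal `Array` with a notice rather than being rejected. There is also no bound on field length, so this unauthenticated endpoint will store whatever size of `original-policy` or `referrer` a client chooses to post. Since the pool runs on php72 (`phpPackage = pkgs.php72;` in default.nix), the `_get` helper can be replaced by `??` and the by-reference trick dropped entirely, with an `is_array`/`is_string` guard and a cap on each value (the 2048 below is an illustrative value to tune against the `csp_reports` column sizes). Using `[]` instead of `Array()` is a small style point in the same lines.
```php
if ($json_data = json_decode($json_data, true)) {
  $report = $json_data['csp-report'] ?? [];
  if (!is_array($report)) {
    $report = [];
  }
  // Accept only string fields, capped so a single unauthenticated report
  // cannot store arbitrarily large values.
  $field = static function (string $key) use ($report): string {
    $value = $report[$key] ?? '';
    return is_string($value) ? substr($value, 0, 2048) : '';
  };
  $blocked_uri = $field('blocked-uri');
  $document_uri = $field('document-uri');
  $original_policy = $field('original-policy');
  $referrer = $field('referrer');
  $violated_directive = $field('violated-directive');
  // … unchanged: pg_prepare / pg_execute …
}
```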