diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-07-15 16:55:49 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-07-15 16:55:49 +0200 |
commit | 68c45ad53b34301c1a0c59352a839db13e1f2420 (patch) | |
tree | 7a2c4ffcb6cc489ddd30aaaa23d242941cde24ed | |
parent | 5868f9c64f0a2e9c03f6abee35ed0f0f09d30fe4 (diff) | |
download | Nix-68c45ad53b34301c1a0c59352a839db13e1f2420.tar.gz Nix-68c45ad53b34301c1a0c59352a839db13e1f2420.tar.zst Nix-68c45ad53b34301c1a0c59352a839db13e1f2420.zip |
Add CSP reports
-rw-r--r-- | modules/private/environment.nix | 10 | ||||
-rw-r--r-- | modules/private/websites/tools/tools/default.nix | 3 | ||||
-rw-r--r-- | modules/private/websites/tools/tools/landing/report_csp_violation.php | 25 |
3 files changed, 27 insertions, 11 deletions
diff --git a/modules/private/environment.nix b/modules/private/environment.nix index 3a805c6..b8c4dd2 100644 --- a/modules/private/environment.nix +++ b/modules/private/environment.nix | |||
@@ -1077,6 +1077,16 @@ in | |||
1077 | type = attrsOf str; | 1077 | type = attrsOf str; |
1078 | description = "Mapping 'name'.php => script for webhooks"; | 1078 | description = "Mapping 'name'.php => script for webhooks"; |
1079 | }; | 1079 | }; |
1080 | csp_reports = mkOption { | ||
1081 | description = "CSP report configuration"; | ||
1082 | type = submodule { | ||
1083 | options = { | ||
1084 | report_uri = mkOption { type = str; description = "URI to report CSP violations to"; }; | ||
1085 | policies = mkOption { type = attrsOf str; description = "CSP policies to apply"; }; | ||
1086 | postgresql = mkPsqlOptions "CSP reports"; | ||
1087 | }; | ||
1088 | }; | ||
1089 | }; | ||
1080 | commento = mkOption { | 1090 | commento = mkOption { |
1081 | description = "Commento configuration"; | 1091 | description = "Commento configuration"; |
1082 | type = submodule { | 1092 | type = submodule { |
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix index 7a9a125..93d1122 100644 --- a/modules/private/websites/tools/tools/default.nix +++ b/modules/private/websites/tools/tools/default.nix | |||
@@ -112,6 +112,7 @@ in { | |||
112 | '' | 112 | '' |
113 | Timeout 600 | 113 | Timeout 600 |
114 | ProxyTimeout 600 | 114 | ProxyTimeout 600 |
115 | Header always set Content-Security-Policy-Report-Only "${config.myEnv.tools.csp_reports.policies.inline}" | ||
115 | <Directory "/var/lib/ftp/devtools.immae.eu"> | 116 | <Directory "/var/lib/ftp/devtools.immae.eu"> |
116 | DirectoryIndex index.php index.htm index.html | 117 | DirectoryIndex index.php index.htm index.html |
117 | AllowOverride all | 118 | AllowOverride all |
@@ -304,6 +305,8 @@ in { | |||
304 | }; | 305 | }; |
305 | phpEnv = { | 306 | phpEnv = { |
306 | CONTACT_EMAIL = config.myEnv.tools.contact; | 307 | CONTACT_EMAIL = config.myEnv.tools.contact; |
308 | CSP_REPORT_URI = with config.myEnv.tools.csp_reports.postgresql; | ||
309 | "\"host=${socket} dbname=${database} user=${user} password=${password}\""; | ||
307 | }; | 310 | }; |
308 | phpPackage = pkgs.php72; | 311 | phpPackage = pkgs.php72; |
309 | }; | 312 | }; |
diff --git a/modules/private/websites/tools/tools/landing/report_csp_violation.php b/modules/private/websites/tools/tools/landing/report_csp_violation.php index 13a3234..30140b2 100644 --- a/modules/private/websites/tools/tools/landing/report_csp_violation.php +++ b/modules/private/websites/tools/tools/landing/report_csp_violation.php | |||
@@ -1,19 +1,22 @@ | |||
1 | <?php | 1 | <?php |
2 | $email_address = 'ismael@bouya.org'; | 2 | http_response_code(204); |
3 | $email_subject = 'Content-Security-Policy violation'; | ||
4 | 3 | ||
5 | $current_domain = $_SERVER['SERVER_NAME']; | 4 | $dbconn = pg_connect(getenv("CSP_REPORT_URI")) or die(); |
6 | $email_subject = $email_subject . ' on ' . $current_domain; | ||
7 | 5 | ||
8 | http_response_code(204); | 6 | function _get(&$var, $default=null) { |
7 | return isset($var) ? $var : $default; | ||
8 | } | ||
9 | 9 | ||
10 | $json_data = file_get_contents('php://input'); | 10 | $json_data = file_get_contents('php://input'); |
11 | if ($json_data = json_decode($json_data, true)) { | ||
12 | $report = _get($json_data["csp-report"], Array()); | ||
13 | $blocked_uri = _get($report["blocked-uri"], ""); | ||
14 | $document_uri = _get($report["document-uri"], ""); | ||
15 | $original_policy = _get($report["original-policy"], ""); | ||
16 | $referrer = _get($report["referrer"], ""); | ||
17 | $violated_directive = _get($report["violated-directive"], ""); | ||
11 | 18 | ||
12 | if ($json_data = json_decode($json_data)) { | 19 | $query = pg_prepare($dbconn, "insert_query", 'INSERT INTO csp_reports (blocked_uri, document_uri, original_policy, referrer, violated_directive, total_count, last) VALUES ($1, $2, $3, $4, $5, 1, NOW()) ON CONFLICT ON CONSTRAINT csp_report_unique DO UPDATE SET total_count = csp_reports.total_count + 1, last = NOW(), referrer = EXCLUDED.referrer, original_policy = EXCLUDED.original_policy'); |
13 | $json_data = json_encode($json_data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES); | ||
14 | 20 | ||
15 | $message = "The following Content-Security-Policy violation occurred on " . | 21 | pg_execute($dbconn, "insert_query", Array($blocked_uri, $document_uri, $original_policy, $referrer, $violated_directive)); |
16 | $current_domain . ":\n\n" . | ||
17 | $json_data; | ||
18 | mail($email_address, $email_subject, $message, 'Content-Type: text/plain;charset=utf-8'); | ||
19 | } | 22 | } |