authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-07-15 16:55:49 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-07-15 16:55:49 +0200
commit68c45ad53b34301c1a0c59352a839db13e1f2420 (patch)
tree7a2c4ffcb6cc489ddd30aaaa23d242941cde24ed /modules/private
parent5868f9c64f0a2e9c03f6abee35ed0f0f09d30fe4 (diff)
Add CSP reports
Diffstat (limited to 'modules/private')
-rw-r--r--modules/private/environment.nix10
-rw-r--r--modules/private/websites/tools/tools/default.nix3
-rw-r--r--modules/private/websites/tools/tools/landing/report_csp_violation.php25
3 files changed, 27 insertions, 11 deletions
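--- a/modules/private/environment.nix
+++ b/modules/private/environment.nix
@@ -1077,6 +1077,16 @@ in
         type = attrsOf str;
         description = "Mapping 'name'.php => script for webhooks";
       };
+      csp_reports = mkOption {
+        description = "CSP report configuration";
+        type = submodule {
+          options = {
+            report_uri = mkOption { type = str; description = "URI to report CSP violations to"; };
+            policies = mkOption { type = attrsOf str; description = "CSP policies to apply"; };
+            postgresql = mkPsqlOptions "CSP reports";
+          };
+        };
+      };
       commento = mkOption {
         description = "Commento configuration";
         type = submodule {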
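--- a/modules/private/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -112,6 +112,7 @@ in {
       ''
       Timeout 600
       ProxyTimeout 600
+      Header always set Content-Security-Policy-Report-Only "${config.myEnv.tools.csp_reports.policies.inline}"
       <Directory "/var/lib/ftp/devtools.immae.eu">
         DirectoryIndex index.php index.htm index.html
         AllowOverride all
@@ -304,6 +305,8 @@ in {
     };
     phpEnv = {
       CONTACT_EMAIL = config.myEnv.tools.contact;
+      CSP_REPORT_URI = with config.myEnv.tools.csp_reports.postgresql;
+        "\"host=${socket} dbname=${database} user=${user} password=${password}\"";
     };
     phpPackage = pkgs.php72;
   };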
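Review bot: The libpq connection string assigned to `CSP_REPORT_URI` at new lines 308-309 puts the database password into the php-fpm pool environment, where every script served by that pool (and anything that can call `phpinfo()` or read the process environment) can see it; if `phpEnv` is rendered into a pool config file in the Nix store, it presumably also becomes world-readable on the host. Since `host=${socket}` points at a Unix socket, consider dropping `password=` and relying on socket peer authentication, or pointing libpq at a root-owned credentials file via `PGPASSFILE` instead of inlining the secret. The variable name is also misleading: it holds a connection string rather than a report URI, and the module already declares a distinct `report_uri` option, so something like `CSP_REPORT_DB` would read more clearly. The header added at new line 115 is `Content-Security-Policy-Report-Only`, so nothing is enforced yet; that is fine for a rollout but worth stating in a comment next to the line.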
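--- a/modules/private/websites/tools/tools/landing/report_csp_violation.php
+++ b/modules/private/websites/tools/tools/landing/report_csp_violation.php
@@ -1,19 +1,22 @@
 <?php
-$email_address = 'ismael@bouya.org';
-$email_subject = 'Content-Security-Policy violation';
+http_response_code(204);
 
-$current_domain = $_SERVER['SERVER_NAME'];
-$email_subject = $email_subject . ' on ' . $current_domain;
+$dbconn = pg_connect(getenv("CSP_REPORT_URI")) or die();
 
-http_response_code(204);
+function _get(&$var, $default=null) {
+    return isset($var) ? $var : $default;
+}
 
 $json_data = file_get_contents('php://input');
+if ($json_data = json_decode($json_data, true)) {
+    $report = _get($json_data["csp-report"], Array());
+    $blocked_uri = _get($report["blocked-uri"], "");
+    $document_uri = _get($report["document-uri"], "");
+    $original_policy = _get($report["original-policy"], "");
+    $referrer = _get($report["referrer"], "");
+    $violated_directive = _get($report["violated-directive"], "");
 
-if ($json_data = json_decode($json_data)) {
-    $json_data = json_encode($json_data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
+    $query = pg_prepare($dbconn, "insert_query", 'INSERT INTO csp_reports (blocked_uri, document_uri, original_policy, referrer, violated_directive, total_count, last) VALUES ($1, $2, $3, $4, $5, 1, NOW()) ON CONFLICT ON CONSTRAINT csp_report_unique DO UPDATE SET total_count = csp_reports.total_count + 1, last = NOW(), referrer = EXCLUDED.referrer, original_policy = EXCLUDED.original_policy');
 
-    $message = "The following Content-Security-Policy violation occurred on " .
-        $current_domain . ":\n\n" .
-        $json_data;
-    mail($email_address, $email_subject, $message, 'Content-Type: text/plain;charset=utf-8');
+    pg_execute($dbconn, "insert_query", Array($blocked_uri, $document_uri, $original_policy, $referrer, $violated_directive));
 }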
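Review bot: The values extracted with `_get` at new lines 12-17 go straight into `pg_execute` with no type or length check: this endpoint takes unauthenticated POST bodies, so a `blocked-uri` that is a JSON array or object reaches the driver as a non-string and the insert fails with a warning, a `csp-report` that is a JSON string appears to make the by-reference `_get($report["blocked-uri"], "")` call a fatal "cannot create references to string offsets" error, and arbitrarily long `original-policy`/`referrer` values are stored verbatim. The return values of `pg_prepare` and `pg_execute` at new lines 19 and 21 are also discarded (and `$query` is never read), so a failed insert leaves no trace. Coercing each field to a bounded scalar string, guarding that `$report` is an array, and logging driver errors keeps the handler robust without changing its unconditional 204 contract; the proposed helper below is one way to do that, with the length bound being a constructed value to tune. Rejecting anything other than POST before reading `php://input` would additionally cut down on junk rows.
```php
function _get_str(&$var, $max = 2048) {
    // Only scalar values become statement parameters; arrays/objects in the
    // JSON body are dropped, and the bound stops a client from filling the table.
    $value = (isset($var) && is_scalar($var)) ? (string) $var : "";
    // substr is byte-based; prefer mb_substr when mbstring is loaded so a
    // UTF-8 sequence is not split, which PostgreSQL would reject on insert.
    return substr($value, 0, $max);
}

// … unchanged: http_response_code, pg_connect, json_decode of php://input …
    $report = _get($json_data["csp-report"], Array());
    if (!is_array($report)) {
        $report = Array();
    }
    $blocked_uri = _get_str($report["blocked-uri"]);
    $document_uri = _get_str($report["document-uri"]);
    $original_policy = _get_str($report["original-policy"]);
    $referrer = _get_str($report["referrer"]);
    $violated_directive = _get_str($report["violated-directive"]);

    $prepared = pg_prepare($dbconn, "insert_query", /* … unchanged: INSERT … ON CONFLICT statement … */);
    $result = $prepared ? pg_execute($dbconn, "insert_query", Array($blocked_uri, $document_uri, $original_policy, $referrer, $violated_directive)) : false;
    if ($result === false) {
        // Response stays 204 either way; the failure is only visible in the server log.
        error_log("report_csp_violation: insert failed: " . pg_last_error($dbconn));
    }
```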