diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-07-15 16:55:49 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-07-15 16:55:49 +0200 |
| commit | 68c45ad53b34301c1a0c59352a839db13e1f2420 (patch) | |
| tree | 7a2c4ffcb6cc489ddd30aaaa23d242941cde24ed /modules | |
| parent | 5868f9c64f0a2e9c03f6abee35ed0f0f09d30fe4 (diff) | |
| download | Nix-68c45ad53b34301c1a0c59352a839db13e1f2420.tar.gz Nix-68c45ad53b34301c1a0c59352a839db13e1f2420.tar.zst Nix-68c45ad53b34301c1a0c59352a839db13e1f2420.zip | |
Add CSP reports
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/private/environment.nix | 10 | ||||
| -rw-r--r-- | modules/private/websites/tools/tools/default.nix | 3 | ||||
| -rw-r--r-- | modules/private/websites/tools/tools/landing/report_csp_violation.php | 25 |
3 files changed, 27 insertions, 11 deletions
diff --git a/modules/private/environment.nix b/modules/private/environment.nix index 3a805c6..b8c4dd2 100644 --- a/modules/private/environment.nix +++ b/modules/private/environment.nix | |||
| @@ -1077,6 +1077,16 @@ in | |||
| 1077 | type = attrsOf str; | 1077 | type = attrsOf str; |
| 1078 | description = "Mapping 'name'.php => script for webhooks"; | 1078 | description = "Mapping 'name'.php => script for webhooks"; |
| 1079 | }; | 1079 | }; |
| 1080 | csp_reports = mkOption { | ||
| 1081 | description = "CSP report configuration"; | ||
| 1082 | type = submodule { | ||
| 1083 | options = { | ||
| 1084 | report_uri = mkOption { type = str; description = "URI to report CSP violations to"; }; | ||
| 1085 | policies = mkOption { type = attrsOf str; description = "CSP policies to apply"; }; | ||
| 1086 | postgresql = mkPsqlOptions "CSP reports"; | ||
| 1087 | }; | ||
| 1088 | }; | ||
| 1089 | }; | ||
| 1080 | commento = mkOption { | 1090 | commento = mkOption { |
| 1081 | description = "Commento configuration"; | 1091 | description = "Commento configuration"; |
| 1082 | type = submodule { | 1092 | type = submodule { |
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix index 7a9a125..93d1122 100644 --- a/modules/private/websites/tools/tools/default.nix +++ b/modules/private/websites/tools/tools/default.nix | |||
| @@ -112,6 +112,7 @@ in { | |||
| 112 | '' | 112 | '' |
| 113 | Timeout 600 | 113 | Timeout 600 |
| 114 | ProxyTimeout 600 | 114 | ProxyTimeout 600 |
| 115 | Header always set Content-Security-Policy-Report-Only "${config.myEnv.tools.csp_reports.policies.inline}" | ||
| 115 | <Directory "/var/lib/ftp/devtools.immae.eu"> | 116 | <Directory "/var/lib/ftp/devtools.immae.eu"> |
| 116 | DirectoryIndex index.php index.htm index.html | 117 | DirectoryIndex index.php index.htm index.html |
| 117 | AllowOverride all | 118 | AllowOverride all |
| @@ -304,6 +305,8 @@ in { | |||
| 304 | }; | 305 | }; |
| 305 | phpEnv = { | 306 | phpEnv = { |
| 306 | CONTACT_EMAIL = config.myEnv.tools.contact; | 307 | CONTACT_EMAIL = config.myEnv.tools.contact; |
| 308 | CSP_REPORT_URI = with config.myEnv.tools.csp_reports.postgresql; | ||
| 309 | "\"host=${socket} dbname=${database} user=${user} password=${password}\""; | ||
| 307 | }; | 310 | }; |
| 308 | phpPackage = pkgs.php72; | 311 | phpPackage = pkgs.php72; |
| 309 | }; | 312 | }; |
diff --git a/modules/private/websites/tools/tools/landing/report_csp_violation.php b/modules/private/websites/tools/tools/landing/report_csp_violation.php index 13a3234..30140b2 100644 --- a/modules/private/websites/tools/tools/landing/report_csp_violation.php +++ b/modules/private/websites/tools/tools/landing/report_csp_violation.php | |||
| @@ -1,19 +1,22 @@ | |||
| 1 | <?php | 1 | <?php |
| 2 | $email_address = 'ismael@bouya.org'; | 2 | http_response_code(204); |
| 3 | $email_subject = 'Content-Security-Policy violation'; | ||
| 4 | 3 | ||
| 5 | $current_domain = $_SERVER['SERVER_NAME']; | 4 | $dbconn = pg_connect(getenv("CSP_REPORT_URI")) or die(); |
| 6 | $email_subject = $email_subject . ' on ' . $current_domain; | ||
| 7 | 5 | ||
| 8 | http_response_code(204); | 6 | function _get(&$var, $default=null) { |
| 7 | return isset($var) ? $var : $default; | ||
| 8 | } | ||
| 9 | 9 | ||
| 10 | $json_data = file_get_contents('php://input'); | 10 | $json_data = file_get_contents('php://input'); |
| 11 | if ($json_data = json_decode($json_data, true)) { | ||
| 12 | $report = _get($json_data["csp-report"], Array()); | ||
| 13 | $blocked_uri = _get($report["blocked-uri"], ""); | ||
| 14 | $document_uri = _get($report["document-uri"], ""); | ||
| 15 | $original_policy = _get($report["original-policy"], ""); | ||
| 16 | $referrer = _get($report["referrer"], ""); | ||
| 17 | $violated_directive = _get($report["violated-directive"], ""); | ||
| 11 | 18 | ||
| 12 | if ($json_data = json_decode($json_data)) { | 19 | $query = pg_prepare($dbconn, "insert_query", 'INSERT INTO csp_reports (blocked_uri, document_uri, original_policy, referrer, violated_directive, total_count, last) VALUES ($1, $2, $3, $4, $5, 1, NOW()) ON CONFLICT ON CONSTRAINT csp_report_unique DO UPDATE SET total_count = csp_reports.total_count + 1, last = NOW(), referrer = EXCLUDED.referrer, original_policy = EXCLUDED.original_policy'); |
| 13 | $json_data = json_encode($json_data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES); | ||
| 14 | 20 | ||
| 15 | $message = "The following Content-Security-Policy violation occurred on " . | 21 | pg_execute($dbconn, "insert_query", Array($blocked_uri, $document_uri, $original_policy, $referrer, $violated_directive)); |
| 16 | $current_domain . ":\n\n" . | ||
| 17 | $json_data; | ||
| 18 | mail($email_address, $email_subject, $message, 'Content-Type: text/plain;charset=utf-8'); | ||
| 19 | } | 22 | } |