From 68c45ad53b34301c1a0c59352a839db13e1f2420 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Wed, 15 Jul 2020 16:55:49 +0200
Subject: Add CSP reports

---
 modules/private/websites/tools/tools/default.nix   |  3 +++
 .../tools/tools/landing/report_csp_violation.php   | 25 ++++++++++++----------
 2 files changed, 17 insertions(+), 11 deletions(-)

(limited to 'modules/private/websites/tools')

diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix
index 7a9a125..93d1122 100644
--- a/modules/private/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -112,6 +112,7 @@ in {
         ''
           Timeout 600
           ProxyTimeout 600
+          Header always set Content-Security-Policy-Report-Only "${config.myEnv.tools.csp_reports.policies.inline}"
           <Directory "/var/lib/ftp/devtools.immae.eu">
             DirectoryIndex index.php index.htm index.html
             AllowOverride all
@@ -304,6 +305,8 @@ in {
         };
         phpEnv = {
           CONTACT_EMAIL = config.myEnv.tools.contact;
+          CSP_REPORT_URI = with config.myEnv.tools.csp_reports.postgresql;
+            "\"host=${socket} dbname=${database} user=${user} password=${password}\"";
         };
         phpPackage = pkgs.php72;
       };
diff --git a/modules/private/websites/tools/tools/landing/report_csp_violation.php b/modules/private/websites/tools/tools/landing/report_csp_violation.php
index 13a3234..30140b2 100644
--- a/modules/private/websites/tools/tools/landing/report_csp_violation.php
+++ b/modules/private/websites/tools/tools/landing/report_csp_violation.php
@@ -1,19 +1,22 @@
 <?php
-$email_address = 'ismael@bouya.org';
-$email_subject = 'Content-Security-Policy violation';
+http_response_code(204);
 
-$current_domain = $_SERVER['SERVER_NAME'];
-$email_subject = $email_subject . ' on ' . $current_domain;
+$dbconn = pg_connect(getenv("CSP_REPORT_URI")) or die();
 
-http_response_code(204);
+function _get(&$var, $default=null) {
+  return isset($var) ? $var : $default;
+}
 
 $json_data = file_get_contents('php://input');
+if ($json_data = json_decode($json_data, true)) {
+  $report = _get($json_data["csp-report"], Array());
+  $blocked_uri = _get($report["blocked-uri"], "");
+  $document_uri = _get($report["document-uri"], "");
+  $original_policy = _get($report["original-policy"], "");
+  $referrer = _get($report["referrer"], "");
+  $violated_directive = _get($report["violated-directive"], "");
 
-if ($json_data = json_decode($json_data)) {
-  $json_data = json_encode($json_data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
+  $query = pg_prepare($dbconn, "insert_query", 'INSERT INTO csp_reports (blocked_uri, document_uri, original_policy, referrer, violated_directive, total_count, last) VALUES ($1, $2, $3, $4, $5, 1, NOW()) ON CONFLICT ON CONSTRAINT csp_report_unique DO UPDATE SET total_count = csp_reports.total_count + 1, last = NOW(), referrer = EXCLUDED.referrer, original_policy = EXCLUDED.original_policy');
 
-  $message = "The following Content-Security-Policy violation occurred on " .
-    $current_domain . ":\n\n" .
-    $json_data;
-  mail($email_address, $email_subject, $message, 'Content-Type: text/plain;charset=utf-8');
+  pg_execute($dbconn, "insert_query", Array($blocked_uri, $document_uri, $original_policy, $referrer, $violated_directive));
 }
-- 
cgit v1.2.3