From 5e088c1c724d4031c45a627d5475ebd688c6b767 Mon Sep 17 00:00:00 2001
From: Mickael E
Date: Fri, 6 Apr 2018 11:58:13 -0400
Subject: [PATCH 1/2] Add CSP for securedrop.org using django-csp

Add django-csp to requirements and middleware Whitelisted inline scripts by hash and style to deny inline scripts and style. Excluded /admin path for CSP as it was making very heavy use of inline JS. unsafe-eval is required for client/common/js/common.js:645 and /client/tor/js/torEntry.js:89. We should consider fixing this, as it would allow XSS should user-supplied code finds it's way to an eval method.
---
 dev-requirements.txt | 1 +
 requirements.in | 1 +
 requirements.txt | 1 +
 securedrop/settings/base.py | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 38 insertions(+)

diff --git a/dev-requirements.txt b/dev-requirements.txt
index 29676850a..fd589ede6 100644
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -14,6 +14,7 @@ defusedxml==0.5.0
 django-allauth-2fa==0.4.4
 django-allauth==0.34.0
 django-anymail[mailgun]==1.4
+django-csp==3.4
 django-debug-toolbar==1.9.1
 django-modelcluster==3.1
 django-otp==0.4.1.1
diff --git a/requirements.in b/requirements.in
index bd06f8161..b8e1ef239 100644
--- a/requirements.in
+++ b/requirements.in
@@ -24,5 +24,6 @@ wagtail-metadata
 unittest-xml-reporting
 django-allauth==0.34.0
 django-allauth-2fa
+django-csp
 zxcvbn-python
 safety
diff --git a/requirements.txt b/requirements.txt
index 4ef29780f..f4d816fe9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -13,6 +13,7 @@ defusedxml==0.5.0 # via python3-openid
 django-allauth-2fa==0.4.4
 django-allauth==0.34.0
 django-anymail[mailgun]==1.4
+django-csp==3.4
 django-modelcluster==3.1
 django-otp==0.4.1.1 # via django-allauth-2fa
 django-recaptcha==1.3.1
diff --git a/securedrop/settings/base.py b/securedrop/settings/base.py
index 6f56a6ddc..31ea386fa 100644
--- a/securedrop/settings/base.py
+++ b/securedrop/settings/base.py
@@ -109,6 +109,9 @@
 # flow is reset if another page is loaded between login and successfully
 # entering two-factor credentials.
 'allauth_2fa.middleware.AllauthTwoFactorMiddleware',
+
+ # Middleware for content security policy
+ 'csp.middleware.CSPMiddleware',
 ]
 
 ROOT_URLCONF = 'securedrop.urls'
@@ -346,3 +349,35 @@
 },
 },
 }
+
+# Content Security Policy
+# script:
+# unsafe-eval for client/common/js/common.js:645 and /client/tor/js/torEntry.js:89
+# jquery for wagtail/django debug
+# All for inline scripts in wagtail (admin) login page line 44 and 92
+# style:
+# #1 through #8needed for inline style for svg in sliding-nav:
+# #9 and #10 hashes needed for inline style for modernizr on admin page
+# #11 needed for wagtail admin
+
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_SCRIPT_SRC = (
+ "'self'",
+ 'http://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js',
+ "'unsafe-eval'",
+)
+CSP_STYLE_SRC = (
+ "'self'",
+ "'sha256-kRJHclfjr7e5UYWHxtr0Bzdv2BiUtaSbDQe69HgEqXM='",
+ "'sha256-cMOfJ1K7bmWDFQ9IoI+B6fO37u9xMiBgP1rpm79IayM='",
+ "'sha256-Pf5JUUfhnnTVCCmSWFJ3qi/1j67vD2TeYvr7T6LxfqY='",
+ "'sha256-aJumNcjgS5IN0N559UWLFNCtnIIo3CqO862elt0w1A0='",
+ "'sha256-Rg1ua3eExI+in3cF/PWaHTHMjpiLQz/jTlIXr2kBY38='",
+ "'sha256-Zbh/ZO0Ff1YEynn0zSl56u5itxZmwkCVF3PgnnOm8u4='",
+ "'sha256-4ieA95gpQdpg9JDmuID1CQF8dJ/U0JnDqE4GQecAIdg='",
+ "'sha256-LAw02AamnUpPKuSLFUcg9Kh2SLuqSmaXiiV45Y21f84='",
+)
+CSP_IMG_SRC = ("'self'",)
+CSP_FRAME_SRC = ("'self'",)
+CSP_CONNECT_SRC = ("'self'",)
+CSP_EXCLUDE_URL_PREFIXES = ("/admin", )

From 714f37fb254a03f5d032a4913a2dcc78688839e1 Mon Sep 17 00:00:00 2001
From: Harris Lapiroff
Date: Tue, 17 Apr 2018 15:48:28 -0400
Subject: [PATCH 2/2] Remove jQuery CDN from CSP

No longer needed since
---
 securedrop/settings/base.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/securedrop/settings/base.py b/securedrop/settings/base.py
index 31ea386fa..6363bf76b 100644
--- a/securedrop/settings/base.py
+++ b/securedrop/settings/base.py
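Review bot: The policy added in the second hunk sets no `base-uri`, `form-action` or `frame-ancestors`, and none of those directives fall back to `default-src`, so an injected `<base>` element could still retarget the page's relative script URLs, forms could still submit off-site, and the site remains frameable; django-csp exposes them as `CSP_BASE_URI = ("'self'",)`, `CSP_FORM_ACTION = ("'self'",)` and `CSP_FRAME_ANCESTORS = ("'self'",)`. The header comment is also out of step with the code: it refers to hashes #9–#11 for modernizr and the wagtail admin, but CSP_STYLE_SRC lists eight hashes and /admin is exempted via CSP_EXCLUDE_URL_PREFIXES, so those lines (and the `#8needed` typo) should be dropped or corrected so the next maintainer can tell which hash belongs to which inline style. Because a hash allow-list silently breaks the sliding-nav SVG styling whenever that markup changes, consider pointing `CSP_REPORT_URI` at a collector, or rolling the policy out with `CSP_REPORT_ONLY = True` first, so violations surface instead of being discovered as broken pages. CSP_EXCLUDE_URL_PREFIXES is a plain string-prefix match, so `"/admin"` also exempts any other path beginning with those characters; `"/admin/"` is the tighter form if the wagtail admin is mounted there.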
@@ -353,7 +353,6 @@
 # Content Security Policy
 # script:
 # unsafe-eval for client/common/js/common.js:645 and /client/tor/js/torEntry.js:89
-# jquery for wagtail/django debug
 # All for inline scripts in wagtail (admin) login page line 44 and 92
 # style:
 # #1 through #8needed for inline style for svg in sliding-nav:
@@ -363,7 +362,6 @@
 CSP_DEFAULT_SRC = ("'self'",)
 CSP_SCRIPT_SRC = (
 "'self'",
- 'http://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js',
 "'unsafe-eval'",
 )
 CSP_STYLE_SRC = (