forked from juerkkil/secheaders
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathutils.py
155 lines (112 loc) · 4.92 KB
/
utils.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
import re
from typing import Tuple
from constants import EVAL_WARN, EVAL_OK
def eval_x_frame_options(contents: str) -> Tuple[int, list]:
if contents.lower() in ['deny', 'sameorigin']:
return EVAL_OK, []
return EVAL_WARN, []
def eval_content_type_options(contents: str) -> Tuple[int, list]:
if contents.lower() == 'nosniff':
return EVAL_OK, []
return EVAL_WARN, []
def eval_x_xss_protection(contents: str) -> Tuple[int, list]:
# This header is deprecated but still used quite a lot
#
# value '1' is dangerous because it can be used to block legit site features. If this header is defined, either
# one of the below values if recommended
if contents.lower() in ['1; mode=block', '0']:
return EVAL_OK, []
return EVAL_WARN, []
def eval_sts(contents: str) -> Tuple[int, list]:
if re.match("^max-age=[0-9]+\\s*(;|$)\\s*", contents.lower()):
return EVAL_OK, []
return EVAL_WARN, []
def eval_csp(contents: str) -> Tuple[int, list]:
UNSAFE_RULES = {
"script-src": ["*", "'unsafe-eval'", "data:", "'unsafe-inline'"],
"frame-ancestors": ["*"],
"form-action": ["*"],
"object-src": ["*"],
}
# There are no universal rules for "safe" and "unsafe" CSP directives, but we apply some common sense here to
# catch some obvious lacks or poor configuration
csp_unsafe = False
csp_notes = []
csp_parsed = csp_parser(contents)
for rule in UNSAFE_RULES:
if rule not in csp_parsed:
if '-src' in rule and 'default-src' in csp_parsed:
# fallback to default-src
for unsafe_src in UNSAFE_RULES[rule]:
if unsafe_src in csp_parsed['default-src']:
csp_unsafe = True
csp_notes.append("Directive {} not defined, and default-src contains unsafe source {}".format(
rule, unsafe_src))
elif 'default-src' not in csp_parsed:
csp_notes.append("No directive {} nor default-src defined in the Content Security Policy".format(rule))
csp_unsafe = True
else:
for unsafe_src in UNSAFE_RULES[rule]:
if unsafe_src in csp_parsed[rule]:
csp_notes.append("Unsafe source {} in directive {}".format(unsafe_src, rule))
csp_unsafe = True
if csp_unsafe:
return EVAL_WARN, csp_notes
return EVAL_OK, []
def eval_version_info(contents: str) -> Tuple[int, list]:
# Poor guess whether the header value contain something that could be a server banner including version number
if len(contents) > 3 and re.match(".*[^0-9]+.*\\d.*", contents):
return EVAL_WARN, []
return EVAL_OK, []
def eval_permissions_policy(contents: str) -> Tuple[int, list]:
# Configuring Permission-Policy is very case-specific and it's difficult to define a particular recommendation.
# We apply here a logic, that access to privacy-sensitive features and payments API should be restricted.
pp_parsed = permissions_policy_parser(contents)
notes = []
pp_unsafe = False
RESTRICTED_PRIVACY_POLICY_FEATURES = ['camera', 'geolocation', 'microphone', 'payment']
for feature in RESTRICTED_PRIVACY_POLICY_FEATURES:
if feature not in pp_parsed or '*' in pp_parsed.get(feature):
pp_unsafe = True
notes.append("Privacy-sensitive feature '{}' is not restricted to specific origins.".format(feature))
if pp_unsafe:
return EVAL_WARN, notes
return EVAL_OK, []
def eval_referrer_policy(contents: str) -> Tuple[int, list]:
if contents.lower().strip() in [
'no-referrer',
'no-referrer-when-downgrade',
'origin',
'origin-when-cross-origin',
'same-origin',
'strict-origin',
'strict-origin-when-cross-origin',
]:
return EVAL_OK, []
return EVAL_WARN, ["Unsafe contents: {}".format(contents)]
def csp_parser(contents: str) -> dict:
csp = {}
directives = contents.split(";")
for directive in directives:
directive = directive.strip().split()
if directive:
csp[directive[0]] = directive[1:] if len(directive) > 1 else []
return csp
def permissions_policy_parser(contents: str) -> dict:
policies = contents.split(",")
retval = {}
for policy in policies:
match = re.match('^(\\w*)=(\\(([^\\)]*)\\)|\\*|self)$', policy)
if match:
feature = match.groups()[0]
feature_policy = match.groups()[2] if match.groups()[2] is not None else match.groups()[1]
retval[feature] = feature_policy.split()
return retval
def print_ok(msg: str):
OK_COLOR = '\033[92m'
END_COLOR = '\033[0m'
print("{} ... [ {}OK{} ]".format(msg, OK_COLOR, END_COLOR))
def print_warning(msg: str):
WARN_COLOR = '\033[93m'
END_COLOR = '\033[0m'
print("{} ... [ {}WARN{} ]".format(msg, WARN_COLOR, END_COLOR))