Security: enable Content-Security-Policy header

fallen · fallen · commit 7c29b913cdc1 · 2020-01-04T17:10:53.000+01:00
diff --git a/pytition/petition/static/css/petition.css b/pytition/petition/static/css/petition.css
@@ -173,7 +173,8 @@ nav.navbar {
 .reassurance {
     padding-bottom: 30px;
     padding-top: 20px;
-    font-size: 11px
+    font-size: 11px;
+    text-align: justify
 }
 
 input[type=email],
diff --git a/pytition/petition/templates/layouts/base.html b/pytition/petition/templates/layouts/base.html
@@ -55,9 +55,9 @@
     </div>
 
     <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
-    <script src="{% static "vendor/jquery-3.3.1/jquery-3.3.1.min.js" %}"></script>
-    <script src="{% static "vendor/popper-1.14.6/popper.min.js" %}"></script>
-    <script src="{% static "vendor/bootstrap-4.3.1/js/bootstrap.min.js" %}"></script>
+    <script src="{% static "vendor/jquery-3.3.1/jquery-3.3.1.min.js" %}" nonce="{{request.csp_nonce}}"></script>
+    <script src="{% static "vendor/popper-1.14.6/popper.min.js" %}" nonce="{{request.csp_nonce}}"></script>
+    <script src="{% static "vendor/bootstrap-4.3.1/js/bootstrap.min.js" %}" nonce="{{request.csp_nonce}}"></script>
     {% block extrajs %}
     {% endblock %}
 </body>
diff --git a/pytition/petition/templates/layouts/edit_layout.html b/pytition/petition/templates/layouts/edit_layout.html
@@ -2,13 +2,15 @@
 {% load i18n %}
 {% load static %}
 {% load petition_extras %}
+{% load media_csp %}
+
 {% block media %}
     {{ block.super }}
-    {{ content_form.media }}
-    {{ email_form.media }}
-    {{ newsletter_form.media }}
-    {{ social_network_form.media }}
-    {{ style_form.media }}
+    {% media_csp content_form %}
+    {% media_csp email_form %}
+    {% media_csp newsletter_form %}
+    {% media_csp social_network_form %}
+    {% media_csp style_form %}
 {% endblock %}
 
 {% block content %}
diff --git a/pytition/petition/templates/layouts/wizard_layout.html b/pytition/petition/templates/layouts/wizard_layout.html
@@ -3,12 +3,14 @@
 {% load widget_tweaks %}
 {% load petition_extras %}
 {% load static %}
+{% load media_csp %}
+
 {% block media %}
-    {{ form.media }}
+    {% media_csp form %}
 {% endblock %}
 {% block extracss %}
   {{ block.super }}
-    <link href="{% static 'vendor/smartwizard/dist/css/smart_wizard_theme_arrows.css' %}" rel="stylesheet" type="text/css" />
+    <link href="{% static 'vendor/smartwizard/dist/css/smart_wizard_theme_arrows.css' %}" rel="stylesheet" type="text/css" nonce="{{ request.csp_nonce }}"/>
 {% endblock %}
 
 {% block content %}
diff --git a/pytition/petition/templates/petition/account_settings.html b/pytition/petition/templates/petition/account_settings.html
@@ -132,7 +132,7 @@ <h5 class="modal-title" id="org_leave_modal_label">{% trans "Leaving an organiza
 
 {% block extrajs %}
 {{ block.super }}
-<script>
+<script nonce="{{request.csp_nonce}}">
 $(function() {
     {% if not password_change_form_submitted %}
    $('#password_change_form').find('form input').removeClass('is-valid').removeClass('is-invalid');
diff --git a/pytition/petition/templates/petition/edit_petition.html b/pytition/petition/templates/petition/edit_petition.html
@@ -2,13 +2,15 @@
 {% load i18n %}
 {% load static %}
 {% load petition_extras %}
+{% load media_csp %}
+
 {% block media %}
     {{ block.super }}
-    {{ content_form.media }}
-    {{ email_form.media }}
-    {{ newsletter_form.media }}
-    {{ social_network_form.media }}
-    {{ style_form.media }}
+    {% media_csp content_form %}
+    {% media_csp email_form %}
+    {% media_csp newsletter_form %}
+    {% media_csp social_network_form %}
+    {% media_csp style_form %}
 {% endblock %}
 
 {% block extracss %}
@@ -128,7 +130,7 @@
 
 {% block extrajs %}
     {{ block.super }}
-<script>
+<script nonce="{{request.csp_nonce}}">
 $(function (){
 $('a[data-toggle="list"]').on('shown.bs.tab', function(e){
     const paneID = $(e.target).attr('href');
diff --git a/pytition/petition/templates/petition/new_petition_step1.html b/pytition/petition/templates/petition/new_petition_step1.html
@@ -39,8 +39,8 @@
 
 {% block extrajs %}
     {{ block.super }}
-    <script type="text/javascript" src="{%  static 'vendor/smartwizard/dist/js/jquery.smartWizard.min.js' %}"></script>
-    <script type="text/javascript">
+    <script type="text/javascript" src="{%  static 'vendor/smartwizard/dist/js/jquery.smartWizard.min.js' %}" nonce="{{request.csp_nonce}}"></script>
+    <script type="text/javascript" nonce="{{request.csp_nonce}}">
     $(document).ready(function(){
       $('#smartwizard').smartWizard({
                                     theme: 'arrows',
diff --git a/pytition/petition/templates/petition/new_petition_step2.html b/pytition/petition/templates/petition/new_petition_step2.html
@@ -3,8 +3,11 @@
 {% load widget_tweaks %}
 {% load petition_extras %}
 {% load static %}
+{% load media_csp %}
+
 {% block media %}
-    {{ form.media }}
+    <script src="{% static "vendor/jquery-3.3.1/jquery-3.3.1.min.js" %}" nonce="{{request.csp_nonce}}"></script>
+    {% media_csp form %}
 {% endblock %}
 
 {% block wizard_content %}
@@ -46,8 +49,8 @@
 
 {% block extrajs %}
     {{ block.super }}
-    <script type="text/javascript" src="{%  static 'vendor/smartwizard/dist/js/jquery.smartWizard.min.js' %}"></script>
-    <script type="text/javascript">
+    <script type="text/javascript" src="{%  static 'vendor/smartwizard/dist/js/jquery.smartWizard.min.js' %}" nonce="{{request.csp_nonce}}"></script>
+    <script type="text/javascript" nonce="{{request.csp_nonce}}">
     $(document).ready(function(){
       $('#smartwizard').smartWizard({
                                     theme: 'arrows',
diff --git a/pytition/petition/templates/petition/new_petition_step3.html b/pytition/petition/templates/petition/new_petition_step3.html
@@ -3,8 +3,10 @@
 {% load widget_tweaks %}
 {% load petition_extras %}
 {% load static %}
+{% load media_csp %}
+
 {% block media %}
-    {{ form.media }}
+    {% media_csp form %}
 {% endblock %}
 
 {% block wizard_content %}
@@ -55,8 +57,8 @@ <h4 class="card-title"> {{ title }}</h4>
 
 {% block extrajs %}
     {{ block.super }}
-    <script type="text/javascript" src="{%  static 'vendor/smartwizard/dist/js/jquery.smartWizard.min.js' %}"></script>
-    <script type="text/javascript">
+    <script type="text/javascript" src="{%  static 'vendor/smartwizard/dist/js/jquery.smartWizard.min.js' %}" nonce="{{request.csp_nonce}}"></script>
+    <script type="text/javascript" nonce="{{request.csp_nonce}}">
     $(document).ready(function(){
       $('#smartwizard').smartWizard({
                                     theme: 'arrows',
diff --git a/pytition/petition/templates/petition/org_base.html b/pytition/petition/templates/petition/org_base.html
@@ -45,7 +45,7 @@ <h4><span class="oi oi-layers"></span> {% trans "Petition templates" %} ({{ org.
 
 {% block extrajs %}
 {{ block.super }}
-<script>
+<script nonce="{{request.csp_nonce}}">
    {% include "petition/orga.js" %}
 </script>
 {% endblock extrajs %}
diff --git a/pytition/petition/templates/petition/petition_change_form.html b/pytition/petition/templates/petition/petition_change_form.html
@@ -3,7 +3,7 @@
 {% load petition_extras %}
 
 {% block extrahead %}{{ block.super }}
-<script type="text/javascript" src="{% url 'admin:jsi18n' %}"></script>
+<script type="text/javascript" src="{% url 'admin:jsi18n' %}" nonce="{{request.csp_nonce}}"></script>
 {{ media }}
 {% endblock %}
 
@@ -84,7 +84,7 @@ <h2><a href="{% url urlname %}?petition__id__exact={{ original.id }}&confirmed__
 {% block admin_change_form_document_ready %}
     <script type="text/javascript"
             id="django-admin-form-add-constants"
-            src="{% static 'admin/js/change_form.js' %}"
+            src="{% static 'admin/js/change_form.js' %}" nonce="{{request.csp_nonce}}"
             {% if adminform and add %}
                 data-model-name="{{ opts.model_name }}"
             {% endif %}>
diff --git a/pytition/petition/templates/petition/petition_detail.html b/pytition/petition/templates/petition/petition_detail.html
@@ -50,8 +50,8 @@
 {% endblock %}
 
 {% block extracss %}
-<link href="{% static "css/petition.css" %}" rel="stylesheet" type="text/css">
-<style type="text/css">
+<link href="{% static "css/petition.css" %}" rel="stylesheet" type="text/css" nonce="{{ request.csp_nonce }}">
+<style type="text/css" nonce="{{request.csp_nonce}}">
 {% if petition.bgcolor != "#FFFFFF" %}
 body {
   background-color: {{ petition.bgcolor }};
@@ -66,7 +66,7 @@
 {% endblock %}
 
 {% block extrajshead %}
-<script>
+<script nonce="{{request.csp_nonce}}">
 dataLayer = [];
 </script>
 {% endblock %}
@@ -169,7 +169,7 @@ <h1 class="jumbotron-heading">{{ petition.title|html_sanitize|striptags|safe }}
               </form>
             </div>
             <div class="reassurance" id="reassurance">
-              <p style="text-align:justify">
+              <p>
                 {{ petition.sign_form_footer }}
               </p>
             </div>
@@ -186,7 +186,7 @@ <h1 class="jumbotron-heading">{{ petition.title|html_sanitize|striptags|safe }}
 {% endblock main_content %}
 
 {% block extrajs %}
-<script type="text/javascript" src="{% static "js/petition.js" %}"></script>
+<script type="text/javascript" src="{% static "js/petition.js" %}" nonce="{{request.csp_nonce}}"></script>
 {% endblock %}
 
 {% block footer %}
diff --git a/pytition/petition/templates/petition/signature_change_form.html b/pytition/petition/templates/petition/signature_change_form.html
@@ -2,7 +2,7 @@
 {% load i18n admin_urls static admin_modify %}
 
 {% block extrahead %}{{ block.super }}
-<script type="text/javascript" src="{% url 'admin:jsi18n' %}"></script>
+<script type="text/javascript" src="{% url 'admin:jsi18n' %}" nonce="{{request.csp_nonce}}></script>
 {{ media }}
 {% endblock %}
 
@@ -75,7 +75,7 @@
 {% block admin_change_form_document_ready %}
     <script type="text/javascript"
             id="django-admin-form-add-constants"
-            src="{% static 'admin/js/change_form.js' %}"
+            src="{% static 'admin/js/change_form.js' %}" nonce="{{request.csp_nonce}}
             {% if adminform and add %}
                 data-model-name="{{ opts.model_name }}"
             {% endif %}>
diff --git a/pytition/petition/templates/petition/signature_data.html b/pytition/petition/templates/petition/signature_data.html
@@ -110,7 +110,7 @@ <h2>{% trans "Signatures" %}</h2>
 
 {% block extrajs %}
     {{ block.super }}
-    <script>
+    <script nonce="{{request.csp_nonce}}">
     $(function() {
         $("#re-send-all").on("click", function() {
             $("#action").val("re-send-all");
@@ -122,4 +122,4 @@ <h2>{% trans "Signatures" %}</h2>
         });
     });
     </script>
-{% endblock extrajs %}
+{% endblock extrajs %}
diff --git a/pytition/petition/templates/petition/user_base.html b/pytition/petition/templates/petition/user_base.html
@@ -34,7 +34,7 @@ <h4><a href="{% url "user_profile" user.username %}"><span class="oi oi-person">
 
 {% block extrajs %}
 {{ block.super }}
-<script>
+<script nonce="{{request.csp_nonce}}">
   {% include "petition/user.js" %}
 </script>
 {% endblock %}
diff --git a/pytition/petition/views.py b/pytition/petition/views.py
@@ -105,9 +105,10 @@ def search(request):
         }
     )
 
-
+from csp.decorators import csp_replace
 # /<int:petition_id>/
 # Show information on a petition
+@csp_replace(STYLE_SRC='unsafe-inline')
 def detail(request, petition_id):
     petition = petition_from_id(petition_id)
     check_petition_is_accessible(request, petition)
@@ -869,6 +870,10 @@ def org_set_user_perms(request, orgslugname, user_name):
 
 # Class Based Controller
 # PATH : subroutes of /wizard
+from csp.decorators import csp
+
+@method_decorator(csp(DEFAULT_SRC=["'self'"], SCRIPT_SRC=["'self'", "'unsafe-eval'", "'unsafe-inline'"],
+                      STYLE_SRC=["'self'", "'unsafe-inline'"]), name='dispatch')
 @method_decorator(login_required, name='dispatch')
 class PetitionCreationWizard(SessionWizardView):
     def get_template_names(self):
@@ -1396,9 +1401,10 @@ def org_create(request):
     ctx.update({'form': form})
     return render(request, "petition/org_create.html", ctx)
 
-
+from csp.decorators import csp_update
 # GET /org/<slug:orgslugname>/<slug:petitionname>
 # Show a petition
+@csp_replace(STYLE_SRC="'unsafe-inline'", INCLUDE_NONCE_IN=('script-src',))
 def slug_show_petition(request, orgslugname=None, username=None, petitionname=None):
     try:
         pytitionuser = get_session_user(request)
diff --git a/pytition/pytition/settings/base.py b/pytition/pytition/settings/base.py
@@ -45,9 +45,11 @@
     'django.contrib.staticfiles',
     'widget_tweaks',
     'formtools',
+    'csp_helpers',
 ]
 
 MIDDLEWARE = [
+    'csp.middleware.CSPMiddleware',
     'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.locale.LocaleMiddleware',
@@ -197,7 +199,7 @@
             set_mce_changed(ed);
        });}""",
 }
-TINYMCE_INCLUDE_JQUERY = True
+TINYMCE_INCLUDE_JQUERY = False
 
 SITE_NAME = "Pytition"
 ALLOW_REGISTER = True
@@ -224,5 +226,13 @@
 
 LANGUAGES = global_settings.LANGUAGES + [('oc', gettext_lazy('Occitan'))]
 
+# Content Security Policy configuration
+CSP_INCLUDE_NONCE_IN=('script-src', 'style-src')
+CSP_DEFAULT_SRC=["'none'"]
+CSP_SCRIPT_SRC=["'strict-dynamic'"]
+CSP_IMG_SRC=['*']
+CSP_STYLE_SRC=["'self'"]
+CSP_FONT_SRC=["'self'"]
+
 if DEFAULT_INDEX_THUMBNAIL == "":
     print("Please set a default index thumbnail or your index page will not be very beautiful")
diff --git a/requirements.txt b/requirements.txt
@@ -9,3 +9,5 @@ beautifulsoup4~=4.6.3
 django-formtools==2.1
 bcrypt
 lxml
+django-csp
+django-csp-helpers

Original file line number	Diff line number	Diff line change
`@@ -173,7 +173,8 @@ nav.navbar {`
`173`	`173`	`.reassurance {`
`174`	`174`	`padding-bottom: 30px;`
`175`	`175`	`padding-top: 20px;`
`176`		`- font-size: 11px`
	`176`	`+ font-size: 11px;`
	`177`	`+ text-align: justify`
`177`	`178`	`}`
`178`	`179`
`179`	`180`	`input[type=email],`