
django-csp-reports's Introduction

Django Content Security Policy Reports


A Django app for handling reports from web browsers of violations of your website's content security policy.

This app does not handle the setting of the Content-Security-Policy HTTP headers, but deals with handling the reports that web browsers may submit to your site (via the report-uri) when the stated content security policy is violated.

It is recommended that you use an app such as django-csp (Github) to set the Content-Security-Policy headers.

So What Does This Thing Do?

It receives the reports from the browser and does any/all of the following with them:

  • Logs them using the python logging module.
  • Sends them to you via email.
  • Saves them to the database via a Django model.
  • Runs any of your own custom functions on them.
  • Can generate a summary of the reports.

Supported Django Versions

Supports Python 3.5 to 3.10 and Django 2.2 to 4.x (latest).

Python 2.7 support is available in version 1.4 and/or the python2.7-support branch.

How Do I Use This Thing?

  1. Install this app into your Django project, e.g. pip install django-csp-reports.
  2. Add 'cspreports' to your INSTALLED_APPS.
  3. Include cspreports.urls in your URL config somewhere, e.g. urlpatterns = [path('csp/', include('cspreports.urls'))].
  4. In your Content-Security-Policy HTTP headers, set reverse('report_csp') as the report-uri. (Note, with django-csp, you will want to set CSP_REPORT_URI = reverse_lazy('report_csp') in settings.py).
  5. Set all/any of the following in settings.py as you so desire, hopefully they are self-explanatory:
    • CSP_REPORTS_EMAIL_ADMINS (bool defaults to True).

    • CSP_REPORTS_LOG (bool, whether or not to log the reporting using the python logging module, defaults to True).

    • CSP_REPORTS_LOG_LEVEL (str, one of the Python logging module's available log functions, defaults to 'warning').

    • CSP_REPORTS_SAVE (bool defaults to True). Determines whether the reports are saved to the database.

    • CSP_REPORTS_ADDITIONAL_HANDLERS (iterable defaults to []).

      • Each value should be a dot-separated string path to a function which you want be called when a report is received.
      • Each function is passed the HttpRequest of the CSP report.
    • CSP_REPORTS_FILTER_FUNCTION (str of dotted path to a callable, defaults to None).

      • If set, the specified function is passed each HttpRequest object of the CSP report before it's processed. Only requests for which the function returns True are processed.
      • You may want to set this to "cspreports.filters.filter_browser_extensions" as a starting point.
    • CSP_REPORTS_LOGGER_NAME (str defaults to CSP Reports). Specifies the logger name that will be used for logging CSP reports, if enabled.

    • CSP_REPORTS_MODEL (<app_label>.<model_name>, defaults to "cspreports.CSPReport"). Specifies the model used for storing the CSP reports. You can easily extend the model by subclassing the abstract base class cspreports.models.CSPReportBase and adding your additional fields to it:

      # your_app/models.py
      from cspreports.models import CSPReportBase

      class CustomCSPReport(CSPReportBase):
          # Add your fields here
          pass

      # settings.py
      CSP_REPORTS_MODEL = "your_app.CustomCSPReport"
  6. Set a cron to generate summaries.
  7. Enjoy.
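As an added example (not part of django-csp-reports), here are a filter function and an additional handler written to the call convention above: both receive the HttpRequest of the report. The filter caps the report size and checks the minimal JSON shape before anything is logged, mailed or saved, which is the short-term mitigation the "Question about security issues" issue below asks about; MAX_REPORT_BYTES, FakeRequest and SAMPLE_REPORT are assumptions and constructed stand-ins so the code runs without Django.

```python
import json
from urllib.parse import urlsplit, urlunsplit

MAX_REPORT_BYTES = 8 * 1024  # assumption: genuine browser reports are far smaller
REQUIRED_KEYS = {"document-uri", "violated-directive"}  # CSP 1.0 core fields


def filter_sane_reports(request):
    """CSP_REPORTS_FILTER_FUNCTION: True only for reports worth processing.
    Uses just HttpRequest.META and HttpRequest.body: reject on the declared
    Content-Length before reading the body, then on the real body size, then
    require a JSON object whose 'csp-report' member carries the core fields."""
    declared = request.META.get("CONTENT_LENGTH", "")
    if declared.isdigit() and int(declared) > MAX_REPORT_BYTES:
        return False
    body = request.body
    if len(body) > MAX_REPORT_BYTES:
        return False
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    report = data.get("csp-report") if isinstance(data, dict) else None
    return isinstance(report, dict) and REQUIRED_KEYS.issubset(report)


def normalize_uri(uri):
    """Drop query and fragment so reports for one page group together,
    the way make_csp_summary merges URIs."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def violation_pair(request):
    """CSP_REPORTS_ADDITIONAL_HANDLERS entry: (document-uri, blocked-uri),
    normalized, for your own metrics. Runs only after the filter accepted
    the request, so the body is known to parse."""
    report = json.loads(request.body.decode("utf-8"))["csp-report"]
    return normalize_uri(report["document-uri"]), normalize_uri(report.get("blocked-uri", ""))


class FakeRequest:
    """Constructed stand-in for django.http.HttpRequest (only .body and .META)."""
    def __init__(self, body, content_length=None):
        self.body = body
        self.META = {} if content_length is None else {"CONTENT_LENGTH": str(content_length)}


# Constructed sample in the CSP 1.0 shape a browser POSTs to the report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page?x=1#top", "referrer": "",
    "blocked-uri": "https://evil.example/x.js?cache=2",
    "violated-directive": "script-src 'self'",
    "original-policy": "script-src 'self'; report-uri /csp/report/"}}).encode()
```

Wire them up with CSP_REPORTS_FILTER_FUNCTION = "your_app.csp.filter_sane_reports" and CSP_REPORTS_ADDITIONAL_HANDLERS = ["your_app.csp.violation_pair"] (module path assumed). Django's DATA_UPLOAD_MAX_MEMORY_SIZE already bounds request.body; this filter just applies a much tighter limit to the report endpoint.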

Commands

clean_cspreports

Deletes old reports from the database.

Options:

  • --limit - timestamp; reports created since this time are kept, everything older is deleted. Defaults to 1 week. Accepts any string that can be parsed as a datetime.

make_csp_summary

Generates a summary of CSP reports.

By default it includes reports from yesterday (00:00:00 to midnight). The summary shows the top 10 violation sources (pages from which violations were reported), the top 10 blocked URIs (resources the pages tried to load that the policy banned), and the top 10 invalid reports (requests for which the browser provided an invalid CSP report).

Options:

  • --since - timestamp of the oldest reports to include. Accepts any string that can be parsed as a datetime.
  • --to - timestamp of the newest reports to include. Accepts any string that can be parsed as a datetime.
  • --top - limit of how many examples to show. Default is 10.


django-csp-reports's Issues

Store record fields individually

CSP reports are stored as they came in, which makes it very impossible to filter using SQL.

I propose additional model fields:

  • valid - whether CSP report is valid (i.e. can be split into fields)

CSP 1.0 fields according to https://www.w3.org/TR/2012/CR-CSP-20121115/#report-uri - will be NULL for invalid CSP reports

  • document_uri
  • referrer
  • blocked-uri
  • violated-directive
  • original-policy

CSP 2.0 fields according to https://www.w3.org/TR/CSP2/#violation-reports - will be NULL for invalid CSP reports or if not present in the report

  • effective-directive
  • status-code
  • source-file
  • line-number
  • column-number

CSP 3.0 fields https://www.w3.org/TR/CSP/#deprecated-serialize-violation

  • disposition - will be NULL for invalid CSP reports or CSP < 3.0 reports

Any PYPI updates?

Current pypi version was released 18 months ago and doesn't work with django>=1.9

Warning with default_app_config

When launching unit tests in my Django project (Django 3.2)

coverage run $(which pytest)

I get the following warning

RemovedInDjango41Warning: 'cspreports' defines default_app_config = 'cspreports.apps.CSPReportsConfig'. Django now detects this configuration automatically. You can remove default_app_config.

(declared in cspreports/__init__.py)
Nevertheless, when I run other commands with manage.py (manage.py runserver, manage.py makemigrations, ...) I don't have this warning.

Summary command

Add a command to print summary about the CSP reports.

Usage

make_csp_summary [--since date] [--to date] [--top number]

By default it prints the summary of yesterday's reports. --since and --to modify the interval. --top defines the size of each limit section, 10 by default.

Content

  • Total number of reports, number of invalid reports.
  • Top sources (document_uri) + examples (source, blocked URI)
  • Top violated directives + examples (source, blocked URI)
  • Top blocked URIs + examples (source, blocked URI)
  • Examples of invalid reports

URIs will be merged regardless of query and fragment.

Think about

  • Summary customization

RemovedInDjango110Warning

.../.env/src/django-csp-reports/cspreports/urls.py:7: RemovedInDjango110Warning: Support for string view arguments to url() is deprecated and will be removed in Django 1.10 (got report_csp). Pass the callable instead.
  url(r'^report/$', 'report_csp', name='report_csp'),

.../.env/src/django-csp-reports/cspreports/urls.py:7: RemovedInDjango110Warning: django.conf.urls.patterns() is deprecated and will be removed in Django 1.10. Update your urlpatterns to be a list of django.conf.urls.url() instances instead.
  url(r'^report/$', 'report_csp', name='report_csp'),

Refactor string representations

#31 introduced a string representation property for report which should be used where the nice report is required.

Ideas

  • Drop CSPReport.json_as_html and keep only CSPReportAdmin.json_as_html.
  • Refactor utils to pass around a report instance and not only request.

Question about security issues

First, thank you for maintaining this! I'm eager to try it with my site.

I have a question - Is there any validation done on the CSP reports? I didn't see any, and I'm wondering if this doesn't open a site up to various security issues?

For instance, what if we set log_report and then start sending thousands of massive reports, i.e., huge JSON objects, at the same time? Couldn't that immediately eat up a server's RAM?

It appears that there's some amount of validation in the save_report function in terms of requiring that the report match the desired keys, and some fields are limited by choices, but I'm wondering whether directives shouldn't be more fully validated? I'm not well versed on CSP RFC's so if you know of a place that shows good validation or a repo that might do it already I'd love to take a look and make a PR if I'm able.

I suppose one thing to do short-term is to use log_reports and simply add a custom filter that verifies the size of the log is below a certain threshold of kb?

Mainly opening this issue to see if maintainers have ideas that would be useful in making sure that the endpoint doesn't open up any vulnerabilities. Thanks again for maintaining this repo!

With Python 3 Django generates a new migration for ordering

Under Python3, Django wants to generate a new version of this migration:

https://github.com/adamalton/django-csp-reports/blob/master/cspreports/migrations/0002_auto_20141011_1800.py#L16

However, the only difference is that

        options={'ordering': (b'-created',)},

becomes:

         options={'ordering': ('-created',)},

The issue is discussed here:

https://code.djangoproject.com/ticket/23226#comment:18

The solution is to edit the migration to use '-created' and not b'-created', which works for both versions.

Thanks!

django 2.0> support

Hi,
Can you remove the limitation on django <1.11.99 or check compatibility with django 2.0>

Make CSP Model Customable

Hey,

thanks for the project so far! :)

I would like to add an acknowledge function to the reports (instead of deleting them). Therefore I would have to add a field to the csp model (or create a construct with an extra table pointing at acknowledged reports, which would be kinda clumsy to use in django admin).

My use case is probably only one example of how one would adjust the model to its individual needs.

I would offer to create a PR to enable customization of the used model doing the following steps:

  • I would propose to add a setting for specifying the used csp model and transform the current model into an abstract base class with default implementation. That's a pattern you often find in django's third party packages.

  • Before doing that, I could refactor the settings access and gather app settings in one central module, if that's appreciated.

Please tell me, what you think about it :)

Django 4.0 support?

The tests seem to run fine for Django 4.0.

Is it just a matter of bumping the requirement on Django to allow 4.0?
