From 9d28aebed338b8790115061282b0933a2635e663 Mon Sep 17 00:00:00 2001
From: Helder Souza <42891390+helllllllder@users.noreply.github.com>
Date: Thu, 26 May 2022 15:51:45 -0300
Subject: [PATCH] Feature/add csp (#719)

* Develop (#709) (#710)
* Fix: Remove ai from project (#707)
* remove document deletion from delete_nlp_logs task
* inconsistency number and debug errors fixed
* add user_email to remove_authorizations_project
* Feature/health check blocklist (#708)
* remove document deletion from delete_nlp_logs task
* add a blocklist for not saving logs depending on the authorization user
* inconsistency number and debug errors fixed
* change the REPOSITORY_BLOCK_USER_LOGS values from users to repository authorizations
* change readme
* pass on sonarcloud
* change admins settings
* transform uuid into string
* convert uuid into string at test_blocked_user
* add regex remotion of special characters from username when creating from keycloak
* add django_csp and settings
* configure csp
* fix settings
* black
* fix csp settings
* fix csp settings
---
 bothub/settings.py | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/bothub/settings.py b/bothub/settings.py
index edb5e3e1..a4ee2ac6 100644
--- a/bothub/settings.py
+++ b/bothub/settings.py
@@ -103,6 +103,8 @@
 CSP_SCRIPT_SRC_ELEM=(tuple, "CSP_SCRIPT_SRC_ELEM"),
 CSP_FRAME_SRC=(tuple, "CSP_FRAME_SRC"),
 CSP_CONNECT_SRC=(tuple, "CSP_CONNECT_SRC"),
+ CSP_WORKER_SRC=(tuple, "CSP_WORKER_SRC"),
+ CSP_IMG_SRC=(tuple, "CSP_IMG_SRC"),
 )
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
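Review bot: In django-environ's scheme the second element of each tuple is the default value, not the variable name, so `CSP_WORKER_SRC=(tuple, "CSP_WORKER_SRC")` and `CSP_IMG_SRC=(tuple, "CSP_IMG_SRC")` declare the literal strings as defaults, if I read the library correctly. That is harmless here only because the later `env.tuple(...)` calls pass an explicit `default=`, which takes precedence over the scheme default; the two new entries simply follow the pre-existing pattern of the entries above them. A short comment on the enclosing call would save the next reader the same confusion, e.g. `# scheme defaults here are placeholders; the real defaults are given at each env.tuple() call below`. The enclosing call (presumably `environ.Env(...)`) starts before the hunk.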
@@ -312,19 +314,26 @@
 
 
 # CSP headers
-CSP_DEFAULT_SRC = env.tuple("CSP_DEFAULT_SRC", default=("'self'",))
-CSP_FRAME_ANCESTORS = env.tuple("CSP_FRAME_ANCESTORS", default=("'self'", "*.weni.ai"))
+DEFAULT_CSP_SETTINGS = ("'self'",)
+DEFAULT_CSP_WENI_SETTINGS = DEFAULT_CSP_SETTINGS + ("*.weni.ai",)
+
+CSP_DEFAULT_SRC = env.tuple("CSP_DEFAULT_SRC", default=DEFAULT_CSP_SETTINGS)
+CSP_FRAME_ANCESTORS = env.tuple(
+ "CSP_FRAME_ANCESTORS", default=DEFAULT_CSP_WENI_SETTINGS
+)
 CSP_FONT_SRC = env.tuple("CSP_FONT_SRC", default=CSP_DEFAULT_SRC)
 CSP_STYLE_SRC = env.tuple(
- "CSP_STYLE_SRC", default=("'self'", "'unsafe-inline'", "'unsafe-eval'")
+ "CSP_STYLE_SRC", default=DEFAULT_CSP_SETTINGS + ("'unsafe-inline'", "'unsafe-eval'")
 )
 CSP_STYLE_SRC_ELEM = env.tuple("CSP_STYLE_SRC_ELEM", default=CSP_STYLE_SRC)
-CSP_SCRIPT_SRC = env.tuple(
- "CSP_SCRIPT_SRC", default=("'self'", "'unsafe-inline'", "'unsafe-eval'")
-)
+CSP_SCRIPT_SRC = env.tuple("CSP_SCRIPT_SRC", default=CSP_STYLE_SRC)
 CSP_SCRIPT_SRC_ELEM = env.tuple("CSP_SCRIPT_SRC_ELEM", default=CSP_SCRIPT_SRC)
 CSP_FRAME_SRC = env.tuple("CSP_FRAME_SRC", default=CSP_DEFAULT_SRC)
 CSP_CONNECT_SRC = env.tuple("CSP_CONNECT_SRC", default=CSP_DEFAULT_SRC)
+CSP_WORKER_SRC = env.tuple(
+ "CSP_WORKER_SRC", default=DEFAULT_CSP_WENI_SETTINGS + ("blob:", "data:")
+)
+CSP_IMG_SRC = env.tuple("CSP_IMG_SRC", default=CSP_WORKER_SRC)
 
 
 # Logging
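Review bot: `CSP_SCRIPT_SRC` now defaults to `CSP_STYLE_SRC` and `CSP_IMG_SRC` to `CSP_WORKER_SRC`, which couples unrelated directives through environment overrides: an operator who changes `CSP_STYLE_SRC` in the environment silently changes script-src as well, and a change to `CSP_WORKER_SRC` likewise changes img-src, although the directives have different threat models (`'unsafe-eval'` matters for script-src, `data:` mainly for img-src). Derive each default from the shared constants instead: `CSP_SCRIPT_SRC = env.tuple("CSP_SCRIPT_SRC", default=DEFAULT_CSP_SETTINGS + ("'unsafe-inline'", "'unsafe-eval'"))` and `CSP_IMG_SRC = env.tuple("CSP_IMG_SRC", default=DEFAULT_CSP_WENI_SETTINGS + ("blob:", "data:"))`. The script-src default itself is unchanged by this commit, but `'unsafe-inline'` together with `'unsafe-eval'` in script-src removes most of the injection protection a CSP provides, so a comment such as `# permissive defaults for local use; set CSP_SCRIPT_SRC/CSP_STYLE_SRC explicitly in production` next to the shared constants would make the intent explicit for whoever deploys this.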