From 950df1fba2dcf45e163f7b225fa676fc0c828607 Mon Sep 17 00:00:00 2001
From: Tim Tomes
Date: Fri, 17 May 2024 15:20:24 -0400
Subject: [PATCH] Added a Content Security Policy and the ability to enable it via the PwnedAdmin Config application.
---
 database/cs/04-pwnedhub-admin.sql | 2 +-
 database/ctf/04-pwnedhub-admin.sql | 2 +-
 database/init/04-pwnedhub-admin.sql | 2 +-
 pwnedhub/__init__.py | 10 ++++++++--
 pwnedhub/templates/layout.html | 10 +++++-----
 pwnedhub/templates/messages.html | 2 +-
 pwnedhub/templates/notes.html | 2 +-
 pwnedhub/templates/tools.html | 2 +-
 8 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/database/cs/04-pwnedhub-admin.sql b/database/cs/04-pwnedhub-admin.sql
index ce8113c..95570dc 100644
--- a/database/cs/04-pwnedhub-admin.sql
+++ b/database/cs/04-pwnedhub-admin.sql
@@ -41,7 +41,7 @@ CREATE TABLE `configs` (
 LOCK TABLES `configs` WRITE;
 /*!40000 ALTER TABLE `configs` DISABLE KEYS */;
-INSERT INTO `configs` VALUES (1,'CSRF_PROTECT','Profile CSRF Protection (PwnedHub)','security control',1),(2,'OSCI_PROTECT','Tools OSCI Protection (PwnedHub)','security control',0),(3,'SQLI_PROTECT','Login SQLi Protection (PwnedHub)','security control',0),(4,'CORS_RESTRICT','Restricted CORS (PwnedAPI)','security control',1),(5,'JWT_VERIFY','Verify JWT Signatures (PwnedAPI)','security control',1),(6,'JWT_ENCRYPT','Encrypt JWTs (PwnedAPI)','security control',0),(7,'BEARER_AUTH_ENABLE','Bearer Token Authentication (PwnedAPI)','feature',1),(8,'OIDC_ENABLE','OpenID Connect Authentication (PwnedHub)','feature',0),(9,'SSO_ENABLE','SSO Authentication (PwnedHub)','feature',0),(10,'OOB_RESET_ENABLE','Out-of-Band Password Reset (PwnedHub)','feature',0),(11,'CTF_MODE','CTF Mode (Warning: Disables this interface!)','feature',0);
+INSERT INTO `configs` VALUES (1,'CSRF_PROTECT','Profile CSRF Protection (PwnedHub)','security control',1),(2,'OSCI_PROTECT','Tools OSCI Protection (PwnedHub)','security control',0),(3,'SQLI_PROTECT','Login SQLi Protection (PwnedHub)','security control',0),(4,'CSP_PROTECT','Content Security Policy (PwnedHub)','security control',0),(5,'CORS_RESTRICT','Restricted CORS (PwnedAPI)','security control',1),(6,'JWT_VERIFY','Verify JWT Signatures (PwnedAPI)','security control',1),(7,'JWT_ENCRYPT','Encrypt JWTs (PwnedAPI)','security control',0),(8,'BEARER_AUTH_ENABLE','Bearer Token Authentication (PwnedAPI)','feature',1),(9,'OIDC_ENABLE','OpenID Connect Authentication (PwnedHub)','feature',0),(10,'SSO_ENABLE','SSO Authentication (PwnedHub)','feature',0),(11,'OOB_RESET_ENABLE','Out-of-Band Password Reset (PwnedHub)','feature',0),(12,'CTF_MODE','CTF Mode (Warning: Disables this interface!)','feature',0);
 /*!40000 ALTER TABLE `configs` ENABLE KEYS */;
 UNLOCK TABLES;
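Review bot: Inserting CSP_PROTECT as id 4 renumbers every existing row from CORS_RESTRICT to CTF_MODE (4–11 become 5–12) in the `+INSERT` line, so anything that addresses a config by its numeric id rather than its name would silently read a different row after re-seeding. The Python in this patch looks rows up by name (`Config.get_value('CSP_PROTECT')`), but other callers and any already-seeded database are not visible here, so this is worth confirming before merging. Appending the new row as `(12,'CSP_PROTECT','Content Security Policy (PwnedHub)','security control',0)` keeps the existing ids stable; the same applies to the identical change in the ctf and init seed files.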
diff --git a/database/ctf/04-pwnedhub-admin.sql b/database/ctf/04-pwnedhub-admin.sql
index 4ce07f7..a400765 100644
--- a/database/ctf/04-pwnedhub-admin.sql
+++ b/database/ctf/04-pwnedhub-admin.sql
@@ -41,7 +41,7 @@ CREATE TABLE `configs` (
 LOCK TABLES `configs` WRITE;
 /*!40000 ALTER TABLE `configs` DISABLE KEYS */;
-INSERT INTO `configs` VALUES (1,'CSRF_PROTECT','Profile CSRF Protection (PwnedHub)','security control',0),(2,'OSCI_PROTECT','Tools OSCI Protection (PwnedHub)','security control',1),(3,'SQLI_PROTECT','Login SQLi Protection (PwnedHub)','security control',1),(4,'CORS_RESTRICT','Restricted CORS (PwnedAPI)','security control',0),(5,'JWT_VERIFY','Verify JWT Signatures (PwnedAPI)','security control',1),(6,'JWT_ENCRYPT','Encrypt JWTs (PwnedAPI)','security control',0),(7,'BEARER_AUTH_ENABLE','Bearer Token Authentication (PwnedAPI)','feature',0),(8,'OIDC_ENABLE','OpenID Connect Authentication (PwnedHub)','feature',0),(9,'SSO_ENABLE','SSO Authentication (PwnedHub)','feature',0),(10,'OOB_RESET_ENABLE','Out-of-Band Password Reset (PwnedHub)','feature',1),(11,'CTF_MODE','CTF Mode (Warning: Disables this interface!)','feature',1);
+INSERT INTO `configs` VALUES (1,'CSRF_PROTECT','Profile CSRF Protection (PwnedHub)','security control',0),(2,'OSCI_PROTECT','Tools OSCI Protection (PwnedHub)','security control',1),(3,'SQLI_PROTECT','Login SQLi Protection (PwnedHub)','security control',1),(4,'CSP_PROTECT','Content Security Policy (PwnedHub)','security control',1),(5,'CORS_RESTRICT','Restricted CORS (PwnedAPI)','security control',0),(6,'JWT_VERIFY','Verify JWT Signatures (PwnedAPI)','security control',1),(7,'JWT_ENCRYPT','Encrypt JWTs (PwnedAPI)','security control',0),(8,'BEARER_AUTH_ENABLE','Bearer Token Authentication (PwnedAPI)','feature',0),(9,'OIDC_ENABLE','OpenID Connect Authentication (PwnedHub)','feature',0),(10,'SSO_ENABLE','SSO Authentication (PwnedHub)','feature',0),(11,'OOB_RESET_ENABLE','Out-of-Band Password Reset (PwnedHub)','feature',1),(12,'CTF_MODE','CTF Mode (Warning: Disables this interface!)','feature',1);
 /*!40000 ALTER TABLE `configs` ENABLE KEYS */;
 UNLOCK TABLES;
diff --git a/database/init/04-pwnedhub-admin.sql b/database/init/04-pwnedhub-admin.sql
index ce8113c..95570dc 100644
--- a/database/init/04-pwnedhub-admin.sql
+++ b/database/init/04-pwnedhub-admin.sql
@@ -41,7 +41,7 @@ CREATE TABLE `configs` (
 LOCK TABLES `configs` WRITE;
 /*!40000 ALTER TABLE `configs` DISABLE KEYS */;
-INSERT INTO `configs` VALUES (1,'CSRF_PROTECT','Profile CSRF Protection (PwnedHub)','security control',1),(2,'OSCI_PROTECT','Tools OSCI Protection (PwnedHub)','security control',0),(3,'SQLI_PROTECT','Login SQLi Protection (PwnedHub)','security control',0),(4,'CORS_RESTRICT','Restricted CORS (PwnedAPI)','security control',1),(5,'JWT_VERIFY','Verify JWT Signatures (PwnedAPI)','security control',1),(6,'JWT_ENCRYPT','Encrypt JWTs (PwnedAPI)','security control',0),(7,'BEARER_AUTH_ENABLE','Bearer Token Authentication (PwnedAPI)','feature',1),(8,'OIDC_ENABLE','OpenID Connect Authentication (PwnedHub)','feature',0),(9,'SSO_ENABLE','SSO Authentication (PwnedHub)','feature',0),(10,'OOB_RESET_ENABLE','Out-of-Band Password Reset (PwnedHub)','feature',0),(11,'CTF_MODE','CTF Mode (Warning: Disables this interface!)','feature',0);
+INSERT INTO `configs` VALUES (1,'CSRF_PROTECT','Profile CSRF Protection (PwnedHub)','security control',1),(2,'OSCI_PROTECT','Tools OSCI Protection (PwnedHub)','security control',0),(3,'SQLI_PROTECT','Login SQLi Protection (PwnedHub)','security control',0),(4,'CSP_PROTECT','Content Security Policy (PwnedHub)','security control',0),(5,'CORS_RESTRICT','Restricted CORS (PwnedAPI)','security control',1),(6,'JWT_VERIFY','Verify JWT Signatures (PwnedAPI)','security control',1),(7,'JWT_ENCRYPT','Encrypt JWTs (PwnedAPI)','security control',0),(8,'BEARER_AUTH_ENABLE','Bearer Token Authentication (PwnedAPI)','feature',1),(9,'OIDC_ENABLE','OpenID Connect Authentication (PwnedHub)','feature',0),(10,'SSO_ENABLE','SSO Authentication (PwnedHub)','feature',0),(11,'OOB_RESET_ENABLE','Out-of-Band Password Reset (PwnedHub)','feature',0),(12,'CTF_MODE','CTF Mode (Warning: Disables this interface!)','feature',0);
 /*!40000 ALTER TABLE `configs` ENABLE KEYS */;
 UNLOCK TABLES;
diff --git a/pwnedhub/__init__.py b/pwnedhub/__init__.py
index c8c142f..41f1e2d 100644
--- a/pwnedhub/__init__.py
+++ b/pwnedhub/__init__.py
@@ -1,7 +1,7 @@
-from flask import Flask, request, render_template, Blueprint, __version__
+from flask import Flask, request, render_template, g, Blueprint, __version__
 from flask_session import Session
 from flask_sqlalchemy import SQLAlchemy
-from pwnedhub.utils import get_current_utc_time
+from pwnedhub.utils import get_current_utc_time, generate_nonce
 from urllib.parse import unquote
 from redis import Redis
 import rq
@@ -52,10 +52,16 @@ def render_mobile():
 if not request.endpoint.startswith('static'):
 return render_template('mobile.html')
+@app.before_request
+def add_nonce():
+g.nonce = generate_nonce()
+
 @app.after_request
 def add_header(response):
 response.headers['X-Powered-By'] = 'Flask/{}'.format(__version__)
 response.headers['X-XSS-Protection'] = '1; mode=block'
+if Config.get_value('CSP_PROTECT'):
+response.headers['Content-Security-Policy'] = f"script-src 'unsafe-inline' 'nonce-{g.nonce}'; script-src-attr 'unsafe-inline'; object-src 'none'; base-uri 'none'"
 return response
 StaticBlueprint = Blueprint('common', __name__, static_url_path='/static/common', static_folder='../common/static')
diff --git a/pwnedhub/templates/layout.html b/pwnedhub/templates/layout.html
index ae232f0..bb8319d 100644
--- a/pwnedhub/templates/layout.html
+++ b/pwnedhub/templates/layout.html
@@ -9,10 +9,10 @@
- - - - + + + +
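Review bot: The policy built in add_header still permits every inline event handler, because `script-src-attr 'unsafe-inline'` whitelists `onclick=`/`onerror=`-style attributes wholesale, so anyone who can inject markup bypasses the nonce with `<img src=x onerror=...>`; unless that gap is a deliberate part of the training app, drop that directive (or set `script-src-attr 'none'`) and move the handlers into nonced scripts. Note that once a nonce is present, CSP2+ browsers ignore the `'unsafe-inline'` in `script-src`, so it only acts as a fallback for CSP1-only clients and could carry a comment saying so. Separately, add_nonce is registered after render_mobile; if render_mobile is an earlier before_request handler (its decorator sits outside the hunk) and returns a response, Flask skips add_nonce and add_header then raises AttributeError on `g.nonce` whenever CSP_PROTECT is on — register add_nonce before render_mobile, or read it defensively with `nonce = getattr(g, 'nonce', None)` and omit the nonce source when it is None. This also assumes generate_nonce draws from a CSPRNG such as `secrets.token_urlsafe`, which cannot be confirmed from the hunk.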
@@ -84,7 +84,7 @@ {% if get_flashed_messages() %} -