[django] zavedeni CSP #82

+ rozdeleni settings na local, base a production

Pipfile

@@ -20,11 +20,12 @@ sentry-sdk = "~=0.14.0"
 uritemplate = "~=3.0.0"
 vulture = "~=1.2"
 whitenoise = "~=5.0"
+django-csp = "~=3.5"
 
 [dev-packages]
 behave-django = "~=1.3.0"
 black = "~=19.3b0"
-coverage = "~=5.0.3"
+coverage = "~=5.1"
 codecov = "~=2.0.16"
 selenium = "~=3.141.0"
 mypy = "~=0.770"

frontend/src/index.tsx

@@ -1,3 +1,5 @@
+import { config } from "@fortawesome/fontawesome-svg-core"
+import "@fortawesome/fontawesome-svg-core/styles.css"
 import * as Sentry from "@sentry/browser"
 import "bootstrap/dist/css/bootstrap.css"
 import * as React from "react"
@@ -12,6 +14,9 @@ import history from "./global/history"
 import "./index.css"
 import Main from "./Main"
 
+// opatreni kvuli CSP pro FontAwesome, viz https://fontawesome.com/how-to-use/on-the-web/other-topics/security
+config.autoAddCss = false
+
 // CI provede substituci stringu za URL, promenna prostredi ale musi existovat, jinak nefunguje (proto podminka)
 if (isHosted()) {
     Sentry.init({

manage.py

@@ -7,7 +7,7 @@
 
 if __name__ == "__main__":
     # nastaveni vychoziho souboru s nastavenim
-    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "up.settings")
+    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "up.settings.local")
     try:
         from django.core.management import execute_from_command_line
     except ImportError as exc:

mypy.ini

@@ -13,7 +13,7 @@ warn_unreachable = True
 warn_unused_ignores = True
 
 [mypy.plugins.django-stubs]
-django_settings_module = "up.settings"
+django_settings_module = "up.settings.local"
 
 [mypy-*.migrations.*]
 # Django migrations should not produce any errors:

scripts/shell/release_tasks.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
 
-export DJANGO_SETTINGS_MODULE=up.production_settings
+export DJANGO_SETTINGS_MODULE=up.settings.production
 python manage.py collectstatic --noinput
 python manage.py migrate

tests/ui_environment.py

@@ -1,16 +1,16 @@
+from django.conf import settings
 from selenium import webdriver
 from selenium.webdriver.firefox.options import Options
 
 from tests import fixtures
-from up.settings import HEADLESS
 
 SCREEN_WIDTH = 1920
 SCREEN_HEIGHT = 1080
 
 
 def before_all(context):
     options = Options()
-    options.headless = HEADLESS
+    options.headless = settings.HEADLESS
     context.browser = webdriver.Firefox(options=options)
     context.browser.set_window_size(SCREEN_WIDTH, SCREEN_HEIGHT)
 

up/settings.py → up/settings/base.py

@@ -1,5 +1,6 @@
 """
-Výchozí konfigurace Django projektu.
+Základní konfigurace Django projektu.
+Je základem pro konfigurace v souborech local.py a production.py.
 """
 import os
 import sys
@@ -8,7 +9,7 @@
 import environ
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
-BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+BASE_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
 
 # env promenne
 env = environ.Env(
@@ -46,7 +47,6 @@
 # Django konstanty
 DEBUG = env("DEBUG")
 SECRET_KEY = env("SECRET_KEY")
-ALLOWED_HOSTS = ["*"]
 
 # Application definition
 INSTALLED_APPS = [
@@ -88,6 +88,7 @@
 
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
+    "csp.middleware.CSPMiddleware",
     "whitenoise.middleware.WhiteNoiseMiddleware",
     "debug_toolbar.middleware.DebugToolbarMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
@@ -172,3 +173,27 @@
 X_FRAME_OPTIONS = "DENY"
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
+
+# CSP
+# CSP pro Google Analytics, viz https://developers.google.com/tag-manager/web/csp#universal_analytics_google_analytics
+CSPURL_GOOGLE_ANALYTICS = "https://www.google-analytics.com"
+CSPURL_GOOGLE_ANALYTICS_SSL = "https://ssl.google-analytics.com"
+# CSP pro Google Fonts
+CSPURL_GOOGLE_FONTS_STYLE = "fonts.googleapis.com"
+CSPURL_GOOGLE_FONTS_FONT = "fonts.gstatic.com"
+# CSP pro Sentry
+CSPURL_SENTRY = "https://sentry.io"
+
+CSP_SELF = "'self'"
+
+# CSP konfigurace
+CSP_DEFAULT_SRC = ("'none'",)
+CSP_STYLE_SRC = (
+    CSP_SELF,
+    "'unsafe-inline'",
+    CSPURL_GOOGLE_FONTS_STYLE,
+)  # 'unsafe-inline' kvuli inline CSS v Sentry feedback formulari
+CSP_CONNECT_SRC = (CSP_SELF, CSPURL_GOOGLE_ANALYTICS, CSPURL_SENTRY)
+CSP_SCRIPT_SRC = (CSP_SELF, CSPURL_SENTRY, CSPURL_GOOGLE_ANALYTICS, CSPURL_GOOGLE_ANALYTICS_SSL)
+CSP_FONT_SRC = (CSP_SELF, CSPURL_GOOGLE_FONTS_FONT)
+CSP_IMG_SRC = (CSP_SELF, CSPURL_GOOGLE_ANALYTICS, "data:")

up/settings/local.py

@@ -0,0 +1,15 @@
+"""
+Lokální (vývojová) konfigurace Django projektu.
+Rozšiřuje základní konfiguraci ze souboru base.py.
+"""
+from .base import *  # lgtm [py/polluting-import]
+
+# Django konstanty
+ALLOWED_HOSTS = ["*"]
+
+# CSP
+CSPURL_LOCALHOST = ("*:3000",)
+
+CSP_STYLE_SRC = CSP_STYLE_SRC + CSPURL_LOCALHOST
+CSP_CONNECT_SRC = CSP_CONNECT_SRC + CSPURL_LOCALHOST + ("ws://*:3000",)
+CSP_SCRIPT_SRC = CSP_SCRIPT_SRC + CSPURL_LOCALHOST + ("'unsafe-eval'", "'unsafe-inline'")

up/production_settings.py → up/settings/production.py

@@ -1,12 +1,12 @@
 """
 Produkční konfigurace Django projektu.
 Používá se pro nasazené aplikace, případně pro simulaci nasazené aplikace na lokálu (MANUAL_PRODUCTION).
-Rozšiřuje výchozí konfiguraci ze souboru settings.py.
+Rozšiřuje základní konfiguraci ze souboru base.py.
 """
 import sentry_sdk
 from sentry_sdk.integrations.django import DjangoIntegration
 
-from .settings import *  # lgtm [py/polluting-import]
+from .base import *  # lgtm [py/polluting-import]
 
 # pro korektni build a fungovani na Travisu
 if os.getenv("TRAVIS"):

up/wsgi.py

@@ -6,6 +6,6 @@
 
 from django.core.wsgi import get_wsgi_application
 
-os.environ.setdefault("DJANGO_SETTINGS_MODULE", "up.settings")
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", "up.settings.local")
 
 application = get_wsgi_application()