logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma

http_security_plug.ex (7306B)

    

  1. # Pleroma: A lightweight social networking server

  2. # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>

  3. # SPDX-License-Identifier: AGPL-3.0-only

  4. 

  5. defmodule Pleroma.Plugs.HTTPSecurityPlug do

  6.   alias Pleroma.Config

  7.   import Plug.Conn

  8. 

  9.   require Logger

  10. 

  11.   def init(opts), do: opts

  12. 

  13.   def call(conn, _options) do

  14.     if Config.get([:http_security, :enabled]) do

  15.       conn

  16.       |> merge_resp_headers(headers())

  17.       |> maybe_send_sts_header(Config.get([:http_security, :sts]))

  18.     else

  19.       conn

  20.     end

  21.   end

  22. 

  23.   defp headers do

  24.     referrer_policy = Config.get([:http_security, :referrer_policy])

  25.     report_uri = Config.get([:http_security, :report_uri])

  26. 

  27.     headers = [

  28.       {"x-xss-protection", "1; mode=block"},

  29.       {"x-permitted-cross-domain-policies", "none"},

  30.       {"x-frame-options", "DENY"},

  31.       {"x-content-type-options", "nosniff"},

  32.       {"referrer-policy", referrer_policy},

  33.       {"x-download-options", "noopen"},

  34.       {"content-security-policy", csp_string()}

  35.     ]

  36. 

  37.     if report_uri do

  38.       report_group = %{

  39.         "group" => "csp-endpoint",

  40.         "max-age" => 10_886_400,

  41.         "endpoints" => [

  42.           %{"url" => report_uri}

  43.         ]

  44.       }

  45. 

  46.       [{"reply-to", Jason.encode!(report_group)} | headers]

  47.     else

  48.       headers

  49.     end

  50.   end

  51. 

  52.   static_csp_rules = [

  53.     "default-src 'none'",

  54.     "base-uri 'self'",

  55.     "frame-ancestors 'none'",

  56.     "style-src 'self' 'unsafe-inline'",

  57.     "font-src 'self'",

  58.     "manifest-src 'self'"

  59.   ]

  60. 

  61.   @csp_start [Enum.join(static_csp_rules, ";") <> ";"]

  62. 

  63.   defp csp_string do

  64.     scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]

  65.     static_url = Pleroma.Web.Endpoint.static_url()

  66.     websocket_url = Pleroma.Web.Endpoint.websocket_url()

  67.     report_uri = Config.get([:http_security, :report_uri])

  68. 

  69.     img_src = "img-src 'self' data: blob:"

  70.     media_src = "media-src 'self'"

  71. 

  72.     # Strict multimedia CSP enforcement only when MediaProxy is enabled

  73.     {img_src, media_src} =

  74.       if Config.get([:media_proxy, :enabled]) &&

  75.            !Config.get([:media_proxy, :proxy_opts, :redirect_on_failure]) do

  76.         sources = build_csp_multimedia_source_list()

  77.         {[img_src, sources], [media_src, sources]}

  78.       else

  79.         {[img_src, " https:"], [media_src, " https:"]}

  80.       end

  81. 

  82.     connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]

  83. 

  84.     connect_src =

  85.       if Config.get(:env) == :dev do

  86.         [connect_src, " http://localhost:3035/"]

  87.       else

  88.         connect_src

  89.       end

  90. 

  91.     script_src =

  92.       if Config.get(:env) == :dev do

  93.         "script-src 'self' 'unsafe-eval'"

  94.       else

  95.         "script-src 'self'"

  96.       end

  97. 

  98.     report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]

  99.     insecure = if scheme == "https", do: "upgrade-insecure-requests"

  100. 

  101.     @csp_start

  102.     |> add_csp_param(img_src)

  103.     |> add_csp_param(media_src)

  104.     |> add_csp_param(connect_src)

  105.     |> add_csp_param(script_src)

  106.     |> add_csp_param(insecure)

  107.     |> add_csp_param(report)

  108.     |> :erlang.iolist_to_binary()

  109.   end

  110. 

  111.   defp build_csp_from_whitelist([], acc), do: acc

  112. 

  113.   defp build_csp_from_whitelist([last], acc) do

  114.     [build_csp_param_from_whitelist(last) | acc]

  115.   end

  116. 

  117.   defp build_csp_from_whitelist([head | tail], acc) do

  118.     build_csp_from_whitelist(tail, [[?\s, build_csp_param_from_whitelist(head)] | acc])

  119.   end

  120. 

  121.   # TODO: use `build_csp_param/1` after removing support bare domains for media proxy whitelist

  122.   defp build_csp_param_from_whitelist("http" <> _ = url) do

  123.     build_csp_param(url)

  124.   end

  125. 

  126.   defp build_csp_param_from_whitelist(url), do: url

  127. 

  128.   defp build_csp_multimedia_source_list do

  129.     media_proxy_whitelist =

  130.       [:media_proxy, :whitelist]

  131.       |> Config.get()

  132.       |> build_csp_from_whitelist([])

  133. 

  134.     captcha_method = Config.get([Pleroma.Captcha, :method])

  135.     captcha_endpoint = Config.get([captcha_method, :endpoint])

  136. 

  137.     base_endpoints =

  138.       [

  139.         [:media_proxy, :base_url],

  140.         [Pleroma.Upload, :base_url],

  141.         [Pleroma.Uploaders.S3, :public_endpoint]

  142.       ]

  143.       |> Enum.map(&Config.get/1)

  144. 

  145.     [captcha_endpoint | base_endpoints]

  146.     |> Enum.map(&build_csp_param/1)

  147.     |> Enum.reduce([], &add_source(&2, &1))

  148.     |> add_source(media_proxy_whitelist)

  149.   end

  150. 

  151.   defp add_source(iodata, nil), do: iodata

  152.   defp add_source(iodata, []), do: iodata

  153.   defp add_source(iodata, source), do: [[?\s, source] | iodata]

  154. 

  155.   defp add_csp_param(csp_iodata, nil), do: csp_iodata

  156. 

  157.   defp add_csp_param(csp_iodata, param), do: [[param, ?;] | csp_iodata]

  158. 

  159.   defp build_csp_param(nil), do: nil

  160. 

  161.   defp build_csp_param(url) when is_binary(url) do

  162.     %{host: host, scheme: scheme} = URI.parse(url)

  163. 

  164.     if scheme do

  165.       [scheme, "://", host]

  166.     end

  167.   end

  168. 

  169.   def warn_if_disabled do

  170.     unless Config.get([:http_security, :enabled]) do

  171.       Logger.warn("

  172.                                  .i;;;;i.

  173.                                iYcviii;vXY:

  174.                              .YXi       .i1c.

  175.                             .YC.     .    in7.

  176.                            .vc.   ......   ;1c.

  177.                            i7,   ..        .;1;

  178.                           i7,   .. ...      .Y1i

  179.                          ,7v     .6MMM@;     .YX,

  180.                         .7;.   ..IMMMMMM1     :t7.

  181.                        .;Y.     ;$MMMMMM9.     :tc.

  182.                        vY.   .. .nMMM@MMU.      ;1v.

  183.                       i7i   ...  .#MM@M@C. .....:71i

  184.                      it:   ....   $MMM@9;.,i;;;i,;tti

  185.                     :t7.  .....   0MMMWv.,iii:::,,;St.

  186.                    .nC.   .....   IMMMQ..,::::::,.,czX.

  187.                   .ct:   ....... .ZMMMI..,:::::::,,:76Y.

  188.                   c2:   ......,i..Y$M@t..:::::::,,..inZY

  189.                  vov   ......:ii..c$MBc..,,,,,,,,,,..iI9i

  190.                 i9Y   ......iii:..7@MA,..,,,,,,,,,....;AA:

  191.                iIS.  ......:ii::..;@MI....,............;Ez.

  192.               .I9.  ......:i::::...8M1..................C0z.

  193.              .z9;  ......:i::::,.. .i:...................zWX.

  194.              vbv  ......,i::::,,.      ................. :AQY

  195.             c6Y.  .,...,::::,,..:t0@@QY. ................ :8bi

  196.            :6S. ..,,...,:::,,,..EMMMMMMI. ............... .;bZ,

  197.           :6o,  .,,,,..:::,,,..i#MMMMMM#v.................  YW2.

  198.          .n8i ..,,,,,,,::,,,,.. tMMMMM@C:.................. .1Wn

  199.          7Uc. .:::,,,,,::,,,,..   i1t;,..................... .UEi

  200.          7C...::::::::::::,,,,..        ....................  vSi.

  201.          ;1;...,,::::::,.........       ..................    Yz:

  202.           v97,.........                                     .voC.

  203.            izAotX7777777777777777777777777777777777777777Y7n92:

  204.              .;CoIIIIIUAA666666699999ZZZZZZZZZZZZZZZZZZZZ6ov.

  205. 

  206. HTTP Security is disabled. Please re-enable it to prevent users from attacking

  207. your instance and your users via malicious posts:

  208. 

  209.       config :pleroma, :http_security, enabled: true

  210.       ")

  211.     end

  212.   end

  213. 

  214.   defp maybe_send_sts_header(conn, true) do

  215.     max_age_sts = Config.get([:http_security, :sts_max_age])

  216.     max_age_ct = Config.get([:http_security, :ct_max_age])

  217. 

  218.     merge_resp_headers(conn, [

  219.       {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"},

  220.       {"expect-ct", "enforce, max-age=#{max_age_ct}"}

  221.     ])

  222.   end

  223. 

  224.   defp maybe_send_sts_header(conn, _), do: conn

  225. end