fixed 'is onionr client' security exit attribute error and improved public security module formatting

Kevin Froman 2020-02-19 18:02:20 -06:00
parent 6fe2da7b09
commit 080933639c
1 changed files with 24 additions and 18 deletions


@ -1,9 +1,12 @@
''' """Onionr - Private P2P Communication.
Onionr - Private P2P Communication
Process incoming requests to the public api server for certain attacks Process incoming requests to the public api server for certain attacks
''' """
''' from flask import Blueprint, request, abort, g
from onionrservices import httpheaders
from onionrutils import epoch
from utils import gettransports
"""
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or the Free Software Foundation, either version 3 of the License, or
@ -16,11 +19,9 @@
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. along with this program. If not, see <https://www.gnu.org/licenses/>.
''' """
from flask import Blueprint, request, abort, g
from onionrservices import httpheaders
from onionrutils import epoch
from utils import gettransports
class PublicAPISecurity: class PublicAPISecurity:
def __init__(self, public_api): def __init__(self, public_api):
public_api_security_bp = Blueprint('publicapisecurity', __name__) public_api_security_bp = Blueprint('publicapisecurity', __name__)
@ -28,13 +29,14 @@ class PublicAPISecurity:
@public_api_security_bp.before_app_request @public_api_security_bp.before_app_request
def validate_request(): def validate_request():
'''Validate request has the correct hostname''' """Validate request has the correct hostname"""
# If high security level, deny requests to public (HS should be disabled anyway for Tor, but might not be for I2P) # If high security level, deny requests to public
# (HS should be disabled anyway for Tor, but might not be for I2P)
transports = gettransports.get() transports = gettransports.get()
if public_api.config.get('general.security_level', default=1) > 0: if public_api.config.get('general.security_level', default=1) > 0:
abort(403) abort(403)
if request.host not in transports: if request.host not in transports:
# Disallow connection if wrong HTTP hostname, in order to prevent DNS rebinding attacks # Abort conn if wrong HTTP hostname, to prevent DNS rebinding
abort(403) abort(403)
public_api.hitCount += 1 # raise hit count for valid requests public_api.hitCount += 1 # raise hit count for valid requests
try: try:
@ -47,14 +49,18 @@ class PublicAPISecurity:
@public_api_security_bp.after_app_request @public_api_security_bp.after_app_request
def send_headers(resp): def send_headers(resp):
'''Send api, access control headers''' """Send api, access control headers"""
resp = httpheaders.set_default_onionr_http_headers(resp) resp = httpheaders.set_default_onionr_http_headers(resp)
# Network API version # Network API version
resp.headers['X-API'] = public_api.API_VERSION resp.headers['X-API'] = public_api.API_VERSION
# Delete some HTTP headers for Onionr user agents # Delete some HTTP headers for Onionr user agents
NON_NETWORK_HEADERS = ('Content-Security-Policy', 'X-Frame-Options', NON_NETWORK_HEADERS = ('Content-Security-Policy', 'X-Frame-Options',
'X-Content-Type-Options', 'Feature-Policy', 'Clear-Site-Data', 'Referrer-Policy') 'X-Content-Type-Options', 'Feature-Policy',
'Clear-Site-Data', 'Referrer-Policy')
try:
if g.is_onionr_client: if g.is_onionr_client:
for header in NON_NETWORK_HEADERS: del resp.headers[header] for header in NON_NETWORK_HEADERS: del resp.headers[header]
except AttributeError:
abort(403)
public_api.lastRequest = epoch.get_rounded_epoch(roundS=5) public_api.lastRequest = epoch.get_rounded_epoch(roundS=5)
return resp return resp
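Review bot: Calling `abort(403)` from inside the `after_app_request` handler `send_headers` (the new `except AttributeError:` branch) raises in the response-finalisation phase, so Flask discards the response already built — including the 403 that `validate_request` itself produces when it aborts before the `try:` body that presumably assigns `g.is_onionr_client` — and the `public_api.lastRequest` update and any later after-request handler are skipped. A missing attribute is more safely treated as "not an Onionr client", which keeps the browser-hardening headers on the response instead of swapping it for a bare error page: replace the `try`/`except` with `if getattr(g, 'is_onionr_client', False):` followed by the existing `del` loop. Where `g.is_onionr_client` is assigned is not visible in these hunks (the `validate_request` body continues past the third hunk), so confirm that no path leaves it set to a non-boolean value. Both nested handlers live in `PublicAPISecurity.__init__`, whose body spans several hunks.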