csp report

CITATION.cff

@@ -24,10 +24,5 @@ keywords:
   - dxcluster
   - spiderweb
 license: GPL-3.0
-<<<<<<< HEAD
 version: v2.4.5.1
-date-released: 2023-11-12
-=======
-version: v2.4.5.1
-date-released: 2023-11-12
->>>>>>> staging
+date-released: 2023-11-14

cfg/webapp_log_config.ini

@@ -12,7 +12,7 @@ level=INFO
 handlers=stream_handler,file_handler
 
 [logger_webapp]
-level=INFO
+level=DEBUG
 handlers=stream_handler,file_handler
 qualname=webapp
 propagate=0

docs/CHANGELOG.md

@@ -1,4 +1,9 @@
 ### Change log
+Date: 14/11/2023 
+Release: v2.4.5.1
+- security issue #46
+
+___
 Date: 12/11/2023 
 Release: v2.4.5.1
 - managed telnet password

requirements.txt

@@ -1,40 +1,28 @@
-astroid==2.12.14
-blinker==1.6.2
-charset-normalizer==2.1.1
-click==8.1.3
-dill==0.3.6
-docopt-ng==0.8.1
-easywatch==0.0.5
-Flask==2.3.3
-Flask-Consent==0.0.3
-Flask-Minify==0.41
-Flask-WTF==1.1.1
+blinker==1.7.0
+charset-normalizer==3.3.2
+click==8.1.7
+Flask==3.0.0
+Flask-Minify==0.42
+Flask-WTF==1.2.1
 htmlmin==0.1.12
 idna==3.4
-isort==5.11.4
 itsdangerous==2.1.2
 Jinja2==3.1.2
 jsmin==3.0.1
-lazy-object-proxy==1.9.0
 lesscpy==0.15.1
-markup==0.2
-MarkupSafe==2.1.1
-mccabe==0.7.0
-mysql-connector-python==8.2.0
-numpy==1.24.1
-pandas==1.5.2
-platformdirs==2.6.2
+MarkupSafe==2.1.3
+mysql-connector-python>=8.2.0
+numpy==1.26.1
+pandas==2.1.3
 ply==3.11
 protobuf==4.21.12
 python-dateutil==2.8.2
-pytz==2022.7
-rcssmin==1.1.1
+pytz==2023.3.post1
+rcssmin==1.1.2
 requests==2.31.0
 six==1.16.0
-tomlkit==0.11.6
+tzdata==2023.3
 urllib3==2.0.7
-watchdog==3.0.0
-Werkzeug==2.3.8
-wrapt==1.14.1
-WTForms==3.0.1
-xxhash==3.1.0
+Werkzeug==3.0.1
+WTForms==3.1.1
+xxhash==3.4.1

scripts/build.sh

@@ -131,6 +131,7 @@ if [ "$1" == "-r" ]; then
 
 	echo 'force some requirements...'
 	sed -i 's/mysql-connector-python==8.0.31/mysql-connector-python>=8.0.31/' ../requirements.txt
+	sed -i 's/mysql-connector-python==8.2.0/mysql-connector-python>=8.2.0/' ../requirements.txt
 
 	if ! sed -i '13,20s/level=DEBUG/level=INFO/g' ${app_ini}; then               
 		echo 'ERROR settimg loglevel=INFO '

static/js/dev/callsign_search.js

@@ -6,11 +6,9 @@ function myCallsignSearch(event) {
 
 	var callsign=document.getElementById('callsignInput').value;
 
-	//construct query parameters
 	//replacing space and tab in callsign and set location href to the specific page
 	if (callsign.replace(/\s/g, '').length > 0) {
 		location.href = ('/callsign.html?c=').concat((callsign.trim()).toUpperCase());
-		//form.action="index.html";
 	}
 }
 

static/pwa/service-worker.js

@@ -4,7 +4,7 @@ const CACHE_NAME = 'pwa-spiderweb_v2.4.5.1'
 // Dichiarazione della costante per gli URL da mettere in cache
 const URLS_TO_CACHE = [
 	'/static/images/background.webp',
-	'/static/css/rel/style.min.css',
+	'/static/css/dev/style.css',
 	'/static/images/icons/favicon.ico',
 	'/static/images/icons/icon-144x144.png',
 	'/static/images/icons/icon-152x152.png',
@@ -18,9 +18,9 @@ const URLS_TO_CACHE = [
 	'/static/images/icons/icon-96x96.png',
 	'/static/images/icons/icon-apple.png',
 	'/static/images/icons/spider_ico_master.svg',
-	'/static/js/rel/callsign_inline.min.js',
-	'/static/js/rel/callsign_search.min.js',
-	'/static/js/rel/common.min.js',
+	'/static/js/dev/callsign_inline.js',
+	'/static/js/dev/callsign_search.js',
+	'/static/js/dev/common.js',
 	'/index.html',	
 	'/plots.html',		
 	'/privacy.html',

templates/_base.html

@@ -14,7 +14,7 @@
 	<link rel="icon" href="/static/images/icons/spider_ico_master.svg" type="image/svg+xml">
 	<link rel="apple-touch-icon" href="/static/images/icons/icon-apple.png">
 	<link rel="manifest" href="/static/pwa/manifest.webmanifest">
-	<link rel="stylesheet" href="/static/css/rel/style.min.css">
+	<link rel="stylesheet" href="/static/css/dev/style.css">
 	<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/css/bootstrap.min.css"
 		integrity="sha384-rbsA2VBKQhggwzxH7pPCaAqO46MgnOM80zW1RWuH61DGLwZJEdK2Kadq2F9CUG65" crossorigin="anonymous">
 	<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/flag-icon-css/6.15.0/css/flag-icons.min.css"
@@ -94,20 +94,20 @@
 			<span id="version">v2.4.5.1</span>
 		</div>
 	</footer>
-	<script async src="static/js/rel/load-sw.min.js"></script>
+	<script async src="static/js/dev/load-sw.js"></script>
 	<script nonce="{{ inline_script_nonce }}">
 		{% block app_data %}
 		var my_callsign = '{{mycallsign}}';
 		{% endblock app_data %}
 	</script>
-	<script defer src="static/js/rel/common.min.js"></script>
+	<script defer src="static/js/dev/common.js"></script>
 	<script defer src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/js/bootstrap.bundle.min.js"
 		integrity="sha384-kenU1KFdBIe4zVF0s0G1M5b4hcpxyD9F7jL+jjXkk+Q2h455rYXK/7HAuoJl+0I4"
 		crossorigin="anonymous"></script>
 
 	</body>
 	{% block app_scripts %}
-	<script async src="static/js/rel/callsign_search.min.js"></script>
+	<script async src="static/js/dev/callsign_search.js"></script>
 	{% endblock app_scripts %}
 	{% block inline_scripts %}
 	{% endblock inline_scripts %}
@@ -137,7 +137,7 @@
 		</div>
 	</div>
 
-	<script defer src="static/js/rel/cookie_consent.min.js"></script>
+	<script defer src="static/js/dev/cookie_consent.js"></script>
 	{% endif %}
 	{% endblock cookie %}
 	<!-- Back to top button -->

templates/callsign.html

@@ -16,5 +16,5 @@
 	var callsign = '{{callsign}}';
 {% endblock app_data %}
 {% block inline_scripts %}
-	<script defer src="static/js/rel/callsign_inline.min.js"></script>
+	<script defer src="static/js/dev/callsign_inline.js"></script>
 {% endblock %}

templates/index.html

@@ -311,8 +311,8 @@ var band_frequencies={{bands["bands"]|tojson|safe}};
 {% endblock app_data %}
 {% block app_scripts %}
 {{ super() }}
-<script defer src="static/js/rel/table.min.js"></script>
+<script defer src="static/js/dev/table.js"></script>
 {% endblock %}
 {% block inline_scripts %}
-<script defer src="static/js/rel/index_inline.min.js"></script>
+<script defer src="static/js/dev/index_inline.js"></script>
 {% endblock %}

templates/plots.html

@@ -89,5 +89,5 @@ var band_frequencies={{bands["bands"]|tojson|safe}};
 <script defer src="https://cdnjs.cloudflare.com/ajax/libs/echarts/5.4.3/echarts.min.js"
 integrity="sha512-EmNxF3E6bM0Xg1zvmkeYD3HDBeGxtsG92IxFt1myNZhXdCav9MzvuH/zNMBU1DmIPN6njrhX1VTbqdJxQ2wHDg=="
 crossorigin="anonymous" referrerpolicy="no-referrer"></script>
-<script defer src="static/js/rel/plot.min.js"></script>
+<script defer src="static/js/dev/plot.js"></script>
 {% endblock app_scripts %}

webapp.py

@@ -464,6 +464,14 @@ def get_world_dx_spots_live():
         response = flask.Response(status=204)
     return response
 
+@app.route("/csp-reports", methods=['POST'])
+@csrf.exempt
+def csp_reports():
+    report_data = request.get_data(as_text=True)
+    logger.warning("CSP Report:")
+    logger.warning(report_data)
+    response=flask.Response(status=204)
+    return response
 
 @app.context_processor
 def inject_template_scope():
@@ -487,9 +495,6 @@ def add_security_headers(resp):
     resp.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
     resp.headers["Cache-Control"] = "public, no-cache"
     resp.headers["Pragma"] = "no-cache"
-
-    
-    
     resp.headers["Content-Security-Policy"] = "\
     default-src 'self';\
     script-src 'self' cdnjs.cloudflare.com cdn.jsdelivr.net 'nonce-"+inline_script_nonce+"';\
@@ -504,7 +509,10 @@ def add_security_headers(resp):
     manifest-src 'self';\
     media-src 'self';\
     worker-src 'self';\
+    worker-src 'self';\
+    report-uri /csp-reports;\
     "
+
     return resp
    
     #script-src 'self' cdnjs.cloudflare.com cdn.jsdelivr.net 'nonce-sedfGFG32xs';\