More hardening and migration from Drone to Woodpecker
This commit is contained in:
81
app.py
81
app.py
@@ -1,15 +1,26 @@
|
||||
from flask import Flask, request, Response, jsonify
|
||||
import jinja2
|
||||
import re
|
||||
import html
|
||||
import time
|
||||
from functools import wraps
|
||||
from collections import defaultdict, deque
|
||||
from werkzeug.middleware.proxy_fix import ProxyFix
|
||||
|
||||
app = Flask(__name__)
|
||||
# Never run in debug in production
|
||||
app.config['DEBUG'] = False
|
||||
app.config['TESTING'] = False
|
||||
# Trust one proxy (e.g. Traefik); ensure proxy overwrites X-Forwarded-For with real client IP
|
||||
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1)
|
||||
# Reject request bodies larger than this (bytes); protects when Content-Length is missing/wrong
|
||||
app.config['MAX_CONTENT_LENGTH'] = 4096
|
||||
# Only allow safe HTTP methods (block TRACE, CONNECT, etc.)
|
||||
ALLOWED_HTTP_METHODS = {'GET', 'POST', 'HEAD', 'OPTIONS'}
|
||||
|
||||
env = jinja2.Environment(
|
||||
loader=jinja2.FileSystemLoader('templates'),
|
||||
autoescape=jinja2.select_autoescape(['xml'])
|
||||
# Escape all template output (XML); .j2 extension may not match select_autoescape(['xml'])
|
||||
autoescape=True,
|
||||
)
|
||||
|
||||
# Security configuration
|
||||
@@ -38,30 +49,39 @@ rate_limit_storage = defaultdict(deque)
|
||||
RATE_LIMIT_REQUESTS = 100 # requests per window
|
||||
RATE_LIMIT_WINDOW = 3600 # 1 hour window
|
||||
|
||||
def _prune_stale_rate_limits():
|
||||
"""Remove IPs with no requests in the current window to bound memory (M4)."""
|
||||
if len(rate_limit_storage) <= 1000:
|
||||
return
|
||||
current_time = time.time()
|
||||
stale = [
|
||||
ip for ip, timestamps in rate_limit_storage.items()
|
||||
if not timestamps or timestamps[-1] < current_time - RATE_LIMIT_WINDOW
|
||||
]
|
||||
for ip in stale:
|
||||
del rate_limit_storage[ip]
|
||||
|
||||
|
||||
def rate_limit(max_requests=RATE_LIMIT_REQUESTS, window=RATE_LIMIT_WINDOW):
|
||||
"""Simple rate limiting decorator"""
|
||||
"""Simple rate limiting decorator. Uses request.remote_addr (set by ProxyFix from trusted proxy)."""
|
||||
def decorator(f):
|
||||
@wraps(f)
|
||||
def decorated_function(*args, **kwargs):
|
||||
# Get client IP
|
||||
client_ip = request.headers.get('X-Forwarded-For', request.remote_addr)
|
||||
if client_ip:
|
||||
client_ip = client_ip.split(',')[0].strip()
|
||||
|
||||
client_ip = request.remote_addr or 'unknown'
|
||||
current_time = time.time()
|
||||
|
||||
|
||||
_prune_stale_rate_limits()
|
||||
|
||||
# Clean old requests outside the window
|
||||
while (rate_limit_storage[client_ip] and
|
||||
while (rate_limit_storage[client_ip] and
|
||||
rate_limit_storage[client_ip][0] < current_time - window):
|
||||
rate_limit_storage[client_ip].popleft()
|
||||
|
||||
|
||||
# Check if limit exceeded
|
||||
if len(rate_limit_storage[client_ip]) >= max_requests:
|
||||
return jsonify({'error': 'Rate limit exceeded'}), 429
|
||||
|
||||
# Add current request
|
||||
|
||||
rate_limit_storage[client_ip].append(current_time)
|
||||
|
||||
return f(*args, **kwargs)
|
||||
return decorated_function
|
||||
return decorator
|
||||
@@ -83,12 +103,14 @@ def validate_host(f):
|
||||
return decorated_function
|
||||
|
||||
def validate_request_size(max_size=1024):
|
||||
"""Decorator to validate request size"""
|
||||
"""Decorator to validate request size. POST without Content-Length is rejected (H2)."""
|
||||
def decorator(f):
|
||||
@wraps(f)
|
||||
def decorated_function(*args, **kwargs):
|
||||
content_length = request.content_length
|
||||
if content_length and content_length > max_size:
|
||||
if request.method == 'POST' and content_length is None:
|
||||
return jsonify({'error': 'Content-Length required for POST'}), 411
|
||||
if content_length is not None and content_length > max_size:
|
||||
return jsonify({'error': 'Request too large'}), 413
|
||||
return f(*args, **kwargs)
|
||||
return decorated_function
|
||||
@@ -101,6 +123,9 @@ def add_security_headers(response):
|
||||
response.headers['X-XSS-Protection'] = '1; mode=block'
|
||||
response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
|
||||
response.headers['Content-Security-Policy'] = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'"
|
||||
response.headers['Permissions-Policy'] = 'geolocation=(), microphone=(), camera=()'
|
||||
# HSTS: enforce HTTPS (Traefik terminates TLS)
|
||||
response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains; preload'
|
||||
return response
|
||||
|
||||
def sanitize_domain(domain):
|
||||
@@ -115,6 +140,29 @@ def sanitize_domain(domain):
|
||||
return None
|
||||
return sanitized
|
||||
|
||||
# Reject unsafe HTTP methods before any route logic
|
||||
@app.before_request
|
||||
def reject_unsafe_methods():
|
||||
if request.method not in ALLOWED_HTTP_METHODS:
|
||||
return jsonify({'error': 'Method not allowed'}), 405
|
||||
|
||||
|
||||
# Safe error handlers: no stack traces or internal details
|
||||
@app.errorhandler(404)
|
||||
def not_found(e):
|
||||
return jsonify({'error': 'Not found'}), 404
|
||||
|
||||
|
||||
@app.errorhandler(500)
|
||||
def internal_error(e):
|
||||
return jsonify({'error': 'Internal server error'}), 500
|
||||
|
||||
|
||||
@app.errorhandler(413)
|
||||
def request_entity_too_large(e):
|
||||
return jsonify({'error': 'Request too large'}), 413
|
||||
|
||||
|
||||
# Register security headers middleware
|
||||
@app.after_request
|
||||
def after_request(response):
|
||||
@@ -282,6 +330,7 @@ def index():
|
||||
|
||||
@app.route('/ping')
|
||||
@rate_limit(max_requests=10, window=60) # 10 requests per minute for health check
|
||||
@validate_host
|
||||
def ping():
|
||||
return "✅ Mail Autoconfig Service is running."
|
||||
|
||||
|
||||
Reference in New Issue
Block a user