git.squeep.com Git - akkoma/blob - lib/pleroma/plugs/http_security_plug.ex

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Plugs.HTTPSecurityPlug do
   6   alias Pleroma.Config
   7   import Plug.Conn
   8
   9   require Logger
  10
  11   def init(opts), do: opts
  12
  13   def call(conn, _options) do
  14     if Config.get([:http_security, :enabled]) do
  15       conn
  16       |> merge_resp_headers(headers())
  17       |> maybe_send_sts_header(Config.get([:http_security, :sts]))
  18     else
  19       conn
  20     end
  21   end
  22
  23   defp headers do
  24     referrer_policy = Config.get([:http_security, :referrer_policy])
  25     report_uri = Config.get([:http_security, :report_uri])
  26
  27     headers = [
  28       {"x-xss-protection", "1; mode=block"},
  29       {"x-permitted-cross-domain-policies", "none"},
  30       {"x-frame-options", "DENY"},
  31       {"x-content-type-options", "nosniff"},
  32       {"referrer-policy", referrer_policy},
  33       {"x-download-options", "noopen"},
  34       {"content-security-policy", csp_string()}
  35     ]
  36
  37     if report_uri do
  38       report_group = %{
  39         "group" => "csp-endpoint",
  40         "max-age" => 10_886_400,
  41         "endpoints" => [
  42           %{"url" => report_uri}
  43         ]
  44       }
  45
  46       [{"reply-to", Jason.encode!(report_group)} | headers]
  47     else
  48       headers
  49     end
  50   end
  51
  52   static_csp_rules = [
  53     "default-src 'none'",
  54     "base-uri 'self'",
  55     "frame-ancestors 'none'",
  56     "style-src 'self' 'unsafe-inline'",
  57     "font-src 'self'",
  58     "manifest-src 'self'"
  59   ]
  60
  61   @csp_start [Enum.join(static_csp_rules, ";") <> ";"]
  62
  63   defp csp_string do
  64     scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]
  65     static_url = Pleroma.Web.Endpoint.static_url()
  66     websocket_url = Pleroma.Web.Endpoint.websocket_url()
  67     report_uri = Config.get([:http_security, :report_uri])
  68
  69     img_src = "img-src 'self' data: blob:"
  70     media_src = "media-src 'self'"
  71
  72     # Strict multimedia CSP enforcement only when MediaProxy is enabled
  73     {img_src, media_src} =
  74       if Config.get([:media_proxy, :enabled]) &&
  75            !Config.get([:media_proxy, :proxy_opts, :redirect_on_failure]) do
  76         sources = build_csp_multimedia_source_list()
  77         {[img_src, sources], [media_src, sources]}
  78       else
  79         {[img_src, " https:"], [media_src, " https:"]}
  80       end
  81
  82     connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
  83
  84     connect_src =
  85       if Pleroma.Config.get(:env) == :dev do
  86         [connect_src, " http://localhost:3035/"]
  87       else
  88         connect_src
  89       end
  90
  91     script_src =
  92       if Pleroma.Config.get(:env) == :dev do
  93         "script-src 'self' 'unsafe-eval'"
  94       else
  95         "script-src 'self'"
  96       end
  97
  98     report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
  99     insecure = if scheme == "https", do: "upgrade-insecure-requests"
 100
 101     @csp_start
 102     |> add_csp_param(img_src)
 103     |> add_csp_param(media_src)
 104     |> add_csp_param(connect_src)
 105     |> add_csp_param(script_src)
 106     |> add_csp_param(insecure)
 107     |> add_csp_param(report)
 108     |> :erlang.iolist_to_binary()
 109   end
 110
 111   defp build_csp_multimedia_source_list do
 112     media_proxy_whitelist =
 113       Enum.reduce(Config.get([:media_proxy, :whitelist]), [], fn host, acc ->
 114         add_source(acc, host)
 115       end)
 116
 117     media_proxy_base_url =
 118       if Config.get([:media_proxy, :base_url]),
 119         do: URI.parse(Config.get([:media_proxy, :base_url])).host
 120
 121     upload_base_url =
 122       if Config.get([Pleroma.Upload, :base_url]),
 123         do: URI.parse(Config.get([Pleroma.Upload, :base_url])).host
 124
 125     s3_endpoint =
 126       if Config.get([Pleroma.Upload, :uploader]) == Pleroma.Uploaders.S3,
 127         do: URI.parse(Config.get([Pleroma.Uploaders.S3, :public_endpoint])).host
 128
 129     captcha_method = Config.get([Pleroma.Captcha, :method])
 130
 131     captcha_endpoint =
 132       if Config.get([Pleroma.Captcha, :enabled]) &&
 133            captcha_method != "Pleroma.Captcha.Native",
 134          do: Config.get([captcha_method, :endpoint])
 135
 136     []
 137     |> add_source(media_proxy_base_url)
 138     |> add_source(upload_base_url)
 139     |> add_source(s3_endpoint)
 140     |> add_source(media_proxy_whitelist)
 141     |> add_source(captcha_endpoint)
 142   end
 143
 144   defp add_source(iodata, nil), do: iodata
 145   defp add_source(iodata, source), do: [[?\s, source] | iodata]
 146
 147   defp add_csp_param(csp_iodata, nil), do: csp_iodata
 148
 149   defp add_csp_param(csp_iodata, param), do: [[param, ?;] | csp_iodata]
 150
 151   def warn_if_disabled do
 152     unless Config.get([:http_security, :enabled]) do
 153       Logger.warn("
 154                                  .i;;;;i.
 155                                iYcviii;vXY:
 156                              .YXi       .i1c.
 157                             .YC.     .    in7.
 158                            .vc.   ......   ;1c.
 159                            i7,   ..        .;1;
 160                           i7,   .. ...      .Y1i
 161                          ,7v     .6MMM@;     .YX,
 162                         .7;.   ..IMMMMMM1     :t7.
 163                        .;Y.     ;$MMMMMM9.     :tc.
 164                        vY.   .. .nMMM@MMU.      ;1v.
 165                       i7i   ...  .#MM@M@C. .....:71i
 166                      it:   ....   $MMM@9;.,i;;;i,;tti
 167                     :t7.  .....   0MMMWv.,iii:::,,;St.
 168                    .nC.   .....   IMMMQ..,::::::,.,czX.
 169                   .ct:   ....... .ZMMMI..,:::::::,,:76Y.
 170                   c2:   ......,i..Y$M@t..:::::::,,..inZY
 171                  vov   ......:ii..c$MBc..,,,,,,,,,,..iI9i
 172                 i9Y   ......iii:..7@MA,..,,,,,,,,,....;AA:
 173                iIS.  ......:ii::..;@MI....,............;Ez.
 174               .I9.  ......:i::::...8M1..................C0z.
 175              .z9;  ......:i::::,.. .i:...................zWX.
 176              vbv  ......,i::::,,.      ................. :AQY
 177             c6Y.  .,...,::::,,..:t0@@QY. ................ :8bi
 178            :6S. ..,,...,:::,,,..EMMMMMMI. ............... .;bZ,
 179           :6o,  .,,,,..:::,,,..i#MMMMMM#v.................  YW2.
 180          .n8i ..,,,,,,,::,,,,.. tMMMMM@C:.................. .1Wn
 181          7Uc. .:::,,,,,::,,,,..   i1t;,..................... .UEi
 182          7C...::::::::::::,,,,..        ....................  vSi.
 183          ;1;...,,::::::,.........       ..................    Yz:
 184           v97,.........                                     .voC.
 185            izAotX7777777777777777777777777777777777777777Y7n92:
 186              .;CoIIIIIUAA666666699999ZZZZZZZZZZZZZZZZZZZZ6ov.
 187
 188 HTTP Security is disabled. Please re-enable it to prevent users from attacking
 189 your instance and your users via malicious posts:
 190
 191       config :pleroma, :http_security, enabled: true
 192       ")
 193     end
 194   end
 195
 196   defp maybe_send_sts_header(conn, true) do
 197     max_age_sts = Config.get([:http_security, :sts_max_age])
 198     max_age_ct = Config.get([:http_security, :ct_max_age])
 199
 200     merge_resp_headers(conn, [
 201       {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"},
 202       {"expect-ct", "enforce, max-age=#{max_age_ct}"}
 203     ])
 204   end
 205
 206   defp maybe_send_sts_header(conn, _), do: conn
 207 end