Merge pull request #3 from cubinet-code/feature/security-improvements-issue-1

Implement CSP nonces and configurable password validation

Author: cubinet-code

README.md

@@ -247,7 +247,7 @@ export FORWARDED_ALLOW_IPS="127.0.0.1,10.0.0.1"  # Multiple IPs separated by com
 
 **⚠️ IMPORTANT SECURITY CONSIDERATION**
 
-The application uses the `X-Forwarded-For` header to determine client IP addresses, which are used for RADIUS authentication and potentially firewall rules. By default, Gunicorn accepts this header from any source, which can be exploited for IP spoofing attacks.
+The application uses the `X-Forwarded-For` header to determine client IP addresses, which are used for RADIUS authentication and potentially firewall rules. By default, Gunicorn only accepts this header from localhost (127.0.0.1,::1) and strips it from other sources for security, but this can be configured.
 
 **Configuration Options:**
 
@@ -281,22 +281,22 @@ The application includes comprehensive security measures:
 **Input Validation:**
 - Username length limited to 63 characters (RADIUS standard)
 - Password length limited to 128 characters (RADIUS standard)
-- Character validation: only alphanumeric, @, ., _, - allowed in usernames
+- Character validation: configurable pattern via `RADIUS_CHAR_PATTERN` in config.py
+- Default pattern includes: alphanumeric, ! # $ % & ' ( ) * + , - . / : ; = ? @ _ { }
 - Returns HTTP 400 Bad Request for invalid inputs instead of 500 errors
 
 **CSRF Protection:**
 - All forms protected with CSRF tokens using Flask-WTF
 - Prevents Cross-Site Request Forgery attacks
 - Automatically enabled in production, disabled in test environment
 
-**Security Headers:**
-- Content Security Policy (CSP) to prevent XSS attacks
+**Security Headers (via Flask-Talisman):**
+- Content Security Policy (CSP) with nonce-based inline script protection
 - X-Frame-Options: DENY to prevent clickjacking
 - X-Content-Type-Options: nosniff to prevent MIME sniffing
-- X-XSS-Protection: 1; mode=block for additional XSS protection
 - Referrer-Policy: strict-origin-when-cross-origin
-- Permissions-Policy to restrict dangerous features
 - HSTS header for HTTPS connections (max-age=31536000; includeSubDomains)
+- Removed deprecated X-XSS-Protection header (CSP provides better protection)
 
 **Session Security:**
 - Server-side sessions using CacheLib filesystem backend

config.example.py

@@ -19,6 +19,11 @@
 # with a Session-Timeout(27) or Idle-Timeout(28) attribute
 DEFAULT_RADIUS_SESSION_DURATION = 60 * 60 * 4  # 4 hours
 
+# Username character validation pattern for RADIUS compatibility
+# Default includes alphanumeric and common symbols safe for Cisco systems
+# You can customize this pattern based on your RADIUS server requirements
+RADIUS_CHAR_PATTERN = r'^[a-zA-Z0-9!#$%&\'()*+,./:;=?@_{-]+$'
+
 #
 # Web Server Parameters
 #

portal.py

@@ -14,6 +14,7 @@
 from wtforms import StringField, PasswordField, SubmitField, IntegerField
 from wtforms.validators import DataRequired, Length, Regexp
 from cachelib import FileSystemCache
+from flask_talisman import Talisman
 from pyrad.client import Client
 from pyrad.dictionary import Dictionary
 import pyrad.packet
@@ -39,8 +40,8 @@
 # Input validation constants
 MAX_USERNAME_LENGTH = 63  # RADIUS standard
 MAX_PASSWORD_LENGTH = 128  # RADIUS standard
-# RADIUS-compatible character pattern (alphanumeric + common symbols)
-RADIUS_CHAR_PATTERN = re.compile(r'^[a-zA-Z0-9@._-]+$')
+# RADIUS-compatible character pattern (configurable via config.py)
+RADIUS_CHAR_PATTERN = re.compile(app.config.get('RADIUS_CHAR_PATTERN', r'^[a-zA-Z0-9@._-]+$'))
 
 # Configure CacheLib session backend (replaces deprecated filesystem backend)
 app.config['SESSION_CACHELIB'] = FileSystemCache(cache_dir='flask_session', threshold=500)
@@ -51,6 +52,25 @@
 csrf = CSRFProtect(app)
 # Initialize the Flask Session
 Session(app)
+# Initialize Flask-Talisman for security headers including CSP
+csp = {
+    'default-src': "'self'",
+    'script-src': "'self'",
+    'style-src': "'self' 'unsafe-inline'",  # Bootstrap requires inline styles
+    'img-src': "'self' data:",
+    'font-src': "'self'",
+    'connect-src': "'self'",
+    'frame-ancestors': "'none'"
+}
+talisman = Talisman(
+    app,
+    content_security_policy=csp,
+    content_security_policy_nonce_in=['script-src'],
+    strict_transport_security=True,
+    strict_transport_security_max_age=31536000,
+    strict_transport_security_include_subdomains=True,
+    force_https=False  # Allow HTTP for development
+)
 # Initialize the Background Session Scheduler
 background_scheduler = BackgroundScheduler()
 background_scheduler.start()
@@ -77,40 +97,15 @@
 srv = srv_primary
 
 
-@app.after_request
-def add_security_headers(response):
-    """Add security headers to all responses."""
-    # Content Security Policy
-    response.headers['Content-Security-Policy'] = (
-        "default-src 'self'; "
-        "script-src 'self' 'unsafe-inline'; "
-        "style-src 'self' 'unsafe-inline'; "
-        "img-src 'self' data:; "
-        "font-src 'self'; "
-        "connect-src 'self'; "
-        "frame-ancestors 'none'"
-    )
-    
-    # Security headers
-    response.headers['X-Content-Type-Options'] = 'nosniff'
-    response.headers['X-Frame-Options'] = 'DENY'
-    response.headers['X-XSS-Protection'] = '1; mode=block'
-    response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
-    response.headers['Permissions-Policy'] = 'geolocation=(), microphone=(), camera=()'
-    
-    # HSTS header (only if serving HTTPS)
-    if request.is_secure:
-        response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
-    
-    return response
+# Security headers are now handled by Flask-Talisman
 
 
 class LoginForm(FlaskForm):
     """CSRF-protected login form with validation."""
     username = StringField('Username', validators=[
         DataRequired(),
         Length(max=MAX_USERNAME_LENGTH, message=f'Username too long (max {MAX_USERNAME_LENGTH} characters)'),
-        Regexp(RADIUS_CHAR_PATTERN, message='Username contains invalid characters (only alphanumeric, @, ., _, - allowed)')
+        Regexp(RADIUS_CHAR_PATTERN, message='Username contains invalid characters')
     ])
     password = PasswordField('Password', validators=[
         DataRequired(),
@@ -138,7 +133,7 @@ def validate_input(username, password):
     if len(username) > MAX_USERNAME_LENGTH:
         errors.append(f"Username too long (max {MAX_USERNAME_LENGTH} characters)")
     if not RADIUS_CHAR_PATTERN.match(username):
-        errors.append("Username contains invalid characters (only alphanumeric, @, ., _, - allowed)")
+        errors.append("Username contains invalid characters")
 
     # Check password length
     if len(password) > MAX_PASSWORD_LENGTH:

requirements.txt

@@ -7,3 +7,4 @@ gunicorn~=23.0.0
 Flask-WTF~=1.2.1
 WTForms~=3.2.1
 cachelib~=0.13.0
+flask-talisman~=1.1.0

templates/index.html.jinja

@@ -97,7 +97,7 @@
 
     {% block scripts %}
         {{ bootstrap.load_js() }}
-        <script type="text/javascript">var ts = {{ (ts * 1000)|int }};</script>
+        <script type="text/javascript" nonce="{{ csp_nonce() }}">var ts = {{ (ts * 1000)|int }};</script>
         <script type="text/javascript" src="{{ url_for('static',filename='app.js') }}"></script>
     {% endblock %}
 </main>

tests/conftest.py

@@ -19,3 +19,8 @@ def setup_test_config(monkeypatch):
     portal.app.config["DEFAULT_RADIUS_SESSION_DURATION"] = 15
     # Disable CSRF for testing
     portal.app.config["WTF_CSRF_ENABLED"] = False
+    # Set expanded character pattern for testing
+    portal.app.config["RADIUS_CHAR_PATTERN"] = r'^[a-zA-Z0-9!#$%&\'()*+,./:;=?@_{-]+$'
+    # Re-compile the regex pattern with the new config
+    import re
+    portal.RADIUS_CHAR_PATTERN = re.compile(portal.app.config["RADIUS_CHAR_PATTERN"])

tests/test_portal.py

@@ -105,3 +105,60 @@ def test_portal_session(client):
         )
 
         assert session.get("username") is None
+
+
+def test_csp_nonce_in_response(client):
+    """Test that CSP nonce is present in script tags"""
+    response = client.get("/")
+    assert response.status_code == 200
+    
+    # Check that the inline script has a nonce attribute
+    assert b'nonce="' in response.data
+    assert b'<script type="text/javascript" nonce="' in response.data
+    
+    # Extract nonce from HTML
+    nonce_pattern = rb'<script type="text/javascript" nonce="([^"]+)">'
+    match = re.search(nonce_pattern, response.data)
+    assert match is not None
+    nonce = match.group(1).decode('utf-8')
+    
+    # Nonce should be non-empty and of reasonable length
+    assert len(nonce) > 10
+
+
+def test_security_headers_present(client):
+    """Test that Flask-Talisman security headers are present"""
+    response = client.get("/")
+    assert response.status_code == 200
+    
+    # Check CSP header is present and doesn't contain unsafe-inline for scripts
+    csp_header = response.headers.get('Content-Security-Policy')
+    assert csp_header is not None
+    assert 'script-src' in csp_header
+    assert 'nonce-' in csp_header
+    # Style-src still needs unsafe-inline for Bootstrap, but script-src should use nonce
+    assert "script-src 'self' 'nonce-" in csp_header
+    
+    # Check other security headers (Flask-Talisman defaults)
+    assert response.headers.get('X-Frame-Options') == 'SAMEORIGIN'
+    assert response.headers.get('X-Content-Type-Options') == 'nosniff'
+    
+    # Ensure deprecated X-XSS-Protection header is not present
+    assert 'X-XSS-Protection' not in response.headers
+
+
+def test_configurable_pattern_validation():
+    """Test that configurable password validation pattern works in validation function"""
+    import portal
+    
+    # Test characters that should be allowed with expanded pattern
+    errors = portal.validate_input("[email protected]", "testpass")
+    assert "Username contains invalid characters" not in ' '.join(errors)
+    
+    # Test expanded character set (should be allowed)
+    errors = portal.validate_input("test+user#1", "testpass") 
+    assert "Username contains invalid characters" not in ' '.join(errors)
+    
+    # Test characters that should still be rejected (like spaces)
+    errors = portal.validate_input("test user", "testpass")
+    assert "Username contains invalid characters" in ' '.join(errors)