Skip to content

Commit 5f994d6

Browse files
committed
deps: upgrade django-csp to version 4
Refs: KK-1467
1 parent 5439eb5 commit 5f994d6

4 files changed

Lines changed: 41 additions & 56 deletions

File tree

kukkuu/consts.py

Lines changed: 0 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -38,16 +38,3 @@
3838
AUTHENTICATION_ERROR = "AUTHENTICATION_ERROR"
3939
AUTHENTICATION_EXPIRED_ERROR = "AUTHENTICATION_EXPIRED_ERROR"
4040
VERIFICATION_TOKEN_INVALID_ERROR = "VERIFICATION_TOKEN_INVALID_ERROR"
41-
42-
43-
class CSP:
44-
"""The “special” source values of 'self', 'unsafe-inline', 'unsafe-eval', 'none'
45-
and hash-source ('sha256-...') must be quoted! e.g.: CSP_DEFAULT_SRC = ("'self'",).
46-
Without quotes they will not work as intended.
47-
Ref. https://django-csp.readthedocs.io/en/stable/configuration.html.
48-
"""
49-
50-
SELF = "'self'"
51-
NONE = "'none'"
52-
UNSAFE_INLINE = "'unsafe-inline'"
53-
UNSAFE_EVAL = "'unsafe-eval'"

kukkuu/settings.py

Lines changed: 30 additions & 36 deletions
Original file line numberDiff line numberDiff line change
@@ -6,14 +6,14 @@
66

77
import environ
88
import sentry_sdk
9+
from csp.constants import SELF, UNSAFE_EVAL, UNSAFE_INLINE
910
from django.core.exceptions import ImproperlyConfigured
1011
from django.utils.translation import gettext_lazy as _
1112
from helusers.defaults import SOCIAL_AUTH_PIPELINE # noqa: F401
1213
from jose import ExpiredSignatureError
1314
from sentry_sdk.integrations.django import DjangoIntegration
1415
from sentry_sdk.types import Event, Hint
1516

16-
from kukkuu.consts import CSP
1717
from kukkuu.exceptions import AuthenticationExpiredError
1818
from kukkuu.tests.utils.jwt_utils import is_valid_256_bit_key
1919

@@ -327,42 +327,36 @@ def sentry_before_send(event: Event, hint: Hint):
327327
CORS_ALLOWED_ORIGIN_REGEXES = env("CORS_ALLOWED_ORIGIN_REGEXES")
328328
CORS_ALLOW_ALL_ORIGINS = env("CORS_ALLOW_ALL_ORIGINS")
329329

330-
# Configure the default CSP rule for different source types
331-
CSP_DEFAULT_SRC = ["'self'"]
332330

333-
# CSP_STYLE_SRC includes 'unsafe-inline' for inline styles added by `django-helusers`
334-
# and `SpectacularRedocView`.
335-
CSP_STYLE_SRC = [
336-
CSP.SELF,
337-
CSP.UNSAFE_INLINE,
338-
"cdn.jsdelivr.net",
339-
"fonts.googleapis.com",
340-
]
341-
342-
# CSP_SCRIPT_SRC includes 'unsafe-eval' for inline scripts added by
343-
# `SpectacularRedocView`
344-
CSP_SCRIPT_SRC = [
345-
CSP.SELF,
346-
CSP.UNSAFE_EVAL,
347-
"cdn.jsdelivr.net",
348-
"blob:",
349-
]
350-
351-
# CSP_FONT_SRC includes Google fonts fetched by `SpectacularRedocView`
352-
CSP_FONT_SRC = [
353-
CSP.SELF,
354-
"fonts.googleapis.com",
355-
"fonts.gstatic.com",
356-
"data:", # /graphql/ endpoint uses "data:font/woff2"
357-
]
358-
359-
# CSP_IMG_SRC includes sources for images fetched by `SpectacularRedocView`
360-
CSP_IMG_SRC = [
361-
CSP.SELF,
362-
"cdn.redoc.ly",
363-
"blob:",
364-
"data:",
365-
]
331+
CONTENT_SECURITY_POLICY = {
332+
"DIRECTIVES": {
333+
"default-src": [SELF],
334+
"style-src": [
335+
SELF,
336+
UNSAFE_INLINE,
337+
"cdn.jsdelivr.net",
338+
"fonts.googleapis.com",
339+
],
340+
"script-src": [
341+
SELF,
342+
UNSAFE_EVAL,
343+
"cdn.jsdelivr.net",
344+
"blob:",
345+
],
346+
"font-src": [
347+
SELF,
348+
"fonts.googleapis.com",
349+
"fonts.gstatic.com",
350+
"data:", # /graphql/ endpoint uses "data:font/woff2"
351+
],
352+
"img-src": [
353+
SELF,
354+
"cdn.redoc.ly",
355+
"blob:",
356+
"data:",
357+
],
358+
}
359+
}
366360

367361
AUTH_USER_MODEL = "users.User"
368362

kukkuu/urls.py

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
from csp.constants import UNSAFE_INLINE
12
from csp.decorators import csp_update
23
from django.conf import settings
34
from django.conf.urls.static import static
@@ -13,7 +14,6 @@
1314
from common.utils import get_api_version
1415
from custom_health_checks.views import HealthCheckJSONView
1516
from kukkuu import __version__
16-
from kukkuu.consts import CSP
1717
from kukkuu.views import SentryGraphQLView
1818
from reports.api import ChildViewSet, EventGroupViewSet, EventViewSet, VenueViewSet
1919

@@ -32,8 +32,10 @@
3232

3333
# Add unsafe-inline to enable GraphiQL interface at /graphql/
3434
@csp_update(
35-
SCRIPT_SRC=settings.CSP_SCRIPT_SRC
36-
+ ([CSP.UNSAFE_INLINE] if IS_GRAPHIQL_ENABLED else [])
35+
{
36+
"script-src": settings.CONTENT_SECURITY_POLICY["DIRECTIVES"]["script-src"]
37+
+ ([UNSAFE_INLINE] if IS_GRAPHIQL_ENABLED else [])
38+
}
3739
)
3840
@csrf_exempt
3941
def graphql_view(request, *args, **kwargs):

requirements.txt

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -301,9 +301,9 @@ django-cors-headers==4.7.0 \
301301
--hash=sha256:6fdf31bf9c6d6448ba09ef57157db2268d515d94fc5c89a0a1028e1fc03ee52b \
302302
--hash=sha256:f1c125dcd58479fe7a67fe2499c16ee38b81b397463cf025f0e2c42937421070
303303
# via -r requirements.in
304-
django-csp==3.8 \
305-
--hash=sha256:19b2978b03fcd73517d7d67acbc04fbbcaec0facc3e83baa502965892d1e0719 \
306-
--hash=sha256:ef0f1a9f7d8da68ae6e169c02e9ac661c0ecf04db70e0d1d85640512a68471c0
304+
django-csp==4.0 \
305+
--hash=sha256:b27010bb702eb20a3dad329178df2b61a2b82d338b70fbdc13c3a3bd28712833 \
306+
--hash=sha256:d5a0a05463a6b75a4f1fc1828c58c89af8db9364d09fc6e12f122b4d7f3d00dc
307307
# via -r requirements.in
308308
django-environ==0.12.0 \
309309
--hash=sha256:227dc891453dd5bde769c3449cf4a74b6f2ee8f7ab2361c93a07068f4179041a \
@@ -518,7 +518,9 @@ oauthlib==3.2.2 \
518518
packaging==24.2 \
519519
--hash=sha256:09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759 \
520520
--hash=sha256:c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f
521-
# via deprecation
521+
# via
522+
# deprecation
523+
# django-csp
522524
pillow==11.1.0 \
523525
--hash=sha256:015c6e863faa4779251436db398ae75051469f7c903b043a48f078e437656f83 \
524526
--hash=sha256:0a2f91f8a8b367e7a57c6e91cd25af510168091fb89ec5146003e424e1558a96 \

0 commit comments

Comments
 (0)