Feature: CSP broad and insecure checks show the directives

Author: rfc-st

README.md

@@ -6,7 +6,7 @@
 <a target="_blank" href="https://devguide.python.org/versions/" title="Minimum Python version required to run this tool"><img src="https://img.shields.io/badge/Python-%3E%3D3.9-blue?labelColor=343b41"></a>
 <a target="_blank" href="LICENSE" title="License of this tool"><img src="https://img.shields.io/badge/License-MIT-blue.svg?labelColor=343b41"></a>
 <a target="_blank" href="https://github.com/rfc-st/humble/releases" title="Latest release of this tool"><img src="https://img.shields.io/github/v/release/rfc-st/humble?display_name=release&label=Latest%20Release&labelColor=343b41"></a>
-<a target="_blank" href="https://github.com/rfc-st/humble/commits/master" title="Latest commit of this tool"><img src="https://img.shields.io/badge/Latest_Commit-2025--03--21-blue.svg?labelColor=343b41"></a>
+<a target="_blank" href="https://github.com/rfc-st/humble/commits/master" title="Latest commit of this tool"><img src="https://img.shields.io/badge/Latest_Commit-2025--03--22-blue.svg?labelColor=343b41"></a>
 <a target="_blank" href="https://pkg.kali.org/pkg/humble" title="Official tool in Kali Linux"><img src="https://img.shields.io/badge/Kali%20Linux-Tool-blue?labelColor=343b41"></a>
 <br />
 <a target="_blank" href="#" title="Featured on:"><img src="https://img.shields.io/badge/Featured%20on:-343b41"></a>

humble.py

@@ -150,7 +150,7 @@
 XML_STRING = ('Ref: ', 'Value: ', 'Valor: ')
 
 current_time = datetime.now().strftime("%Y/%m/%d - %H:%M:%S")
-local_version = datetime.strptime('2025-03-21', '%Y-%m-%d').date()
+local_version = datetime.strptime('2025-03-22', '%Y-%m-%d').date()
 
 
 class SSLContextAdapter(requests.adapters.HTTPAdapter):
@@ -750,19 +750,20 @@ def print_global_metrics(analytics_l, analytics_s, analytics_w,
             totals_m.items()}
 
 
-def csp_analyze_content(csp_header, l_csp_broad_s, l_csp_ins_s, i_cnt):
-    csp_broad, csp_deprecated, csp_insecure = set(), set(), set()
+def csp_analyze_content(csp_header, i_cnt):
+    csp_deprecated = set()
     csp_dirs = {dir.split()[0].strip() for dir in csp_header.split(';') if
                 dir.strip()}
     csp_dirs_vals = [dir.strip() for dir in csp_header.split(';')]
     for csp_dir in csp_dirs_vals:
-        csp_broad |= ({value for value in l_csp_broad_s if f' {value} ' in
-                       f' {csp_dir} '})
         csp_deprecated |= ({value for value in t_csp_dep if value in csp_dir})
-        csp_insecure |= ({value for value in l_csp_ins_s if value in csp_dir})
     csp_check_missing(csp_dirs)
-    csp_print_warnings(csp_broad, csp_deprecated, csp_insecure)
-    if any(insecv in dir for dir in csp_dirs_vals for insecv in t_csp_insecv):
+    csp_print_warnings(csp_deprecated)
+    if any(broadv in dir for dir in csp_dirs_vals for broadv in t_csp_broad):
+        csp_print_broad(csp_dirs_vals, i_cnt)
+    if any(insecv in dir for dir in csp_dirs_vals for insecv in t_csp_insecs):
+        csp_print_insecure(csp_dirs_vals)
+    if any(unsafv in dir for dir in csp_dirs_vals for unsafv in t_csp_insecv):
         csp_print_unsafe(csp_dirs_vals, i_cnt)
 
 
@@ -811,12 +812,9 @@ def csp_check_ip(csp_h):
         print_details('[icsipa_h]', '[icsipa]', 'm', i_cnt)
 
 
-def csp_print_warnings(csp_broad, csp_deprecated, csp_insecure):
+def csp_print_warnings(csp_deprecated):
     csp_print_deprecated(csp_deprecated) if csp_deprecated else None
-    csp_print_insecure(csp_insecure) if csp_insecure else None
-    csp_print_broad(csp_broad) if csp_broad else None
-    i_cnt[0] += sum(bool(csp) for csp in (csp_broad, csp_deprecated,
-                                          csp_insecure))
+    i_cnt[0] += sum(bool(csp) for csp in (csp_deprecated))
     return i_cnt
 
 
@@ -826,11 +824,22 @@ def csp_print_deprecated(csp_deprecated):
                           '[icsi_d_r]')
 
 
-def csp_print_insecure(csp_insecure):
-    print_detail_r('[icsh_h]', is_red=True) if args.brief else \
-        csp_print_details(csp_insecure, '[icsh_h]', '[icsh]', '[icsh_b]')
+def csp_print_insecure(csp_dirs_vals):
+    csp_insecure_v = {value for value in t_csp_insecs if
+                      any(value in dir for dir in csp_dirs_vals)}
+    csp_insecure_dirs = {dir_vals.split()[0] for dir_vals in csp_dirs_vals
+                         if any(unsafe_val in dir_vals for unsafe_val in
+                                t_csp_insecs)}
+    print_detail_r('[icsh_h]', is_red=True)
     if not args.brief:
-        print("")
+        csp_values = ', '.join(f"'{value}'" for value in csp_insecure_v)
+        print_detail_l('[icsp_s]' if len(csp_insecure_dirs) > 1 else
+                       '[icsp_si]')
+        print(f" {', '.join(f"'{dir}'" for dir in
+                            sorted(csp_insecure_dirs))}.")
+        print_detail_l('[icsh]')
+        print(csp_values)
+        print_detail('[icsh_b]', num_lines=2)
 
 
 def csp_print_missing(csp_ref, csp_ref_brief):
@@ -841,9 +850,21 @@ def csp_print_missing(csp_ref, csp_ref_brief):
         print_details(csp_ref_brief, csp_ref, 'd', i_cnt)
 
 
-def csp_print_broad(csp_broad):
-    print_detail_r('[icsw_h]', is_red=True) if args.brief else \
-        csp_print_details(csp_broad, '[icsw_h]', '[icsw]', '[icsw_b]')
+def csp_print_broad(csp_dirs_vals, i_cnt):
+    csp_broad_v = set(token for dir_vals in csp_dirs_vals if dir_vals.strip()
+                      for token in dir_vals.split()[1:]
+                      if f" {token} " in t_csp_broad)
+    csp_broad_dirs = {dir_vals.split()[0] for dir_vals in csp_dirs_vals
+                      if any(f" {token} " in t_csp_broad for token in
+                             dir_vals.split()[1:])}
+    print_detail_r('[icsw_h]', is_red=True)
+    if not args.brief:
+        print_detail_l('[icsp_s]' if len(csp_broad_dirs) > 1 else '[icsp_si]')
+        print(f" {', '.join(f"'{dir}'" for dir in sorted(csp_broad_dirs))}.")
+        print_detail_l('[icsw]')
+        print(', '.join(f"'{value}'" for value in csp_broad_v))
+        print_detail('[icsw_b]', num_lines=1)
+    i_cnt[0] += 1
 
 
 def csp_print_details(csp_values, csp_title, csp_desc, csp_refs):
@@ -2154,8 +2175,9 @@ def custom_help_formatter(prog):
 
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 # https://www.w3.org/TR/CSP2/ & https://www.w3.org/TR/CSP3/
-t_csp_broad = ('*',  'blob:', 'data:', 'ftp:', 'filesystem:', 'https:',
-               'https://*', 'https://*.*', 'schemes:', 'wss:', 'wss://')
+t_csp_broad = (' * ',  ' blob: ', ' data: ', ' ftp: ', 'filesystem:',
+               ' https: ', ' https://* ', ' https://*.* ', ' mailto: ',
+               'schemes:', ' tel: ', ' wss: ', 'wss://')
 t_csp_equal = ('nonce', 'sha', 'style-src-elem', 'report-to', 'report-uri')
 t_csp_dep = ('block-all-mixed-content', 'disown-opener', 'plugin-types',
              'prefetch-src', 'referrer', 'report-uri', 'require-sri-for')
@@ -2450,7 +2472,7 @@ def custom_help_formatter(prog):
         print_details('[icsi_h]', '[icsi]', 'd', i_cnt)
     if ('=' in csp_h) and not (any(elem in csp_h for elem in t_csp_equal)):
         print_details('[icsn_h]', '[icsn]', 'd', i_cnt)
-    csp_analyze_content(csp_h, t_csp_broad, t_csp_insecs, i_cnt)
+    csp_analyze_content(csp_h, i_cnt)
     if t_csp_checks[0] in csp_h and t_csp_checks[1] not in headers:
         print_details('[icspi_h]', '[icspi]', 'm', i_cnt)
     if t_csp_checks[2] in csp_h: