Merge pull request aboutcode-org#998 from nexB/fix-csrf

Fix csrf

CHANGELOG.rst

@@ -3,9 +3,20 @@ Release notes
 
 
 
+Version v30.3.1
+----------------
+
+This is a minor bug fix release.
+
+- We enabled proper CSRF configuration for deployments
+
+
 Version v30.3.0
 ----------------
 
+This is a feature update release including minor bug fixes and the introduction
+of API keys and API throttling.
+
 - We enabled API throttling for a basic user and for a staff user 
   they can have unlimited access on API.
 

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = vulnerablecode
-version = 30.3.0
+version = 30.3.1
 license = Apache-2.0 AND CC-BY-SA-4.0
 
 # description must be on ONE line https://github.com/pypa/setuptools/issues/1390

vulnerabilities/templates/navbar.html

@@ -44,24 +44,24 @@
                     <div class="dropdown-menu navbar-hover-div" role="menu">
                     <div class="dropdown-content">
                         <div class="dropdown-item about-hover-div">
-                            A free and open vulnerabilities database and the packages they impact.
-                            And the tools to aggregate and correlate these vulnerabilities.
+
+                            VulnerableCode is a free and open database of software package vulnerabilities.
                             <ul>
                                 <li>
-                                    Sponsored by NLnet <a href="https://nlnet.nl/project/vulnerabilitydatabase/">
-                                    https://nlnet.nl/project/vulnerabilitydatabase/</a> for
-                                    <a href="https://www.aboutcode.org/">https://www.aboutcode.org/</a>
+                                    Live chat at <a href="https://gitter.im/aboutcode-org/vulnerablecode">
+                                    https://gitter.im/aboutcode-org/vulnerablecode</a>
                                 </li>
                                 <li>
-                                    Chat at <a href="https://gitter.im/aboutcode-org/vulnerablecode">
-                                    https://gitter.im/aboutcode-org/vulnerablecode</a>
+                                    Source code and support at <a href="https://github.com/nexB/vulnerablecode">https://github.com/nexB/vulnerablecode</a>
                                 </li>
                                 <li>
                                     Docs at <a href=https://vulnerablecode.readthedocs.org/>
                                     https://vulnerablecode.readthedocs.org/</a>
                                 </li>
                                 <li>
-                                    Source code and issues at <a href="https://github.com/nexB/vulnerablecode">https://github.com/nexB/vulnerablecode</a>
+                                    Sponsored by NLnet <a href="https://nlnet.nl/project/vulnerabilitydatabase/">
+                                    https://nlnet.nl/project/vulnerabilitydatabase/</a> for
+                                    <a href="https://www.aboutcode.org/">https://www.aboutcode.org/</a>
                                 </li>
                             </ul>
                         </div>

vulnerabilities/views.py

@@ -141,6 +141,33 @@ def get(self, request):
         return render(request=request, template_name=self.template_name, context=context)
 
 
+email_template = """
+Dear VulnerableCode.io user:
+
+We have received a request to send a VulnerableCode.io API key to this email address.
+Here is your API key:
+
+   Token {auth_token}
+
+If you did NOT request this API key, you can either ignore this email or contact us at [email protected] and let us know in the forward that you did not request an API key.
+
+The API root is at https://public.vulnerablecode.io/api
+To learn more about using the VulnerableCode.io API, please refer to the live API documentation at https://public.vulnerablecode.io/api/docs
+To learn about VulnerableCode, refer to the general documentation at https://vulnerablecode.readthedocs.io
+
+--
+Sincerely,
+The nexB support Team.
+
+VulnerableCode is a free and open database of software package vulnerabilities
+and the tools to aggregate and correlate these vulnerabilities.
+
+Chat at https://gitter.im/aboutcode-org/vulnerablecode
+Docs at https://vulnerablecode.readthedocs.org/
+Source code and issues at https://github.com/nexB/vulnerablecode
+"""
+
+
 class ApiUserCreateView(generic.CreateView):
     model = models.ApiUser
     form_class = ApiUserCreationForm
@@ -155,15 +182,15 @@ def form_valid(self, form):
             return redirect(self.get_success_url())
 
         send_mail(
-            subject="VulnerableCode.io API key token",
-            message=f"Here is your VulnerableCode.io API key token: {self.object.auth_token}",
+            subject="VulnerableCode.io API key request",
+            message=email_template.format(auth_token=self.object.auth_token),
             from_email=env.str("FROM_EMAIL", default=""),
             recipient_list=[self.object.email],
             fail_silently=True,
         )
 
         messages.success(
-            self.request, f"API key token sent to your email address {self.object.email}."
+            self.request, f"Your API key token has been sent to your email: {self.object.email}."
         )
 
         return response

vulnerablecode/__init__.py

@@ -12,7 +12,7 @@
 import warnings
 from pathlib import Path
 
-__version__ = "30.3.0"
+__version__ = "30.3.1"
 
 
 def command_line():

vulnerablecode/settings.py

@@ -34,12 +34,10 @@
 
 ALLOWED_HOSTS = env.list("ALLOWED_HOSTS", default=[".localhost", "127.0.0.1", "[::1]"])
 
-VULNERABLECODE_REQUIRE_AUTHENTICATION = env.bool(
-    "VULNERABLECODE_REQUIRE_AUTHENTICATION", default=False
-)
-
 VULNERABLECODE_PASSWORD_MIN_LENGTH = env.int("VULNERABLECODE_PASSWORD_MIN_LENGTH", default=14)
 
+CSRF_TRUSTED_ORIGINS = env.list("CSRF_TRUSTED_ORIGINS", default=[])
+
 # SECURITY WARNING: do not run with debug turned on in production
 DEBUG = env.bool("VULNERABLECODE_DEBUG", default=False)