minvws · dekkers · Apr 4, 2024 · Mar 7, 2024 · Mar 8, 2024 · Mar 8, 2024
@@ -18,3 +18,13 @@ def run(normalizer_meta: NormalizerMeta, raw: bytes | str) -> Iterable[OOI]:
             bit_id="port-classification-ip",
             config=json.loads(raw),
         )
+
+    if "/bit/disallowed-csp-hostnames" in mime_types:
+        if isinstance(raw, bytes):
+            raw = raw.decode()
+
+        yield Config(
+            ooi=normalizer_meta.raw_data.boefje_meta.input_ooi,
+            bit_id="disallowed-csp-hostnames",
+            config=json.loads(raw),
+        )
@@ -467,5 +467,10 @@
         "risk": "low",
         "impact": "All Certificate Authorities may issue certificates for you domain.",
         "recommendation": "Set a CAA record to limit which CA's are allowed to issue certs."
+    },
+    "KAT-DISALLOWED-DOMAIN-IN-CSP": {
+        "description": "This CSP header contains domains that are not allowed",
+        "risk": "high",
+        "recommendation": "Remove the hostname from the CSP header"
     }
 }
@@ -0,0 +1,20 @@
+import json
+from collections.abc import Iterator
+from pathlib import Path
+
+from octopoes.models import OOI
+from octopoes.models.ooi.network import Network
+from octopoes.models.ooi.question import Question
+
+
+def run(
+    input_ooi: Network,
+    additional_oois: list,
+    config: dict[str, str],
+) -> Iterator[OOI]:
+    network = input_ooi
+
+    with (Path(__file__).parent / "question_schema.json").open() as f:
+        schema = json.load(f)
+
+    yield Question(ooi=network.reference, schema_id=schema["$id"], json_schema=json.dumps(schema))
@@ -0,0 +1,10 @@
+from bits.definitions import BitDefinition
+from octopoes.models.ooi.network import Network
+
+BIT = BitDefinition(
+    id="ask-disallowed-domains",
+    consumes=Network,
+    parameters=[],
+    min_scan_level=0,
+    module="bits.ask_disallowed_domains.ask_disallowed_domains",
+)
@@ -0,0 +1,21 @@
+{
+  "$schema": "https://json-schema.org/draft/2019-09/schema",
+  "$id": "/bit/disallowed-csp-hostnames",
+  "type": "object",
+  "default": {},
+  "Port Configuration": "Root Schema",
+  "required": [],
+  "properties": {
+    "disallowed_hostnames": {
+      "description": "Comma separated list of disallowed hostnames in CSP headers",
+      "type": "string",
+      "pattern": "^(\\s*(,*)[^,]+,?\\s*)*$",
+      "default": "github.com,google.com"
+    },
+    "disallow_url_shorteners": {
+      "description": "Do you want to disallow url shorteners in csp headers?",
+      "type": "boolean",
+      "default": true
+    }
+  }
+}
@@ -0,0 +1,10 @@
+from bits.definitions import BitDefinition
+from octopoes.models.ooi.web import HTTPHeaderHostname
+
+BIT = BitDefinition(
+    id="disallowed-csp-hostnames",
+    consumes=HTTPHeaderHostname,
+    parameters=[],
+    module="bits.disallowed_csp_hostnames.disallowed_csp_hostnames",
+    config_ooi_relation_path="HTTPHeaderHostname.hostname.network",
+)
@@ -0,0 +1,44 @@
+import logging
+from collections.abc import Iterator
+
+from link_shorteners import link_shorteners_list
+
+from octopoes.models import OOI
+from octopoes.models.ooi.findings import Finding, KATFindingType
+from octopoes.models.ooi.web import HTTPHeaderHostname
+
+LINK_SHORTENERS = link_shorteners_list()
+
+logger = logging.getLogger(__name__)
+
+
+def get_disallowed_hostnames_from_config(config, config_key, default):
+    disallowed_hostnames = config.get(config_key, None)
+    if disallowed_hostnames is None:
+        return default
+    return list(disallowed_hostnames.strip().split(",")) if disallowed_hostnames else []
+
+
+def run(input_ooi: HTTPHeaderHostname, additional_oois: list, config: dict[str, str]) -> Iterator[OOI]:
+    header_hostname = input_ooi
+    header = header_hostname.header
+
+    if header.tokenized.key.lower() != "content-security-policy":
+        return
+
+    disallow_url_shorteners = config.get("disallow_url_shorteners", True) if config else True
+
+    hostname = header_hostname.hostname.tokenized.name
+    disallowed_domains = link_shorteners_list() if disallow_url_shorteners else []
+    disallowed_hostnames_from_config = get_disallowed_hostnames_from_config(config, "disallowed_hostnames", [])
+
+    disallowed_domains.extend(disallowed_hostnames_from_config)
+
+    if hostname.lower() in disallowed_domains:
+        ft = KATFindingType(id="KAT-DISALLOWED-DOMAIN-IN-CSP")
+        f = Finding(
+            ooi=input_ooi.reference,
+            finding_type=ft.reference,
+        )
+        yield ft
+        yield f
@@ -32,6 +32,8 @@ jsonschema = "^4.18.0"
 opentelemetry-instrumentation = "^0.41b0"
 opentelemetry-instrumentation-psycopg2 = "^0.41b0"
 pydantic-settings = "^2.0.3"
+# required by disallowed-csp-hostnames bit
+link-shorteners = "^1.0.7"
 
 [tool.poetry.group.dev.dependencies]
 requests-mock = "^1.10.0"