use subresource integrity attributes to guard against CDNs being used…

… as an attack vector; drop external resources that we can't protect this way (fonts); fixes mail-in-a-box#234
TKaxv-7S · Sep 18, 2015 · 6c8ee18 · 6c8ee18
1 parent 787beab
commit 6c8ee18
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 9 deletions.
diff --git a/management/templates/index.html b/management/templates/index.html
@@ -9,11 +9,8 @@
 
         <meta name="robots" content="noindex, nofollow">
 
-        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
+        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" integrity="sha256-MfvZlkHCEqatNoGiOXveE8FIwMzZg4W85qfrfIFBfYc=" crossorigin="anonymous">
         <style>
-            @import url(https://fonts.googleapis.com/css?family=Raleway:400,700);
-            @import url(https://fonts.googleapis.com/css?family=Ubuntu:300);
-
 	    body {
 		overflow-y: scroll;
                 padding-bottom: 20px;
@@ -24,7 +21,7 @@
             }
 
             h1, h2, h3, h4 {
-              font-family: Raleway, sans-serif;
+              font-family: sans-serif;
               font-weight: bold;
             }
 
@@ -66,8 +63,7 @@
 	       margin-bottom: 1em;
 	    }
         </style>
-        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap-theme.min.css">
-        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css">
+        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap-theme.min.css" integrity="sha256-bHQiqcFbnJb1Qhh61RY9cMh6kR0gTuQY6iFOBj1yj00=" crossorigin="anonymous">
     </head>
     <body>
 
@@ -195,8 +191,8 @@ <h4 class="modal-title" id="errorModalTitle"> </h4>
           </div>
         </div>
 
-        <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
-        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
+        <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js" integrity="sha256-rsPUGdUPBXgalvIj4YKJrrUlmLXbOb6Cp7cdxn1qeUc=" crossorigin="anonymous"></script>
+        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js" integrity="sha256-Sk3nkD6mLTMOF0EOpNtsIry+s1CsaqQC1rVLTAy+0yc=" crossorigin="anonymous"></script>
 
         <script>
 var global_modal_state = null;

diff --git a/tools/update-subresource-integrity.py b/tools/update-subresource-integrity.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python3
+# Updates subresource integrity attributes in management/templates/index.html
+# to prevent CDN-hosted resources from being used as an attack vector. Run this
+# after updating the Bootstrap and jQuery <link> and <script> to compute the
+# appropriate hash and insert it into the template.
+
+import re, urllib.request, hashlib, base64
+
+fn = "management/templates/index.html"
+
+with open(fn, 'r') as f:
+	content = f.read()
+
+def make_integrity(url):
+	resource = urllib.request.urlopen(url).read()
+	return "sha256-" + base64.b64encode(hashlib.sha256(resource).digest()).decode('ascii')
+
+content = re.sub(
+	r'<(link rel="stylesheet" href|script src)="(.*?)" integrity="(.*?)"',
+	lambda m : '<' + m.group(1) + '="' + m.group(2) + '" integrity="' + make_integrity(m.group(2)) + '"',
+	content)
+
+with open(fn, 'w') as f:
+	f.write(content)