bug fixes, upgrade deps, security fixes (#75)

* Update README.md

* Update CONTRIBUTING.md

* fixes and more strict security headers

Author: eshaan7

.dockerignore

@@ -3,4 +3,5 @@ venv/
 *.pyc
 .vscode/
 *.db
-.idea/
+.idea/
+.github/

.travis.yml

@@ -21,7 +21,6 @@ install:
   - "pip install -r src/requirements.txt"
   - "python src/create_db.test.py"
 
-before_script:
-  - black . --check
 script:
+  - black . --check
   - flake8 . --count --max-line-length=88 --show-source --statistics

app.json

@@ -16,10 +16,6 @@
     }
   ],
   "env": {
-    "SECRET_KEY": {
-      "description": "Flask app instance's SECRET_KEY",
-      "generator": "secret"
-    },
     "ADMIN_PASS": {
       "description": "Administrator password",
       "generator": "secret"

docker-compose.yml

@@ -8,12 +8,12 @@ services:
       - "8000"
     environment:
       - DEBUG=False
-      - SECRET_KEY=changeme
+      - SSL_ENABLED=False
       - DB_USER=eshaan
       - DB_PASSWORD=eshaan
       - DB_NAME=rtbctf
       - DB_PORT=5432
-      - WORKERS=8
+      - WORKERS=4
       - ADMIN_PASS=admin
     depends_on:
       - postgres

src/FlaskRTBCTF/__init__.py

@@ -11,6 +11,7 @@
     admin_manager,
     mail,
     inject_app_context,
+    inject_security_headers,
 )
 from FlaskRTBCTF.users.routes import users
 from FlaskRTBCTF.ctf.routes import ctf
@@ -26,6 +27,7 @@ def create_app(config_class=Config):
     app = Flask(__name__)
     app.config.from_object(Config)
     app.context_processor(inject_app_context)
+    app.after_request(inject_security_headers)
 
     for _ext in _extensions:
         _ext.init_app(app)

src/FlaskRTBCTF/config.py

@@ -1,21 +1,26 @@
 import os
-
-from .utils import handle_secret_key
+import secrets
 
 # Flask related Configurations
 # Note: DO NOT FORGET TO CHANGE 'SECRET_KEY' !
 
 
 class Config:
-    DEBUG = True  # Turn DEBUG OFF before deployment
-    SECRET_KEY = handle_secret_key()
+    DEBUG = False  # Turn DEBUG OFF before deployment
+    SECRET_KEY = secrets.token_hex(16)
     SQLALCHEMY_DATABASE_URI = os.environ.get("DATABASE_URL") or "sqlite:///site.db"
     # For local use, one can simply use SQLlite with: 'sqlite:///site.db'
     # For deployment on Heroku use: `os.environ.get('DATABASE_URL')`
     # in all other cases: `os.environ.get('SQLALCHEMY_DATABASE_URI')`
     SQLALCHEMY_TRACK_MODIFICATIONS = False
     FLASK_ADMIN_SWATCH = ("journal", "paper", "yeti", "cosmo")[3]
     # TEMPLATES_AUTO_RELOAD = True
+    # Session handling
+    SESSION_COOKIE_HTTPONLY = True
+    SESSION_COOKIE_SAMESITE = "Strict"
+    SESSION_COOKIE_SECURE = (
+        True if os.environ.get("SSL_ENABLED", False) == "True" else False
+    )
     MAIL_SERVER = "smtp.googlemail.com"
     MAIL_PORT = 587
     MAIL_USE_TLS = True

src/FlaskRTBCTF/main/forms.py

@@ -29,13 +29,13 @@ def setup(self):
             try:
                 settings = Settings.query.get(1)
 
+                settings.dummy = False
                 settings.ctf_name = self.ctf_name.data
                 settings.organization_name = self.organization_name.data
                 settings.from_date = self.from_date.data
                 settings.from_time = self.from_time.data
                 settings.to_date = self.to_date.data
                 settings.to_time = self.to_time.data
-                settings.dummy = False
 
                 db.session.commit()
 

src/FlaskRTBCTF/templates/layout.html

@@ -6,7 +6,7 @@
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
     <meta http-equiv="X-UA-Compatible" content="ie=edge">
     <!-- Favicon -->
-  	<link rel='shortcut icon' type='image/x-icon' href="{{ url_for('static', filename='favicon.ico')}}"/>
+  	<link rel="shortcut icon" type="image/x-icon" href="{{ url_for('static', filename='favicon.ico')}}"/>
     <!-- Bootstrap CSS -->
     <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">
     <!-- Font Awesome -->
@@ -88,7 +88,13 @@ <h3>{{ settings.organization_name }}</h3>
               <p class="text-muted">
                 <ul class="list-group">
                   {% for w in websites %}
-                    <a target="_blank" href="{{ w.url }}" class="list-group-item list-group-item-action">{{ w.name }}</a>
+                    <a target="_blank" 
+                       href="{{ w.url }}" 
+                       class="list-group-item list-group-item-action" 
+                       rel="noreferrer noopener"
+                    >
+                      {{ w.name }}
+                    </a>
                   {% endfor %}
                 </ul>
               </p>

src/FlaskRTBCTF/utils/__init__.py

@@ -5,9 +5,9 @@
 from .helpers import (
     handle_admin_pass,
     handle_admin_email,
-    handle_secret_key,
     is_past_running_time,
     inject_app_context,
+    inject_security_headers,
     clear_points_cache,
     clear_rating_cache,
 )

src/FlaskRTBCTF/utils/helpers.py

@@ -10,14 +10,6 @@
 from ..main.models import Settings, Website
 
 
-def handle_secret_key(default="you-will-never-guess"):
-    sk = os.environ.get("SECRET_KEY", default)
-    if not sk:
-        sk = secrets.token_hex(16)
-        os.environ["SECRET_KEY"] = sk
-    return sk
-
-
 def handle_admin_pass(default="admin"):
     passwd = os.environ.get("ADMIN_PASS", default)
     if not passwd:
@@ -40,6 +32,14 @@ def inject_app_context():
     return dict(settings=settings, websites=websites)
 
 
+def inject_security_headers(response):
+    response.headers["X-Frame-Options"] = "SAMEORIGIN"
+    # response.headers["Content-Security-Policy"] = "default-src 'self'"
+    response.headers["X-Content-Type-Options"] = "nosniff"
+    response.headers["X-XSS-Protection"] = "1; mode=block"
+    return response
+
+
 @cache.cached(timeout=60, key_prefix="past_running_time")
 def is_past_running_time():
     end_date_time = Settings.get_settings().running_time_to