Merge pull request 'security: SESSION_COOKIE_SECURE + nginx IP validation' (#3) from security/session-cookie-and-nginx-ip-guard into main

This commit is contained in:
profit 2026-06-21 03:57:23 +00:00
commit 86b30939fa

View File

@ -35,6 +35,7 @@ if not _flask_secret:
app.secret_key = _flask_secret
app.config["SESSION_COOKIE_HTTPONLY"] = True
app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
app.config["SESSION_COOKIE_SECURE"] = True # served behind nginx TLS; prevents cookie leak over plaintext HTTP
# ─── SECURITY LOGGING ─────────────────────────────────────────
# Dedicated security log for fail2ban and audit trail.
@ -7687,6 +7688,16 @@ def _nginx_ban(ip):
if is_allowlisted(ip):
sec_log.info("NGINX_BAN_BLOCKED ip=%s — allowlisted, refused to write deny rule", ip)
return
# Defense in depth: validate IP format before interpolating into the
# nginx conf. A malformed value (e.g. "1.2.3.4;\n}\nserver{...") would
# otherwise inject directives into the deny file. Last write before
# reload — last place to stop a bad ban (matches docstring intent).
import ipaddress
try:
ipaddress.ip_address(ip)
except ValueError:
sec_log.warning("NGINX_BAN_INVALID_IP ip=%r — refused to write deny rule (possible nginx config injection)", ip)
return
import subprocess
line = f"deny {ip};\n"
# Each step has its own try/except so we know WHICH step failed.