npm - @aegis-scan/skills - Versions diffs - 0.4.0 → 0.5.1 - Mend

@aegis-scan/skills 0.4.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (386) hide show

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/django/auth-cookies-pattern.md ADDED Viewed

@@ -0,0 +1,295 @@
+---
+license: MIT (snippet)
+provider: Django + django-csp (Open-Source)
+last-checked: 2026-05-05
+purpose: Django Auth-Cookies + django-csp + DSGVO-konforme Session-Konfiguration.
+---
+# Django — Auth-Cookies + CSP-Pattern
+## Trigger / Detection
+Repo enthaelt:
+- `django.contrib.auth` aktiviert
+- `django-csp` Package (`csp.middleware.CSPMiddleware` in MIDDLEWARE)
+- `LOGIN_URL`, `LOGIN_REDIRECT_URL` in settings
+- Optional: `django-allauth` / `dj-rest-auth` / `django-axes`
+## Default-Verhalten (was passiert ohne Konfiguration)
+- Default-Login schickt UserExists-Errors → User-Enumeration moeglich
+- `SESSION_COOKIE_AGE = 1209600` (2 Wochen Default) → zu lang fuer DSGVO
+- Failed-Login-Logging mit Klartext-Username
+- CSP-Default ohne nonce → Inline-Scripts unsicher
+- `LOGIN_RATE_LIMIT` nicht gesetzt → Brute-Force-Vektor
+## Compliance-Risiken
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Session-Lifetime zu lang | Art. 5 lit. e DSGVO | MITTEL | `SESSION_COOKIE_AGE = 3600` (1h) + Refresh |
+| Failed-Login mit Klartext-Username in Logs | Art. 5 lit. f | HOCH | Custom-Logger mit User-Hash |
+| User-Enumeration via Login-Form | Art. 32 DSGVO | HOCH | Generic-Error-Message |
+| CSP `unsafe-inline` global | Art. 32 DSGVO | KRITISCH | Nonce-basierte CSP |
+| Brute-Force ohne Lockout | Art. 32 DSGVO | KRITISCH | `django-axes` Middleware |
+| Klartext-Password im Form-Log bei Validation-Fehler | Art. 5 lit. f | KRITISCH | Logging-Filter mit Pattern-Stripping |
+## Code-Pattern (sanitized)
+```python
+# File: settings.py
+import os
+# Auth + Sessions
+SESSION_COOKIE_AGE = 60 * 60  # 1 Stunde
+SESSION_COOKIE_SECURE = not DEBUG
+SESSION_COOKIE_HTTPONLY = True
+SESSION_COOKIE_SAMESITE = 'Lax'
+SESSION_EXPIRE_AT_BROWSER_CLOSE = False
+SESSION_SAVE_EVERY_REQUEST = True  # Sliding-Expiration
+# CSRF
+CSRF_COOKIE_SECURE = not DEBUG
+CSRF_COOKIE_SAMESITE = 'Lax'
+CSRF_COOKIE_HTTPONLY = False  # JS muss CSRF-Header setzen
+CSRF_USE_SESSIONS = False  # Cookie-basiert, kein DB-Roundtrip
+# Password
+AUTH_PASSWORD_VALIDATORS = [
+    {'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator'},
+    {
+        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+        'OPTIONS': {'min_length': 12},
+    },
+    {'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator'},
+    {'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator'},
+]
+# Argon2 als Default-Hasher
+PASSWORD_HASHERS = [
+    'django.contrib.auth.hashers.Argon2PasswordHasher',
+    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
+    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
+]
+# Brute-Force-Schutz (django-axes)
+AXES_FAILURE_LIMIT = 5
+AXES_COOLOFF_TIME = 0.5  # 30 Minuten
+AXES_LOCK_OUT_AT_FAILURE = True
+AXES_RESET_ON_SUCCESS = True
+AXES_LOCKOUT_PARAMETERS = ['ip_address', 'username']
+# CSP
+MIDDLEWARE = [
+    # ...
+    'csp.middleware.CSPMiddleware',
+    'axes.middleware.AxesMiddleware',
+]
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_SCRIPT_SRC = ("'self'", 'https://<placeholder-eu-analytics-host>')
+CSP_CONNECT_SRC = ("'self'", 'https://<placeholder-eu-analytics-host>')
+CSP_IMG_SRC = ("'self'", 'data:', 'https://<placeholder-eu-image-cdn>')
+CSP_STYLE_SRC = ("'self'", "'unsafe-inline'")
+CSP_FONT_SRC = ("'self'", 'https://<placeholder-eu-font-cdn>')
+CSP_INCLUDE_NONCE_IN = ['script-src', 'style-src']
+CSP_REPORT_URI = '/api/csp-report'
+AUTHENTICATION_BACKENDS = [
+    'axes.backends.AxesBackend',
+    'django.contrib.auth.backends.ModelBackend',
+]
+```
+```python
+# File: app/views/auth.py
+import time
+import logging
+from django.contrib.auth import authenticate, login as django_login, logout as django_logout
+from django.contrib.auth.decorators import login_required
+from django.http import JsonResponse, HttpResponseBadRequest
+from django.views.decorators.http import require_POST
+from django.views.decorators.csrf import csrf_protect
+from django.views.decorators.cache import never_cache
+logger = logging.getLogger('auth')
+@require_POST
+@csrf_protect
+@never_cache
+def login(request):
+    import json
+    try:
+        body = json.loads(request.body)
+    except json.JSONDecodeError:
+        return HttpResponseBadRequest('Invalid JSON')
+    username = body.get('username', '').strip()
+    password = body.get('password', '')
+    if not username or not password:
+        return JsonResponse({'error': 'Login-Daten ungueltig'}, status=401)
+    # Konstante Zeit (Timing-Attack-Schutz)
+    start = time.time()
+    user = authenticate(request, username=username, password=password)
+    elapsed = time.time() - start
+    if elapsed < 0.2:
+        time.sleep(0.2 - elapsed)
+    if user is None:
+        # Generic-Error: kein User-Enumeration
+        logger.info('login_failed', extra={'username_hash': _hash_user(username)})
+        return JsonResponse({'error': 'Login-Daten ungueltig'}, status=401)
+    if not user.is_active:
+        return JsonResponse({'error': 'Login-Daten ungueltig'}, status=401)
+    django_login(request, user)
+    logger.info('login_success', extra={'user_id': user.id})
+    return JsonResponse({
+        'user': {'id': user.id, 'email': user.email},
+        'expires_in': 3600,
+    })
+@require_POST
+@login_required
+def logout(request):
+    logger.info('logout', extra={'user_id': request.user.id})
+    django_logout(request)
+    return JsonResponse({}, status=204)
+def _hash_user(username: str) -> str:
+    import hashlib
+    return hashlib.sha256(username.encode()).hexdigest()[:16]
+```
+```python
+# File: app/logging_filters.py
+import logging
+import re
+EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w-]+')
+PASSWORD_KEY_RE = re.compile(r'(["\']?password["\']?\s*[:=]\s*["\'])([^"\']+)(["\'])', re.IGNORECASE)
+class PiiFilter(logging.Filter):
+    def filter(self, record: logging.LogRecord) -> bool:
+        if hasattr(record, 'msg'):
+            msg = str(record.msg)
+            msg = EMAIL_RE.sub('[EMAIL_REDACTED]', msg)
+            msg = PASSWORD_KEY_RE.sub(r'\1[PASSWORD_REDACTED]\3', msg)
+            record.msg = msg
+        return True
+# Settings.py:
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'filters': {
+        'pii_filter': {'()': 'app.logging_filters.PiiFilter'},
+    },
+    'handlers': {
+        'console': {
+            'class': 'logging.StreamHandler',
+            'filters': ['pii_filter'],
+        },
+    },
+    'root': {'handlers': ['console'], 'level': 'INFO'},
+}
+```
+```python
+# File: app/middleware/recent_auth.py
+import time
+from django.shortcuts import redirect
+from django.urls import reverse
+class RequireRecentAuthForSensitive:
+    SENSITIVE_PATHS = ['/account/email-change', '/account/password-change', '/account/2fa']
+    RECENT_WINDOW = 5 * 60  # 5 Minuten
+    def __init__(self, get_response):
+        self.get_response = get_response
+    def __call__(self, request):
+        if request.user.is_authenticated and request.path in self.SENSITIVE_PATHS:
+            recent = request.session.get('recent_auth_at', 0)
+            if time.time() - recent > self.RECENT_WINDOW:
+                request.session['return_to'] = request.path
+                return redirect(reverse('confirm-password'))
+        return self.get_response(request)
+```
+## AVV / DPA
+- Datenbank (User-Tabelle, axes_accessattempt) — AVV mit IP-Hash-Garantie
+- Mailer (Reset-Mails / 2FA) — AVV
+- Optional: SSO-Provider (Auth0 EU / Keycloak self-host) — AVV mit TIA bei Drittland
+## DSE-Wording-Vorlage
+```markdown
+### Login-Sicherheit und Session-Verwaltung
+Beim Login verarbeiten wir folgende Daten:
+- E-Mail / Username (zur Identifizierung)
+- Password (gehasht via Argon2, niemals im Klartext)
+- Hash der IP-Adresse (Brute-Force-Schutz, max. 5 Fehlversuche binnen 30 Min.)
+- Session-Cookie (Lifetime: 1 Stunde, Sliding-Expiration)
+**Failed-Login-Schutz (django-axes):**
+- 5 fehlgeschlagene Versuche je IP/Username = 30 Minuten Lockout
+- Speicherung: Hash der IP + Username, kein Klartext-Password
+**Rechtsgrundlage:** Art. 6 Abs. 1 lit. b DSGVO (Vertrag) +
+Art. 6 Abs. 1 lit. f DSGVO (Sicherheit).
+**Speicherdauer Login-Logs:** 30 Tage, danach Loeschung.
+```
+## Verify-Commands (Live-Probe)
+```bash
+# 1. Login mit falschen Credentials = Generic Error
+curl -X POST https://<placeholder-domain>/api/login \
+  -H "Content-Type: application/json" \
+  -H "X-CSRFToken: <placeholder-csrf>" \
+  -d '{"username":"nonexistent","password":"WRONG"}' -i
+# Erwartung: 401 mit "Login-Daten ungueltig"
+# 2. Brute-Force-Lockout nach 5 Versuchen (django-axes)
+for i in {1..6}; do
+  curl -X POST https://<placeholder-domain>/api/login \
+    -d '{"username":"test","password":"wrong"}' -s -o /dev/null -w "%{http_code}\n"
+done
+# Erwartung: nach 5 Versuchen: 403 (axes-Lockout)
+# 3. Session-Lifetime kurz (1h)
+curl -i https://<placeholder-domain>/api/login \
+  -d '{"username":"<placeholder>","password":"<placeholder>"}' \
+  | grep -i "set-cookie:.*sessionid.*max-age"
+# Erwartung: max-age=3600
+# 4. CSP-Header korrekt
+curl -sI https://<placeholder-domain>/ | grep -i "content-security-policy"
+# Erwartung: default-src 'self'; script-src 'self' https://<placeholder-eu-analytics-host>; ...
+# 5. Logs ohne PII
+tail -100 /var/log/django.log | grep -E '[\w.+-]+@[\w-]+\.[\w-]+' | head -5
+# Erwartung: 0 Treffer oder ausschliesslich [EMAIL_REDACTED]
+```
+## Cross-References
+- AEGIS-Scanner: `auth-flow-checker.ts`, `csp-config-checker.ts`, `bcrypt-argon-checker.ts`, `rate-limit-checker.ts`
+- Skill-Reference: `references/dsgvo.md` Art. 32 (Sicherheit)
+- BSI-Grundschutz: ORP.4 Identitaets- und Berechtigungsmanagement
+- Audit-Pattern: `references/audit-patterns.md` Phase 7 (Security-Headers), Phase 9 (Auth-Audit)

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/django/cookie-banner-pattern.md ADDED Viewed

@@ -0,0 +1,318 @@
+---
+license: MIT (snippet)
+provider: Django (Open-Source)
+last-checked: 2026-05-05
+purpose: Django Middleware Pattern fuer Consent-Cookie-Read + Conditional Tracker-Render.
+---
+# Django — Cookie-Banner Middleware Pattern
+## Trigger / Detection
+Repo enthaelt:
+- `django` in `requirements.txt` / `pyproject.toml`
+- `settings.py` mit `MIDDLEWARE` Liste
+- `urls.py` URL-Routing
+- Optional: `django-cookie-consent` Package
+## Default-Verhalten (was passiert ohne Konfiguration)
+- Django-Default-Session-Cookies ohne `SESSION_COOKIE_SECURE = True` in DEBUG
+- `csrftoken` Cookie ohne `SameSite=Lax`-Hinweis
+- Tracker-Tags hardcoded in `base.html` Template
+- `CSRF_COOKIE_HTTPONLY = False` Default → JS kann CSRF-Token lesen (notwendig)
+- Default-Logger schreibt Klartext-IP via `request.META['REMOTE_ADDR']`
+## Compliance-Risiken
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Tracker-Tag in `base.html` | § 25 TDDDG | KRITISCH | `{% if request.consent.analytics %}` Conditional |
+| `SESSION_COOKIE_SECURE = False` | Art. 32 DSGVO | KRITISCH | True in production settings |
+| `SESSION_COOKIE_SAMESITE` ungesetzt | Art. 32 DSGVO | HOCH | `'Lax'` setzen |
+| Klartext-IP in Logs | Art. 5 lit. f | HOCH | Custom Logging-Filter |
+| Drittland-Tracker via CDN | Art. 44 DSGVO | KRITISCH | EU-Provider + AVV |
+## Code-Pattern (sanitized)
+```python
+# File: app/middleware/consent.py
+import json
+from typing import Callable
+from django.http import HttpRequest, HttpResponse
+DEFAULT_CONSENT = {
+    'necessary': True,
+    'analytics': False,
+    'marketing': False,
+    'version': '1.0',
+}
+class ConsentMiddleware:
+    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]) -> None:
+        self.get_response = get_response
+    def __call__(self, request: HttpRequest) -> HttpResponse:
+        raw = request.COOKIES.get('cookie_consent')
+        consent = dict(DEFAULT_CONSENT)
+        if raw:
+            try:
+                parsed = json.loads(raw)
+                if isinstance(parsed, dict):
+                    consent.update({k: v for k, v in parsed.items() if k in DEFAULT_CONSENT})
+            except (json.JSONDecodeError, ValueError):
+                pass
+        request.consent = consent
+        return self.get_response(request)
+```
+```python
+# File: app/views/consent.py
+import hashlib
+import json
+from datetime import datetime, timezone, timedelta
+from django.conf import settings
+from django.http import JsonResponse, HttpResponseBadRequest
+from django.views.decorators.http import require_POST
+from django.views.decorators.csrf import csrf_protect
+from app.models import ConsentLog
+@require_POST
+@csrf_protect
+def store_consent(request):
+    try:
+        body = json.loads(request.body)
+    except json.JSONDecodeError:
+        return HttpResponseBadRequest('Invalid JSON')
+    if not isinstance(body.get('analytics'), bool) or not isinstance(body.get('marketing'), bool):
+        return HttpResponseBadRequest('Invalid payload')
+    consent = {
+        'necessary': True,
+        'analytics': body['analytics'],
+        'marketing': body['marketing'],
+        'version': '1.0',
+        'timestamp': datetime.now(timezone.utc).isoformat(),
+    }
+    # Server-Log
+    ip = (request.META.get('HTTP_X_FORWARDED_FOR') or request.META.get('REMOTE_ADDR', '')).split(',')[0].strip()
+    salt = getattr(settings, 'IP_HASH_SALT', '')
+    ip_hash = hashlib.sha256(f'{ip}{salt}'.encode()).hexdigest()[:16]
+    ConsentLog.objects.create(
+        ip_hash=ip_hash,
+        user_agent=(request.META.get('HTTP_USER_AGENT') or '')[:200],
+        consent=consent,
+    )
+    response = JsonResponse({}, status=204)
+    response.set_cookie(
+        'cookie_consent',
+        json.dumps(consent),
+        max_age=int(timedelta(days=365).total_seconds()),
+        secure=not settings.DEBUG,
+        httponly=False,  # Banner-JS muss lesen
+        samesite='Lax',
+        path='/',
+    )
+    return response
+```
+```python
+# File: app/models/consent_log.py
+from django.db import models
+class ConsentLog(models.Model):
+    ip_hash = models.CharField(max_length=16)
+    user_agent = models.CharField(max_length=200)
+    consent = models.JSONField()
+    timestamp = models.DateTimeField(auto_now_add=True)
+    class Meta:
+        indexes = [models.Index(fields=['timestamp'])]
+    def __str__(self) -> str:
+        return f'ConsentLog #{self.pk} @ {self.timestamp.isoformat()}'
+```
+```python
+# File: settings.py (Auszug)
+MIDDLEWARE = [
+    'django.middleware.security.SecurityMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
+    'app.middleware.consent.ConsentMiddleware',
+    # ...
+]
+# Cookie-Security
+SESSION_COOKIE_SECURE = not DEBUG
+SESSION_COOKIE_SAMESITE = 'Lax'
+SESSION_COOKIE_HTTPONLY = True
+CSRF_COOKIE_SECURE = not DEBUG
+CSRF_COOKIE_SAMESITE = 'Lax'
+# HSTS (nur in production)
+if not DEBUG:
+    SECURE_HSTS_SECONDS = 31536000
+    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+    SECURE_HSTS_PRELOAD = True
+    SECURE_SSL_REDIRECT = True
+    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+# Salt fuer IP-Hash
+IP_HASH_SALT = os.environ['IP_HASH_SALT']
+```
+```python
+# File: urls.py
+from django.urls import path
+from app.views.consent import store_consent
+urlpatterns = [
+    path('api/consent-log', store_consent, name='consent-store'),
+    # ...
+]
+```
+```html
+<!-- File: templates/cookies/banner.html -->
+{% if not request.COOKIES.cookie_consent %}
+<aside id="cookie-banner" role="dialog" aria-label="Cookie-Einwilligung" class="cookie-banner">
+    <p>
+        Wir nutzen Cookies fuer notwendige Funktionen. Mit Ihrer Einwilligung
+        zusaetzlich fuer Webanalyse. Details:
+        <a href="{% url 'legal-privacy' %}">Datenschutzerklaerung</a>.
+    </p>
+    <div class="cookie-actions">
+        <button type="button" data-action="reject-all" class="btn-secondary">Nur Notwendige</button>
+        <button type="button" data-action="accept-all" class="btn-primary">Alle akzeptieren</button>
+    </div>
+</aside>
+<script>
+(() => {
+    const csrf = document.querySelector('[name=csrfmiddlewaretoken]')?.value
+        || document.cookie.match(/csrftoken=([^;]+)/)?.[1];
+    const submit = (analytics, marketing) => {
+        fetch('{% url "consent-store" %}', {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-CSRFToken': csrf,
+            },
+            body: JSON.stringify({ analytics, marketing }),
+        }).then(() => {
+            document.getElementById('cookie-banner').remove();
+            if (analytics) {
+                const s = document.createElement('script');
+                s.src = 'https://<placeholder-eu-analytics-host>/script.js';
+                s.async = true;
+                document.head.appendChild(s);
+            }
+        });
+    };
+    document.querySelector('[data-action="reject-all"]').onclick = () => submit(false, false);
+    document.querySelector('[data-action="accept-all"]').onclick = () => submit(true, true);
+})();
+</script>
+{% endif %}
+```
+```html
+<!-- File: templates/base.html -->
+<!DOCTYPE html>
+<html lang="de">
+<head>
+    <meta charset="UTF-8">
+    <title>{% block title %}<placeholder-site-name>{% endblock %}</title>
+    {% csrf_token %}
+    {# Tracker NUR conditional #}
+    {% if request.consent.analytics %}
+        <script src="https://<placeholder-eu-analytics-host>/script.js" async></script>
+    {% endif %}
+</head>
+<body>
+    {% block content %}{% endblock %}
+    {% include 'cookies/banner.html' %}
+</body>
+</html>
+```
+## AVV / DPA
+- Hosting-Provider (Heroku EU / Render / Fly.io) — Art. 28 DSGVO
+- Datenbank (Postgres) — AVV mit EU-Region
+- Analytics-Provider (Plausible EU / Matomo) — AVV
+- Mailer (SendGrid EU / Postmark / Mailjet) — AVV
+## DSE-Wording-Vorlage
+```markdown
+### Cookies (Django-Anwendung)
+Diese Webseite verwendet folgende Cookies:
+**Notwendige Cookies (kein Opt-Out):**
+- `sessionid` — Session-Verwaltung, Session-Dauer
+- `csrftoken` — CSRF-Schutz, 12 Monate
+- `cookie_consent` — Speicherung Ihrer Einwilligung, 12 Monate
+**Analyse-Cookies (Opt-In):**
+- gesetzt durch <placeholder-analytics-provider>
+- Speicherdauer: <placeholder-days> Tage
+- EU-Hosting: <placeholder-eu-country>
+**Rechtsgrundlage:** § 25 TDDDG i.V.m. Art. 6 Abs. 1 lit. a DSGVO.
+**Widerruf:** [Cookie-Einstellungen](#cookie-settings) im Footer.
+```
+## Verify-Commands (Live-Probe)
+```bash
+# 1. Banner sichtbar fuer neue Visitors
+curl -sS https://<placeholder-domain>/ | grep -ic "cookie-banner"
+# 2. Cookie-Security-Flags
+curl -sI https://<placeholder-domain>/ | grep -iE "set-cookie:.*sessionid"
+# Erwartung: HttpOnly; Secure; SameSite=Lax
+# 3. HSTS aktiv
+curl -sI https://<placeholder-domain>/ | grep -i "strict-transport-security"
+# Erwartung: max-age=31536000; includeSubDomains; preload
+# 4. Tracker-Conditional Rendering
+curl -sS -H 'Cookie: cookie_consent=%7B%22analytics%22%3Afalse%7D' https://<placeholder-domain>/ \
+  | grep -ic "<placeholder-eu-analytics-host>"
+# Erwartung: 0
+curl -sS -H 'Cookie: cookie_consent=%7B%22analytics%22%3Atrue%7D' https://<placeholder-domain>/ \
+  | grep -ic "<placeholder-eu-analytics-host>"
+# Erwartung: >=1
+# 5. CSRF-Schutz erzwungen
+curl -X POST https://<placeholder-domain>/api/consent-log \
+  -H "Content-Type: application/json" -d '{"analytics":false,"marketing":false}' -i
+# Erwartung: 403 Forbidden (CSRF token missing)
+```
+## Cross-References
+- AEGIS-Scanner: `cookie-flags-checker.ts`, `csrf-config-checker.ts`, `consent-flow-checker.ts`
+- Skill-Reference: `references/dsgvo.md` § 25 TDDDG, Art. 7 DSGVO
+- BGH-Rechtsprechung: `references/bgh-urteile.md` BGH I ZR 7/16
+- OLG Koeln 6 U 80/23 (Button-Gleichwertigkeit)
+- Audit-Pattern: `references/audit-patterns.md` Phase 2 (Cookie-Audit)