GuardianUnivalle-Benito-Yucra 0.1.9__py3-none-any.whl → 0.1.11__py3-none-any.whl

GuardianUnivalle_Benito_Yucra/detectores/detector_sql.py

@@ -1,3 +1,4 @@
+# detector_sql.py
 import re
 import json
 import time
@@ -11,10 +12,11 @@ from django.core.signing import TimestampSigner, BadSignature, SignatureExpired
 # ---------- Configuración de logging ----------
 logger = logging.getLogger("sqlidefense")
 logger.setLevel(logging.INFO)
-handler = logging.StreamHandler()  # Por consola; en producción puede ser FileHandler
-formatter = logging.Formatter("%(asctime)s - %(levelname)s - %(message)s")
-handler.setFormatter(formatter)
-logger.addHandler(handler)
+if not logger.handlers:
+    handler = logging.StreamHandler()  # en prod usa FileHandler/RotatingFileHandler
+    formatter = logging.Formatter("%(asctime)s - %(levelname)s - %(message)s")
+    handler.setFormatter(formatter)
+    logger.addHandler(handler)
 
 # ---------- Patrones de ataques SQL ----------
 PATTERNS = [
@@ -43,13 +45,14 @@ PATTERNS = [
 
 # ---------- Bloqueo temporal por IP ----------
 TEMP_BLOCK = {}  # {ip: timestamp}
-BLOCK_DURATION = 30  # segundos
+BLOCK_DURATION = getattr(settings, "SQL_DEFENSE_BLOCK_TTL", 30)  # segundos
 
-# ---------- Configuración para bypass ----------
-BYPASS_MAX_AGE = getattr(settings, "SQLI_BYPASS_MAX_AGE", 30)  # segundos
+# ---------- Excepciones y bypass ----------
+EXEMPT_PATHS = getattr(settings, "SQLI_EXEMPT_PATHS", ["/api/login/"])
 BYPASS_HEADER = "HTTP_X_SQLI_BYPASS"
+BYPASS_MAX_AGE = getattr(settings, "SQLI_BYPASS_MAX_AGE", 30)  # segundos (muy corto)
 
-# --- JWT soporte (si simplejwt está instalado) ---
+# JWT support (optional)
 try:
     from rest_framework_simplejwt.backends import TokenBackend
 
@@ -60,25 +63,24 @@ except Exception:
 
 # ---------- Helpers ----------
 def extract_payload_text(request) -> str:
-    """Extrae todo el contenido que podría contener inyecciones"""
     parts = []
-
-    # Query params
-    if request.META.get("QUERY_STRING"):
-        parts.append(request.META.get("QUERY_STRING"))
-
-    # Body
+    content_type = request.META.get("CONTENT_TYPE", "")
     try:
-        content_type = request.META.get("CONTENT_TYPE", "")
         if "application/json" in content_type:
             body_json = json.loads(request.body.decode("utf-8") or "{}")
+            # 🔒 quitar campos sensibles antes de loguear/analizar
+            for key in getattr(settings, "SQL_DEFENSE_SENSITIVE_KEYS", []):
+                if key in body_json:
+                    body_json[key] = "***"
             parts.append(json.dumps(body_json))
         else:
             parts.append(request.body.decode("utf-8", errors="ignore"))
     except Exception:
         pass
 
-    # Headers
+    if request.META.get("QUERY_STRING"):
+        parts.append(request.META.get("QUERY_STRING"))
+
     parts.append(request.META.get("HTTP_USER_AGENT", ""))
     parts.append(request.META.get("HTTP_REFERER", ""))
 
@@ -86,7 +88,6 @@ def extract_payload_text(request) -> str:
 
 
 def detect_sqli_text(text: str) -> Tuple[bool, list]:
-    """Detecta ataques SQL en el texto"""
     matches = []
     for patt, message in PATTERNS:
         if patt.search(text):
@@ -95,17 +96,13 @@ def detect_sqli_text(text: str) -> Tuple[bool, list]:
 
 
 def get_client_ip(request):
-    """Obtiene la IP del cliente"""
-    x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR")
-    if x_forwarded_for:
-        ip = x_forwarded_for.split(",")[0].strip()
-    else:
-        ip = request.META.get("REMOTE_ADDR", "0.0.0.0")
-    return ip
+    xff = request.META.get("HTTP_X_FORWARDED_FOR")
+    if xff:
+        return xff.split(",")[0].strip()
+    return request.META.get("REMOTE_ADDR", "0.0.0.0")
 
 
 def is_valid_jwt(request) -> bool:
-    """Valida si la petición trae un JWT válido en Authorization: Bearer <token>"""
     if not SIMPLEJWT_AVAILABLE:
         return False
     auth = request.META.get("HTTP_AUTHORIZATION", "")
@@ -126,7 +123,6 @@ def is_valid_jwt(request) -> bool:
 
 
 def is_valid_signed_bypass(request) -> bool:
-    """Valida si la petición trae un token firmado válido y no expirado"""
     signed = request.META.get(BYPASS_HEADER, "")
     if not signed:
         return False
@@ -145,43 +141,40 @@ def is_valid_signed_bypass(request) -> bool:
 # ---------- Middleware ----------
 class SQLIDefenseStrongMiddleware(MiddlewareMixin):
     def process_request(self, request):
+        path = request.path or ""
         client_ip = get_client_ip(request)
 
-        # Revisa si la IP está temporalmente bloqueada
+        # 1) Rutas exentas
+        EXEMPT_PATHS = getattr(settings, "SQLI_EXEMPT_PATHS", [])
+        for p in EXEMPT_PATHS:
+            if path.startswith(p):
+                return None
+
+        # 2) IP bloqueada temporalmente
         if client_ip in TEMP_BLOCK:
             if time.time() - TEMP_BLOCK[client_ip] < BLOCK_DURATION:
                 logger.warning(f"IP bloqueada temporalmente: {client_ip}")
                 return JsonResponse(
-                    {
-                        "detail": "Acceso temporalmente bloqueado por actividad sospechosa",
-                        "alerts": ["IP bloqueada temporalmente"],
-                    },
-                    status=403,
+                    {"detail": "Acceso temporalmente bloqueado"}, status=403
                 )
             else:
                 del TEMP_BLOCK[client_ip]
 
-        # --- Nuevo: bypass por JWT válido o token firmado válido ---
-        if is_valid_jwt(request):
-            return None
-        if is_valid_signed_bypass(request):
-            return None
-
-        # --- Detección de SQLi ---
+        # 3) Extraer payload
         text = extract_payload_text(request)
         if not text:
             return None
 
+        # 4) Detectar SQLi
         flagged, matches = detect_sqli_text(text)
         if flagged:
-            # Bloquea temporalmente la IP
             TEMP_BLOCK[client_ip] = time.time()
             logger.warning(
                 f"Intento de ataque detectado desde IP: {client_ip}, detalles: {matches}, payload: {text}"
             )
             return JsonResponse(
                 {
-                    "detail": "Request bloqueado: posible intento de inyección SQL detectado",
+                    "detail": "Request bloqueado: posible inyección SQL",
                     "alerts": matches,
                 },
                 status=403,

{guardianunivalle_benito_yucra-0.1.9.dist-info → guardianunivalle_benito_yucra-0.1.11.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: GuardianUnivalle-Benito-Yucra
-Version: 0.1.9
+Version: 0.1.11
 Summary: Middleware y detectores de seguridad (SQLi, XSS, CSRF, DoS, Keylogger) para Django/Flask
 Author-email: Andres Benito Calle Yucra <benitoandrescalle035@gmail.com>
 License: MIT

{guardianunivalle_benito_yucra-0.1.9.dist-info → guardianunivalle_benito_yucra-0.1.11.dist-info}/RECORD

@@ -7,14 +7,14 @@ GuardianUnivalle_Benito_Yucra/criptografia/kdf.py,sha256=_sbepEY1qHEKga0ExrX2WRg
 GuardianUnivalle_Benito_Yucra/detectores/detector_csrf.py,sha256=EAYfLkHuxGC5rXSu4mZJ4yZDCbwBpTX8xZWGKz7i5wA,692
 GuardianUnivalle_Benito_Yucra/detectores/detector_dos.py,sha256=lMWmCw6nccCEnek53nVjpoBCeiBqLdrSXxqRuI7VP2I,696
 GuardianUnivalle_Benito_Yucra/detectores/detector_keylogger.py,sha256=rEDG-Q_R56OsG2ypfHVBK7erolYjdvATnAxB3yvPXts,729
-GuardianUnivalle_Benito_Yucra/detectores/detector_sql.py,sha256=BG2XaxgvQK5c6X5Mdz8g4dthuSvC8NMMiDt03MknoJQ,6346
+GuardianUnivalle_Benito_Yucra/detectores/detector_sql.py,sha256=jyFZYi_VjEF6jvDuUmDOGo5D5IgTzDtprfyaAO-jypU,6095
 GuardianUnivalle_Benito_Yucra/detectores/detector_xss.py,sha256=66V_xuxNOZEwluvWOT4-6pk5MJ3zWE1IwcVkBl7MZSg,719
 GuardianUnivalle_Benito_Yucra/middleware_web/middleware_web.py,sha256=23pLLYqliUoMrIC6ZEwz3hKXeDjWfHSm9vYPWGmDDik,495
 GuardianUnivalle_Benito_Yucra/mitigacion/limitador_peticion.py,sha256=ipMOebYhql-6mSyHs0ddYXOcXq9w8P_IXLlpiIqGncw,246
 GuardianUnivalle_Benito_Yucra/mitigacion/lista_bloqueo.py,sha256=6AYWII4mrmwCLHCvGTyoBxR4Oasr4raSHpFbVjqn7d8,193
 GuardianUnivalle_Benito_Yucra/puntuacion/puntuacion_amenaza.py,sha256=Wx5XfcII4oweLvZsTBEJ7kUc9pMpP5-36RfI5C5KJXo,561
-guardianunivalle_benito_yucra-0.1.9.dist-info/licenses/LICENSE,sha256=5e4IdL542v1E8Ft0A24GZjrxZeTsVK7XrS3mZEUhPtM,37
-guardianunivalle_benito_yucra-0.1.9.dist-info/METADATA,sha256=PxiYZRLFPPf_PRvcBC_PmfPt-IYkGAMQSUqB0df89_g,1892
-guardianunivalle_benito_yucra-0.1.9.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-guardianunivalle_benito_yucra-0.1.9.dist-info/top_level.txt,sha256=HTWfZM64WAV_QYr5cnXnLuabQt92dvlxqlR3pCwpbDQ,30
-guardianunivalle_benito_yucra-0.1.9.dist-info/RECORD,,
+guardianunivalle_benito_yucra-0.1.11.dist-info/licenses/LICENSE,sha256=5e4IdL542v1E8Ft0A24GZjrxZeTsVK7XrS3mZEUhPtM,37
+guardianunivalle_benito_yucra-0.1.11.dist-info/METADATA,sha256=yvOtVZ2eIA8Ztxo2_FjVU97mGetiT8KEr1QQ1iDHExA,1893
+guardianunivalle_benito_yucra-0.1.11.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+guardianunivalle_benito_yucra-0.1.11.dist-info/top_level.txt,sha256=HTWfZM64WAV_QYr5cnXnLuabQt92dvlxqlR3pCwpbDQ,30
+guardianunivalle_benito_yucra-0.1.11.dist-info/RECORD,,