GuardianUnivalle-Benito-Yucra 0.1.9__tar.gz → 0.1.10__tar.gz

{guardianunivalle_benito_yucra-0.1.9 → guardianunivalle_benito_yucra-0.1.10}/GuardianUnivalle_Benito_Yucra/detectores/detector_sql.py

@@ -1,3 +1,4 @@
+# detector_sql.py
 import re
 import json
 import time
@@ -11,10 +12,11 @@ from django.core.signing import TimestampSigner, BadSignature, SignatureExpired
 # ---------- Configuración de logging ----------
 logger = logging.getLogger("sqlidefense")
 logger.setLevel(logging.INFO)
-handler = logging.StreamHandler()  # Por consola; en producción puede ser FileHandler
-formatter = logging.Formatter("%(asctime)s - %(levelname)s - %(message)s")
-handler.setFormatter(formatter)
-logger.addHandler(handler)
+if not logger.handlers:
+    handler = logging.StreamHandler()  # en prod usa FileHandler/RotatingFileHandler
+    formatter = logging.Formatter("%(asctime)s - %(levelname)s - %(message)s")
+    handler.setFormatter(formatter)
+    logger.addHandler(handler)
 
 # ---------- Patrones de ataques SQL ----------
 PATTERNS = [
@@ -43,13 +45,14 @@ PATTERNS = [
 
 # ---------- Bloqueo temporal por IP ----------
 TEMP_BLOCK = {}  # {ip: timestamp}
-BLOCK_DURATION = 30  # segundos
+BLOCK_DURATION = getattr(settings, "SQL_DEFENSE_BLOCK_TTL", 30)  # segundos
 
-# ---------- Configuración para bypass ----------
-BYPASS_MAX_AGE = getattr(settings, "SQLI_BYPASS_MAX_AGE", 30)  # segundos
+# ---------- Excepciones y bypass ----------
+EXEMPT_PATHS = getattr(settings, "SQLI_EXEMPT_PATHS", ["/api/login/"])
 BYPASS_HEADER = "HTTP_X_SQLI_BYPASS"
+BYPASS_MAX_AGE = getattr(settings, "SQLI_BYPASS_MAX_AGE", 30)  # segundos (muy corto)
 
-# --- JWT soporte (si simplejwt está instalado) ---
+# JWT support (optional)
 try:
     from rest_framework_simplejwt.backends import TokenBackend
 
@@ -60,25 +63,24 @@ except Exception:
 
 # ---------- Helpers ----------
 def extract_payload_text(request) -> str:
-    """Extrae todo el contenido que podría contener inyecciones"""
     parts = []
-
-    # Query params
-    if request.META.get("QUERY_STRING"):
-        parts.append(request.META.get("QUERY_STRING"))
-
-    # Body
+    content_type = request.META.get("CONTENT_TYPE", "")
     try:
-        content_type = request.META.get("CONTENT_TYPE", "")
         if "application/json" in content_type:
             body_json = json.loads(request.body.decode("utf-8") or "{}")
+            # 🔒 quitar campos sensibles antes de loguear/analizar
+            for key in getattr(settings, "SQL_DEFENSE_SENSITIVE_KEYS", []):
+                if key in body_json:
+                    body_json[key] = "***"
             parts.append(json.dumps(body_json))
         else:
             parts.append(request.body.decode("utf-8", errors="ignore"))
     except Exception:
         pass
 
-    # Headers
+    if request.META.get("QUERY_STRING"):
+        parts.append(request.META.get("QUERY_STRING"))
+
     parts.append(request.META.get("HTTP_USER_AGENT", ""))
     parts.append(request.META.get("HTTP_REFERER", ""))
 
@@ -86,7 +88,6 @@ def extract_payload_text(request) -> str:
 
 
 def detect_sqli_text(text: str) -> Tuple[bool, list]:
-    """Detecta ataques SQL en el texto"""
     matches = []
     for patt, message in PATTERNS:
         if patt.search(text):
@@ -95,17 +96,13 @@ def detect_sqli_text(text: str) -> Tuple[bool, list]:
 
 
 def get_client_ip(request):
-    """Obtiene la IP del cliente"""
-    x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR")
-    if x_forwarded_for:
-        ip = x_forwarded_for.split(",")[0].strip()
-    else:
-        ip = request.META.get("REMOTE_ADDR", "0.0.0.0")
-    return ip
+    xff = request.META.get("HTTP_X_FORWARDED_FOR")
+    if xff:
+        return xff.split(",")[0].strip()
+    return request.META.get("REMOTE_ADDR", "0.0.0.0")
 
 
 def is_valid_jwt(request) -> bool:
-    """Valida si la petición trae un JWT válido en Authorization: Bearer <token>"""
     if not SIMPLEJWT_AVAILABLE:
         return False
     auth = request.META.get("HTTP_AUTHORIZATION", "")
@@ -126,7 +123,6 @@ def is_valid_jwt(request) -> bool:
 
 
 def is_valid_signed_bypass(request) -> bool:
-    """Valida si la petición trae un token firmado válido y no expirado"""
     signed = request.META.get(BYPASS_HEADER, "")
     if not signed:
         return False
@@ -145,43 +141,48 @@ def is_valid_signed_bypass(request) -> bool:
 # ---------- Middleware ----------
 class SQLIDefenseStrongMiddleware(MiddlewareMixin):
     def process_request(self, request):
+        path = request.path or ""
         client_ip = get_client_ip(request)
+        if any(
+            request.path.startswith(p)
+            for p in getattr(settings, "SQL_DEFENSE_EXEMPT_PATHS", [])
+        ):
+            return None
+        # 1) Si la ruta está exenta -> no inspeccionar
+        for p in EXEMPT_PATHS:
+            if path.startswith(p):
+                return None
 
-        # Revisa si la IP está temporalmente bloqueada
+        # 2) Si la IP está temporalmente bloqueada
         if client_ip in TEMP_BLOCK:
             if time.time() - TEMP_BLOCK[client_ip] < BLOCK_DURATION:
                 logger.warning(f"IP bloqueada temporalmente: {client_ip}")
                 return JsonResponse(
-                    {
-                        "detail": "Acceso temporalmente bloqueado por actividad sospechosa",
-                        "alerts": ["IP bloqueada temporalmente"],
-                    },
-                    status=403,
+                    {"detail": "Acceso temporalmente bloqueado"}, status=403
                 )
             else:
                 del TEMP_BLOCK[client_ip]
 
-        # --- Nuevo: bypass por JWT válido o token firmado válido ---
+        # 3) Bypass: JWT válido o token firmado corto (p. ej. inmediatamente después del login)
         if is_valid_jwt(request):
             return None
         if is_valid_signed_bypass(request):
             return None
 
-        # --- Detección de SQLi ---
+        # 4) Detectar SQLi
         text = extract_payload_text(request)
         if not text:
             return None
 
         flagged, matches = detect_sqli_text(text)
         if flagged:
-            # Bloquea temporalmente la IP
             TEMP_BLOCK[client_ip] = time.time()
             logger.warning(
                 f"Intento de ataque detectado desde IP: {client_ip}, detalles: {matches}, payload: {text}"
             )
             return JsonResponse(
                 {
-                    "detail": "Request bloqueado: posible intento de inyección SQL detectado",
+                    "detail": "Request bloqueado: posible inyección SQL",
                     "alerts": matches,
                 },
                 status=403,

{guardianunivalle_benito_yucra-0.1.9 → guardianunivalle_benito_yucra-0.1.10}/GuardianUnivalle_Benito_Yucra.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: GuardianUnivalle-Benito-Yucra
-Version: 0.1.9
+Version: 0.1.10
 Summary: Middleware y detectores de seguridad (SQLi, XSS, CSRF, DoS, Keylogger) para Django/Flask
 Author-email: Andres Benito Calle Yucra <benitoandrescalle035@gmail.com>
 License: MIT

{guardianunivalle_benito_yucra-0.1.9 → guardianunivalle_benito_yucra-0.1.10}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: GuardianUnivalle-Benito-Yucra
-Version: 0.1.9
+Version: 0.1.10
 Summary: Middleware y detectores de seguridad (SQLi, XSS, CSRF, DoS, Keylogger) para Django/Flask
 Author-email: Andres Benito Calle Yucra <benitoandrescalle035@gmail.com>
 License: MIT

{guardianunivalle_benito_yucra-0.1.9 → guardianunivalle_benito_yucra-0.1.10}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "GuardianUnivalle-Benito-Yucra"  # usar mayúsculas consistente
-version = "0.1.9"
+version = "0.1.10"
 description = "Middleware y detectores de seguridad (SQLi, XSS, CSRF, DoS, Keylogger) para Django/Flask"
 authors = [
     { name = "Andres Benito Calle Yucra", email = "benitoandrescalle035@gmail.com" }