pypproxy 0.1.0__py3-none-any.whl

pypproxy/security/header_checker.py

@@ -0,0 +1,308 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+
+@dataclass
+class HeaderCheckResult:
+    header: str
+    present: bool
+    value: str
+    passed: bool
+    severity: str  # info, low, medium, high
+    detail: str
+
+    def to_dict(self) -> dict:
+        return {
+            "header": self.header,
+            "present": self.present,
+            "value": self.value,
+            "passed": self.passed,
+            "severity": self.severity,
+            "detail": self.detail,
+        }
+
+
+def check_security_headers(resp_headers: dict[str, list[str]]) -> list[HeaderCheckResult]:
+    """Analyse response headers for security issues."""
+    flat = {k.lower(): ", ".join(v) for k, v in resp_headers.items()}
+    results: list[HeaderCheckResult] = []
+
+    results.extend(
+        [
+            _check_hsts(flat),
+            _check_csp(flat),
+            _check_x_frame(flat),
+            _check_x_content_type(flat),
+            _check_x_xss(flat),
+            _check_referrer_policy(flat),
+            _check_permissions_policy(flat),
+            _check_cors(flat),
+            _check_server(flat),
+            _check_x_powered_by(flat),
+            _check_cache_control(flat),
+            _check_set_cookie(flat),
+        ]
+    )
+
+    return results
+
+
+def _check_hsts(h: dict) -> HeaderCheckResult:
+    key = "strict-transport-security"
+    val = h.get(key, "")
+    if not val:
+        return HeaderCheckResult(
+            key,
+            False,
+            "",
+            False,
+            "high",
+            "Missing HSTS header. Clients may connect over plain HTTP.",
+        )
+    max_age = 0
+    for part in val.split(";"):
+        part = part.strip().lower()
+        if part.startswith("max-age="):
+            import contextlib
+
+            with contextlib.suppress(ValueError):
+                max_age = int(part.split("=")[1])
+    passed = max_age >= 31536000
+    return HeaderCheckResult(
+        key,
+        True,
+        val,
+        passed,
+        "medium" if not passed else "info",
+        f"max-age={max_age} ({'≥1 year OK' if passed else '<1 year, consider increasing'})",
+    )
+
+
+def _check_csp(h: dict) -> HeaderCheckResult:
+    key = "content-security-policy"
+    val = h.get(key, "")
+    if not val:
+        return HeaderCheckResult(
+            key, False, "", False, "high", "Missing CSP. XSS attacks are not mitigated."
+        )
+    issues = []
+    if "unsafe-inline" in val:
+        issues.append("'unsafe-inline' allows inline scripts")
+    if "unsafe-eval" in val:
+        issues.append("'unsafe-eval' allows eval()")
+    if "default-src *" in val or "script-src *" in val:
+        issues.append("Wildcard source too permissive")
+    passed = len(issues) == 0
+    detail = "OK" if passed else "; ".join(issues)
+    return HeaderCheckResult(
+        key, True, val[:80], passed, "medium" if not passed else "info", detail
+    )
+
+
+def _check_x_frame(h: dict) -> HeaderCheckResult:
+    key = "x-frame-options"
+    val = h.get(key, "")
+    if not val:
+        # check CSP frame-ancestors instead
+        csp = h.get("content-security-policy", "")
+        if "frame-ancestors" in csp:
+            return HeaderCheckResult(
+                key,
+                False,
+                "",
+                True,
+                "info",
+                "Not present, but CSP frame-ancestors found (acceptable)",
+            )
+        return HeaderCheckResult(
+            key,
+            False,
+            "",
+            False,
+            "medium",
+            "Missing X-Frame-Options. Clickjacking may be possible.",
+        )
+    val_up = val.upper()
+    passed = "DENY" in val_up or "SAMEORIGIN" in val_up
+    return HeaderCheckResult(
+        key,
+        True,
+        val,
+        passed,
+        "info" if passed else "medium",
+        "OK" if passed else f"Unexpected value: {val}",
+    )
+
+
+def _check_x_content_type(h: dict) -> HeaderCheckResult:
+    key = "x-content-type-options"
+    val = h.get(key, "")
+    passed = val.lower() == "nosniff"
+    if not val:
+        return HeaderCheckResult(
+            key, False, "", False, "low", "Missing. Browser may MIME-sniff responses."
+        )
+    return HeaderCheckResult(
+        key,
+        True,
+        val,
+        passed,
+        "info" if passed else "low",
+        "OK" if passed else f"Should be 'nosniff', got: {val}",
+    )
+
+
+def _check_x_xss(h: dict) -> HeaderCheckResult:
+    key = "x-xss-protection"
+    val = h.get(key, "")
+    if not val:
+        return HeaderCheckResult(
+            key,
+            False,
+            "",
+            True,
+            "info",
+            "Not present (modern browsers ignore this; rely on CSP instead)",
+        )
+    passed = "1; mode=block" in val or val == "0"
+    return HeaderCheckResult(
+        key, True, val, passed, "info", "OK" if passed else f"Unusual value: {val}"
+    )
+
+
+def _check_referrer_policy(h: dict) -> HeaderCheckResult:
+    key = "referrer-policy"
+    val = h.get(key, "")
+    safe = {
+        "no-referrer",
+        "no-referrer-when-downgrade",
+        "strict-origin",
+        "strict-origin-when-cross-origin",
+    }
+    passed = any(s in val.lower() for s in safe)
+    if not val:
+        return HeaderCheckResult(
+            key, False, "", False, "low", "Missing. Full URL may be leaked in Referer header."
+        )
+    return HeaderCheckResult(
+        key,
+        True,
+        val,
+        passed,
+        "info" if passed else "low",
+        "OK" if passed else f"Consider stricter policy, got: {val}",
+    )
+
+
+def _check_permissions_policy(h: dict) -> HeaderCheckResult:
+    key = "permissions-policy"
+    val = h.get(key, h.get("feature-policy", ""))
+    present = bool(val)
+    return HeaderCheckResult(
+        key,
+        present,
+        val[:80] if val else "",
+        present,
+        "info" if present else "low",
+        "OK" if present else "Consider adding Permissions-Policy to restrict browser features",
+    )
+
+
+def _check_cors(h: dict) -> HeaderCheckResult:
+    key = "access-control-allow-origin"
+    val = h.get(key, "")
+    if not val:
+        return HeaderCheckResult(
+            key, False, "", True, "info", "Not present (CORS not enabled for this endpoint)"
+        )
+    passed = val != "*"
+    return HeaderCheckResult(
+        key,
+        True,
+        val,
+        passed,
+        "high" if not passed else "info",
+        "Wildcard ACAO allows cross-origin access from any domain" if not passed else "OK",
+    )
+
+
+def _check_server(h: dict) -> HeaderCheckResult:
+    key = "server"
+    val = h.get(key, "")
+    if not val:
+        return HeaderCheckResult(key, False, "", True, "info", "Server header not exposed (good)")
+    # Check for version disclosure
+    import re
+
+    has_version = bool(re.search(r"[0-9]+\.[0-9]+", val))
+    passed = not has_version
+    return HeaderCheckResult(
+        key,
+        True,
+        val,
+        passed,
+        "low" if not passed else "info",
+        "Version number disclosed in Server header" if not passed else "No version disclosed",
+    )
+
+
+def _check_x_powered_by(h: dict) -> HeaderCheckResult:
+    key = "x-powered-by"
+    val = h.get(key, "")
+    passed = not val
+    return HeaderCheckResult(
+        key,
+        bool(val),
+        val,
+        passed,
+        "low" if not passed else "info",
+        "Technology stack disclosed" if not passed else "Not present (good)",
+    )
+
+
+def _check_cache_control(h: dict) -> HeaderCheckResult:
+    key = "cache-control"
+    val = h.get(key, "")
+    if not val:
+        return HeaderCheckResult(
+            key,
+            False,
+            "",
+            False,
+            "low",
+            "Missing Cache-Control. Sensitive responses may be cached.",
+        )
+    sensitive_ok = "no-store" in val or "private" in val
+    return HeaderCheckResult(
+        key,
+        True,
+        val,
+        True,
+        "info",
+        f"{'Contains no-store/private' if sensitive_ok else 'Consider no-store for sensitive endpoints'}",
+    )
+
+
+def _check_set_cookie(h: dict) -> HeaderCheckResult:
+    key = "set-cookie"
+    val = h.get(key, "")
+    if not val:
+        return HeaderCheckResult(key, False, "", True, "info", "No Set-Cookie header")
+    issues = []
+    val_lower = val.lower()
+    if "secure" not in val_lower:
+        issues.append("Missing 'Secure' flag (cookie sent over HTTP)")
+    if "httponly" not in val_lower:
+        issues.append("Missing 'HttpOnly' flag (accessible via JavaScript)")
+    if "samesite" not in val_lower:
+        issues.append("Missing 'SameSite' attribute (CSRF risk)")
+    passed = len(issues) == 0
+    return HeaderCheckResult(
+        key,
+        True,
+        val[:80],
+        passed,
+        "medium" if not passed else "info",
+        "; ".join(issues) if issues else "OK",
+    )

pypproxy/security/int_overflow.py

@@ -0,0 +1,193 @@
+from __future__ import annotations
+
+import json
+import re
+import time
+from dataclasses import dataclass
+from typing import Any
+from urllib.parse import parse_qs, urlencode
+
+import httpx
+
+from pypproxy.store.models import Entry
+
+
+@dataclass
+class OverflowPayload:
+    label: str
+    description: str
+    value: Any
+
+
+@dataclass
+class OverflowResult:
+    param: str
+    payload: OverflowPayload
+    status_code: int = 0
+    response_body: bytes = b""
+    duration_ms: int = 0
+    error: str = ""
+    suspicious: bool = False
+
+    def to_dict(self) -> dict:
+        import base64
+
+        return {
+            "param": self.param,
+            "label": self.payload.label,
+            "description": self.payload.description,
+            "value": str(self.payload.value),
+            "status_code": self.status_code,
+            "response_body": base64.b64encode(self.response_body).decode()
+            if self.response_body
+            else "",
+            "duration_ms": self.duration_ms,
+            "error": self.error,
+            "suspicious": self.suspicious,
+        }
+
+
+_INT_PAYLOADS = [
+    OverflowPayload("plus_one", "+1 from original", None),  # filled dynamically
+    OverflowPayload("minus_one", "-1 from original", None),
+    OverflowPayload("zero", "Zero value", 0),
+    OverflowPayload("negative", "Large negative", -2147483648),
+    OverflowPayload("max_int32", "Max int32", 2147483647),
+    OverflowPayload("max_int32_plus1", "Max int32 + 1 (overflow)", 2147483648),
+    OverflowPayload("max_int64", "Max int64", 9223372036854775807),
+    OverflowPayload("max_uint32", "Max uint32", 4294967295),
+    OverflowPayload("long_num", "Very long number", 99999999999999999999),
+    OverflowPayload("float", "Float (0.1)", 0.1),
+    OverflowPayload("neg_float", "Negative float", -0.1),
+    OverflowPayload("sci_notation", "Scientific notation", "1e308"),
+    OverflowPayload("nan", "NaN string", "NaN"),
+    OverflowPayload("inf", "Infinity string", "Infinity"),
+]
+
+
+def _extract_int_params(entry: Entry) -> dict[str, int]:
+    """Find integer-valued parameters in query string and JSON body."""
+    params: dict[str, int] = {}
+
+    # query string
+    if entry.query:
+        import contextlib
+
+        for k, vs in parse_qs(entry.query).items():
+            for v in vs:
+                with contextlib.suppress(ValueError):
+                    params[f"query:{k}"] = int(v)
+
+    # JSON body
+    if entry.req_body:
+        try:
+            data = json.loads(entry.req_body.decode("utf-8", errors="replace"))
+            _collect_ints(data, "", params)
+        except Exception:
+            pass
+
+    return params
+
+
+def _collect_ints(obj: Any, prefix: str, out: dict[str, int]) -> None:
+    if isinstance(obj, dict):
+        for k, v in obj.items():
+            _collect_ints(v, f"body:{prefix}{k}", out)
+    elif isinstance(obj, list):
+        for i, v in enumerate(obj):
+            _collect_ints(v, f"{prefix}[{i}].", out)
+    elif isinstance(obj, int) and not isinstance(obj, bool):
+        out[prefix.rstrip(".")] = obj
+
+
+def _apply_to_query(query: str, param_key: str, new_value: Any) -> str:
+    key = param_key.removeprefix("query:")
+    qs = parse_qs(query)
+    qs[key] = [str(new_value)]
+    return urlencode(qs, doseq=True)
+
+
+def _apply_to_body(body: bytes, param_key: str, new_value: Any) -> bytes:
+    key_path = param_key.removeprefix("body:")
+    try:
+        data = json.loads(body.decode("utf-8", errors="replace"))
+        _set_nested(data, key_path, new_value)
+        return json.dumps(data).encode()
+    except Exception:
+        return body
+
+
+def _set_nested(obj: Any, key_path: str, value: Any) -> None:
+    parts = re.split(r"[.\[\]]", key_path)
+    parts = [p for p in parts if p]
+    for part in parts[:-1]:
+        if isinstance(obj, dict):
+            obj = obj.get(part, {})
+        elif isinstance(obj, list):
+            obj = obj[int(part)]
+    last = parts[-1]
+    if isinstance(obj, dict):
+        obj[last] = value
+
+
+async def run_checks(entry: Entry, timeout: int = 30) -> list[OverflowResult]:
+    int_params = _extract_int_params(entry)
+    if not int_params:
+        return []
+
+    results: list[OverflowResult] = []
+    url_base = f"{entry.scheme}://{entry.host}{entry.path}"
+    req_headers = {k: ", ".join(v) for k, v in entry.req_headers.items()}
+
+    for param_key, original_value in int_params.items():
+        payloads = []
+        for p in _INT_PAYLOADS:
+            pl = OverflowPayload(p.label, p.description, p.value)
+            if p.label == "plus_one":
+                pl.value = original_value + 1
+            elif p.label == "minus_one":
+                pl.value = original_value - 1
+            payloads.append(pl)
+
+        for payload in payloads:
+            if param_key.startswith("query:"):
+                new_query = _apply_to_query(entry.query, param_key, payload.value)
+                url = url_base + ("?" + new_query if new_query else "")
+                req_body = entry.req_body
+            else:
+                url = url_base + ("?" + entry.query if entry.query else "")
+                req_body = _apply_to_body(entry.req_body, param_key, payload.value)
+
+            start = time.monotonic()
+            try:
+                async with httpx.AsyncClient(verify=False, timeout=timeout, http2=True) as client:
+                    resp = await client.request(
+                        method=entry.method,
+                        url=url,
+                        headers=req_headers,
+                        content=req_body,
+                    )
+                status_code = resp.status_code
+                resp_body = resp.content[:512]
+                error = ""
+                suspicious = status_code in (500, 502, 503)
+            except Exception as e:
+                status_code = 0
+                resp_body = b""
+                error = str(e)
+                suspicious = False
+
+            dur = int((time.monotonic() - start) * 1000)
+            results.append(
+                OverflowResult(
+                    param=param_key,
+                    payload=payload,
+                    status_code=status_code,
+                    response_body=resp_body,
+                    duration_ms=dur,
+                    error=error,
+                    suspicious=suspicious,
+                )
+            )
+
+    return results