From 51cdc9a4854d2dca1616893f7ac5a8dd076b853e Mon Sep 17 00:00:00 2001
From: "Benjamin W. Broersma"
Date: Sat, 9 Mar 2024 14:45:16 +0100
Subject: [PATCH] security.txt full url in finding

Fixes #1314
---
 ...aintestappsecpriv_securitytxt_found_url.py | 27 +++++++++++++++++++
 checks/models.py | 4 +++
 checks/tasks/appsecpriv.py | 3 ++-
 checks/tasks/securitytxt.py | 2 ++
 translations/en/main.po | 2 +-
 translations/nl/main.po | 2 +-
 6 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 checks/migrations/0016_domaintestappsecpriv_securitytxt_found_url.py

diff --git a/checks/migrations/0016_domaintestappsecpriv_securitytxt_found_url.py b/checks/migrations/0016_domaintestappsecpriv_securitytxt_found_url.py
new file mode 100644
index 000000000..9c4f5756a
--- /dev/null
+++ b/checks/migrations/0016_domaintestappsecpriv_securitytxt_found_url.py
@@ -0,0 +1,27 @@
+# AddField Generated by Django 3.2.24 on 2024-03-09 12:49
+# Manually created SQL migration to handle old reports
+
+from django.db import migrations # , models
+
+
+class Migration(migrations.Migration):
+ dependencies = [
+ ("checks", "0015_auto_20240212_1616"),
+ ]
+
+ operations = [
+ # migrations.AddField(
+ # model_name='domaintestappsecpriv',
+ # name='securitytxt_found_url',
+ # field=models.CharField(max_length=8000, null=True),
+ # ),
+ migrations.RunSQL(
+ sql=[
+ "ALTER TABLE checks_domaintestappsecpriv ADD COLUMN securitytxt_found_url VARCHAR(8000);",
+ "UPDATE checks_domaintestappsecpriv SET securitytxt_found_url=securitytxt_found_host WHERE securitytxt_enabled;",
+ ],
+ reverse_sql=[
+ "ALTER TABLE checks_domaintestappsecpriv DROP COLUMN securitytxt_found_url;",
+ ],
+ ),
+ ]
diff --git a/checks/models.py b/checks/models.py
index fbf40c1ff..8ba42e38b 100644
--- a/checks/models.py
+++ b/checks/models.py
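Review bot: The RunSQL adds the column while the matching AddField stays commented out, so Django's migration state never learns about `securitytxt_found_url`; the next `makemigrations` will regenerate an AddField for it, and applying that will fail because the column already exists. The simplest fix is a plain AddField (portable, state-aware) followed by a RunSQL that only does the backfill, with `reverse_sql=migrations.RunSQL.noop` so the reverse direction is just the field drop; this needs `models` back in the import. The backfill copies a bare hostname into a URL column, which is worth saying in a comment because those older rows will render as "retrieved from <host>" rather than a full URL. `WHERE securitytxt_enabled` is a bare-boolean predicate that is fine on PostgreSQL; if other backends are supported it may need `= true`, which I cannot tell from this file.
```python
from django.db import migrations, models
# … unchanged: class header and dependencies …
    operations = [
        migrations.AddField(
            model_name="domaintestappsecpriv",
            name="securitytxt_found_url",
            field=models.CharField(max_length=8000, null=True),
        ),
        # Backfill: reports saved before this field existed only recorded the host,
        # so older rows show the hostname where newer ones show the full URL.
        migrations.RunSQL(
            sql="UPDATE checks_domaintestappsecpriv SET securitytxt_found_url=securitytxt_found_host WHERE securitytxt_enabled;",
            reverse_sql=migrations.RunSQL.noop,
        ),
    ]
```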
@@ -721,6 +721,8 @@ class DomainTestAppsecpriv(BaseTestModel):
 securitytxt_recommendations = ListField(default=[])
 securitytxt_score = models.IntegerField(null=True)
 securitytxt_found_host = models.CharField(null=True, max_length=255)
+ # 8000 from https://www.rfc-editor.org/rfc/rfc9110#section-4.1-5
+ securitytxt_found_url = models.CharField(null=True, max_length=8000)
 
 def __dir__(self):
 return [
@@ -753,6 +755,7 @@ def __dir__(self):
 "securitytxt_recommendations",
 "securitytxt_score",
 "securitytxt_found_host",
+ "securitytxt_found_url",
 ]
 
 def get_web_api_details(self):
@@ -772,6 +775,7 @@ def get_web_api_details(self):
 "securitytxt_errors": self.securitytxt_errors,
 "securitytxt_recommendations": self.securitytxt_recommendations,
 "securitytxt_found_host": self.securitytxt_found_host,
+ "securitytxt_found_url": self.securitytxt_found_url,
 }
 
 class Meta:
diff --git a/checks/tasks/appsecpriv.py b/checks/tasks/appsecpriv.py
index 2cbaccdf4..bf4f850be 100644
--- a/checks/tasks/appsecpriv.py
+++ b/checks/tasks/appsecpriv.py
@@ -125,6 +125,7 @@ def save_results(model, results, addr, domain):
 model.securitytxt_errors = result.get("securitytxt_errors")
 model.securitytxt_recommendations = result.get("securitytxt_recommendations")
 model.securitytxt_found_host = result.get("securitytxt_found_host")
+ model.securitytxt_found_url = result.get("securitytxt_found_url")
 model.content_security_policy_enabled = result.get("content_security_policy_enabled")
 model.content_security_policy_score = result.get("content_security_policy_score")
 model.content_security_policy_values = result.get("content_security_policy_values")
@@ -190,7 +191,7 @@ def build_report(model, category):
 default_message = [
 {
 "msgid": "retrieved-from",
- "context": {"hostname": model.securitytxt_found_host},
+ "context": {"url": model.securitytxt_found_url},
 }
 ]
 else:
diff --git a/checks/tasks/securitytxt.py b/checks/tasks/securitytxt.py
index f1754c328..25e667c05 100644
--- a/checks/tasks/securitytxt.py
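Review bot: The new `securitytxt_found_url` field on DomainTestAppsecpriv only carries a comment about where the 8000 comes from, not what the column holds or when it is empty, which the `__dir__` and `get_web_api_details` entries in the following hunks now expose through the API. Since the securitytxt task in this patch stores `None` whenever the file was not found and `result.found_url` otherwise, a comment such as `# URL the security.txt was actually retrieved from; None when securitytxt_enabled is False` above the field would make the contract explicit. The length comment could also say that 8000 is the RFC 9110 minimum URI length senders and recipients are expected to support, so a future reader knows it is a floor rather than a hard limit of the protocol. The class DomainTestAppsecpriv starts before this hunk.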
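Review bot: In build_report the `retrieved-from` message now interpolates `model.securitytxt_found_url`, which is `None` for any enabled result written by a worker still running the previous save_results during a rolling deploy, and for any row the migration's `WHERE securitytxt_enabled` backfill did not reach; the report would then read "retrieved from None". A one-line fallback keeps such rows readable: `"context": {"url": model.securitytxt_found_url or model.securitytxt_found_host},`. The value is taken from the scanned site's responses, so it should be rendered with the same escaping the hostname already received; I cannot verify the template side from this hunk. build_report starts outside the hunk.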
+++ b/checks/tasks/securitytxt.py
@@ -138,6 +138,7 @@ def parser_format(parser_messages):
 "securitytxt_enabled": False,
 "securitytxt_score": scoring.WEB_APPSECPRIV_SECURITYTXT_BAD,
 "securitytxt_found_host": result.found_host,
+ "securitytxt_found_url": None,
 "securitytxt_errors": result.errors,
 "securitytxt_recommendations": [],
 }
@@ -151,6 +152,7 @@ def parser_format(parser_messages):
 "securitytxt_enabled": True,
 "securitytxt_score": score,
 "securitytxt_found_host": result.found_host,
+ "securitytxt_found_url": result.found_url,
 "securitytxt_errors": errors,
 "securitytxt_recommendations": parser_format(parser.recommendations),
 }
diff --git a/translations/en/main.po b/translations/en/main.po
index 7a4039e44..0405d8d45 100644
--- a/translations/en/main.po
+++ b/translations/en/main.po
@@ -2021,7 +2021,7 @@ msgid "detail tech data http-securitytxt requested-from"
 msgstr "security.txt requested from {hostname}."
 
 msgid "detail tech data http-securitytxt retrieved-from"
-msgstr "security.txt retrieved from {hostname}."
+msgstr "security.txt retrieved from {url}."
 
 msgid "detail tech data http-securitytxt signed_format_issue"
 msgstr ""
diff --git a/translations/nl/main.po b/translations/nl/main.po
index 96d4406d2..267a95964 100644
--- a/translations/nl/main.po
+++ b/translations/nl/main.po
@@ -2040,7 +2040,7 @@ msgid "detail tech data http-securitytxt requested-from"
 msgstr "security.txt opgevraagd van {hostname}."
 
 msgid "detail tech data http-securitytxt retrieved-from"
-msgstr "security.txt opgehaald van {hostname}."
+msgstr "security.txt opgehaald van {url}."
 
 msgid "detail tech data http-securitytxt signed_format_issue"
 msgstr ""
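Review bot: The failure branch hard-codes `"securitytxt_found_url": None` while still reporting `result.found_host`, so if the result object carries `found_url` for a fetch that succeeded but failed validation, that information is discarded and the report can only show the host; I cannot tell from this hunk whether `found_url` is populated in that case. If it is, using `result.found_url` in both branches would be the consistent choice; if it is deliberately absent on failure, a short comment on the `None` line, such as `# nothing retrieved, so no URL; the report falls back to the requested host`, would stop the next reader from "fixing" the asymmetry. The function these dict literals belong to starts and ends outside the hunk.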