Open Martlark opened 5 years ago
I'm a little fuzzy on this because its been a while, but talisman does allow override CSP on a per-route basis so there's already that possibility. Also, if your admin routes are part of a blueprint is there a way, in Flask, to attach Talisman to just that one blueprint? (I think so, though I'm unsure).
If there is a way to add an annotation to all the admin views I can’t see how. It is certainly not a simple thing to add an annotation to every endpoint in a view. You can roll your own flask-admin views, but that seems an excessive amount of work, especially when you have dozens of models to manage. There will be other packages where covering an entire endpoint/url pattern is more sensible than fiddling around in the internals of packages to add individual annotations.
You should switch on `request.blueprint` in `before_request`. That's an accepted way to do actions for groups of routes.
Flask-Admin might have something specific to decorating their routes as well, or may be open to improving that.
I'm sure there is some flask clever way to use annotations or blueprints to apply CSP to certain routes using the existing talisman api, but, many packages are opaque in the way they implement routes/blueprints. For some Flask apps it would be more convenient to use a url regex pattern. I'll argue some time in the far future that annotations per route are burdensome.
Just leaving it here in case it helps future users, but for Flask-Admin, I opted to include the sha256 hashes instead. Found that they were more convenient to configure.
For "return modelActions.execute('delete');", you can use 'sha256-ftmTNsdfRKq6ZNyHL+p7dI9xRqueDTpseN1IaUUgQW4='
For "return faHelpers.safeConfirm('Are you sure you want to delete this record?');", you can use 'sha256-gikCNhEl+fhjSb8779qEr3zNPPm8nyTyg8MPyBYs+Tw='
These are the only scripts I have found that needed hashing.
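The hash approach in the comment above depends on getting the exact script text right, so here is an added example (not code from the thread or from Flask-Admin) that derives CSP `'sha256-...'` source expressions with the standard library. The two inline scripts are the ones quoted in the comment; the function and list names are this example's own.

```python
import base64
import hashlib

# Constructed input: the two Flask-Admin inline handlers quoted in the thread.
INLINE_SCRIPTS = [
    "return modelActions.execute('delete');",
    "return faHelpers.safeConfirm('Are you sure you want to delete this record?');",
]


def csp_hash_source(script_text: str, algorithm: str = "sha256") -> str:
    """Return the CSP source expression that allows one exact inline script.

    The browser hashes the script text exactly as it appears in the page, so
    nothing may be trimmed or re-encoded here: one changed byte (a trailing
    space, a different quote character) gives a different, non-matching hash.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP only defines sha256, sha384 and sha512 hash sources")
    digest = hashlib.new(algorithm, script_text.encode("utf-8")).digest()
    return "'%s-%s'" % (algorithm, base64.b64encode(digest).decode("ascii"))


def script_src_for(scripts, extra_sources=("'self'",)) -> list:
    """Build a script-src source list: the base sources plus one hash per script."""
    sources = list(extra_sources)
    for text in scripts:
        source = csp_hash_source(text)
        if source not in sources:  # the same snippet on several pages needs one hash
            sources.append(source)
    return sources


if __name__ == "__main__":
    for text in INLINE_SCRIPTS:
        print("%r\n    -> %s" % (text, csp_hash_source(text)))
    print("script-src", " ".join(script_src_for(INLINE_SCRIPTS)))
```

Paste the printed values into the `script-src` list of the Talisman policy. When the snippet lives in an event-handler attribute (an `onclick`, as Flask-Admin's buttons do) rather than in a `<script>` element, a hash only matches under CSP Level 3 when the directive also carries `'unsafe-hashes'`; a `<script>` body is matched by hash alone.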
For others looking to integrate Talisman and Flask Admin with Bootstrap 4. This solution might also allow applying Talisman options on a per-route basis to Admin views using some metadata in `MyAppAdminViewMeta`. But I didn't go that far.
It sounds like this backflip might not be necessary after Flask Admin migrates to Bootstrap 5.
> You should switch on `request.blueprint` in `before_request`. That's an accepted way to do actions for groups of routes.
Flask Admin generates Blueprints for model views. It doesn't prefix the new Blueprint names with the index Blueprint name ("admin", by default). So this method probably won't work for most people.
> Flask-Admin might have something specific to decorating their routes as well, or may be open to improving that.
I was able to apply Talisman options to Admin view functions by subclassing `AdminViewMeta` and using that metaclass in the app's index and model views:
```python
from flask_admin.base import AdminIndexView, AdminViewMeta
from flask_admin.contrib.sqla import ModelView


class MyAppAdminViewMeta(AdminViewMeta):
    talisman_view_options = {
        "content_security_policy": {
            "style-src": [
                "'self'",
                "'sha256-l/KYA9Q1I/ILRvd2rVApM7Asyv9CvBGrs03cA30BVGo='",
                "'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='",
                "'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE='",
            ],
            "script-src": [
                "'self'",
                "'sha256-ftmTNsdfRKq6ZNyHL+p7dI9xRqueDTpseN1IaUUgQW4='",
                "'sha256-gikCNhEl+fhjSb8779qEr3zNPPm8nyTyg8MPyBYs+Tw='",
            ],
        }
    }

    def __init__(cls, classname, bases, fields):
        super().__init__(classname, bases, fields)
        # Methods routed with Flask-Admin's @expose carry a ``_urls`` attribute;
        # tag each of them so Talisman reads the options on every request.
        for p in dir(cls):
            attr = getattr(cls, p)
            if hasattr(attr, "_urls"):
                setattr(
                    attr, "talisman_view_options", cls.talisman_view_options,
                )
                setattr(cls, p, attr)


class MyAppIndexView(AdminIndexView, metaclass=MyAppAdminViewMeta):
    pass


class MyAppModelView(ModelView, metaclass=MyAppAdminViewMeta):
    pass
```
A more general solution to apply Talisman options on a per-route basis would be to use the rules in `app.url_map` to find the associated endpoint in `app.view_functions` and set the `talisman_view_options` attribute on those functions. But `setattr()` threw an AttributeError when I tried this on Flask-Admin methods in a `before_request`-decorated function.
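The AttributeError reported above has a plain-Python cause, shown here as an added example that is not code from the thread or from Flask-Admin. It assumes, as Flask-Admin's `create_blueprint` does, that the registered view function is a bound method of the view instance (`getattr(view, name)`); the stand-in class, function and option names are this example's own, and no Flask is needed to run it.

```python
import types


class FakeAdminView:
    """Stand-in for a Flask-Admin view; index_view plays the registered view func."""

    def index_view(self):
        return "index"


def set_view_options(view_func, options):
    """Attach talisman_view_options to a view function, bound method or not.

    A plain function accepts new attributes. A bound method does not: assigning
    to it raises AttributeError, which is what a before_request hook walking
    app.view_functions runs into. Attribute *reads* on a bound method fall
    through to the underlying function, so setting the option on __func__ is
    enough for a later getattr(view_func, "talisman_view_options") to see it.
    Note this tags the function on the class, i.e. every instance of the view,
    which is also what the metaclass approach above ends up doing.
    """
    target = view_func.__func__ if isinstance(view_func, types.MethodType) else view_func
    target.talisman_view_options = options
    return view_func


def bound_method_rejects_setattr(view_func) -> bool:
    """True if assigning an attribute directly on view_func raises AttributeError."""
    try:
        view_func.talisman_view_options = {}
    except AttributeError:
        return True
    return False


def demo():
    view = FakeAdminView()
    registered = view.index_view  # what app.view_functions[endpoint] would hold
    options = {"content_security_policy": {"script-src": ["'self'"]}}
    failed_directly = bound_method_rejects_setattr(registered)
    set_view_options(registered, options)
    # A fresh lookup, as the header-setting code does per request, sees the option.
    seen = getattr(view.index_view, "talisman_view_options", None)
    return failed_directly, seen


if __name__ == "__main__":
    print(demo())  # (True, {'content_security_policy': {'script-src': ["'self'"]}})
```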
I have a need to use flask-admin in a CSP-protected app. As flask-admin is a package, it is not practicable to apply a CSP exception annotation to each of its routes. In my current application I have this bit of code:
I'd like to add a policy with an associated regex to match against the route it should be implemented against.
Is this sensible to add into talisman as a feature enhancement via a pull request I'll author?
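To make the proposal concrete, and to show how it relates to the `request.blueprint` suggestion earlier in the thread, here is an added example of rule-based policy switching. It is not code from the thread or from flask-talisman: each rule names a policy and matches a request by blueprint name, endpoint prefix, or a URL regex; the first matching rule wins and the default policy applies otherwise. The `Request` stand-in, the rule and function names and the sample policies are assumptions of this example; only the policy dict layout (directive to list of sources) follows Talisman's. The two script hashes are the ones quoted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_CSP = {"default-src": ["'self'"]}

# Constructed admin policy: allows the two inline handlers hashed above.
ADMIN_CSP = {
    "default-src": ["'self'"],
    "script-src": [
        "'self'",
        "'sha256-ftmTNsdfRKq6ZNyHL+p7dI9xRqueDTpseN1IaUUgQW4='",
        "'sha256-gikCNhEl+fhjSb8779qEr3zNPPm8nyTyg8MPyBYs+Tw='",
    ],
}


@dataclass
class Request:
    """Only the two request attributes the rules look at (stand-in for flask.request)."""
    path: str
    endpoint: Optional[str] = None

    @property
    def blueprint(self) -> Optional[str]:
        # Same derivation Flask uses: the endpoint minus its last dotted component.
        if self.endpoint and "." in self.endpoint:
            return self.endpoint.rsplit(".", 1)[0]
        return None


@dataclass
class PolicyRule:
    policy: dict
    blueprint: Optional[str] = None        # exact blueprint name
    endpoint_prefix: Optional[str] = None  # e.g. "admin."
    path_regex: Optional[str] = None       # matched at the start of the path
    _pattern: Optional[re.Pattern] = field(init=False, default=None, repr=False)

    def __post_init__(self):
        if self.blueprint is None and self.endpoint_prefix is None and self.path_regex is None:
            raise ValueError("a rule needs at least one match criterion")
        if self.path_regex is not None:
            self._pattern = re.compile(self.path_regex)

    def matches(self, req: Request) -> bool:
        # Every criterion that is set must hold; unset criteria are ignored.
        if self.blueprint is not None and req.blueprint != self.blueprint:
            return False
        if self.endpoint_prefix is not None and not (req.endpoint or "").startswith(self.endpoint_prefix):
            return False
        if self._pattern is not None and not self._pattern.match(req.path):
            return False
        return True


# Flask-Admin's generated model-view blueprints are not named "admin.*", so the
# blueprint rule alone misses them; the URL regex covers everything mounted
# under /admin regardless of how its blueprint is named (the thread's point).
ADMIN_RULES = [
    PolicyRule(ADMIN_CSP, blueprint="admin"),
    PolicyRule(ADMIN_CSP, path_regex=r"^/admin(/|$)"),
]


def select_policy(rules, req: Request) -> dict:
    """First matching rule wins; fall back to the site-wide default policy."""
    for rule in rules:
        if rule.matches(req):
            return rule.policy
    return DEFAULT_CSP


def csp_header(policy: dict) -> str:
    """Render a policy dict to a Content-Security-Policy header value."""
    parts = []
    for directive, sources in policy.items():
        if isinstance(sources, str):
            sources = [sources]
        parts.append("%s %s" % (directive, " ".join(sources)))
    return "; ".join(parts)


if __name__ == "__main__":
    samples = [
        Request("/", "index"),
        Request("/admin/", "admin.index"),
        Request("/admin/user/", "user.index_view"),   # blueprint "user", caught by regex
        Request("/administrator", "x.y"),             # not under /admin, default policy
    ]
    for req in samples:
        print(req.path, "->", csp_header(select_policy(ADMIN_RULES, req)))
```

In a real app `select_policy` would run in a `before_request` hook against `flask.request` and the chosen policy would be handed to Talisman; the match order matters, so put the most specific rules first and keep the catch-all default as the implicit last rule rather than as a regex like `.*`.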