Merge pull request #21 from Jsweb-Tech/fix/vulnerable-fixes

fix: security bug fixes

Author: Jones-peter

.pre-commit-config.yaml

@@ -0,0 +1,76 @@
+# Pre-commit hooks for JsWeb
+# Install: pip install pre-commit && pre-commit install
+# Run manually: pre-commit run --all-files
+
+repos:
+  # Standard pre-commit hooks
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+        args: ['--maxkb=1000']
+      - id: check-json
+      - id: check-toml
+      - id: check-merge-conflict
+      - id: debug-statements
+      - id: mixed-line-ending
+
+  # Black - code formatting
+  - repo: https://github.com/psf/black
+    rev: 24.8.0
+    hooks:
+      - id: black
+        language_version: python3.11
+        args: [--line-length=127]
+
+  # isort - import sorting
+  - repo: https://github.com/PyCQA/isort
+    rev: 5.13.2
+    hooks:
+      - id: isort
+        args: [--profile=black, --line-length=127]
+
+  # Flake8 - linting
+  - repo: https://github.com/PyCQA/flake8
+    rev: 7.0.0
+    hooks:
+      - id: flake8
+        args: [--max-line-length=127, --extend-ignore=E203,W503]
+        additional_dependencies: [flake8-bugbear, flake8-comprehensions]
+
+  # MyPy - type checking (optional, can be slow)
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.11.2
+    hooks:
+      - id: mypy
+        args: [--ignore-missing-imports, --no-strict-optional]
+        additional_dependencies: [types-all]
+        exclude: ^(tests/|docs/)
+        # Set to manual stage if too slow
+        # stages: [manual]
+
+  # Bandit - security linting
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.9
+    hooks:
+      - id: bandit
+        args: [-r, jsweb/, -f, screen]
+        exclude: ^tests/
+
+  # Prettier - for YAML, JSON, Markdown formatting
+  - repo: https://github.com/pre-commit/mirrors-prettier
+    rev: v4.0.0-alpha.8
+    hooks:
+      - id: prettier
+        types_or: [yaml, markdown, json]
+
+# Configuration
+default_language_version:
+  python: python3.11
+
+# Performance: cache validation results
+default_stages: [commit, push]

CONTRIBUTING.md

@@ -1,7 +1,28 @@
-# Contributing to JsWeb.
+# Contributing to JsWeb
 
 First off, thank you for considering contributing. It's people like you that make open-source such a great community. Any contributions you make are **greatly appreciated**.
 
+## Development Setup
+
+To contribute to JsWeb, you'll need to set up your development environment:
+
+```bash
+# 1. Fork and clone the repository
+git clone https://github.com/Jsweb-Tech/jsweb.git
+cd jsweb
+
+# 2. Create a virtual environment
+python -m venv venv
+venv\Scripts\activate  # Windows
+# source venv/bin/activate  # macOS/Linux
+
+# 3. Install JsWeb in editable mode with dev dependencies
+pip install -e ".[dev]"
+
+# 4. Install pre-commit hooks
+pre-commit install
+```
+
 ## How to Contribute
 
 We use a standard workflow for contributions. If you have an improvement, please follow these steps:
@@ -15,6 +36,7 @@ We use a standard workflow for contributions. If you have an improvement, please
 
 3.  **Make Your Changes and Commit**
     * Write your code and make sure to add comments and docstrings where necessary.
+    * Run tests and linters before committing (see below).
     * Commit your changes with a clear and descriptive commit message.
     * `git commit -m 'feat: Add some AmazingFeature'`
 
@@ -25,6 +47,36 @@ We use a standard workflow for contributions. If you have an improvement, please
 5.  **Open a Pull Request**
     * Go to the original repository and you will see a prompt to create a Pull Request from your new branch.
     * Provide a clear title and description for your changes, explaining what you've added or fixed.
+    * Fill out the PR template completely.
+
+## Testing & Code Quality
+
+Before submitting your PR, ensure your code passes all checks:
+
+```bash
+# Run tests
+pytest Tests/
+
+# Run code formatters
+black .
+isort .
+
+# Run linters
+flake8 jsweb/
+
+# Or run all pre-commit checks at once
+pre-commit run --all-files
+```
+
+## Branch Protection
+
+The `main` branch is protected and requires:
+* ✅ Pull request with at least 1-2 approving reviews
+* ✅ All CI checks must pass (tests, linting, type checking)
+* ✅ Branch must be up-to-date with main
+* ✅ Code owner review for core changes
+
+**Note:** You cannot push directly to `main`. All changes must go through pull requests.
 
 ## Reporting Bugs
 

jsweb/app.py

@@ -109,7 +109,9 @@ async def _asgi_app_handler(self, scope, receive, send):
                 raise TypeError(f"View function did not return a Response object (got {type(response).__name__})")
 
             if hasattr(req, 'new_csrf_token_generated') and req.new_csrf_token_generated:
-                response.set_cookie("csrf_token", req.csrf_token, httponly=False, samesite='Lax')
+                # Set CSRF token cookie with strict security settings
+                # Note: httponly=False is required so JavaScript can read it for AJAX requests
+                response.set_cookie("csrf_token", req.csrf_token, httponly=False, samesite='Strict', secure=False)
 
             await response(scope, receive, send)
             return

jsweb/middleware.py

@@ -2,7 +2,6 @@
 import logging
 from .static import serve_static
 from .response import Forbidden
-import json
 
 logger = logging.getLogger(__name__)
 
@@ -58,13 +57,13 @@ async def __call__(self, scope, receive, send):
             cookie_token = req.cookies.get("csrf_token")
             submitted_token = None
 
-            # 1. Check header first (Best practice for AJAX/APIs)
+            
             submitted_token = req.headers.get("x-csrf-token")
 
-            # 2. If no header token, check the body based on content type
+        
             if not submitted_token:
                 content_type = req.headers.get("content-type", "")
-                
+
                 if "application/json" in content_type:
                     try:
                         # Request.json() safely returns {} for empty/invalid bodies
@@ -73,7 +72,7 @@ async def __call__(self, scope, receive, send):
                     except Exception:
                         # If JSON parsing fails, we treat it as no token found
                         pass
-                
+
                 elif "application/x-www-form-urlencoded" in content_type or "multipart/form-data" in content_type:
                     try:
                         # Request.form() safely returns {} for empty/non-form bodies
@@ -83,11 +82,14 @@ async def __call__(self, scope, receive, send):
                         # If form parsing fails, we treat it as no token found
                         pass
 
-            # 3. Perform the validation
+            
             # Both the cookie token and the submitted token MUST be present and match.
             if not cookie_token or not submitted_token or not secrets.compare_digest(submitted_token, cookie_token):
+                # Log CSRF failure with context (but never log the actual tokens)
+                client_ip = scope.get("client", ["unknown"])[0]
                 logger.warning(
-                    f"CSRF validation failed for {req.method} {req.path}. "
+                    f"CSRF validation failed - Method: {req.method}, "
+                    f"Path: {req.path}, Client IP: {client_ip}, "
                     f"Cookie set: {'Yes' if cookie_token else 'No'}, "
                     f"Token submitted: {'Yes' if submitted_token else 'No'}."
                 )
@@ -170,7 +172,7 @@ async def __call__(self, scope, receive, send):
         if scope["type"] != "http":
             await self.app(scope, receive, send)
             return
-            
+
         from .database import db_session
         try:
             await self.app(scope, receive, send)
@@ -180,3 +182,69 @@ async def __call__(self, scope, receive, send):
             raise
         finally:
             db_session.remove()
+
+
+class SecurityHeadersMiddleware(Middleware):
+    """
+    Middleware to inject security headers into all HTTP responses.
+
+    This middleware adds essential security headers to protect against common web
+    vulnerabilities including XSS, clickjacking, MIME sniffing, and more.
+
+    Headers added:
+    - X-Content-Type-Options: nosniff
+    - X-Frame-Options: DENY
+    - X-XSS-Protection: 1; mode=block
+    - Strict-Transport-Security: max-age=31536000; includeSubDomains
+    - Referrer-Policy: strict-origin-when-cross-origin
+    - Content-Security-Policy: default-src 'self'
+
+    Args:
+        app: The ASGI application to wrap.
+        custom_headers (dict, optional): Custom security headers to override defaults.
+    """
+
+    DEFAULT_HEADERS = {
+        "x-content-type-options": "nosniff",
+        "x-frame-options": "DENY",
+        "x-xss-protection": "1; mode=block",
+        "strict-transport-security": "max-age=31536000; includeSubDomains",
+        "referrer-policy": "strict-origin-when-cross-origin",
+        # Conservative CSP - can be customized per-application
+        "content-security-policy": "default-src 'self'",
+    }
+
+    def __init__(self, app, custom_headers=None):
+        super().__init__(app)
+        self.headers = {**self.DEFAULT_HEADERS, **(custom_headers or {})}
+
+    async def __call__(self, scope, receive, send):
+        """
+        Injects security headers into the HTTP response.
+
+        Args:
+            scope (dict): The ASGI connection scope.
+            receive (callable): An awaitable callable to receive events.
+            send (callable): An awaitable callable to send events.
+        """
+        if scope["type"] != "http":
+            await self.app(scope, receive, send)
+            return
+
+        async def send_wrapper(message):
+            if message["type"] == "http.response.start":
+                # Add security headers to response
+                headers = list(message.get("headers", []))
+
+                # Only add headers if they don't already exist
+                existing_header_names = {name.decode().lower() for name, _ in headers}
+
+                for header_name, header_value in self.headers.items():
+                    if header_name.lower() not in existing_header_names:
+                        headers.append([header_name.encode(), header_value.encode()])
+
+                message["headers"] = headers
+
+            await send(message)
+
+        await self.app(scope, receive, send_wrapper)

jsweb/request.py

@@ -5,6 +5,9 @@
 
 from werkzeug.formparser import parse_form_data
 
+# Maximum request body size (10MB default, configurable)
+MAX_REQUEST_BODY_SIZE = 10 * 1024 * 1024  # 10 MB
+
 
 class Request:
     """
@@ -78,6 +81,7 @@ async def body(self):
 
         Raises:
             RuntimeError: If the stream was already consumed by `stream()`.
+            ValueError: If the request body exceeds MAX_REQUEST_BODY_SIZE.
         """
         if self._body is None:
             if self._is_stream_consumed:
@@ -86,8 +90,21 @@ async def body(self):
                     "Always use body() if you need to access the body multiple times."
                 )
             chunks = []
+            total_size = 0
+
             async for chunk in self.stream():
+                chunk_size = len(chunk)
+                total_size += chunk_size
+
+                
+                if total_size > MAX_REQUEST_BODY_SIZE:
+                    raise ValueError(
+                        f"Request body size ({total_size} bytes) exceeds maximum allowed "
+                        f"size of {MAX_REQUEST_BODY_SIZE} bytes"
+                    )
+
                 chunks.append(chunk)
+
             self._body = b"".join(chunks)
         return self._body
 

jsweb/response.py

@@ -115,6 +115,7 @@ def __init__(
         self.body = body
         self.status_code = status_code
         self.headers = headers or {}
+        self._cookies = []  # Store cookies separately to support multiple Set-Cookie headers
 
         final_content_type = content_type or self.default_content_type
         if "content-type" not in self.headers:
@@ -162,10 +163,8 @@ def set_cookie(
         if httponly:
             cookie_val += "; HttpOnly"
 
-        if "Set-Cookie" in self.headers:
-            self.headers["Set-Cookie"] += f"\n{cookie_val}"
-        else:
-            self.headers["Set-Cookie"] = cookie_val
+        # Store cookies separately to properly support multiple Set-Cookie headers
+        self._cookies.append(cookie_val)
 
     def delete_cookie(self, key: str, path: str = "/", domain: str = None):
         """
@@ -194,10 +193,17 @@ async def __call__(self, scope, receive, send):
         if "content-length" not in self.headers:
             self.headers["content-length"] = str(len(body_bytes))
 
+        # Build headers list, properly handling multiple Set-Cookie headers
+        headers_list = [[k.encode(), v.encode()] for k, v in self.headers.items()]
+
+        # Add each cookie as a separate Set-Cookie header (proper HTTP specification)
+        for cookie in self._cookies:
+            headers_list.append([b"set-cookie", cookie.encode()])
+
         await send({
             "type": "http.response.start",
             "status": self.status_code,
-            "headers": [[k.encode(), v.encode()] for k, v in self.headers.items()],
+            "headers": headers_list,
         })
         await send({
             "type": "http.response.body",