Release v0.13.0: Security hardening, Docker fixes, and API improvements

Author: fabriziosalmi

.gitignore

@@ -7,3 +7,4 @@ __pycache__
 data/secure_proxy.db
 secure_proxy.db
 data/secure_proxy.db
+.env

backend/Dockerfile

@@ -8,7 +8,7 @@ RUN pip install --no-cache-dir -r requirements.txt
 
 # Install curl for healthcheck (Docker CLI removed for security)
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends curl && \
+    apt-get install -y --no-install-recommends --fix-missing curl && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 

backend/app/app.py

@@ -86,7 +86,7 @@ class DomainSchema(Schema):
 def init_db():
     # Create data directory if it doesn't exist
     data_dir = os.path.dirname(DATABASE_PATH)
-    if not os.path.exists(data_dir):
+    if data_dir and not os.path.exists(data_dir):
         os.makedirs(data_dir, exist_ok=True)
 
     conn = sqlite3.connect(DATABASE_PATH)
@@ -1354,6 +1354,52 @@ def signal_handler(sig, frame):
 except Exception as e:
     logger.error(f"Error applying initial settings: {str(e)}")
 
+@app.route('/api/logs', methods=['GET'])
+@auth.login_required
+def get_logs():
+    """Get proxy logs with pagination and sorting"""
+    try:
+        # Get query parameters
+        limit = request.args.get('limit', 25, type=int)
+        offset = request.args.get('offset', 0, type=int)
+        sort_by = request.args.get('sort', 'timestamp')
+        order = request.args.get('order', 'desc')
+        
+        # Validate sort column to prevent SQL injection
+        valid_columns = ['timestamp', 'source_ip', 'destination', 'status', 'bytes', 'method']
+        if sort_by not in valid_columns:
+            sort_by = 'timestamp'
+            
+        # Validate order
+        if order.lower() not in ['asc', 'desc']:
+            order = 'desc'
+            
+        conn = get_db()
+        cursor = conn.cursor()
+        
+        # Get total count
+        cursor.execute("SELECT COUNT(*) FROM proxy_logs")
+        total_count = cursor.fetchone()[0]
+        
+        # Get logs
+        query = f"SELECT * FROM proxy_logs ORDER BY {sort_by} {order.upper()} LIMIT ? OFFSET ?"
+        cursor.execute(query, (limit, offset))
+        
+        logs = [dict(row) for row in cursor.fetchall()]
+        
+        return jsonify({
+            "status": "success",
+            "data": logs,
+            "pagination": {
+                "total": total_count,
+                "limit": limit,
+                "offset": offset
+            }
+        })
+    except Exception as e:
+        logger.error(f"Error fetching logs: {str(e)}")
+        return jsonify({"status": "error", "message": "Failed to fetch logs"}), 500
+
 @app.route('/api/logs/stats', methods=['GET'])
 @auth.login_required
 def get_log_stats():
@@ -3016,7 +3062,7 @@ def client_statistics():
                 WHERE source_ip IS NOT NULL AND source_ip != ''
                 GROUP BY source_ip
                 ORDER BY requests DESC
-                LIMIT 50  # Limit to top 50 clients for performance
+                LIMIT 50
             """)
             clients = [dict(row) for row in cursor.fetchall()]
 
@@ -3055,7 +3101,7 @@ def domain_statistics():
                 WHERE destination IS NOT NULL AND destination != ''
                 GROUP BY destination
                 ORDER BY requests DESC
-                LIMIT 50  # Limit to top 50 domains for performance
+                LIMIT 50
             """)
             domains_raw = [dict(row) for row in cursor.fetchall()]
 

config/custom_squid.conf

@@ -84,7 +84,7 @@ connect_timeout 30 seconds
 dns_timeout 5 seconds
 
 # Log settings
-debug_options ALL,INFO
+debug_options ALL,DEBUG
 access_log daemon:/var/log/squid/access.log squid
 cache_log /var/log/squid/cache.log
 cache_store_log stdio:/var/log/squid/store.log

config/ip_blacklist.txt

@@ -1 +1,2 @@
-1.1.1.1
+1.1.1.1
+1.2.3.4

data/secure_proxy.db

@@ -1,6 +1,11 @@
 FROM ubuntu:22.04
 
-RUN apt-get update && apt-get install -y \
+RUN echo "Acquire::http::Pipeline-Depth 0;" > /etc/apt/apt.conf.d/99fixbadproxy && \
+    echo "Acquire::http::No-Cache true;" >> /etc/apt/apt.conf.d/99fixbadproxy && \
+    echo "Acquire::BrokenProxy true;" >> /etc/apt/apt.conf.d/99fixbadproxy && \
+    rm -rf /var/lib/apt/lists/* && \
+    apt-get update && \
+    apt-get install -y --fix-missing \
     squid \
     squid-common \
     iproute2 \

proxy/Dockerfile

@@ -2,6 +2,7 @@
 import json
 import os
 import sys
+import tempfile
 from unittest.mock import patch, MagicMock
 
 # Add backend to path
@@ -13,17 +14,31 @@
 os.environ['SECRET_KEY'] = 'test_secret'
 
 from app.app import app, init_db, get_db
+import app.app as backend_app
 
 class SecurityTests(unittest.TestCase):
     def setUp(self):
         app.config['TESTING'] = True
         self.client = app.test_client()
 
-        # Setup in-memory db
+        # Create a temporary file for the database
+        self.db_fd, self.db_path = tempfile.mkstemp()
+        
+        # Patch the DATABASE_PATH in the backend app module
+        self.original_db_path = backend_app.DATABASE_PATH
+        backend_app.DATABASE_PATH = self.db_path
+        
+        # Initialize the database
         with app.app_context():
-            # Mock database path to use in-memory
-            with patch('app.app.DATABASE_PATH', ':memory:'):
-                init_db()
+            init_db()
+
+    def tearDown(self):
+        # Close and remove the temporary database
+        os.close(self.db_fd)
+        os.unlink(self.db_path)
+        
+        # Restore original DATABASE_PATH
+        backend_app.DATABASE_PATH = self.original_db_path
 
     def test_input_validation_ip(self):
         # Test invalid IP
@@ -53,6 +68,8 @@ def test_input_validation_domain(self):
             headers={'Authorization': 'Basic YWRtaW46YWRtaW4='},
             json={'domain': 'example.com', 'description': 'test'}
         )
+        if response.status_code != 200:
+            print(f"Domain validation failed: {response.get_json()}")
         self.assertEqual(response.status_code, 200)
 
     def test_settings_update(self):

tests/test_security_improvements.py

@@ -2,8 +2,11 @@ FROM python:3.11-slim
 
 WORKDIR /app
 
-# Install Flask with compatible dependencies
-RUN pip install --no-cache-dir flask==2.0.1 werkzeug==2.0.1 flask-basicauth==0.2.0 requests==2.28.2 python-dotenv==1.0.0
+# Copy requirements first to leverage Docker cache
+COPY requirements.txt .
+
+# Install dependencies
+RUN pip install --no-cache-dir -r requirements.txt
 
 # Copy application code
 COPY . .

ui/Dockerfile

@@ -22,10 +22,10 @@
 # Configure CSP
 csp = {
     'default-src': "'self'",
-    'script-src': "'self'",
-    'style-src': "'self'",
-    'img-src': "'self' data:",
-    'font-src': "'self'"
+    'script-src': ["'self'", "'unsafe-inline'"],
+    'style-src': ["'self'", "'unsafe-inline'"],
+    'img-src': ["'self'", "data:"],
+    'font-src': ["'self'", "data:"]
 }
 talisman = Talisman(app, content_security_policy=csp, force_https=False)