Library for flask security enhancement, Geo IP blocking and retro-compatibility.
Project description
Flask-Security-Utils
A simple security extension for Flask.
About • Getting Started • Usage • Roadmap • Contributing • Implementation Details
About The Project
Flask-Security-Uils is an extension to enhance the security of flask applications blocking IP, countries and sqlinjections, it's aims to reimplement any deprecated security functionality from flask 1 to 2
This library needs a flask library over 1.1.4, may work with older versions but never been tested. This library needs a Python 3.5 and above.
Built With
Getting Started
This is an example of how you may give instructions on setting up your project locally. To get a local copy up and running follow these simple example steps.
Installation
Installation is straigthfoward
- Create and activate your virtual enviroment
virtualenv -p python3 venv
source venv/bin/activate
- Install Flask
pip install Flask
- Install Flask-Security-Utils (Not implemented yet)
pip install Flask-Security-Utils
Usage
It's implemented as any flask extension:
from flask import Flask
from security_utils.flask_security_utils import FlaskSecurityUtils
app = Flask(__name__)
app.config["IP_BLOCKED_CSV_FILE"]="example_csv.csv"
app.config["SQL_INJECTION_CHECK"]= True #You can avoid as it's the default value
fs = FlaskSecurityUtils(app)
if __name__ == "__main__":
app.run()
For more examples, read the *flask_example.py files
Configuration
- IP_BLOCKED_CSV_FILE: must be the complete file where the block list is saved, only used for persistence in reboots.
- SQL_INJECTION_CHECK:
- When is True check for injection runs for the whole site.
- When is False the scan is skipped.
- BLOCKED_IP_LIST:
- When is None the check is avoided.
- When is [] the check is avoided
- When contains one o more IPs, the block behavior turn on.
- ALLOWED_IP_LIST:
- When is None the check is avoided.
- When is [] the check is avoided
- When contains one o more IPs, the system only grant access to the IP list.
- IN_MEMORY_IP_DATABASE:
- When is True the database is charged on memory.
- When is False the database is used from file. Is the default behavior
- IP_COUNTRY_FILE_DB:
- When is None the folder 'ip_database' is created and 'IP-COUNTRY.BIN' downloaded from git.
- When is [] the folder 'ip_database' is created and 'IP-COUNTRY.BIN' downloaded from git.
- When contains one o more IPs, the block behavior turn on.
- Download the last file version from https://lite.ip2location.com/database/ip-country
- IP_V6_COUNTRY_FILE_DB:
- When is None the folder 'ip_database' is created and 'IPV6-COUNTRY.BIN' downloaded from git.
- When is [] the folder 'ip_database' is created and 'IPV6-COUNTRY.BIN' downloaded from git.
- When contains one o more IPs, the system only grant access to the IP list.
- Download the last file version from https://lite.ip2location.com/database/ip-country
- ALLOWED_COUNTRIES:
- When is None the check is avoided.
- When is [] the check is avoided
- When contains one o more countries, the system only grant access to an IP from the country list.
- Uses the ISO_3166-1_alpha-2 nomenclature, more info in https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
- BLOCKED_COUNTRIES:
- When is None the check is avoided.
- When is [] the check is avoided
- When contains one o more countries, the block behavior turn on.
- Uses the ISO_3166-1_alpha-2 nomenclature, more info in https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
Decorators
- SQLInjection Regex Firewall:
- sql_injection_check
- ignore_sql_injection_check
- IP Firewall:
- ignore_blocked_ip_list
- ignore_allowed_ip_list
- grant_access_ip_list(ipList=[])
- block_ip_list(ipList=[])
- localhost_only
- Country Firewall:
- ignore_blocked_country_list: I
- grant_access_country_list(countryList=[])
- block_access_country_list(countryList=[])
Functions
- SQLInjection Regex Firewall:
- detectSQLInjectionVar: Allow detecting an injection into a var:
# Test with an attact on var ex '+OR+1=1-- # http://127.0.0.1:5000/'+OR+1=1--/check_single @app.route('/<var>/check-single', methods=['GET','POST']) def test_single(var: str): sqlCheck : SQLInjection = SQLInjection() #Use as singleton ip = request.environ.get('HTTP_X_FORWARDED_FOR', request.remote_addr) if sqlCheck.detectSQLInjectionVar(var,ip) == True: return "Alert, injection detected" else: return "Hi, i'm checked on demand"
Roadmap
- SQLInjection detector and IP Blocking : it's allow to detect hackers and block the IP where the connection was made, currently use a list on memory and a CSV, it's allow to check the blocked IPs on Excel or Calc.
- Block IP: It's allow to block an IP on the system or just an endpoint.
- Allow IP: It's allow to only grant access to a global IP list, or just an endpoint.
- Block Country: It's allow to ban an entire country on the system, or just an endpoint.
- LocalHostOnly: An decorator that allow to create localhost endpoints, useful to interconnect microservices created on different programming languages.
- Scale Support
- Redis IP storage: To share the blocked list across multiple Flask instances.
See the open issues for a full list of proposed features (and known issues).
Contributing
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature
) - Commit your Changes (
git commit -m 'Add some AmazingFeature'
) - Push to the Branch (
git push origin feature/AmazingFeature
) - Open a Pull Request
Implementation Details
Some implementations detail highly important to understand the library behavior.
Default regular expressions of SQLInjection
The class SQLInjection contains the following expressions to detect injections by default:
- ((%3D)|(=))[^\n]*((%27)|(')|(--)|(%3B)|(:)) to detect SQL meta-characters
- \w((%27)|('))((%6F)|o|(%4F))((%72)|r|(%52)) to detect typical SQL Injection attack
- ((%27)|('))union") to detect injection with the UNION keyword
- *exec(\s|+)+(s|x)p\w+ to detect attacks on a MS SQL Server
SQLInjection.clearExpressions() clear all regular expressions generated on the class constructor. SQLInjection.addExpression(cls, expression : rawStr) will let you add new expressions in raw string format r"".
License
Distributed under the BSD-3-Clause License. See LICENSE.txt
for more information.
IP2Location
It's uses the IP2Location lite database who is free for personal or commercial use but attribution required by mentioning the use of this data as follows,
This site or product includes IP2Location LITE data available from https://lite.ip2location.com.
Contact
Project Link: https://github.com/alejivo/Flask-Security-Utils
Project Pypi Repo Link: https://pypi.org/project/Flask-Security-Utils/
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for Flask-Security-Utils-1.0.2.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 1c015ee23dd0ea2269db506d8b089e1e68e65385113d75ab9dad1a0ec35a4ce0 |
|
MD5 | e26b2af075f4b0b3ad9abe72483fdc38 |
|
BLAKE2b-256 | 902a6507ebb40d8f5cdce907677d4fe939820dda259f952c922d890a80e3f476 |
Hashes for Flask_Security_Utils-1.0.2-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 8a3195bf85052741f67dfdd90a24cf14f5fa2c1c549dca8fb43bc484ab200b03 |
|
MD5 | 945198676753ae10c3dc2dc7341fb874 |
|
BLAKE2b-256 | 28e61ff3ea10bf905deb08b250636d6b36724dce913db98a06adfc95e5367d72 |