From 6c8ee1862ab31153b5d27a5a3fefcadaa0dbf86f Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Fri, 18 Sep 2015 19:04:28 +0000
Subject: [PATCH] use subresource integrity attributes to guard against CDNs
 being used as an attack vector; drop external resources that we can't protect
 this way (fonts); fixes #234

---
 management/templates/index.html       | 14 +++++---------
 tools/update-subresource-integrity.py | 24 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 9 deletions(-)
 create mode 100755 tools/update-subresource-integrity.py

diff --git a/management/templates/index.html b/management/templates/index.html
index c9e2f81e..2b59abea 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -9,11 +9,8 @@
 
         <meta name="robots" content="noindex, nofollow">
 
-        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
+        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" integrity="sha256-MfvZlkHCEqatNoGiOXveE8FIwMzZg4W85qfrfIFBfYc=" crossorigin="anonymous">
         <style>
-            @import url(https://fonts.googleapis.com/css?family=Raleway:400,700);
-            @import url(https://fonts.googleapis.com/css?family=Ubuntu:300);
-
 	    body {
 		overflow-y: scroll;
                 padding-bottom: 20px;
@@ -24,7 +21,7 @@
             }
 
             h1, h2, h3, h4 {
-              font-family: Raleway, sans-serif;
+              font-family: sans-serif;
               font-weight: bold;
             }
 
@@ -66,8 +63,7 @@
 	       margin-bottom: 1em;
 	    }
         </style>
-        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap-theme.min.css">
-        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css">
+        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap-theme.min.css" integrity="sha256-bHQiqcFbnJb1Qhh61RY9cMh6kR0gTuQY6iFOBj1yj00=" crossorigin="anonymous">
     </head>
     <body>
 
@@ -195,8 +191,8 @@
           </div>
         </div>
 
-        <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
-        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
+        <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js" integrity="sha256-rsPUGdUPBXgalvIj4YKJrrUlmLXbOb6Cp7cdxn1qeUc=" crossorigin="anonymous"></script>
+        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js" integrity="sha256-Sk3nkD6mLTMOF0EOpNtsIry+s1CsaqQC1rVLTAy+0yc=" crossorigin="anonymous"></script>
 
         <script>
 var global_modal_state = null;
diff --git a/tools/update-subresource-integrity.py b/tools/update-subresource-integrity.py
new file mode 100755
index 00000000..0400c20a
--- /dev/null
+++ b/tools/update-subresource-integrity.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python3
+# Updates subresource integrity attributes in management/templates/index.html
+# to prevent CDN-hosted resources from being used as an attack vector. Run this
+# after updating the Bootstrap and jQuery <link> and <script> to compute the
+# appropriate hash and insert it into the template.
+
+import re, urllib.request, hashlib, base64
+
+fn = "management/templates/index.html"
+
+with open(fn, 'r') as f:
+	content = f.read()
+
+def make_integrity(url):
+	resource = urllib.request.urlopen(url).read()
+	return "sha256-" + base64.b64encode(hashlib.sha256(resource).digest()).decode('ascii')
+
+content = re.sub(
+	r'<(link rel="stylesheet" href|script src)="(.*?)" integrity="(.*?)"',
+	lambda m : '<' + m.group(1) + '="' + m.group(2) + '" integrity="' + make_integrity(m.group(2)) + '"',
+	content)
+
+with open(fn, 'w') as f:
+	f.write(content)