Add support for legacy CSP reports

These originate from "report-uri" (not "report-to") tags in CSP headers, and appear as application/csp-report requests.

Add support for legacy CSP reports
dc6fe6bd · ale · 9b688f5a · dc6fe6bd · dc6fe6bd · dc6fe6bd
Commit dc6fe6bd authored 4 years ago by ale
--- a/cmd/reports-collector/main.go
+++ b/cmd/reports-collector/main.go
@@ -35,6 +35,7 @@ func main() {
 		new(rc.LogSink),
 		new(rc.ReportHandler),
 		new(rc.TLSRPTHandler),
+		new(rc.LegacyCSPHandler),
 		new(rc.DMARCHandler),
 	)


--- a/collector_test.go
+++ b/collector_test.go
@@ -21,6 +21,7 @@ func createTestCollector() (*countingSink, string, func()) {
 		sink,
 		new(ReportHandler),
 		new(TLSRPTHandler),
+		new(LegacyCSPHandler),
 		new(DMARCHandler),
 	)
 	srv := httptest.NewServer(c)
@@ -288,3 +289,30 @@ func TestDMARC_IgnoreSuccesses(t *testing.T) {
 		t.Fatalf("parsed %d events, expected 0", sink.counter)
 	}
 }
+
+var cspTestData = `{
+  "csp-report": {
+    "document-uri": "http://localhost:3000/content",
+    "referrer": "",
+    "violated-directive": "frame-src",
+    "effective-directive": "frame-src",
+    "original-policy": "default-src 'self'; frame-src https://*.mozilla.org; report-uri /report",
+    "disposition": "enforce",
+    "blocked-uri": "https://mozilla.org",
+    "line-number": 1,
+    "source-file": "http://localhost:3000/content",
+    "status-code": 200,
+    "script-sample": ""
+  }
+}`
+
+func TestCSP(t *testing.T) {
+	sink, uri, cleanup := createTestCollector()
+	defer cleanup()
+
+	doRequest(t, uri, "application/csp-report", cspTestData)
+
+	if sink.counter != 1 {
+		t.Fatalf("parsed %d events, expected 1", sink.counter)
+	}
+}
--- a/csp.go
+++ b/csp.go
+package reportscollector
+
+import (
+	"encoding/json"
+	"net/http"
+	"time"
+)
+
+type legacyCSPReport struct {
+	DocumentURI        string `json:"document-uri"`
+	Referrer           string `json:"referrer"`
+	ViolatedDirective  string `json:"violated-directive"`
+	EffectiveDirective string `json:"effective-directive"`
+	OriginalPolicy     string `json:"original-policy"`
+	Disposition        string `json:"disposition"`
+	BlockedURI         string `json:"blocked-uri"`
+	LineNumber         int    `json:"line-number"`
+	SourceFile         string `json:"source-file"`
+	StatusCode         int    `json:"status-code"`
+}
+
+type legacyCSPReportContainer struct {
+	Report *legacyCSPReport `json:"csp-report"`
+}
+
+type LegacyCSPHandler struct{}
+
+func (h *LegacyCSPHandler) Parse(contentType string, req *http.Request) ([]Event, error) {
+	if contentType != "application/csp-report" {
+		return nil, ErrNoMatch
+	}
+
+	var cnt legacyCSPReportContainer
+	if err := json.NewDecoder(req.Body).Decode(&cnt); err != nil {
+		return nil, err
+	}
+
+	if cnt.Report == nil {
+		return nil, nil
+	}
+	return []Event{h.eventFromReport(req, cnt.Report)}, nil
+}
+
+func (h *LegacyCSPHandler) eventFromReport(req *http.Request, report *legacyCSPReport) Event {
+	e := make(Event)
+	if asn, ok := lookupASN(getRemoteIP(req)); ok {
+		e.Set("asn", asn)
+	}
+	e.Set("type", "csp")
+	e.Set("event_timestamp", time.Now())
+	e.Set("url", report.DocumentURI)
+	e.Set("domain", domainFromURL(report.DocumentURI))
+	e.Set("user_agent", req.Header.Get("User-Agent"))
+
+	// TODO: use the same fields as report-to CSP reports.
+	e.Set("csp_violated_directive", report.ViolatedDirective)
+	e.Set("csp_blocked_uri", report.BlockedURI)
+	e.Set("csp_source_file", report.SourceFile)
+	e.Set("csp_line_number", report.LineNumber)
+	e.Set("csp_status_code", report.StatusCode)
+	return e
+}