From b9a7c8c45164463b290498cf9aa26c0ceca772ed Mon Sep 17 00:00:00 2001
From: "[Peter Burnett]" <[peterburnett@catalyst-au.net]>
Date: Tue, 24 Sep 2019 13:45:38 +1000
Subject: [PATCH 1/9] Removed column for sourceURI, and aggregated target URI
rows with a DB query
---
classes/table/csp_report.php | 2 +-
csp_report.php | 34 +++++++++++++++++++++++++++-------
2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/classes/table/csp_report.php b/classes/table/csp_report.php
index cd61db6..11f54d8 100644
--- a/classes/table/csp_report.php
+++ b/classes/table/csp_report.php
@@ -120,7 +120,7 @@ protected function col_action($record) {
$action = new \confirm_action(get_string('areyousuretodeleteonerecord', 'local_csp'));
$url = new \moodle_url($this->baseurl);
$url->params(array(
- 'removerecordwithhash' => $record->sha1hash,
+ 'removeviolationclass' => $record->blockeduri,
'sesskey' => sesskey(),
'redirecttopage' => $this->currpage,
));
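Review bot: The confirmation still uses `get_string('areyousuretodeleteonerecord', 'local_csp')` on line 15 while the action now sends `removeviolationclass` keyed on `blockeduri`, which deletes every stored report for that URI rather than one record, so the prompt understates what the admin is about to do. Introduce a string that says so, e.g. `areyousuretodeleteviolationclass` = 'Are you sure you want to delete all reports for this blocked URI?', and use it here. `col_action` begins and continues outside this hunk.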
diff --git a/csp_report.php b/csp_report.php
index 5b25985..dd5a8f0 100644
--- a/csp_report.php
+++ b/csp_report.php
@@ -28,9 +28,17 @@
global $DB;
-// Remove CSP report record with specified hash. This is triggered from \local_csp\table\csp_report->col_action().
+/*// Remove CSP report record with specified hash. This is triggered from \local_csp\table\csp_report->col_action().
if (($removerecordwithhash = optional_param('removerecordwithhash', false, PARAM_TEXT)) !== false && confirm_sesskey()) {
- $DB->delete_records('local_csp', array('sha1hash' => $removerecordwithhash));
+ //$DB->delete_records('local_csp', array('sha1hash' => $removerecordwithhash));
+ $PAGE->set_url('/local/csp/csp_report.php', array(
+ 'page' => optional_param('redirecttopage', 0, PARAM_INT),
+ ));
+ redirect($PAGE->url);
+}*/
+
+if (($removeviolationclass = optional_param('removeviolationclass', false, PARAM_TEXT)) !== false && confirm_sesskey()) {
+ $DB->delete_records('local_csp', array('blockeduri' => $removeviolationclass));
$PAGE->set_url('/local/csp/csp_report.php', array(
'page' => optional_param('redirecttopage', 0, PARAM_INT),
));
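Review bot: The old hash-based handler (lines 30-38) is left as a commented-out block instead of being deleted; version control keeps the history, and a dead `removerecordwithhash` branch will only confuse the next reader. Remove it, and document the new handler's wider effect, e.g. `// Remove every report for this blocked URI, across all document URIs. Triggered from \local_csp\table\csp_report->col_action().`. Note that `blockeduri` is stored from client-submitted reports, and cleaning the parameter with `PARAM_TEXT` may alter a value containing angle brackets so that the lookup silently matches no rows; if the stored value is not cleaned the same way on insert, compare with `PARAM_RAW` or check the affected count before deleting. The `$DB->delete_records` call is parameterised, so the value cannot reach SQL unescaped.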
@@ -63,7 +71,6 @@
echo $OUTPUT->single_button($urlresetallcspstatistics,
get_string('resetallcspstatistics', 'local_csp'), 'post', array('actions' => array($action)));
-$documenturi = get_string('documenturi', 'local_csp');
$blockeduri = get_string('blockeduri', 'local_csp');
$violateddirective = get_string('violateddirective', 'local_csp');
$failcounter = get_string('failcounter', 'local_csp');
@@ -76,7 +83,6 @@
$table->sortable(true, 'failcounter', SORT_DESC);
$table->define_columns(array(
'failcounter',
- 'documenturi',
'blockeduri',
'violateddirective',
'timecreated',
@@ -85,7 +91,6 @@
));
$table->define_headers(array(
$failcounter,
- $documenturi,
$blockeduri,
$violateddirective,
$timecreated,
@@ -93,8 +98,23 @@
$action,
));
-$fields = 'id, sha1hash, documenturi, blockeduri, violateddirective, failcounter, timecreated, timeupdated';
-$from = '{local_csp}';
+$fields = 'id, sha1hash, blockeduri, violateddirective, failcounter, timecreated, timeupdated';
+// Select the first blockedURI of a type, and collapse the rest while summing failcounter
+// Then grab other fields from the table where id is the selected collapsed ID
+$from = "(SELECT A.id,
+ A.blockeduri,
+ A.failcounter,
+ B.violateddirective,
+ B.sha1hash,
+ B.timecreated,
+ B.timeupdated
+ FROM (
+ SELECT MIN(id) AS id,
+ blockeduri,
+ SUM(failcounter) AS failcounter
+ FROM {local_csp} GROUP BY blockeduri) AS A,
+ {local_csp} as B
+ WHERE A.id = B.id) AS subquery";
$where = '1 = 1';
$table->set_sql($fields, $from, $where);
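Review bot: The derived table joins the aggregate back to one arbitrary row (`MIN(id)`) and presents that row's `violateddirective`, `timecreated` and `timeupdated` as if they described the whole `blockeduri` group, so the last-updated column shows the oldest record's timestamp and any other directive violated by the same URI is hidden. Aggregate the timestamps in the inner query, `MIN(timecreated) AS timecreated, MAX(timeupdated) AS timeupdated`, and select `A.timecreated, A.timeupdated` instead of `B.timecreated, B.timeupdated`; the directive either needs its own grouping (e.g. `GROUP BY blockeduri, violateddirective`) or a comment stating it is a sample from one row. `sha1hash` is still selected although nothing in this file uses it now that deletion is keyed on `blockeduri`. The inner alias is written `AS A` and the outer `as B`; pick one case.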
From 08b992d7fca3dff74cb5771921024caad9d26dbd Mon Sep 17 00:00:00 2001
From: "[Peter Burnett]" <[peterburnett@catalyst-au.net]>
Date: Tue, 24 Sep 2019 14:39:36 +1000
Subject: [PATCH 2/9] Added column for top violaters of CSP
---
classes/table/csp_report.php | 17 +++++++++++++++++
collector.php | 2 +-
csp_report.php | 21 ++++++++++++---------
lang/en/local_csp.php | 2 ++
samples/sample.html | 2 +-
5 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/classes/table/csp_report.php b/classes/table/csp_report.php
index 11f54d8..dea27f3 100644
--- a/classes/table/csp_report.php
+++ b/classes/table/csp_report.php
@@ -128,4 +128,21 @@ protected function col_action($record) {
return $actionlink;
}
+
+ protected function col_highestviolaters($record) {
+ global $DB;
+
+ // Get 3 highest violaters for each blocked URI
+ $sql = "SELECT *
+ FROM {local_csp}
+ WHERE blockeduri = ?
+ ORDER BY failcounter DESC";
+ $violaters = $DB->get_records_sql($sql, array($record->blockeduri), 0, 3);
+ $return = '';
+ foreach ($violaters as $violater) {
+ $return .= \html_writer::link($violater->documenturi, $violater->documenturi).'
';
+ $return .= get_string('highestviolaterscount', 'local_csp', $violater->failcounter).'
';
+ }
+ return $return;
+ }
} // end class csp_report
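Review bot: `col_highestviolaters` renders `$violater->documenturi` as the link text of `\html_writer::link` without escaping, and that value originates from client-submitted CSP reports (collector.php decodes the raw request body into this table), so a crafted `document-uri` becomes stored HTML in the admin report. As far as I recall `html_writer::link` escapes attribute values but emits `$text` verbatim, and it does not reject a `javascript:` href either. Suggest `$uri = clean_param($violater->documenturi, PARAM_URL);` followed by `$return .= \html_writer::link($uri, s($violater->documenturi));` with the existing separator kept, and the same treatment for `blockeduri` wherever it is rendered outside this hunk. The string literal ending the link line appears split across two lines in this view, presumably a tag lost in extraction, so I cannot tell whether that separator is itself markup. Each row also issues its own query here; acceptable for an admin page, but worth a comment.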
diff --git a/collector.php b/collector.php
index 024ca06..f63c025 100644
--- a/collector.php
+++ b/collector.php
@@ -22,11 +22,11 @@
* @copyright Catalyst IT
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
+require_once(__DIR__ . '/../../config.php');
$inputjson = file_get_contents('php://input');
$cspreport = json_decode($inputjson, true)['csp-report'];
-require_once(__DIR__ . '/../../config.php');
global $DB;
if ($cspreport) {
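Review bot: `json_decode($inputjson, true)['csp-report']` on line 140 indexes the decoded value without checking it, so a non-JSON or non-object body yields `null` with a PHP notice or warning rather than a clean rejection; write `$decoded = json_decode($inputjson, true);` and `$cspreport = is_array($decoded) ? ($decoded['csp-report'] ?? null) : null;`. Moving the `config.php` require ahead of the body read is correct, since nothing from Moodle should run before setup. This endpoint is necessarily unauthenticated (browsers post reports without a session), so consider bounding the accepted body size and field lengths before the handling that follows outside this hunk.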
diff --git a/csp_report.php b/csp_report.php
index dd5a8f0..d5d0c17 100644
--- a/csp_report.php
+++ b/csp_report.php
@@ -72,6 +72,7 @@
get_string('resetallcspstatistics', 'local_csp'), 'post', array('actions' => array($action)));
$blockeduri = get_string('blockeduri', 'local_csp');
+$highestviolaters = get_string('highestviolaters', 'local_csp');
$violateddirective = get_string('violateddirective', 'local_csp');
$failcounter = get_string('failcounter', 'local_csp');
$timecreated = get_string('timecreated', 'local_csp');
@@ -84,6 +85,7 @@
$table->define_columns(array(
'failcounter',
'blockeduri',
+ 'highestviolaters',
'violateddirective',
'timecreated',
'timeupdated',
@@ -92,6 +94,7 @@
$table->define_headers(array(
$failcounter,
$blockeduri,
+ $highestviolaters,
$violateddirective,
$timecreated,
$timeupdated,
@@ -103,17 +106,17 @@
// Then grab other fields from the table where id is the selected collapsed ID
$from = "(SELECT A.id,
A.blockeduri,
- A.failcounter,
- B.violateddirective,
- B.sha1hash,
- B.timecreated,
- B.timeupdated
+ A.failcounter,
+ B.violateddirective,
+ B.sha1hash,
+ B.timecreated,
+ B.timeupdated
FROM (
- SELECT MIN(id) AS id,
- blockeduri,
- SUM(failcounter) AS failcounter
+ SELECT MAX(id) AS id,
+ blockeduri,
+ SUM(failcounter) AS failcounter
FROM {local_csp} GROUP BY blockeduri) AS A,
- {local_csp} as B
+ {local_csp} as B
WHERE A.id = B.id) AS subquery";
$where = '1 = 1';
$table->set_sql($fields, $from, $where);
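Review bot: The switch from `MIN(id)` to `MAX(id)` on line 189 is a semantic change buried in a re-indentation hunk, and the commit message ("Added column for top violaters") does not mention it; split whitespace-only changes from logic changes, or at least say why the newest row is now the representative. Either way the representative row's `violateddirective`, `timecreated` and `timeupdated` stand in for the whole group, which the comment above the query should state, e.g. `// Other fields come from one representative row (highest id); timestamps are not aggregated.`. The case of `AS A` versus `as B` remains inconsistent after the reformat.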
diff --git a/lang/en/local_csp.php b/lang/en/local_csp.php
index b8f489a..0cbf5f4 100644
--- a/lang/en/local_csp.php
+++ b/lang/en/local_csp.php
@@ -46,6 +46,8 @@
$string['cspsettingsinfo'] = '
CSP works through adding a special HTTP response header to every Moodle page. Modern browsers, when they see this header, are able to perform certain actions e.g. block insecure content on such pages. Please read more about CSP here.
If you leave any of these settings blank CSP headers will not be used.
';
 $string['documenturi'] = 'Violation at';
 $string['failcounter'] = 'Count';
+$string['highestviolaters'] = 'Top Violation Sources';
+$string['highestviolaterscount'] = 'Count: {$a}';
 $string['loadingmixedcontentdescription'] = 'When accessing moodle website via HTTPS browser prohibits displaying of the below resources because they origin from HTTP.Successfully loaded sample.html!
-