2020-02-06 16:11:17 +00:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
|
|
module Api
|
|
|
|
|
module V1
|
|
|
|
|
# Recibe los reportes de Content Security Policy
|
|
|
|
|
class CspReportsController < BaseController
|
2020-02-12 15:22:37 +00:00
|
|
|
skip_forgery_protection
|
|
|
|
|
|
2022-04-19 13:07:10 +00:00
|
|
|
# No queremos indicar que algo salió mal
|
|
|
|
|
rescue_from ActionController::ParameterMissing, with: :csp_report_created
|
|
|
|
|
|
2020-02-06 16:11:17 +00:00
|
|
|
# Crea un reporte de CSP intercambiando los guiones medios por
|
|
|
|
|
# bajos
|
|
|
|
|
#
|
|
|
|
|
# TODO: Aplicar rate_limit
|
|
|
|
|
def create
|
2022-04-19 13:57:01 +00:00
|
|
|
csp = CspReport.new(csp_report_params.to_h.transform_keys do |k|
|
|
|
|
|
k.tr('-', '_')
|
|
|
|
|
end)
|
2020-02-06 16:11:17 +00:00
|
|
|
|
|
|
|
|
csp.id = SecureRandom.uuid
|
|
|
|
|
csp.save
|
|
|
|
|
|
2022-04-19 13:07:10 +00:00
|
|
|
csp_report_created
|
2020-02-06 16:11:17 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
|
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only#Violation_report_syntax
|
|
|
|
|
def csp_report_params
|
|
|
|
|
params.require(:'csp-report')
|
|
|
|
|
.permit(:disposition,
|
|
|
|
|
:referrer,
|
|
|
|
|
:'blocked-uri',
|
|
|
|
|
:'document-uri',
|
|
|
|
|
:'effective-directive',
|
|
|
|
|
:'original-policy',
|
|
|
|
|
:'script-sample',
|
|
|
|
|
:'status-code',
|
|
|
|
|
:'violated-directive',
|
|
|
|
|
:'line-number',
|
|
|
|
|
:'column-number',
|
|
|
|
|
:'source-file')
|
|
|
|
|
end
|
2022-04-19 13:07:10 +00:00
|
|
|
|
|
|
|
|
def csp_report_created
|
|
|
|
|
render json: {}, status: :created
|
|
|
|
|
end
|
2020-02-06 16:11:17 +00:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
