o i0+@s dZddlmZmZmZddlmZddlmZddl m Z ddl m Z m Z ddlZddlZddlZddlZddlZddlZeeZGdd d e ZGd d d e Zd d ZdefddZdedefddZdededefddZdedefddZ dCdedede!fd d!Z"d"e ed#ede!fd$d%Z#dCd#edede$fd&d'Z%d(ede!fd)d*Z&d(ede!fd+d,Z'd-ede!fd.d/Z(dede!fd0d1Z)dedefd2d3Z*dede!fd4d5Z+dedefd6d7Z,d8Z-d9Z.d:Z/defd;d<Z0d=e ed>e ede!fd?d@Z1GdAdBdBe Z2dS)Dz Security Utilities Provides security-related utilities: - Rate limiting - Input validation - Security headers - CORS configuration )Request HTTPExceptionstatus)CORSMiddleware)TrustedHostMiddleware)BaseHTTPMiddleware)DictOptionalNc6eZdZdZd deffdd ZdefddZZS) RateLimitMiddlewarez` Simple rate limiting middleware. Limits requests per IP address to prevent abuse. <requests_per_minutecst|||_i|_dSN)super__init__r requests)selfappr  __class__?/lsinfo/ai/hellotax_ai/base_platform/app/core/security_utils.pyr s  zRateLimitMiddleware.__init__requestcs|jr|jjnd}|jjdvr||IdHSt||jvr%g|j|<fdd|j|D|j|<t|j||jkrMt d|t t j dd|j| ||IdH}|S) z= Check rate limit before processing request. unknown)/health/metricsNcsg|] }|dkr|qSr r).0req_time current_timerr 8s  z0RateLimitMiddleware.dispatch..zRate limit exceeded for IP: z*Too many requests. Please try again later. status_codedetail)clienthosturlpathtimerlenr loggerwarningrrHTTP_429_TOO_MANY_REQUESTSappend)rr call_next client_ipresponserrrdispatch%s&     zRateLimitMiddleware.dispatchr) __name__ __module__ __qualname____doc__intrrr2 __classcell__rrrrr sr c@seZdZdZdefddZdS)SecurityHeadersMiddlewarez0 Add security headers to all responses. rcsZ||IdH}d|jd<d|jd<d|jd<d|jd <d |jd <d |jd <d|jd<|S)z3 Add security headers to response. NnosniffzX-Content-Type-OptionsDENYzX-Frame-Optionsz 1; mode=blockzX-XSS-Protectionz#max-age=31536000; includeSubDomainszStrict-Transport-Securityzdefault-src 'self'zContent-Security-Policyzstrict-origin-when-cross-originzReferrer-Policyz(geolocation=(), microphone=(), camera=()zPermissions-Policy)headers)rrr/r1rrrr2Rs       z"SecurityHeadersMiddleware.dispatchN)r3r4r5r6rr2rrrrr9Msr9cCs$|jtgddgdgdddS)z^ Configure CORS middleware. In production, restrict origins to specific domains. )zhttp://localhost:8888zhttp://localhost:8889zhttp://localhost:3000zhttp://127.0.0.1:8888zhttp://127.0.0.1:8889zhttp://127.0.0.1:3000T)GETPOSTPUTDELETEPATCH) Authorizationz Content-TypeAcceptzAccept-Language X-CSRF-Tokenz X-Request-ID) allow_originsallow_credentials allow_methods allow_headersN)add_middlewarer)rrrrconfigure_corsds  rJ allowed_hostscCs|jt|ddS)zO Configure trusted host middleware. Prevents host header attacks. )rKN)rIr)rrKrrrconfigure_trusted_hostss rLdatareturncCst|S)zQ Hash sensitive data for storage. Uses SHA-256 for one-way hashing. )hashlibsha256encode hexdigest)rMrrrhash_sensitive_datasrSvalue max_length field_namecCs(t||krttj|d|ddS)zC Validate input length to prevent buffer overflow attacks. z exceeds maximum length of r"N)r*rrHTTP_400_BAD_REQUEST)rTrUrVrrrvalidate_input_lengths  rXfilenamecCs`|dddd}tdd|}|dd}|dd}|d}t|d kr.|d d }|S) z> Sanitize filename to prevent path traversal attacks. /_\z [<>:"|?*]z...N)replaceresublstripr*)rYrrrsanitize_filenames     re size max_size_mbcCs |dkrdS|dd}||kS)z5 Check if file size is within allowed limit. rFir)rgrhmax_size_bytesrrrcheck_file_sizes rj mime_type allowed_typescCs|sdS||vS)z3 Validate MIME type against allowed types. Fr)rkrlrrrvalidate_mime_typesrmcCsPt|j|sdd|jdSt|j|sdd|ddSt|j}d|dS)z/ Comprehensive file upload validation. FzInvalid MIME type: )validerrorz*File size exceeds maximum allowed size of MBT)rnsanitized_filename)rm content_typerjrgrerY)filerlrhsanitized_namerrrvalidate_file_uploads     ruemailcCsd}t||duS)z! Basic email validation. z0^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$N)rbmatch)rvpatternrrrvalidate_emailsrycCs|sdSt|S)zValidate email format.F)ry)rvrrrvalidate_email_formatsrzr'csF|sdSgd}|tfdd|DrdSdp"dS)z4Validate URL format and prevent dangerous protocols.F) javascript:zfile:zdata:c3s|]}|VqdSr) startswith)rproto url_lowerrr sz&validate_url_format..zhttp://zhttps://)loweranyr|)r'dangerous_protocolsrr~rvalidate_url_formatsrc&gd}|tfdd|DS)ze Check for common SQL injection patterns. Returns True if suspicious patterns detected. )z ' OR '1'='1z '; DROP TABLEz' OR 1=1z UNION SELECTz'; --z ' OR 'a'='ac3|] }|vVqdSr)upperrrx value_upperrrrz&check_sql_injection..)rrrTsuspicious_patternsrrrcheck_sql_injection rcCs$|s|S|ddddddS)z(Sanitize SQL input to prevent injection.'r];z--)rarTrrrsanitize_sql_inputsrcr)z[ Check for common XSS patterns. Returns True if suspicious patterns detected. )z.)rrrrrr check_xss"rrcCs t|S)z#Sanitize HTML input to prevent XSS.)htmlescaperrrrsanitize_html_input5 r csrf_tokenrDcCs ttS)zGenerate a secure CSRF token.)secrets token_hexCSRF_TOKEN_LENGTHrrrrgenerate_csrf_token@rrtoken cookie_tokencCs|r|sdSt||S)z'Verify CSRF token matches cookie token.F)rcompare_digest)rrrrrverify_csrf_tokenEs rcr ) CSRFMiddlewarezz CSRF protection middleware. Validates CSRF tokens for state-changing operations (POST, PUT, DELETE, PATCH). N exempt_pathscst||p gd|_dS)N)rrz/docsz /openapi.jsonz/api/v1/auth/loginz/api/v1/auth/registerz/api/v1/agents)rrr)rrrrrrrSs zCSRFMiddleware.__init__rcsjdvr(|IdH}tjvr&t}jjdk}|jt|d|ddd|Stfdd |jDr;|IdHSj t }j t}|rK|s`t d jd jjttjd d t||szt djd jjttjdd |IdHS)z-Check CSRF token for state-changing requests.)r=HEADOPTIONSNhttpsFlaxi)keyrThttponlysecuresamesitemax_agec3s|] }jj|VqdSr)r'r(r|)rr(rrrrksz*CSRFMiddleware.dispatch..zCSRF token missing for  zCSRF token missingr"zCSRF token mismatch for zCSRF token invalid)methodCSRF_COOKIE_NAMEcookiesrr'scheme set_cookierrr<getCSRF_HEADER_NAMEr+r,r(rrHTTP_403_FORBIDDENr)rrr/r1ris_https csrf_cookierrrr2Ws@      zCSRFMiddleware.dispatchr) r3r4r5r6listrrr2r8rrrrrLsr)rf)3r6fastapirrrfastapi.middleware.corsrfastapi.middleware.trustedhostrstarlette.middleware.basertypingrr r)rOloggingrrbr getLoggerr3r+r r9rJrrLstrrSr7rXreboolrjrmdictruryrzrrrrrrrrrrrrrrrsH    4