h< tdZddlZddlZddlZddlZddlZddlmZmZm Z m Z ddl m Z ddl mZdededee d efd Zd e d e d eeeeeeeefffd Zddeded efdZded eeeeffdZd ded efdZdededed efdZd!deded efdZde ee fde ee fd eeeee ee fffdZdZy)"a; security_enhancements.py Purpose: Advanced security enhancement functions that implement protection against sophisticated attack vectors identified during red-team security auditing. This module provides timing attack protection, input validation hardening, and security-focused error handling to maintain the highest security standards across the application. Security Enhancements: - Timing attack resistant authentication checks (username enumeration prevention) - Geographic coordinate validation with proper bounds checking - Security-focused error message sanitization to prevent information disclosure - Enhanced input validation for all user-controllable parameters - Cryptographic helper functions for secure token generation and validation Implementation Philosophy: All functions follow defense-in-depth principles with multiple validation layers. Error handling is designed to prevent information leakage while maintaining system functionality. Security measures are transparent to legitimate users but effectively block malicious attempts. N)TupleOptionalDictAny)wraps) current_appusernamepassworduser_rowreturncd}|r@|dr;|djd}tj|jd|}|Stj|jd|jdd}|S)a Timing-attack resistant password verification. Prevents username enumeration by ensuring consistent timing regardless of whether the username exists in the database. Always performs bcrypt operation to maintain constant time complexity. Args: username: Username being authenticated password: Password to verify user_row: User database row (None if user doesn't exist) Returns: bool: True if authentication successful, False otherwise Security Features: - Constant time execution regardless of username validity - Secure password hashing verification - No information leakage through timing differences z<$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewiyTuTpbsEf.ug. password_hashutf-8F)encodebcryptcheckpw)r r r dummy_hash target_hashresults TC:\Users\algun\Documents\ceba web\Ceba - Github\app_modules\security_enhancements.pysecure_password_checkr"sw.PJH_-/66w?  8+F M xw/1B1B71KL Mlatlngc t|}t|}d|cxkrdksyyd|cxkrdksyy||k7s||k7rydd ||ffS#tttf$rYywxYw) a_ Validate geographic coordinates with proper bounds checking. Prevents injection of invalid coordinate data that could pollute the database or cause application errors. Enforces strict geographic bounds and type validation. Args: lat: Latitude value (any type, will be validated) lng: Longitude value (any type, will be validated) Returns: Tuple[bool, Optional[str], Optional[Tuple[float, float]]]: - success: Whether validation passed - error_message: Error description if validation failed - coordinates: Validated (lat, lng) tuple if successful Security Features: - Strict type validation prevents injection attacks - Geographic bounds enforcement prevents invalid data - Sanitized error messages prevent information disclosure gVgV@)FuNeispravna geografska širina.Ngfgf@)FuNeispravna geografska dužina.N)FzNeispravne koordinate.NTN)float ValueError TypeError OverflowError)rr lat_float lng_floats rvalidate_geographic_coordinatesr"Gs,5#J #J *d*@+@),u,@-@  !Y)%;8TIy111  = 1545s*!AA AA AAAAerrorcontextct|jtfddDrytfddDrytfddDry tfd d Dry y )a Sanitize error messages to prevent information disclosure. Converts detailed system errors into generic user-friendly messages that don't reveal sensitive system information or internal application structure. Args: error: The original exception context: Context of the operation for logging purposes Returns: str: Sanitized error message safe for user display Security Features: - Removes database-specific error details - Hides file system paths and internal structure - Prevents stack trace information leakage - Maintains user experience with helpful generic messages c3&K|]}|v ywN.0keyword error_strs r z)sanitize_error_message..s g/fG7i /f)sqlitedatabasetablecolumn constraintuGreška pri obradi podataka.c3&K|]}|v ywr'r(r)s rr-z)sanitize_error_message..s e/dG7i /dr.) permissionaccessfile directorypathuGreška pri pristupu datoteci.c3&K|]}|v ywr'r(r)s rr-z)sanitize_error_message.. ^/]G7i /]r.) connectiontimeoutnetworksocketuGreška mreže.c3&K|]}|v ywr'r(r)s rr-z)sanitize_error_message..r;r.) unauthorized forbiddenz access deniedz Nemate dozvolu za ovu operaciju.u0Došlo je do greške. Molimo pokušajte ponovno.)strlowerany)r#r$r,s @rsanitize_error_messagerFssl(E   "I g/f gg- e/d ee/ ^/] ^^  ^/] ^^1 >rfilenamec|rt|tsyt|dkDrygd}|D]}||vsygd}|j}|D]}|j |syd|vryy ) a Validate filename for security issues including path traversal and malicious extensions. Prevents path traversal attacks, executable file uploads, and other filename-based security vulnerabilities. Args: filename: Filename to validate Returns: Tuple[bool, Optional[str]]: (is_valid, error_message) Security Features: - Path traversal prevention (../, ..\, etc.) - Malicious extension detection - Special character filtering - Length validation )FzNedostaje ime datoteke.)FuIme datoteke je predugačko.) z../\:|<>*?")FzNeispravno ime datoteke.)z.phpz.php3z.php4z.php5z.phtmlz.aspz.aspxz.jspz.jspxz.pyz.plz.rbz.shz.batz.cmdz.exez.scrz.comz.pifz .htaccessz .htpasswdz.configz.iniz.cfg)FzNedozvoljena vrsta datoteke.)TN) isinstancerClenrDendswith)rGdangerous_patternspatterndangerous_extensionsfilename_lowerexts rvalidate_filename_securityr\s& :h4/ 8}s4 & h 4& ^^%N#  " "3 '8$ 0 rlengthc,tj|S)a Generate cryptographically secure random token. Creates tokens with high entropy suitable for CSRF protection, session tokens, and other security-critical applications. Args: length: Desired token length in bytes (default 32) Returns: str: URL-safe base64 encoded secure token Security Features: - Cryptographically secure random number generation - High entropy output suitable for security tokens - URL-safe encoding for web application compatibility )secrets token_urlsafe)r]s rgenerate_secure_tokenras$   ((rdatatoken secret_keyc tj|jd|jdtjj }tj ||S#t$rYywxYw)a< Verify HMAC-based token for integrity and authenticity. Provides secure verification of tokens used in media URLs, API authentication, and other security-sensitive contexts. Args: data: Original data that was signed token: HMAC token to verify secret_key: Secret key used for signing Returns: bool: True if token is valid, False otherwise Security Features: - Timing-attack resistant comparison - Strong HMAC-SHA256 verification - Prevents token manipulation attacks rF)hmacnewrhashlibsha256 hexdigestcompare_digest Exception)rbrcrdexpected_tokens rverify_hmac_tokenrnsi(    g & KK NN  )+ ""5.99 sA&A)) A54A5 attempt_count base_delayc<|dkryt|d|dz zzd}|S)a| Calculate exponential backoff delay for rate limiting. Implements increasingly longer delays for repeated failed attempts, making brute force attacks impractical while allowing legitimate users to retry after reasonable delays. Args: attempt_count: Number of failed attempts base_delay: Base delay in seconds (default 5) Returns: int: Delay in seconds before next attempt allowed Security Features: - Exponential increase in delay times - Maximum cap to prevent excessive delays - Transparent to legitimate users with minimal attempts ri)min)rorpdelays r#rate_limit_with_exponential_backoffrvs1(  aMA$567 >E Lrschemact|tsddifSi}|jD]\}}|j|}|jddr||dk(r dd|difcS|?|jdt}t||s ||}t|tr|jd d }|jd d}t||kr dd|difcSt||kDr dd|difcSgd} |j} | D]} | | vsdd |d ifccS|||<dd|fS#t t f$rdd |d ifcYcSwxYw)a Validate API input against schema with security-focused validation. Provides comprehensive input validation with type checking, length limits, and security pattern detection to prevent injection attacks. Args: data: Input data to validate schema: Validation schema with field definitions Returns: Tuple[bool, Optional[str], Dict[str, Any]]: (is_valid, error_message, sanitized_data) Security Features: - SQL injection pattern detection - XSS prevention through input sanitization - Type and length validation - Required field enforcement FzNeispravni podaci.requiredNzPolje 'z' je obavezno.typezNeispravna vrijednost za 'z'. min_lengthr max_lengthi''z ' prekratak.u' predugačak.)script javascriptvbscriptonloadonerroronclickselectuniondropinsertupdatedeletez--;T) rTdictitemsgetrCrrrUrD) rbrwsanitized_data field_name field_schemavalue expected_typer|r}rW value_lowerrXs rvalidate_api_inputr2s( dD !*B..N$*LLN L$   J .EMUb[GJ<~>B B  (,,VS9Me]3R)%0E %%)--lA> )--lEB u: * Aj\">BBu: * Aj\"@"DD&""$kkm 1G+-$(B:,b&QSUUU 2*/N: &g%3j ~ %%Q#I.R $>zl""MrQQRs D11E Ecgd}dj||jd<d|jd<d|jd<d|jd <d |jd <d |jd <|jjdd|S)a; Add comprehensive security headers to HTTP responses. Implements defense-in-depth security headers to protect against various web application attacks including XSS, clickjacking, and data injection. Args: response: Flask response object Returns: Response object with security headers added Security Features: - Content Security Policy (CSP) enforcement - XSS protection headers - Clickjacking prevention - MIME type sniffing prevention - Referrer policy enforcement ) zdefault-src 'self'z3script-src 'self' 'unsafe-inline' https://unpkg.comzOstyle-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.comzGimg-src 'self' data: https://*.tile.openstreetmap.org https://unpkg.comz/font-src 'self' https://fonts.gstatic.com data:zconnect-src 'self'zframe-ancestors 'none'zbase-uri 'self'zform-action 'self'z; zContent-Security-PolicyDENYzX-Frame-OptionsnosniffzX-Content-Type-Optionsz 1; mode=blockzX-XSS-Protectionzstrict-origin-when-cross-originzReferrer-Policyz,geolocation=(self), microphone=(), camera=()zPermissions-PolicyServerN)joinheaderspop)responsecsp_directivess rsecurity_headers_middlewarers* N37))N2KH./+1H&'1:H-.+:H'(*KH&'-[H)* 4( Or) operation) ))__doc__timerr_rhrftypingrrrr functoolsrflaskrrCboolrrr"rlrFr\intrarnrvrrr(rrrsn.  --"C"3"(4."UY"J)5)53)55xPS}V^_dejlqeq_rVsAs;t)5X'>)'>c'>C'>T??tXc]7J1K?D)#)s)*CDsTW8N&T#s(^N&T#t)_N&tU]^aUbdhilnqiqdrOrIsN&b-r