# -*- coding: utf-8 -*-
"""
Django settings for vvda project.

Generated by 'django-admin startproject' using Django 1.11.18.

This configuration is deliberately weakened: every intentional weakness
below is flagged with a ``######vuln:`` comment and followed by one or more
``######ref:`` links to the relevant Django documentation. The plain ``#``
notes next to each flag describe the risk the setting introduces and the
hardened value Django's deployment checklist expects, so the file doubles
as a reference for what a reviewer should look for in a real settings module.

For more information on this file, see
https://docs.djangoproject.com/en/1.11/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/1.11/ref/settings/
"""

import os
import sys

# Python 2 only: ``reload`` is a builtin and ``sys.setdefaultencoding`` exists
# there; on Python 3 both lines raise (NameError / AttributeError). Forcing the
# default encoding to utf8 also hides implicit str/unicode mixing bugs rather
# than fixing them.
reload(sys)
sys.setdefaultencoding('utf8')

# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
# Two dirname() calls: settings.py lives in vvda/, so BASE_DIR is the repo root.
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))


# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/1.11/howto/deployment/checklist/

# SECURITY WARNING: keep the secret key used in production secret!
# This key signs sessions, CSRF tokens and password-reset tokens; committing it
# to version control means anyone with repository access can forge them.
# Hardened deployments load it from the environment, the same way REDIS_URL is
# read in CHANNEL_LAYERS at the bottom of this file.
SECRET_KEY = 'g+k&xgcb^c!175g-$xk(4+ne24v&ma-*#&pvmz0j@p1o%*v3ju'

######vuln: SECURITY WARNING: don't run with debug turned on in production!
######ref: https://docs.djangoproject.com/en/1.11/ref/settings/#std:setting-DEBUG
# With DEBUG on, unhandled exceptions render a page containing the traceback,
# local variables and the (partially masked) settings to the requesting client.
DEBUG = True


######vuln: all host header values are allowed!
######ref: https://docs.djangoproject.com/en/1.11/topics/security/#host-header-validation
######ref: https://docs.djangoproject.com/en/1.11/ref/settings/#allowed-hosts
# '*' switches off Host header validation, so absolute URLs Django builds from
# the request (e.g. in password-reset emails) trust whatever Host the client
# sent. Hardened: an explicit list of the hostnames this site is served under.
ALLOWED_HOSTS = ['*']


# Application definition

INSTALLED_APPS = [
    'grappelli',
    'filebrowser',
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'django_jinja',
    'vulnerable',
    'rest_framework',
    'graphene_django',
    'channels',
]


# The default middleware stack is intact: CSRF and clickjacking protection are
# still active here; the weaknesses in this file come from the settings below,
# not from removed middleware.
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

ROOT_URLCONF = 'vvda.urls'
TEMPLATE_DIR = os.path.join(BASE_DIR,"vvda/templates/")
# Two template engines share TEMPLATE_DIR: django_jinja handles files ending in
# '.jinja', everything else falls through to the Django engine. Both have
# APP_DIRS off, so only TEMPLATE_DIR (and, for Django, the explicit loaders
# below) is searched.
TEMPLATES = [
    {
        'BACKEND': 'django_jinja.backend.Jinja2',
        'APP_DIRS': False,
        'DIRS' : [TEMPLATE_DIR,],
        'OPTIONS': {
            'match_extension': '.jinja'
        },
    },
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [TEMPLATE_DIR,],
        'APP_DIRS': False,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
            # The cached loader is configured explicitly, so templates are
            # compiled once per process even with DEBUG = True; edits to
            # .html files need a process restart to show up.
            'loaders': [
                ('django.template.loaders.cached.Loader', [
                    'django.template.loaders.filesystem.Loader',
                    'django.template.loaders.app_directories.Loader',
                ]),
            ],

        },
    },
]

WSGI_APPLICATION = 'vvda.wsgi.application'


# Database
# https://docs.djangoproject.com/en/1.11/ref/settings/#databases

# The database password is a literal in source (not flagged with ######vuln,
# but the same class of problem as SECRET_KEY above). The connection also uses
# the 'postgres' superuser role rather than a least-privilege application role.
# CONN_MAX_AGE keeps connections open for 600 s instead of one per request.

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': 'vvda',
        'USER': 'postgres',
        'PASSWORD': 'P@ssw0rdPostgres676&&&&****',
        'HOST': '127.0.0.1',
        'PORT': '5432',
        'CONN_MAX_AGE': 600,
    },
}



# Redis cache on the loopback interface with no password: the OPTIONS line that
# would supply one is commented out, so the cache (and, via SESSION_ENGINE
# below, every session) is reachable by any local process that can open
# 127.0.0.1:6379. Entries live for 24 hours.
CACHES = {
    'default':{
        'BACKEND': 'redis_cache.RedisCache',
        'TIMEOUT': 3600 * 24,
        'LOCATION': '127.0.0.1:6379',
        #'OPTIONS':{'PASSWORD':"VERYsecureP@ssw0rd^^^^yygygTWTWF3344%$$"}
    }

}

# Sessions are written to the database and read through the cache above, so
# the cache's security posture is also the session store's.
SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"


#password hashers

######vuln: weak password hashing
######ref: https://docs.djangoproject.com/en/1.11/topics/auth/passwords/
# UnsaltedMD5PasswordHasher is shipped by Django only so legacy hashes can be
# read and upgraded; listing it first (and alone) means every new password is
# stored as a bare, unsalted MD5 digest. Django's default is
# 'django.contrib.auth.hashers.PBKDF2PasswordHasher'.
PASSWORD_HASHERS = [
    'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher',
    ]

# Password validation
######vuln: no password validation enabled
######ref: https://docs.djangoproject.com/en/1.11/ref/settings/#auth-password-validators

# The empty list disables all validators, so any non-empty password is
# accepted. The commented-out block that follows is the set startproject
# generates and is what a hardened configuration restores.
AUTH_PASSWORD_VALIDATORS = []#[
#    {
#        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
#    },
#    {
#        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
#    },
#    {
#        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
#    },
#    {
#        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
#    },
#]


# Internationalization
# https://docs.djangoproject.com/en/1.11/topics/i18n/

LANGUAGE_CODE = 'en-us'

TIME_ZONE = 'UTC'

USE_I18N = True

USE_L10N = True

USE_TZ = True


# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/1.11/howto/static-files/

STATIC_URL = '/static/'
#STATIC_ROOT = os.path.join(BASE_DIR,"static/")

STATICFILES_DIRS = (os.path.join(BASE_DIR,"static/"),)
MEDIA_URL = '/media/'
# User uploads are written under <repo root>/media/ and served from MEDIA_URL.
MEDIA_ROOT = os.path.join(BASE_DIR,"media/")



# django-filebrowser: uploads go to a "filebrowser/" subtree of MEDIA_ROOT and
# are served under MEDIA_URL, i.e. the upload directory is web-reachable.
URL_FILEBROWSER_MEDIA = MEDIA_URL + "filebrowser/"
PATH_FILEBROWSER_MEDIA = os.path.join(MEDIA_ROOT, 'filebrowser/')

FILEBROWSER_DIRECTORY = "filebrowser/"
# NOTE(review): DIRECTORY duplicates FILEBROWSER_DIRECTORY; which one the
# installed filebrowser version actually reads is not visible here — confirm.
DIRECTORY = "filebrowser/"



######vuln: Insecure File upload permissions
######ref: https://docs.djangoproject.com/en/1.11/ref/settings/#std:setting-FILE_UPLOAD_PERMISSIONS
# 0o777 makes every uploaded file readable, writable and executable by all
# local accounts; combined with the web-reachable upload directory above this
# is the broadest possible exposure. Django's checklist suggests 0o644.
FILE_UPLOAD_PERMISSIONS = 0o777
FILEBROWSER_DEFAULT_PERMISSIONS = 0o777



######vuln: Insecure session cookie security
######ref: https://docs.djangoproject.com/en/1.11/ref/settings/#std:setting-SESSION_COOKIE_HTTPONLY
######ref: https://docs.djangoproject.com/en/1.11/ref/settings/#session-cookie-secure
######ref: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#HttpOnly_Attribute
# HTTPONLY = False exposes the session cookie to page JavaScript, so any XSS
# becomes session theft; SECURE = False lets the browser send it over plain
# HTTP. Both default to True / should be True behind TLS. CSRF_COOKIE_SECURE
# is not set either and so also defaults to False.
SESSION_COOKIE_HTTPONLY = False
SESSION_COOKIE_SECURE = False


######vuln: Insecure XSS related header configurations
######ref: https://docs.djangoproject.com/en/1.11/ref/settings/#secure-browser-xss-filter
######ref: https://docs.djangoproject.com/en/1.11/ref/settings/#secure-content-type-nosniff

# SecurityMiddleware is installed, but with these two flags off it emits
# neither X-XSS-Protection nor X-Content-Type-Options: nosniff. The latter
# matters for the user-upload directory above: browsers may sniff an uploaded
# file's type instead of honouring the served Content-Type.
SECURE_BROWSER_XSS_FILTER = False
SECURE_CONTENT_TYPE_NOSNIFF = False


GRAPHENE = {
    'SCHEMA': 'vulnerable.schema.schema' # Where your Graphene schema lives
}


LOGIN_REDIRECT_URL = '/'

ASGI_APPLICATION = "vulnerable.routing.application"

# Channels layer on Redis. Unlike DATABASES and SECRET_KEY, the connection URL
# is read from the environment with a localhost fallback — the pattern the
# other secrets in this file should follow.
CHANNEL_LAYERS = {
    "default": {
        "BACKEND": "asgi_redis.RedisChannelLayer",
        "CONFIG": {
            "hosts": [os.environ.get('REDIS_URL', 'redis://localhost:6379')],
        },
        "ROUTING": "vulnerable.routing.channel_routing",
    },
}
238}