.oO SearXNG Developer Documentation Oo.
Loading...
Searching...
No Matches
http_sec_fetch.py
Go to the documentation of this file.
1# SPDX-License-Identifier: AGPL-3.0-or-later
2"""
3Method ``http_sec_fetch``
4-------------------------
5
6The ``http_sec_fetch`` method protect resources from web attacks with `Fetch
7Metadata`_. A request is filtered out in case of:
8
9- http header Sec-Fetch-Mode_ is invalid
10- http header Sec-Fetch-Dest_ is invalid
11
12.. _Fetch Metadata:
13 https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header
14
15.. _Sec-Fetch-Dest:
16 https://developer.mozilla.org/en-US/docs/Web/API/Request/destination
17
18.. _Sec-Fetch-Mode:
19 https://developer.mozilla.org/en-US/docs/Web/API/Request/mode
20
21
22"""
23# pylint: disable=unused-argument
24
25
26from ipaddress import (
27 IPv4Network,
28 IPv6Network,
29)
30
31import re
32import flask
33import werkzeug
34
35from . import config
36from ._helpers import logger
37
38
39def is_browser_supported(user_agent: str) -> bool:
40 """Check if the browser supports Sec-Fetch headers.
41
42 https://caniuse.com/mdn-http_headers_sec-fetch-dest
43 https://caniuse.com/mdn-http_headers_sec-fetch-mode
44 https://caniuse.com/mdn-http_headers_sec-fetch-site
45
46 Supported browsers:
47 - Chrome >= 80
48 - Firefox >= 90
49 - Safari >= 16.4
50 - Edge (mirrors Chrome)
51 - Opera (mirrors Chrome)
52 """
53 user_agent = user_agent.lower()
54
55 # Chrome/Chromium/Edge/Opera
56 chrome_match = re.search(r'chrome/(\d+)', user_agent)
57 if chrome_match:
58 version = int(chrome_match.group(1))
59 return version >= 80
60
61 # Firefox
62 firefox_match = re.search(r'firefox/(\d+)', user_agent)
63 if firefox_match:
64 version = int(firefox_match.group(1))
65 return version >= 90
66
67 # Safari
68 safari_match = re.search(r'version/(\d+)\.(\d+)', user_agent)
69 if safari_match:
70 major = int(safari_match.group(1))
71 minor = int(safari_match.group(2))
72 return major > 16 or (major == 16 and minor >= 4)
73
74 return False
75
76
77def filter_request(
78 network: IPv4Network | IPv6Network,
79 request: flask.Request,
80 cfg: config.Config,
81) -> werkzeug.Response | None:
82
83 if not request.is_secure:
84 logger.warning(
85 "Sec-Fetch cannot be verified for non-secure requests (HTTP headers are not set/sent by the client)."
86 )
87 return None
88
89 # Only check Sec-Fetch headers for supported browsers
90 user_agent = request.headers.get('User-Agent', '')
91 if is_browser_supported(user_agent):
92 val = request.headers.get("Sec-Fetch-Mode", "")
93 if val not in ('navigate', 'cors'):
94 logger.debug("invalid Sec-Fetch-Mode '%s'", val)
95 return flask.redirect(flask.url_for('index'), code=302)
96
97 val = request.headers.get("Sec-Fetch-Site", "")
98 if val not in ('same-origin', 'same-site', 'none'):
99 logger.debug("invalid Sec-Fetch-Site '%s'", val)
100 flask.redirect(flask.url_for('index'), code=302)
101
102 val = request.headers.get("Sec-Fetch-Dest", "")
103 if val not in ('document', 'empty'):
104 logger.debug("invalid Sec-Fetch-Dest '%s'", val)
105 flask.redirect(flask.url_for('index'), code=302)
106
107 return None
searx.botdetection.http_sec_fetch.is_browser_supported
bool is_browser_supported(str user_agent)
Definition http_sec_fetch.py:39
searx.botdetection.http_sec_fetch.filter_request
werkzeug.Response|None filter_request(IPv4Network|IPv6Network network, flask.Request request, config.Config cfg)
Definition http_sec_fetch.py:81