expose CSP check in API, ensure it gets updated on full cron

Author: elrido

README.md

@@ -16,8 +16,6 @@ The image supports the use of the following environment variables:
 
 - `CRON`: (Optional) If set when running the app a cron cycle is performed.
   Set it to `CRON=FULL` to run a full cron (once a day).
-  use this app to hammer the listed instances. Any string works, for example
-  one generated using `openssl rand -hex 32`
 - `GEOIP_MMDB`: path to the GeoIP database, in MaxMind format
 - `ROCKET_DATABASES`: [database dict](https://api.rocket.rs/v0.4/rocket_contrib/databases/index.html#environment-variables)
   for Diesel SQLite library integration into Rocket

src/main.rs

@@ -269,13 +269,14 @@ async fn report(
 }
 
 #[get(
-    "/api?<top>&<attachments>&<country>&<https>&<https_redirect>&<version>&<min_uptime>&<min_rating>",
+    "/api?<top>&<attachments>&<country>&<csp_header>&<https>&<https_redirect>&<version>&<min_uptime>&<min_rating>",
     format = "json"
 )]
 async fn api(
     top: Option<NonZeroU8>,
     attachments: Option<bool>,
     country: Option<String>,
+    csp_header: Option<bool>,
     https: Option<bool>,
     https_redirect: Option<bool>,
     version: Option<String>,
@@ -300,6 +301,9 @@ async fn api(
     let is_country_set = country.is_some();
     let country = country.unwrap_or_default();
 
+    let is_csp_header_set = csp_header.is_some();
+    let csp_header = csp_header.unwrap_or(false);
+
     let is_https_set = https.is_some();
     let https = https.unwrap_or(false);
 
@@ -321,6 +325,7 @@ async fn api(
     for instance in &*cache.instances.read().unwrap() {
         if (is_attachments_set && instance.attachments != attachments)
             || (is_country_set && instance.country_id != country)
+            || (is_csp_header_set && instance.csp_header != csp_header)
             || (is_https_set && instance.https != https)
             || (is_https_redirect_set && instance.https_redirect != https_redirect)
             || (is_version_set && !instance.version.starts_with(&version))

src/tasks.rs

@@ -51,7 +51,7 @@ pub async fn check_full(rocket: Rocket<Build>) {
                 {
                     match diesel::delete(instances.filter(id.eq(result.instance.id))).execute(&conn)
                     {
-                        Ok(_) => println!("    removed the instance, due to: {message}"),
+                        Ok(_) => print!("    removed the instance, due to: {message}"),
                         Err(e) => {
                             println!("    error removing the instance: {e:?}");
                         }
@@ -80,6 +80,7 @@ pub async fn check_full(rocket: Rocket<Build>) {
                             version.eq(updated_instance.version),
                             https.eq(updated_instance.https),
                             https_redirect.eq(updated_instance.https_redirect),
+                            csp_header.eq(updated_instance.csp_header),
                             attachments.eq(updated_instance.attachments),
                             country_id.eq(updated_instance.country_id),
                         )),
@@ -162,6 +163,11 @@ async fn check_instance(instance: Instance) -> InstanceCheckResult {
             format!("{:?}", instance.https_redirect.clone()),
             String::new(),
         ),
+        (
+            "csp_header",
+            format!("{:?}", instance.csp_header.clone()),
+            String::new(),
+        ),
         (
             "attachments",
             format!("{:?}", instance.attachments.clone()),
@@ -180,8 +186,9 @@ async fn check_instance(instance: Instance) -> InstanceCheckResult {
             instance_options[0].2 = privatebin.instance.version.clone();
             instance_options[1].2 = format!("{:?}", privatebin.instance.https.clone());
             instance_options[2].2 = format!("{:?}", privatebin.instance.https_redirect.clone());
-            instance_options[3].2 = format!("{:?}", privatebin.instance.attachments.clone());
-            instance_options[4].2 = privatebin.instance.country_id.clone();
+            instance_options[3].2 = format!("{:?}", privatebin.instance.csp_header.clone());
+            instance_options[4].2 = format!("{:?}", privatebin.instance.attachments.clone());
+            instance_options[5].2 = privatebin.instance.country_id.clone();
             let elapsed = timer.elapsed();
             let timer = Instant::now();
             if instance_options.iter().any(|x| x.1 != x.2) {

templates/about.html.tera

@@ -84,6 +84,8 @@ $ curl --header "Accept: application/json" https://privatebin.info/directory/api
 				<dd>Boolean (true or false), unset by default. Only return instances that offer attachment upload in their web UI - third party clients can always upload attachments.</dd>
 				<dt>country</dt>
 				<dd>ISO 3166-1 alpha-2 country code, unset by default. Only return instances of that country. Note the limitations of this type of lookup, as explained above.</dd>
+				<dt>csp_header</dt>
+				<dd>Boolean (true or false), unset by default. Only return instances that set the currently recommend HTTP <code>Content-Security-Policy</code> (<a href="https://content-security-policy.com/">CSP</a>) header (see above).</dd>
 				<dt>https</dt>
 				<dd>Boolean (true or false), unset by default. Only return instances that offer HTTPS.</dd>
 				<dt>https_redirect</dt>