Merge pull request #186 from HHS/owasp-remediation

OWASP finding remediation
HHS · Feb 22, 2021 · ab9fd8a · ab9fd8a
2 parents 6cd157f + 1acd244
commit ab9fd8a
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 19 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -241,13 +241,7 @@ jobs:
           at: .
       - run:
           name: Start up local server
-          command: | # production style build (single BE server with static FE)
-            docker-compose -f docker-compose.dss.yml run --rm server yarn install --production=false
-            docker-compose -f docker-compose.dss.yml run --rm server yarn --cwd frontend install --production=false
-            docker-compose -f docker-compose.dss.yml run --rm server yarn build
-            docker-compose -f docker-compose.dss.yml run --rm server yarn --cwd frontend run build
-            docker-compose -f docker-compose.dss.yml up -d
-            docker-compose -f docker-compose.dss.yml exec server yarn db:migrate:ci
+          command: ./bin/prod-style-server
       - run:
           name: Pull OWASP ZAP docker image
           command: docker pull owasp/zap2docker-weekly
@@ -256,16 +250,7 @@ jobs:
           command: chmod g+w reports
       - run:
           name: Run OWASP ZAP
-          command: |
-            docker run \
-              -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro \
-              -v $(pwd)/reports:/zap/wrk:rw \
-              --rm \
-              --user zap:$(id -g) \
-              --network="project_smarthub" \
-              -t owasp/zap2docker-weekly zap-baseline.py \
-              -t http://server:8080 \
-              -c zap.conf -I -i -r owasp_report.html
+          command: ./bin/run-owasp-scan
       - store_artifacts:
           path: reports/owasp_report.html
   accessibility_scan:

diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,5 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+[zap.conf]
+indent_size = 4
+indent_style = tab
diff --git a/bin/prod-style-server b/bin/prod-style-server
@@ -0,0 +1,14 @@
+#!/bin/bash
+#
+# This script sets up a server as run-owasp-scan expects it
+
+# remove old build directory
+rm -r build/
+
+# run a production style build (single BE server with static FE)
+docker-compose -f docker-compose.dss.yml run --rm server yarn install --production=false
+docker-compose -f docker-compose.dss.yml run --rm server yarn --cwd frontend install --production=false
+docker-compose -f docker-compose.dss.yml run --rm server yarn build
+docker-compose -f docker-compose.dss.yml run --rm server yarn --cwd frontend run build
+docker-compose -f docker-compose.dss.yml up -d
+docker-compose -f docker-compose.dss.yml run --rm server yarn db:migrate:ci
diff --git a/bin/run-owasp-scan b/bin/run-owasp-scan
@@ -0,0 +1,29 @@
+#!/bin/bash
+###########################
+#
+# Allow running OWASP Zap scans on demand. This script expects
+# a server running at http://server:8080. This can be setup with
+#
+# ./bin/prod-style-server
+#
+# The only argument for this script is the network name docker will
+# find server on. For a default git clone, this should be
+#
+# ./bin/run-owasp-scan head-start-ttadp_smarthub
+#
+###########################
+
+declare network="project_smarthub"
+if [ -n "$1" ]; then
+  network=$1
+fi
+
+docker run \
+  -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro \
+  -v $(pwd)/reports:/zap/wrk:rw \
+  --rm \
+  --user zap:$(id -g) \
+  --network=$network \
+  -t owasp/zap2docker-weekly zap-baseline.py \
+  -t http://server:8080 \
+  -c zap.conf -I -i -r owasp_report.html
diff --git a/src/app.js b/src/app.js
@@ -5,6 +5,7 @@ import axios from 'axios';
 import cookieSession from 'cookie-session';
 import path from 'path';
 import join from 'url-join';
+import { omit } from 'lodash';
 import { INTERNAL_SERVER_ERROR } from 'http-codes';
 import { CronJob } from 'cron';
 import { hsesAuth } from './middleware/authMiddleware';
@@ -21,7 +22,14 @@ const oauth2CallbackPath = '/oauth2-client/login/oauth2/code/';
 app.use(requestLogger);
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
-app.use(helmet());
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      ...omit(helmet.contentSecurityPolicy.getDefaultDirectives(), 'upgrade-insecure-requests', 'block-all-mixed-content'),
+      'form-action': ["'self'"],
+    },
+  },
+}));
 
 app.use(cookieSession({
   name: 'session',

diff --git a/zap.conf b/zap.conf
@@ -19,11 +19,12 @@
 10040	FAIL	(Secure Pages Include Mixed Content)
 10105	FAIL	(Weak Authentication Method)
 10202	FAIL	(Absence of Anti-CSRF Tokens)
+10055	WARN	(CSP)
 2	WARN	(Private IP Disclosure)
 3	FAIL	(Session ID in URL Rewrite)
 50001	WARN	(Script Passive Scan Rules)
 90001	FAIL	(Insecure JSF ViewState)
 90011	WARN	(Charset Mismatch)
 90022	WARN	(Application Error Disclosure)
 90033	FAIL	(Loosely Scoped Cookie)
-*	OUTOFSCOPE	.*(robots.txt)
+*	OUTOFSCOPE	.*(robots.txt|sitemap.xml)