From a16309fc57f6e5574e498b0a6b54ba921aca4d61 Mon Sep 17 00:00:00 2001
From: "Grayson, Matthew"
Date: Tue, 27 Feb 2024 13:25:05 -0600
Subject: [PATCH 01/34] Update Access-Control-Allow-Origin to include subdomains such as staging.crossfeed.cyber.dhs.

---
 backend/src/api/app.ts | 2 +-
 backend/src/api/organizations.ts | 1 +
 frontend/scripts/constants.js | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/backend/src/api/app.ts b/backend/src/api/app.ts
index 0bbd3242f..3d17c4c68 100644
--- a/backend/src/api/app.ts
+++ b/backend/src/api/app.ts
@@ -61,7 +61,7 @@ app.use(express.json({ strict: false }));
 app.use(
 cors({
- origin: [/crossfeed\.cyber\.dhs\.gov$/, /localhost$/],
+ origin: [/.*crossfeed\.cyber\.dhs\.gov$/, /localhost$/],
 methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS']
 })
 );
diff --git a/backend/src/api/organizations.ts b/backend/src/api/organizations.ts
index a5eeb742c..a0a785bc9 100644
--- a/backend/src/api/organizations.ts
+++ b/backend/src/api/organizations.ts
@@ -369,6 +369,7 @@ export const create = wrapHandler(async (event) => {
 export const list = wrapHandler(async (event) => {
 if (!isGlobalViewAdmin(event) && getOrgMemberships(event).length === 0) {
 return {
+ //TODO: Should we return a 403?
 statusCode: 200,
 body: JSON.stringify([])
 };
diff --git a/frontend/scripts/constants.js b/frontend/scripts/constants.js
index cf7dfc669..7579df589 100644
--- a/frontend/scripts/constants.js
+++ b/frontend/scripts/constants.js
@@ -1,3 +1,3 @@
 //CORS Options
-export const ALLOW_ORIGIN = [/crossfeed\.cyber\.dhs\.gov$/, /localhost$/];
+export const ALLOW_ORIGIN = [/.*crossfeed\.cyber\.dhs\.gov$/, /localhost$/];
 export const ALLOW_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];
From 7f7f8bf775ed56217fdd876fb6fad5ed4381bb5e Mon Sep 17 00:00:00 2001
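Review bot: The new `origin` pattern `/.*crossfeed\.cyber\.dhs\.gov$/` accepts exactly the same Origin values as the `/crossfeed\.cyber\.dhs\.gov$/` it replaces — the regex was never anchored at the start, so the leading `.*` changes nothing, and if staging subdomains were being rejected the cause is elsewhere (the cors package tests a RegExp entry against the full Origin header, scheme and port included, which is also why `/localhost$/` does not match `http://localhost:3000`). Being unanchored, the pattern also accepts any scheme and any host whose name merely ends in that string; anchor and pin the scheme: `origin: [/^https:\/\/([a-z0-9-]+\.)*crossfeed\.cyber\.dhs\.gov$/, /^http:\/\/localhost(:\d+)?$/]`. The identical pattern is duplicated in frontend/scripts/constants.js in this commit and reintroduced in both files by PATCH 09/34, so a single shared definition would keep them from drifting. The `app.use(cors(...))` call is complete within the hunk.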
From: nickviola
Date: Tue, 27 Feb 2024 16:33:06 -0600
Subject: [PATCH 02/34] Update organizations list to filter by users regionId

---
 frontend/src/components/OrganizationList/OrganizationList.tsx | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/frontend/src/components/OrganizationList/OrganizationList.tsx b/frontend/src/components/OrganizationList/OrganizationList.tsx
index ccfa88c35..cc0663bd5 100644
--- a/frontend/src/components/OrganizationList/OrganizationList.tsx
+++ b/frontend/src/components/OrganizationList/OrganizationList.tsx
@@ -16,6 +16,8 @@ export const OrganizationList: React.FC<{
 const [organizations, setOrganizations] = useState([]);
 const [dialogOpen, setDialogOpen] = useState(false);
 const history = useHistory();
+ const regionId = user?.regionId;
+ const getOrgsURL = `/organizations/regionId/${regionId}`;
 const orgCols: GridColDef[] = [
 { field: 'name', headerName: 'Organization', minWidth: 100, flex: 2 },
@@ -61,7 +63,7 @@ export const OrganizationList: React.FC<{
 const fetchOrganizations = useCallback(async () => {
 try {
- const rows = await apiGet('/organizations/');
+ const rows = await apiGet(getOrgsURL);
 rows.forEach((obj) => {
 obj.userCount = obj.userRoles.length;
 obj.tagNames = obj.tags.map((tag) => tag.name);
From c287f970dc3c47e4fde54d2adf46fee5e4f8303b Mon Sep 17 00:00:00 2001
From: "Grayson, Matthew"
Date: Wed, 28 Feb 2024 10:33:48 -0600
Subject: [PATCH 03/34] Hardcode access-control-allow-origin sites.

---
 backend/src/api/app.ts | 7 ++++++-
 frontend/scripts/constants.js | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/backend/src/api/app.ts b/backend/src/api/app.ts
index 3d17c4c68..ca538ca68 100644
--- a/backend/src/api/app.ts
+++ b/backend/src/api/app.ts
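Review bot: `getOrgsURL` is built from `user?.regionId` with no guard, so while `user` is not yet loaded or has no region the component requests `/organizations/regionId/undefined` — the literal string — instead of skipping the fetch; `fetchOrganizations` is triggered from the `useEffect` below the hunk, so this happens on first render. Gate it at the top of the callback: `if (regionId == null) return;`. Filtering by the caller's own region in the client is only a presentation choice: any user can request another region's id, so the `/organizations/regionId/:id` route must still restrict the result to the caller's memberships server-side — that handler is not among the visible hunks, so this is to be confirmed. The `OrganizationList` component starts and ends outside the hunk.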
@@ -61,7 +61,12 @@ app.use(express.json({ strict: false }));
 app.use(
 cors({
- origin: [/.*crossfeed\.cyber\.dhs\.gov$/, /localhost$/],
+ origin: [
+ 'crossfeed.cyber.dhs.gov',
+ 'staging.crossfeed.cyber.dhs.gov',
+ 'staging-cd.crossfeed.cyber.dhs.gov',
+ 'localhost'
+ ],
 methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS']
 })
 );
diff --git a/frontend/scripts/constants.js b/frontend/scripts/constants.js
index 7579df589..baa07a335 100644
--- a/frontend/scripts/constants.js
+++ b/frontend/scripts/constants.js
@@ -1,3 +1,8 @@
 //CORS Options
-export const ALLOW_ORIGIN = [/.*crossfeed\.cyber\.dhs\.gov$/, /localhost$/];
+export const ALLOW_ORIGIN = [
+ 'crossfeed.cyber.dhs.gov',
+ 'staging.crossfeed.cyber.dhs.gov',
+ 'staging-cd.crossfeed.cyber.dhs.gov',
+ 'localhost'
+];
 export const ALLOW_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];
From d9f5e7892da59faa385c8305f1fba2934204be29 Mon Sep 17 00:00:00 2001
From: "Grayson, Matthew"
Date: Wed, 28 Feb 2024 11:00:26 -0600
Subject: [PATCH 04/34] Revert localhost to regex.

---
 backend/src/api/app.ts | 5 ++++-
 frontend/scripts/constants.js | 7 +++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/backend/src/api/app.ts b/backend/src/api/app.ts
index ca538ca68..980fee1a3 100644
--- a/backend/src/api/app.ts
+++ b/backend/src/api/app.ts
@@ -62,10 +62,13 @@ app.use(express.json({ strict: false }));
 app.use(
 cors({
 origin: [
+ 'api.staging-cd.crossfeed.cyber.dhs.gov',
+ 'api.crossfeed.cyber.dhs.gov',
+ 'api.staging.crossfeed.cyber.dhs.gov',
 'crossfeed.cyber.dhs.gov',
 'staging.crossfeed.cyber.dhs.gov',
 'staging-cd.crossfeed.cyber.dhs.gov',
- 'localhost'
+ /localhost$/
 ],
 methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS']
 })
diff --git a/frontend/scripts/constants.js b/frontend/scripts/constants.js
index baa07a335..b219e8472 100644
--- a/frontend/scripts/constants.js
+++ b/frontend/scripts/constants.js
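Review bot: The string entries added to `origin` are bare hostnames (`'crossfeed.cyber.dhs.gov'`, `'staging.crossfeed.cyber.dhs.gov'`, …), but a string entry in the cors package's origin list is compared for exact equality with the request's Origin header, which always carries a scheme (`https://crossfeed.cyber.dhs.gov`), so none of these entries can ever match and every cross-site request would be refused; `'localhost'` likewise never equals `http://localhost:3000`. If hard-coding is wanted, list full origins: `'https://crossfeed.cyber.dhs.gov', 'https://staging.crossfeed.cyber.dhs.gov', 'https://staging-cd.crossfeed.cyber.dhs.gov'`. The same bare hostnames are repeated in frontend/scripts/constants.js in this commit and in PATCH 04/34's constants.js hunk, and the `api.*` entries PATCH 04/34 adds in the second app.ts hunk here are the API's own hosts, whereas the Origin header carries the page's origin, so they widen the list without helping. The equality behaviour is inferred from the cors package's documented semantics rather than from anything on this page, so confirm against the version in use.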
@@ -1,8 +1,11 @@
 //CORS Options
 export const ALLOW_ORIGIN = [
+ 'api.staging-cd.crossfeed.cyber.dhs.gov',
+ 'api.crossfeed.cyber.dhs.gov',
+ 'api.staging.crossfeed.cyber.dhs.gov',
 'crossfeed.cyber.dhs.gov',
 'staging.crossfeed.cyber.dhs.gov',
- 'staging-cd.crossfeed.cyber.dhs.gov',
- 'localhost'
+ 'staging-cd.crossfeed.cyber.dhs.gov',git s
+ /localhost$/
 ];
 export const ALLOW_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];
From 437c54120d7bf6d7cdc18cc4e05264a39860ac39 Mon Sep 17 00:00:00 2001
From: "Grayson, Matthew"
Date: Wed, 28 Feb 2024 11:09:15 -0600
Subject: [PATCH 05/34] fix typo

---
 frontend/scripts/constants.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/scripts/constants.js b/frontend/scripts/constants.js
index b219e8472..aa5162f3d 100644
--- a/frontend/scripts/constants.js
+++ b/frontend/scripts/constants.js
@@ -5,7 +5,7 @@ export const ALLOW_ORIGIN = [
 'api.staging.crossfeed.cyber.dhs.gov',
 'crossfeed.cyber.dhs.gov',
 'staging.crossfeed.cyber.dhs.gov',
- 'staging-cd.crossfeed.cyber.dhs.gov',git s
+ 'staging-cd.crossfeed.cyber.dhs.gov',
 /localhost$/
 ];
 export const ALLOW_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];
From fea6a2fa40d342cfb0ed490d45c93e09f11303e1 Mon Sep 17 00:00:00 2001
From: DJensen94 <79864006+DJensen94@users.noreply.github.com>
Date: Wed, 28 Feb 2024 12:51:47 -0500
Subject: [PATCH 06/34] Allow vulns to be imported without a service

Allow vulnerabilities to be added without a service
---
 backend/src/tasks/vuln-sync.ts | 66 ++++++++++++++++++----------------
 1 file changed, 36 insertions(+), 30 deletions(-)

diff --git a/backend/src/tasks/vuln-sync.ts b/backend/src/tasks/vuln-sync.ts
index 5ca81579d..218778f09 100644
--- a/backend/src/tasks/vuln-sync.ts
+++ b/backend/src/tasks/vuln-sync.ts
@@ -90,8 +90,9 @@ const fetchPEVulnData = async (scan_name: string, task_id: string) => {
 } else {
 console.log('Request failed');
 }
+ console.log(response.data)
 return response.data as TaskResponse;
- } catch (error) {
+ } catch (error) {
 console.log(`Error making GET request: ${error}`);
 }
 };
@@ -189,35 +190,39 @@ export const handler = async (commandOptions: CommandOptions) => {
 }
 let serviceId;
- try {
- // Save discovered services to the Service table
- [serviceId] = await saveServicesToDb([
- plainToClass(Service, {
- domain: { id: domainId },
- discoveredBy: { id: commandOptions.scanId },
- port: vuln.port,
- lastSeen: new Date(vuln.last_seen),
- banner:
- vuln.banner == null ? null : sanitizeStringField(vuln.banner),
- serviceSource: vuln.source,
- shodanResults:
- vuln.source === 'shodan'
- ? {
- product: vuln.product,
- version: vuln.version,
- cpe: vuln.cpe
- }
- : {}
- })
- ]);
- console.log('Saved services.');
- } catch (e) {
- console.error(
- 'Could not save services. Continuing to next vulnerability.'
- );
- console.error(e);
- continue;
+ if (vuln.port != null) {
+ try {
+ // Save discovered services to the Service table
+ [serviceId] = await saveServicesToDb([
+ plainToClass(Service, {
+ domain: { id: domainId },
+ discoveredBy: { id: commandOptions.scanId },
+ port: vuln.port,
+ lastSeen: new Date(vuln.last_seen),
+ banner:
+ vuln.banner == null ? null : sanitizeStringField(vuln.banner),
+ serviceSource: vuln.source,
+ shodanResults:
+ vuln.source === 'shodan'
+ ? {
+ product: vuln.product,
+ version: vuln.version,
+ cpe: vuln.cpe
+ }
+ : {}
+ })
+ ]);
+ console.log('Saved services.');
+ const service = {id: serviceId}
+ } catch (e) {
+ console.error(
+ 'Could not save services. Continuing to next vulnerability.'
+ );
+ console.error(e);
+ continue;
+ }
 }
+
 try {
 const vulns: Vulnerability[] = [];
 vulns.push(
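Review bot: The added `console.log(response.data)` writes the entire payload returned by the PE API to the task log on every call; those records are scan output for the organisations being monitored, so they land in whatever log store the task writes to, and a debug trace should log a count or the `task_id` rather than the body. The `catch` on the following lines logs and falls through, so `fetchPEVulnData` resolves to `undefined` even though the happy path is cast `as TaskResponse`; either rethrow after logging, or declare the return as `Promise<TaskResponse | undefined>` so the caller is forced to check (the call site is outside this hunk, so whether it guards is not visible). `fetchPEVulnData` starts outside the hunk.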
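Review bot: Within the re-indented `saveServicesToDb` call, `sanitizeStringField` is applied to `vuln.banner` while `vuln.product`, `vuln.version` and `vuln.cpe` from the same external record are copied into `shodanResults` untouched; if the sanitizer exists to clean scan output before it is persisted and rendered, applying it to those three fields as well keeps the treatment of this payload consistent (hedged — the sanitizer's purpose is not visible here). The new `if (vuln.port != null)` guard leaves `serviceId` undefined for port-less records and nothing explains the intent; a one-line comment above the guard, `// No port means no Service row: the vulnerability is stored against the domain only`, would document the data model the commit introduces. The enclosing `handler` loop begins and ends outside the hunk.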
@@ -229,11 +234,12 @@ export const handler = async (commandOptions: CommandOptions) => {
 cwe: vuln.cwe,
 description: vuln.description,
 cvss: vuln.cvss,
+ severity: vuln.severity,
 state: vuln.state,
 structuredData: vuln.structuredData,
 source: vuln.source,
 needsPopulation: vuln.needsPopulation,
- service: { id: serviceId }
+ service: vuln.port == null ? null :{ id: serviceId }
 })
 );
 await saveVulnerabilitiesToDb(vulns, false);
From 75b590c88edb4bde05957f0cc747c967a691062f Mon Sep 17 00:00:00 2001
From: DJensen94 <79864006+DJensen94@users.noreply.github.com>
Date: Wed, 28 Feb 2024 12:57:57 -0500
Subject: [PATCH 07/34] run linter

Run backend linter
---
 backend/src/tasks/vuln-sync.ts | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/backend/src/tasks/vuln-sync.ts b/backend/src/tasks/vuln-sync.ts
index 218778f09..ce723fafc 100644
--- a/backend/src/tasks/vuln-sync.ts
+++ b/backend/src/tasks/vuln-sync.ts
@@ -90,9 +90,9 @@ const fetchPEVulnData = async (scan_name: string, task_id: string) => {
 } else {
 console.log('Request failed');
 }
- console.log(response.data)
+ console.log(response.data);
 return response.data as TaskResponse;
- } catch (error) {
+ } catch (error) {
 console.log(`Error making GET request: ${error}`);
 }
 };
@@ -213,7 +213,7 @@ export const handler = async (commandOptions: CommandOptions) => {
 })
 ]);
 console.log('Saved services.');
- const service = {id: serviceId}
+ const service = { id: serviceId };
 } catch (e) {
 console.error(
 'Could not save services. Continuing to next vulnerability.'
@@ -222,7 +222,7 @@ export const handler = async (commandOptions: CommandOptions) => {
 continue;
 }
 }
-
+
 try {
 const vulns: Vulnerability[] = [];
 vulns.push(
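Review bot: `service: vuln.port == null ? null :{ id: serviceId }` re-derives the condition under which `serviceId` was assigned instead of testing the value itself; `service: serviceId == null ? null : { id: serviceId }` ties the relation to what `saveServicesToDb` actually produced and also covers a port-bearing record for which the save resolved without an id, which the current form would store as `{ id: undefined }`. `severity: vuln.severity` is a new column written straight from the external payload; if `Vulnerability.severity` is constrained to a fixed set of labels, normalise or validate it before the insert — hedged, the entity definition is not visible. The `vulns.push(...)` call this hunk belongs to starts outside the hunk.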
@@ -239,7 +239,7 @@ export const handler = async (commandOptions: CommandOptions) => {
 structuredData: vuln.structuredData,
 source: vuln.source,
 needsPopulation: vuln.needsPopulation,
- service: vuln.port == null ? null :{ id: serviceId }
+ service: vuln.port == null ? null : { id: serviceId }
 })
 );
 await saveVulnerabilitiesToDb(vulns, false);
From 2be63ad71b9ea38b0381ccb53779328b1caf645a Mon Sep 17 00:00:00 2001
From: DJensen94 <79864006+DJensen94@users.noreply.github.com>
Date: Wed, 28 Feb 2024 13:00:49 -0500
Subject: [PATCH 08/34] Remove unnecessary comment

Remove non-useful comment
---
 backend/src/tasks/vuln-sync.ts | 2 --
 1 file changed, 2 deletions(-)

diff --git a/backend/src/tasks/vuln-sync.ts b/backend/src/tasks/vuln-sync.ts
index ce723fafc..f7f6ded3a 100644
--- a/backend/src/tasks/vuln-sync.ts
+++ b/backend/src/tasks/vuln-sync.ts
@@ -90,7 +90,6 @@ const fetchPEVulnData = async (scan_name: string, task_id: string) => {
 } else {
 console.log('Request failed');
 }
- console.log(response.data);
 return response.data as TaskResponse;
 } catch (error) {
 console.log(`Error making GET request: ${error}`);
@@ -213,7 +212,6 @@ export const handler = async (commandOptions: CommandOptions) => {
 })
 ]);
 console.log('Saved services.');
- const service = { id: serviceId };
 } catch (e) {
 console.error(
 'Could not save services. Continuing to next vulnerability.'
From 6d98f23bd0e3d098a897268a7e738a727e21b6b7 Mon Sep 17 00:00:00 2001
From: "Grayson, Matthew"
Date: Wed, 28 Feb 2024 13:41:58 -0600
Subject: [PATCH 09/34] Revert cors option access-control-allow-origin.

---
 backend/src/api/app.ts | 10 +--------
 frontend/scripts/constants.js | 10 +--------
 2 files changed, 2 insertions(+), 18 deletions(-)

diff --git a/backend/src/api/app.ts b/backend/src/api/app.ts
index 980fee1a3..3d17c4c68 100644
--- a/backend/src/api/app.ts
+++ b/backend/src/api/app.ts
@@ -61,15 +61,7 @@ app.use(express.json({ strict: false }));
 app.use(
 cors({
- origin: [
- 'api.staging-cd.crossfeed.cyber.dhs.gov',
- 'api.crossfeed.cyber.dhs.gov',
- 'api.staging.crossfeed.cyber.dhs.gov',
- 'crossfeed.cyber.dhs.gov',
- 'staging.crossfeed.cyber.dhs.gov',
- 'staging-cd.crossfeed.cyber.dhs.gov',
- /localhost$/
- ],
+ origin: [/.*crossfeed\.cyber\.dhs\.gov$/, /localhost$/],
 methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS']
 })
 );
diff --git a/frontend/scripts/constants.js b/frontend/scripts/constants.js
index aa5162f3d..7579df589 100644
--- a/frontend/scripts/constants.js
+++ b/frontend/scripts/constants.js
@@ -1,11 +1,3 @@
 //CORS Options
-export const ALLOW_ORIGIN = [
- 'api.staging-cd.crossfeed.cyber.dhs.gov',
- 'api.crossfeed.cyber.dhs.gov',
- 'api.staging.crossfeed.cyber.dhs.gov',
- 'crossfeed.cyber.dhs.gov',
- 'staging.crossfeed.cyber.dhs.gov',
- 'staging-cd.crossfeed.cyber.dhs.gov',
- /localhost$/
-];
+export const ALLOW_ORIGIN = [/.*crossfeed\.cyber\.dhs\.gov$/, /localhost$/];
 export const ALLOW_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];
From f7af61130af978611cef08583019d2e837326aaa Mon Sep 17 00:00:00 2001
From: "Grayson, Matthew"
Date: Wed, 28 Feb 2024 13:46:51 -0600
Subject: [PATCH 10/34] Add console logs to list organizations endpoint.

---
 backend/src/api/organizations.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/backend/src/api/organizations.ts b/backend/src/api/organizations.ts
index a0a785bc9..cbae68f2e 100644
--- a/backend/src/api/organizations.ts
+++ b/backend/src/api/organizations.ts
@@ -367,6 +367,8 @@ export const create = wrapHandler(async (event) => {
 * - Organizations
 */
 export const list = wrapHandler(async (event) => {
+ console.log('list function called with event: ', event);
+
 if (!isGlobalViewAdmin(event) && getOrgMemberships(event).length === 0) {
 return {
 //TODO: Should we return a 403?
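Review bot: `console.log('list function called with event: ', event)` writes the whole handler event to the function log; `isGlobalViewAdmin(event)` and `getOrgMemberships(event)` on the next lines read the caller's identity out of that same object, so it evidently carries the request's authentication material (headers or token) and, as a raw API event, likely the query and body too — that means credentials and request data end up in the log store on every call (what exactly `event` holds is not visible here, so confirm). Log an identifier only, e.g. `console.log('list called');` plus whatever non-sensitive correlation id the wrapper provides, and never the object whole. The same applies to `console.log('Organization.find result: ', result)` in this commit's third hunk, which dumps every organisation row returned by the query; both read as temporary debugging and should be removed or gated behind a debug flag before merge. `list` continues past the hunk.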
@@ -375,6 +377,8 @@ export const list = wrapHandler(async (event) => {
 };
 }
 await connectToDatabase();
+ console.log('Database connected');
+
 let where: any = { parent: null };
 if (!isGlobalViewAdmin(event)) {
 where = { id: In(getOrgMemberships(event)), parent: null };
@@ -385,6 +389,8 @@ export const list = wrapHandler(async (event) => {
 order: { name: 'ASC' }
 });
+ console.log('Organization.find result: ', result);
+
 return {
 statusCode: 200,
 body: JSON.stringify(result)
From 07ac118fe349f5f2ae0e82e6fe2b62e4f22c3ca1 Mon Sep 17 00:00:00 2001
From: nickviola
Date: Wed, 28 Feb 2024 14:45:25 -0600
Subject: [PATCH 11/34] Fix linter error for dependency array in OrganizationList.tsx

---
 frontend/src/components/OrganizationList/OrganizationList.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/components/OrganizationList/OrganizationList.tsx b/frontend/src/components/OrganizationList/OrganizationList.tsx
index cc0663bd5..93e09d11d 100644
--- a/frontend/src/components/OrganizationList/OrganizationList.tsx
+++ b/frontend/src/components/OrganizationList/OrganizationList.tsx
@@ -72,7 +72,7 @@ export const OrganizationList: React.FC<{
 } catch (e) {
 console.error(e);
 }
- }, [apiGet]);
+ }, [apiGet, getOrgsURL]);
 React.useEffect(() => {
 if (!parent) fetchOrganizations();
From 63d4683b3750dee3bd0e0ae2013ed5754580fd1d Mon Sep 17 00:00:00 2001
From: nickviola
Date: Wed, 28 Feb 2024 15:08:14 -0600
Subject: [PATCH 12/34] Add log of orgs for testing

---
 frontend/src/components/OrganizationList/OrganizationList.tsx | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/frontend/src/components/OrganizationList/OrganizationList.tsx b/frontend/src/components/OrganizationList/OrganizationList.tsx
index 93e09d11d..675912a90 100644
--- a/frontend/src/components/OrganizationList/OrganizationList.tsx
+++ b/frontend/src/components/OrganizationList/OrganizationList.tsx
@@ -81,6 +81,8 @@ export const OrganizationList: React.FC<{
 }
 }, [fetchOrganizations, parent]);
+ console.log(JSON.stringify(organizations));
+
 const addOrgButton = user?.userType === 'globalAdmin' && (