From 489d0740fcf6e7ba0c4b68e9ccf774ff3bfdbc73 Mon Sep 17 00:00:00 2001
From: Mo Sohani
Date: Thu, 5 Oct 2023 09:47:01 -0400
Subject: [PATCH] added cloud.gov back to scan urls

---
 scripts/deploy-frontend.sh | 0
 scripts/zap-hook.py | 6 +--
 scripts/zap-scanner.sh | 10 ++---
 tdrs-frontend/.env.development | 44 +++++++++++++++++++
 .../nginx/cloud.gov/buildpack.nginx.conf | 1 +
 tdrs-frontend/reports/zap.conf | 12 ++---
 6 files changed, 58 insertions(+), 15 deletions(-)
 mode change 100644 => 100755 scripts/deploy-frontend.sh

diff --git a/scripts/deploy-frontend.sh b/scripts/deploy-frontend.sh
old mode 100644
new mode 100755
diff --git a/scripts/zap-hook.py b/scripts/zap-hook.py
index ec01d71cd..274ac4296 100644
--- a/scripts/zap-hook.py
+++ b/scripts/zap-hook.py
@@ -18,9 +18,9 @@ def zap_started(zap, target):
 ignored_passive_scan_ids = [
- 10020, # X-Frame-Option Header Not Set
- 10021, # X-Content-Type-Options Header Missing
- 10027, # Informational: Suspicious Comments
+ #10020, # X-Frame-Option Header Not Set
+ #10021, # X-Content-Type-Options Header Missing
+ #10027, # Informational: Suspicious Comments
 10036, # Server Leaks Version Information
 10055, # CSP unsafe inline
 10096, # Informational: Timestamp Disclosure - Unix
diff --git a/scripts/zap-scanner.sh b/scripts/zap-scanner.sh
index c3f534b84..1461fd6a8 100755
--- a/scripts/zap-scanner.sh
+++ b/scripts/zap-scanner.sh
@@ -19,7 +19,7 @@ if [ "$ENVIRONMENT" = "nightly" ]; then
 fi
 elif [ "$ENVIRONMENT" = "circle" ] || [ "$ENVIRONMENT" = "local" ]; then
 if [ "$TARGET" = "frontend" ]; then
- APP_URL="http://tdp-frontend/"
+ APP_URL="https://tdp-frontend-raft.app.cloud.gov"
 elif [ "$TARGET" = "backend" ]; then
 APP_URL="http://tdp-frontend/"
 else
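Review bot: The three passive rules are re-enabled by commenting out their entries in `ignored_passive_scan_ids` instead of deleting them, which leaves dead `#10020`-style lines inside a list that still holds live entries and records neither why they were ignored before nor why they are enforced now. Delete the three lines and, if the history matters, say so once above the list: `# 10020/10021/10027 (X-Frame-Options, X-Content-Type-Options, suspicious comments) are enforced again now that the cloud.gov frontend is scanned directly`. Enforcing 10020 and 10021 means the scan fails unless the target sends those two headers; the nginx hunk in this same commit shows CSP, Cache-Control and CORS headers but not those two in its visible lines, so confirm they are set elsewhere before merging. zap_started starts before the hunk and continues after it.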
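Review bot: The `circle`/`local` frontend branch now hard-codes one live deployment, `APP_URL="https://tdp-frontend-raft.app.cloud.gov"`, so every CircleCI run and every developer invocation sends the full active scan (the SQL injection and XSS rules are FAIL in zap.conf in this same commit) at a shared cloud.gov app instead of the compose service, while the `backend` branch two lines down still targets `http://tdp-frontend/`. If scanning the deployed app is the intent, make the target explicit and overridable rather than baking one space's hostname into the local path, e.g. `APP_URL="${FRONTEND_SCAN_URL:-http://tdp-frontend/}"`, with a comment naming which environments may be actively scanned and by whom. Active rules send real attack payloads, so a scan of a live host should be coordinated with the owner of that app and not run from arbitrary local machines by default. The if/elif chain continues past the hunk's closing `else`.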
@@ -112,10 +112,6 @@ ZAP_CLI_OPTIONS="\
 -config globalexcludeurl.url_list.url\(14\).description='Site - FontAwesome.com' \
 -config globalexcludeurl.url_list.url\(14\).enabled=true \
- -config globalexcludeurl.url_list.url\(15\).regex='^https:\/\/.*\.cloud.gov\/.*$' \
- -config globalexcludeurl.url_list.url\(15\).description='Site - Cloud.gov' \
- -config globalexcludeurl.url_list.url\(15\).enabled=true \
- -config globalexcludeurl.url_list.url\(16\).regex='^https:\/\/.*\.googletagmanager.com\/.*$' \
 -config globalexcludeurl.url_list.url\(16\).description='Site - googletagmanager.com' \
 -config globalexcludeurl.url_list.url\(16\).enabled=true \
@@ -140,7 +136,7 @@ ZAP_CLI_OPTIONS="\
 -config globalexcludeurl.url_list.url\(21\).description='Site - IdentitySandbox.gov' \
 -config globalexcludeurl.url_list.url\(21\).enabled=true \
 -config spider.postform=true"
-
+
 # How long ZAP will crawl the app with the spider process
 ZAP_SPIDER_MINS=10
@@ -175,6 +171,8 @@ else
 ZAP_ARGS+=(-j)
 fi
+ZAP_ARGS+=(-d)
+
 # Run the ZAP full scan and store output for further processing if needed.
 ZAP_OUTPUT=$(docker-compose run --rm zaproxy "$ZAP_SCRIPT" "${ZAP_ARGS[@]}" | tee /dev/tty)
 ZAP_EXIT=$?
diff --git a/tdrs-frontend/.env.development b/tdrs-frontend/.env.development
index 3c0c68d15..73a3ed9eb 100644
--- a/tdrs-frontend/.env.development
+++ b/tdrs-frontend/.env.development
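Review bot: The fourth removed line in this hunk is `globalexcludeurl.url_list.url\(16\).regex` for googletagmanager.com, not a cloud.gov line, so on the new side entry 16 keeps its description and `enabled=true` but has no pattern, and entry 15 becomes a gap in the list; how ZAP treats an exclusion without a regex is not visible from here, but at best the googletagmanager exclusion is silently lost. Dropping the cloud.gov exclusion matches the commit's purpose; restore the one line `-config globalexcludeurl.url_list.url\(16\).regex='^https:\/\/.*\.googletagmanager.com\/.*$' \` (or renumber 16–21 down to 15–20 so the indices stay contiguous). A short comment above the list saying that the removed `^https:\/\/.*\.cloud.gov\/.*$` pattern would also have excluded the new APP_URL itself would stop someone re-adding it. The ZAP_CLI_OPTIONS string begins and ends outside the hunk.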
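Review bot: `ZAP_ARGS+=(-d)` turns on the scan script's `-d` flag unconditionally and without a comment, unlike the `-j` flag just above it, which is added inside a conditional; if `-d` is the debug-messages switch of the zap-*-scan scripts, as it appears to be, that verbose output also flows through `tee /dev/tty` into ZAP_OUTPUT and whatever is retained from it downstream. Add a line explaining the why, e.g. `# -d: verbose debug output from the ZAP scan script; remove once the cloud.gov target scans cleanly`, or gate it on an environment variable the way `-j` is gated. Separately, `ZAP_EXIT=$?` on the last context line records the status of the pipeline, i.e. of `tee`, unless the script sets `pipefail` earlier (outside the hunk); with more rules now set to FAIL it is worth confirming that the scan's exit code actually propagates.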
@@ -40,3 +40,47 @@ REACT_APP_EVENT_THROTTLE_TIME=60000
 # @import '../../theme/_global.scss';
 # Without the variable, only the relative import is possible
 SASS_PATH=node_modules:src
+REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
+REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_CF_SPACE=develop
+REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
+REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_CF_SPACE=develop
+REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
+REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_CF_SPACE=develop
+REACT_APP_BACKEND_URL=https://local.app.cloud.gov/v1
+REACT_APP_FRONTEND_URL=https://local.app.cloud.gov
+REACT_APP_BACKEND_HOST=https://local.app.cloud.gov
+REACT_APP_CF_SPACE=
+REACT_APP_BACKEND_URL=https://local.app.cloud.gov/v1
+REACT_APP_FRONTEND_URL=https://local.app.cloud.gov
+REACT_APP_BACKEND_HOST=https://local.app.cloud.gov
+REACT_APP_CF_SPACE=
+REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
+REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_CF_SPACE=develop
+REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
+REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_CF_SPACE=develop
+REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
+REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_CF_SPACE=develop
+REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
+REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_CF_SPACE=develop
+REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
+REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_CF_SPACE=develop
+REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
+REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
+REACT_APP_CF_SPACE=develop
diff --git a/tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf b/tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf
index 1ab4677bb..319adb75e 100644
--- a/tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf
+++ b/tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf
@@ -84,5 +84,6 @@ http {
 add_header Content-Security-Policy "${CSP}";
 add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0";
 add_header Access-Control-Allow-Origin "${ALLOWED_ORIGIN}";
+ add_header Access-Control-Allow-Credentials: true;
 }
 }
diff --git a/tdrs-frontend/reports/zap.conf b/tdrs-frontend/reports/zap.conf
index 763647dc2..7b9cddc01 100644
--- a/tdrs-frontend/reports/zap.conf
+++ b/tdrs-frontend/reports/zap.conf
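Review bot: The 44 added lines are eleven copies of the same four `REACT_APP_*` keys, nine pointing at `tdp-frontend-raft.app.cloud.gov` and two at `local.app.cloud.gov`; dotenv keeps the last occurrence, so only the final block (raft, `REACT_APP_CF_SPACE=develop`) takes effect and the other forty lines are dead, which looks like a script appending to this file on every run rather than an intended edit (deploy-frontend.sh gains the executable bit in this commit, which may be related, but its contents are not in the diff). Reduce this to a single block of the four effective lines, and have whatever generates these values write to an untracked file or replace in place rather than append. This is also the development env file: pointing `REACT_APP_BACKEND_URL` and `REACT_APP_BACKEND_HOST` at a deployed cloud.gov app makes every local build talk to that environment's backend, and REACT_APP_ values are compiled into the bundle at build time, so if that is intended say so in a comment above the block, e.g. `# Local dev builds talk to the raft dev space on cloud.gov; use a .env.local to point elsewhere`.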
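Review bot: `add_header Access-Control-Allow-Credentials: true;` has the colon inside the header-name argument, so nginx will send a header named `Access-Control-Allow-Credentials:` (on the wire `Access-Control-Allow-Credentials:: true`), which browsers will not recognize; the directive should read `add_header Access-Control-Allow-Credentials "true";`. Once corrected it genuinely allows credentialed cross-origin requests, so `${ALLOWED_ORIGIN}` on the line above must expand to one explicit origin—browsers refuse `*` with credentials, and reflecting the request's Origin here would hand session cookies to any site—so add a comment beside these two lines stating that constraint. Note too that nginx `add_header` directives are inherited only when a nested block defines none of its own, so any inner `location` that sets a header silently drops all of these; the enclosing block starts outside the hunk.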
@@ -85,14 +85,14 @@
 ##### forbidden, instead of just a 403 being returned. The test is
 ##### treating this as though the SQL injection worked, since a page
 ##### is returned.
-40018 IGNORE (SQL Injection - Active/release)
-40019 IGNORE (SQL Injection - MySQL - Active/beta)
-40020 IGNORE (SQL Injection - Hypersonic SQL - Active/beta)
-40021 IGNORE (SQL Injection - Oracle - Active/beta)
+40018 FAIL (SQL Injection - Active/release)
+40019 FAIL (SQL Injection - MySQL - Active/beta)
+40020 FAIL (SQL Injection - Hypersonic SQL - Active/beta)
+40021 FAIL (SQL Injection - Oracle - Active/beta)
 40022 FAIL (SQL Injection - PostgreSQL - Active/beta)
 40023 FAIL (Possible Username Enumeration - Active/beta)
-40024 IGNORE (SQL Injection - SQLite - Active/beta)
-40025 IGNORE (Proxy Disclosure - Active/beta)
+40024 FAIL (SQL Injection - SQLite - Active/beta)
+40025 FAIL (Proxy Disclosure - Active/beta)
 40026 FAIL (Cross Site Scripting (DOM Based) - Active/beta)
 40027 FAIL (SQL Injection - MsSQL - Active/beta)
 40028 FAIL (ELMAH Information Leak - Active/release)
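Review bot: The `#####` comment the hunk opens with (it begins before the hunk) still explains why 40018–40021 and 40024 were IGNOREd—a 403 page being read as a successful injection—but those rules are now FAIL, so the comment contradicts the config and, if the 403 behaviour it describes still occurs, the first such finding against the cloud.gov target fails the scan. Either rewrite it, e.g. `##### SQL injection rules are enforced; the earlier 403 false positives should be handled by excluding those URLs, not by ignoring the rules`, or leave these at WARN until the false positive is confirmed gone. 40025 (Proxy Disclosure) is flipped to FAIL in the same hunk with no note; it commonly fires on hosts that sit behind a router or proxy, which a cloud.gov app does, so say why it is expected to pass now.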