From 489d0740fcf6e7ba0c4b68e9ccf774ff3bfdbc73 Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Thu, 5 Oct 2023 09:47:01 -0400 Subject: [PATCH 01/17] added cloud.gov back to scan urls --- scripts/deploy-frontend.sh | 0 scripts/zap-hook.py | 6 +-- scripts/zap-scanner.sh | 10 ++--- tdrs-frontend/.env.development | 44 +++++++++++++++++++ .../nginx/cloud.gov/buildpack.nginx.conf | 1 + tdrs-frontend/reports/zap.conf | 12 ++--- 6 files changed, 58 insertions(+), 15 deletions(-) mode change 100644 => 100755 scripts/deploy-frontend.sh diff --git a/scripts/deploy-frontend.sh b/scripts/deploy-frontend.sh old mode 100644 new mode 100755 diff --git a/scripts/zap-hook.py b/scripts/zap-hook.py index ec01d71cd..274ac4296 100644 --- a/scripts/zap-hook.py +++ b/scripts/zap-hook.py @@ -18,9 +18,9 @@ def zap_started(zap, target): ignored_passive_scan_ids = [ - 10020, # X-Frame-Option Header Not Set - 10021, # X-Content-Type-Options Header Missing - 10027, # Informational: Suspicious Comments + #10020, # X-Frame-Option Header Not Set + #10021, # X-Content-Type-Options Header Missing + #10027, # Informational: Suspicious Comments 10036, # Server Leaks Version Information 10055, # CSP unsafe inline 10096, # Informational: Timestamp Disclosure - Unix diff --git a/scripts/zap-scanner.sh b/scripts/zap-scanner.sh index c3f534b84..1461fd6a8 100755 --- a/scripts/zap-scanner.sh +++ b/scripts/zap-scanner.sh @@ -19,7 +19,7 @@ if [ "$ENVIRONMENT" = "nightly" ]; then fi elif [ "$ENVIRONMENT" = "circle" ] || [ "$ENVIRONMENT" = "local" ]; then if [ "$TARGET" = "frontend" ]; then - APP_URL="http://tdp-frontend/" + APP_URL="https://tdp-frontend-raft.app.cloud.gov" elif [ "$TARGET" = "backend" ]; then APP_URL="http://tdp-frontend/" else 
@@ -112,10 +112,6 @@ ZAP_CLI_OPTIONS="\ -config globalexcludeurl.url_list.url\(14\).description='Site - FontAwesome.com' \ -config globalexcludeurl.url_list.url\(14\).enabled=true \ - -config globalexcludeurl.url_list.url\(15\).regex='^https:\/\/.*\.cloud.gov\/.*$' \ - -config globalexcludeurl.url_list.url\(15\).description='Site - Cloud.gov' \ - -config globalexcludeurl.url_list.url\(15\).enabled=true \ - -config globalexcludeurl.url_list.url\(16\).regex='^https:\/\/.*\.googletagmanager.com\/.*$' \ -config globalexcludeurl.url_list.url\(16\).description='Site - googletagmanager.com' \ -config globalexcludeurl.url_list.url\(16\).enabled=true \ @@ -140,7 +136,7 @@ ZAP_CLI_OPTIONS="\ -config globalexcludeurl.url_list.url\(21\).description='Site - IdentitySandbox.gov' \ -config globalexcludeurl.url_list.url\(21\).enabled=true \ -config spider.postform=true" - + # How long ZAP will crawl the app with the spider process ZAP_SPIDER_MINS=10 @@ -175,6 +171,8 @@ else ZAP_ARGS+=(-j) fi +ZAP_ARGS+=(-d) + # Run the ZAP full scan and store output for further processing if needed. ZAP_OUTPUT=$(docker-compose run --rm zaproxy "$ZAP_SCRIPT" "${ZAP_ARGS[@]}" | tee /dev/tty) ZAP_EXIT=$? diff --git a/tdrs-frontend/.env.development b/tdrs-frontend/.env.development index 3c0c68d15..73a3ed9eb 100644 --- a/tdrs-frontend/.env.development +++ b/tdrs-frontend/.env.development 
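Review bot: Dropping the url(15) entry leaves the globalexcludeurl.url_list indices running 14, 16, 17 … 21; ZAP's config loader may tolerate the gap, but renumbering the remaining entries (or reusing slot 15 for the next site) avoids relying on that. Removing the cloud.gov exclusion also means the spider is no longer fenced off from other *.cloud.gov hosts it discovers, so whether the nightly run stays on the target host now rests entirely on the scope the scan script derives from APP_URL, which this hunk does not show — worth confirming. A one-line comment recording the intent, `# cloud.gov is deliberately not excluded: the nightly target is hosted there`, would stop someone re-adding the exclusion later. The ZAP_CLI_OPTIONS assignment these hunks edit starts outside the hunk.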
@@ -40,3 +40,47 @@ REACT_APP_EVENT_THROTTLE_TIME=60000 # @import '../../theme/_global.scss'; # Without the variable, only the relative import is possible SASS_PATH=node_modules:src +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=develop +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=develop +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=develop +REACT_APP_BACKEND_URL=https://local.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://local.app.cloud.gov +REACT_APP_BACKEND_HOST=https://local.app.cloud.gov +REACT_APP_CF_SPACE= +REACT_APP_BACKEND_URL=https://local.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://local.app.cloud.gov +REACT_APP_BACKEND_HOST=https://local.app.cloud.gov +REACT_APP_CF_SPACE= +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=develop +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=develop +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=develop +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 
+REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=develop +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=develop +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=develop diff --git a/tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf b/tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf index 1ab4677bb..319adb75e 100644 --- a/tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf +++ b/tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf @@ -84,5 +84,6 @@ http { add_header Content-Security-Policy "${CSP}"; add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0"; add_header Access-Control-Allow-Origin "${ALLOWED_ORIGIN}"; + add_header Access-Control-Allow-Credentials: true; } } diff --git a/tdrs-frontend/reports/zap.conf b/tdrs-frontend/reports/zap.conf index 763647dc2..7b9cddc01 100644 --- a/tdrs-frontend/reports/zap.conf +++ b/tdrs-frontend/reports/zap.conf 
@@ -85,14 +85,14 @@ ##### forbidden, instead of just a 403 being returned. The test is ##### treating this as though the SQL injection worked, since a page ##### is returned. -40018 IGNORE (SQL Injection - Active/release) -40019 IGNORE (SQL Injection - MySQL - Active/beta) -40020 IGNORE (SQL Injection - Hypersonic SQL - Active/beta) -40021 IGNORE (SQL Injection - Oracle - Active/beta) +40018 FAIL (SQL Injection - Active/release) +40019 FAIL (SQL Injection - MySQL - Active/beta) +40020 FAIL (SQL Injection - Hypersonic SQL - Active/beta) +40021 FAIL (SQL Injection - Oracle - Active/beta) 40022 FAIL (SQL Injection - PostgreSQL - Active/beta) 40023 FAIL (Possible Username Enumeration - Active/beta) -40024 IGNORE (SQL Injection - SQLite - Active/beta) -40025 IGNORE (Proxy Disclosure - Active/beta) +40024 FAIL (SQL Injection - SQLite - Active/beta) +40025 FAIL (Proxy Disclosure - Active/beta) 40026 FAIL (Cross Site Scripting (DOM Based) - Active/beta) 40027 FAIL (SQL Injection - MsSQL - Active/beta) 40028 FAIL (ELMAH Information Leak - Active/release) From 36cc7ce0cbefde0a4f5663b8edc16b0ce2ad46d4 Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Mon, 16 Oct 2023 13:00:39 -0400 Subject: [PATCH 02/17] temp --- scripts/zap-scanner.sh | 4 +- tdrs-backend/tdpservice/middleware.py | 5 +++ tdrs-frontend/.env.development | 44 -------------------- tdrs-frontend/docker-compose.yml | 3 +- tdrs-frontend/nginx/cloud.gov/locations.conf | 4 ++ 5 files changed, 13 insertions(+), 47 deletions(-) diff --git a/scripts/zap-scanner.sh b/scripts/zap-scanner.sh index 1461fd6a8..7a65e1b16 100755 --- a/scripts/zap-scanner.sh +++ b/scripts/zap-scanner.sh @@ -19,7 +19,7 @@ if [ "$ENVIRONMENT" = "nightly" ]; then fi elif [ "$ENVIRONMENT" = "circle" ] || [ "$ENVIRONMENT" = "local" ]; then if [ "$TARGET" = "frontend" ]; then - APP_URL="https://tdp-frontend-raft.app.cloud.gov" + APP_URL="https://tdp-frontend-raft.app.cloud.gov/" elif [ "$TARGET" = "backend" ]; then APP_URL="http://tdp-frontend/" else 
@@ -40,7 +40,7 @@ cd "$TARGET_DIR" || exit 2 if [[ $(docker network inspect external-net 2>&1 | grep -c Scope) == 0 ]]; then - docker network create external-net +docker network create external-net fi # Ensure the APP_URL is reachable from the zaproxy container diff --git a/tdrs-backend/tdpservice/middleware.py b/tdrs-backend/tdpservice/middleware.py index 92f7bc665..81681e190 100644 --- a/tdrs-backend/tdpservice/middleware.py +++ b/tdrs-backend/tdpservice/middleware.py @@ -2,7 +2,9 @@ from django.utils.cache import add_never_cache_headers from django.conf import settings from django.contrib.sessions.middleware import SessionMiddleware +import logging +logger = logging.getLogger(__name__) class NoCacheMiddleware(object): """Disable client caching with a Cache-Control header.""" @@ -11,7 +13,10 @@ def __init__(self, get_response): def __call__(self, request): """Add appropriate headers to the response before sending it out.""" + logger.debug("____________________Adding no cache headers to response") response = self.get_response(request) + response["Access-Control-Allow-Credentials"] = "true" + response["Access-Control-Allow-Origin"] = "" add_never_cache_headers(response) return response diff --git a/tdrs-frontend/.env.development b/tdrs-frontend/.env.development index 73a3ed9eb..3c0c68d15 100644 --- a/tdrs-frontend/.env.development +++ b/tdrs-frontend/.env.development 
@@ -40,47 +40,3 @@ REACT_APP_EVENT_THROTTLE_TIME=60000 # @import '../../theme/_global.scss'; # Without the variable, only the relative import is possible SASS_PATH=node_modules:src -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=develop -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=develop -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=develop -REACT_APP_BACKEND_URL=https://local.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://local.app.cloud.gov -REACT_APP_BACKEND_HOST=https://local.app.cloud.gov -REACT_APP_CF_SPACE= -REACT_APP_BACKEND_URL=https://local.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://local.app.cloud.gov -REACT_APP_BACKEND_HOST=https://local.app.cloud.gov -REACT_APP_CF_SPACE= -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=develop -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=develop -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=develop -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 
-REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=develop -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=develop -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=develop diff --git a/tdrs-frontend/docker-compose.yml b/tdrs-frontend/docker-compose.yml index d75772fa5..157c1141b 100644 --- a/tdrs-frontend/docker-compose.yml +++ b/tdrs-frontend/docker-compose.yml @@ -3,12 +3,13 @@ services: zaproxy: image: owasp/zap2docker-stable:2.13.0 container_name: zap-scan - command: sleep 3600 + command: sleep 13600 ports: - 8090:8090 networks: - local volumes: + - ../scripts:/zap/scripts/:rw - ./reports:/zap/wrk/:rw - ../scripts/zap-hook.py:/zap/scripts/zap-hook.py:ro tdp-frontend: diff --git a/tdrs-frontend/nginx/cloud.gov/locations.conf b/tdrs-frontend/nginx/cloud.gov/locations.conf index 779dc9f2a..7574fc112 100644 --- a/tdrs-frontend/nginx/cloud.gov/locations.conf +++ b/tdrs-frontend/nginx/cloud.gov/locations.conf @@ -19,6 +19,10 @@ location ~ ^/(v1|admin|static/admin|swagger|redocs) { add_header Access-Control-Allow-Origin 's3-us-gov-west-1.amazonaws.com'; } +if ($request_method ~ ^(PATCH|TRACE)$) { + return 405; +} + location = /profile { index index.html index.htm; try_files $uri $uri/ /index.html; From 686cf454dc2ad72d0eb6b84e5f8a5a5b9aef0183 Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Tue, 17 Oct 2023 10:44:10 -0400 Subject: [PATCH 03/17] revert changes on zap.conf --- tdrs-frontend/reports/zap.conf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/tdrs-frontend/reports/zap.conf b/tdrs-frontend/reports/zap.conf index 7b9cddc01..d84da6b87 100644 --- a/tdrs-frontend/reports/zap.conf +++ b/tdrs-frontend/reports/zap.conf @@ -85,13 +85,13 @@ ##### forbidden, instead of just a 403 being returned. The test is ##### treating this as though the SQL injection worked, since a page ##### is returned. -40018 FAIL (SQL Injection - Active/release) -40019 FAIL (SQL Injection - MySQL - Active/beta) -40020 FAIL (SQL Injection - Hypersonic SQL - Active/beta) -40021 FAIL (SQL Injection - Oracle - Active/beta) +40018 IGNORE (SQL Injection - Active/release) +40019 IGNORE (SQL Injection - MySQL - Active/beta) +40020 IGNORE (SQL Injection - Hypersonic SQL - Active/beta) +40021 IGNORE (SQL Injection - Oracle - Active/beta) 40022 FAIL (SQL Injection - PostgreSQL - Active/beta) 40023 FAIL (Possible Username Enumeration - Active/beta) -40024 FAIL (SQL Injection - SQLite - Active/beta) +40024 IGNORE (SQL Injection - SQLite - Active/beta) 40025 FAIL (Proxy Disclosure - Active/beta) 40026 FAIL (Cross Site Scripting (DOM Based) - Active/beta) 40027 FAIL (SQL Injection - MsSQL - Active/beta) From 3088c70437c76b0f17216a108dbe0a1fd870b392 Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Tue, 17 Oct 2023 10:45:35 -0400 Subject: [PATCH 04/17] revert change on zap.conf --- tdrs-frontend/reports/zap.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tdrs-frontend/reports/zap.conf b/tdrs-frontend/reports/zap.conf index d84da6b87..763647dc2 100644 --- a/tdrs-frontend/reports/zap.conf +++ b/tdrs-frontend/reports/zap.conf 
@@ -92,7 +92,7 @@ 40022 FAIL (SQL Injection - PostgreSQL - Active/beta) 40023 FAIL (Possible Username Enumeration - Active/beta) 40024 IGNORE (SQL Injection - SQLite - Active/beta) -40025 FAIL (Proxy Disclosure - Active/beta) +40025 IGNORE (Proxy Disclosure - Active/beta) 40026 FAIL (Cross Site Scripting (DOM Based) - Active/beta) 40027 FAIL (SQL Injection - MsSQL - Active/beta) 40028 FAIL (ELMAH Information Leak - Active/release) From 159a39537bf8e9350a5834be80af6e997f7ed2bc Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Tue, 17 Oct 2023 10:46:17 -0400 Subject: [PATCH 05/17] revert changes on zap-hook.conf --- scripts/zap-hook.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/zap-hook.py b/scripts/zap-hook.py index 274ac4296..ec01d71cd 100644 --- a/scripts/zap-hook.py +++ b/scripts/zap-hook.py @@ -18,9 +18,9 @@ def zap_started(zap, target): ignored_passive_scan_ids = [ - #10020, # X-Frame-Option Header Not Set - #10021, # X-Content-Type-Options Header Missing - #10027, # Informational: Suspicious Comments + 10020, # X-Frame-Option Header Not Set + 10021, # X-Content-Type-Options Header Missing + 10027, # Informational: Suspicious Comments 10036, # Server Leaks Version Information 10055, # CSP unsafe inline 10096, # Informational: Timestamp Disclosure - Unix From 179934781bf5e2b85d59bd806f13f1b8b8c84ffe Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Tue, 17 Oct 2023 10:51:52 -0400 Subject: [PATCH 06/17] revert changes on nginx.conf --- tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf b/tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf index 319adb75e..1ab4677bb 100644 --- a/tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf +++ b/tdrs-frontend/nginx/cloud.gov/buildpack.nginx.conf 
@@ -84,6 +84,5 @@ http { add_header Content-Security-Policy "${CSP}"; add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0"; add_header Access-Control-Allow-Origin "${ALLOWED_ORIGIN}"; - add_header Access-Control-Allow-Credentials: true; } } From 3709148605e8d2eab47171b981316468c03b0464 Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Tue, 17 Oct 2023 10:52:23 -0400 Subject: [PATCH 07/17] revert changes on middleware.py --- tdrs-backend/tdpservice/middleware.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/tdrs-backend/tdpservice/middleware.py b/tdrs-backend/tdpservice/middleware.py index 81681e190..399b32fee 100644 --- a/tdrs-backend/tdpservice/middleware.py +++ b/tdrs-backend/tdpservice/middleware.py @@ -13,10 +13,7 @@ def __init__(self, get_response): def __call__(self, request): """Add appropriate headers to the response before sending it out.""" - logger.debug("____________________Adding no cache headers to response") response = self.get_response(request) - response["Access-Control-Allow-Credentials"] = "true" - response["Access-Control-Allow-Origin"] = "" add_never_cache_headers(response) return response From 0b8f7948801ef7d9c35808e0562194a766092a3d Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Tue, 17 Oct 2023 10:52:56 -0400 Subject: [PATCH 08/17] linting --- tdrs-backend/tdpservice/middleware.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/tdrs-backend/tdpservice/middleware.py b/tdrs-backend/tdpservice/middleware.py index 399b32fee..92f7bc665 100644 --- a/tdrs-backend/tdpservice/middleware.py +++ b/tdrs-backend/tdpservice/middleware.py @@ -2,9 +2,7 @@ from django.utils.cache import add_never_cache_headers from django.conf import settings from django.contrib.sessions.middleware import SessionMiddleware -import logging -logger = logging.getLogger(__name__) class NoCacheMiddleware(object): """Disable client caching with a Cache-Control header.""" From adcd4822fc8d0b43e5ad74154995458e0afbb9dd Mon Sep 17 00:00:00 2001 
From: Mo Sohani Date: Tue, 17 Oct 2023 10:55:45 -0400 Subject: [PATCH 09/17] revert change on docker-compose file --- package-lock.json | 6 +++++ scripts/deploy-backend.sh | 11 +++++---- tdrs-backend/tdpservice/settings/cloudgov.py | 10 +++++++- tdrs-frontend/.env.development | 24 ++++++++++++++++++++ tdrs-frontend/docker-compose.yml | 3 +-- tdrs-frontend/nginx/cloud.gov/locations.conf | 5 +++- 6 files changed, 51 insertions(+), 8 deletions(-) create mode 100644 package-lock.json diff --git a/package-lock.json b/package-lock.json new file mode 100644 index 000000000..6551530ca --- /dev/null +++ b/package-lock.json @@ -0,0 +1,6 @@ +{ + "name": "TANF-app", + "lockfileVersion": 2, + "requires": true, + "packages": {} +} diff --git a/scripts/deploy-backend.sh b/scripts/deploy-backend.sh index f3ed5941d..cf59a46a2 100755 --- a/scripts/deploy-backend.sh +++ b/scripts/deploy-backend.sh @@ -54,18 +54,21 @@ set_cf_envs() "REDIS_URI" ) + + echo "Setting environment variables for $CGAPPNAME_BACKEND" for var_name in ${var_list[@]}; do # Intentionally unsetting variable if empty if [[ -z "${!var_name}" ]]; then echo "WARNING: Empty value for $var_name. It will now be unset." - cf_cmd="cf unset-env $CGAPPNAME_BACKEND $var_name ${!var_name}" - $cf_cmd + #cf_cmd="cf unset-env $CGAPPNAME_BACKEND $var_name ${!var_name}" + + #$cf_cmd continue fi - cf_cmd="cf set-env $CGAPPNAME_BACKEND $var_name ${!var_name}" + #cf_cmd="cf set-env $CGAPPNAME_BACKEND $var_name ${!var_name}" echo "Setting var : $var_name" $cf_cmd done @@ -86,7 +89,7 @@ update_backend() cd tdrs-backend || exit if [ "$1" = "rolling" ] ; then set_cf_envs - + cf set-env "$CGAPPNAME_BACKEND" DJANGO_SU_NAME "ajameson@teamraft.com" # Do a zero downtime deploy. This requires enough memory for # two apps to exist in the org/space at one time. cf push "$CGAPPNAME_BACKEND" --no-route -f manifest.buildpack.yml -t 180 --strategy rolling || exit 1 
diff --git a/tdrs-backend/tdpservice/settings/cloudgov.py b/tdrs-backend/tdpservice/settings/cloudgov.py index 541d98cc0..daa1373d9 100644 --- a/tdrs-backend/tdpservice/settings/cloudgov.py +++ b/tdrs-backend/tdpservice/settings/cloudgov.py @@ -152,7 +152,14 @@ class Development(CloudGov): # https://docs.djangoproject.com/en/2.0/ref/settings/#allowed-hosts ALLOWED_HOSTS = ['.app.cloud.gov'] - + CORS_ORIGIN_ALLOW_ALL = False + CORS_ALLOWED_ORIGINS = ['https://*.app.cloud.gov'] + CORS_ALLOW_CREDENTIALS = True + CORS_ALLOW_METHODS = ( + "GET", + "PATCH", + "POST", + ) class Staging(CloudGov): """Settings for applications deployed in the Cloud.gov staging space.""" @@ -186,3 +193,4 @@ class Production(CloudGov): # CORS allowed origins CORS_ALLOWED_ORIGINS = ['https://tanfdata.acf.hhs.gov'] + CORS_ORIGIN_ALLOW_ALL = False diff --git a/tdrs-frontend/.env.development b/tdrs-frontend/.env.development index 3c0c68d15..9003ba357 100644 --- a/tdrs-frontend/.env.development +++ b/tdrs-frontend/.env.development 
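Review bot: `CORS_ALLOWED_ORIGINS = ['https://*.app.cloud.gov']` will never match a real Origin header, because django-cors-headers compares entries in that list literally; wildcard matching is only available through `CORS_ALLOWED_ORIGIN_REGEXES`. Paired with `CORS_ALLOW_CREDENTIALS = True`, a working wildcard would also let any application on the shared app.cloud.gov domain issue credentialed requests, so prefer naming the known frontend host(s) explicitly, e.g. `CORS_ALLOWED_ORIGINS = ['https://tdp-frontend-raft.app.cloud.gov']` (the hostname the .env.development hunk in PATCH 01 uses), or a tightly anchored regex in `CORS_ALLOWED_ORIGIN_REGEXES`. The Staging hunk in PATCH 16 adds `['https://*.acf.hhs.gov']` with the same problem; there the two hosts already spelled out in ALLOWED_HOSTS directly above it can be reused. `CORS_ALLOW_METHODS` advertises PATCH while the locations.conf hunk in this same patch returns 405 for PATCH at the proxy, so one of the two should change. The Development class continues outside the hunk.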
@@ -40,3 +40,27 @@ REACT_APP_EVENT_THROTTLE_TIME=60000 # @import '../../theme/_global.scss'; # Without the variable, only the relative import is possible SASS_PATH=node_modules:src +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=tanf-dev +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=tanf-dev +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=tanf-dev +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=tanf-dev +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=tanf-dev +REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 +REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov +REACT_APP_CF_SPACE=tanf-dev diff --git a/tdrs-frontend/docker-compose.yml b/tdrs-frontend/docker-compose.yml index 157c1141b..d75772fa5 100644 --- a/tdrs-frontend/docker-compose.yml +++ b/tdrs-frontend/docker-compose.yml 
@@ -3,13 +3,12 @@ services: zaproxy: image: owasp/zap2docker-stable:2.13.0 container_name: zap-scan - command: sleep 13600 + command: sleep 3600 ports: - 8090:8090 networks: - local volumes: - - ../scripts:/zap/scripts/:rw - ./reports:/zap/wrk/:rw - ../scripts/zap-hook.py:/zap/scripts/zap-hook.py:ro tdp-frontend: diff --git a/tdrs-frontend/nginx/cloud.gov/locations.conf b/tdrs-frontend/nginx/cloud.gov/locations.conf index 7574fc112..1bccf800e 100644 --- a/tdrs-frontend/nginx/cloud.gov/locations.conf +++ b/tdrs-frontend/nginx/cloud.gov/locations.conf @@ -16,10 +16,13 @@ location ~ ^/(v1|admin|static/admin|swagger|redocs) { proxy_buffer_size 4k; proxy_temp_file_write_size 64k; + limit_except GET HEAD POST { deny all; + } + add_header Access-Control-Allow-Origin 's3-us-gov-west-1.amazonaws.com'; } -if ($request_method ~ ^(PATCH|TRACE)$) { +if ($request_method ~ ^(PATCH|TRACE|OPTION)$) { return 405; } From bf3edcdb1beef8815f1a436f502ce22911f05b60 Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Tue, 17 Oct 2023 14:21:18 -0400 Subject: [PATCH 10/17] revert changes on .env file --- tdrs-frontend/.env.development | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/tdrs-frontend/.env.development b/tdrs-frontend/.env.development index 9003ba357..3c0c68d15 100644 --- a/tdrs-frontend/.env.development +++ b/tdrs-frontend/.env.development 
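Review bot: `OPTION` in `^(PATCH|TRACE|OPTION)$` does not match the HTTP method `OPTIONS`, so the new alternative never fires; and once corrected, the 405 would also reject CORS preflight requests, which the credentialed CORS settings added to cloudgov.py in this same patch depend on. The new `limit_except GET HEAD POST { deny all; }` inside the API location already answers 403 to OPTIONS and PATCH, so the two rules overlap and both disagree with `CORS_ALLOW_METHODS` advertising PATCH. Decide one way: if cross-origin calls to /v1 are intended, use `limit_except GET HEAD POST OPTIONS { deny all; }` and drop `OPTION` from the regex; if the API is only reached same-origin through this proxy, keep the deny but spell it `OPTIONS` so the rule actually applies. The enclosing `location ~ ^/(v1|admin|static/admin|swagger|redocs)` block starts outside the hunk.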
@@ -40,27 +40,3 @@ REACT_APP_EVENT_THROTTLE_TIME=60000 # @import '../../theme/_global.scss'; # Without the variable, only the relative import is possible SASS_PATH=node_modules:src -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=tanf-dev -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=tanf-dev -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=tanf-dev -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=tanf-dev -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=tanf-dev -REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1 -REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov -REACT_APP_CF_SPACE=tanf-dev From 4f1baf6cd35863b1d33993053af7a5235e5e181f Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Tue, 17 Oct 2023 14:23:46 -0400 Subject: [PATCH 11/17] remove file not needed --- package-lock.json | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 package-lock.json diff --git a/package-lock.json b/package-lock.json deleted file mode 100644 index 6551530ca..000000000 --- a/package-lock.json +++ /dev/null 
@@ -1,6 +0,0 @@ -{ - "name": "TANF-app", - "lockfileVersion": 2, - "requires": true, - "packages": {} -} From a4cb273583c07ae189ceb560a2c998112855ecbf Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Tue, 17 Oct 2023 14:34:52 -0400 Subject: [PATCH 12/17] linting --- tdrs-backend/tdpservice/settings/cloudgov.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tdrs-backend/tdpservice/settings/cloudgov.py b/tdrs-backend/tdpservice/settings/cloudgov.py index daa1373d9..160a5106d 100644 --- a/tdrs-backend/tdpservice/settings/cloudgov.py +++ b/tdrs-backend/tdpservice/settings/cloudgov.py @@ -159,7 +159,7 @@ class Development(CloudGov): "GET", "PATCH", "POST", - ) + ) class Staging(CloudGov): """Settings for applications deployed in the Cloud.gov staging space.""" From 18efd9ccec82ecbfa528f2bcbfe974d4e7ce1732 Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Tue, 17 Oct 2023 14:41:31 -0400 Subject: [PATCH 13/17] revert changes on deploy-backend --- scripts/deploy-backend.sh | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/scripts/deploy-backend.sh b/scripts/deploy-backend.sh index dbabd88a4..9ba45694c 100755 --- a/scripts/deploy-backend.sh +++ b/scripts/deploy-backend.sh @@ -53,21 +53,18 @@ set_cf_envs() "REDIS_URI" ) - - echo "Setting environment variables for $CGAPPNAME_BACKEND" for var_name in ${var_list[@]}; do # Intentionally unsetting variable if empty if [[ -z "${!var_name}" ]]; then echo "WARNING: Empty value for $var_name. It will now be unset." - #cf_cmd="cf unset-env $CGAPPNAME_BACKEND $var_name ${!var_name}" - - #$cf_cmd + cf_cmd="cf unset-env $CGAPPNAME_BACKEND $var_name ${!var_name}" + $cf_cmd continue fi - #cf_cmd="cf set-env $CGAPPNAME_BACKEND $var_name ${!var_name}" + cf_cmd="cf set-env $CGAPPNAME_BACKEND $var_name ${!var_name}" echo "Setting var : $var_name" $cf_cmd done 
@@ -97,7 +94,6 @@ update_backend() if [ "$1" = "rolling" ] ; then set_cf_envs - cf set-env "$CGAPPNAME_BACKEND" DJANGO_SU_NAME "ajameson@teamraft.com" # Do a zero downtime deploy. This requires enough memory for # two apps to exist in the org/space at one time. cf push "$CGAPPNAME_BACKEND" --no-route -f manifest.buildpack.yml -t 180 --strategy rolling || exit 1 From dc5deee9ca17e9b3b901e8f4da0d5b56747aa32a Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Tue, 17 Oct 2023 14:44:05 -0400 Subject: [PATCH 14/17] revert changes on zap-scanner.py --- scripts/zap-scanner.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/zap-scanner.sh b/scripts/zap-scanner.sh index 7a65e1b16..30ff7e6a0 100755 --- a/scripts/zap-scanner.sh +++ b/scripts/zap-scanner.sh @@ -19,7 +19,7 @@ if [ "$ENVIRONMENT" = "nightly" ]; then fi elif [ "$ENVIRONMENT" = "circle" ] || [ "$ENVIRONMENT" = "local" ]; then if [ "$TARGET" = "frontend" ]; then - APP_URL="https://tdp-frontend-raft.app.cloud.gov/" + APP_URL="http://tdp-frontend/" elif [ "$TARGET" = "backend" ]; then APP_URL="http://tdp-frontend/" else @@ -40,7 +40,7 @@ cd "$TARGET_DIR" || exit 2 if [[ $(docker network inspect external-net 2>&1 | grep -c Scope) == 0 ]]; then -docker network create external-net + docker network create external-net fi # Ensure the APP_URL is reachable from the zaproxy container From 8fb820b815154e27bc1a95e6c6d55e8f050920bf Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Tue, 17 Oct 2023 14:57:17 -0400 Subject: [PATCH 15/17] revrt some changes on zap-scanner --- scripts/zap-scanner.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/scripts/zap-scanner.sh b/scripts/zap-scanner.sh index 30ff7e6a0..d03259221 100755 --- a/scripts/zap-scanner.sh +++ b/scripts/zap-scanner.sh 
@@ -136,7 +136,6 @@ ZAP_CLI_OPTIONS="\ -config globalexcludeurl.url_list.url\(21\).description='Site - IdentitySandbox.gov' \ -config globalexcludeurl.url_list.url\(21\).enabled=true \ -config spider.postform=true" - # How long ZAP will crawl the app with the spider process ZAP_SPIDER_MINS=10 @@ -171,8 +170,6 @@ else ZAP_ARGS+=(-j) fi -ZAP_ARGS+=(-d) - # Run the ZAP full scan and store output for further processing if needed. ZAP_OUTPUT=$(docker-compose run --rm zaproxy "$ZAP_SCRIPT" "${ZAP_ARGS[@]}" | tee /dev/tty) ZAP_EXIT=$? From aa0e47ac908385ba422563195300b996c3605023 Mon Sep 17 00:00:00 2001 From: Mo Sohani Date: Wed, 18 Oct 2023 10:26:26 -0400 Subject: [PATCH 16/17] Added CORS settings --- tdrs-backend/tdpservice/settings/cloudgov.py | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/tdrs-backend/tdpservice/settings/cloudgov.py b/tdrs-backend/tdpservice/settings/cloudgov.py index 93f2fc789..5d8bd6d83 100644 --- a/tdrs-backend/tdpservice/settings/cloudgov.py +++ b/tdrs-backend/tdpservice/settings/cloudgov.py @@ -167,7 +167,14 @@ class Staging(CloudGov): 'tdp-frontend-staging.acf.hhs.gov', 'tdp-frontend-develop.acf.hhs.gov' ] - + CORS_ALLOWED_ORIGINS = ['https://*.acf.hhs.gov'] + CORS_ORIGIN_ALLOW_ALL = False + CORS_ALLOW_CREDENTIALS = True + CORS_ALLOW_METHODS = ( + "GET", + "PATCH", + "POST", + ) LOGIN_GOV_CLIENT_ID = os.getenv( 'OIDC_RP_CLIENT_ID', 'urn:gov:gsa:openidconnect.profiles:sp:sso:hhs:tanf-proto-staging' @@ -193,3 +200,9 @@ class Production(CloudGov): # CORS allowed origins CORS_ALLOWED_ORIGINS = ['https://tanfdata.acf.hhs.gov'] CORS_ORIGIN_ALLOW_ALL = False + CORS_ALLOW_CREDENTIALS = True + CORS_ALLOW_METHODS = ( + "GET", + "PATCH", + "POST", + ) From 0dd838fba81cfe06ca671a921284b816ca94271f Mon Sep 17 00:00:00 2001 
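Review bot: The same `CORS_ALLOW_CREDENTIALS = True` / `CORS_ALLOW_METHODS = ("GET", "PATCH", "POST")` pair is now copied into Development, Staging and Production; defining it once on the CloudGov base class (which starts outside these hunks) keeps the three environments from drifting and leaves only the per-environment origin list in each subclass. The Staging hunk also removes the blank line between the ALLOWED_HOSTS list and the new settings, so a short comment such as `# CORS: credentialed requests from the staging/develop frontends only` would separate the two concerns for the next reader. Whether PATCH needs to be advertised at all depends on the proxy rules in locations.conf, which currently reject it.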
From: Mo Sohani Date: Wed, 18 Oct 2023 11:50:10 -0400 Subject: [PATCH 17/17] increase max_file allow large file clamav scans --- tdrs-backend/clamav-router/nginx.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tdrs-backend/clamav-router/nginx.conf b/tdrs-backend/clamav-router/nginx.conf index 50cc6395b..89692f516 100644 --- a/tdrs-backend/clamav-router/nginx.conf +++ b/tdrs-backend/clamav-router/nginx.conf @@ -4,6 +4,7 @@ events { worker_connections 1024; # This opens a route to clamav prod http{ server { + client_max_body_size 100m; listen {{port}}; location /scan { proxy_pass http://tanf-prod-clamav-rest.apps.internal:9000/scan; @@ -11,6 +12,7 @@ http{ } } server { + client_max_body_size 100m; listen 9000; location /scan { proxy_pass http://tanf-prod-clamav-rest.apps.internal:9000/scan;
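Review bot: `client_max_body_size 100m;` is added separately to both server blocks; since both proxy to the same clamav upstream, one directive at the `http{` level sets it for both and avoids the two limits drifting apart. The 100m figure presumably mirrors whatever upload ceiling the backend enforces before it submits a file for scanning — that value is not visible here, so confirm it and record it: `# keep >= the backend's max upload size so large files still reach clamav`. Note that nginx buffers the request body up to this size before forwarding, so the clamav-rest service's own request-size limit needs to be at least as large or large uploads will still fail one hop later.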