Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

2683-zap-CORS-misconfig #2727

Merged
merged 20 commits into from
Dec 1, 2023
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
temp
raftmsohani committed Oct 16, 2023
commit 36cc7ce0cbefde0a4f5663b8edc16b0ce2ad46d4
4 changes: 2 additions & 2 deletions scripts/zap-scanner.sh
Original file line number Diff line number Diff line change
@@ -19,7 +19,7 @@ if [ "$ENVIRONMENT" = "nightly" ]; then
fi
elif [ "$ENVIRONMENT" = "circle" ] || [ "$ENVIRONMENT" = "local" ]; then
if [ "$TARGET" = "frontend" ]; then
APP_URL="https://tdp-frontend-raft.app.cloud.gov"
APP_URL="https://tdp-frontend-raft.app.cloud.gov/"
elif [ "$TARGET" = "backend" ]; then
APP_URL="http://tdp-frontend/"
else
@@ -40,7 +40,7 @@ cd "$TARGET_DIR" || exit 2


if [[ $(docker network inspect external-net 2>&1 | grep -c Scope) == 0 ]]; then
docker network create external-net
docker network create external-net
fi

# Ensure the APP_URL is reachable from the zaproxy container
5 changes: 5 additions & 0 deletions tdrs-backend/tdpservice/middleware.py
Original file line number Diff line number Diff line change
@@ -2,7 +2,9 @@
from django.utils.cache import add_never_cache_headers
from django.conf import settings
from django.contrib.sessions.middleware import SessionMiddleware
import logging

logger = logging.getLogger(__name__)
class NoCacheMiddleware(object):
"""Disable client caching with a Cache-Control header."""

@@ -11,7 +13,10 @@ def __init__(self, get_response):

def __call__(self, request):
"""Add appropriate headers to the response before sending it out."""
logger.debug("____________________Adding no cache headers to response")
response = self.get_response(request)
response["Access-Control-Allow-Credentials"] = "true"
response["Access-Control-Allow-Origin"] = ""
add_never_cache_headers(response)
return response

44 changes: 0 additions & 44 deletions tdrs-frontend/.env.development
Original file line number Diff line number Diff line change
@@ -40,47 +40,3 @@ REACT_APP_EVENT_THROTTLE_TIME=60000
# @import '../../theme/_global.scss';
# Without the variable, only the relative import is possible
SASS_PATH=node_modules:src
REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_CF_SPACE=develop
REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_CF_SPACE=develop
REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_CF_SPACE=develop
REACT_APP_BACKEND_URL=https://local.app.cloud.gov/v1
REACT_APP_FRONTEND_URL=https://local.app.cloud.gov
REACT_APP_BACKEND_HOST=https://local.app.cloud.gov
REACT_APP_CF_SPACE=
REACT_APP_BACKEND_URL=https://local.app.cloud.gov/v1
REACT_APP_FRONTEND_URL=https://local.app.cloud.gov
REACT_APP_BACKEND_HOST=https://local.app.cloud.gov
REACT_APP_CF_SPACE=
REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_CF_SPACE=develop
REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_CF_SPACE=develop
REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_CF_SPACE=develop
REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_CF_SPACE=develop
REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_CF_SPACE=develop
REACT_APP_BACKEND_URL=https://tdp-frontend-raft.app.cloud.gov/v1
REACT_APP_FRONTEND_URL=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_BACKEND_HOST=https://tdp-frontend-raft.app.cloud.gov
REACT_APP_CF_SPACE=develop
3 changes: 2 additions & 1 deletion tdrs-frontend/docker-compose.yml
Original file line number Diff line number Diff line change
@@ -3,12 +3,13 @@ services:
zaproxy:
image: owasp/zap2docker-stable:2.13.0
container_name: zap-scan
command: sleep 3600
command: sleep 13600
ports:
- 8090:8090
networks:
- local
volumes:
- ../scripts:/zap/scripts/:rw
- ./reports:/zap/wrk/:rw
- ../scripts/zap-hook.py:/zap/scripts/zap-hook.py:ro
tdp-frontend:
4 changes: 4 additions & 0 deletions tdrs-frontend/nginx/cloud.gov/locations.conf
Original file line number Diff line number Diff line change
@@ -19,6 +19,10 @@ location ~ ^/(v1|admin|static/admin|swagger|redocs) {
add_header Access-Control-Allow-Origin 's3-us-gov-west-1.amazonaws.com';
}

if ($request_method ~ ^(PATCH|TRACE)$) {
return 405;
}

location = /profile {
index index.html index.htm;
try_files $uri $uri/ /index.html;