From eb16d8b3d4bd868d508203038ffb3fdc33002598 Mon Sep 17 00:00:00 2001
From: raftmsohani <97037188+raftmsohani@users.noreply.github.com>
Date: Fri, 1 Dec 2023 10:55:28 -0500
Subject: [PATCH] 2683-zap-CORS-misconfig (#2727)
* added cloud.gov back to scan urls
* temp
* revert changes on zap.conf
* revert change on zap.conf
* revert changes on zap-hook.conf
* revert changes on nginx.conf
* revert changes on middleware.py
* linting
* revert change on docker-compose file
* revert changes on .env file
* remove file not needed
* linting
* revert changes on deploy-backend
* revert changes on zap-scanner.py
* revrt some changes on zap-scanner
* Added CORS settings
* increase max_file allow large file clamav scans
---------
Co-authored-by: Alex P <63075587+ADPennington@users.noreply.github.com>
---
 scripts/deploy-backend.sh | 1 -
 scripts/deploy-frontend.sh | 0
 scripts/zap-scanner.sh | 7 +-----
 tdrs-backend/clamav-router/nginx.conf | 2 ++
 tdrs-backend/tdpservice/settings/cloudgov.py | 25 ++++++++++++++++++--
 tdrs-frontend/nginx/cloud.gov/locations.conf | 7 ++++++
 6 files changed, 33 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 scripts/deploy-frontend.sh
diff --git a/scripts/deploy-backend.sh b/scripts/deploy-backend.sh
index ec372396a..3547debb7 100755
--- a/scripts/deploy-backend.sh
+++ b/scripts/deploy-backend.sh
@@ -100,7 +100,6 @@ update_backend() if [ "$1" = "rolling" ] ; then set_cf_envs - # Do a zero downtime deploy. This requires enough memory for # two apps to exist in the org/space at one time. cf push "$CGAPPNAME_BACKEND" --no-route -f manifest.buildpack.yml -t 180 --strategy rolling || exit 1
diff --git a/scripts/deploy-frontend.sh b/scripts/deploy-frontend.sh
old mode 100644
new mode 100755
diff --git a/scripts/zap-scanner.sh b/scripts/zap-scanner.sh
index c3f534b84..d03259221 100755
--- a/scripts/zap-scanner.sh
+++ b/scripts/zap-scanner.sh
@@ -40,7 +40,7 @@ cd "$TARGET_DIR" || exit 2 if [[ $(docker network inspect external-net 2>&1 | grep -c Scope) == 0 ]]; then - docker network create external-net + docker network create external-net fi # Ensure the APP_URL is reachable from the zaproxy container
@@ -112,10 +112,6 @@ ZAP_CLI_OPTIONS="\ -config globalexcludeurl.url_list.url\(14\).description='Site - FontAwesome.com' \ -config globalexcludeurl.url_list.url\(14\).enabled=true \ - -config globalexcludeurl.url_list.url\(15\).regex='^https:\/\/.*\.cloud.gov\/.*$' \ - -config globalexcludeurl.url_list.url\(15\).description='Site - Cloud.gov' \ - -config globalexcludeurl.url_list.url\(15\).enabled=true \ - -config globalexcludeurl.url_list.url\(16\).regex='^https:\/\/.*\.googletagmanager.com\/.*$' \ -config globalexcludeurl.url_list.url\(16\).description='Site - googletagmanager.com' \ -config globalexcludeurl.url_list.url\(16\).enabled=true \
@@ -140,7 +136,6 @@ ZAP_CLI_OPTIONS="\ -config globalexcludeurl.url_list.url\(21\).description='Site - IdentitySandbox.gov' \ -config globalexcludeurl.url_list.url\(21\).enabled=true \ -config spider.postform=true" - # How long ZAP will crawl the app with the spider process ZAP_SPIDER_MINS=10
diff --git a/tdrs-backend/clamav-router/nginx.conf b/tdrs-backend/clamav-router/nginx.conf
index 142657ffb..35e95e7a7 100644
--- a/tdrs-backend/clamav-router/nginx.conf
+++ b/tdrs-backend/clamav-router/nginx.conf
@@ -4,6 +4,7 @@ events { worker_connections 1024; # This opens a route to clamav prod http{ server { + client_max_body_size 100m; listen {{port}}; client_max_body_size 100m; location /scan {
@@ -12,6 +13,7 @@ http{ } } server { + client_max_body_size 100m; listen 9000; client_max_body_size 100m; location /scan {
diff --git a/tdrs-backend/tdpservice/settings/cloudgov.py b/tdrs-backend/tdpservice/settings/cloudgov.py
index b7def9383..b00f76fa9 100644
--- a/tdrs-backend/tdpservice/settings/cloudgov.py
+++ b/tdrs-backend/tdpservice/settings/cloudgov.py
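Review bot: Removing the three `url\(15\)` entries leaves a gap in the `globalexcludeurl.url_list` indices (14 is now followed by 16), and nothing in the script shows whether ZAP's `-config` loader tolerates a non-contiguous list; it is worth confirming in a scan that the later exclusions (16 through 21) still take effect, or renumbering them down by one so the list stays dense. Dropping the cloud.gov exclusion also widens the scan to every `*.cloud.gov` URL the spider reaches, which matches the commit's stated intent but is a scope change worth a one-line comment next to the list. The `ZAP_CLI_OPTIONS="\` assignment begins before this hunk.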
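Review bot: The added `client_max_body_size 100m;` duplicates the directive that already follows `listen {{port}};` in the same `server` block, and nginx rejects a repeated directive in one context at config load (`"client_max_body_size" directive is duplicate`), so the clamav router would fail to start; the second hunk (the `listen 9000;` server) has the same problem. Drop the added line in both servers, since the existing `client_max_body_size 100m;` already provides the limit the commit message asks for, or set it once in the enclosing `http{` block and remove it from both servers if a single shared limit is wanted. The `http{` block begins before the first hunk.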
@@ -155,7 +155,14 @@ class Development(CloudGov): # https://docs.djangoproject.com/en/2.0/ref/settings/#allowed-hosts ALLOWED_HOSTS = ['.app.cloud.gov'] - + CORS_ORIGIN_ALLOW_ALL = False + CORS_ALLOWED_ORIGINS = ['https://*.app.cloud.gov'] + CORS_ALLOW_CREDENTIALS = True + CORS_ALLOW_METHODS = ( + "GET", + "PATCH", + "POST", + ) class Staging(CloudGov): """Settings for applications deployed in the Cloud.gov staging space."""
@@ -164,7 +171,14 @@ class Staging(CloudGov): 'tdp-frontend-staging.acf.hhs.gov', 'tdp-frontend-develop.acf.hhs.gov' ] - + CORS_ALLOWED_ORIGINS = ['https://*.acf.hhs.gov'] + CORS_ORIGIN_ALLOW_ALL = False + CORS_ALLOW_CREDENTIALS = True + CORS_ALLOW_METHODS = ( + "GET", + "PATCH", + "POST", + ) LOGIN_GOV_CLIENT_ID = os.getenv( 'OIDC_RP_CLIENT_ID', 'urn:gov:gsa:openidconnect.profiles:sp:sso:hhs:tanf-proto-staging'
@@ -189,3 +203,10 @@ class Production(CloudGov): # CORS allowed origins CORS_ALLOWED_ORIGINS = ['https://tanfdata.acf.hhs.gov'] + CORS_ORIGIN_ALLOW_ALL = False + CORS_ALLOW_CREDENTIALS = True + CORS_ALLOW_METHODS = ( + "GET", + "PATCH", + "POST", + )
diff --git a/tdrs-frontend/nginx/cloud.gov/locations.conf b/tdrs-frontend/nginx/cloud.gov/locations.conf
index 779dc9f2a..1bccf800e 100644
--- a/tdrs-frontend/nginx/cloud.gov/locations.conf
+++ b/tdrs-frontend/nginx/cloud.gov/locations.conf
@@ -16,9 +16,16 @@ location ~ ^/(v1|admin|static/admin|swagger|redocs) { proxy_buffer_size 4k; proxy_temp_file_write_size 64k; + limit_except GET HEAD POST { deny all; + } + add_header Access-Control-Allow-Origin 's3-us-gov-west-1.amazonaws.com'; } +if ($request_method ~ ^(PATCH|TRACE|OPTION)$) { + return 405; +} + location = /profile { index index.html index.htm; try_files $uri $uri/ /index.html;
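Review bot: The wildcard `'https://*.app.cloud.gov'` in `CORS_ALLOWED_ORIGINS` will never match a browser's Origin header, because django-cors-headers compares the exact `scheme://host[:port]` string against that list, so every cross-origin request from the app subdomains ends up without CORS headers; the Staging hunk's `'https://*.acf.hhs.gov'` has the same problem. Patterns belong in `CORS_ALLOWED_ORIGIN_REGEXES`, e.g. `CORS_ALLOWED_ORIGIN_REGEXES = [r'^https://[\w-]+\.app\.cloud\.gov$']` here and the `acf.hhs.gov` equivalent in Staging, which keeps the credentialed allowlist (`CORS_ALLOW_CREDENTIALS = True`) limited to the intended hosts. Separately, `CORS_ORIGIN_ALLOW_ALL` is the pre-3.5 spelling of `CORS_ALLOW_ALL_ORIGINS`; since the file already uses the newer `CORS_ALLOWED_ORIGINS` name, the newer name is the consistent choice, and as `False` is the library default the line documents intent rather than changing behaviour. The `Development` class begins before the hunk.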
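Review bot: The `CORS_ORIGIN_ALLOW_ALL` / `CORS_ALLOW_CREDENTIALS` / `CORS_ALLOW_METHODS` trio is now copied verbatim into Development, Staging and Production, and only `CORS_ALLOWED_ORIGINS` actually differs per environment. Since all three subclass `CloudGov`, the shared values could be set once on that base class (defined before this hunk) with each environment overriding just the origin list, so a future change to the method list is made in one place. A short comment on the tuple would also help the next reader, e.g. `# Deliberately narrower than the django-cors-headers default method list`.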
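Review bot: The new server-level filter `if ($request_method ~ ^(PATCH|TRACE|OPTION)$)` never matches OPTIONS requests, because the method name is `OPTIONS`; as written only PATCH and TRACE receive the 405, so either correct the spelling or, if CORS preflight must still reach the proxied backend, drop that verb from the pattern deliberately. Note also that PATCH is rejected here and by the new `limit_except GET HEAD POST` while the backend's `CORS_ALLOW_METHODS` in this same commit advertises PATCH, so the two layers disagree and one of them should be the source of truth. The added `add_header Access-Control-Allow-Origin 's3-us-gov-west-1.amazonaws.com'` has no scheme, so it is not a valid origin value and browsers will not honour it; if this location proxies to the Django backend, which emits its own header through django-cors-headers, the response would also carry two `Access-Control-Allow-Origin` headers, which browsers reject outright. The enclosing `location ~ ^/(v1|admin|static/admin|swagger|redocs)` block begins before the hunk.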