
Dev #39

Merged
merged 29 commits into from
Sep 17, 2024

Conversation

romainkieffer
Contributor

Generic requirements in order to contribute:

  • One Pull Request per fix/feature/change/...
  • Keep the amount of commits per PR as small as possible: if for any reason, you need to fix your commit after the pull request, please squash the changes in one single commit (or tell us why not)
  • Always make sure it is mergeable in the default branch
  • Any major changes adding a functionality should be disabled by default in the configuration

What does it do?

If it fixes an existing issue, please use GitHub syntax: #<IssueID>

Questions

  • Does it require a DB change?
  • Are you using it in production?

Release Type:

  • Major
  • Minor
  • Patch

pparage and others added 29 commits June 4, 2024 15:22
Signed-off-by: Romain Kieffer <[email protected]>
Signed-off-by: Romain Kieffer <[email protected]>
@romainkieffer romainkieffer merged commit 97d2a16 into main Sep 17, 2024
1 of 7 checks passed

    const href = this.getAttribute('data-href');
    if (href) {
        window.location.href = href;

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text is reinterpreted as HTML without escaping meta-characters.
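Review bot: the `data-href` value is assigned to `window.location.href` with no check on its scheme, which is what the warning on these lines points at: a non-http(s) value in that attribute (a `javascript:` URL, for instance) is acted on rather than treated as a navigation target. Suggest parsing it first and navigating only for http(s): `const u = new URL(href, window.location.href); if (u.protocol === 'http:' || u.protocol === 'https:') { window.location.href = u.href; }`.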
            results[f"{server}:{port}"] = "TLS not supported"
        elif port == 465:
            # For 465, it should be SSL/TLS from the start
            with context.wrap_socket(sock, server_hostname=server) as ssock:

Check failure

Code scanning / CodeQL

Use of insecure SSL/TLS version High test

Insecure SSL/TLS protocol version TLSv1 allowed by call to ssl.create_default_context.
Insecure SSL/TLS protocol version TLSv1_1 allowed by call to ssl.create_default_context.
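Review bot: CodeQL flags the `ssl.create_default_context()` call behind `context` because, depending on the interpreter and OpenSSL build, the resulting context can still negotiate TLSv1 and TLSv1.1. Set `context.minimum_version = ssl.TLSVersion.TLSv1_2` immediately after creating it so the port-465 `wrap_socket` path cannot fall back to those versions; if the tool is meant to report servers that only speak legacy TLS, do that with a separate, explicitly configured probe context rather than by leaving the default context permissive.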
        dict: A dictionary with detailed CSP analysis results.
    """
    try:
        response = requests.get(f"https://{domain}", timeout=10)

Check failure

Code scanning / CodeQL

Full server-side request forgery Critical test

The full URL of this request depends on a user-provided value.
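Review bot: `domain` is interpolated straight into `requests.get(f"https://{domain}")`, so anything accepted as a domain (a value carrying a path, an `@`, or an explicit host and port) changes where the scanner sends its request; that is the SSRF CodeQL reports here and on the other `requests.get`/`requests.head` calls in this PR. Validate the input as a bare hostname once, before any request is made, e.g. `if not re.fullmatch(r'[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?', domain): raise ValueError("not a hostname")`, and if the scanner runs inside a private network, resolve the name and refuse loopback and RFC 1918 addresses as well.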


def check_csp_syntax(csp, result, header_name):
    if not re.match(r'^[a-zA-Z0-9\-]+\s+[^;]+(?:;\s*[a-zA-Z0-9\-]+\s+[^;]+)*$', csp):

Check failure

Code scanning / CodeQL

Inefficient regular expression High test

This part of the regular expression may cause exponential backtracking on strings starting with '- :;-' and containing many repetitions of ' :;-'.
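Review bot: the part CodeQL highlights is `[^;]+(?:;\s*[a-zA-Z0-9\-]+\s+[^;]+)*`: `[^;]+` also matches every character the inner `\s*`, `[a-zA-Z0-9\-]+` and `\s+` consume, so on a header that does not match, the engine retries each way of dividing the text between them. Since `csp` is the scanned site's response header, a crafted header can stall the scanner. Suggest not matching the whole header with one pattern: `directives = [d.strip() for d in csp.split(';') if d.strip()]`, then `all(re.fullmatch(r'[a-zA-Z0-9-]+\s+\S[^;]*', d) for d in directives)`, which is linear in the header length; check that `directives` is non-empty and decide explicitly whether a trailing `;` is acceptable, since the current pattern rejects both cases.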


def check_csp_syntax(csp, result, header_name):
    if not re.match(r'^[a-zA-Z0-9\-]+\s+[^;]+(?:;\s*[a-zA-Z0-9\-]+\s+[^;]+)*$', csp):

Check failure

Code scanning / CodeQL

Polynomial regular expression used on uncontrolled data High test

This regular expression that depends on a user-provided value may run slow on strings starting with '- ' and with many repetitions of ' '.
This regular expression that depends on a user-provided value may run slow on strings starting with '- :;-' and with many repetitions of ' :;- '.
This regular expression that depends on a user-provided value may run slow on strings starting with '- :;- ' and with many repetitions of ' '.
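Review bot: the three polynomial cases CodeQL lists here all come from `\s+[^;]+`, where `[^;]+` matches whitespace too, so a run of spaces after a directive name can be divided between `\s+` and `[^;]+` in as many ways as it has characters. Requiring the value to start with a non-space character (`\s+\S[^;]*`) removes that overlap; given the exponential alert on the same line, the cleaner fix is to split the header on `;` and validate each directive separately instead of matching the whole header with a single pattern.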
        bool: True if the integrity is valid, False otherwise.
    """
    try:
        response = requests.get(src, timeout=10)

Check failure

Code scanning / CodeQL

Full server-side request forgery Critical test

The full URL of this request depends on a user-provided value.
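Review bot: if `src` is a script URL taken from the scanned page's markup, as the integrity check implies, this call will fetch whatever scheme and host the page names, including addresses only the scanner host can reach, and has to read the whole body to hash it. Before `requests.get(src, ...)`, require `urllib.parse.urlsplit(src).scheme in ('http', 'https')`, apply the same hostname and private-address policy used for the `domain` input, and cap the download (`stream=True` with a byte limit on `iter_content`) so one oversized script cannot exhaust memory.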
        - 'message' (str): Additional information or error message.
    """
    try:
        response = requests.get(f"https://{domain}", timeout=10)

Check failure

Code scanning / CodeQL

Full server-side request forgery Critical test

The full URL of this request depends on a user-provided value.
    """
    url = f'https://{domain}'
    try:
        response = requests.get(url, timeout=10)

Check failure

Code scanning / CodeQL

Full server-side request forgery Critical test

The full URL of this request depends on a user-provided value.
    url = f'https://{domain}/.well-known/security.txt'
    try:
        # First, check if the file exists using HEAD request
        head_response = requests.head(url, timeout=10)

Check failure

Code scanning / CodeQL

Full server-side request forgery Critical test

The full URL of this request depends on a user-provided value.
        if head_response.status_code == 200:
            # If it exists, attempt to get the content
            try:
                response = requests.get(url, timeout=10)

Check failure

Code scanning / CodeQL

Full server-side request forgery Critical test

The full URL of this request depends on a user-provided value.
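Review bot: `requests.head` does not follow redirects by default while `requests.get` does, so a security.txt that is served through a redirect returns a 3xx on the HEAD probe, fails the `== 200` test and is reported as missing even though the GET would have succeeded. Either pass `allow_redirects=True` to the HEAD call and check the final response, or drop the HEAD step and issue the GET once with `stream=True` and a size limit; both options also halve the number of requests sent to the caller-chosen URL that CodeQL flags twice here.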