
[CORE-27] Add CSP Header #334

Merged (10 commits), Oct 21, 2024

Conversation

kevinmarete (Contributor)

@kevinmarete kevinmarete commented Oct 19, 2024

Jira: https://broadworkbench.atlassian.net/browse/CORE-27

Description:

This PR adds a Content Security Policy (CSP) header to the Thurloe Swagger page and endpoints to enhance security by reducing the risk of cross-site scripting (XSS) and data injection attacks.

Testing:

  • Added tests for the CSP header and ran them successfully
  • Compiled project and observed no issues

  • Submitter: Make sure Swagger is updated if API changes
  • Submitter: If updating admin endpoints, also update firecloud-admin-cli
  • Submitter: Update FISMA documentation if changes to:
    • Authentication
    • Authorization
    • Encryption
    • Audit trails
  • Submitter: If you're adding new libraries, sign us up to security updates for them

@kevinmarete kevinmarete requested a review from a team October 19, 2024 02:07
@kevinmarete kevinmarete self-assigned this Oct 19, 2024
@kevinmarete kevinmarete requested review from dvoet and marctalbott and removed request for a team October 19, 2024 02:07
@kevinmarete kevinmarete changed the title [CORE-27] add csp header [CORE-27] Add CSP Header Oct 19, 2024
Comment on lines +12 to +15
auth {
googleClientId = ""
}
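Review bot: `googleClientId = ""` in the `auth` block resolves the missing reference, but an empty client ID must never reach a deployed configuration; since the author notes this was added for the tests, mark the block as a test-only placeholder with a comment so it is not copied into an environment config.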

@kevinmarete (Contributor Author):

Tests were failing due to this missing reference.

codecov bot commented Oct 19, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 59.27%. Comparing base (f27d5fe) to head (ac12dcb).
Report is 1 commits behind head on develop.

Additional details and impacted files
@@             Coverage Diff             @@
##           develop     #334      +/-   ##
===========================================
+ Coverage    55.92%   59.27%   +3.35%     
===========================================
  Files           17       18       +1     
  Lines          633      636       +3     
  Branches        69       68       -1     
===========================================
+ Hits           354      377      +23     
+ Misses         279      259      -20     


@kevinmarete kevinmarete marked this pull request as ready for review October 19, 2024 02:48
@kevinmarete (Contributor Author):

Codecov Report

Attention: Patch coverage is 57.69231% with 11 lines in your changes missing coverage. Please review.

Project coverage is 59.34%. Comparing base (f27d5fe) to head (8cec42e).

Files with missing lines                                 Patch %   Lines
...in/scala/thurloe/service/ThurloeServiceActor.scala    56.52%    10 Missing ⚠️
src/main/scala/thurloe/Main.scala                         0.00%    1 Missing ⚠️
Additional details and impacted files

Note: Some of these changes were formatting related to scalafmt!

@dvoet dvoet (Contributor) left a comment:

This code calls addCSP in 3 places, once in Main, which covers all routes, then 2 other redundant times in ThurloeServiceActor. I think it needs only be called once, but it makes more sense to have that be in ThurloeServiceActor where route is defined:

  def route: Route = addCSP {
    swaggerUiService ~ statusRoute ~ fireCloudProtectedRoutes
  }

Alternatively, we could do this in the apache proxy.
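
To make the single-wrap point concrete, here is an added example (not Thurloe's code, and not from the PR) assuming akka-http, which the `~`-chained `Route` in the comment above suggests, together with ScalaTest's route test kit. `swaggerUiService`, `statusRoute` and `fireCloudProtectedRoutes` are stand-ins for the real routes, and the policy string is hypothetical; the page does not show the value Thurloe chose. It also goes one step beyond the comment: `respondWithHeader` only decorates responses that a route completes, so rejections have to be turned into responses inside the wrap for 404s to carry the header too, and a doubly-wrapped route shows what the redundant inner calls produced.

```scala
// Added example, not Thurloe's code. Assumes akka-http and ScalaTest; route
// names mirror the review comment, their bodies are stand-ins.
import akka.http.scaladsl.model.StatusCodes
import akka.http.scaladsl.model.headers.RawHeader
import akka.http.scaladsl.server.{Directive0, RejectionHandler, Route}
import akka.http.scaladsl.server.Directives._
import akka.http.scaladsl.testkit.ScalatestRouteTest
import org.scalatest.flatspec.AnyFlatSpec
import org.scalatest.matchers.should.Matchers

object CspRoutes {
  // Hypothetical policy (the page does not show Thurloe's value). Swagger UI
  // needs its own scripts, styles and data: images, so 'self' is kept for
  // those; framing and plugins are denied outright.
  val cspValue: String =
    "default-src 'self'; script-src 'self'; style-src 'self'; " +
      "img-src 'self' data:; frame-ancestors 'none'; object-src 'none'"

  val cspHeader: RawHeader = RawHeader("Content-Security-Policy", cspValue)

  // The equivalent of an addCSP directive: prepend the header to whatever
  // response the inner route completes with.
  val addCSP: Directive0 = respondWithHeader(cspHeader)

  // Stand-ins for the three routes named in the review comment.
  val swaggerUiService: Route = pathPrefix("swagger") { complete("swagger-ui") }
  val statusRoute: Route = path("status") { complete("ok") }
  val fireCloudProtectedRoutes: Route = path("api" / "profile") { complete("profile") }

  // One wrap at the top covers every route. handleRejections sits inside the
  // directive on purpose: respondWithHeader only maps completed responses, so
  // a 404/405 synthesised from a rejection outside the wrap would lack the
  // header. Converting rejections here keeps them inside it.
  val route: Route = addCSP {
    handleRejections(RejectionHandler.default) {
      swaggerUiService ~ statusRoute ~ fireCloudProtectedRoutes
    }
  }
}

class CspRoutesSpec extends AnyFlatSpec with Matchers with ScalatestRouteTest {
  import CspRoutes._

  // check returns the value of its block, so this yields the header value.
  private def cspOf(path: String): Option[String] =
    Get(path) ~> route ~> check { header("Content-Security-Policy").map(_.value) }

  "the single CSP wrap" should "reach every defined route" in {
    Seq("/swagger", "/status", "/api/profile").foreach { p =>
      cspOf(p) shouldBe Some(cspValue)
    }
  }

  it should "also cover rejection-generated responses" in {
    Get("/does-not-exist") ~> route ~> check {
      status shouldBe StatusCodes.NotFound
      header("Content-Security-Policy").map(_.value) shouldBe Some(cspValue)
    }
  }

  it should "show why the redundant inner wraps were worth removing" in {
    // Wrapping an already-wrapped route again emits the header twice. Browsers
    // enforce each policy independently (the effective policy is the
    // intersection), so nested wraps are harmless but pure noise.
    val doubleWrapped: Route = addCSP { addCSP { statusRoute } }
    Get("/status") ~> doubleWrapped ~> check {
      headers.count(_.is("content-security-policy")) shouldBe 2
    }
  }
}
```

Run it with `sbt test`. Two practical caveats: depending on the Swagger UI version, its index page initialises the bundle from an inline script, so a `'self'`-only `script-src` can break the Swagger page; roll the policy out as `Content-Security-Policy-Report-Only` first and watch the browser console before switching to the enforcing header. If the header is set in the Apache proxy instead, use mod_headers with the `always` condition (`Header always set Content-Security-Policy "..."`) so that proxy-generated error responses carry it as well, and verify from outside with `curl -sI https://<host>/status | grep -i content-security-policy`.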

@kevinmarete kevinmarete requested review from dvoet and davidangb and removed request for marctalbott October 21, 2024 17:28
@kevinmarete kevinmarete merged commit bcd8b62 into develop Oct 21, 2024
8 checks passed
@kevinmarete kevinmarete deleted the km_CORE-27_add_csp_header branch October 21, 2024 18:56
3 participants