
Avoid cross origin forgery by using same-site cookie (backport #2948) #2958

Merged (3 commits), Jun 3, 2021

Conversation

mergify[bot] commented Jun 3, 2021

This is an automatic backport of pull request #2948 done by Mergify.
Cherry-pick of d0b8867 has failed:

On branch mergify/bp/gsa-21.04/pr-2948
Your branch is ahead of 'origin/gsa-21.04' by 1 commit.
  (use "git push" to publish your local commits)

You are currently cherry-picking commit d0b886713.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   CHANGELOG.md

no changes added to commit (use "git add" and/or "git commit -a")

To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/


Only allow access to the session cookie from the same site and not for
third parties. This avoids CSRF attacks like e.g.
[BREACH](http://breachattack.com/).

For more details please take a look at
http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/

(cherry picked from commit d65c7a3)
(cherry picked from commit d0b8867)

# Conflicts:
#	CHANGELOG.md
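The change described in the commit message is to the attributes of the Set-Cookie header. The following is an added example, not gsad's or gsa's own code, that builds the hardened header beside the weak one and models the browser rule that makes the difference: whether a cookie is attached to a cross-site request depends on its SameSite value, the request method, and whether the request is a top-level navigation. The cookie name SESSION, the hostnames, and the two-label "site" comparison are assumptions for the example (a real browser uses the Public Suffix List).

```javascript
'use strict';

// Build the Set-Cookie header value for a session cookie. Defaults are the
// hardened ones: Secure, HttpOnly and SameSite=Strict.
function buildSessionCookie(name, value, opts = {}) {
  const { sameSite = 'Strict', secure = true, httpOnly = true, path = '/', maxAge } = opts;
  if (!/^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('invalid cookie value');
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('invalid SameSite value');
  // Browsers reject SameSite=None cookies that are not also Secure.
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value; attribute names are case-insensitive.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const p of rest) {
    if (!p) continue;
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// "Site" means registrable domain. Simplified here to the last two labels;
// a real browser consults the Public Suffix List (assumption for this example).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Model of a browser deciding whether to attach a cookie to a request.
// request: { targetHost, initiatorHost, method, topLevelNavigation }
// legacyDefault=true models pre-2020 browsers, which treated a cookie with no
// SameSite attribute as SameSite=None; current browsers default to Lax.
function cookieIsSent(cookie, request, legacyDefault = false) {
  const declared = cookie.attrs.samesite;
  const mode = typeof declared === 'string'
    ? declared.toLowerCase()
    : (legacyDefault ? 'none' : 'lax');
  const crossSite = siteOf(request.initiatorHost) !== siteOf(request.targetHost);
  if (!crossSite || mode === 'none') return true;
  if (mode === 'strict') return false;
  // Lax: only top-level navigations with a safe method carry the cookie.
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
  return request.topLevelNavigation && safe.includes(request.method.toUpperCase());
}

// The classic CSRF shape: a page on the attacker's site auto-submits a form
// (a top-level POST) to the application. Returns true if the session cookie
// rides along, i.e. the forged request would arrive authenticated.
function csrfPostSucceeds(setCookieHeader, legacyDefault = false) {
  const cookie = parseSetCookie(setCookieHeader);
  return cookieIsSent(cookie, {
    targetHost: 'gsa.example.org',        // placeholder hosts, not real deployments
    initiatorHost: 'attacker.example.net',
    method: 'POST',
    topLevelNavigation: true,
  }, legacyDefault);
}

// Weak header: everything except SameSite (SESSION is a placeholder cookie name).
const WEAK = 'SESSION=9f2a; Path=/; Secure; HttpOnly';
// Hardened header, as built above.
const HARDENED = buildSessionCookie('SESSION', '9f2a');

console.log(HARDENED);
console.log('forged POST, weak cookie, legacy browser:', csrfPostSucceeds(WEAK, true));
console.log('forged POST, weak cookie, Lax default:   ', csrfPostSucceeds(WEAK));
console.log('forged POST, hardened cookie:            ', csrfPostSucceeds(HARDENED));
```

Run it with node. Under the modern Lax default the forged POST already fails, but Lax still sends the cookie on cross-site top-level GET navigations, so any state-changing GET endpoint stays forgeable; Strict sends nothing cross-site at all, which is what the commit message describes, at the cost that the first request after following an external link into the application arrives unauthenticated. The model omits browser-specific exceptions such as Chrome's short grace period for unattributed Lax cookies on POST.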
mergify bot requested a review from a team as a code owner June 3, 2021 13:19
mergify bot added the conflicts label Jun 3, 2021
codecov bot commented Jun 3, 2021

Codecov Report

Merging #2958 (9d13f4e) into gsa-21.04 (da7c00e) will not change coverage.
The diff coverage is 50.00%.

❗ Current head 9d13f4e differs from pull request most recent head e2d597d. Consider uploading reports for the commit e2d597d to get more accurate results

@@            Coverage Diff             @@
##           gsa-21.04    #2958   +/-   ##
==========================================
  Coverage      53.84%   53.84%           
==========================================
  Files           1075     1075           
  Lines          26250    26250           
  Branches        7506     7506           
==========================================
  Hits           14133    14133           
  Misses         11000    11000           
  Partials        1117     1117           
Impacted Files Coverage Δ
gsa/src/gmp/parser/cvss.js 100.00% <ø> (ø)
gsa/src/web/pages/results/detailspage.js 12.32% <0.00%> (ø)
gsa/src/gmp/models/nvt.js 99.00% <100.00%> (ø)


bjoernricks merged commit 58acb69 into gsa-21.04 Jun 3, 2021
bjoernricks deleted the mergify/bp/gsa-21.04/pr-2948 branch June 3, 2021 14:15
@@ -21,7 +22,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Fixed missing name for CVE results on result detailspage [#2892](https://github.com/greenbone/gsa/pull/2892)
- Fixed setting secret key in RADIUS dialog [#2891](https://github.com/greenbone/gsa/pull/2891)
- Fixed setting result UUID in notes dialog [#2889](https://github.com/greenbone/gsa/pull/2889)

- Fixed setting whether to include related resources for new permissions [#2931](https://github.com/greenbone/gsa/pull/2891)
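Review bot: the last line of the hunk gives the #2931 entry the link https://github.com/greenbone/gsa/pull/2891, the same URL as the RADIUS entry two lines above, so the changelog sends readers to the wrong PR; the target should match the number in the link text. The blank line inserted before that entry also splits the Fixed list in two, and since this hunk is a backport of a cookie change, entries for #2892, #2891, #2889 and #2931 do not belong in it at all; trim the hunk to the SameSite entry and fix the link where that entry is really introduced.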
Member


@bjoernricks @greenbone/gsa-maintainers Seems those entries were unrelated to this MR and at least the RADIUS entry is now duplicated in the changelog (similar happened in #2957 as well).

Member


Fixes in #2991 and #2992
