
fix(csp): upgrade UI and fix zap failure #1372

Merged
merged 1 commit into from
Apr 13, 2023

Conversation


@andaaron andaaron commented Apr 13, 2023

The zap scanner started to check the csp header, which is causing a warning.

We also need to ignore the rule, as both settings are read by the scanner.

Per https://w3c.github.io/webappsec-csp/#example-7bb4ce67 we can have multiple Content-Security-Policy headers, and the most restrictive policies apply. This rule doesn't seem to be applied by zap, which finds these headers, but still fails:

  • URL: http://localhost:8080/
    • Method: GET
    • Parameter: content-security-policy
    • Attack: ``
    • Evidence: default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src *; img-src 'self'; manifest-src 'self'; base-uri 'self'
  • URL: http://localhost:8080/
    • Method: GET
    • Parameter: Content-Security-Policy
    • Attack: ``
    • Evidence: default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self'; manifest-src 'self'; base-uri 'self'

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

The zap scanner started to check the csp header, which is causing a warning.

We also need to ignore the rule, as both settings are read by the scanner.

Per https://w3c.github.io/webappsec-csp/#example-7bb4ce67 we can have multiple
Content-Security-Policy headers, and the most restrictive policies apply.
This rule doesn't seem to be applied by zap.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
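How the two headers ZAP reported above combine, as an added example in Go that is not code from this PR or from zot: it collects every Content-Security-Policy policy a response carries (the spec enforces each one independently, so the most restrictive applies) and lists the directives holding a bare `*`, which is what a wildcard-directive check flags per policy. The type and function names and the simple parser are assumptions of this example, not zot's or ZAP's code.

```go
package main

import (
	"net/http"
	"sort"
	"strings"
)

// Policy maps a directive name to its source expressions (assumed shape).
type Policy map[string][]string

// ParsePolicy turns "dir src src; dir src" into a Policy; directive names
// are case-insensitive per the CSP spec.
func ParsePolicy(serialized string) Policy {
	p := Policy{}
	for _, d := range strings.Split(serialized, ";") {
		if f := strings.Fields(d); len(f) > 0 {
			p[strings.ToLower(f[0])] = f[1:]
		}
	}
	return p
}

// PoliciesFromHeader collects every policy a response carries. Each header
// value, and each comma-separated policy within a value, is enforced
// independently, so the effective policy is the most restrictive of them.
func PoliciesFromHeader(h http.Header) []Policy {
	var ps []Policy
	for _, v := range h.Values("Content-Security-Policy") {
		for _, s := range strings.Split(v, ",") {
			if strings.TrimSpace(s) != "" {
				ps = append(ps, ParsePolicy(s))
			}
		}
	}
	return ps
}

// WildcardDirectives lists directives whose source list holds a bare "*"
// ("*.example.com" is not a bare wildcard). A scanner checks each delivered
// policy on its own, so a wildcard in one policy is reported even when a
// stricter policy is sent alongside it.
func WildcardDirectives(p Policy) []string {
	var out []string
	for dir, srcs := range p {
		if strings.Contains(" "+strings.Join(srcs, " ")+" ", " * ") {
			out = append(out, dir)
		}
	}
	sort.Strings(out)
	return out
}
```

Run against the two header values in the ZAP output above, the first policy reports `connect-src` and the second reports nothing, which is why the scanner still fails while the browser enforces the stricter `connect-src 'self'`.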
@andaaron andaaron linked an issue Apr 13, 2023 that may be closed by this pull request
@andaaron andaaron marked this pull request as ready for review April 13, 2023 19:10
codecov bot commented Apr 13, 2023

Codecov Report

Merging #1372 (1e873b9) into main (e6b81bb) will decrease coverage by 0.02%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #1372      +/-   ##
==========================================
- Coverage   90.50%   90.49%   -0.02%     
==========================================
  Files          97       97              
  Lines       21503    21515      +12     
==========================================
+ Hits        19462    19469       +7     
- Misses       1526     1530       +4     
- Partials      515      516       +1     
Impacted Files                   Coverage Δ
pkg/extensions/extension_ui.go   92.68% <100.00%> (+3.02%) ⬆️

... and 1 file with indirect coverage changes


@rchincha rchincha merged commit e63faa8 into project-zot:main Apr 13, 2023
25 of 26 checks passed
Successfully merging this pull request may close these issues.

zap: fix CSP: Wildcard Directive [10055]