
PXP-8363 Fix/samesite cookie #951

Merged: 5 commits merged into master from fix/samesite-cookie on Aug 11, 2021

Conversation

mfshao
Contributor

@mfshao mfshao commented Aug 4, 2021

Jira Ticket: PXP-8363

Add samesite="Lax" to cookies of access_token and fence

This shouldn't break anything since some browsers (Chrome/Edge) have already been using Lax
as the default value of samesite if not declared

To fix the vulnerability documented in the Veracode scan report (link in Jira ticket)

Improvements

  • Add samesite="Lax" to cookies of access_token and fence
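As an added example (not code from this PR or from fence itself), a standard-library version of what the change does: emitting the two auth cookies' Set-Cookie headers with an explicit SameSite=Lax, next to the check a scanner performs for cookies that leave the attribute to browser defaults. The cookie names come from the PR; the values and the flagged header are constructed, and the helper names are this example's own.

```python
from http.cookies import SimpleCookie

# Cookie names from the PR (fence's auth cookies); values are constructed samples.
AUTH_COOKIES = {"access_token": "example.jwt.token", "fence": "example-session"}


def build_set_cookie_headers(cookies, samesite="Lax", secure=True, httponly=True):
    """Return one Set-Cookie header value per cookie with explicit attributes.

    Mirrors what Flask/Werkzeug's response.set_cookie(..., samesite="Lax")
    emits, using only the standard library (Python >= 3.8 knows 'samesite').
    """
    headers = []
    for name, value in cookies.items():
        jar = SimpleCookie()
        jar[name] = value
        morsel = jar[name]
        morsel["path"] = "/"
        morsel["httponly"] = httponly
        morsel["secure"] = secure
        if samesite:  # leave unset to reproduce the pre-fix header
            morsel["samesite"] = samesite
        headers.append(morsel.OutputString())
    return headers


def audit_set_cookie(header_values):
    """Return {cookie_name: [problems]} for the attributes a scanner flags.

    A cookie without SameSite is left to browser defaults (Chrome/Edge treat it
    as Lax, other browsers may not), which is exactly what the fix makes explicit.
    Lax still sends the cookie on top-level GET navigations, so it is not a
    substitute for CSRF tokens on state-changing requests.
    """
    findings = {}
    for header in header_values:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            problems = [attr for attr in ("samesite", "httponly", "secure")
                        if not morsel[attr]]
            # SameSite=None is only honoured by browsers when Secure is also set.
            if str(morsel["samesite"]).lower() == "none" and not morsel["secure"]:
                problems.append("samesite=None without secure")
            if problems:
                findings[name] = problems
    return findings
```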

@github-actions

github-actions bot commented Aug 4, 2021

The style in this PR agrees with black. ✔️

This formatting comment was generated automatically by a script in uc-cdis/wool.

@coveralls

coveralls commented Aug 4, 2021

Pull Request Test Coverage Report for Build 11478

  • 1 of 1 (100.0%) changed or added relevant line in 1 file is covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 71.012%

Totals Coverage Status
Change from base Build 11418: 0.0%
Covered Lines: 6205
Relevant Lines: 8738

💛 - Coveralls

@mfshao mfshao changed the title Fix/samesite cookie PXP-8363 Fix/samesite cookie Aug 6, 2021
@mfshao mfshao marked this pull request as ready for review August 6, 2021 21:30
@@ -46,7 +46,8 @@ retry = "^0.9.2"
sqlalchemy = "^1.3.3"
storageclient = {git = "https://github.com/uc-cdis/storage-client", rev = "1.0.2"}
userdatamodel = "^2.3.3"
werkzeug = "^0.16.0"
werkzeug = "^1.0.0"
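Review bot: moving werkzeug from ^0.16.0 to ^1.0.0 is a major-version jump that the PR description does not mention, and a caret pin now admits any 1.x release; please record in the description which Werkzeug 1.0 removals were checked (1.0 dropped the deprecated werkzeug.contrib package and the other APIs deprecated in 0.15), not only that the bump was needed for the samesite keyword in tests. The hunk header `@@ -46,7 +46,8 @@` also says one net line is added, while only a one-for-one replacement of the werkzeug line is visible here, so the added line sits below the shown context and should be reviewed with it.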
Contributor Author


need to bump up this so we can add samesite in tests

@@ -46,7 +46,8 @@ retry = "^0.9.2"
sqlalchemy = "^1.3.3"
storageclient = {git = "https://github.com/uc-cdis/storage-client", rev = "1.0.2"}
userdatamodel = "^2.3.3"
werkzeug = "^0.16.0"
werkzeug = "^1.0.0"
cachelib = "^0.2.0"
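Review bot: the new `cachelib = "^0.2.0"` dependency is justified only in a review comment; the PR description should state that it replaces the werkzeug.contrib.cache module removed in Werkzeug 1.0, and the change should confirm that every cache import in fence has been switched to cachelib, since an import of the removed module fails at startup rather than in a single test.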
Contributor Author


need to add this because of the werkzeug bump

@mfshao mfshao merged commit 7f8b48a into master Aug 11, 2021
@mfshao mfshao deleted the fix/samesite-cookie branch August 11, 2021 02:17