Closed Bug 1403247 Opened 7 years ago Closed 6 years ago

Fix up simple ZAP failures

Categories

(Taskcluster :: Services, enhancement)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)


Details

That's tc-lib-app v1.1.0.  Next steps are to upgrade services.
https://github.com/taskcluster/taskcluster-lib-app/pull/13

I pushed a secrets version that bombed out today.  It *might* have failed because of this, but I don't think so -- my read of the express-sslify source is that it just didn't do anything when passed a boolean.  In which case, the theory is that there was a random network error in heroku that broke the deployment, and with luck that won't recur.
dustin@jemison ~ $ curl -i https://taskcluster-secrets-staging.herokuapp.com/v1/secrets | grep Secu
Content-Security-Policy: report-uri /__cspreport__;default-src 'none';frame-ancestors 'none';

so hopefully we see that notching up in the next baseline scan.  Assuming so, it's easy enough to deploy to most of the other services.
It notched down, because it's an API now :(  Here are the latest failures, organized by failure with affected apps:

WARN-NEW: Strict-Transport-Security Header Not Set [10035] x 3 
	schemas
	references
	public-artifacts

WARN-NEW: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 2 
	secrets
	tools
	github
	auth
	scheduler
	queue
	purge-cache
	provisioner
	notify
	login
	index
	hooks
	github
	ec2-manager
	cloud-mirror
	aws-provisioner
	docs

WARN-NEW: Cross-Domain JavaScript Source File Inclusion [10017] x 1 
	login
	docs

WARN-NEW: Information Disclosure - Debug Error Messages [10023] x 4 
	docs

WARN-NEW: Cookie Without SameSite Attribute [10054] x 4 
	login

WARN-NEW: The JavaScript file 'jquery.min.js' includes a vulnerable version of the library 'jquery' [322420463] x 2 
	login
	docs

WARN-NEW: Application Error Disclosure [90022] x 12 
	docs

FAIL-NEW: X-Frame-Options Header Not Set [10020] x 3 
	login
	docs

FAIL-NEW: X-Content-Type-Options Header Missing [10021] x 1 
	secrets
	github
	auth
	scheduler
	queue
	purge-cache
	provisioner
	notify
	login
	index
	login
	github
	ec2-manager
	cloud-mirror
	aws-provisioner
	docs

FAIL-NEW: Content Security Policy (CSP) Header Not Set [10038] x 6 
	github
	auth
	scheduler
	queue
	purge-cache
	provisioner
	notify
	login
	index
	login
	github
	events
	ec2-manager
	cloud-mirror
	aws-provisioner
	docs

FAIL-NEW: Strict-Transport-Security Header Not Set [10035] x 5 
	secrets
	statsum
	scheduler
	login
	events
	docs

FAIL-NEW: Cross-Domain Misconfiguration [10098] x 2 
	secrets
	github
	auth
	scheduler
	queue
	purge-cache
	provisioner
	notify
	login
	index
	login
	github
	ec2-manager
	cloud-mirror
	aws-provisioner

FAIL-NEW: Cookie No HttpOnly Flag [10010] x 2 
	login

FAIL-NEW: Absence of Anti-CSRF Tokens [10202] x 6 
	login
	docs
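As an added example (not part of the bug, and not Taskcluster's own code), a checker that maps a response's headers onto the ZAP rule IDs in the list above so a deploy can be verified before the next baseline scan; the secrets staging curl output is used as a constructed sample, and the value checks and the frame-ancestors exception are this checker's own assumptions, not ZAP's exact rule logic.

```python
import re

# ZAP passive-scan rule IDs, as reported in the baseline scan above.
CACHE_CONTROL_INCOMPLETE = 10015
XFO_NOT_SET = 10020
XCTO_MISSING = 10021
HSTS_NOT_SET = 10035
CSP_NOT_SET = 10038


def zap_alerts(headers):
    """Return the sorted ZAP alert IDs a response with these headers would raise.

    Each header must be present *and* carry a value that actually enforces
    the protection; a header that is set but ineffective still fires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    alerts = set()
    directives = {d.strip() for d in h.get("cache-control", "").lower().split(",")}
    if not {"no-cache", "no-store", "must-revalidate"} <= directives:
        alerts.add(CACHE_CONTROL_INCOMPLETE)
    if h.get("x-content-type-options", "").lower() != "nosniff":
        alerts.add(XCTO_MISSING)
    max_age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not max_age or int(max_age.group(1)) <= 0:
        alerts.add(HSTS_NOT_SET)
    csp = h.get("content-security-policy", "")
    if not csp:
        alerts.add(CSP_NOT_SET)
    # Assumption of this checker: frame-ancestors in CSP supersedes X-Frame-Options
    # in CSP-aware browsers, so X-Frame-Options is only required when CSP does not cover framing.
    if "frame-ancestors" not in csp.lower() and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        alerts.add(XFO_NOT_SET)
    return sorted(alerts)


# Constructed sample: the staging secrets response from the curl above sends
# a CSP header and nothing else, so the cache, nosniff and HSTS rules fire.
STAGING_SECRETS_HEADERS = {
    "Content-Security-Policy": "report-uri /__cspreport__;default-src 'none';frame-ancestors 'none';",
}

# Constructed sample: a header set that clears all five rules.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Cache-Control": "no-cache, no-store, must-revalidate",
}
```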
Depends on: 1404461
Depends on: 1408474
Depends on: 1408475
Depends on: 1408476
Depends on: 1408477
Depends on: 1408478
Depends on: 1412005
Depends on: 1421330
We've fixed a bunch of these -- the easier / more intelligible anyway.  I'm going to call this a draw.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Component: Platform and Services → Services