Closed
Bug 1403247
Opened 7 years ago
Closed 6 years ago
Fix up simple ZAP failures
Categories
(Taskcluster :: Services, enhancement)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dustin, Assigned: dustin)
Details
Silly stuff like CSP headers on APIs. https://github.com/taskcluster/taskcluster-lib-app/pull/12
Comment 1•7 years ago
That's tc-lib-app v1.1.0. Next steps are to upgrade services.
Comment 2•7 years ago
https://github.com/taskcluster/taskcluster-lib-app/pull/13 I pushed a secrets version that bombed out today. It *might* have failed because of this, but I don't think so -- my read of the express-sslify source is that it just didn't do anything when passed a boolean. In which case, the theory is that there was a random network error in heroku that broke the deployment, and with luck that won't recur.
Comment 3•7 years ago
https://github.com/taskcluster/taskcluster-lib-app/pull/14
Comment 4•7 years ago
dustin@jemison ~ $ curl -i https://taskcluster-secrets-staging.herokuapp.com/v1/secrets | grep Secu
Content-Security-Policy: report-uri /__cspreport__;default-src 'none';frame-ancestors 'none';

So hopefully we see that notching up in the next baseline scan. Assuming so, it's easy enough to deploy to most of the other services.
Comment 5•7 years ago
It notched down, because it's an API now :(

Here are the latest failures, organized by failure with affected apps:

WARN-NEW: Strict-Transport-Security Header Not Set [10035] x 3: schemas, references, public-artifacts
WARN-NEW: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 2: secrets, tools, github, auth, scheduler, queue, purge-cache, provisioner, notify, login, index, hooks, github, ec2-manager, cloud-mirror, aws-provisioner, docs
WARN-NEW: Cross-Domain JavaScript Source File Inclusion [10017] x 1: login, docs
WARN-NEW: Information Disclosure - Debug Error Messages [10023] x 4: docs
WARN-NEW: Cookie Without SameSite Attribute [10054] x 4: login
WARN-NEW: The JavaScript file 'jquery.min.js' includes a vulnerable version of the library 'jquery' [322420463] x 2: login, docs
WARN-NEW: Application Error Disclosure [90022] x 12: docs
FAIL-NEW: X-Frame-Options Header Not Set [10020] x 3: login, docs
FAIL-NEW: X-Content-Type-Options Header Missing [10021] x 1: secrets, github, auth, scheduler, queue, purge-cache, provisioner, notify, login, index, login, github, ec2-manager, cloud-mirror, aws-provisioner, docs
FAIL-NEW: Content Security Policy (CSP) Header Not Set [10038] x 6: github, auth, scheduler, queue, purge-cache, provisioner, notify, login, index, login, github, events, ec2-manager, cloud-mirror, aws-provisioner, docs
FAIL-NEW: Strict-Transport-Security Header Not Set [10035] x 5: secrets, statsum, scheduler, login, events, docs
FAIL-NEW: Cross-Domain Misconfiguration [10098] x 2: secrets, github, auth, scheduler, queue, purge-cache, provisioner, notify, login, index, login, github, ec2-manager, cloud-mirror, aws-provisioner
FAIL-NEW: Cookie No HttpOnly Flag [10010] x 2: login
FAIL-NEW: Absence of Anti-CSRF Tokens [10202] x 6: login, docs
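Most of the FAIL-NEW entries above are missing response headers, which a single piece of middleware can set for every API route. The following is an added example, not code from taskcluster-lib-app or any of the Taskcluster services: a dependency-free Express-style header middleware, plus a small audit function that re-implements the header checks behind the ZAP rule ids quoted in the list and returns those ids for a given header set, so a fix can be verified locally before the next baseline scan. The CSP value is the one shown in comment 4; the other header values are conventional defaults assumed for this example, and `demo()` with its stub response object is constructed here.

```javascript
'use strict';

// Header set for a JSON API. Nothing is rendered, so the CSP can deny everything;
// the CSP string mirrors comment 4, the rest are assumed defaults for this example.
function apiSecurityHeaders() {
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "report-uri /__cspreport__;default-src 'none';frame-ancestors 'none';",
    'Cache-Control': 'no-store, no-cache, must-revalidate',
    'Pragma': 'no-cache',
  };
}

// Express-compatible middleware (req, res, next). It only calls res.setHeader, so it
// also works on a plain node:http response; Express itself is not required here.
function securityHeadersMiddleware(req, res, next) {
  for (const [name, value] of Object.entries(apiSecurityHeaders())) {
    res.setHeader(name, value);
  }
  next();
}

// Re-implementation of the passive header checks behind the ZAP ids in comment 5
// (this is an approximation of ZAP's rules, not ZAP's own code). Header names are
// matched case-insensitively. Returns an array of { id, name }, empty when clean.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  const report = (id, name) => findings.push({ id, name });

  if (!h['strict-transport-security']) {
    report(10035, 'Strict-Transport-Security Header Not Set');
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    report(10021, 'X-Content-Type-Options Header Missing');
  }
  if (!h['x-frame-options']) {
    report(10020, 'X-Frame-Options Header Not Set');
  }
  if (!h['content-security-policy']) {
    report(10038, 'Content Security Policy (CSP) Header Not Set');
  }
  const cc = (h['cache-control'] || '').toLowerCase();
  const pragma = (h['pragma'] || '').toLowerCase();
  if (!/no-store/.test(cc) || !/no-cache/.test(cc) || pragma !== 'no-cache') {
    report(10015, 'Incomplete or No Cache-control and Pragma HTTP Header Set');
  }
  // Set-Cookie may be a single string or an array of strings.
  const cookies = [].concat(h['set-cookie'] || []);
  for (const c of cookies) {
    if (!/;\s*httponly/i.test(c)) report(10010, 'Cookie No HttpOnly Flag');
    if (!/;\s*samesite=/i.test(c)) report(10054, 'Cookie Without SameSite Attribute');
  }
  return findings;
}

// Demonstration with a stub response object (constructed for this example):
// audit a bare JSON response, then the same response after the middleware ran.
function demo() {
  const res = { headers: {}, setHeader(name, value) { this.headers[name] = value; } };
  const before = auditHeaders({ 'Content-Type': 'application/json' });
  securityHeadersMiddleware({}, res, () => {});
  const after = auditHeaders(res.headers);
  return { before: before.map((f) => f.id), after: after.map((f) => f.id) };
}

module.exports = { apiSecurityHeaders, securityHeadersMiddleware, auditHeaders, demo };
```

Mounting the middleware before any route (`app.use(securityHeadersMiddleware)`) is what closes the 10035, 10021, 10020, 10038 and 10015 entries for an API; the cookie checks only fire for services that set cookies, such as login, and need `HttpOnly` and `SameSite` added on the cookie itself rather than a global header.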
Comment 6•7 years ago
https://gist.github.com/djmitche/5f138154426ac00fc656246c2b98e6bb
Comment 7•6 years ago
We've fixed a bunch of these -- the easier / more intelligible anyway. I'm going to call this a draw.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated•5 years ago
Component: Platform and Services → Services