Closed Bug 1596106 Opened 6 years ago Closed 5 years ago

crash-stats.allizom.org has failed the web security baseline

Categories

(Socorro :: Webapp, defect, P2)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: security-baseline, Assigned: willkg)

Details

Attachments

(1 file)

Site https://crash-stats.allizom.org has failed the web security baseline scan.

The failing tests are:

Cross-Domain Misconfiguration [10098] x 30

Absence of Anti-CSRF Tokens [10202] x 313

This issue was automatically raised.

This issue is managed automatically by the baseline scan:

  • If the failing tests change then it will be updated
  • If it is closed before the tests pass then a new one will be opened
  • When all of the tests pass then it will be closed

Full details, including how to test for these issues locally, can be found on this Security Baseline Service dashboard.
If you have any questions or concerns please get in contact with @psiinon

Assignee: nobody → willkg
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P2

I'm not sure what I need to do here for "Cross-Domain Misconfiguration" or "Absence of Anti-CSRF Tokens". I skimmed the ZAP code, but I'm still not clear on what the issue is.

I emailed Simon about it. If that doesn't pan out, I'll talk with John next week since he worked through similar issues with MLS.

Observatory says we should add "SameSite" to the cookies. There's a library that does this, but we could also write our own middleware for it.

https://pypi.org/project/django-cookies-samesite/

I don't know if that helps with the baseline scan or not.

Sorry, we definitely need better docs :/
ZAP does actually give much more info, but I haven't worked out a good way to surface it yet, hence the line about getting in touch with me :)

Cross-Domain Misconfiguration is being reported because those URLs are including the CORS header: Access-Control-Allow-Origin: *
If you actually need that then I can whitelist it, and if you're not sure then just say and we can look into it together.

Absence of Anti-CSRF Tokens is reported because the 2 forms on https://crash-stats.allizom.org/search/ don't have any anti-CSRF tokens.
As it's a search form (and therefore doesn't perform any permanent actions) then they probably don't need them, but ZAP can't tell that.
There are various ways we can fix that.
The recommended way is to include a data-no-csrf attribute in the FORM element - that's a signal to ZAP that the form really doesn't need one.
If you can't do that then we can whitelist forms via IDs, but unfortunately only one of the forms on that page has an ID:
<form id="simple_search" method="get" action="/search/quick/">

<form method="get" action="/search/" data-fields-url="/search/fields/?exclude=date" data-results-url="/search/results/" data-custom-url="/search/custom/" data-public-api-url="/api/SuperSearch/">

Can you add the data-no-csrf attribute or will we need to look at other alternatives?

Flags: needinfo?(willkg)

For the Cross-Domain Misconfiguration [10098] x 30 issues, they're all for files under /static/. That's handled by the whitenoise plugin which is adding Access-Control-Allow-Origin: * to responses. We don't need to load those files from other places or CDNs, so we can disable this whitenoise feature.

For the Absence of Anti-CSRF Tokens, there are several GET forms on the site that perform searches. There's the quick search form in the navbar, the super search form, and the signature search form. I didn't see others, but there might be more. We should add the data-no-csrf attribute to them.

Working on this now.

Flags: needinfo?(willkg)
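Added example, not Socorro's or ZAP's own code: a small Python check that mirrors the two findings discussed above (a wildcard Access-Control-Allow-Origin header, and forms carrying neither a CSRF token nor the data-no-csrf opt-out), run over constructed samples of the two /search/ forms quoted above. The token heuristic (a hidden input whose name contains "csrf") is an assumption, not ZAP's exact rule.

```python
from html.parser import HTMLParser

ACAO = "access-control-allow-origin"

def cors_wildcard_findings(responses):
    """Analogue of ZAP rule 10098: paths whose response sends Access-Control-Allow-Origin: *."""
    hits = []
    for path, headers in responses:
        lowered = {k.lower(): v.strip() for k, v in headers.items()}
        if lowered.get(ACAO) == "*":
            hits.append(path)
    return hits

class _FormScanner(HTMLParser):
    """Collects each <form>, its attributes, and whether it holds a CSRF-looking hidden input."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"attrs": a, "has_token": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Heuristic (assumption): hidden input with "csrf" in its name counts as a token.
            if a.get("type") == "hidden" and "csrf" in (a.get("name") or "").lower():
                self._current["has_token"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def csrf_findings(html):
    """Analogue of ZAP rule 10202: label each form lacking both a token and data-no-csrf.
    The label is the form id, or METHOD plus action when the form has no id (as on /search/)."""
    scanner = _FormScanner()
    scanner.feed(html)
    flagged = []
    for f in scanner.forms:
        a = f["attrs"]
        if f["has_token"] or "data-no-csrf" in a:
            continue
        flagged.append(a.get("id") or f"{a.get('method', 'get').upper()} {a.get('action', '')}")
    return flagged

# Constructed sample: the two search forms quoted in the bug plus a POST form that does carry a token.
SEARCH_PAGE = """
<form id="simple_search" method="get" action="/search/quick/"><input name="q"></form>
<form method="get" action="/search/" data-fields-url="/search/fields/?exclude=date"><input name="product"></form>
<form method="post" action="/login/"><input type="hidden" name="csrfmiddlewaretoken" value="x"></form>
"""
FIXED_PAGE = SEARCH_PAGE.replace("<form ", "<form data-no-csrf ")  # the fix discussed above
# Constructed sample responses: a static file served with the wildcard header, and a page without it.
RESPONSES = [("/static/app.js", {"Access-Control-Allow-Origin": "*"}), ("/search/", {"Content-Type": "text/html"})]
```

Running `csrf_findings(SEARCH_PAGE)` reports the two GET search forms (only one by id), and `csrf_findings(FIXED_PAGE)` reports nothing once data-no-csrf is present.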

willkg merged PR #5289: "bug 1596106: security fixes" in 02f5e24.

After this deploys to stage, I'll see how ZAP feels about it and then verify it didn't break anything (I don't think it did).

The security baseline report suggests that we're good here. I'm not sure why this bug didn't get closed.

Simon: Are we good here?

Flags: needinfo?(sbennetts)

Yeah, all good. I'm not sure why the bug wasn't updated automatically either right now, but I'll look into it.
Thanks for fixing these issues!

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(sbennetts)
Resolution: --- → FIXED