fix(csp): upgrade UI and fix zap failure (#1372)

The zap scanner started to check the csp header, which is causing a warning. We also need to ignore the rule, as both settings are read by the scanner. Per https://w3c.github.io/webappsec-csp/#example-7bb4ce67 we can have multiple Content-Security-Policy headers, and the most restrictive policies apply. This rule doesn't seem to be applied by zap. Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2024-12-16 21:56:37 -05:00 · 2023-04-13 23:48:09 +03:00 · 2023-04-13 23:48:09 +03:00 · e63faa8898
commit e63faa8898
parent 9638899e6e
3 changed files with 16 additions and 3 deletions
--- a/.zap/rules.tsv
+++ b/.zap/rules.tsv
@ -37,7 +37,7 @@
 10050	WARN	(Retrieved from Cache)
 10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak)
 10054	WARN	(Cookie without SameSite Attribute)
-10055	WARN	(CSP)
+10055	IGNORE	(CSP) We set CSP in both UI (with *) and backend (no *), unfortunately the UI needs to use * in case it is deployed separately
 10056	WARN	(X-Debug-Token Information Leak)
 10057	WARN	(Username Hash Found)
 10061	WARN	(X-AspNet-Version Response Header)
@ -56,7 +56,7 @@
 50001	WARN	(Script Passive Scan Rules)
 90001	WARN	(Insecure JSF ViewState)
 90002	WARN	(Java Serialization Object)
-90003	IGNORE	(Sub Resource Integrity Attribute Missing)  Google Fonts API return dynamic stylesheets depending on OS/Browser and it is not possible to use static identity hashes
+90003	WARN	(Sub Resource Integrity Attribute Missing)
 90011	WARN	(Charset Mismatch)
 90022	WARN	(Application Error Disclosure)
 90030	WARN	(WSDL File Detection)
--- a/2
+++ b/2
@ -23,7 +23,7 @@ CRICTL := $(TOOLSDIR)/bin/crictl
 CRICTL_VERSION := v1.26.1
 ACTION_VALIDATOR := $(TOOLSDIR)/bin/action-validator
 ACTION_VALIDATOR_VERSION := v0.2.1
-ZUI_VERSION := commit-2f94cc3
+ZUI_VERSION := commit-e0d4417
 STACKER := $(TOOLSDIR)/bin/stacker
 BATS := $(TOOLSDIR)/bin/bats
 TESTDATA := $(TOP_LEVEL)/test/data
--- a/pkg/extensions/extension_ui.go
+++ b/pkg/extensions/extension_ui.go
@ -7,6 +7,7 @@ import (
 	"embed"
 	"io/fs"
 	"net/http"
+	"strings"

 	"github.com/gorilla/mux"

@ -40,6 +41,18 @@ func addUISecurityHeaders(h http.Handler) http.HandlerFunc { //nolint:varnamelen
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 		w.Header().Set("X-Frame-Options", "DENY")

+		cspDirectives := []string{
+			"default-src 'none'",
+			"script-src 'self' 'unsafe-inline'",
+			"style-src 'self' 'unsafe-inline'",
+			"font-src 'self'",
+			"connect-src 'self'",
+			"img-src 'self'",
+			"manifest-src 'self'",
+			"base-uri 'self'",
+		}
+		w.Header().Set("Content-Security-Policy", strings.Join(cspDirectives, "; "))
+
 		h.ServeHTTP(w, r)
 	}
 }