Open Subsurface Data Universe Software / Platform / System / Search, merge request !81

(GONRG-1759) Fix Security response headers issue

Merged Igor Filippov (EPAM) requested to merge GCP-add-response-headers into master Mar 02, 2021

Issue

Testing team reported "VULN-05 HSTS and CSP not implemented properly".

The report is attached to GONRG-1637: "API security testing report _Trajectory.pdf".

They say "The HSTS and CSP headers are not implemented. A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate".

Reported contexts: STORAGE, DELIVERY

Replay and analysis

Debugged the Search service API:

```shell
curl --location --request POST 'https://os-search-attcrcktoa-uc.a.run.app/api/search/v2/query' \
--header 'Authorization: Bearer <token>' \
--header 'data-partition-id: osdu' \
--header 'Content-Type: application/json' \
--data-raw '{
   "kind": "osdu:osdu:*:0.2.0",
   "query": "BIR*"
}'
```

  • Noticed the absence of security headers (Strict-Transport-Security, Content-Security-Policy etc.) in responses
  • Analyzed the Search service Java code
    • found no "active" code for setting security headers on responses
    • found the inactivated class "org.opengroup.osdu.search.middleware.CorrelationIDRequestFilter", designed to set the needed headers
      • the class is inactivated by the commented-out "@Component" annotation
    • the CorrelationIDRequestFilter component should be reviewed, updated and reactivated
      • see the similar functionality we have in the Storage service: GONRG-1756
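For reference, an added example (not the project's CorrelationIDRequestFilter, whose contents are not shown here) of a Spring servlet filter that sets the headers VULN-05 reports as missing; the class name and the header values are assumptions:

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: adds the response headers the testing report asks for.
// @Component is what registers it with Spring; a commented-out annotation
// (as in the inactivated CorrelationIDRequestFilter) means it is never applied.
@Component
public class SecurityHeadersFilter extends OncePerRequestFilter {

    // One year, subdomains included: after the first successful HTTPS visit
    // the browser refuses plain HTTP and rejects invalid certificates outright
    // instead of offering a click-through warning.
    private static final String HSTS = "max-age=31536000; includeSubDomains";

    // A JSON API serves no scripts, styles or frames, so the policy can be strict.
    private static final String CSP = "default-src 'none'; frame-ancestors 'none'";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        // Set the headers before the chain runs so that an early-returning
        // handler (for example a 401 from the auth layer) still carries them.
        response.setHeader("Strict-Transport-Security", HSTS);
        response.setHeader("Content-Security-Policy", CSP);
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("X-Frame-Options", "DENY");
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(request, response);
    }
}
```

Re-running the curl above with `-i` should then show both Strict-Transport-Security and Content-Security-Policy in the response headers.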

Type of change

  • Bug Fix
  • Feature

Does this introduce a change in the core logic?

  • [YES]

Does this introduce a change in the cloud provider implementation, if so which cloud?

  • AWS
  • Azure
  • GCP
  • IBM

Does this introduce a breaking change?

  • [NO]

Have you added/updated Unit Tests and Integration Tests?

  • [NO]
Edited Mar 19, 2021 by Riabokon Stanislav(EPAM)[GCP]
Source branch: GCP-add-response-headers