
(GONRG-1759) Fix Security response headers issue

Igor Filippov (EPAM) requested to merge GCP-add-response-headers into master

Issue

Testing team reported "VULN-05 HSTS and CSP not implemented properly".

The report is attached to the GONRG-1637: [^API security testing report _Trajectory.pdf].

They say "The HSTS and CSP headers are not implemented. A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate".

Reported contexts: STORAGE, DELIVERY

Replay and analysis

Debugged Search service API:

curl --location --request POST 'https://os-search-attcrcktoa-uc.a.run.app/api/search/v2/query' \
--header 'Authorization: Bearer <token>' \
--header 'data-partition-id: osdu' \
--header 'Content-Type: application/json' \
--data-raw '{
   "kind": "osdu:osdu:*:0.2.0",
   "query": "BIR*"
}'
  • Noticed the absence of security headers (Strict-Transport-Security, Content-Security-Policy, etc.) in responses
  • Analyzed the Search service Java code
    • found no "active" code for setting security headers on responses
    • found the deactivated class "org.opengroup.osdu.search.middleware.CorrelationIDRequestFilter", designed to set the needed headers
      • the class is deactivated by the commented-out "@Component" annotation
    • the CorrelationIDRequestFilter component should be reviewed, brought up to date and reactivated
      • see the similar functionality we have in the Storage service: GONRG-1756

Type of change

  • Bug Fix
  • Feature

Does this introduce a change in the core logic?

  • [YES]

Does this introduce a change in the cloud provider implementation, if so which cloud?

  • AWS
  • Azure
  • GCP
  • IBM

Does this introduce a breaking change?

  • [NO]

Have you added/updated Unit Tests and Integration Tests?

  • [NO]
Edited by Riabokon Stanislav(EPAM)[GCP]
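
As an added illustration of the kind of filter the analysis above calls for (this is example code, not code from this merge request or from the OSDU project): a Spring `OncePerRequestFilter` that sets HSTS and CSP on every response and is registered through the `@Component` annotation that was found commented out. The class name, package, header values, and Spring Boot 2 / javax.servlet are assumptions.

```java
package example.security; // assumed package, not the project's

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Adds the response headers the testing report found missing (HSTS, CSP)
 * plus a few related hardening headers. The filter only takes effect because
 * of @Component: if that annotation is commented out, Spring never registers
 * the bean and no header is set, which is the failure mode described above.
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // run before any other filter or handler
public class SecurityHeadersFilter extends OncePerRequestFilter {

    // Assumed values; CSP in particular must match what the API actually serves.
    static final String HSTS = "max-age=31536000; includeSubDomains";
    static final String CSP = "default-src 'self'; frame-ancestors 'none'";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        // Set the headers before delegating, so they are present even when a
        // downstream handler commits the response early (e.g. on an error).
        response.setHeader("Strict-Transport-Security", HSTS);
        response.setHeader("Content-Security-Policy", CSP);
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("X-Frame-Options", "DENY");
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(request, response);
    }
}
```

To confirm the fix against a deployed service, replay the request from the analysis with `curl -s -D - -o /dev/null ...` and check that both `Strict-Transport-Security` and `Content-Security-Policy` appear in the dumped response headers.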
