
fix: GEO-1237, GEO-1238 - fixed critical security issues identified in WAVA scan #858

Merged
merged 8 commits into from
Nov 26, 2024

Conversation

banders
Contributor

@banders banders commented Nov 26, 2024

Description

Fixed two scenarios where SQL injection attacks on the backend public API were possible. The affected endpoints are:

  • POST api/auth/refresh
  • POST api/v1/file-upload

Both endpoints now perform additional validation on the request body to ensure parameters are of the right type.

Also explicitly set the cookie "samesite" policy for the public app to "lax". Lax provides some protection against Cross Site Request Forgery attacks. This is one step down from "strict", which would be preferable, but our use of a third party site for login means we cannot use "strict" without some other changes to the login process. We were probably using the "lax" policy previously because it may have been enabled by default, but now it is enabled explicitly for the public site.

Fixes GEO-1237

Also applied the same cookie "samesite" policy as noted above to the admin site.

Fixes GEO-1238

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

Updated unit tests

Checklist

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have already been accepted and merged
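As an added example that is not part of this PR or the project's code, and assuming a Node.js backend (the PR does not state the language) with placeholder field names for the two endpoints: a schema-driven request-body type check of the kind the description mentions, rejecting arrays, objects and unexpected fields where scalars are expected, together with a Set-Cookie value that states SameSite=Lax explicitly instead of relying on a framework default.

```javascript
// Added example, not code from the Pay Transparency project. Endpoint names
// come from the PR; the field names below are assumed placeholders.

// Expected JSON type of each body field, keyed by the endpoints the PR lists.
const ENDPOINT_SCHEMAS = {
  'POST api/auth/refresh': { refreshToken: 'string' },                    // assumed fields
  'POST api/v1/file-upload': { fileName: 'string', reportYear: 'number' }, // assumed fields
};

// JSON type name that tells arrays and null apart from plain objects,
// because typeof reports 'object' for all three.
function jsonType(value) {
  if (value === null) return 'null';
  return Array.isArray(value) ? 'array' : typeof value;
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a list of problems; an empty list means the body may proceed to the
// handler. A body that is not a plain object, a field of the wrong type and
// any field the schema does not declare are all rejected, so only scalars of
// the declared type ever reach the query layer.
function validateBody(endpoint, body) {
  const schema = ENDPOINT_SCHEMAS[endpoint];
  if (!schema) return [`unknown endpoint: ${endpoint}`];
  if (jsonType(body) !== 'object') return ['request body must be a JSON object'];
  const problems = [];
  for (const [field, expected] of Object.entries(schema)) {
    if (!hasOwn(body, field)) { problems.push(`${field}: missing`); continue; }
    const actual = jsonType(body[field]);
    if (actual !== expected) problems.push(`${field}: expected ${expected}, got ${actual}`);
  }
  for (const field of Object.keys(body)) {
    if (!hasOwn(schema, field)) problems.push(`${field}: unexpected field`);
  }
  return problems;
}

// Set-Cookie value for the session cookie. SameSite is written out explicitly
// (Lax by default, matching the PR) rather than left to the framework, and
// only the two policies the PR discusses are accepted.
const SAME_SITE_POLICIES = new Set(['Lax', 'Strict']);
function sessionCookie(name, value, sameSite = 'Lax') {
  if (!SAME_SITE_POLICIES.has(sameSite)) throw new Error(`unsupported SameSite: ${sameSite}`);
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`;
}
```

In an Express-style app, `validateBody` would run in middleware and answer 400 with the problem list before the route handler sees the body.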

Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

After merge, new images are deployed in:

@banders banders changed the title fix: GEO-1237 - fixed critical security issues identified in WAVA scan fix: GEO-1237, GEO-1238 - fixed critical security issues identified in WAVA scan Nov 26, 2024

Quality Gate passed for 'Pay Transparency backend-external'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Quality Gate failed for 'Pay Transparency Backend'

Failed conditions
70.8% Coverage on New Code (required ≥ 80%)
35.0% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

Quality Gate passed for 'Pay Transparency admin-frontend'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Quality Gate passed for 'Pay Transparency doc-gen-service'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@sukanya-rath sukanya-rath enabled auto-merge (squash) November 26, 2024 21:01
@sukanya-rath sukanya-rath merged commit 3557a4d into main Nov 26, 2024
35 of 38 checks passed
@sukanya-rath sukanya-rath deleted the fix/security-issues branch November 26, 2024 21:11