GEODE-1532: Fix Pulse Clickjacking vuln. * Removed firefox driver dependency * This closes #256
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/a78fa753 Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/a78fa753 Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/a78fa753 Branch: refs/heads/develop Commit: a78fa7537dfd656521649d57245ecd7fa05b2d31 Parents: 6054e00 Author: Jared Stewart <jstew...@pivotal.io> Authored: Mon Oct 10 18:48:01 2016 -0700 Committer: Jinmei Liao <jil...@pivotal.io> Committed: Wed Oct 12 09:52:40 2016 -0700 ---------------------------------------------------------------------- geode-pulse/build.gradle | 1 - geode-pulse/src/main/webapp/WEB-INF/spring-security.xml | 5 +++++ .../geode/tools/pulse/testbed/driver/PulseUITest.java | 11 +++++++++-- 3 files changed, 14 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/a78fa753/geode-pulse/build.gradle ----------------------------------------------------------------------
diff --git a/geode-pulse/build.gradle b/geode-pulse/build.gradle
index ef29ab3..3d19dea 100755
--- a/geode-pulse/build.gradle
+++ b/geode-pulse/build.gradle
@@ -73,7 +73,6 @@ dependencies {
 exclude module: 'selenium-java' //by artifact name
 }
- testCompile 'org.seleniumhq.selenium:selenium-firefox-driver:' + project.'selenium.version'
 testCompile 'org.seleniumhq.selenium:selenium-api:' + project.'selenium.version'
 testCompile 'org.seleniumhq.selenium:selenium-remote-driver:' + project.'selenium.version'
 testCompile 'org.seleniumhq.selenium:selenium-support:' + project.'selenium.version'
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/a78fa753/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml ----------------------------------------------------------------------
diff --git a/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml b/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml
index b4fccf0..2842f64 100644
--- a/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml
+++ b/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml
@@ -47,6 +47,11 @@ <form-login login-page="/Login.html" authentication-failure-handler-ref="authenticationFailureHandler" default-target-url="/clusterDetail.html" />
+ <headers>
+ <frame-options policy="DENY" />
+ <content-type-options />
+ <xss-protection enabled="true" block="true" />
+ </headers>
 <logout logout-url="/pulse/clusterLogout" success-handler-ref="customLogoutSuccessHandler"/>
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/a78fa753/geode-pulse/src/test/java/org/apache/geode/tools/pulse/testbed/driver/PulseUITest.java ----------------------------------------------------------------------
diff --git a/geode-pulse/src/test/java/org/apache/geode/tools/pulse/testbed/driver/PulseUITest.java b/geode-pulse/src/test/java/org/apache/geode/tools/pulse/testbed/driver/PulseUITest.java
index ced298b..5a02edc 100644
--- a/geode-pulse/src/test/java/org/apache/geode/tools/pulse/testbed/driver/PulseUITest.java
+++ b/geode-pulse/src/test/java/org/apache/geode/tools/pulse/testbed/driver/PulseUITest.java
@@ -31,7 +31,8 @@ import org.junit.experimental.categories.Category;
 import org.openqa.selenium.By;
 import org.openqa.selenium.WebDriver;
 import org.openqa.selenium.WebElement;
-import org.openqa.selenium.firefox.FirefoxDriver;
+import org.openqa.selenium.phantomjs.PhantomJSDriver;
+import org.openqa.selenium.remote.DesiredCapabilities;
 import org.openqa.selenium.support.ui.ExpectedCondition;
 import org.openqa.selenium.support.ui.WebDriverWait;
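Review bot: The new `<headers>` block has no test behind it — the commit changes the Selenium driver in PulseUITest but adds no assertion that a Pulse response actually carries `X-Frame-Options: DENY`, so a later edit to spring-security.xml could drop the clickjacking fix unnoticed; a request to `/Login.html` in the existing UI test with a check on the response headers would pin it. `X-Frame-Options` is the legacy control and browsers also honour the CSP equivalent, so adding `<header name="Content-Security-Policy" value="frame-ancestors 'none'" />` inside the same `<headers>` element would cover both, provided the Spring Security version in use supports the static `<header>` element (present in the 3.2+ namespace). These headers are emitted only on responses that pass through this filter chain, so any pattern mapped with `security="none"` elsewhere in the file (not visible in the hunk) would not receive them. The enclosing `<http>` element starts and ends outside the hunk.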
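Review bot: `org.openqa.selenium.phantomjs.PhantomJSDriver` is not part of selenium-api, selenium-remote-driver or selenium-support, which are the only Selenium test dependencies left in the build.gradle hunk once selenium-firefox-driver is removed; it ships in the separate phantomjsdriver artifact and also needs a phantomjs binary available to the test run. Unless that dependency already exists in build.gradle outside the hunk, this import will not compile, so the gradle hunk should add it alongside the remaining Selenium lines. The new `DesiredCapabilities` import is satisfied by selenium-remote-driver and is fine.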
@@ -77,7 +78,13 @@ public class PulseUITest {
 pulseURL = "http://" + host + ":" + port + context;
 Thread.sleep(1000); //wait till tomcat settles down
- driver = new FirefoxDriver();
+
+ DesiredCapabilities capabilities = new DesiredCapabilities();
+ capabilities.setJavascriptEnabled(true);
+ capabilities.setCapability("takesScreenshot", true);
+ capabilities.setCapability("phantomjs.page.settings.userAgent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:16.0) Gecko/20121026 Firefox/16.0");
+
+ driver = new PhantomJSDriver(capabilities);
 driver.manage().window().maximize();//required to make all elements visible
 Thread.sleep(5000); //wait till pulse starts polling threads...