KNOX-1310 - The X-Content-Type-Options header should be set as 'nosniff'
Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/7953de69 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/7953de69 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/7953de69 Branch: refs/heads/master Commit: 7953de69200ba1e9c2189bdd1b9a387831c79376 Parents: 1c75488 Author: Phil Zampino <pzamp...@apache.org> Authored: Tue May 15 14:53:47 2018 -0400 Committer: Phil Zampino <pzamp...@apache.org> Committed: Tue May 15 21:57:00 2018 -0400 ---------------------------------------------------------------------- .../provider-config-wizard/webappsec-wizard.ts | 22 +-- .../xcontent-type-options-provider-config.ts | 64 +++++++++ .../src/app/resource/resource.service.ts | 1 - .../applications/admin-ui/app/index.html | 2 +- .../app/inline.54158808b163fa44d0bd.bundle.js | 1 - .../app/inline.dc59050cc2ba8fa0f20a.bundle.js | 1 + .../app/main.01aab16068818ea5386e.bundle.js | 1 - .../app/main.74bb3a74ba22824ce047.bundle.js | 1 + .../webappsec/deploy/WebAppSecContributor.java | 71 +++++++--- .../filter/XContentTypeOptionsFilter.java | 123 ++++++++++++++++ .../XContentTypeOptionsFilterTest.java | 141 +++++++++++++++++++ 11 files changed, 395 insertions(+), 33 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/7953de69/gateway-admin-ui/src/app/provider-config-wizard/webappsec-wizard.ts ---------------------------------------------------------------------- diff --git a/gateway-admin-ui/src/app/provider-config-wizard/webappsec-wizard.ts b/gateway-admin-ui/src/app/provider-config-wizard/webappsec-wizard.ts index 3f7bca3..c6d0d35 100644 --- a/gateway-admin-ui/src/app/provider-config-wizard/webappsec-wizard.ts +++ b/gateway-admin-ui/src/app/provider-config-wizard/webappsec-wizard.ts 
@@ -40,30 +40,34 @@ import {CORSProviderConfig} from "./cors-provider-config"; import {WebAppSecurityContributor} from "./webappsec-contributor"; import {STSProviderConfig} from "./sts-provider-config"; import {XFrameOptionsProviderConfig} from "./xframeoptions-provider-config"; +import {XContentTypeOptionsProviderConfig} from "./xcontent-type-options-provider-config"; export class WebAppSecurityWizard extends CategoryWizard implements ProviderContributorWizard { private stepCount: number = 4; // WebAppSec provider types - private static CSRF: string = 'Cross-Site Request Forgery'; - private static CORS: string = 'Cross-Origin Resource Sharing'; - private static XFRAME: string = 'X-Frame-Options'; - private static STS: string = 'Strict Transport Security'; + private static CSRF: string = 'Cross-Site Request Forgery'; + private static CORS: string = 'Cross-Origin Resource Sharing'; + private static XFRAME: string = 'X-Frame-Options'; + private static XCONTENT_TYPE: string = 'X-Content-Type-Options'; + private static STS: string = 'Strict Transport Security'; private static webAppSecTypes: string[] = [ WebAppSecurityWizard.CSRF, WebAppSecurityWizard.CORS, WebAppSecurityWizard.XFRAME, + WebAppSecurityWizard.XCONTENT_TYPE, WebAppSecurityWizard.STS ] private static typeConfigMap: Map<string, typeof WebAppSecurityContributor> = new Map([ - [WebAppSecurityWizard.CSRF, CSRFProviderConfig], - [WebAppSecurityWizard.CORS, CORSProviderConfig], - [WebAppSecurityWizard.XFRAME, XFrameOptionsProviderConfig], - [WebAppSecurityWizard.STS, STSProviderConfig] - ] as [string, typeof WebAppSecurityContributor][]); + [WebAppSecurityWizard.CSRF, CSRFProviderConfig], + [WebAppSecurityWizard.CORS, CORSProviderConfig], + [WebAppSecurityWizard.XFRAME, XFrameOptionsProviderConfig], + [WebAppSecurityWizard.XCONTENT_TYPE, XContentTypeOptionsProviderConfig], + [WebAppSecurityWizard.STS, STSProviderConfig] + ] as [string, typeof WebAppSecurityContributor][]); getTypes(): string[] { 
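Review bot: Most of the `-`/`+` pairs in this hunk (the `CSRF`, `CORS`, `XFRAME` and `STS` constants and the four existing `typeConfigMap` entries, plus the closing `] as [...]` line) appear to differ only in indentation, which buries the two substantive additions (`XCONTENT_TYPE` and its `typeConfigMap` entry) in whitespace churn; a whitespace-only reformat is better kept out of a functional change, or at least called out in the commit message so reviewers know nothing else moved. On the substance, the new key is inserted at the same position in `webAppSecTypes` and in `typeConfigMap`, so the wizard's menu order and the type lookup stay consistent. The `WebAppSecurityWizard` class body continues past the end of the hunk.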
http://git-wip-us.apache.org/repos/asf/knox/blob/7953de69/gateway-admin-ui/src/app/provider-config-wizard/xcontent-type-options-provider-config.ts
----------------------------------------------------------------------
diff --git a/gateway-admin-ui/src/app/provider-config-wizard/xcontent-type-options-provider-config.ts b/gateway-admin-ui/src/app/provider-config-wizard/xcontent-type-options-provider-config.ts
new file mode 100644
index 0000000..b340548
--- /dev/null
+++ b/gateway-admin-ui/src/app/provider-config-wizard/xcontent-type-options-provider-config.ts
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {WebAppSecurityContributor} from "./webappsec-contributor";
+
+export class XContentTypeOptionsProviderConfig extends WebAppSecurityContributor {
+
+ public static VALUE: string = 'X-Content-Type-Options Header';
+
+ private static SUPPORTED_VALUES: string[] = ['nosniff'];
+
+ private static displayPropertyNames = [ XContentTypeOptionsProviderConfig.VALUE ];
+
+ private static displayPropertyNameBindings: Map<string, string> =
+ new Map([ [XContentTypeOptionsProviderConfig.VALUE, 'xcontent-type.options.value'] ] as [string, string][]);
+
+ constructor() {
+ super();
+ // Set the default values
+ this.setParam('xcontent-type.options.enabled', 'true');
+ this.setParam(XContentTypeOptionsProviderConfig.displayPropertyNameBindings.get(XContentTypeOptionsProviderConfig.VALUE),
+ 'nosniff');
+ }
+
+ getDisplayPropertyNames(): string[] {
+ return XContentTypeOptionsProviderConfig.displayPropertyNames;
+ }
+
+ getDisplayNamePropertyBinding(name: string): string {
+ return XContentTypeOptionsProviderConfig.displayPropertyNameBindings.get(name);
+ }
+
+ isValidParamValue(paramName: string): boolean {
+ let isValid: boolean = true;
+
+ let value = 
this.getParam(this.getDisplayNamePropertyBinding(paramName));
+ if (value) {
+ switch (paramName) {
+ case XContentTypeOptionsProviderConfig.VALUE:
+ value = value.trim().toLowerCase();
+ isValid = XContentTypeOptionsProviderConfig.SUPPORTED_VALUES.includes(value);
+ break;
+ default:
+ }
+ }
+
+ return isValid;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/7953de69/gateway-admin-ui/src/app/resource/resource.service.ts
----------------------------------------------------------------------
diff --git a/gateway-admin-ui/src/app/resource/resource.service.ts b/gateway-admin-ui/src/app/resource/resource.service.ts
index b709dab..618f80e 100644
--- a/gateway-admin-ui/src/app/resource/resource.service.ts
+++ b/gateway-admin-ui/src/app/resource/resource.service.ts
@@ -245,7 +245,6 @@ export class ResourceService { break; } } - this.logHeaders(headers); // TODO: PJZ: DELETE ME return headers; }
http://git-wip-us.apache.org/repos/asf/knox/blob/7953de69/gateway-applications/src/main/resources/applications/admin-ui/app/index.html
----------------------------------------------------------------------
diff --git a/gateway-applications/src/main/resources/applications/admin-ui/app/index.html b/gateway-applications/src/main/resources/applications/admin-ui/app/index.html
index 1cb9c5e..69c5639 100644
--- a/gateway-applications/src/main/resources/applications/admin-ui/app/index.html
+++ b/gateway-applications/src/main/resources/applications/admin-ui/app/index.html
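Review bot: `isValidParamValue` reports `true` whenever the bound value is empty or missing, because `isValid` starts at `true` and the `if (value)` guard skips the `SUPPORTED_VALUES` check entirely, so if the wizard lets a user clear the `X-Content-Type-Options Header` field an empty header value passes validation and is handed on to the provider config unless the contributor or the Java filter (in this commit's diffstat but not visible here) rejects it. If an empty value is meant to fall back to the `nosniff` default set in the constructor, say so on the guard, e.g. `// Empty value is accepted here and the 'nosniff' default applies — confirm the contributor does not persist an empty header value`; otherwise add an `else` branch that sets `isValid = false` for `paramName === XContentTypeOptionsProviderConfig.VALUE`. A second point: the value is trimmed and lowercased only for the `includes` comparison, so the stored parameter keeps whatever the user typed (`' NoSniff '` validates but is persisted as typed); normalising before `setParam`, or validating the raw value, keeps what is written to the topology identical to what was validated. The class also has no doc comment; a one-line TSDoc stating that this contributor configures the X-Content-Type-Options provider and accepts only the `nosniff` value would help the next maintainer.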
@@ -11,4 +11,4 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ---><!doctype html><html><head><meta charset="utf-8"><title>Apache Knox Manager</title><meta name="viewport" content="width=device-width,initial-scale=1"><link rel="icon" type="image/x-icon" href="favicon.ico"><meta name="viewport" content="width=device-width,initial-scale=1"><!-- Latest compiled and minified CSS --><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous"><!-- Optional theme --><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous"><!-- Custom styles for this template --><link href="assets/sticky-footer.css" rel="stylesheet"><script src="https://ajax.googleapis.com/ajax/libs/jquery/3.0.0/jquery.min.js"></script><!-- Latest compiled and minified JavaScript --><scr ipt src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script><script src="assets/vkbeautify.js"></script><link href="styles.2ee5b7f4cd59a6cf015e.bundle.css" rel="stylesheet"/></head><body><div class="navbar-wrapper"><div class="container-fluid"><nav class="navbar navbar-inverse navbar-static-top"><div class="container-fluid"><div class="navbar-header"><button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar"><span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span></button> <a class="navbar-brand" 
href="#"><img style="max-width:200px; margin-top: -9px;" src="assets/knox-logo-transparent.gif" alt="Apache Knox Manager"></a></div></div></nav></div><!-- Content --><resource-management></res ource-management><footer class="footer"><div class="container-fluid"><div>Knox Manager Version 1.0.0</div><gateway-version></gateway-version></div></footer><script type="text/javascript" src="inline.54158808b163fa44d0bd.bundle.js"></script><script type="text/javascript" src="scripts.c50bb762c438ae0f8842.bundle.js"></script><script type="text/javascript" src="main.01aab16068818ea5386e.bundle.js"></script></div></body></html> \ No newline at end of file +--><!doctype html><html><head><meta charset="utf-8"><title>Apache Knox Manager</title><meta name="viewport" content="width=device-width,initial-scale=1"><link rel="icon" type="image/x-icon" href="favicon.ico"><meta name="viewport" content="width=device-width,initial-scale=1"><!-- Latest compiled and minified CSS --><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous"><!-- Optional theme --><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous"><!-- Custom styles for this template --><link href="assets/sticky-footer.css" rel="stylesheet"><script src="https://ajax.googleapis.com/ajax/libs/jquery/3.0.0/jquery.min.js"></script><!-- Latest compiled and minified JavaScript --><scr ipt src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script><script src="assets/vkbeautify.js"></script><link href="styles.2ee5b7f4cd59a6cf015e.bundle.css" rel="stylesheet"/></head><body><div 
class="navbar-wrapper"><div class="container-fluid"><nav class="navbar navbar-inverse navbar-static-top"><div class="container-fluid"><div class="navbar-header"><button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar"><span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span></button> <a class="navbar-brand" href="#"><img style="max-width:200px; margin-top: -9px;" src="assets/knox-logo-transparent.gif" alt="Apache Knox Manager"></a></div></div></nav></div><!-- Content --><resource-management></res ource-management><footer class="footer"><div class="container-fluid"><div>Knox Manager Version 1.0.0</div><gateway-version></gateway-version></div></footer><script type="text/javascript" src="inline.dc59050cc2ba8fa0f20a.bundle.js"></script><script type="text/javascript" src="scripts.c50bb762c438ae0f8842.bundle.js"></script><script type="text/javascript" src="main.74bb3a74ba22824ce047.bundle.js"></script></div></body></html> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/7953de69/gateway-applications/src/main/resources/applications/admin-ui/app/inline.54158808b163fa44d0bd.bundle.js ---------------------------------------------------------------------- diff --git a/gateway-applications/src/main/resources/applications/admin-ui/app/inline.54158808b163fa44d0bd.bundle.js b/gateway-applications/src/main/resources/applications/admin-ui/app/inline.54158808b163fa44d0bd.bundle.js deleted file mode 100644 index 097bfcf..0000000 --- a/gateway-applications/src/main/resources/applications/admin-ui/app/inline.54158808b163fa44d0bd.bundle.js +++ /dev/null 
@@ -1 +0,0 @@ -!function(e){var n=window.webpackJsonp;window.webpackJsonp=function(r,a,c){for(var u,i,f,l=0,s=[];l<r.length;l++)t[i=r[l]]&&s.push(t[i][0]),t[i]=0;for(u in a)Object.prototype.hasOwnProperty.call(a,u)&&(e[u]=a[u]);for(n&&n(r,a,c);s.length;)s.shift()();if(c)for(l=0;l<c.length;l++)f=o(o.s=c[l]);return f};var r={},t={2:0};function o(n){if(r[n])return r[n].exports;var t=r[n]={i:n,l:!1,exports:{}};return e[n].call(t.exports,t,t.exports,o),t.l=!0,t.exports}o.e=function(e){var n=t[e];if(0===n)return new Promise(function(e){e()});if(n)return n[2];var r=new Promise(function(r,o){n=t[e]=[r,o]});n[2]=r;var a=document.getElementsByTagName("head")[0],c=document.createElement("script");c.type="text/javascript",c.charset="utf-8",c.async=!0,c.timeout=12e4,o.nc&&c.setAttribute("nonce",o.nc),c.src=o.p+""+e+"."+{0:"01aab16068818ea5386e",1:"aed76669724804835353"}[e]+".chunk.js";var u=setTimeout(i,12e4);function i(){c.onerror=c.onload=null,clearTimeout(u);var n=t[e];0!==n&&(n&&n[1](new Error("Loading chu nk "+e+" failed.")),t[e]=void 0)}return c.onerror=c.onload=i,a.appendChild(c),r},o.m=e,o.c=r,o.d=function(e,n,r){o.o(e,n)||Object.defineProperty(e,n,{configurable:!1,enumerable:!0,get:r})},o.n=function(e){var n=e&&e.__esModule?function(){return e.default}:function(){return e};return o.d(n,"a",n),n},o.o=function(e,n){return Object.prototype.hasOwnProperty.call(e,n)},o.p="",o.oe=function(e){throw console.error(e),e}}([]); \ No newline at end of file http://git-wip-us.apache.org/repos/asf/knox/blob/7953de69/gateway-applications/src/main/resources/applications/admin-ui/app/inline.dc59050cc2ba8fa0f20a.bundle.js ---------------------------------------------------------------------- diff --git a/gateway-applications/src/main/resources/applications/admin-ui/app/inline.dc59050cc2ba8fa0f20a.bundle.js b/gateway-applications/src/main/resources/applications/admin-ui/app/inline.dc59050cc2ba8fa0f20a.bundle.js new file mode 100644 index 0000000..65c1b28 --- /dev/null 
+++ b/gateway-applications/src/main/resources/applications/admin-ui/app/inline.dc59050cc2ba8fa0f20a.bundle.js @@ -0,0 +1 @@ +!function(e){var n=window.webpackJsonp;window.webpackJsonp=function(r,c,a){for(var u,i,f,l=0,s=[];l<r.length;l++)t[i=r[l]]&&s.push(t[i][0]),t[i]=0;for(u in c)Object.prototype.hasOwnProperty.call(c,u)&&(e[u]=c[u]);for(n&&n(r,c,a);s.length;)s.shift()();if(a)for(l=0;l<a.length;l++)f=o(o.s=a[l]);return f};var r={},t={2:0};function o(n){if(r[n])return r[n].exports;var t=r[n]={i:n,l:!1,exports:{}};return e[n].call(t.exports,t,t.exports,o),t.l=!0,t.exports}o.e=function(e){var n=t[e];if(0===n)return new Promise(function(e){e()});if(n)return n[2];var r=new Promise(function(r,o){n=t[e]=[r,o]});n[2]=r;var c=document.getElementsByTagName("head")[0],a=document.createElement("script");a.type="text/javascript",a.charset="utf-8",a.async=!0,a.timeout=12e4,o.nc&&a.setAttribute("nonce",o.nc),a.src=o.p+""+e+"."+{0:"74bb3a74ba22824ce047",1:"aed76669724804835353"}[e]+".chunk.js";var u=setTimeout(i,12e4);function i(){a.onerror=a.onload=null,clearTimeout(u);var n=t[e];0!==n&&(n&&n[1](new Error("Loading chu nk "+e+" failed.")),t[e]=void 0)}return a.onerror=a.onload=i,c.appendChild(a),r},o.m=e,o.c=r,o.d=function(e,n,r){o.o(e,n)||Object.defineProperty(e,n,{configurable:!1,enumerable:!0,get:r})},o.n=function(e){var n=e&&e.__esModule?function(){return e.default}:function(){return e};return o.d(n,"a",n),n},o.o=function(e,n){return Object.prototype.hasOwnProperty.call(e,n)},o.p="",o.oe=function(e){throw console.error(e),e}}([]); \ No newline at end of file