[jira] [Created] (ZEPPELIN-4724) Zeppelin Documentation link in top menubar is broken for 0.9.0-SNAPSHOT
Krishna Pandey created ZEPPELIN-4724:
Summary: Zeppelin Documentation link in top menubar is broken for 0.9.0-SNAPSHOT
Key: ZEPPELIN-4724
URL: https://issues.apache.org/jira/browse/ZEPPELIN-4724
Project: Zeppelin
Issue Type: Bug
Components: documentation
Affects Versions: 0.9.0
Reporter: Krishna Pandey
Fix For: 0.9.0

The top menu bar for http://zeppelin.apache.org/docs/0.9.0-SNAPSHOT/index.html, which consists of documentation related to "Quick Start", "Usage", "Setup", etc., has broken links. While the links displayed as part of the web page Table of Contents are updated with correct URLs, e.g. for "HTTP Security Headers" it is http://zeppelin.apache.org/docs/0.9.0-SNAPSHOT/setup/security/http_security_headers.html, the drop-down menu link shows http://zeppelin.apache.org/setup/security/http_security_headers.html

-- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (ZEPPELIN-4723) Configure Security Features in Zeppelin to be enabled by default
Krishna Pandey created ZEPPELIN-4723:
Summary: Configure Security Features in Zeppelin to be enabled by default
Key: ZEPPELIN-4723
URL: https://issues.apache.org/jira/browse/ZEPPELIN-4723
Project: Zeppelin
Issue Type: Improvement
Components: zeppelin-web
Affects Versions: 0.8.2
Reporter: Krishna Pandey
Assignee: Krishna Pandey
Fix For: 0.9.0

Zeppelin, being a notebook, has gained popularity among Data Scientists who are not necessarily also information security savvy. They usually deploy Zeppelin with default configuration options, which don't enable the common web application security headers by default, e.g. zeppelin.server.xframe.options, zeppelin.server.strict.transport, zeppelin.server.xxss.protection, zeppelin.server.xcontent.type.options, documented here: https://zeppelin.apache.org/docs/0.8.2/setup/security/http_security_headers.html. This leaves the Zeppelin installation vulnerable.

In recent times, Zeppelin installations are taking flak over these missing security headers from Internal Security teams and External Auditors who are not aware of these features being already available. Also, as the software community is moving towards privacy-by-design and compliance-as-code, the expectation of secure by design doesn't look out of place.

This Jira's intention is to enable all the above HTTP response headers by default.
[jira] [Created] (ZEPPELIN-4584) Default error page for Zeppelin masking Jetty Server version
Krishna Pandey created ZEPPELIN-4584:
Summary: Default error page for Zeppelin masking Jetty Server version
Key: ZEPPELIN-4584
URL: https://issues.apache.org/jira/browse/ZEPPELIN-4584
Project: Zeppelin
Issue Type: Improvement
Components: zeppelin-web
Affects Versions: 0.8.2
Reporter: Krishna Pandey
Assignee: Krishna Pandey
Fix For: 0.8.3

When a non-existent notebook is accessed in the browser, it shows the server name and version. As a software development best practice, a generic error page should be displayed.
[jira] [Created] (ZEPPELIN-2896) HTTP Response headers are being set multiple times
Krishna Pandey created ZEPPELIN-2896:
Summary: HTTP Response headers are being set multiple times
Key: ZEPPELIN-2896
URL: https://issues.apache.org/jira/browse/ZEPPELIN-2896
Project: Zeppelin
Issue Type: Bug
Components: zeppelin-server
Affects Versions: 0.7.2
Reporter: Krishna Pandey
Priority: Critical

HTTP Response Headers are being set multiple times. Refer to the attached screenshot.
[jira] [Created] (ZEPPELIN-2783) Broken link at Apache Zeppelin website's Contributions page
Krishna Pandey created ZEPPELIN-2783:
Summary: Broken link at Apache Zeppelin website's Contributions page
Key: ZEPPELIN-2783
URL: https://issues.apache.org/jira/browse/ZEPPELIN-2783
Project: Zeppelin
Issue Type: Bug
Components: documentation, Homepage
Environment: Apache Zeppelin Website (https://zeppelin.apache.org/contribution/contributions.html)
Reporter: Krishna Pandey
Priority: Critical

Whenever we raise a Pull Request for Apache Zeppelin, we are presented with a helping Questionnaire. One such question is below, which points to the Contribution guide.

{noformat}
### What is this PR for?
A few sentences describing the overall goals of the pull request's commits.
First time? Check out the contributing guide - https://zeppelin.apache.org/contribution/contributions.html
{noformat}

When you land on the webpage following the above link, click the Community drop-down list on the top menu and then click the "Contributors" link, it throws the error "The requested URL /contribution/community.html was not found on this server."
[jira] [Created] (ZEPPELIN-2775) Add configurable Strict-Transport-Security and X-XSS-Protection Headers
Krishna Pandey created ZEPPELIN-2775:
Summary: Add configurable Strict-Transport-Security and X-XSS-Protection Headers
Key: ZEPPELIN-2775
URL: https://issues.apache.org/jira/browse/ZEPPELIN-2775
Project: Zeppelin
Issue Type: Bug
Components: zeppelin-server
Affects Versions: 0.7.2
Reporter: Krishna Pandey

The *HTTP Strict-Transport-Security* response header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

*Note:* The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

*An example scenario*
You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker. Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

*Syntax*
Strict-Transport-Security: max-age=
Strict-Transport-Security: max-age=; includeSubDomains
Strict-Transport-Security: max-age=; preload

Read more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

The HTTP *X-XSS-Protection* response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

*Syntax*
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=

Read more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
[jira] [Created] (ZEPPELIN-2765) Configurable X-FRAME-OPTIONS for Zeppelin
Krishna Pandey created ZEPPELIN-2765:
Summary: Configurable X-FRAME-OPTIONS for Zeppelin
Key: ZEPPELIN-2765
URL: https://issues.apache.org/jira/browse/ZEPPELIN-2765
Project: Zeppelin
Issue Type: Improvement
Components: zeppelin-server
Affects Versions: 0.7.0
Reporter: Krishna Pandey

*Information systems must not be susceptible to Cross-frame Scripting (XFS) attacks and clickjacking.*

Information systems must implement proper input validation and output encoding. With proper input validation and output encoding, information systems will not be susceptible to cross-frame scripting, either stored or reflected. A successful cross-frame scripting attack may redirect a user to a malicious third-party page.

*Technical Risk*: Without proper input validation and output encoding, information systems are susceptible to cross-frame scripting, which may result in unauthorized access or malicious attacks against the user.

*Corrective Action*: This issue can be fixed using the following methods:
1. Implementing the response header X-Frame-Options and setting the value to 'Deny' or 'same origin'.
2. Sending the proper browser response headers that instruct the browser to not allow framing from other domains.

The application (Zeppelin) loads in an iframe:
<iframe src="https://localhost:8443/#/" width="100%" height="600">

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame or iframe. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites. Set the X-Frame-Options header for all responses containing HTML content. The possible values are "DENY", "SAMEORIGIN", or "ALLOW-FROM uri".

*X-Frame-Options Header Types*
There are three possible values for the X-Frame-Options header:
*DENY*, which prevents any domain from framing the content. The "DENY" setting is recommended unless a specific need has been identified for framing.
*SAMEORIGIN*, which only allows the current site to frame the content.
*ALLOW-FROM uri*, which permits the specified 'uri' to frame this page (e.g., ALLOW-FROM http://www.example.com).
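The following audit script is an added example, not Zeppelin project code, covering the checks an auditor would run against a Zeppelin deployment for the headers described in ZEPPELIN-2775 and ZEPPELIN-2765, the duplicate headers reported in ZEPPELIN-2896, and the Server banner from ZEPPELIN-2461. The header list is a constructed sample, and the HSTS skip on plain HTTP follows the note that browsers ignore HSTS over HTTP.

```python
# Added example (not Zeppelin code): audit a captured set of HTTP response
# headers for presence, valid syntax, duplication and version disclosure.
import re
from collections import defaultdict

# A raw (name, value) list is used rather than a dict, because a dict
# silently collapses repeated header names and would hide duplicates.
SAMPLE_RAW_HEADERS = [  # constructed sample, not a real capture
    ("Server", "Jetty(9.4.14.v20181114)"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Frame-Options", "SAMEORIGIN"),          # set twice, as in ZEPPELIN-2896
    ("X-XSS-Protection", "1; mode=block"),
    ("Strict-Transport-Security", "max-age=604800"),
]

# Accepted syntax per header, following the forms quoted in the issues.
EXPECTED = {
    "x-frame-options": re.compile(r"^(DENY|SAMEORIGIN|ALLOW-FROM \S+)$", re.I),
    "x-xss-protection": re.compile(r"^(0|1(; mode=block)?(; report=\S+)?)$"),
    "strict-transport-security": re.compile(
        r"^max-age=\d+(; includeSubDomains)?(; preload)?$", re.I),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
}


def audit_headers(raw_headers, https=True):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    grouped = defaultdict(list)
    for name, value in raw_headers:
        grouped[name.lower()].append(value.strip())
    for name, pattern in EXPECTED.items():
        values = grouped.get(name, [])
        if not values:
            if name == "strict-transport-security" and not https:
                continue  # HSTS is only honoured over HTTPS, so do not flag it here
            findings.append(f"missing: {name}")
            continue
        if len(values) > 1:
            findings.append(f"duplicated: {name} ({len(values)} times)")
        for v in values:
            if not pattern.match(v):
                findings.append(f"bad value: {name}={v!r}")
    # A Server banner carrying a version number is the disclosure ZEPPELIN-2461 targets.
    for v in grouped.get("server", []):
        if re.search(r"\d+\.\d+", v):
            findings.append(f"server version disclosed: {v!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RAW_HEADERS):
        print(finding)
```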
[jira] [Created] (ZEPPELIN-2461) Masking Jetty Server version with User-configurable parameter
Krishna Pandey created ZEPPELIN-2461:
Summary: Masking Jetty Server version with User-configurable parameter
Key: ZEPPELIN-2461
URL: https://issues.apache.org/jira/browse/ZEPPELIN-2461
Project: Zeppelin
Issue Type: Bug
Components: Core
Affects Versions: 0.7.0
Environment: All
Reporter: Krishna Pandey
Priority: Minor

Security conscious organisations do not want to reveal the Application Server name and version, to prevent Script-kiddies from finding the information easily when fingerprinting the Application. The exact version number can tell an Attacker whether the current Application Server is patched for or vulnerable to certain publicly known CVEs associated with it.