2683-zap-CORS-misconfig

scripts/deploy-backend.sh

@@ -100,7 +100,6 @@ update_backend()
 
     if [ "$1" = "rolling" ] ; then
         set_cf_envs
-
         # Do a zero downtime deploy.  This requires enough memory for
         # two apps to exist in the org/space at one time.
         cf push "$CGAPPNAME_BACKEND" --no-route -f manifest.buildpack.yml -t 180 --strategy rolling || exit 1

scripts/zap-scanner.sh

@@ -40,7 +40,7 @@ cd "$TARGET_DIR" || exit 2
 
 
 if [[ $(docker network inspect external-net 2>&1 | grep -c Scope) == 0 ]]; then 
-    docker network create external-net
+  docker network create external-net
 fi
 
 # Ensure the APP_URL is reachable from the zaproxy container
@@ -112,10 +112,6 @@ ZAP_CLI_OPTIONS="\
   -config globalexcludeurl.url_list.url\(14\).description='Site - FontAwesome.com' \
   -config globalexcludeurl.url_list.url\(14\).enabled=true \
 
-  -config globalexcludeurl.url_list.url\(15\).regex='^https:\/\/.*\.cloud.gov\/.*$' \
-  -config globalexcludeurl.url_list.url\(15\).description='Site - Cloud.gov' \
-  -config globalexcludeurl.url_list.url\(15\).enabled=true \
-
   -config globalexcludeurl.url_list.url\(16\).regex='^https:\/\/.*\.googletagmanager.com\/.*$' \
   -config globalexcludeurl.url_list.url\(16\).description='Site - googletagmanager.com' \
   -config globalexcludeurl.url_list.url\(16\).enabled=true \
@@ -140,7 +136,6 @@ ZAP_CLI_OPTIONS="\
   -config globalexcludeurl.url_list.url\(21\).description='Site - IdentitySandbox.gov' \
   -config globalexcludeurl.url_list.url\(21\).enabled=true \
   -config spider.postform=true"
-
 # How long ZAP will crawl the app with the spider process
 ZAP_SPIDER_MINS=10
 

tdrs-backend/clamav-router/nginx.conf

@@ -4,6 +4,7 @@ events { worker_connections 1024;
 # This opens a route to clamav prod
 http{ 
     server {
+        client_max_body_size 100m;
         listen {{port}};
         client_max_body_size 100m;
         location /scan {
@@ -12,6 +13,7 @@ http{
         }
     }
     server {
+        client_max_body_size 100m;
         listen 9000;
         client_max_body_size 100m;
         location /scan {

tdrs-backend/tdpservice/settings/cloudgov.py

@@ -155,7 +155,14 @@ class Development(CloudGov):
 
     # https://docs.djangoproject.com/en/2.0/ref/settings/#allowed-hosts
     ALLOWED_HOSTS = ['.app.cloud.gov']
-
+    CORS_ORIGIN_ALLOW_ALL = False
+    CORS_ALLOWED_ORIGINS = ['https://*.app.cloud.gov']
+    CORS_ALLOW_CREDENTIALS = True
+    CORS_ALLOW_METHODS = (
+        "GET",
+        "PATCH",
+        "POST",
+    )
 
 class Staging(CloudGov):
     """Settings for applications deployed in the Cloud.gov staging space."""
@@ -164,7 +171,14 @@ class Staging(CloudGov):
         'tdp-frontend-staging.acf.hhs.gov',
         'tdp-frontend-develop.acf.hhs.gov'
         ]
-
+    CORS_ALLOWED_ORIGINS = ['https://*.acf.hhs.gov']
+    CORS_ORIGIN_ALLOW_ALL = False
+    CORS_ALLOW_CREDENTIALS = True
+    CORS_ALLOW_METHODS = (
+        "GET",
+        "PATCH",
+        "POST",
+    )
     LOGIN_GOV_CLIENT_ID = os.getenv(
         'OIDC_RP_CLIENT_ID',
         'urn:gov:gsa:openidconnect.profiles:sp:sso:hhs:tanf-proto-staging'
@@ -189,3 +203,10 @@ class Production(CloudGov):
 
     # CORS allowed origins
     CORS_ALLOWED_ORIGINS = ['https://tanfdata.acf.hhs.gov']
+    CORS_ORIGIN_ALLOW_ALL = False
+    CORS_ALLOW_CREDENTIALS = True
+    CORS_ALLOW_METHODS = (
+        "GET",
+        "PATCH",
+        "POST",
+    )

tdrs-frontend/nginx/cloud.gov/locations.conf

@@ -16,9 +16,16 @@ location ~ ^/(v1|admin|static/admin|swagger|redocs) {
         proxy_buffer_size     4k;
         proxy_temp_file_write_size 64k;
 
+        limit_except GET HEAD POST { deny all;
+        }
+
         add_header Access-Control-Allow-Origin 's3-us-gov-west-1.amazonaws.com';
 }
 
+if ($request_method ~ ^(PATCH|TRACE|OPTION)$) { 
+			return 405; 
+}
+
 location = /profile {
     index index.html index.htm;
     try_files $uri $uri/ /index.html;