
[VULN-45] CSP for Icons Server #4747

Merged
merged 3 commits into from
Sep 9, 2024

Conversation

kspearrin
Member

🎟️ Tracking

https://bitwarden.atlassian.net/browse/VULN-45

📔 Objective

Prevent icon server from executing JavaScript. Add a CSP header to all responses via ASP.NET middleware.
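An added example of the approach the objective describes, written for this page and not the Bitwarden project's own code from this PR: an ASP.NET Core middleware that stamps a Content-Security-Policy header on every response from an icon-serving host. The class name, the extension method and the policy value are assumptions; the point is that a response which only ever carries image bytes has no legitimate reason to load or execute anything.

```csharp
// Added example (not the project's own code): ASP.NET Core middleware that
// applies a restrictive CSP to every response of an icon server, so that
// even if a fetched favicon were ever rendered as a document the browser
// would refuse to run script from it. Class name and policy are assumptions.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using System.Threading.Tasks;

public sealed class IconCspMiddleware
{
    // 'none' for every source: an icon response never needs scripts, styles,
    // frames or sub-requests. 'sandbox' additionally disables script execution
    // and form submission if the response is rendered as a top-level document,
    // and frame-ancestors 'none' stops it being embedded elsewhere.
    private const string Policy =
        "default-src 'none'; sandbox; frame-ancestors 'none';";

    private readonly RequestDelegate _next;

    public IconCspMiddleware(RequestDelegate next) => _next = next;

    public Task Invoke(HttpContext context)
    {
        // Headers must be written before the first body byte. OnStarting runs
        // exactly then, after downstream handlers (including 404 and error
        // paths) have chosen the status code, so every response is covered.
        context.Response.OnStarting(() =>
        {
            context.Response.Headers["Content-Security-Policy"] = Policy;
            // nosniff keeps the browser from reinterpreting image bytes as a
            // scriptable type in the first place; CSP is the second layer.
            context.Response.Headers["X-Content-Type-Options"] = "nosniff";
            return Task.CompletedTask;
        });
        return _next(context);
    }
}

public static class IconCspMiddlewareExtensions
{
    // Register early in Startup.Configure (before routing and endpoints) so
    // the header is applied regardless of which endpoint handles the request.
    public static IApplicationBuilder UseIconCsp(this IApplicationBuilder app)
        => app.UseMiddleware<IconCspMiddleware>();
}
```

A quick check after deploying is to request any icon URL and any non-existent path with `curl -I` and confirm both responses carry the Content-Security-Policy header.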


codecov bot commented Sep 9, 2024

Codecov Report

Attention: Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.

Please upload report for BASE (main@a2eadfd). Learn more about missing BASE report.

Files with missing lines Patch % Lines
src/Icons/Startup.cs 0.00% 3 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4747   +/-   ##
=======================================
  Coverage        ?   41.82%           
=======================================
  Files           ?     1294           
  Lines           ?    61743           
  Branches        ?     5693           
=======================================
  Hits            ?    25827           
  Misses          ?    34725           
  Partials        ?     1191           



github-actions bot commented Sep 9, 2024

Checkmarx One – Scan Summary & Details – b62059c1-f2ab-4561-867d-25e06568108f



@withinfocus withinfocus left a comment


@kspearrin
Member Author

Failing tests seem to be from something other than my changes.

@kspearrin kspearrin merged commit 55bf815 into main Sep 9, 2024
60 of 62 checks passed
@kspearrin kspearrin deleted the iconscsp branch September 9, 2024 19:46