Support dynamic CSP rules to mitigate clickjacking #5641
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #5641 +/- ##
==========================================
+ Coverage 67.11% 67.12% +0.01%
==========================================
Files 3322 3323 +1
Lines 64271 64291 +20
Branches 10333 10336 +3
==========================================
+ Hits 43135 43155 +20
Misses 18614 18614
Partials 2522 2522
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
tianleh
changed the title
|
The one failed https://github.com/opensearch-project/OpenSearch-Dashboards/actions/runs/7353558209/job/20019665599?pr=5641 to build on macOS ARM64 failed but was successful in previous run https://github.com/opensearch-project/OpenSearch-Dashboards/actions/runs/7353233916 Will monitor in next run. Could anyone with permission rerun it for me or grant me the re-run workflow permission? |
tianleh
requested review from
ananzh,
kavilla,
AMoo-Miki,
ashwin-pc,
joshuarrrr,
abbyhu2000,
zengyan-amazon,
kristenTian,
zhongnansu,
manasvinibs,
ZilongX,
Flyingliuhub,
BSFishy,
curq,
bandinib-amzn and
SuZhou-Joe
as code owners
|
Hi team @opensearch-project/opensearch-dashboards-core , could you please help review? |
ruanyl
reviewed
Dec 30, 2023
SuZhou-Joe
reviewed
Jan 2, 2024
|
cc current oncall @AMoo-Miki for visibility. Please help review and add the backport labels |
|
@Flyingliuhub @bandinib-amzn @ZilongX would you help to review |
|
pulling down |
kavilla
reviewed
Jan 5, 2024
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
Signed-off-by: Tianle Huang <[email protected]>
bandinib-amzn
force-pushed
the
cj-mitigation
branch
from
fa8bcd6
to
fcc9875
Compare
ZilongX
approved these changes
Mar 8, 2024
opensearch-trigger-bot bot
pushed a commit
that referenced
this pull request
Mar 8, 2024
* support dynamic csp rules to mitigate clickjacking Signed-off-by: Tianle Huang <[email protected]> * add unit tests for the provider class Signed-off-by: Tianle Huang <[email protected]> * move request handler to its own class Signed-off-by: Tianle Huang <[email protected]> * add license headers Signed-off-by: Tianle Huang <[email protected]> * fix failed unit tests Signed-off-by: Tianle Huang <[email protected]> * add unit tests for the handler Signed-off-by: Tianle Huang <[email protected]> * add content to read me Signed-off-by: Tianle Huang <[email protected]> * fix test error Signed-off-by: Tianle Huang <[email protected]> * update readme Signed-off-by: Tianle Huang <[email protected]> * update CHANGELOG.md Signed-off-by: Tianle Huang <[email protected]> * update snap tests Signed-off-by: Tianle Huang <[email protected]> * update snapshots Signed-off-by: Tianle Huang <[email protected]> * fix a wrong import Signed-off-by: Tianle Huang <[email protected]> * undo changes in listing snap Signed-off-by: Tianle Huang <[email protected]> * improve wording Signed-off-by: Tianle Huang <[email protected]> * set client after default client is created Signed-off-by: Tianle Huang <[email protected]> * update return value and add a unit test Signed-off-by: Tianle Huang <[email protected]> * remove unnecessary dependency Signed-off-by: Tianle Huang <[email protected]> * make the name of the index configurable Signed-off-by: Tianle Huang <[email protected]> * expose APIs and update file structures Signed-off-by: Tianle Huang <[email protected]> * add header Signed-off-by: Tianle Huang <[email protected]> * fix link error Signed-off-by: Tianle Huang <[email protected]> * fix link error Signed-off-by: Tianle Huang <[email protected]> * add more unit tests Signed-off-by: Tianle Huang <[email protected]> * add more unit tests Signed-off-by: Tianle Huang <[email protected]> * update api path Signed-off-by: Tianle Huang <[email protected]> * remove logging Signed-off-by: Tianle Huang <[email protected]> * update path Signed-off-by: Tianle Huang <[email protected]> * rename index name Signed-off-by: Tianle Huang <[email protected]> * update wording Signed-off-by: Tianle Huang <[email protected]> * make the new plugin disabled by default Signed-off-by: Tianle Huang <[email protected]> * do not update defaults to avoid breaking change Signed-off-by: Tianle Huang <[email protected]> * update readme to reflect new API path Signed-off-by: Tianle Huang <[email protected]> * update handler to append frame-ancestors conditionally Signed-off-by: Tianle Huang <[email protected]> * update readme Signed-off-by: Tianle Huang <[email protected]> * clean up code to prepare for application config Signed-off-by: Tianle Huang <[email protected]> * reset change log Signed-off-by: Tianle Huang <[email protected]> * reset change log again Signed-off-by: Tianle Huang <[email protected]> * update accordingly to new changes in applicationConfig Signed-off-by: Tianle Huang <[email protected]> * update changelog Signed-off-by: Tianle Huang <[email protected]> * rename to a new plugin name Signed-off-by: Tianle Huang <[email protected]> * rename Signed-off-by: Tianle Huang <[email protected]> * rename more Signed-off-by: Tianle Huang <[email protected]> * sync changelog from main Signed-off-by: Tianle Huang <[email protected]> * onboard to app config Signed-off-by: Tianle Huang <[email protected]> * fix comment Signed-off-by: Tianle Huang <[email protected]> * update yml Signed-off-by: Tianle Huang <[email protected]> * update readme Signed-off-by: Tianle Huang <[email protected]> * update change log Signed-off-by: Tianle Huang <[email protected]> * call out single quotes in readme Signed-off-by: Tianle Huang <[email protected]> * update yml Signed-off-by: Tianle Huang <[email protected]> * update default Signed-off-by: Tianle Huang <[email protected]> * add reference link Signed-off-by: Tianle Huang <[email protected]> * update js doc Signed-off-by: Tianle Huang <[email protected]> * rename Signed-off-by: Tianle Huang <[email protected]> * use new name Signed-off-by: Tianle Huang <[email protected]> * redo changelog update Signed-off-by: Tianle Huang <[email protected]> * remove link Signed-off-by: Tianle Huang <[email protected]> * better name Signed-off-by: Tianle Huang <[email protected]> --------- Signed-off-by: Tianle Huang <[email protected]> (cherry picked from commit 58fb588) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
bandinib-amzn
pushed a commit
that referenced
this pull request
Mar 9, 2024
* support dynamic csp rules to mitigate clickjacking * add unit tests for the provider class * move request handler to its own class * add license headers * fix failed unit tests * add unit tests for the handler * add content to read me * fix test error * update readme * update CHANGELOG.md * update snap tests * update snapshots * fix a wrong import * undo changes in listing snap * improve wording * set client after default client is created * update return value and add a unit test * remove unnecessary dependency * make the name of the index configurable * expose APIs and update file structures * add header * fix link error * fix link error * add more unit tests * add more unit tests * update api path * remove logging * update path * rename index name * update wording * make the new plugin disabled by default * do not update defaults to avoid breaking change * update readme to reflect new API path * update handler to append frame-ancestors conditionally * update readme * clean up code to prepare for application config * reset change log * reset change log again * update accordingly to new changes in applicationConfig * update changelog * rename to a new plugin name * rename * rename more * sync changelog from main * onboard to app config * fix comment * update yml * update readme * update change log * call out single quotes in readme * update yml * update default * add reference link * update js doc * rename * use new name * redo changelog update * remove link * better name --------- (cherry picked from commit 58fb588) Signed-off-by: Tianle Huang <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR is to mitigate the Clickjacking vulnerability as stated #5639.
Notes for the repo maintainers: please add backport label to the branch2.x. We are targeting at2.12.0release for this feature.We will target at
2.13.0. Please help add the backport label to the branch2.x.12/27/2023
Unit tests are being added.
12/23/2023
For now, I am sending the PR without any tests to collect early feedback. More tests will be added later.
Issues Resolved
fixes #5639
Screenshot
Testing the changes
Test Case 1
Step 0: There are no csp rules configured in OSD yml.
Step 1: Verify that there is no index
.opensearch_dashboards_configby default.Run command
GET .opensearch_dashboards_config/_doc/csp.rulesReceive this response.
Step 2: Verify the response header has added
frame-ancestors 'self'by default.Step 3: Verify through a local test html file.
Open the test html in browser and expect to see the following page.
Step 4: Update the index
.opensearch_dashboards_configto allow embedding inside local file.Step 5: Verify that the test html can open now.
Test Case 2
Step 0: There are CSP rules configured in OSD YML.
Step 1:
Verify that by default there is no index
.opensearch_dashboards_config.Returns
index_not_found_exceptionStep 2:
Verify that the values from the OSD YML are used.
Step 3:
Update the
.opensearch_dashboards_configwith different CSP rules from the YML.Step 4:
Verify that the values from the index are used.
Step 5:
Update
.opensearch_dashboards_configwith empty rules.Step 6:
Verify that the values from the YML are used.
Check List
yarn test:jestyarn test:jest_integration