knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kris...@apache.org
Subject [knox] branch master updated: KNOX-1788 - New XSS Provider is added to Web Application Security Provider List (#141)
Date Wed, 04 Sep 2019 14:32:39 GMT
This is an automated email from the ASF dual-hosted git repository.

krisden pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 36cdb97  KNOX-1788 - New XSS Provider is added to Web Application Security Provider
List (#141)
36cdb97 is described below

commit 36cdb97febfd0aa7d0dfbf4c8f9b165a7c7ee0aa
Author: Sandor Molnar <smolnar@apache.org>
AuthorDate: Wed Sep 4 16:32:34 2019 +0200

    KNOX-1788 - New XSS Provider is added to Web Application Security Provider List (#141)
---
 .../app/provider-config-wizard/webappsec-wizard.ts |  8 ++-
 .../provider-config-wizard/xss-provider-config.ts  | 65 ++++++++++++++++++++++
 2 files changed, 71 insertions(+), 2 deletions(-)

diff --git a/gateway-admin-ui/admin-ui/app/provider-config-wizard/webappsec-wizard.ts b/gateway-admin-ui/admin-ui/app/provider-config-wizard/webappsec-wizard.ts
index f67196a..b6d337b 100644
--- a/gateway-admin-ui/admin-ui/app/provider-config-wizard/webappsec-wizard.ts
+++ b/gateway-admin-ui/admin-ui/app/provider-config-wizard/webappsec-wizard.ts
@@ -26,6 +26,7 @@ import {WebAppSecurityContributor} from './webappsec-contributor';
 import {STSProviderConfig} from './sts-provider-config';
 import {XFrameOptionsProviderConfig} from './xframeoptions-provider-config';
 import {XContentTypeOptionsProviderConfig} from './xcontent-type-options-provider-config';
+import {XSSProviderConfig} from './xss-provider-config';
 
 export class WebAppSecurityWizard extends CategoryWizard implements ProviderContributorWizard
{
     // WebAppSec provider types
@@ -34,12 +35,14 @@ export class WebAppSecurityWizard extends CategoryWizard implements ProviderCont
     private static XFRAME = 'X-Frame-Options';
     private static XCONTENT_TYPE = 'X-Content-Type-Options';
     private static STS = 'Strict Transport Security';
+    private static XSS = 'X-XSS-Protection';
 
     private static webAppSecTypes: string[] = [WebAppSecurityWizard.CSRF,
         WebAppSecurityWizard.CORS,
         WebAppSecurityWizard.XFRAME,
         WebAppSecurityWizard.XCONTENT_TYPE,
-        WebAppSecurityWizard.STS
+        WebAppSecurityWizard.STS,
+        WebAppSecurityWizard.XSS
     ];
 
     private static typeConfigMap: Map<string, typeof WebAppSecurityContributor> =
@@ -48,7 +51,8 @@ export class WebAppSecurityWizard extends CategoryWizard implements ProviderCont
             [WebAppSecurityWizard.CORS, CORSProviderConfig],
             [WebAppSecurityWizard.XFRAME, XFrameOptionsProviderConfig],
             [WebAppSecurityWizard.XCONTENT_TYPE, XContentTypeOptionsProviderConfig],
-            [WebAppSecurityWizard.STS, STSProviderConfig]
+            [WebAppSecurityWizard.STS, STSProviderConfig],
+            [WebAppSecurityWizard.XSS, XSSProviderConfig]
         ] as [string, typeof WebAppSecurityContributor][]);
 
     private stepCount = 4;
diff --git a/gateway-admin-ui/admin-ui/app/provider-config-wizard/xss-provider-config.ts b/gateway-admin-ui/admin-ui/app/provider-config-wizard/xss-provider-config.ts
new file mode 100644
index 0000000..d4ac6bb
--- /dev/null
+++ b/gateway-admin-ui/admin-ui/app/provider-config-wizard/xss-provider-config.ts
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import {WebAppSecurityContributor} from './webappsec-contributor';
+
+export class XSSProviderConfig extends WebAppSecurityContributor {
+    public static X_XSS_PROTECTION = 'X-XSS-Protection';
+
+    private static SUPPORTED_VALUES: string[] = ['0', '1', '1; mode=block'];
+
+    private static displayPropertyNames = [XSSProviderConfig.X_XSS_PROTECTION];
+
+    private static displayPropertyNameBindings: Map<string, string> = new Map(
+       [ [XSSProviderConfig.X_XSS_PROTECTION, 'xss.protection'] ] as [string, string][]
+    );
+
+    constructor() {
+        super();
+        // Set default values
+        this.setParam('xss.protection.enabled', 'true');
+        this.setParam(XSSProviderConfig.displayPropertyNameBindings.get(XSSProviderConfig.X_XSS_PROTECTION),
'1; mode=block');
+    }
+
+    getDisplayPropertyNames(): string[] {
+        return XSSProviderConfig.displayPropertyNames;
+    }
+
+    getDisplayNamePropertyBinding(name: string): string {
+        return XSSProviderConfig.displayPropertyNameBindings.get(name);
+    }
+
+    isValidParamValue(paramName: string): boolean {
+        let isValid = false;
+        let value = this.getParam(this.getDisplayNamePropertyBinding(paramName));
+        if (value) {
+            switch (paramName) {
+                case XSSProviderConfig.X_XSS_PROTECTION:
+                    if (XSSProviderConfig.SUPPORTED_VALUES.includes(value)) {
+                        isValid = true;
+                    } else {
+                        // only supported in Chromium
+                        isValid = value.startsWith('1; report=');
+                    }
+                    break;
+                default:
+                    break;
+            }
+        }
+
+        return isValid;
+    }
+}


Mime
View raw message