Merge pull request #659 from daniel-ac-martin/fix-zap-warnings

Fix DAST warnings
daniel-ac-martin · Jan 23, 2023 · b6e0568 · b6e0568 · github-actions · Jan 23, 2023
2 parents 018c186 + 142f37d
commit b6e0568
Show file tree

Hide file tree

Showing 3 changed files with 86 additions and 0 deletions.
diff --git a/.zap/rules.tsv b/.zap/rules.tsv
@@ -1,6 +1,8 @@
 # False positives
 10027	IGNORE	(Information Disclosure - Suspicious Comments)
 10031	IGNORE	(User Controllable HTML Element Attribute)
+# We deliberately don't cache HTML as it may contain sensitive information
+10049	IGNORE	(Non-Storable Content)
 # Netlify seems to randomly generate these
 10096	IGNORE	(Timestamp Disclosure)
 # HSTS should be set by the proxy terminating TLS
@@ -11,11 +13,15 @@
 10055	IGNORE	(CSP: style-src unsafe-inline)
 # We can't seem to run the Ajax spider
 10109	INFO	(Modern Web Application)
+# These are not real forms, and we replicate GDS
+10202	IGNORE	(Absence of Anti-CSRF Tokens)
 # We don't control the headers on Netlify's CDN
 10021	OUTOFSCOPE	.*/public/.*
+10063	OUTOFSCOPE	.*/public/.*
 # These are not timestamps
 10096	OUTOFSCOPE	.*/public/.*\.css
 # These are HTML errors
 10202	OUTOFSCOPE	.*/public/.*\.bundle\.js
 # We don't control the vendors code
+10110	OUTOFSCOPE	.*/public/js/vendors\..*\.bundle\.js
 90022	OUTOFSCOPE	.*/public/js/vendors\..*\.bundle\.js
diff --git a/lib/restify/src/index.ts b/lib/restify/src/index.ts
@@ -3,6 +3,7 @@ import restifyBunyanLogger from 'restify-bunyan-logger';
 import stoppable from 'stoppable';
 import { liveness } from './middleware/health-check';
 import { htmlByDefault } from './middleware/html-by-default';
+import { permissionsPolicy } from './middleware/permissions-policy';
 import { preventClickjacking } from './middleware/prevent-clickjacking';
 import { preventMimeSniffing } from './middleware/prevent-mime-sniffing';
 import { noCacheByDefault } from './middleware/no-cache-by-default';
@@ -92,6 +93,7 @@ export const createServer = (options: ServerOptions ) => {
 
   httpd.on('after', restifyBunyanLogger());
 
+  httpd.pre(permissionsPolicy);
   httpd.pre(preventClickjacking);
   httpd.pre(preventMimeSniffing);
   httpd.pre(noCacheByDefault);

diff --git a/lib/restify/src/middleware/permissions-policy.ts b/lib/restify/src/middleware/permissions-policy.ts
@@ -0,0 +1,78 @@
+import { Middleware } from './common';
+
+const keywords = [
+  'self',
+  'src'
+];
+
+const ppObj = {
+  'accelerometer': 'self',
+  'ambient-light-sensor': 'self',
+  'autoplay': 'self',
+  'battery': 'self',
+  'camera': 'self',
+  'display-capture': 'self',
+  'document-domain': 'self',
+  'encrypted-media ': 'self',
+  'execution-while-not-rendered': 'self',
+  'execution-while-out-of-viewport': 'self',
+  'fullscreen': 'self',
+  'gamepad': 'self',
+  'geolocation': 'self',
+  'gyroscope': 'self',
+  'hid': 'self',
+  'idle-detection': 'self',
+  'local-fonts': 'self',
+  'magnetometer': 'self',
+  'microphone': 'self',
+  'midi': 'self',
+  'payment': 'self',
+  'picture-in-picture': 'self',
+  'publickey-credentials-get': 'self',
+  'screen-wake-lock': 'self',
+  'serial': 'self',
+  'speaker-selection': 'self',
+  'usb': 'self',
+  'web-share': 'self',
+  'xr-spatial-tracking': 'self'
+};
+
+const isDefined = (v: any): boolean => (
+  v !== undefined
+);
+
+const policy = Object.keys(ppObj)
+  .map(directive => {
+    const _valueArr = ppObj[directive];
+    const valueArr = (
+      Array.isArray(_valueArr)
+        ? _valueArr
+        : [ _valueArr ]
+    );
+    const values = (
+      valueArr
+        .filter(isDefined)
+        .map(v => (
+          keywords.includes(v)
+            ? v
+            : `"${v}"`
+        ) )
+        .join(' ')
+    );
+
+    return (
+      values === ''
+      ? undefined
+        : `${directive}=(${values})`
+    );
+  } )
+  .filter(isDefined)
+  .join(', ');
+
+export const permissionsPolicy: Middleware = (_req, res, next) => {
+  res.header('Permissions-Policy', policy);
+
+  next();
+};
+
+export default permissionsPolicy;