
owasp action #122

Merged: 7 commits from jgasiorek-owasp-action into main, Aug 4, 2024

Conversation

@acouch (Contributor) commented Jul 31, 2024

Ticket

Resolves FFS-1083

Changes

Make the OWASP scan actually run. Started: #116

This adds a couple of ignores:

10110	IGNORE	Dangerous JS Functions
# These are necessary and properly scoped in content_security_policy.rb
10055	IGNORE	CSP: Notices
# Perms Policy not supported in rails https://github.com/rails/rails/issues/48878
# Also not fully adopted: https://caniuse.com/permissions-policy
10063	IGNORE	Permissions Policy Header Not Set

Unfortunately, ZAP does not support ignoring risk levels like LOW, so ignoring a full check is the only way to filter.
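As an added example (not code from this PR or from the project), the risk-level filtering that the description says ZAP cannot do natively can be done by post-processing the scan's JSON report while still honouring the same rules.tsv ignores. The report layout assumed here (site[].alerts[] with pluginid, name and a string riskcode 0..3), the tab-separated rules.tsv layout, and the sample rules and alerts are all constructed for the example:

```ruby
# Added example, not code from this PR or its project: post-filter a ZAP JSON
# report by risk level, which the PR description notes ZAP cannot do on its own,
# while still honouring the IGNORE entries of the same rules.tsv.
# Assumptions: the report follows ZAP's JSON layout (site[].alerts[] with
# "pluginid", "name" and a string "riskcode" 0..3), and rules.tsv holds
# tab-separated "id<TAB>action<TAB>name" lines with "#" comment lines.
require "json"
require "set"

# ZAP risk levels as they appear in "riskcode".
RISK = { "Informational" => 0, "Low" => 1, "Medium" => 2, "High" => 3 }.freeze

# Plugin ids marked IGNORE in a rules.tsv; comment and blank lines are skipped.
def ignored_plugin_ids(rules_tsv)
  rules_tsv.each_line.with_object(Set.new) do |line, ids|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    id, action, _name = line.split("\t", 3)
    ids << id if action&.strip == "IGNORE"
  end
end

# Alerts that should fail the build: not ignored and at or above min_risk.
# Returns an array of {id:, name:, risk:} hashes in report order.
def failing_alerts(report_json, rules_tsv, min_risk: "Medium")
  threshold = RISK.fetch(min_risk)
  ignored = ignored_plugin_ids(rules_tsv)
  report = JSON.parse(report_json)
  report.fetch("site", [])
        .flat_map { |site| site.fetch("alerts", []) }
        .reject { |alert| ignored.include?(alert["pluginid"]) }
        .select { |alert| alert["riskcode"].to_i >= threshold }
        .map { |alert| { id: alert["pluginid"], name: alert["name"], risk: alert["riskcode"].to_i } }
end

# Constructed sample rules: the three ignores from this PR plus one comment line.
SAMPLE_RULES = [
  "10110\tIGNORE\tDangerous JS Functions",
  "# Perms Policy not supported in rails",
  "10055\tIGNORE\tCSP: Notices",
  "10063\tIGNORE\tPermissions Policy Header Not Set",
].join("\n")

# Constructed sample report in ZAP's JSON shape; the findings are invented
# for the example, only the rule ids and names are ZAP's well-known ones.
SAMPLE_REPORT = JSON.generate(
  "site" => [{
    "@name" => "http://localhost:3000",
    "alerts" => [
      { "pluginid" => "10055", "name" => "CSP: Notices", "riskcode" => "0" },
      { "pluginid" => "10110", "name" => "Dangerous JS Functions", "riskcode" => "1" },
      { "pluginid" => "10063", "name" => "Permissions Policy Header Not Set", "riskcode" => "1" },
      { "pluginid" => "10038", "name" => "Content Security Policy (CSP) Header Not Set", "riskcode" => "2" },
      { "pluginid" => "10021", "name" => "X-Content-Type-Options Header Missing", "riskcode" => "1" },
    ],
  }]
)

if $PROGRAM_NAME == __FILE__
  # With min_risk "Medium" only the CSP-header-not-set finding is reported;
  # the ignored rules never surface regardless of their risk.
  failing_alerts(SAMPLE_REPORT, SAMPLE_RULES, min_risk: "Medium").each do |a|
    puts "FAIL risk=#{a[:risk]} #{a[:id]} #{a[:name]}"
  end
end
```

Run it after the scan step against the report ZAP wrote (for example the JSON file the zaproxy action leaves in the workspace) and make the job exit non-zero when the returned array is non-empty; that way LOW findings stay visible in the report without having to ignore whole rules such as 10063 to keep the job green.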

@acouch acouch marked this pull request as ready for review July 31, 2024 16:17
@acouch acouch mentioned this pull request Jul 31, 2024
# this will run at noon UTC every day (7am EST / 8am EDT)
- cron: '0 12 * * *'
pull_request:
branches: [main]
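Review bot: The cron comment documents when the scan runs but not what it targets, and the two triggers execute on different code: a scheduled run only ever executes the workflow on the default branch, whereas the `pull_request` run executes on the PR's merge ref. State next to the triggers whether the scan hits the checked-out build or a deployed URL, otherwise a reader cannot tell whether a PR-triggered run actually exercises the PR's changes.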
Contributor:

nit: File is misnamed if this is no longer a daily scan

Contributor Author:

Good catch, I renamed to owasp-scan.yml so the name is separate from the trigger.

@@ -1,4 +1,7 @@
class PagesController < ApplicationController
def home
unless params["format"].nil?
head 401, content_type: "text/html"
end
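Review bot: `head 401` is the wrong status for rejecting a request because of its format: 401 means the request lacks valid credentials, and RFC 9110 requires a `WWW-Authenticate` challenge alongside it, so a scanner or client will read this as an authentication boundary rather than a refusal. If the intent is to turn away probes for dotfiles such as `._hg`, `head :not_found` is the accurate answer (or 406 if only the requested format is unacceptable); the `unless params["format"].nil?` guard also deserves a comment explaining which probes it is meant to catch, since nothing in the hunk says so.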
Contributor:

I wonder if this is still necessary given your change to the routes.rb you've discussed in Slack

Contributor Author:

This was introduced in #116 .

@joeyg was there a reason this was added? I'm reading it as returning unauthorized if a request to the home page doesn't have a request format.

Contributor:

@acouch One of the checks is for files like ._hg and the like.

Contributor Author:

@joeyg Thanks, I can confirm that #124 fixes that. I'm going to remove it from here and rebase once #124 is pulled in.

@acouch acouch force-pushed the jgasiorek-owasp-action branch from 2a1037a to e7f8f1a on August 4, 2024 16:34
@acouch acouch merged commit 8977a4c into main Aug 4, 2024
20 checks passed
@acouch acouch deleted the jgasiorek-owasp-action branch August 4, 2024 21:51