Review feedback: incorporate github action, make OWASP pass with explicit exceptions

src/docker-compose.yml

@@ -73,7 +73,7 @@ services:
       - pa11y
 
   owasp:
-    image: owasp/zap2docker-weekly
+    image: owasp/zap2docker-stable
     command: zap-baseline.py -t http://app:8080 -c zap.conf -I -r zap_report.html
     volumes:
       - .:/zap/wrk/

src/registrar/config/settings.py

@@ -228,6 +228,18 @@ SERVER_EMAIL = "root@get.gov"
 # endregion
 # region: Headers-----------------------------------------------------------###
 
+# Content-Security-Policy configuration
+# this can be restrictive because we have few external scripts
+allowed_sources = (
+	"'self'",
+)
+CSP_DEFAULT_SRC = allowed_sources
+# Most things fall back to default-src, but these two do not and should be
+# explicitly set
+CSP_FRAME_ANCESTORS = allowed_sources
+CSP_FORM_ACTION = allowed_sources
+
+
 # Content-Length header is set by django.middleware.common.CommonMiddleware
 
 # X-Frame-Options header is set by
@@ -240,12 +252,6 @@ SERVER_EMAIL = "root@get.gov"
 # as Host header may contain a proxy rather than the actual client
 USE_X_FORWARDED_HOST = True
 
-# Content-security policy header configuration
-CSP_DEFAULT_SRC = ["'none'"]
-CSP_STYLE_SRC = ["'self'"]
-CSP_SCRIPT_SRC = ["'self'"]
-CSP_IMG_SRC = ["'self'"]
-
 # endregion
 # region: Internationalisation----------------------------------------------###
 

src/zap.conf

@@ -1,80 +1,96 @@
 # zap-full-scan rule configuration file
-# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
-# Active scan rules set to IGNORE will not be run which will speed up the scan
 # Only the rule identifiers are used - the names are just for info
 # You can add your own messages to each rule by appending them after a tab on each line.
-0	WARN	(Directory Browsing - Active/release)
-10003	WARN	(Vulnerable JS Library - Passive/release)
+0	FAIL	(Directory Browsing - Active/release)
+10003	FAIL	(Vulnerable JS Library - Passive/release)
 10010	FAIL	(Cookie No HttpOnly Flag - Passive/release)
 10011	FAIL	(Cookie Without Secure Flag - Passive/release)
-10015	WARN	(Incomplete or No Cache-control Header Set - Passive/release)
+10015	FAIL	(Incomplete or No Cache-control Header Set - Passive/release)
 10016	FAIL	(Web Browser XSS Protection Not Enabled)
-10017	WARN	(Cross-Domain JavaScript Source File Inclusion - Passive/release)
-10019	WARN	(Content-Type Header Missing - Passive/release)
+10017	FAIL	(Cross-Domain JavaScript Source File Inclusion - Passive/release)
+10019	FAIL	(Content-Type Header Missing - Passive/release)
 10020	FAIL	(X-Frame-Options Header - Passive/release)
-10021	WARN	(X-Content-Type-Options Header Missing - Passive/release)
-10023	WARN	(Information Disclosure - Debug Error Messages - Passive/release)
+10021	FAIL	(X-Content-Type-Options Header Missing - Passive/release)
+# With DEBUG=True Django's internal server serves static files without this
+# header, but it is not an issue in production
+10021	OUTOFSCOPE	http://app:8080/public/.*$
+10023	FAIL	(Information Disclosure - Debug Error Messages - Passive/release)
 10024	FAIL	(Information Disclosure - Sensitive Information in URL - Passive/release)
 10025	FAIL	(Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
-10026	WARN	(HTTP Parameter Override - Passive/beta)
-10027	WARN	(Information Disclosure - Suspicious Comments - Passive/release)
+10026	FAIL	(HTTP Parameter Override - Passive/beta)
+10027	FAIL	(Information Disclosure - Suspicious Comments - Passive/release)
+# Debug toolbar contains the word "from" which is a false positive and also
+# it isn't installed in production (see word list at https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/zapHomeFiles/xml/suspicious-comments.txt)
+10027	OUTOFSCOPE	http://app:8080/public/debug_toolbar/js/toolbar.js
+# USWDS.min.js contains suspicious words "query", "select", "from" in ordinary usage
+10027	OUTOFSCOPE	http://app:8080/public/js/uswds.min.js
 10028	FAIL	(Open Redirect - Passive/beta)
-10029	WARN	(Cookie Poisoning - Passive/beta)
-10030	WARN	(User Controllable Charset - Passive/beta)
-10031	WARN	(User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
-10032	WARN	(Viewstate - Passive/release)
-10033	WARN	(Directory Browsing - Passive/beta)
-10034	WARN	(Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
+10029	FAIL	(Cookie Poisoning - Passive/beta)
+10030	FAIL	(User Controllable Charset - Passive/beta)
+10031	FAIL	(User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
+10032	FAIL	(Viewstate - Passive/release)
+10033	FAIL	(Directory Browsing - Passive/beta)
+10034	FAIL	(Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
 10035	FAIL	(Strict-Transport-Security Header - Passive/beta)
-10036	WARN	(HTTP Server Response Header - Passive/beta)
-10037	WARN	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
-10038	WARN	(Content Security Policy (CSP) Header Not Set - Passive/beta)
-10039	WARN	(X-Backend-Server Header Information Leak - Passive/beta)
+10036	FAIL	(HTTP Server Response Header - Passive/beta)
+# With DEBUG=True Django's internal server sends the Server header, but
+# it is not an issue in production
+10036	OUTOFSCOPE	http://app:8080.*$
+10037	FAIL	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
+10038	FAIL	(Content Security Policy (CSP) Header Not Set - Passive/beta)
+# With DEBUG=True, Django sends a 404 page without the CSP headers. This isn't true on production
+# For URLs that Zap gets that aren't present for us, skip this false positive
+10038	OUTOFSCOPE	http://app:8080/public/img/(favicon|touch-icon).png
+10038	OUTOFSCOPE	http://app:8080/(robots.txt|sitemap.xml)
+10039	FAIL	(X-Backend-Server Header Information Leak - Passive/beta)
 10040	FAIL	(Secure Pages Include Mixed Content - Passive/release)
-10041	WARN	(HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
-10042	WARN	(HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
+10041	FAIL	(HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
+10042	FAIL	(HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
 10043	FAIL	(User Controllable JavaScript Event (XSS) - Passive/beta)
-10044	WARN	(Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
-10045	WARN	(Source Code Disclosure - /WEB-INF folder - Active/release)
-10047	WARN	(HTTPS Content Available via HTTP - Active/beta)
+10044	FAIL	(Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
+10045	FAIL	(Source Code Disclosure - /WEB-INF folder - Active/release)
+10047	FAIL	(HTTPS Content Available via HTTP - Active/beta)
 10048	FAIL	(Remote Code Execution - Shell Shock - Active/beta)
-10050	WARN	(Retrieved from Cache - Passive/beta)
-10051	WARN	(Relative Path Confusion - Active/beta)
-10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
-10053	WARN	(Apache Range Header DoS (CVE-2011-3192) - Active/beta)
-10054	WARN	(Cookie without SameSite Attribute - Passive/release)
-10055	WARN	(CSP - Passive/release)
-10056	WARN	(X-Debug-Token Information Leak - Passive/release)
-10057	WARN	(Username Hash Found - Passive/release)
+10050	FAIL	(Retrieved from Cache - Passive/beta)
+10051	FAIL	(Relative Path Confusion - Active/beta)
+10052	FAIL	(X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
+10053	FAIL	(Apache Range Header DoS (CVE-2011-3192) - Active/beta)
+10054	FAIL	(Cookie without SameSite Attribute - Passive/release)
+10055	FAIL	(CSP - Passive/release)
+10056	FAIL	(X-Debug-Token Information Leak - Passive/release)
+10057	FAIL	(Username Hash Found - Passive/release)
 10058	FAIL	(GET for POST - Active/beta)
-10061	WARN	(X-AspNet-Version Response Header - Passive/release)
+10061	FAIL	(X-AspNet-Version Response Header - Passive/release)
 10062	FAIL	(PII Disclosure - Passive/beta)
-10095	IGNORE	(Backup File Disclosure - Active/beta)
-10096	WARN	(Timestamp Disclosure - Passive/release)
-10097	WARN	(Hash Disclosure - Passive/beta)
-10098	WARN	(Cross-Domain Misconfiguration - Passive/release)
-10104	WARN	(User Agent Fuzzer - Active/beta)
-10105	WARN	(Weak Authentication Method - Passive/release)
-10106	IGNORE	(HTTP Only Site - Active/beta)
-10107	WARN	(Httpoxy - Proxy Header Misuse - Active/beta)
-10108	WARN	(Reverse Tabnabbing - Passive/beta)
-10109	WARN	(Modern Web Application - Passive/beta)
+10095	FAIL	(Backup File Disclosure - Active/beta)
+10096	FAIL	(Timestamp Disclosure - Passive/release)
+10097	FAIL	(Hash Disclosure - Passive/beta)
+10098	FAIL	(Cross-Domain Misconfiguration - Passive/release)
+10104	FAIL	(User Agent Fuzzer - Active/beta)
+10105	FAIL	(Weak Authentication Method - Passive/release)
+10106	FAIL	(HTTP Only Site - Active/beta)
+10107	FAIL	(Httpoxy - Proxy Header Misuse - Active/beta)
+10108	FAIL	(Reverse Tabnabbing - Passive/beta)
+10109	FAIL	(Modern Web Application - Passive/beta)
+# With DEBUG=True Django's debug toolbar uses <a href="#"> links which triggers this rule
+# The debug toolbar doesn't run in production
+10109	OUTOFSCOPE	http://app:8080.*
 10202	FAIL	(Absence of Anti-CSRF Tokens - Passive/release)
-2	WARN	(Private IP Disclosure - Passive/release)
+2	FAIL	(Private IP Disclosure - Passive/release)
 20012	FAIL	(Anti-CSRF Tokens Check - Active/beta)
-20014	WARN	(HTTP Parameter Pollution - Active/beta)
-20015	WARN	(Heartbleed OpenSSL Vulnerability - Active/beta)
-20016	WARN	(Cross-Domain Misconfiguration - Active/beta)
+20014	FAIL	(HTTP Parameter Pollution - Active/beta)
+20015	FAIL	(Heartbleed OpenSSL Vulnerability - Active/beta)
+20016	FAIL	(Cross-Domain Misconfiguration - Active/beta)
 20017	FAIL	(Source Code Disclosure - CVE-2012-1823 - Active/beta)
 20018	FAIL	(Remote Code Execution - CVE-2012-1823 - Active/beta)
-20019	WARN	(External Redirect - Active/release)
-3	WARN	(Session ID in URL Rewrite - Passive/release)
-30001	WARN	(Buffer Overflow - Active/release)
-30002	WARN	(Format String Error - Active/release)
-30003	WARN	(Integer Overflow Error - Active/beta)
-40003	WARN	(CRLF Injection - Active/release)
-40008	WARN	(Parameter Tampering - Active/release)
-40009	WARN	(Server Side Include - Active/release)
+20019	FAIL	(External Redirect - Active/release)
+3	FAIL	(Session ID in URL Rewrite - Passive/release)
+30001	FAIL	(Buffer Overflow - Active/release)
+30002	FAIL	(Format String Error - Active/release)
+30003	FAIL	(Integer Overflow Error - Active/beta)
+40003	FAIL	(CRLF Injection - Active/release)
+40008	FAIL	(Parameter Tampering - Active/release)
+40009	FAIL	(Server Side Include - Active/release)
 40012	FAIL	(Cross Site Scripting (Reflected) - Active/release)
 40013	FAIL	(Session Fixation - Active/beta)
 40014	FAIL	(Cross Site Scripting (Persistent) - Active/release)
@@ -90,32 +106,36 @@
 40025	FAIL	(Proxy Disclosure - Active/beta)
 40026	FAIL	(Cross Site Scripting (DOM Based) - Active/beta)
 40027	FAIL	(SQL Injection - MsSQL - Active/beta)
-40028	WARN	(ELMAH Information Leak - Active/release)
-40029	WARN	(Trace.axd Information Leak - Active/beta)
+40028	FAIL	(ELMAH Information Leak - Active/release)
+40029	FAIL	(Trace.axd Information Leak - Active/beta)
 40032	FAIL	(.htaccess Information Leak - Active/release)
 40034	FAIL	(.env Information Leak - Active/beta)
 40035	FAIL	(Hidden File Finder - Active/beta)
 41	FAIL	(Source Code Disclosure - Git  - Active/beta)
-42	WARN	(Source Code Disclosure - SVN - Active/beta)
-43	WARN	(Source Code Disclosure - File Inclusion - Active/beta)
-50000	WARN	(Script Active Scan Rules - Active/release)
-50001	WARN	(Script Passive Scan Rules - Passive/release)
-6	WARN	(Path Traversal - Active/release)
-7	WARN	(Remote File Inclusion - Active/release)
-90001	WARN	(Insecure JSF ViewState - Passive/release)
-90011	WARN	(Charset Mismatch - Passive/release)
-90017	WARN	(XSLT Injection - Active/beta)
-90019	WARN	(Server Side Code Injection - Active/release)
+42	FAIL	(Source Code Disclosure - SVN - Active/beta)
+43	FAIL	(Source Code Disclosure - File Inclusion - Active/beta)
+50000	FAIL	(Script Active Scan Rules - Active/release)
+50001	FAIL	(Script Passive Scan Rules - Passive/release)
+6	FAIL	(Path Traversal - Active/release)
+7	FAIL	(Remote File Inclusion - Active/release)
+90001	FAIL	(Insecure JSF ViewState - Passive/release)
+90011	FAIL	(Charset Mismatch - Passive/release)
+90017	FAIL	(XSLT Injection - Active/beta)
+90019	FAIL	(Server Side Code Injection - Active/release)
 90020	FAIL	(Remote OS Command Injection - Active/release)
-90021	WARN	(XPath Injection - Active/beta)
-90022	WARN	(Application Error Disclosure - Passive/release)
-90023	WARN	(XML External Entity Attack - Active/beta)
-90024	WARN	(Generic Padding Oracle - Active/beta)
-90025	WARN	(Expression Language Injection - Active/beta)
-90026	WARN	(SOAP Action Spoofing - Active/alpha)
-90027	IGNORE	(Cookie Slack Detector - Active/beta)
-90028	WARN	(Insecure HTTP Method - Active/beta)
-90029	WARN	(SOAP XML Injection - Active/alpha)
-90030	WARN	(WSDL File Detection - Passive/alpha)
-90033	WARN	(Loosely Scoped Cookie - Passive/release)
-90034	WARN	(Cloud Metadata Potentially Exposed - Active/beta)
+90021	FAIL	(XPath Injection - Active/beta)
+90022	FAIL	(Application Error Disclosure - Passive/release)
+90023	FAIL	(XML External Entity Attack - Active/beta)
+90024	FAIL	(Generic Padding Oracle - Active/beta)
+90025	FAIL	(Expression Language Injection - Active/beta)
+90026	FAIL	(SOAP Action Spoofing - Active/alpha)
+90027	FAIL	(Cookie Slack Detector - Active/beta)
+90028	FAIL	(Insecure HTTP Method - Active/beta)
+90029	FAIL	(SOAP XML Injection - Active/alpha)
+90030	FAIL	(WSDL File Detection - Passive/alpha)
+90033	FAIL	(Loosely Scoped Cookie - Passive/release)
+# With DEBUG=True Django's internal server returns a Set-Cookie header that appears
+# to trigger this rule even though it has no domain scope. And the cookie header
+# isn't sent this way on production
+90033	OUTOFSCOPE	http://app:8080.*$
+90034	FAIL	(Cloud Metadata Potentially Exposed - Active/beta)