Support dynamic CSP rules to mitigate clickjacking #5641
Conversation
Codecov Report: All modified and coverable lines are covered by tests ✅
@@ Coverage Diff @@
## main #5641 +/- ##
==========================================
+ Coverage 67.11% 67.12% +0.01%
==========================================
Files 3322 3323 +1
Lines 64271 64291 +20
Branches 10333 10336 +3
==========================================
+ Hits 43135 43155 +20
Misses 18614 18614
Partials 2522 2522
The one failed job, https://github.com/opensearch-project/OpenSearch-Dashboards/actions/runs/7353558209/job/20019665599?pr=5641 (build on macOS ARM64), was successful in the previous run https://github.com/opensearch-project/OpenSearch-Dashboards/actions/runs/7353233916. Will monitor in the next run. Could anyone with permission rerun it for me or grant me the re-run workflow permission?
Hi team @opensearch-project/opensearch-dashboards-core, could you please help review?
cc current oncall @AMoo-Miki for visibility. Please help review and add the backport labels.
@Flyingliuhub @bandinib-amzn @ZilongX would you help to review?
pulling down |
Signed-off-by: Tianle Huang <tianleh@amazon.com>
* support dynamic csp rules to mitigate clickjacking
* add unit tests for the provider class
* move request handler to its own class
* add license headers
* fix failed unit tests
* add unit tests for the handler
* add content to read me
* fix test error
* update readme
* update CHANGELOG.md
* update snap tests
* update snapshots
* fix a wrong import
* undo changes in listing snap
* improve wording
* set client after default client is created
* update return value and add a unit test
* remove unnecessary dependency
* make the name of the index configurable
* expose APIs and update file structures
* add header
* fix link error
* fix link error
* add more unit tests
* add more unit tests
* update api path
* remove logging
* update path
* rename index name
* update wording
* make the new plugin disabled by default
* do not update defaults to avoid breaking change
* update readme to reflect new API path
* update handler to append frame-ancestors conditionally
* update readme
* clean up code to prepare for application config
* reset change log
* reset change log again
* update accordingly to new changes in applicationConfig
* update changelog
* rename to a new plugin name
* rename
* rename more
* sync changelog from main
* onboard to app config
* fix comment
* update yml
* update readme
* update change log
* call out single quotes in readme
* update yml
* update default
* add reference link
* update js doc
* rename
* use new name
* redo changelog update
* remove link
* better name
---------
Signed-off-by: Tianle Huang <tianleh@amazon.com>
(cherry picked from commit 58fb588)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description
This PR is to mitigate the Clickjacking vulnerability as stated in #5639.
Notes for the repo maintainers: please add the backport label for the branch 2.x. We were targeting the 2.12.0 release for this feature; we will target 2.13.0. Please help add the backport label for the branch 2.x.
12/27/2023
Unit tests are being added.
12/23/2023
For now, I am sending the PR without any tests to collect early feedback. More tests will be added later.
Issues Resolved
fixes #5639
Screenshot
Testing the changes
Test Case 1
Step 0: There are no CSP rules configured in OSD yml.
Step 1: Verify that there is no index .opensearch_dashboards_config by default. Run command
GET .opensearch_dashboards_config/_doc/csp.rules
Receive this response.
Step 2: Verify the response header has added frame-ancestors 'self' by default.
Step 3: Verify through a local test html file. Open the test html in the browser and expect to see the following page.
Step 4: Update the index .opensearch_dashboards_config to allow embedding inside a local file.
Step 5: Verify that the test html can open now.
Test Case 2
Step 0: There are CSP rules configured in OSD YML.
Step 1: Verify that by default there is no index .opensearch_dashboards_config. Returns index_not_found_exception.
Step 2: Verify that the values from the OSD YML are used.
Step 3: Update the .opensearch_dashboards_config with different CSP rules from the YML.
Step 4: Verify that the values from the index are used.
Step 5: Update .opensearch_dashboards_config with empty rules.
Step 6: Verify that the values from the YML are used.
Check List
yarn test:jest
yarn test:jest_integration
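To make the resolution order exercised by the two test cases concrete, here is an added TypeScript example. It is not code from this PR or from OpenSearch Dashboards: it models the rule selection (non-empty rules from the csp.rules document in .opensearch_dashboards_config win, otherwise the YML rules are used) and the conditional append of frame-ancestors 'self', then adds a small checker for whether a given ancestor page may frame the app under the resulting policy. The document field name `value`, the origins and the sample YML rules are assumptions constructed for the example; the PR text does not specify them, and the real plugin reads the document through an OpenSearch client rather than taking it as an argument.

```typescript
// Added example, not code from OpenSearch Dashboards or this PR.
// Models the CSP resolution order described in the PR's test cases:
//   1. rules from the csp.rules document in .opensearch_dashboards_config win when non-empty
//   2. otherwise the rules from opensearch_dashboards.yml are used
//   3. frame-ancestors 'self' is appended only when no frame-ancestors directive is present
// The document shape { value: string } is an assumption; the PR does not specify the field name.

interface CspRulesDoc {
  value?: string; // assumed field holding the raw CSP directive string
}

type CspDirectives = Map<string, string[]>;

/** Parse "name v1 v2; name2 v3" into an ordered map of directive name -> source values. */
function parseCsp(csp: string): CspDirectives {
  const directives: CspDirectives = new Map();
  for (const raw of csp.split(";")) {
    const part = raw.trim();
    if (!part) continue;
    const [name, ...values] = part.split(/\s+/);
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

/** Serialize back to header syntax, preserving directive order. */
function serializeCsp(directives: CspDirectives): string {
  return Array.from(directives.entries())
    .map(([name, values]) => (values.length ? `${name} ${values.join(" ")}` : name))
    .join("; ");
}

/** Dynamic rules win when present and non-empty; otherwise fall back to the YML rules. */
function selectRules(ymlRules: string, indexDoc: CspRulesDoc | null): string {
  const dynamic = indexDoc?.value?.trim();
  return dynamic ? dynamic : ymlRules;
}

/** Append frame-ancestors 'self' only if the rules say nothing about frame ancestors. */
function withFrameAncestors(rules: string): string {
  const directives = parseCsp(rules);
  if (!directives.has("frame-ancestors")) {
    directives.set("frame-ancestors", ["'self'"]);
  }
  return serializeCsp(directives);
}

/** The value that would be sent in the Content-Security-Policy response header. */
function resolveCspHeader(ymlRules: string, indexDoc: CspRulesDoc | null): string {
  return withFrameAncestors(selectRules(ymlRules, indexDoc));
}

/**
 * Simplified frame-ancestors evaluation: may a page at ancestorUrl embed the app served
 * from selfOrigin? Handles 'none', 'self', '*', scheme sources (https:) and exact origin
 * sources. Host wildcards, paths and default-port normalization are deliberately left out.
 */
function framingAllowedFrom(csp: string, selfOrigin: string, ancestorUrl: string): boolean {
  const sources = parseCsp(csp).get("frame-ancestors");
  if (sources === undefined) return true; // no directive at all: any page may frame the app
  const ancestor = new URL(ancestorUrl);
  for (const source of sources) {
    const s = source.toLowerCase();
    if (s === "'none'") return false;
    if (s === "*") return true;
    if (s === "'self'" && ancestor.origin === selfOrigin) return true;
    if (s.endsWith(":") && !s.includes("/") && ancestor.protocol === s) return true; // scheme source
    if (s === ancestor.origin.toLowerCase()) return true; // exact origin source
  }
  return false;
}

// Constructed sample inputs (not taken from the PR) mirroring the two test cases.
const YML_RULES =
  "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'";
const PORTAL = "https://portal.example.com";
const OSD_ORIGIN = "https://osd.example.com";

// Test Case 1, step 2: no document, so the YML rules get frame-ancestors 'self' appended.
console.log(resolveCspHeader(YML_RULES, null));
// Test Case 2, step 4: the document's rules are used verbatim, with no second frame-ancestors.
console.log(resolveCspHeader(YML_RULES, { value: `frame-ancestors 'self' ${PORTAL}` }));
```

Two behaviours worth keeping in mind when operating this: a document whose rules contain no frame-ancestors directive still gets 'self' appended, so the only way to disable framing protection is to set frame-ancestors explicitly in the document; and an empty document value falls through to the YML rules rather than to an empty policy, which is what Test Case 2 step 6 checks.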