Support dynamic CSP rules to mitigate clickjacking #5641
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #5641 +/- ##
==========================================
+ Coverage 67.11% 67.12% +0.01%
==========================================
Files 3322 3323 +1
Lines 64271 64291 +20
Branches 10333 10336 +3
==========================================
+ Hits 43135 43155 +20
Misses 18614 18614
Partials 2522 2522
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
tianleh
changed the title
|
The one failed https://github.com/opensearch-project/OpenSearch-Dashboards/actions/runs/7353558209/job/20019665599?pr=5641 to build on macOS ARM64 failed but was successful in previous run https://github.com/opensearch-project/OpenSearch-Dashboards/actions/runs/7353233916 Will monitor in next run. Could anyone with permission rerun it for me or grant me the re-run workflow permission? |
tianleh
requested review from
ananzh,
kavilla,
AMoo-Miki,
ashwin-pc,
joshuarrrr,
abbyhu2000,
zengyan-amazon,
kristenTian,
zhongnansu,
manasvinibs,
ZilongX,
Flyingliuhub,
BSFishy,
curq,
bandinib-amzn and
SuZhou-Joe
as code owners
|
Hi team @opensearch-project/opensearch-dashboards-core , could you please help review? |
ruanyl
reviewed
Dec 30, 2023
SuZhou-Joe
reviewed
Jan 2, 2024
|
cc current oncall @AMoo-Miki for visibility. Please help review and add the backport labels |
|
@Flyingliuhub @bandinib-amzn @ZilongX would you help to review |
|
pulling down |
kavilla
reviewed
Jan 5, 2024
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
Signed-off-by: Tianle Huang <tianleh@amazon.com>
bandinib-amzn
force-pushed
the
cj-mitigation
branch
from
fa8bcd6
to
fcc9875
Compare
ZilongX
approved these changes
Mar 8, 2024
opensearch-trigger-bot bot
pushed a commit
that referenced
this pull request
Mar 8, 2024
* support dynamic csp rules to mitigate clickjacking Signed-off-by: Tianle Huang <tianleh@amazon.com> * add unit tests for the provider class Signed-off-by: Tianle Huang <tianleh@amazon.com> * move request handler to its own class Signed-off-by: Tianle Huang <tianleh@amazon.com> * add license headers Signed-off-by: Tianle Huang <tianleh@amazon.com> * fix failed unit tests Signed-off-by: Tianle Huang <tianleh@amazon.com> * add unit tests for the handler Signed-off-by: Tianle Huang <tianleh@amazon.com> * add content to read me Signed-off-by: Tianle Huang <tianleh@amazon.com> * fix test error Signed-off-by: Tianle Huang <tianleh@amazon.com> * update readme Signed-off-by: Tianle Huang <tianleh@amazon.com> * update CHANGELOG.md Signed-off-by: Tianle Huang <tianleh@amazon.com> * update snap tests Signed-off-by: Tianle Huang <tianleh@amazon.com> * update snapshots Signed-off-by: Tianle Huang <tianleh@amazon.com> * fix a wrong import Signed-off-by: Tianle Huang <tianleh@amazon.com> * undo changes in listing snap Signed-off-by: Tianle Huang <tianleh@amazon.com> * improve wording Signed-off-by: Tianle Huang <tianleh@amazon.com> * set client after default client is created Signed-off-by: Tianle Huang <tianleh@amazon.com> * update return value and add a unit test Signed-off-by: Tianle Huang <tianleh@amazon.com> * remove unnecessary dependency Signed-off-by: Tianle Huang <tianleh@amazon.com> * make the name of the index configurable Signed-off-by: Tianle Huang <tianleh@amazon.com> * expose APIs and update file structures Signed-off-by: Tianle Huang <tianleh@amazon.com> * add header Signed-off-by: Tianle Huang <tianleh@amazon.com> * fix link error Signed-off-by: Tianle Huang <tianleh@amazon.com> * fix link error Signed-off-by: Tianle Huang <tianleh@amazon.com> * add more unit tests Signed-off-by: Tianle Huang <tianleh@amazon.com> * add more unit tests Signed-off-by: Tianle Huang <tianleh@amazon.com> * update api path Signed-off-by: Tianle Huang <tianleh@amazon.com> * remove logging Signed-off-by: Tianle Huang <tianleh@amazon.com> * update path Signed-off-by: Tianle Huang <tianleh@amazon.com> * rename index name Signed-off-by: Tianle Huang <tianleh@amazon.com> * update wording Signed-off-by: Tianle Huang <tianleh@amazon.com> * make the new plugin disabled by default Signed-off-by: Tianle Huang <tianleh@amazon.com> * do not update defaults to avoid breaking change Signed-off-by: Tianle Huang <tianleh@amazon.com> * update readme to reflect new API path Signed-off-by: Tianle Huang <tianleh@amazon.com> * update handler to append frame-ancestors conditionally Signed-off-by: Tianle Huang <tianleh@amazon.com> * update readme Signed-off-by: Tianle Huang <tianleh@amazon.com> * clean up code to prepare for application config Signed-off-by: Tianle Huang <tianleh@amazon.com> * reset change log Signed-off-by: Tianle Huang <tianleh@amazon.com> * reset change log again Signed-off-by: Tianle Huang <tianleh@amazon.com> * update accordingly to new changes in applicationConfig Signed-off-by: Tianle Huang <tianleh@amazon.com> * update changelog Signed-off-by: Tianle Huang <tianleh@amazon.com> * rename to a new plugin name Signed-off-by: Tianle Huang <tianleh@amazon.com> * rename Signed-off-by: Tianle Huang <tianleh@amazon.com> * rename more Signed-off-by: Tianle Huang <tianleh@amazon.com> * sync changelog from main Signed-off-by: Tianle Huang <tianleh@amazon.com> * onboard to app config Signed-off-by: Tianle Huang <tianleh@amazon.com> * fix comment Signed-off-by: Tianle Huang <tianleh@amazon.com> * update yml Signed-off-by: Tianle Huang <tianleh@amazon.com> * update readme Signed-off-by: Tianle Huang <tianleh@amazon.com> * update change log Signed-off-by: Tianle Huang <tianleh@amazon.com> * call out single quotes in readme Signed-off-by: Tianle Huang <tianleh@amazon.com> * update yml Signed-off-by: Tianle Huang <tianleh@amazon.com> * update default Signed-off-by: Tianle Huang <tianleh@amazon.com> * add reference link Signed-off-by: Tianle Huang <tianleh@amazon.com> * update js doc Signed-off-by: Tianle Huang <tianleh@amazon.com> * rename Signed-off-by: Tianle Huang <tianleh@amazon.com> * use new name Signed-off-by: Tianle Huang <tianleh@amazon.com> * redo changelog update Signed-off-by: Tianle Huang <tianleh@amazon.com> * remove link Signed-off-by: Tianle Huang <tianleh@amazon.com> * better name Signed-off-by: Tianle Huang <tianleh@amazon.com> --------- Signed-off-by: Tianle Huang <tianleh@amazon.com> (cherry picked from commit 58fb588) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
bandinib-amzn
pushed a commit
that referenced
this pull request
Mar 9, 2024
* support dynamic csp rules to mitigate clickjacking * add unit tests for the provider class * move request handler to its own class * add license headers * fix failed unit tests * add unit tests for the handler * add content to read me * fix test error * update readme * update CHANGELOG.md * update snap tests * update snapshots * fix a wrong import * undo changes in listing snap * improve wording * set client after default client is created * update return value and add a unit test * remove unnecessary dependency * make the name of the index configurable * expose APIs and update file structures * add header * fix link error * fix link error * add more unit tests * add more unit tests * update api path * remove logging * update path * rename index name * update wording * make the new plugin disabled by default * do not update defaults to avoid breaking change * update readme to reflect new API path * update handler to append frame-ancestors conditionally * update readme * clean up code to prepare for application config * reset change log * reset change log again * update accordingly to new changes in applicationConfig * update changelog * rename to a new plugin name * rename * rename more * sync changelog from main * onboard to app config * fix comment * update yml * update readme * update change log * call out single quotes in readme * update yml * update default * add reference link * update js doc * rename * use new name * redo changelog update * remove link * better name --------- (cherry picked from commit 58fb588) Signed-off-by: Tianle Huang <tianleh@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR is to mitigate the Clickjacking vulnerability as stated #5639.
Notes for the repo maintainers: please add backport label to the branch2.x. We are targeting at2.12.0release for this feature.We will target at
2.13.0. Please help add the backport label to the branch2.x.12/27/2023
Unit tests are being added.
12/23/2023
For now, I am sending the PR without any tests to collect early feedback. More tests will be added later.
Issues Resolved
fixes #5639
Screenshot
Testing the changes
Test Case 1
Step 0: There are no csp rules configured in OSD yml.
Step 1: Verify that there is no index
.opensearch_dashboards_configby default.Run command
GET .opensearch_dashboards_config/_doc/csp.rulesReceive this response.
Step 2: Verify the response header has added
frame-ancestors 'self'by default.Step 3: Verify through a local test html file.
Open the test html in browser and expect to see the following page.
Step 4: Update the index
.opensearch_dashboards_configto allow embedding inside local file.Step 5: Verify that the test html can open now.
Test Case 2
Step 0: There are CSP rules configured in OSD YML.
Step 1:
Verify that by default there is no index
.opensearch_dashboards_config.Returns
index_not_found_exceptionStep 2:
Verify that the values from the OSD YML are used.
Step 3:
Update the
.opensearch_dashboards_configwith different CSP rules from the YML.Step 4:
Verify that the values from the index are used.
Step 5:
Update
.opensearch_dashboards_configwith empty rules.Step 6:
Verify that the values from the YML are used.
Check List
yarn test:jestyarn test:jest_integration