Posted to commits@knox.apache.org by kr...@apache.org on 2019/09/04 14:32:39 UTC
[knox] branch master updated: KNOX-1788 - New XSS Provider is added
to Web Application Security Provider List (#141)
This is an automated email from the ASF dual-hosted git repository.
krisden pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 36cdb97 KNOX-1788 - New XSS Provider is added to Web Application Security Provider List (#141)
36cdb97 is described below
commit 36cdb97febfd0aa7d0dfbf4c8f9b165a7c7ee0aa
Author: Sandor Molnar <sm...@apache.org>
AuthorDate: Wed Sep 4 16:32:34 2019 +0200
KNOX-1788 - New XSS Provider is added to Web Application Security Provider List (#141)
---
.../app/provider-config-wizard/webappsec-wizard.ts | 8 ++-
.../provider-config-wizard/xss-provider-config.ts | 65 ++++++++++++++++++++++
2 files changed, 71 insertions(+), 2 deletions(-)
diff --git a/gateway-admin-ui/admin-ui/app/provider-config-wizard/webappsec-wizard.ts b/gateway-admin-ui/admin-ui/app/provider-config-wizard/webappsec-wizard.ts
index f67196a..b6d337b 100644
--- a/gateway-admin-ui/admin-ui/app/provider-config-wizard/webappsec-wizard.ts
+++ b/gateway-admin-ui/admin-ui/app/provider-config-wizard/webappsec-wizard.ts
@@ -26,6 +26,7 @@ import {WebAppSecurityContributor} from './webappsec-contributor';
import {STSProviderConfig} from './sts-provider-config';
import {XFrameOptionsProviderConfig} from './xframeoptions-provider-config';
import {XContentTypeOptionsProviderConfig} from './xcontent-type-options-provider-config';
+import {XSSProviderConfig} from './xss-provider-config';
export class WebAppSecurityWizard extends CategoryWizard implements ProviderContributorWizard {
// WebAppSec provider types
@@ -34,12 +35,14 @@ export class WebAppSecurityWizard extends CategoryWizard implements ProviderCont
private static XFRAME = 'X-Frame-Options';
private static XCONTENT_TYPE = 'X-Content-Type-Options';
private static STS = 'Strict Transport Security';
+ private static XSS = 'X-XSS-Protection';
private static webAppSecTypes: string[] = [WebAppSecurityWizard.CSRF,
WebAppSecurityWizard.CORS,
WebAppSecurityWizard.XFRAME,
WebAppSecurityWizard.XCONTENT_TYPE,
- WebAppSecurityWizard.STS
+ WebAppSecurityWizard.STS,
+ WebAppSecurityWizard.XSS
];
private static typeConfigMap: Map<string, typeof WebAppSecurityContributor> =
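Review bot: The new `XSS` entry has to be added in two parallel places that must stay in sync — the `webAppSecTypes` array in this hunk and the `typeConfigMap` entries in the next one (`[WebAppSecurityWizard.XSS, XSSProviderConfig]`); a type listed in one but missing from the other would presumably only surface as an undefined lookup at runtime rather than at compile time. Because static field initializers run in declaration order, declaring `typeConfigMap` before the array would let the list be derived from it with `private static webAppSecTypes: string[] = Array.from(WebAppSecurityWizard.typeConfigMap.keys());`, removing the duplication. The `WebAppSecurityWizard` class body continues outside both hunks, so the `stepCount` context line could not be checked against the new entry.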
@@ -48,7 +51,8 @@ export class WebAppSecurityWizard extends CategoryWizard implements ProviderCont
[WebAppSecurityWizard.CORS, CORSProviderConfig],
[WebAppSecurityWizard.XFRAME, XFrameOptionsProviderConfig],
[WebAppSecurityWizard.XCONTENT_TYPE, XContentTypeOptionsProviderConfig],
- [WebAppSecurityWizard.STS, STSProviderConfig]
+ [WebAppSecurityWizard.STS, STSProviderConfig],
+ [WebAppSecurityWizard.XSS, XSSProviderConfig]
] as [string, typeof WebAppSecurityContributor][]);
private stepCount = 4;
diff --git a/gateway-admin-ui/admin-ui/app/provider-config-wizard/xss-provider-config.ts b/gateway-admin-ui/admin-ui/app/provider-config-wizard/xss-provider-config.ts
new file mode 100644
index 0000000..d4ac6bb
--- /dev/null
+++ b/gateway-admin-ui/admin-ui/app/provider-config-wizard/xss-provider-config.ts
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import {WebAppSecurityContributor} from './webappsec-contributor';
+
+export class XSSProviderConfig extends WebAppSecurityContributor {
+ public static X_XSS_PROTECTION = 'X-XSS-Protection';
+
+ private static SUPPORTED_VALUES: string[] = ['0', '1', '1; mode=block'];
+
+ private static displayPropertyNames = [XSSProviderConfig.X_XSS_PROTECTION];
+
+ private static displayPropertyNameBindings: Map<string, string> = new Map(
+ [ [XSSProviderConfig.X_XSS_PROTECTION, 'xss.protection'] ] as [string, string][]
+ );
+
+ constructor() {
+ super();
+ // Set default values
+ this.setParam('xss.protection.enabled', 'true');
+ this.setParam(XSSProviderConfig.displayPropertyNameBindings.get(XSSProviderConfig.X_XSS_PROTECTION), '1; mode=block');
+ }
+
+ getDisplayPropertyNames(): string[] {
+ return XSSProviderConfig.displayPropertyNames;
+ }
+
+ getDisplayNamePropertyBinding(name: string): string {
+ return XSSProviderConfig.displayPropertyNameBindings.get(name);
+ }
+
+ isValidParamValue(paramName: string): boolean {
+ let isValid = false;
+ let value = this.getParam(this.getDisplayNamePropertyBinding(paramName));
+ if (value) {
+ switch (paramName) {
+ case XSSProviderConfig.X_XSS_PROTECTION:
+ if (XSSProviderConfig.SUPPORTED_VALUES.includes(value)) {
+ isValid = true;
+ } else {
+ // only supported in Chromium
+ isValid = value.startsWith('1; report=');
+ }
+ break;
+ default:
+ break;
+ }
+ }
+
+ return isValid;
+ }
+}
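Review bot: In `isValidParamValue` the fallback `isValid = value.startsWith('1; report=');` accepts any suffix after the prefix, including an empty report target or control characters such as CR/LF, so the admin UI marks such a value as valid; unless the gateway side already rejects it before the header is emitted, a tighter check like `isValid = /^1; report=\S+$/.test(value);` limits acceptance to the prefix plus one non-blank token. `getDisplayNamePropertyBinding` returns `Map.get(name)`, which is `string | undefined`, yet is declared `: string` and its result is passed straight to `setParam` in the constructor — this only type-checks with `strictNullChecks` off, so a guard that throws on an unknown `name` would make the contract honest. The class would also benefit from a `/** ... */` header noting that `X-XSS-Protection` is a legacy, non-standard header that browser engines have dropped or are in the process of dropping, and that Content-Security-Policy is the supported alternative; the `// only supported in Chromium` comment on the `report=` branch could say the same for that directive. The `default: break;` arm silently returns `false` for any other `paramName`, which is fine but worth a one-line comment stating that unknown display names are treated as invalid.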