test(ui): add owasp zap scanner in ci/cd (#1224)

(cherry picked from commit 6d03ce5f2d) Additional changes on top of: 6d03ce5f2d - Build and use zot from the same branch do not use a container image as scan target, use the binary - Fix typo in rules filename - Add the full rule list to the rules config file - Ignore some of the specific rules and add reasons - Add security-related headers to fix some of the issues identified by the scan - Update UI it includes the latest fixes for zap scan issues Signed-off-by: Andrei Aaron <aaaron@luxoft.com> Co-authored-by: Ramkumar Chinchani <rchincha@cisco.com>
2026-06-16 12:28:01 +08:00 · 2023-02-27 21:25:47 +02:00
parent d62c09e2cc
commit 5968e7199f
6 changed files with 158 additions and 7 deletions
@@ -4,6 +4,7 @@
 package extensions

 import (
+	"net/http"
 	"time"

 	gqlHandler "github.com/99designs/gqlgen/graphql/handler"
@@ -76,6 +77,14 @@ func downloadTrivyDB(cveInfo CveInfo, log log.Logger, updateInterval time.Durati
 	}
 }

+func addSearchSecurityHeaders(h http.Handler) http.HandlerFunc { //nolint:varnamelen
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+
+		h.ServeHTTP(w, r)
+	}
+}
+
 func SetupSearchRoutes(config *config.Config, router *mux.Router, storeController storage.StoreController,
 	repoDB repodb.RepoDB, cveInfo CveInfo, log log.Logger,
 ) {
@@ -86,7 +95,7 @@ func SetupSearchRoutes(config *config.Config, router *mux.Router, storeControlle

 		extRouter := router.PathPrefix(constants.ExtSearchPrefix).Subrouter()
 		extRouter.Methods("GET", "POST", "OPTIONS").
-			Handler(gqlHandler.NewDefaultServer(gql_generated.NewExecutableSchema(resConfig)))
+			Handler(addSearchSecurityHeaders(gqlHandler.NewDefaultServer(gql_generated.NewExecutableSchema(resConfig))))
 	}
 }

@@ -33,6 +33,17 @@ func (uih uiHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }

+func addUISecurityHeaders(h http.Handler) http.HandlerFunc { //nolint:varnamelen
+	return func(w http.ResponseWriter, r *http.Request) {
+		permissionsPolicy := "microphone=(), geolocation=(), battery=(), camera=(), autoplay=(), gyroscope=(), payment=()"
+		w.Header().Set("Permissions-Policy", permissionsPolicy)
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Frame-Options", "DENY")
+
+		h.ServeHTTP(w, r)
+	}
+}
+
 func SetupUIRoutes(config *config.Config, router *mux.Router, storeController storage.StoreController,
 	log log.Logger,
 ) {
@@ -40,11 +51,11 @@ func SetupUIRoutes(config *config.Config, router *mux.Router, storeController st
 		fsub, _ := fs.Sub(content, "build")
 		uih := uiHandler{log: log}

-		router.PathPrefix("/login").Handler(uih)
-		router.PathPrefix("/home").Handler(uih)
-		router.PathPrefix("/explore").Handler(uih)
-		router.PathPrefix("/image").Handler(uih)
-		router.PathPrefix("/").Handler(http.FileServer(http.FS(fsub)))
+		router.PathPrefix("/login").Handler(addUISecurityHeaders(uih))
+		router.PathPrefix("/home").Handler(addUISecurityHeaders(uih))
+		router.PathPrefix("/explore").Handler(addUISecurityHeaders(uih))
+		router.PathPrefix("/image").Handler(addUISecurityHeaders(uih))
+		router.PathPrefix("/").Handler(addUISecurityHeaders(http.FileServer(http.FS(fsub))))

 		log.Info().Msg("setting up ui routes")
 	}