new configuration version

2024-11-11 10:41:28 +00:00 · 2024-11-11 10:41:28 +00:00 · 41a02209c4
parent 6163a1422b
commit 41a02209c4
3 changed files with 1 additions and 94 deletions
--- a/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/etc/nevis/k8s-npi-92e282d1dc2b69d9e4f91fc0.yaml
+++ b/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/etc/nevis/k8s-npi-92e282d1dc2b69d9e4f91fc0.yaml
@ -46,7 +46,7 @@ spec:
  podDisruptionBudget:
    maxUnavailable: "50%"
  git:
-    tag: "r-4fb5275ec4c9d183bf1a4df388ebf867cbd8f1c9"
+    tag: "r-603573b16dce3bad3093656c6cd14820e69672b4"
    dir: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi"
    credentials: "git-credentials"
  keystores:
--- a/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/csrf_default.lua
+++ b/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/csrf_default.lua
@ -1,73 +0,0 @@
-function contains(tab, val)
-    for index, value in ipairs(tab) do
-        if value == val then
-            return true
-        end
-    end
-    return false
-end
-
-function inputHeader(request, response)
-
-  if (request:getMethod() == "GET" or request:getMethod() == "HEAD" or request:getMethod() == "OPTIONS" or request:getMethod() == "TRACE") then
-    -- these requests are not sensitive (do not manipulate state) and are thus not checked
-    return
-  end
-
-  -- patterns sets allowed domains or {}
-  domains = {}
-
-  host = request:getHeader("Host")
-
-  if (host == nil) then
-    -- Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message which lacks a Host header field.
-    request:getTracer():notice("VA05", "Missing Host header")
-    response:setHeader("Content-Type", "text/plain")
-    response:setBody("400 Bad Request")
-    response:send(400)
-    return
-  end
-
-  -- extract host name
-  host = host:match('([^:]+)')
-
-  referer = request:getHeader("Referer")
-  if (referer ~= nil) then
-    referer = referer:match('^%w+://([^/:]+)')
-    if (referer ~= host and not contains(domains, referer)) then
-        if (referer ~= nil) then
-            request:getTracer():notice("VA01", "HTTP Referer header " .. referer .. " does not match host " .. host)
-        else
-            request:getTracer():notice("VA01", "HTTP Referer header " .. request:getHeader("Referer") .. " does not match pattern '^[a-zA-Z0-9]+://([^/:]+)'")
-        end
-        response:setHeader("Content-Type", "text/plain")
-        response:setBody("403 Denied")
-        response:send(403)
-        return
-    end
-  end
-
-  origin = request:getHeader("Origin")
-  if (origin ~= nil) then
-    origin = origin:match('^%w+://([^/:]+)')
-    if (origin ~= host and not contains(domains, origin)) then
-        if (origin ~= nil) then
-            request:getTracer():notice("VA01", "HTTP Origin header " .. origin .. " does not match host " .. host)
-        else
-            request:getTracer():notice("VA01", "HTTP Origin header " .. request:getHeader("Origin") .. " does not match pattern '^[a-zA-Z0-9]+://([^/:]+)'")
-        end
-        response:setHeader("Content-Type", "text/plain")
-        response:setBody("403 Denied")
-        response:send(403)
-        return
-    end
-  end
-
-  if (origin == nil and referer == nil) then
-    request:getTracer():info("VA05", "Referer or Origin header is required for sensitive requests")
-    response:setHeader("Content-Type", "text/plain")
-    response:setBody("403 Denied")
-    response:send(403)
-    return
-  end
-end
--- a/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/web.xml
+++ b/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/web.xml
@ -66,21 +66,6 @@
            <param-value>false</param-value>
        </init-param>
    </filter>
-    <!-- source: pattern://cc0434226c610ad74ffbf1d1 -->
-    <filter>
-        <filter-name>CSRF_Default</filter-name>
-        <filter-class>ch::nevis::isiweb4::filter::lua::LuaFilter</filter-class>
-        <!-- source: pattern://cc0434226c610ad74ffbf1d1 -->
-        <init-param>
-            <param-name>Script.InputHeaderFunctionName</param-name>
-            <param-value>inputHeader</param-value>
-        </init-param>
-        <!-- source: pattern://cc0434226c610ad74ffbf1d1 -->
-        <init-param>
-            <param-name>Script.Path</param-name>
-            <param-value>/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/csrf_default.lua</param-value>
-        </init-param>
-    </filter>
    <!-- source: pattern://23dc4a9fcc79a12d82662747 -->
    <filter>
        <filter-name>ErrorHandler_Default</filter-name>
@ -208,11 +193,6 @@
        <filter-name>ModSecurity_cossa_realm_REST2</filter-name>
        <url-pattern>/oauth/introspect2/*</url-pattern>
    </filter-mapping>
-    <!-- source: pattern://cc0434226c610ad74ffbf1d1 -->
-    <filter-mapping>
-        <filter-name>CSRF_Default</filter-name>
-        <url-pattern>/oauth/introspect2/*</url-pattern>
-    </filter-mapping>
    <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
    <filter-mapping>
        <filter-name>AuthenticationService_cossa_realm</filter-name>