new configuration version

This commit is contained in:
mamo 2024-11-11 10:41:28 +00:00
parent 6163a1422b
commit 41a02209c4
3 changed files with 1 additions and 94 deletions


@ -46,7 +46,7 @@ spec:
podDisruptionBudget: podDisruptionBudget:
maxUnavailable: "50%" maxUnavailable: "50%"
git: git:
tag: "r-4fb5275ec4c9d183bf1a4df388ebf867cbd8f1c9" tag: "r-603573b16dce3bad3093656c6cd14820e69672b4"
dir: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi" dir: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi"
credentials: "git-credentials" credentials: "git-credentials"
keystores: keystores:


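--- a/PATH-NOT-SHOWN-deleted-lua-file
+++ b/PATH-NOT-SHOWN-deleted-lua-file
@@ -1,73 +0,0 @@
-function contains(tab, val)
-for index, value in ipairs(tab) do
-if value == val then
-return true
-end
-end
-return false
-end
-function inputHeader(request, response)
-if (request:getMethod() == "GET" or request:getMethod() == "HEAD" or request:getMethod() == "OPTIONS" or request:getMethod() == "TRACE") then
--- these requests are not sensitive (do not manipulate state) and are thus not checked
-return
-end
--- patterns sets allowed domains or {}
-domains = {}
-host = request:getHeader("Host")
-if (host == nil) then
--- Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message which lacks a Host header field.
-request:getTracer():notice("VA05", "Missing Host header")
-response:setHeader("Content-Type", "text/plain")
-response:setBody("400 Bad Request")
-response:send(400)
-return
-end
--- extract host name
-host = host:match('([^:]+)')
-referer = request:getHeader("Referer")
-if (referer ~= nil) then
-referer = referer:match('^%w+://([^/:]+)')
-if (referer ~= host and not contains(domains, referer)) then
-if (referer ~= nil) then
-request:getTracer():notice("VA01", "HTTP Referer header " .. referer .. " does not match host " .. host)
-else
-request:getTracer():notice("VA01", "HTTP Referer header " .. request:getHeader("Referer") .. " does not match pattern '^[a-zA-Z0-9]+://([^/:]+)'")
-end
-response:setHeader("Content-Type", "text/plain")
-response:setBody("403 Denied")
-response:send(403)
-return
-end
-end
-origin = request:getHeader("Origin")
-if (origin ~= nil) then
-origin = origin:match('^%w+://([^/:]+)')
-if (origin ~= host and not contains(domains, origin)) then
-if (origin ~= nil) then
-request:getTracer():notice("VA01", "HTTP Origin header " .. origin .. " does not match host " .. host)
-else
-request:getTracer():notice("VA01", "HTTP Origin header " .. request:getHeader("Origin") .. " does not match pattern '^[a-zA-Z0-9]+://([^/:]+)'")
-end
-response:setHeader("Content-Type", "text/plain")
-response:setBody("403 Denied")
-response:send(403)
-return
-end
-end
-if (origin == nil and referer == nil) then
-request:getTracer():info("VA05", "Referer or Origin header is required for sensitive requests")
-response:setHeader("Content-Type", "text/plain")
-response:setBody("403 Denied")
-response:send(403)
-return
-end
-end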


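--- a/PATH-NOT-SHOWN-filter-config-xml
+++ b/PATH-NOT-SHOWN-filter-config-xml
@@ -66,21 +66,6 @@
 <param-value>false</param-value>
 </init-param>
 </filter>
-<!-- source: pattern://cc0434226c610ad74ffbf1d1 -->
-<filter>
-<filter-name>CSRF_Default</filter-name>
-<filter-class>ch::nevis::isiweb4::filter::lua::LuaFilter</filter-class>
-<!-- source: pattern://cc0434226c610ad74ffbf1d1 -->
-<init-param>
-<param-name>Script.InputHeaderFunctionName</param-name>
-<param-value>inputHeader</param-value>
-</init-param>
-<!-- source: pattern://cc0434226c610ad74ffbf1d1 -->
-<init-param>
-<param-name>Script.Path</param-name>
-<param-value>/var/opt/nevisproxy/default/host-cossa.agov-w.azure.adnovum.net/WEB-INF/csrf_default.lua</param-value>
-</init-param>
-</filter>
 <!-- source: pattern://23dc4a9fcc79a12d82662747 -->
 <filter>
 <filter-name>ErrorHandler_Default</filter-name>
@@ -208,11 +193,6 @@
 <filter-name>ModSecurity_cossa_realm_REST2</filter-name>
 <url-pattern>/oauth/introspect2/*</url-pattern>
 </filter-mapping>
-<!-- source: pattern://cc0434226c610ad74ffbf1d1 -->
-<filter-mapping>
-<filter-name>CSRF_Default</filter-name>
-<url-pattern>/oauth/introspect2/*</url-pattern>
-</filter-mapping>
 <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
 <filter-mapping>
 <filter-name>AuthenticationService_cossa_realm</filter-name>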