From 850bfbc50e7ae378b6e12cb9256e8910fca9fd36 Mon Sep 17 00:00:00 2001 From: natalie-bernhard Date: Fri, 21 Jun 2024 11:14:37 -0500 Subject: [PATCH 01/13] merge commits into staging without file changes --- scripts/build/ruby_install.sh | 1 - src/main/content/_assets/css/post.scss | 24 ---- .../io/openliberty/website/TLSFilter.java | 128 ++++++++++++++++++ 3 files changed, 128 insertions(+), 25 deletions(-) create mode 100644 src/main/java/io/openliberty/website/TLSFilter.java diff --git a/scripts/build/ruby_install.sh b/scripts/build/ruby_install.sh index 8d0c730e5a..53d13a5d63 100755 --- a/scripts/build/ruby_install.sh +++ b/scripts/build/ruby_install.sh @@ -27,7 +27,6 @@ echo "Ruby version:" echo `ruby -v` gem install ffi -v 1.16.3 -gem install public_suffix -v 5.1.1 gem install jekyll -v 3.8.6 gem install jekyll-assets -v 2.4.0 gem install jekyll-multiple-languages-plugin diff --git a/src/main/content/_assets/css/post.scss b/src/main/content/_assets/css/post.scss index 85e989079b..fe1103c3a1 100644 --- a/src/main/content/_assets/css/post.scss +++ b/src/main/content/_assets/css/post.scss @@ -540,28 +540,4 @@ iframe{ div.sectionbody div.ulist > ul > li p{ font-size: 16px; -} - -.quoteblock{ - display: table; - margin: auto; - blockquote{ - &:before{ - content: "\201c"; - float: left; - font-family: Arial, Helvetica, sans-serif; - font-size: 2.5em; - font-weight: 700; - line-height: .6em; - margin-left: -.6em; - } - margin-left: 22px; - margin-right: 0; - text-align: justify; - } - .attribution{ - text-align: right; - font-style: italic; - margin-right: 0.5ex; - } } \ No newline at end of file diff --git a/src/main/java/io/openliberty/website/TLSFilter.java b/src/main/java/io/openliberty/website/TLSFilter.java new file mode 100644 index 0000000000..fa20ffcd89 --- /dev/null +++ b/src/main/java/io/openliberty/website/TLSFilter.java 
@@ -0,0 +1,128 @@ +/******************************************************************************* + * Copyright (c) 2017 IBM Corporation and others. + * All rights reserved. This program and the accompanying materials + * are made available under the terms of the Eclipse Public License v1.0 + * which accompanies this distribution, and is available at + * http://www.eclipse.org/legal/epl-v10.html + * + * Contributors: + * IBM Corporation - initial API and implementation + *******************************************************************************/ +package io.openliberty.website; + +import java.io.IOException; +import java.util.Map; + +import javax.servlet.Filter; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.FilterChain; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpServletRequest; +import java.io.FileNotFoundException; + +/** + * Originally this filter was used simply to force the use of TLS, however it + * has since been enhanced for general security related content. + * + *

+ * Note: This does not correctly cope with an SSL port that is not 443 which + * happens when using dev mode + *

+ */ +public class TLSFilter implements Filter { + FilterConfig cfg; + + public void destroy() { + } + + public void init(FilterConfig cfg) { + this.cfg = cfg; + } + + public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) + throws IOException, ServletException { + + HttpServletResponse response = ((HttpServletResponse) resp); + + boolean doFilter = true; + + if ("http".equals(req.getScheme())) { + // If the request is via http sends a redirect to HTTPS. Note the filter chain + // is still called which is probably not the right behavior. + response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // HTTP 301 + // This assumes default https port number. + response.setHeader("Location", + ((HttpServletRequest) req).getRequestURL().replace(0, 4, "https").toString()); + } else if ("https".equals(req.getScheme())) { + // If HTTPS is configured this sets a bunch of security headers + + // Tell browsers that this site should only be accessed using HTTPS, instead of using HTTP. + // IncludeSubDomains and 1 year set per OWASP. + response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains"); + // Prevent framing of this website. + response.setHeader("X-Frame-Options", "SAMEORIGIN"); + // Cross-site scripting prevention for Chrome, Safari, and IE. It's not necessary with newer browser + // versions that support the Content-Security-Policy but it helps prevent XSS on older versions of these browsers. + response.setHeader("X-XSS-Protection", "1; mode=block"); + // Stops a browser from trying to MIME-sniff the content type. + response.setHeader("X-Content-Type-Options", "nosniff"); + // Mitigating cross site scripting (XSS) from other domains. 
+ response.setHeader("Content-Security-Policy", + "default-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net fonts.googleapis.com ajax.googleapis.com code.jquery.com fonts.gstatic.com *.githubusercontent.com api.github.com www.googletagmanager.com tagmanager.google.com www.google-analytics.com cdnjs.cloudflare.com data: buttons.github.io www.youtube.com video.ibm.com https://start.openliberty.io/ gitlab.com starter-staging.rh9j6zz75er.us-east.codeengine.appdomain.cloud https://docs.oracle.com/javase/8/docs/api/"); + + // Limits the information sent cross-domain and does not send the origin name. + response.setHeader("Referrer-Policy", "no-referrer"); + + // Note this should be moved into its own filter. It appears to set cache control + // for images, and no cache for everything else. This could likely be replaced + // with a filter just on /img/* which sets Cache-Control only for images. It also isn't + // clear why the Pragma header (for some HTTP 1.0 clients) is set for the api calls, + // but not for everything else. + String uri = ((HttpServletRequest) req).getRequestURI(); + if (uri.startsWith("/img/")) { + response.setHeader("Cache-Control", "max-age=604800"); + // if requesting the JAX-RS api set cache control to not cache + } else if (uri.startsWith("/docs") && uri.endsWith(".html") && !uri.endsWith("index.html")) { + boolean doGzip = true; + // Check if the servlet context contains a redirect rule for this url + Map map = cfg.getServletContext().getContext(uri).getFilterRegistrations(); + for (String key : map.keySet()) { + String redirectRule = key.replace("redirect_", ""); + if (redirectRule.endsWith("*")) { + redirectRule = redirectRule.substring(0, redirectRule.indexOf("*")); + if (uri.startsWith(redirectRule) && !uri.equals(redirectRule)) { + doGzip = false; + } + } else if (uri.equals(redirectRule)) { + // Do not prevent the redirect from happening. 
+ doGzip = false;
+ }
+ }
+ if (doGzip) {
+ response.setHeader("Content-Type", "text/html");
+ response.setHeader("Content-Encoding", "gzip");
+ doFilter = false;
+ try {
+ req.getRequestDispatcher(uri.concat(".gz")).include(req, response);
+ }
+ catch(FileNotFoundException e) {
+ response.setStatus(HttpServletResponse.SC_NOT_FOUND);
+ response.sendRedirect("/404.html");
+ }
+ }
+ } else if (uri.startsWith("/api/builds/") || uri.startsWith("/api/github/")) {
+ response.setHeader("Cache-Control", "no-store");
+ response.setHeader("Pragma", "no-cache");
+ } else {
+ response.setHeader("Cache-Control", "no-cache");
+ }
+ }
+ if (doFilter) {
+ chain.doFilter(req, resp);
+ }
+
+ }
+}
\ No newline at end of file
From c2bebb7411a04a87a53edad4a77ea37586bb0257 Mon Sep 17 00:00:00 2001 From: SteveSamJacob19 Date: Mon, 11 Mar 2024 11:22:36 +0530 Subject: [PATCH 02/13] Fixed jumping of content --- src/main/content/_assets/js/tabs.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/content/_assets/js/tabs.js b/src/main/content/_assets/js/tabs.js
index 41b0711e9b..563999c5b9 100644
--- a/src/main/content/_assets/js/tabs.js
+++ b/src/main/content/_assets/js/tabs.js
@@ -66,7 +66,7 @@ $(document).ready(function() {
 // get class of clicked tab and class of its respective content section
 var class_list = this.classList;
 for (var i = 0; i < class_list.length; i++) {
- var class_name = class_list[i];
+ class_name = class_list[i];
 if (class_name !== "tab_link" && class_name.indexOf("_link") > -1) {
 var tab_content = "." + class_name.replace("link", "section");
 var tab_class = "." + class_name;
From a812b82365c3534ec4c73e3069ce0a7b4745a1f9 Mon Sep 17 00:00:00 2001 From: natalie-bernhard Date: Mon, 18 Mar 2024 11:22:48 -0500 Subject: [PATCH 03/13] Revert "Fixed jumping of content" This reverts commit 0d90a87b767dae6c88fd3c9f9a5f3bac73cd1887. --- src/main/content/_assets/js/tabs.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
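Review bot: In the `"http"` branch the new code sets a 301 and a `Location` header but leaves `doFilter` true, so `chain.doFilter(req, resp)` still runs and whatever sits downstream can write a body or change the status on a response that is meant to be a bare redirect (the inline comment notes this but does not fix it); adding `doFilter = false;` after the `Location` header, or calling `response.sendRedirect(...)` there, closes it. In the gzip `catch` block, `response.sendRedirect("/404.html")` replaces the `SC_NOT_FOUND` status just set with a 302, so that `setStatus` call is dead code — either answer with a plain 404 or drop the `setStatus`. The `Content-Security-Policy` value lists `'unsafe-inline' 'unsafe-eval'` in `default-src`, which largely cancels the script-injection protection the preceding comment promises; I'd reword that comment to `// Restricts the origins content may be loaded from; 'unsafe-inline'/'unsafe-eval' mean it does not block injected scripts.` or tighten the directive if the site's inline scripts allow. PATCH 10/13 re-adds this file unchanged, so the same points apply there.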
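Review bot: Dropping `var` from `class_name = class_list[i];` turns the assignment into an implicit global (or a ReferenceError if this file is ever run in strict mode), which is unlikely to be what "Fixed jumping of content" intends. If the goal is to read `class_name` after the loop, declare it once before the `for`, `var class_name;`, and keep the loop body as `class_name = class_list[i];`. The enclosing click handler starts and ends outside the hunk. PATCH 04/13 re-applies the identical change, so the same note applies there.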
diff --git a/src/main/content/_assets/js/tabs.js b/src/main/content/_assets/js/tabs.js
index 563999c5b9..993f1f2e8c 100644
--- a/src/main/content/_assets/js/tabs.js
+++ b/src/main/content/_assets/js/tabs.js
@@ -66,12 +66,13 @@ $(document).ready(function() {
 // get class of clicked tab and class of its respective content section
 var class_list = this.classList;
 for (var i = 0; i < class_list.length; i++) {
- class_name = class_list[i];
+ var class_name = class_list[i];
 if (class_name !== "tab_link" && class_name.indexOf("_link") > -1) {
 var tab_content = "." + class_name.replace("link", "section");
 var tab_class = "." + class_name;
 }
 }
+
 // show content of clicked tab and add active class to clicked tab
 $(this).parent().find('.tab_content' + tab_content).show();
 $(this).parent().find('.tab_link' + tab_class).addClass("active");
From 8beac3c9e1c0a124f4c875821221892362ad4ebb Mon Sep 17 00:00:00 2001 From: natalie-bernhard Date: Mon, 25 Mar 2024 09:43:53 -0500 Subject: [PATCH 04/13] Revert "Revert "Fixed jumping of content"" This reverts commit 3307a9fb89727ed920a12b3f3e7605e34c46d891. --- src/main/content/_assets/js/tabs.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/main/content/_assets/js/tabs.js b/src/main/content/_assets/js/tabs.js
index 993f1f2e8c..563999c5b9 100644
--- a/src/main/content/_assets/js/tabs.js
+++ b/src/main/content/_assets/js/tabs.js
@@ -66,13 +66,12 @@ $(document).ready(function() { // get class of clicked tab and class of its respective content section var class_list = this.classList; for (var i = 0; i < class_list.length; i++) { - var class_name = class_list[i]; + class_name = class_list[i]; if (class_name !== "tab_link" && class_name.indexOf("_link") > -1) { var tab_content = "." + class_name.replace("link", "section"); var tab_class = "." + class_name; } } - // show content of clicked tab and add active class to clicked tab $(this).parent().find('.tab_content' + tab_content).show(); $(this).parent().find('.tab_link' + tab_class).addClass("active"); From ff5c133d54ac4d5c3c1d50772b8f906275c3a578 Mon Sep 17 00:00:00 2001 From: navaneethsnair1 Date: Tue, 4 Jun 2024 18:19:10 +0530 Subject: [PATCH 05/13] render blockquotes on blogs --- src/main/content/_assets/css/post.scss | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/src/main/content/_assets/css/post.scss b/src/main/content/_assets/css/post.scss index fe1103c3a1..85e989079b 100644 --- a/src/main/content/_assets/css/post.scss +++ b/src/main/content/_assets/css/post.scss @@ -540,4 +540,28 @@ iframe{ div.sectionbody div.ulist > ul > li p{ font-size: 16px; +} + +.quoteblock{ + display: table; + margin: auto; + blockquote{ + &:before{ + content: "\201c"; + float: left; + font-family: Arial, Helvetica, sans-serif; + font-size: 2.5em; + font-weight: 700; + line-height: .6em; + margin-left: -.6em; + } + margin-left: 22px; + margin-right: 0; + text-align: justify; + } + .attribution{ + text-align: right; + font-style: italic; + margin-right: 0.5ex; + } } \ No newline at end of file From d0309ee4fea45374d971dc513d3ce27a847da25e Mon Sep 17 00:00:00 2001 From: SteveSamJacob19 Date: Mon, 17 Jun 2024 11:55:33 +0530 Subject: [PATCH 06/13] Removed TLSFilter --- .../io/openliberty/website/TLSFilter.java | 128 ------------------ 1 file changed, 128 deletions(-) delete mode 100644 src/main/java/io/openliberty/website/TLSFilter.java 
diff --git a/src/main/java/io/openliberty/website/TLSFilter.java b/src/main/java/io/openliberty/website/TLSFilter.java deleted file mode 100644 index fa20ffcd89..0000000000 --- a/src/main/java/io/openliberty/website/TLSFilter.java +++ /dev/null @@ -1,128 +0,0 @@ -/******************************************************************************* - * Copyright (c) 2017 IBM Corporation and others. - * All rights reserved. This program and the accompanying materials - * are made available under the terms of the Eclipse Public License v1.0 - * which accompanies this distribution, and is available at - * http://www.eclipse.org/legal/epl-v10.html - * - * Contributors: - * IBM Corporation - initial API and implementation - *******************************************************************************/ -package io.openliberty.website; - -import java.io.IOException; -import java.util.Map; - -import javax.servlet.Filter; -import javax.servlet.FilterConfig; -import javax.servlet.ServletException; -import javax.servlet.FilterChain; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpServletRequest; -import java.io.FileNotFoundException; - -/** - * Originally this filter was used simply to force the use of TLS, however it - * has since been enhanced for general security related content. - * - *

- * Note: This does not correctly cope with an SSL port that is not 443 which - * happens when using dev mode - *

- */ -public class TLSFilter implements Filter { - FilterConfig cfg; - - public void destroy() { - } - - public void init(FilterConfig cfg) { - this.cfg = cfg; - } - - public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) - throws IOException, ServletException { - - HttpServletResponse response = ((HttpServletResponse) resp); - - boolean doFilter = true; - - if ("http".equals(req.getScheme())) { - // If the request is via http sends a redirect to HTTPS. Note the filter chain - // is still called which is probably not the right behavior. - response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // HTTP 301 - // This assumes default https port number. - response.setHeader("Location", - ((HttpServletRequest) req).getRequestURL().replace(0, 4, "https").toString()); - } else if ("https".equals(req.getScheme())) { - // If HTTPS is configured this sets a bunch of security headers - - // Tell browsers that this site should only be accessed using HTTPS, instead of using HTTP. - // IncludeSubDomains and 1 year set per OWASP. - response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains"); - // Prevent framing of this website. - response.setHeader("X-Frame-Options", "SAMEORIGIN"); - // Cross-site scripting prevention for Chrome, Safari, and IE. It's not necessary with newer browser - // versions that support the Content-Security-Policy but it helps prevent XSS on older versions of these browsers. - response.setHeader("X-XSS-Protection", "1; mode=block"); - // Stops a browser from trying to MIME-sniff the content type. - response.setHeader("X-Content-Type-Options", "nosniff"); - // Mitigating cross site scripting (XSS) from other domains. 
- response.setHeader("Content-Security-Policy", - "default-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net fonts.googleapis.com ajax.googleapis.com code.jquery.com fonts.gstatic.com *.githubusercontent.com api.github.com www.googletagmanager.com tagmanager.google.com www.google-analytics.com cdnjs.cloudflare.com data: buttons.github.io www.youtube.com video.ibm.com https://start.openliberty.io/ gitlab.com starter-staging.rh9j6zz75er.us-east.codeengine.appdomain.cloud https://docs.oracle.com/javase/8/docs/api/"); - - // Limits the information sent cross-domain and does not send the origin name. - response.setHeader("Referrer-Policy", "no-referrer"); - - // Note this should be moved into its own filter. It appears to set cache control - // for images, and no cache for everything else. This could likely be replaced - // with a filter just on /img/* which sets Cache-Control only for images. It also isn't - // clear why the Pragma header (for some HTTP 1.0 clients) is set for the api calls, - // but not for everything else. - String uri = ((HttpServletRequest) req).getRequestURI(); - if (uri.startsWith("/img/")) { - response.setHeader("Cache-Control", "max-age=604800"); - // if requesting the JAX-RS api set cache control to not cache - } else if (uri.startsWith("/docs") && uri.endsWith(".html") && !uri.endsWith("index.html")) { - boolean doGzip = true; - // Check if the servlet context contains a redirect rule for this url - Map map = cfg.getServletContext().getContext(uri).getFilterRegistrations(); - for (String key : map.keySet()) { - String redirectRule = key.replace("redirect_", ""); - if (redirectRule.endsWith("*")) { - redirectRule = redirectRule.substring(0, redirectRule.indexOf("*")); - if (uri.startsWith(redirectRule) && !uri.equals(redirectRule)) { - doGzip = false; - } - } else if (uri.equals(redirectRule)) { - // Do not prevent the redirect from happening. 
- doGzip = false; - } - } - if (doGzip) { - response.setHeader("Content-Type", "text/html"); - response.setHeader("Content-Encoding", "gzip"); - doFilter = false; - try { - req.getRequestDispatcher(uri.concat(".gz")).include(req, response); - } - catch(FileNotFoundException e) { - response.setStatus(HttpServletResponse.SC_NOT_FOUND); - response.sendRedirect("/404.html"); - } - } - } else if (uri.startsWith("/api/builds/") || uri.startsWith("/api/github/")) { - response.setHeader("Cache-Control", "no-store"); - response.setHeader("Pragma", "no-cache"); - } else { - response.setHeader("Cache-Control", "no-cache"); - } - } - if (doFilter) { - chain.doFilter(req, resp); - } - - } -} \ No newline at end of file From 4e513dbfe165bb51d92b82ceedbf2d0a48c42aa4 Mon Sep 17 00:00:00 2001 From: natalie-bernhard Date: Fri, 21 Jun 2024 08:59:22 -0500 Subject: [PATCH 07/13] set public suffix version for ruby compatibility --- scripts/build/ruby_install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/build/ruby_install.sh b/scripts/build/ruby_install.sh index 53d13a5d63..8d0c730e5a 100755 --- a/scripts/build/ruby_install.sh +++ b/scripts/build/ruby_install.sh @@ -27,6 +27,7 @@ echo "Ruby version:" echo `ruby -v` gem install ffi -v 1.16.3 +gem install public_suffix -v 5.1.1 gem install jekyll -v 3.8.6 gem install jekyll-assets -v 2.4.0 gem install jekyll-multiple-languages-plugin From a7384ff3b979542ca4c7d493dd7c7187e5c1e0c2 Mon Sep 17 00:00:00 2001 From: natalie-bernhard Date: Fri, 21 Jun 2024 09:01:24 -0500 Subject: [PATCH 08/13] reset to prod --- src/main/content/_assets/js/tabs.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/content/_assets/js/tabs.js b/src/main/content/_assets/js/tabs.js index 563999c5b9..41b0711e9b 100644 --- a/src/main/content/_assets/js/tabs.js +++ b/src/main/content/_assets/js/tabs.js 
@@ -66,7 +66,7 @@ $(document).ready(function() { // get class of clicked tab and class of its respective content section var class_list = this.classList; for (var i = 0; i < class_list.length; i++) { - class_name = class_list[i]; + var class_name = class_list[i]; if (class_name !== "tab_link" && class_name.indexOf("_link") > -1) { var tab_content = "." + class_name.replace("link", "section"); var tab_class = "." + class_name; From b0151727991cd15672919b05f6bc6cbc7cdf2ff4 Mon Sep 17 00:00:00 2001 From: natalie-bernhard Date: Fri, 21 Jun 2024 11:23:44 -0500 Subject: [PATCH 09/13] Revert "render blockquotes on blogs" This reverts commit b1789e2b9d20092bd10dfe5659d888fc62d6d239. --- src/main/content/_assets/css/post.scss | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/src/main/content/_assets/css/post.scss b/src/main/content/_assets/css/post.scss index 85e989079b..fe1103c3a1 100644 --- a/src/main/content/_assets/css/post.scss +++ b/src/main/content/_assets/css/post.scss @@ -540,28 +540,4 @@ iframe{ div.sectionbody div.ulist > ul > li p{ font-size: 16px; -} - -.quoteblock{ - display: table; - margin: auto; - blockquote{ - &:before{ - content: "\201c"; - float: left; - font-family: Arial, Helvetica, sans-serif; - font-size: 2.5em; - font-weight: 700; - line-height: .6em; - margin-left: -.6em; - } - margin-left: 22px; - margin-right: 0; - text-align: justify; - } - .attribution{ - text-align: right; - font-style: italic; - margin-right: 0.5ex; - } } \ No newline at end of file From db8733c881ae3ef176ab012287573a4c6943fc6d Mon Sep 17 00:00:00 2001 From: natalie-bernhard Date: Fri, 21 Jun 2024 11:24:29 -0500 Subject: [PATCH 10/13] Revert "Removed TLSFilter" This reverts commit bcda1187544a53e7610f79e68b83d818c6278008. --- .../io/openliberty/website/TLSFilter.java | 128 ++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100644 src/main/java/io/openliberty/website/TLSFilter.java 
diff --git a/src/main/java/io/openliberty/website/TLSFilter.java b/src/main/java/io/openliberty/website/TLSFilter.java new file mode 100644 index 0000000000..fa20ffcd89 --- /dev/null +++ b/src/main/java/io/openliberty/website/TLSFilter.java @@ -0,0 +1,128 @@ +/******************************************************************************* + * Copyright (c) 2017 IBM Corporation and others. + * All rights reserved. This program and the accompanying materials + * are made available under the terms of the Eclipse Public License v1.0 + * which accompanies this distribution, and is available at + * http://www.eclipse.org/legal/epl-v10.html + * + * Contributors: + * IBM Corporation - initial API and implementation + *******************************************************************************/ +package io.openliberty.website; + +import java.io.IOException; +import java.util.Map; + +import javax.servlet.Filter; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.FilterChain; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpServletRequest; +import java.io.FileNotFoundException; + +/** + * Originally this filter was used simply to force the use of TLS, however it + * has since been enhanced for general security related content. + * + *

+ * Note: This does not correctly cope with an SSL port that is not 443 which + * happens when using dev mode + *

+ */ +public class TLSFilter implements Filter { + FilterConfig cfg; + + public void destroy() { + } + + public void init(FilterConfig cfg) { + this.cfg = cfg; + } + + public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) + throws IOException, ServletException { + + HttpServletResponse response = ((HttpServletResponse) resp); + + boolean doFilter = true; + + if ("http".equals(req.getScheme())) { + // If the request is via http sends a redirect to HTTPS. Note the filter chain + // is still called which is probably not the right behavior. + response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // HTTP 301 + // This assumes default https port number. + response.setHeader("Location", + ((HttpServletRequest) req).getRequestURL().replace(0, 4, "https").toString()); + } else if ("https".equals(req.getScheme())) { + // If HTTPS is configured this sets a bunch of security headers + + // Tell browsers that this site should only be accessed using HTTPS, instead of using HTTP. + // IncludeSubDomains and 1 year set per OWASP. + response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains"); + // Prevent framing of this website. + response.setHeader("X-Frame-Options", "SAMEORIGIN"); + // Cross-site scripting prevention for Chrome, Safari, and IE. It's not necessary with newer browser + // versions that support the Content-Security-Policy but it helps prevent XSS on older versions of these browsers. + response.setHeader("X-XSS-Protection", "1; mode=block"); + // Stops a browser from trying to MIME-sniff the content type. + response.setHeader("X-Content-Type-Options", "nosniff"); + // Mitigating cross site scripting (XSS) from other domains. 
+ response.setHeader("Content-Security-Policy", + "default-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net fonts.googleapis.com ajax.googleapis.com code.jquery.com fonts.gstatic.com *.githubusercontent.com api.github.com www.googletagmanager.com tagmanager.google.com www.google-analytics.com cdnjs.cloudflare.com data: buttons.github.io www.youtube.com video.ibm.com https://start.openliberty.io/ gitlab.com starter-staging.rh9j6zz75er.us-east.codeengine.appdomain.cloud https://docs.oracle.com/javase/8/docs/api/"); + + // Limits the information sent cross-domain and does not send the origin name. + response.setHeader("Referrer-Policy", "no-referrer"); + + // Note this should be moved into its own filter. It appears to set cache control + // for images, and no cache for everything else. This could likely be replaced + // with a filter just on /img/* which sets Cache-Control only for images. It also isn't + // clear why the Pragma header (for some HTTP 1.0 clients) is set for the api calls, + // but not for everything else. + String uri = ((HttpServletRequest) req).getRequestURI(); + if (uri.startsWith("/img/")) { + response.setHeader("Cache-Control", "max-age=604800"); + // if requesting the JAX-RS api set cache control to not cache + } else if (uri.startsWith("/docs") && uri.endsWith(".html") && !uri.endsWith("index.html")) { + boolean doGzip = true; + // Check if the servlet context contains a redirect rule for this url + Map map = cfg.getServletContext().getContext(uri).getFilterRegistrations(); + for (String key : map.keySet()) { + String redirectRule = key.replace("redirect_", ""); + if (redirectRule.endsWith("*")) { + redirectRule = redirectRule.substring(0, redirectRule.indexOf("*")); + if (uri.startsWith(redirectRule) && !uri.equals(redirectRule)) { + doGzip = false; + } + } else if (uri.equals(redirectRule)) { + // Do not prevent the redirect from happening. 
+ doGzip = false; + } + } + if (doGzip) { + response.setHeader("Content-Type", "text/html"); + response.setHeader("Content-Encoding", "gzip"); + doFilter = false; + try { + req.getRequestDispatcher(uri.concat(".gz")).include(req, response); + } + catch(FileNotFoundException e) { + response.setStatus(HttpServletResponse.SC_NOT_FOUND); + response.sendRedirect("/404.html"); + } + } + } else if (uri.startsWith("/api/builds/") || uri.startsWith("/api/github/")) { + response.setHeader("Cache-Control", "no-store"); + response.setHeader("Pragma", "no-cache"); + } else { + response.setHeader("Cache-Control", "no-cache"); + } + } + if (doFilter) { + chain.doFilter(req, resp); + } + + } +} \ No newline at end of file From 776ee3aa749bbdaec674e233763c573ca5939b7f Mon Sep 17 00:00:00 2001 From: natalie-bernhard Date: Fri, 21 Jun 2024 11:25:28 -0500 Subject: [PATCH 11/13] Revert "Revert "Removed TLSFilter"" This reverts commit 4f104aba2bc00c97daf14334905b0aeebe4514cd. --- .../io/openliberty/website/TLSFilter.java | 128 ------------------ 1 file changed, 128 deletions(-) delete mode 100644 src/main/java/io/openliberty/website/TLSFilter.java diff --git a/src/main/java/io/openliberty/website/TLSFilter.java b/src/main/java/io/openliberty/website/TLSFilter.java deleted file mode 100644 index fa20ffcd89..0000000000 --- a/src/main/java/io/openliberty/website/TLSFilter.java +++ /dev/null 
@@ -1,128 +0,0 @@ -/******************************************************************************* - * Copyright (c) 2017 IBM Corporation and others. - * All rights reserved. This program and the accompanying materials - * are made available under the terms of the Eclipse Public License v1.0 - * which accompanies this distribution, and is available at - * http://www.eclipse.org/legal/epl-v10.html - * - * Contributors: - * IBM Corporation - initial API and implementation - *******************************************************************************/ -package io.openliberty.website; - -import java.io.IOException; -import java.util.Map; - -import javax.servlet.Filter; -import javax.servlet.FilterConfig; -import javax.servlet.ServletException; -import javax.servlet.FilterChain; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpServletRequest; -import java.io.FileNotFoundException; - -/** - * Originally this filter was used simply to force the use of TLS, however it - * has since been enhanced for general security related content. - * - *

- * Note: This does not correctly cope with an SSL port that is not 443 which - * happens when using dev mode - *

- */ -public class TLSFilter implements Filter { - FilterConfig cfg; - - public void destroy() { - } - - public void init(FilterConfig cfg) { - this.cfg = cfg; - } - - public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) - throws IOException, ServletException { - - HttpServletResponse response = ((HttpServletResponse) resp); - - boolean doFilter = true; - - if ("http".equals(req.getScheme())) { - // If the request is via http sends a redirect to HTTPS. Note the filter chain - // is still called which is probably not the right behavior. - response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // HTTP 301 - // This assumes default https port number. - response.setHeader("Location", - ((HttpServletRequest) req).getRequestURL().replace(0, 4, "https").toString()); - } else if ("https".equals(req.getScheme())) { - // If HTTPS is configured this sets a bunch of security headers - - // Tell browsers that this site should only be accessed using HTTPS, instead of using HTTP. - // IncludeSubDomains and 1 year set per OWASP. - response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains"); - // Prevent framing of this website. - response.setHeader("X-Frame-Options", "SAMEORIGIN"); - // Cross-site scripting prevention for Chrome, Safari, and IE. It's not necessary with newer browser - // versions that support the Content-Security-Policy but it helps prevent XSS on older versions of these browsers. - response.setHeader("X-XSS-Protection", "1; mode=block"); - // Stops a browser from trying to MIME-sniff the content type. - response.setHeader("X-Content-Type-Options", "nosniff"); - // Mitigating cross site scripting (XSS) from other domains. 
- response.setHeader("Content-Security-Policy", - "default-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net fonts.googleapis.com ajax.googleapis.com code.jquery.com fonts.gstatic.com *.githubusercontent.com api.github.com www.googletagmanager.com tagmanager.google.com www.google-analytics.com cdnjs.cloudflare.com data: buttons.github.io www.youtube.com video.ibm.com https://start.openliberty.io/ gitlab.com starter-staging.rh9j6zz75er.us-east.codeengine.appdomain.cloud https://docs.oracle.com/javase/8/docs/api/"); - - // Limits the information sent cross-domain and does not send the origin name. - response.setHeader("Referrer-Policy", "no-referrer"); - - // Note this should be moved into its own filter. It appears to set cache control - // for images, and no cache for everything else. This could likely be replaced - // with a filter just on /img/* which sets Cache-Control only for images. It also isn't - // clear why the Pragma header (for some HTTP 1.0 clients) is set for the api calls, - // but not for everything else. - String uri = ((HttpServletRequest) req).getRequestURI(); - if (uri.startsWith("/img/")) { - response.setHeader("Cache-Control", "max-age=604800"); - // if requesting the JAX-RS api set cache control to not cache - } else if (uri.startsWith("/docs") && uri.endsWith(".html") && !uri.endsWith("index.html")) { - boolean doGzip = true; - // Check if the servlet context contains a redirect rule for this url - Map map = cfg.getServletContext().getContext(uri).getFilterRegistrations(); - for (String key : map.keySet()) { - String redirectRule = key.replace("redirect_", ""); - if (redirectRule.endsWith("*")) { - redirectRule = redirectRule.substring(0, redirectRule.indexOf("*")); - if (uri.startsWith(redirectRule) && !uri.equals(redirectRule)) { - doGzip = false; - } - } else if (uri.equals(redirectRule)) { - // Do not prevent the redirect from happening. 
- doGzip = false; - } - } - if (doGzip) { - response.setHeader("Content-Type", "text/html"); - response.setHeader("Content-Encoding", "gzip"); - doFilter = false; - try { - req.getRequestDispatcher(uri.concat(".gz")).include(req, response); - } - catch(FileNotFoundException e) { - response.setStatus(HttpServletResponse.SC_NOT_FOUND); - response.sendRedirect("/404.html"); - } - } - } else if (uri.startsWith("/api/builds/") || uri.startsWith("/api/github/")) { - response.setHeader("Cache-Control", "no-store"); - response.setHeader("Pragma", "no-cache"); - } else { - response.setHeader("Cache-Control", "no-cache"); - } - } - if (doFilter) { - chain.doFilter(req, resp); - } - - } -} \ No newline at end of file From ae9a945e1a6571414d5e78608a330b6476aec49b Mon Sep 17 00:00:00 2001 From: Kin Ueng Date: Tue, 25 Jun 2024 10:53:59 -0500 Subject: [PATCH 12/13] build: upgrade to Open Liberty 24.0.0.6 --- docker/Dockerfile.demo | 2 +- docker/Dockerfile.draft | 2 +- docker/Dockerfile.prod | 2 +- docker/Dockerfile.staging | 2 +- docker/blogs/Dockerfile.blogs.draft | 2 +- docker/blogs/Dockerfile.blogs.staging | 2 +- docker/certifications/Dockerfile.certifications.draft | 2 +- docker/certifications/Dockerfile.certifications.staging | 2 +- docker/docs/Dockerfile.docs.draft | 2 +- docker/docs/Dockerfile.docs.staging | 2 +- docker/guides/Dockerfile.guides.draft | 2 +- docker/guides/Dockerfile.guides.staging | 2 +- docker/ui-only/Dockerfile.ui-only | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/docker/Dockerfile.demo b/docker/Dockerfile.demo index b6251de69f..9cf8c7d4ff 100644 --- a/docker/Dockerfile.demo +++ b/docker/Dockerfile.demo 
@@ -49,7 +49,7 @@ RUN ./mvnw -B -Dhttps.protocols=TLSv1.2 compile war:exploded # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
diff --git a/docker/Dockerfile.draft b/docker/Dockerfile.draft
index 385c6f9e84..5fdaec0c04 100644
--- a/docker/Dockerfile.draft
+++ b/docker/Dockerfile.draft
@@ -50,7 +50,7 @@ RUN ./mvnw -B -Dhttps.protocols=TLSv1.2 compile war:exploded # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
diff --git a/docker/Dockerfile.prod b/docker/Dockerfile.prod
index 2c3ea41bbe..47e498573d 100644
--- a/docker/Dockerfile.prod
+++ b/docker/Dockerfile.prod
@@ -68,7 +68,7 @@ COPY --from=docs --chown=1001:0 /temp-docs/docs /target/openliberty-website-1.0- # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
diff --git a/docker/Dockerfile.staging b/docker/Dockerfile.staging
index d7e0f40a5a..4d19361fb5 100644
--- a/docker/Dockerfile.staging
+++ b/docker/Dockerfile.staging
@@ -65,7 +65,7 @@ COPY --from=docs --chown=1001:0 /temp-docs/docs /target/openliberty-website-1.0- # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
diff --git a/docker/blogs/Dockerfile.blogs.draft b/docker/blogs/Dockerfile.blogs.draft
index bd629939c6..f3229e1617 100644
--- a/docker/blogs/Dockerfile.blogs.draft
+++ b/docker/blogs/Dockerfile.blogs.draft
@@ -42,7 +42,7 @@ RUN ./mvnw -B -Dhttps.protocols=TLSv1.2 compile war:exploded # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
diff --git a/docker/blogs/Dockerfile.blogs.staging b/docker/blogs/Dockerfile.blogs.staging
index df5ba1b1f0..1c1353e82c 100644
--- a/docker/blogs/Dockerfile.blogs.staging
+++ b/docker/blogs/Dockerfile.blogs.staging
@@ -42,7 +42,7 @@ RUN ./mvnw -B -Dhttps.protocols=TLSv1.2 compile war:exploded # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
diff --git a/docker/certifications/Dockerfile.certifications.draft b/docker/certifications/Dockerfile.certifications.draft
index d483fcd464..6641a94547 100644
--- a/docker/certifications/Dockerfile.certifications.draft
+++ b/docker/certifications/Dockerfile.certifications.draft
@@ -42,7 +42,7 @@ RUN ./mvnw -B -Dhttps.protocols=TLSv1.2 compile war:exploded # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
diff --git a/docker/certifications/Dockerfile.certifications.staging b/docker/certifications/Dockerfile.certifications.staging
index d046d2650c..f7caaf9de4 100644
--- a/docker/certifications/Dockerfile.certifications.staging
+++ b/docker/certifications/Dockerfile.certifications.staging
@@ -42,7 +42,7 @@ RUN ./mvnw -B -Dhttps.protocols=TLSv1.2 compile war:exploded # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
diff --git a/docker/docs/Dockerfile.docs.draft b/docker/docs/Dockerfile.docs.draft
index dde9a7ddd4..92952d05db 100644
--- a/docker/docs/Dockerfile.docs.draft
+++ b/docker/docs/Dockerfile.docs.draft
@@ -54,7 +54,7 @@ RUN ./mvnw -B -Dhttps.protocols=TLSv1.2 compile war:exploded # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
diff --git a/docker/docs/Dockerfile.docs.staging b/docker/docs/Dockerfile.docs.staging
index 20f616a2f9..fc37da310d 100644
--- a/docker/docs/Dockerfile.docs.staging
+++ b/docker/docs/Dockerfile.docs.staging
@@ -54,7 +54,7 @@ RUN ./mvnw -B -Dhttps.protocols=TLSv1.2 compile war:exploded # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
diff --git a/docker/guides/Dockerfile.guides.draft b/docker/guides/Dockerfile.guides.draft
index a130ada2ff..3cea227ec4 100644
--- a/docker/guides/Dockerfile.guides.draft
+++ b/docker/guides/Dockerfile.guides.draft
@@ -42,7 +42,7 @@ RUN ./mvnw -B -Dhttps.protocols=TLSv1.2 compile war:exploded # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
diff --git a/docker/guides/Dockerfile.guides.staging b/docker/guides/Dockerfile.guides.staging
index e91dbeb7b4..f8228ccd0f 100644
--- a/docker/guides/Dockerfile.guides.staging
+++ b/docker/guides/Dockerfile.guides.staging
@@ -42,7 +42,7 @@ RUN ./mvnw -B -Dhttps.protocols=TLSv1.2 compile war:exploded # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
diff --git a/docker/ui-only/Dockerfile.ui-only b/docker/ui-only/Dockerfile.ui-only
index cd59094379..a3d66cc05a 100644
--- a/docker/ui-only/Dockerfile.ui-only
+++ b/docker/ui-only/Dockerfile.ui-only
@@ -41,7 +41,7 @@ RUN ./mvnw -B -Dhttps.protocols=TLSv1.2 compile war:exploded # # #
-FROM icr.io/appcafe/open-liberty:24.0.0.4-kernel-slim-java8-openj9-ubi as runtime
+FROM icr.io/appcafe/open-liberty:24.0.0.6-kernel-slim-java8-openj9-ubi as runtime
 ENV SEC_TLS_TRUSTDEFAULTCERTS true
 COPY --chown=1001:0 src/main/wlp/server.xml /config/server.xml
From 2b9c01baa99818d7ec461c6a545394181882cd38 Mon Sep 17 00:00:00 2001
From: SteveSamJacob19
Date: Thu, 27 Jun 2024 11:51:07 +0530
Subject: [PATCH 13/13] Removed post.scss change
---
src/main/content/_assets/css/post.scss | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/main/content/_assets/css/post.scss b/src/main/content/_assets/css/post.scss
index fe1103c3a1..85e989079b 100644
--- a/src/main/content/_assets/css/post.scss
+++ b/src/main/content/_assets/css/post.scss
@@ -540,4 +540,28 @@ iframe{
 div.sectionbody div.ulist > ul > li p{
 font-size: 16px;
+}
+
+.quoteblock{
+ display: table;
+ margin: auto;
+ blockquote{
+ &:before{
+ content: "\201c";
+ float: left;
+ font-family: Arial, Helvetica, sans-serif;
+ font-size: 2.5em;
+ font-weight: 700;
+ line-height: .6em;
+ margin-left: -.6em;
+ }
+ margin-left: 22px;
+ margin-right: 0;
+ text-align: justify;
+ }
+ .attribution{
+ text-align: right;
+ font-style: italic;
+ margin-right: 0.5ex;
+ }
 }
\ No newline at end of file