Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DDO-3763] Do CORS from Sherlock #590

Merged
merged 6 commits into from
Jul 1, 2024
Merged

[DDO-3763] Do CORS from Sherlock #590

merged 6 commits into from
Jul 1, 2024

Conversation

jack-r-warren
Copy link
Contributor

@jack-r-warren jack-r-warren commented Jun 28, 2024
edited
Loading

Details in the ticket.

This does the CORS thing that we've been having the proxy do so far. Benefit now is that we can actually just pass the list of origins and it filters based on them, without treating them like a vulnerable regex like Apache does. Argument for this approach is that it's simpler.

We also move the CSRF mitigations from the proxy into Sherlock for the same reasons.

Two chart changes are required for this to work: we'll need to pass the origins into Sherlock's config and we'll need to configure the proxy to not mutate the Host/Origin headers so that this new middleware can see the real values.

Testing

Via unit test, my own manual testing, and most importantly, Sarah Gibson's testing from her pentest tools

Risk

Low

@github-actions GitHub Actions
Copy link

No API changes detected

@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 28, 2024
edited
Loading

Published image from 17343c8 (merge 9af7587):

us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:v1.5.8-9af7587
us-central1-docker.pkg.dev/dsp-devops-super-prod/sherlock/sherlock:v1.5.8-9af7587

@codecov Codecov
Copy link

codecov bot commented Jun 28, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 91.66667% with 3 lines in your changes missing coverage. Please review.

Project coverage is 77.71%. Comparing base (b10f73d) to head (17343c8).
Report is 3 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #590      +/-   ##
==========================================
+ Coverage   77.65%   77.71%   +0.05%     
==========================================
  Files         203      206       +3     
  Lines        9572     9610      +38     
==========================================
+ Hits         7433     7468      +35     
- Misses       1489     1491       +2     
- Partials      650      651       +1
Files Coverage Δ
sherlock/internal/boot/router.go 71.42% <100.00%> (+2.67%) ⬆️
.../internal/middleware/csrf_protection/middleware.go 100.00% <100.00%> (ø)
sherlock/internal/middleware/cors/middleware.go 72.72% <72.72%> (ø)

... and 1 file with indirect coverage changes

@jack-r-warren jack-r-warren marked this pull request as ready for review July 1, 2024 14:13
@jack-r-warren jack-r-warren requested a review from a team as a code owner July 1, 2024 14:13
mikeflinn
mikeflinn approved these changes Jul 1, 2024
View reviewed changes
Copy link
Contributor

@mikeflinn mikeflinn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me

@sonarqubecloud SonarQubeCloud
Copy link

sonarqubecloud bot commented Jul 1, 2024

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
21.6% Duplication on New Code

See analysis details on SonarCloud

@jack-r-warren jack-r-warren merged commit 6617fc9 into main Jul 1, 2024
31 checks passed
@jack-r-warren jack-r-warren deleted the DDO-3763-cors branch July 1, 2024 18:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@choover-broad choover-broad choover-broad approved these changes

@mikeflinn mikeflinn mikeflinn approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jack-r-warren @mikeflinn @choover-broad