
HPCC-32679 Prevent frame injection in legacy EclWatch URLs

Open asselitx opened this issue 1 year ago • 3 comments

Set a Content-Security-Policy header that restricts frame sources to be the current host with a wildcard on the port to allow ws_ecl to be embedded.

Type of change:

  • [x] This change is a bug fix (non-breaking change which fixes an issue).
  • [ ] This change is a new feature (non-breaking change which adds functionality).
  • [ ] This change improves the code (refactor or other change that does not change the functionality)
  • [ ] This change fixes warnings (the fix does not alter the functionality or the generated code)
  • [ ] This change is a breaking change (fix or feature that will cause existing behavior to change).
  • [ ] This change alters the query API (existing queries will have to be recompiled)

Checklist:

  • [x] My code follows the code style of this project.
    • [x] My code does not create any new warnings from compiler, build system, or lint.
  • [x] The commit message is properly formatted and free of typos.
    • [x] The commit message title makes sense in a changelog, by itself.
    • [x] The commit is signed.
  • [ ] My change requires a change to the documentation.
    • [ ] I have updated the documentation accordingly, or...
    • [ ] I have created a JIRA ticket to update the documentation.
    • [ ] Any new interfaces or exported functions are appropriately commented.
  • [x] I have read the CONTRIBUTORS document.
  • [x] The change has been fully tested:
    • [ ] I have added tests to cover my changes.
    • [x] All new and existing tests passed.
    • [x] I have checked that this change does not introduce memory leaks.
    • [x] I have used Valgrind or similar tools to check for potential issues.
  • [x] I have given due consideration to all of the following potential concerns:
    • [x] Scalability
    • [x] Performance
    • [x] Security
    • [x] Thread-safety
    • [x] Cloud-compatibility
    • [x] Premature optimization
    • [x] Existing deployed queries will not be broken
    • [x] This change fixes the problem, not just the symptom
    • [x] The target branch of this pull request is appropriate for such a change.
  • [x] There are no similar instances of the same problem that should be addressed
    • [ ] I have addressed them here
    • [ ] I have raised JIRA issues to address them separately
  • [ ] This is a user interface / front-end modification
    • [ ] I have tested my changes in multiple modern browsers
    • [ ] The component(s) render as expected

Smoketest:

  • [ ] Send notifications about my Pull Request position in Smoketest queue.
  • [ ] Test my draft Pull Request.

Testing:

Tested on a locally-running deployment.

asselitx avatar Feb 18 '25 20:02 asselitx
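As an added example (not code from the PR or from HPCC-Platform, whose ESP server is C++), the following Python models the policy the description above sets out: build the header value from the request's Host header with the port replaced by a wildcard, then apply the browser's source-matching rules to decide whether a given frame URL is permitted. The directive name `frame-src`, the function names and the host and port values are assumptions chosen for illustration, not taken from the project.

```python
"""Model of a frame-restricting Content-Security-Policy (example, not HPCC code).

build_frame_csp() produces the header value; frame_allowed() applies CSP
host-source matching so the effect of the wildcard port can be checked.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_frame_csp(host_header: str, scheme: str = "http") -> str:
    """Limit frame sources to the requesting host on any port.

    The port carried in the Host header is dropped and replaced with '*' so a
    sibling service on another port of the same host can still be framed.
    'frame-src' is an assumed directive name, not taken from the PR.
    """
    hostname = urlsplit("//" + host_header).hostname
    if not hostname:
        raise ValueError(f"unusable Host header: {host_header!r}")
    host = f"[{hostname}]" if ":" in hostname else hostname  # re-bracket IPv6
    return f"frame-src 'self' {scheme}://{host}:*"


def _effective_port(url):
    """Explicit port if present, else the scheme's default."""
    return url.port if url.port is not None else DEFAULT_PORTS.get(url.scheme)


def _directive_sources(csp: str, directive: str) -> list:
    """Return the source list of one directive from a serialized policy."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return tokens[1:]
    return []


def _host_source_matches(source: str, url) -> bool:
    """CSP host-source matching: exact host (no '*.' wildcard support here),
    scheme (an http source also permits https), and port, where ':*' accepts
    any port."""
    if "://" not in source:
        return False
    wildcard_port = source.endswith(":*")
    parsed = urlsplit(source[:-2] if wildcard_port else source)
    if not parsed.hostname or not url.hostname:
        return False
    scheme_ok = url.scheme == parsed.scheme or (
        parsed.scheme == "http" and url.scheme == "https")
    host_ok = url.hostname.lower() == parsed.hostname.lower()
    port_ok = wildcard_port or _effective_port(url) == _effective_port(parsed)
    return scheme_ok and host_ok and port_ok


def frame_allowed(csp: str, frame_url: str, page_url: str,
                  directive: str = "frame-src") -> bool:
    """Decide whether page_url may load frame_url under the given policy."""
    sources = _directive_sources(csp, directive)
    if not sources:
        # No directive present: a browser would fall back to child-src or
        # default-src; this model simply treats it as unrestricted.
        return True
    url, page = urlsplit(frame_url), urlsplit(page_url)
    for source in sources:
        if source == "'none'":
            return False
        if source == "'self'":
            if (url.scheme, (url.hostname or "").lower(), _effective_port(url)) == \
               (page.scheme, (page.hostname or "").lower(), _effective_port(page)):
                return True
        elif _host_source_matches(source, url):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values: host, ports and paths are illustrative only.
    policy = build_frame_csp("eclwatch.example:8010")
    page = "http://eclwatch.example:8010/legacy/page.html"
    print(policy)
    print("same host, other port:",
          frame_allowed(policy, "http://eclwatch.example:8002/ws_ecl/", page))
    print("foreign host:        ",
          frame_allowed(policy, "http://attacker.example/", page))
```

Running the script prints the generated header value and shows that a frame from the same host on another port passes while a frame from any other host, including a host whose name merely begins with the expected one, is rejected.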

Jira Issue: https://hpccsystems.atlassian.net//browse/HPCC-32679

Jirabot Action Result: Workflow Transition To: Merge Pending Updated PR

github-actions[bot] avatar Feb 18 '25 20:02 github-actions[bot]

@ghalliday - as this is a security fix, should it target 9.2.x?

GordonSmith avatar Mar 13 '25 14:03 GordonSmith

@asselitx please rebase the branch onto 9.2.x

ghalliday avatar Apr 03 '25 09:04 ghalliday

Jirabot Action Result: Added fix version: 9.2.172 Added fix version: 9.4.146 Added fix version: 9.6.98 Added fix version: 9.8.74 Added fix version: 9.10.20 Workflow Transition: 'Resolve issue'

github-actions[bot] avatar Apr 09 '25 15:04 github-actions[bot]