Updated based on scan results

This commit is contained in:
alexjanousekGSA
2025-07-31 11:39:58 -04:00
parent 6a3d9c40b4
commit 55340dbc4b
3 changed files with 41 additions and 7 deletions

View File

@@ -18,7 +18,7 @@ def test_owasp_useful_headers_set(
assert search(r"frame-ancestors 'none';", csp)
assert search(r"form-action 'self';", csp)
assert search(
r"script-src 'self' static\.example\.com 'unsafe-eval' https:\/\/js-agent\.new"
r"script-src 'self' static\.example\.com https:\/\/js-agent\.new"
r"relic\.com https:\/\/gov-bam\.nr-data\.net https:\/\/www\.googletagmanager\."
r"com https:\/\/www\.google-analytics\.com https:\/\/dap\.digitalgov\.gov "
r"https:\/\/cdn\.socket\.io",
@@ -50,3 +50,6 @@ def test_owasp_useful_headers_set(
), f"Missing sources in connect-src: {expected_sources - actual_sources}"
assert search(r"style-src 'self' static\.example\.com 'nonce-.*';", csp)
assert search(r"img-src 'self' static\.example\.com", csp)
# Test for Cross-Origin-Embedder-Policy header
assert response.headers["Cross-Origin-Embedder-Policy"] == "credentialless"

View File

@@ -0,0 +1,34 @@
"""Simple tests to verify ZAP security fixes"""
import pytest
def test_csp_no_unsafe_eval(client_request, mocker, mock_get_service_and_organization_counts):
"""Check that unsafe-eval was removed from CSP"""
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
response = client_request.get_response('.index')
csp = response.headers.get('Content-Security-Policy', '')
assert "'unsafe-eval'" not in csp
def test_no_duplicate_form_action(client_request, mocker, mock_get_service_and_organization_counts):
"""Check that form-action only appears once in CSP"""
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
response = client_request.get_response('.index')
csp = response.headers.get('Content-Security-Policy', '')
# Count how many times form-action appears
count = csp.count('form-action')
assert count == 1
def test_cross_origin_embedder_policy_exists(client_request, mocker, mock_get_service_and_organization_counts):
"""Check that Cross-Origin-Embedder-Policy header is present"""
mocker.patch("app.notify_client.user_api_client.UserApiClient.deactivate_user")
client_request.logout()
response = client_request.get_response('.index')
assert 'Cross-Origin-Embedder-Policy' in response.headers
assert response.headers['Cross-Origin-Embedder-Policy'] == 'credentialless'