Merge pull request #1550 from GSA/notify-api-1548

try to fix dynamic scan warnings

app/__init__.py

@@ -286,6 +286,13 @@ def init_app(app):
     @app.after_request
     def after_request(response):
         response.headers.add("X-Content-Type-Options", "nosniff")
+
+        # Some dynamic scan findings
+        response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
+        response.headers.add("Cross-Origin-Embedder-Policy", "require-corp")
+        response.headers.add("Cross-Origin-Resource-Policy", "same-origin")
+        response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
+
         return response
 
     @app.errorhandler(Exception)

app/celery/nightly_tasks.py

@@ -52,7 +52,8 @@ def cleanup_unfinished_jobs():
         # The query already checks that the processing_finished time is null, so here we are saying
         # if it started more than 4 hours ago, that's too long
         try:
-            acceptable_finish_time = job.processing_started + timedelta(minutes=5)
+            if job.processing_started is not None:
+                acceptable_finish_time = job.processing_started + timedelta(minutes=5)
         except TypeError:
             current_app.logger.exception(
                 f"Job ID {job.id} processing_started is {job.processing_started}.",

app/service/rest.py

@@ -694,7 +694,12 @@ def get_single_month_notification_stats_by_user(service_id, user_id):
         service_id, start_date, end_date, user_id
     )
 
-    stats = get_specific_days_stats(results, start_date, end_date=end_date, total_notifications=total_notifications,)
+    stats = get_specific_days_stats(
+        results,
+        start_date,
+        end_date=end_date,
+        total_notifications=total_notifications,
+    )
     return jsonify(stats)
 
 

application.py

@@ -2,9 +2,12 @@
 from __future__ import print_function
 
 from flask import Flask
+from werkzeug.serving import WSGIRequestHandler
 
 from app import create_app
 
+WSGIRequestHandler.version_string = lambda self: "SecureServer"
+
 application = Flask("app")
 
 create_app(application)

notifications_utils/request_helper.py

@@ -76,6 +76,11 @@ class ResponseHeaderMiddleware(object):
                 if SPAN_ID_HEADER.lower() not in lower_existing_header_names:
                     headers.append((SPAN_ID_HEADER, str(req.span_id)))
 
+                headers = [
+                    (key, value)
+                    for key, value in headers
+                    if key.lower() not in ["server", "last-modified"]
+                ]
                 return start_response(status, headers, exc_info)
 
             return self._app(environ, rewrite_response_headers)

zap.conf

@@ -50,7 +50,7 @@
 10061	WARN	(X-AspNet-Version Response Header - Passive/release)
 10062	FAIL	(PII Disclosure - Passive/beta)
 10095	IGNORE	(Backup File Disclosure - Active/beta)
-10096	WARN	(Timestamp Disclosure - Passive/release)
+10096	IGNORE	(Timestamp Disclosure - Passive/release)
 10097	WARN	(Hash Disclosure - Passive/beta)
 10098	WARN	(Cross-Domain Misconfiguration - Passive/release)
 10104	WARN	(User Agent Fuzzer - Active/beta)
@@ -119,3 +119,4 @@
 90030	WARN	(WSDL File Detection - Passive/alpha)
 90033	WARN	(Loosely Scoped Cookie - Passive/release)
 90034	WARN	(Cloud Metadata Potentially Exposed - Active/beta)
+100001	IGNORE	(Unexpected Content-Type was returned)