diff --git a/.github/workflows/daily_checks.yml b/.github/workflows/daily_checks.yml
index 3cd153f96..edd1f7369 100644
--- a/.github/workflows/daily_checks.yml
+++ b/.github/workflows/daily_checks.yml
@@ -91,4 +91,4 @@ jobs:
 fail_action: true
 allow_issue_writing: false
 rules_file_name: 'zap.conf'
- cmd_options: '-I -d'
+ cmd_options: '-I'
diff --git a/app/__init__.py b/app/__init__.py
index add218e5d..f7427f9f1 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -286,6 +286,13 @@ def init_app(app):
 @app.after_request
 def after_request(response):
 response.headers.add("X-Content-Type-Options", "nosniff")
+
+ # Some dynamic scan findings
+ response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
+ response.headers.add("Cross-Origin-Embedder-Policy", "require-corp")
+ response.headers.add("Cross-Origin-Resource-Policy", "same-origin")
+ response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
+
 return response
 
 @app.errorhandler(Exception)
diff --git a/app/celery/nightly_tasks.py b/app/celery/nightly_tasks.py
index f51b0ec9a..01bdbbd67 100644
--- a/app/celery/nightly_tasks.py
+++ b/app/celery/nightly_tasks.py
@@ -52,7 +52,8 @@ def cleanup_unfinished_jobs():
 # The query already checks that the processing_finished time is null, so here we are saying
 # if it started more than 4 hours ago, that's too long
 try:
- acceptable_finish_time = job.processing_started + timedelta(minutes=5)
+ if job.processing_started is not None:
+ acceptable_finish_time = job.processing_started + timedelta(minutes=5)
 except TypeError:
 current_app.logger.exception(
 f"Job ID {job.id} processing_started is {job.processing_started}.",
diff --git a/app/commands.py b/app/commands.py
index bbcdd2cd9..b865a5363 100644
--- a/app/commands.py
+++ b/app/commands.py
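Review bot: `Cross-Origin-Opener-Policy` is added twice in the new block of after_request, and `response.headers.add` appends rather than replaces, so every response now carries a duplicate COOP header; drop the repeated `response.headers.add("Cross-Origin-Opener-Policy", "same-origin")` and prefer `response.headers.set(...)` for all of these so the hook stays idempotent when a view has already set one of them. `Cross-Origin-Embedder-Policy: require-corp` also makes any document served by this app refuse cross-origin subresources that lack CORP/CORS headers, which is presumably harmless for a JSON API but is a behaviour change worth stating. The comment `# Some dynamic scan findings` names the trigger rather than the intent; something like `# COOP/COEP/CORP: isolate the browsing context and block cross-origin embedding (raised by the ZAP scan)` tells the next reader why the headers exist. after_request is nested inside init_app, which continues outside the hunk.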
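Review bot: With the new `if job.processing_started is not None:` guard inside the try in cleanup_unfinished_jobs, a job with no start time never assigns `acceptable_finish_time`, and the `except TypeError` branch below can no longer fire for that case, so whatever reads the variable after the try (outside the hunk) will either raise UnboundLocalError or, if this sits inside a per-job loop as the `job.` references suggest, silently reuse the previous job's deadline. Make the skip explicit instead: `if job.processing_started is None:` followed by a `current_app.logger.warning(...)` and a `continue` (or `return`, whichever matches the enclosing control flow), then keep the unguarded `acceptable_finish_time = job.processing_started + timedelta(minutes=5)`. The context comment just above says "more than 4 hours" while the code uses `timedelta(minutes=5)`; one of the two should be corrected so the intended threshold is unambiguous. The function continues outside the hunk.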
@@ -846,6 +846,19 @@ def create_new_service(name, message_limit, restricted, email_from, created_by_i
 db.session.rollback()
 
 
+@notify_command(name="get-service-sender-phones")
+@click.option("-s", "--service_id", required=True, prompt=True)
+def get_service_sender_phones(service_id):
+ sender_phone_numbers = """
+ select sms_sender, is_default
+ from service_sms_senders
+ where service_id = :service_id
+ """
+ rows = db.session.execute(text(sender_phone_numbers), {"service_id": service_id})
+ for row in rows:
+ print(row)
+
+
 @notify_command(name="promote-user-to-platform-admin")
 @click.option("-u", "--user-email-address", required=True, prompt=True)
 def promote_user_to_platform_admin(user_email_address):
diff --git a/app/dao/notifications_dao.py b/app/dao/notifications_dao.py
index ab34d134e..1ed1f8411 100644
--- a/app/dao/notifications_dao.py
+++ b/app/dao/notifications_dao.py
@@ -270,7 +270,6 @@ def get_notifications_for_job(
 def get_recent_notifications_for_job(
 service_id, job_id, filter_dict=None, page=1, page_size=None
 ):
- print(f"FILTER_DICT AT DAO LEVEL {filter_dict}")
 if page_size is None:
 page_size = current_app.config["PAGE_SIZE"]
 
@@ -281,7 +280,6 @@ def get_recent_notifications_for_job(
 stmt = _filter_query(stmt, filter_dict)
 stmt = stmt.order_by(desc(Notification.job_row_number))
 
- print(f"STMT {stmt}")
 results = db.session.execute(stmt).scalars().all()
 
 page_size = current_app.config["PAGE_SIZE"]
diff --git a/app/job/rest.py b/app/job/rest.py
index 7506b4030..21ff38958 100644
--- a/app/job/rest.py
+++ b/app/job/rest.py
@@ -128,7 +128,6 @@ def get_all_notifications_for_service_job(service_id, job_id):
 @job_blueprint.route("//recent_notifications", methods=["GET"])
 def get_recent_notifications_for_service_job(service_id, job_id):
 data = notifications_filter_schema.load(request.args)
- print(f"DATA COMING IN AT REST LEVEL IS {data}")
 page = data["page"] if "page" in data else 1
 page_size = (
 data["page_size"]
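Review bot: get_service_sender_phones has no docstring, so the command's `--help` says nothing about what it prints, and it dumps raw SQLAlchemy `Row` objects rather than the two columns it selects; add `"""Print each SMS sender number and its is_default flag configured for SERVICE_ID."""` under the def and print the fields explicitly, e.g. `print(row.sms_sender, row.is_default)`. The query is correctly bound through `:service_id`, but an unknown or malformed id yields either empty output or a database cast error with no message; if service ids are UUIDs, as they presumably are elsewhere in this codebase, `type=click.UUID` on the option would reject bad input up front. `text` must already be imported from sqlalchemy at the top of commands.py, which is outside the hunk.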
diff --git a/application.py b/application.py
index 25885fc16..0b1256667 100644
--- a/application.py
+++ b/application.py
@@ -2,9 +2,12 @@
 from __future__ import print_function
 
 from flask import Flask
+from werkzeug.serving import WSGIRequestHandler
 
 from app import create_app
 
+WSGIRequestHandler.version_string = lambda self: "SecureServer"
+
 application = Flask("app")
 create_app(application)
 
diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index 48776e69a..d5375065f 100644
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -76,6 +76,11 @@ class ResponseHeaderMiddleware(object):
 if SPAN_ID_HEADER.lower() not in lower_existing_header_names:
 headers.append((SPAN_ID_HEADER, str(req.span_id)))
 
+ headers = [
+ (key, value)
+ for key, value in headers
+ if key.lower() not in ["server", "last-modified"]
+ ]
 return start_response(status, headers, exc_info)
 
 return self._app(environ, rewrite_response_headers)
diff --git a/zap.conf b/zap.conf
index f4e88ff07..255e0dde8 100644
--- a/zap.conf
+++ b/zap.conf
@@ -50,7 +50,7 @@
 10061 WARN (X-AspNet-Version Response Header - Passive/release)
 10062 FAIL (PII Disclosure - Passive/beta)
 10095 IGNORE (Backup File Disclosure - Active/beta)
-10096 WARN (Timestamp Disclosure - Passive/release)
+10096 IGNORE (Timestamp Disclosure - Passive/release)
 10097 WARN (Hash Disclosure - Passive/beta)
 10098 WARN (Cross-Domain Misconfiguration - Passive/release)
 10104 WARN (User Agent Fuzzer - Active/beta)
@@ -119,3 +119,4 @@
 90030 WARN (WSDL File Detection - Passive/alpha)
 90033 WARN (Loosely Scoped Cookie - Passive/release)
 90034 WARN (Cloud Metadata Potentially Exposed - Active/beta)
+100001 IGNORE (Unexpected Content-Type was returned)
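Review bot: The `WSGIRequestHandler.version_string` patch only changes the `Server` header emitted by Werkzeug's built-in development server; under a production WSGI server (gunicorn, uwsgi or similar) that header is written by the server itself and this line has no effect, so it should not be counted as production hardening. The replacement value `"SecureServer"` is itself a fingerprint once it is seen in the wild; returning `""` or configuring the real server to omit the header is the more usual choice. Whichever is kept, state the scope in a comment, e.g. `# Dev server only: hides "Werkzeug/x.y Python/z" from the Server header; production servers emit their own`.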
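Review bot: The new filter in rewrite_response_headers drops `Last-Modified` from every response, which silently disables conditional GET / 304 handling for anything this app serves with that header (static files, cached responses), and the reason that trade-off is acceptable belongs next to the code rather than only in the scan config. Removing `server` here only strips a Server header set by the application or an inner middleware; a header added by the HTTP server after the WSGI app returns never passes through this list comprehension, so it is presumably still sent in production. Hoist the names into a module-level `_STRIPPED_RESPONSE_HEADERS = frozenset({"server", "last-modified"})` with a comment covering both points, and test `key.lower() not in _STRIPPED_RESPONSE_HEADERS` instead of the inline list. The enclosing class ResponseHeaderMiddleware starts before the hunk.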
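Review bot: Flipping 10096 (Timestamp Disclosure) from WARN to IGNORE silences the rule for every future response, not just the Last-Modified finding this commit appears to address, so a later regression (timestamps leaking in error bodies or cache keys) will go unreported. If the rule must be muted, record the reason on the preceding line, e.g. `# 10096 ignored: Last-Modified is stripped by ResponseHeaderMiddleware; re-enable if that changes`, assuming the rules file accepts `#` comment lines as the zap scan action's format does; otherwise keep it at WARN, which presumably reports without failing the run. The same rationale comment is missing for the new 100001 IGNORE entry in the following hunk.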