From 798cfbca0a5f5500cef97a57c80249bfb3c695de Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Wed, 29 Jan 2025 12:15:12 -0800 Subject: [PATCH 01/19] make command to see sms sender phones
---
 app/commands.py | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/app/commands.py b/app/commands.py
index bbcdd2cd9..b865a5363 100644
--- a/app/commands.py
+++ b/app/commands.py
@@ -846,6 +846,19 @@ def create_new_service(name, message_limit, restricted, email_from, created_by_i
         db.session.rollback()
 
 
+@notify_command(name="get-service-sender-phones")
+@click.option("-s", "--service_id", required=True, prompt=True)
+def get_service_sender_phones(service_id):
+    sender_phone_numbers = """
+    select sms_sender, is_default
+    from service_sms_senders
+    where service_id = :service_id
+    """
+    rows = db.session.execute(text(sender_phone_numbers), {"service_id": service_id})
+    for row in rows:
+        print(row)
+
+
 @notify_command(name="promote-user-to-platform-admin")
 @click.option("-u", "--user-email-address", required=True, prompt=True)
 def promote_user_to_platform_admin(user_email_address):
From ec02da930b47f931c137127288de6bceda9907df Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 07:56:30 -0800 Subject: [PATCH 02/19] try to fix dynamic scan warnings
---
 app/__init__.py | 5 +++++ app/service/rest.py | 7 ++++++- 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/app/__init__.py b/app/__init__.py
index add218e5d..2c123f71b 100644
--- a/app/__init__.py
+++ b/app/__init__.py
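Review bot: `get_service_sender_phones` accepts any string for `--service_id` and has no docstring, so an operator who types a non-UUID will presumably get a raw database error rather than a clear rejection. The query itself is parameterized through `text(...)` with a bound `:service_id`, which keeps the input out of the SQL string and is the right shape. I would tighten the option to `@click.option("-s", "--service_id", required=True, prompt=True, type=click.UUID)` (assuming `service_id` is a UUID column — confirm against the model) and add `"""Print the SMS sender phone numbers and default flag configured for a service."""` under the `def` line. The rows go to stdout, which on this platform is presumably captured in logs; acceptable for sender numbers, but worth a one-line comment saying so.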
@@ -286,6 +286,11 @@ def init_app(app):
     @app.after_request
     def after_request(response):
         response.headers.add("X-Content-Type-Options", "nosniff")
+        response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
+        response.headers.add("Cross-Origin-Embedder-Policy", "require-corp")
+        response.headers.add("Cross-Origin-Resource-Policy", "same-origin")
+        response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
+
         return response
 
     @app.errorhandler(Exception)
diff --git a/app/service/rest.py b/app/service/rest.py
index 657555348..98cb0e963 100644
--- a/app/service/rest.py
+++ b/app/service/rest.py
@@ -694,7 +694,12 @@ def get_single_month_notification_stats_by_user(service_id, user_id):
         service_id, start_date, end_date, user_id
     )
 
-    stats = get_specific_days_stats(results, start_date, end_date=end_date, total_notifications=total_notifications,)
+    stats = get_specific_days_stats(
+        results,
+        start_date,
+        end_date=end_date,
+        total_notifications=total_notifications,
+    )
     return jsonify(stats)
 
From 8a70e728f2dd8b6b7a6a9c002f13606282440a80 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 08:08:47 -0800 Subject: [PATCH 03/19] try to fix dynamic scan warnings
---
 app/__init__.py | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/app/__init__.py b/app/__init__.py
index 2c123f71b..b9c768875 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -286,10 +286,13 @@ def init_app(app):
     @app.after_request
     def after_request(response):
         response.headers.add("X-Content-Type-Options", "nosniff")
+
+        # Some dynamic scan findings
         response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
         response.headers.add("Cross-Origin-Embedder-Policy", "require-corp")
         response.headers.add("Cross-Origin-Resource-Policy", "same-origin")
         response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
+        response.headers.pop("Server", None)
 
         return response
 
From 073c747786f16bd18e9a509eadd737764768bfa8 Mon Sep 17 00:00:00 2001
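Review bot: `Cross-Origin-Opener-Policy` is added twice in this hunk, and `response.headers.add` appends rather than replaces, so every response will carry two identical COOP headers; delete the second `response.headers.add("Cross-Origin-Opener-Policy", "same-origin")`. `Cross-Origin-Embedder-Policy: require-corp` and `Cross-Origin-Resource-Policy: same-origin` only matter when a browser consumes the response; they are harmless for server-to-server API calls, but if any browser front-end on another origin fetches these responses directly, CORP `same-origin` will block those reads. A short comment such as `# Cross-origin isolation headers for dynamic-scan findings; API responses are not loaded by browsers cross-origin` would record the assumption so it can be checked.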
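Review bot: `response.headers.pop("Server", None)` in a Flask `after_request` hook cannot remove the `Server` header the scanner flagged, because that header is written by the WSGI server (gunicorn or werkzeug) when it serializes the response, after Flask's response object is finished — at this point the Flask headers do not contain it, so the pop is a no-op. The Server banner has to be handled at the server layer, which is where the rest of this series ends up. The comment `# Some dynamic scan findings` should also name the rule ids so each header can be traced back to a finding, e.g. `# ZAP 10036: Server header banner` for the pop (that id appears later in this series) and the ids from the scan report for the cross-origin headers.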
From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 08:23:44 -0800 Subject: [PATCH 04/19] try to fix dynamic scan warnings
---
 gunicorn_config.py | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/gunicorn_config.py b/gunicorn_config.py
index e71cbe944..4bd41ab46 100644
--- a/gunicorn_config.py
+++ b/gunicorn_config.py
@@ -32,6 +32,11 @@ def worker_int(worker):
     worker.log.info("worker: received SIGINT {}".format(worker.pid))
 
 
+def post_request(worker, req, environ, resp):
+    if "Server" in resp.headers:
+        resp.headers.pop("Server")
+
+
 def fix_ssl_monkeypatching():
     """
     eventlet works by monkey-patching core IO libraries (such as ssl) to be non-blocking. However, there's currently
From 53c71213c49a49fed57714a47ca158738dcdbf2d Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 08:47:25 -0800 Subject: [PATCH 05/19] revert to last good
---
 .github/workflows/checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 2d7311e1d..961fe46dc 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -144,4 +144,4 @@ jobs:
           fail_action: true
           allow_issue_writing: false
           rules_file_name: 'zap.conf'
-          cmd_options: '-I'
+          cmd_options: '-I -d'
From d935e4a6f7d598f8f11d6de72b165893a770f425 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 08:55:38 -0800 Subject: [PATCH 06/19] revert to last good
---
 .github/workflows/checks.yml | 2 +- notifications_utils/request_helper.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 961fe46dc..2d7311e1d 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -144,4 +144,4 @@ jobs:
           fail_action: true
           allow_issue_writing: false
           rules_file_name: 'zap.conf'
-          cmd_options: '-I -d'
+          cmd_options: '-I'
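Review bot: The `post_request` hook cannot strip the Server header: in gunicorn `resp.headers` is a list of `(name, value)` tuples, so `"Server" in resp.headers` is always false, and had it matched `resp.headers.pop("Server")` would raise `TypeError` because `list.pop` takes an index. `post_request` also runs after the response has already been written to the socket, so even a correct header edit there would be too late. As far as I recall gunicorn derives its banner from `gunicorn.SERVER_SOFTWARE`/`SERVER`, which this config already overrides at module level (visible as context in later hunks), so this hook should be removed rather than repaired; if it is kept as a diagnostic, mark it `# diagnostic only, remove before merge`.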
diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index 48776e69a..775101078 100644
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -76,6 +76,7 @@ class ResponseHeaderMiddleware(object):
             if SPAN_ID_HEADER.lower() not in lower_existing_header_names:
                 headers.append((SPAN_ID_HEADER, str(req.span_id)))
 
+            print(headers)
             return start_response(status, headers, exc_info)
 
         return self._app(environ, rewrite_response_headers)
From 9933db8e05385e874333d217ac71f315f49a5700 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 09:18:08 -0800 Subject: [PATCH 07/19] revert to last good
---
 notifications_utils/request_helper.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index 775101078..bbebbaca2 100644
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -76,7 +76,11 @@ class ResponseHeaderMiddleware(object):
             if SPAN_ID_HEADER.lower() not in lower_existing_header_names:
                 headers.append((SPAN_ID_HEADER, str(req.span_id)))
 
-            print(headers)
+            headers = [
+                (key, value) for key, value in headers if key.lower() != "server"
+            ]
+            headers.append(("Server", "SecureServer"))
+
             return start_response(status, headers, exc_info)
 
         return self._app(environ, rewrite_response_headers)
From 0226c072f43c7b92f272f83553c47576e361eda0 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 09:38:50 -0800 Subject: [PATCH 08/19] revert to last good
---
 gunicorn_config.py | 18 +++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/gunicorn_config.py b/gunicorn_config.py
index 4bd41ab46..095b10e70 100644
--- a/gunicorn_config.py
+++ b/gunicorn_config.py
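Review bot: `print(headers)` in `rewrite_response_headers` dumps every response's full header list to stdout on every request; that can include `Set-Cookie` and similar values and, on a platform that ships stdout to a log aggregator, leaks them into logs. If it is a temporary diagnostic, mark it `# TEMP: remove before merge`; otherwise use `current_app.logger.debug("response headers: %s", headers)` (an app context should be active here since the middleware wraps the Flask app, but confirm) so it is level-gated. The enclosing `__call__` starts outside this hunk.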
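Review bot: Appending `("Server", "SecureServer")` in the middleware does not control the banner gunicorn writes: as far as I can tell gunicorn emits its own `Server:` line from its default headers regardless of the app's header list, so under gunicorn this yields two Server headers, one of them still the real one (werkzeug's dev server, by contrast, only adds its own when the app supplied none). A decoy banner is also a weak control; it does not change what fingerprinting sees in error pages, TLS, or behaviour. Keep the filter that drops any app-supplied `Server`, delete `headers.append(("Server", "SecureServer"))`, and set the banner in the server configuration, with `# Server banner is controlled by the WSGI server config, not here` as the reason.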
@@ -32,9 +32,21 @@ def worker_int(worker):
     worker.log.info("worker: received SIGINT {}".format(worker.pid))
 
 
-def post_request(worker, req, environ, resp):
-    if "Server" in resp.headers:
-        resp.headers.pop("Server")
+# fix dynamic scan warning 10036
+def post_fork(server, worker):
+    server.cfg.set(
+        "secure_scheme_headers",
+        {
+            "X-FORWARDED-PROTO": "https",
+        },
+    )
+    original_send = worker.wsgi.send
+
+    def custom_send(self, resp, *args, **kwargs):
+        resp.headers.pop("Server", None)
+        return original_send(resp, *args, **kwargs)
+
+    worker.wsgi.send = custom_send.__get__(worker.wsgi, type(worker.wsgi))
 
 
 def fix_ssl_monkeypatching():
From 3d6f11232451e767bdddd9187bd33d372bcc4708 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 10:40:55 -0800 Subject: [PATCH 09/19] fix minor startup error
---
 app/celery/nightly_tasks.py | 3 ++- gunicorn_config.py | 29 ++++++++++++----------------- 2 files changed, 14 insertions(+), 18 deletions(-)
diff --git a/app/celery/nightly_tasks.py b/app/celery/nightly_tasks.py
index f51b0ec9a..01bdbbd67 100644
--- a/app/celery/nightly_tasks.py
+++ b/app/celery/nightly_tasks.py
@@ -52,7 +52,8 @@ def cleanup_unfinished_jobs():
         # The query already checks that the processing_finished time is null, so here we are saying
         # if it started more than 4 hours ago, that's too long
         try:
-            acceptable_finish_time = job.processing_started + timedelta(minutes=5)
+            if job.processing_started is not None:
+                acceptable_finish_time = job.processing_started + timedelta(minutes=5)
         except TypeError:
             current_app.logger.exception(
                 f"Job ID {job.id} processing_started is {job.processing_started}.",
diff --git a/gunicorn_config.py b/gunicorn_config.py
index 095b10e70..f7ca6160e 100644
--- a/gunicorn_config.py
+++ b/gunicorn_config.py
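Review bot: `worker.wsgi` in a gunicorn `post_fork` hook is the loaded WSGI application (the Flask app), not gunicorn's response writer, so `worker.wsgi.send` most likely raises `AttributeError` at worker start — consistent with the next commit, titled "fix minor startup error", removing this block. Separately, `server.cfg.set("secure_scheme_headers", {"X-FORWARDED-PROTO": "https"})` is unrelated to the Server banner that `# fix dynamic scan warning 10036` refers to; it changes which request header gunicorn accepts as proof that a request arrived over HTTPS, which is security-relevant and should be a deliberate, documented config line paired with an explicit `forwarded_allow_ips`, not a side effect of a hook. If the scheme setting is wanted, write it as module-level `secure_scheme_headers = {"X-FORWARDED-PROTO": "https"}` with `# honoured only from forwarded_allow_ips peers` and drop the send monkeypatch.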
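Review bot: Wrapping the addition in `if job.processing_started is not None:` leaves `acceptable_finish_time` unassigned when the value is `None`, and because no `TypeError` is raised the `except` branch no longer logs anything — any later use of `acceptable_finish_time` in this function (its body continues past the hunk) will raise `UnboundLocalError` instead. Handle the `None` case explicitly: log and skip the job, e.g. `if job.processing_started is None:` / `current_app.logger.warning(f"Job ID {job.id} has no processing_started; skipping")` / `continue`, assuming this runs inside the per-job loop the surrounding comment implies, after which the `try/except TypeError` can go.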
@@ -16,6 +16,18 @@ gunicorn.SERVER_SOFTWARE = "None"
 
 def on_starting(server):
     server.log.info("Starting Notifications API")
+    from gunicorn.http.wsgi import Response
+
+    original_init = Response.__init__
+
+    def custom_init(self, *args, **kwargs):
+        original_init(self, *args, **kwargs)
+        self.headers = [
+            (key, value) for key, value in self.headers if key.lower() != "server"
+        ]
+        print(f"HEADERS {self.headers}")
+
+    Response.__init__ = custom_init
 
 
 def worker_abort(worker):
@@ -32,23 +44,6 @@ def worker_int(worker):
     worker.log.info("worker: received SIGINT {}".format(worker.pid))
 
 
-# fix dynamic scan warning 10036
-def post_fork(server, worker):
-    server.cfg.set(
-        "secure_scheme_headers",
-        {
-            "X-FORWARDED-PROTO": "https",
-        },
-    )
-    original_send = worker.wsgi.send
-
-    def custom_send(self, resp, *args, **kwargs):
-        resp.headers.pop("Server", None)
-        return original_send(resp, *args, **kwargs)
-
-    worker.wsgi.send = custom_send.__get__(worker.wsgi, type(worker.wsgi))
-
-
 def fix_ssl_monkeypatching():
     """
     eventlet works by monkey-patching core IO libraries (such as ssl) to be non-blocking. However, there's currently
From 973506acad5e52bf926c39140f1588148ee5070b Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 11:09:04 -0800 Subject: [PATCH 10/19] fix minor startup error
---
 notifications_utils/request_helper.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index bbebbaca2..ab1981cea 100644
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -1,6 +1,8 @@
 from flask import abort, current_app, request
 from flask.wrappers import Request
 
+from app.utils import hilite
+
 TRACE_ID_HEADER = "X-B3-TraceId"
 SPAN_ID_HEADER = "X-B3-SpanId"
 PARENT_SPAN_ID_HEADER = "X-B3-ParentSpanId"
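Review bot: Patching `Response.__init__` to filter `self.headers` cannot remove gunicorn's Server banner: at `__init__` time the header list is still empty (the app's headers arrive later via `start_response`), and as far as I can tell gunicorn writes `Server:` from `default_headers()` when it serializes the response, not from `self.headers`, so the comprehension finds nothing to drop. `print(f"HEADERS {self.headers}")` then runs for every response in every worker and goes straight to stdout. The `gunicorn.SERVER_SOFTWARE = "None"` assignment already at the top of this file (visible in the hunk header) is the relevant knob for the banner — check it against the installed gunicorn's `default_headers` — so this monkeypatch should be dropped rather than extended, with `# Server banner: see SERVER_SOFTWARE above` if a pointer is wanted.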
@@ -80,7 +82,7 @@ class ResponseHeaderMiddleware(object):
                 (key, value) for key, value in headers if key.lower() != "server"
             ]
             headers.append(("Server", "SecureServer"))
-
+            print(hilite(f"HEADERS {headers}"))
             return start_response(status, headers, exc_info)
 
         return self._app(environ, rewrite_response_headers)
From 7743bc40c8cf7c80ada4f7ede098c62441905047 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 11:40:19 -0800 Subject: [PATCH 11/19] fix minor startup error
---
 notifications_utils/request_helper.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index ab1981cea..5c598c745 100644
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -1,8 +1,6 @@
 from flask import abort, current_app, request
 from flask.wrappers import Request
 
-from app.utils import hilite
-
 TRACE_ID_HEADER = "X-B3-TraceId"
 SPAN_ID_HEADER = "X-B3-SpanId"
 PARENT_SPAN_ID_HEADER = "X-B3-ParentSpanId"
@@ -79,10 +77,11 @@ class ResponseHeaderMiddleware(object):
                 headers.append((SPAN_ID_HEADER, str(req.span_id)))
 
             headers = [
-                (key, value) for key, value in headers if key.lower() != "server"
+                (key, value)
+                for key, value in headers
+                if key.lower() not in ["server", "last-modified"]
             ]
             headers.append(("Server", "SecureServer"))
-            print(hilite(f"HEADERS {headers}"))
             return start_response(status, headers, exc_info)
 
         return self._app(environ, rewrite_response_headers)
From 0de1dd1fd572bcef1bd90fe170e4333b09ee1295 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 11:50:32 -0800 Subject: [PATCH 12/19] fix minor startup error
---
 notifications_utils/request_helper.py | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index 5c598c745..8aaf8c260 100644
--- a/notifications_utils/request_helper.py
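Review bot: `print(hilite(f"HEADERS {headers}"))` writes every response's complete header list to stdout on every request, and `hilite` is imported from `app.utils`, so the shared `notifications_utils` package now depends on the application that imports it — an import cycle in waiting. Dumped headers may include `Set-Cookie` and similar values, so even as a diagnostic this belongs behind `current_app.logger.debug(...)` with a `# TEMP` marker, not an unconditional print. Remove the print and the `from app.utils import hilite` edge together.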
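Review bot: Stripping `Last-Modified` from every response (`if key.lower() not in ["server", "last-modified"]`) disables conditional requests (`If-Modified-Since` → 304) for anything this app serves with that header, a functional cost paid to silence a passive scanner rule about timestamp disclosure; a `Last-Modified` value is rarely sensitive on its own. If the scanner is the only consumer that cares, suppress the rule in `zap.conf` and keep the header — this series later sets `10096` to `IGNORE`, at which point this filter is redundant. At minimum record the trade-off: `# Last-Modified dropped for ZAP 10096 (timestamp disclosure); revisit if conditional GETs are needed`.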
+++ b/notifications_utils/request_helper.py
@@ -81,6 +81,16 @@ class ResponseHeaderMiddleware(object):
                 for key, value in headers
                 if key.lower() not in ["server", "last-modified"]
             ]
+            headers = [
+                (key, value)
+                for key, value in headers
+                if "werkzeug" not in value.lower()
+            ]
+
+            for key, value in headers:
+                if key.lower() == "content-type" and "text/yaml" in value.lower():
+                    headers.pop("Content-Type")
+                    headers.append("Content-Type", "application/yaml")
             headers.append(("Server", "SecureServer"))
             return start_response(status, headers, exc_info)
 
From d61f96d91616527f45e752b8578362603a3ae60b Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 12:06:21 -0800 Subject: [PATCH 13/19] fix content-type conditionally
---
 notifications_utils/request_helper.py | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index 8aaf8c260..b0f34471e 100644
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -81,17 +81,21 @@ class ResponseHeaderMiddleware(object):
                 for key, value in headers
                 if key.lower() not in ["server", "last-modified"]
             ]
+            found_a_text_yaml = False
+            old_headers_len = len(headers)
             headers = [
                 (key, value)
                 for key, value in headers
-                if "werkzeug" not in value.lower()
+                if "text/yaml" not in value.lower()
             ]
+            new_headers_len = len(headers)
+            if new_headers_len < old_headers_len:
+                found_a_text_yaml = True
 
-            for key, value in headers:
-                if key.lower() == "content-type" and "text/yaml" in value.lower():
-                    headers.pop("Content-Type")
-                    headers.append("Content-Type", "application/yaml")
-            headers.append(("Server", "SecureServer"))
+            if found_a_text_yaml:
+                headers.append(("Content-Type", "application/yaml"))
+
+            print(headers)
             return start_response(status, headers, exc_info)
 
         return self._app(environ, rewrite_response_headers)
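Review bot: The Content-Type rewrite loop cannot run: `headers` is a list of tuples, so `headers.pop("Content-Type")` raises `TypeError` (`list.pop` takes an index), `headers.append("Content-Type", "application/yaml")` raises `TypeError` (`append` takes one argument), and the loop mutates the list it iterates. The preceding comprehension also filters by value rather than by name — `"werkzeug" not in value.lower()` drops any header whose value happens to contain that text, not just a Server banner, which the earlier `key.lower() != "server"` filter already handles by name. Replace the loop with a name-keyed rewrite, e.g. `headers = [(k, "application/yaml" if k.lower() == "content-type" and "text/yaml" in v.lower() else v) for k, v in headers]`, and drop the value-based filter.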
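Review bot: The new filter keys on the value, not the name: `"text/yaml" not in value.lower()` drops a `Content-Type: text/yaml; charset=utf-8` and re-adds a bare `Content-Type: application/yaml` with the charset parameter lost, and it would silently remove any other header whose value contains that substring. The `found_a_text_yaml`/`old_headers_len`/`new_headers_len` bookkeeping collapses to one comprehension keyed on `key.lower() == "content-type"` that rewrites the value in place and keeps its parameters. `print(headers)` is again an unconditional per-response stdout dump. If one endpoint emits `text/yaml`, fix it there (e.g. `mimetype="application/yaml"` on that response) rather than in a global middleware that rewrites every response.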
From e65a9d87d400257d440184aa380887254c06692e Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 12:28:40 -0800 Subject: [PATCH 14/19] ugh
---
 gunicorn_config.py | 30 ++++++++++++++++----------- notifications_utils/request_helper.py | 2 +- 2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/gunicorn_config.py b/gunicorn_config.py
index f7ca6160e..5ed520afb 100644
--- a/gunicorn_config.py
+++ b/gunicorn_config.py
@@ -16,18 +16,6 @@ gunicorn.SERVER_SOFTWARE = "None"
 
 def on_starting(server):
     server.log.info("Starting Notifications API")
-    from gunicorn.http.wsgi import Response
-
-    original_init = Response.__init__
-
-    def custom_init(self, *args, **kwargs):
-        original_init(self, *args, **kwargs)
-        self.headers = [
-            (key, value) for key, value in self.headers if key.lower() != "server"
-        ]
-        print(f"HEADERS {self.headers}")
-
-    Response.__init__ = custom_init
 
 
 def worker_abort(worker):
@@ -44,6 +32,24 @@ def worker_int(worker):
     worker.log.info("worker: received SIGINT {}".format(worker.pid))
 
 
+# fix dynamic scan warning 10036
+def post_fork(server, worker):
+    server.cfg.set(
+        "secure_scheme_headers",
+        {
+            "X-FORWARDED-PROTO": "https",
+        },
+    )
+    original_send = worker.wsgi.send
+
+    def custom_send(self, resp, *args, **kwargs):
+        resp.headers.pop("Server", None)
+        print(f"HEADERS!!!!!!!! {resp.headers}")
+        return original_send(resp, *args, **kwargs)
+
+    worker.wsgi.send = custom_send.__get__(worker.wsgi, type(worker.wsgi))
+
+
 def fix_ssl_monkeypatching():
     """
     eventlet works by monkey-patching core IO libraries (such as ssl) to be non-blocking. However, there's currently
diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index b0f34471e..3e89255f4 100644
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
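Review bot: The re-added `post_fork` hook still monkeypatches `worker.wsgi.send`, where `worker.wsgi` is the loaded application object rather than gunicorn's response writer, and now also prints `HEADERS!!!!!!!! ...` for every response; this is the same code the previous "fix minor startup error" commit removed, so it is likely to fail at worker start again. The `secure_scheme_headers` override is unrelated to the `10036` banner finding named in the comment and changes which request header gunicorn treats as proof of HTTPS — a security-relevant setting that needs its own documented config line and a matching `forwarded_allow_ips`. Drop the hook; if scheme detection needs tuning, set `secure_scheme_headers` as plain module-level config with `# trusted only from forwarded_allow_ips proxies`.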
@@ -93,7 +93,7 @@ class ResponseHeaderMiddleware(object):
                 found_a_text_yaml = True
 
             if found_a_text_yaml:
-                headers.append(("Content-Type", "application/yaml"))
+                headers.append(("Content-Type", "text/plain"))
 
             print(headers)
             return start_response(status, headers, exc_info)
From fa0d308efff811417637a4ef5dc49b691d269863 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Mon, 3 Feb 2025 14:38:43 -0800 Subject: [PATCH 15/19] fix werkzeug server header
---
 app/__init__.py | 1 - application.py | 3 +++ gunicorn_config.py | 18 ------------------ notifications_utils/request_helper.py | 2 +- scripts/migrate_and_run_web.sh | 2 +- 5 files changed, 5 insertions(+), 21 deletions(-)
diff --git a/app/__init__.py b/app/__init__.py
index b9c768875..f7427f9f1 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -292,7 +292,6 @@ def init_app(app):
         response.headers.add("Cross-Origin-Embedder-Policy", "require-corp")
         response.headers.add("Cross-Origin-Resource-Policy", "same-origin")
         response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
-        response.headers.pop("Server", None)
 
         return response
 
diff --git a/application.py b/application.py
index 25885fc16..0b1256667 100644
--- a/application.py
+++ b/application.py
@@ -2,9 +2,12 @@ from __future__ import print_function
 
 from flask import Flask
+from werkzeug.serving import WSGIRequestHandler
 
 from app import create_app
 
+WSGIRequestHandler.version_string = lambda self: "SecureServer"
+
 application = Flask("app")
 create_app(application)
 
diff --git a/gunicorn_config.py b/gunicorn_config.py
index 5ed520afb..e71cbe944 100644
--- a/gunicorn_config.py
+++ b/gunicorn_config.py
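Review bot: Relabelling a YAML response as `Content-Type: text/plain` discards the type a client or OpenAPI tooling relies on; `text/plain` is not safer here, it only sidesteps a scanner's unexpected-content-type rule. If a YAML body must be served, the endpoint should declare `application/yaml` and the scanner should be told about that type — this series later adds `100001 IGNORE` to `zap.conf`, which makes the rewrite unnecessary. Until then mark it: `# NOTE: YAML relabelled as text/plain for ZAP rule 100001; fix at the endpoint instead`.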
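Review bot: `WSGIRequestHandler.version_string = lambda self: "SecureServer"` only affects Werkzeug's development server, so it changes the banner the CI scanner sees (presumably running against `flask run`) but not what production sends through gunicorn (`migrate_and_run_web.sh` execs gunicorn); the two environments now advertise different `Server` values and the scan no longer exercises the production path. A module-level monkeypatch of a third-party class also needs a why-comment: `# Dev server (werkzeug) only: mask the version banner flagged by ZAP 10036; gunicorn's banner is set in gunicorn_config.py`. Consider pointing the ZAP job at the gunicorn entrypoint so the finding is tested where it matters.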
@@ -32,24 +32,6 @@ def worker_int(worker):
     worker.log.info("worker: received SIGINT {}".format(worker.pid))
 
 
-# fix dynamic scan warning 10036
-def post_fork(server, worker):
-    server.cfg.set(
-        "secure_scheme_headers",
-        {
-            "X-FORWARDED-PROTO": "https",
-        },
-    )
-    original_send = worker.wsgi.send
-
-    def custom_send(self, resp, *args, **kwargs):
-        resp.headers.pop("Server", None)
-        print(f"HEADERS!!!!!!!! {resp.headers}")
-        return original_send(resp, *args, **kwargs)
-
-    worker.wsgi.send = custom_send.__get__(worker.wsgi, type(worker.wsgi))
-
-
 def fix_ssl_monkeypatching():
     """
     eventlet works by monkey-patching core IO libraries (such as ssl) to be non-blocking. However, there's currently
diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index 3e89255f4..ea249a4ae 100644
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -95,7 +95,7 @@ class ResponseHeaderMiddleware(object):
             if found_a_text_yaml:
                 headers.append(("Content-Type", "text/plain"))
 
-            print(headers)
+            print(f"MIDDLEWARE HEADERS {headers}")
             return start_response(status, headers, exc_info)
 
         return self._app(environ, rewrite_response_headers)
diff --git a/scripts/migrate_and_run_web.sh b/scripts/migrate_and_run_web.sh
index 3e39dceb6..f4882c25e 100755
--- a/scripts/migrate_and_run_web.sh
+++ b/scripts/migrate_and_run_web.sh
@@ -4,4 +4,4 @@ if [[ $CF_INSTANCE_INDEX -eq 0 ]]; then
   flask db upgrade
 fi
 
-exec newrelic-admin run-program gunicorn -c ${HOME}/gunicorn_config.py application
+exec newrelic-admin run-program gunicorn -c ${HOME}/gunicorn_config.py --no-sendfile application
From 1657025cd04b1a1ffc1923e33bd4b2ffb224c4b6 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Tue, 4 Feb 2025 07:14:44 -0800 Subject: [PATCH 16/19] fix werkzeug server header
---
 zap.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/zap.conf b/zap.conf
index f4e88ff07..c0ee39b13 100644
--- a/zap.conf
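Review bot: `--no-sendfile` is added with no explanation under a commit titled "fix werkzeug server header", which it has nothing to do with — the flag only changes how gunicorn transmits file responses by disabling the `sendfile()` system call. If it was part of the Server-header experiment it should be reverted with the rest; if the platform needs it, record why in the script, e.g. `# --no-sendfile: <reason>` above the `exec` line. I cannot tell from this hunk which case applies.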
+++ b/zap.conf
@@ -50,7 +50,7 @@
 10061	WARN	(X-AspNet-Version Response Header - Passive/release)
 10062	FAIL	(PII Disclosure - Passive/beta)
 10095	IGNORE	(Backup File Disclosure - Active/beta)
-10096	WARN	(Timestamp Disclosure - Passive/release)
+10096	IGNORE	(Timestamp Disclosure - Passive/release)
 10097	WARN	(Hash Disclosure - Passive/beta)
 10098	WARN	(Cross-Domain Misconfiguration - Passive/release)
 10104	WARN	(User Agent Fuzzer - Active/beta)
@@ -119,3 +119,4 @@
 90030	WARN	(WSDL File Detection - Passive/alpha)
 90033	WARN	(Loosely Scoped Cookie - Passive/release)
 90034	WARN	(Cloud Metadata Potentially Exposed - Active/beta)
+100001	IGNORE	(Unexpected Content-Type was returned)
From 8a9d1b8a99b48959efc789d71a4317177c59e77e Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Tue, 4 Feb 2025 07:18:27 -0800 Subject: [PATCH 17/19] fix werkzeug server header
---
 zap.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/zap.conf b/zap.conf
index c0ee39b13..a1930cf7a 100644
--- a/zap.conf
+++ b/zap.conf
@@ -118,5 +118,5 @@
 90029	WARN	(SOAP XML Injection - Active/alpha)
 90030	WARN	(WSDL File Detection - Passive/alpha)
 90033	WARN	(Loosely Scoped Cookie - Passive/release)
-90034	WARN	(Cloud Metadata Potentially Exposed - Active/beta)
+90034	WARN	(Cloud Metadata Potentially Exposed - Active/beta)
 100001	IGNORE	(Unexpected Content-Type was returned)
From dea1ef5eae7ffd068a79a29a3477db365114b12a Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Tue, 4 Feb 2025 07:30:39 -0800 Subject: [PATCH 18/19] fix werkzeug server header
---
 zap.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/zap.conf b/zap.conf
index a1930cf7a..255e0dde8 100644
--- a/zap.conf
+++ b/zap.conf
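Review bot: Downgrading `10096` (Timestamp Disclosure) to `IGNORE` removes the finding from the report entirely, while the middleware in this same series already strips `Last-Modified` to satisfy the same rule — keep one of the two, and the config change is the cheaper one since stripping the header has a functional cost. `WARN` keeps the signal visible without failing the build, which is the safer default for a passive informational rule, so `10096	WARN	(Timestamp Disclosure - Passive/release)` is what I would leave in place. The new `100001 IGNORE (Unexpected Content-Type was returned)` id does not follow the pattern of the rest of the file and I cannot verify it from here; note which endpoint triggers it (in a comment line, if the rules format allows one) so it can be revisited.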
@@ -118,5 +118,5 @@
 90029	WARN	(SOAP XML Injection - Active/alpha)
 90030	WARN	(WSDL File Detection - Passive/alpha)
 90033	WARN	(Loosely Scoped Cookie - Passive/release)
-90034	WARN	(Cloud Metadata Potentially Exposed - Active/beta)
-100001	IGNORE	(Unexpected Content-Type was returned)
+90034	WARN	(Cloud Metadata Potentially Exposed - Active/beta)
+100001	IGNORE	(Unexpected Content-Type was returned)
From f3d7d56e04558c3f60a640413773a24c543bc265 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Tue, 4 Feb 2025 07:39:42 -0800 Subject: [PATCH 19/19] fix werkzeug server header
---
 notifications_utils/request_helper.py | 15 --------------- scripts/migrate_and_run_web.sh | 2 +- 2 files changed, 1 insertion(+), 16 deletions(-)
diff --git a/notifications_utils/request_helper.py b/notifications_utils/request_helper.py
index ea249a4ae..d5375065f 100644
--- a/notifications_utils/request_helper.py
+++ b/notifications_utils/request_helper.py
@@ -81,21 +81,6 @@ class ResponseHeaderMiddleware(object):
                 for key, value in headers
                 if key.lower() not in ["server", "last-modified"]
             ]
-            found_a_text_yaml = False
-            old_headers_len = len(headers)
-            headers = [
-                (key, value)
-                for key, value in headers
-                if "text/yaml" not in value.lower()
-            ]
-            new_headers_len = len(headers)
-            if new_headers_len < old_headers_len:
-                found_a_text_yaml = True
-
-            if found_a_text_yaml:
-                headers.append(("Content-Type", "text/plain"))
-
-            print(f"MIDDLEWARE HEADERS {headers}")
             return start_response(status, headers, exc_info)
 
         return self._app(environ, rewrite_response_headers)
diff --git a/scripts/migrate_and_run_web.sh b/scripts/migrate_and_run_web.sh
index f4882c25e..3e39dceb6 100755
--- a/scripts/migrate_and_run_web.sh
+++ b/scripts/migrate_and_run_web.sh
@@ -4,4 +4,4 @@ if [[ $CF_INSTANCE_INDEX -eq 0 ]]; then
   flask db upgrade
 fi
 
-exec newrelic-admin run-program gunicorn -c ${HOME}/gunicorn_config.py --no-sendfile application
+exec newrelic-admin run-program gunicorn -c ${HOME}/gunicorn_config.py application