darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2026-01-31 23:26:23 -05:00
Code Issues Packages Projects Releases Wiki Activity

Address moderate and low owasp findings

Browse Source 
* CORS headers removed because browsers should not interact with API directly
* Updated error handling to return expected content-type for JSON error messages
This commit is contained in:
Ryan Ahearn
2023-04-19 09:27:16 -04:00
parent 81f36182e8
commit db62e318ca
2 changed files with 19 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
app/__init__.py
View File

@@ -290,9 +290,7 @@ def init_app(app):
def after_request(response): def after_request(response):
CONCURRENT_REQUESTS.dec() CONCURRENT_REQUESTS.dec()
response.headers.add('Access-Control-Allow-Origin', '*') response.headers.add('X-Content-Type-Options', 'nosniff')
response.headers.add('Access-Control-Allow-Headers', 'Content-Type,Authorization')
response.headers.add('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE')
return response return response
@app.errorhandler(Exception) @app.errorhandler(Exception)
@@ -301,20 +299,34 @@ def init_app(app):
# error.code is set for our exception types. # error.code is set for our exception types.
msg = getattr(error, 'message', str(error)) msg = getattr(error, 'message', str(error))
code = getattr(error, 'code', 500) code = getattr(error, 'code', 500)
return jsonify(result='error', message=msg), code response = make_response(
jsonify(result='error', message=msg),
code,
error.get_headers()
)
response.content_type = "application/json"
return response
@app.errorhandler(WerkzeugHTTPException) @app.errorhandler(WerkzeugHTTPException)
def werkzeug_exception(e): def werkzeug_exception(e):
return make_response( response = make_response(
jsonify(result='error', message=e.description), jsonify(result='error', message=e.description),
e.code, e.code,
e.get_headers() e.get_headers()
) )
response.content_type = 'application/json'
return response
@app.errorhandler(404) @app.errorhandler(404)
def page_not_found(e): def page_not_found(e):
msg = e.description or "Not found" msg = e.description or "Not found"
return jsonify(result='error', message=msg), 404 response = make_response(
jsonify(result='error', message=msg),
404,
e.get_headers()
)
response.content_type = 'application/json'
return response
def create_uuid(): def create_uuid():

2
docs/testing.md
View File

@@ -56,5 +56,5 @@ docker run -v $(pwd):/zap/wrk/:rw --network="notify-network" -t owasp/zap2docker
The equivalent command if you are running the API locally: The equivalent command if you are running the API locally:
``` ```
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t http://host.docker.internal:6011/docs/openapi.yml -f openapi -c zap.conf docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t http://host.docker.internal:6011/docs/openapi.yml -f openapi -c zap.conf -r report.html
``` ```