Fix: 4xx and 5xx responses from API Gateway cause Invicti findings (#154

)
DataBiosphere · Jul 9, 2024 · b3b68a3 · b3b68a3
1 parent 6cde58d
commit b3b68a3
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/src/azul/terraform.py b/src/azul/terraform.py
@@ -791,7 +791,16 @@ def tf_config(self, app_name):
         del deployment['lifecycle']['create_before_destroy']
         assert not deployment['lifecycle'], deployment
         del deployment['lifecycle']
-        deployment['triggers'] = {'redeployment': deployment.pop('stage_description')}
+        depends_on = [
+            'aws_api_gateway_gateway_response.%s_%s' % (app_name, response_type)
+            for response_type in ('4XX', '5XX')
+        ]
+        assert 'depends_on' not in deployment
+        deployment['depends_on'] = depends_on
+        deployment['triggers'] = {
+            'redeployment': deployment.pop('stage_description'),
+            **{v: '${sha1(jsonencode(%s))}' % v for v in depends_on}
+        }
 
         return {
             'resource': resources,

diff --git a/terraform/api_gateway.tf.json.template.py b/terraform/api_gateway.tf.json.template.py
@@ -454,6 +454,26 @@ def for_domain(cls, domain):
                         }
                     } for i, domain in enumerate(app.domains)
                 },
+                'aws_api_gateway_gateway_response': {
+                    f'{app.name}_{response_type}': {
+                        'rest_api_id': '${aws_api_gateway_rest_api.%s.id}' % app.name,
+                        'response_type': f'DEFAULT_{response_type}',
+                        'response_parameters': {
+                            f'gatewayresponse.header.{k}': v
+                            for k, v in [
+                                ('Content-Security-Policy', "'default-src \'self\''"),
+                                ('X-Content-Type-Options', "'nosniff'"),
+                                ('X-Frame-Options', "'DENY'"),
+                                ('Referrer-Policy', "'strict-origin-when-cross-origin'"),
+                                ('Strict-Transport-Security', "'max-age=63072000; includeSubDomains; preload'"),
+                                ('X-XSS-Protection', "'1; mode=block'")
+                            ]
+                        },
+                        'response_templates': {
+                            'application/json': '{"message":$context.error.messageString}'
+                        }
+                    } for response_type in ['4XX', '5XX']
+                },
                 'aws_acm_certificate': {
                     f'{app.name}_{i}': {
                         'domain_name': domain,