Fix: 4xx and 5xx responses from API Gateway cause Invicti findings (#154

)
DataBiosphere · Aug 1, 2024 · c371d6d · c371d6d
1 parent 3bc6669
commit c371d6d
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/src/azul/terraform.py b/src/azul/terraform.py
@@ -793,6 +793,29 @@ def tf_config(self, app_name):
         del deployment['lifecycle']
         deployment['triggers'] = {'redeployment': deployment.pop('stage_description')}
 
+        # Instead of specifying these properties in the related Terraform
+        # resource, using an AWS API Gateway extension to the OpenAPI
+        # specification lets us avoid maintaining a complicated trigger
+        # dependency between Terraform resources.
+        #
+        openapi_spec = json.loads(locals[app_name])
+        openapi_spec['x-amazon-apigateway-gateway-responses'] = {
+            f'DEFAULT_{response_type}': {
+                'responseParameters': {
+                    f'gatewayresponse.header.{k}': v
+                    for k, v in [
+                        ('Content-Security-Policy', "'default-src \'self\''"),
+                        ('X-Content-Type-Options', "'nosniff'"),
+                        ('X-Frame-Options', "'DENY'"),
+                        ('Referrer-Policy', "'strict-origin-when-cross-origin'"),
+                        ('Strict-Transport-Security', "'max-age=63072000; includeSubDomains; preload'"),
+                        ('X-XSS-Protection', "'1; mode=block'")
+                    ]
+                }
+            } for response_type in ['4XX', '5XX']
+        }
+        locals[app_name] = json.dumps(openapi_spec)
+
         return {
             'resource': resources,
             'data': data,

diff --git a/test/integration_test.py b/test/integration_test.py
@@ -2093,3 +2093,18 @@ def test_response_security_headers(self):
                         response.raise_for_status()
                         expected = expected_headers | global_headers
                         self.assertIsSubset(expected.items(), response.headers.items())
+
+    def test_default_4xx_response_headers(self):
+        headers = {
+            'Content-Security-Policy': "default-src 'self'",
+            'X-Content-Type-Options': 'nosniff',
+            'X-Frame-Options': 'DENY',
+            'Referrer-Policy': 'strict-origin-when-cross-origin',
+            'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
+            'X-XSS-Protection': '1; mode=block'
+        }
+        for endpoint in (config.service_endpoint, config.indexer_endpoint):
+            with self.subTest(endpoint=endpoint):
+                response = requests.get(str(endpoint / 'does-not-exist'))
+                self.assertEqual(403, response.status_code)
+                self.assertIsSubset(headers.items(), response.headers.items())