From 32a0a6868f471aa9af79ee84a72ce2b580c503fe Mon Sep 17 00:00:00 2001 From: Rene Pfeuffer Date: Wed, 14 Jun 2023 15:57:01 +0200 Subject: [PATCH] Fix security findings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add security headers: - X-Frame-Options - X-Content-Type-Options - Content-Security-Policy - Permissions-Policy - Do not send server information header Committed-by: Eduard Heimbuch Co-authored-by: Eduard Heimbuch Co-authored-by: René Pfeuffer --- .../groovy/com/cloudogu/scm/ScmServer.groovy | 1 + gradle/changelog/zap.yaml | 2 + .../deb/src/main/fs/etc/scm/server-config.xml | 1 + .../src/main/fs/etc/scm/server-config.xml | 1 + .../src/main/chart/templates/configmap.yaml | 1 + .../rpm/src/main/fs/etc/scm/server-config.xml | 1 + .../unix/src/main/fs/conf/server-config.xml | 1 + .../src/main/fs/conf/server-config.xml | 1 + .../resources/sonia/scm/server/ctxPath.xml | 1 + .../resources/sonia/scm/server/default.xml | 1 + .../test/resources/sonia/scm/server/ssl.xml | 1 + .../scm/filter/SecurityHeadersFilter.java | 83 +++++++++++++++++++ 12 files changed, 95 insertions(+) create mode 100644 gradle/changelog/zap.yaml create mode 100644 scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java diff --git a/build-plugins/src/main/groovy/com/cloudogu/scm/ScmServer.groovy b/build-plugins/src/main/groovy/com/cloudogu/scm/ScmServer.groovy index 3f9e833f69..5fa371fc99 100644 --- a/build-plugins/src/main/groovy/com/cloudogu/scm/ScmServer.groovy +++ b/build-plugins/src/main/groovy/com/cloudogu/scm/ScmServer.groovy @@ -142,6 +142,7 @@ class ScmServer { cfg.setRequestHeaderSize(configuration.headerSize) cfg.setResponseHeaderSize(configuration.headerSize) + cfg.setSendServerVersion(false) connector.setConnectionFactories([new HttpConnectionFactory(cfg)]) connector.setPort(configuration.port) diff --git a/gradle/changelog/zap.yaml b/gradle/changelog/zap.yaml new file mode 100644 index 0000000000..0ae58113db 
--- /dev/null +++ b/gradle/changelog/zap.yaml @@ -0,0 +1,2 @@ +- type: fixed + description: Security findings (security headers and jetty server information) diff --git a/scm-packaging/deb/src/main/fs/etc/scm/server-config.xml b/scm-packaging/deb/src/main/fs/etc/scm/server-config.xml index 6a16453b6e..d88ff30eab 100644 --- a/scm-packaging/deb/src/main/fs/etc/scm/server-config.xml +++ b/scm-packaging/deb/src/main/fs/etc/scm/server-config.xml @@ -38,6 +38,7 @@ 16384 16384 + false diff --git a/scm-packaging/docker/src/main/fs/etc/scm/server-config.xml b/scm-packaging/docker/src/main/fs/etc/scm/server-config.xml index d7c0e6c6cb..3048cf72bd 100644 --- a/scm-packaging/docker/src/main/fs/etc/scm/server-config.xml +++ b/scm-packaging/docker/src/main/fs/etc/scm/server-config.xml @@ -38,6 +38,7 @@ 16384 16384 + false diff --git a/scm-packaging/helm/src/main/chart/templates/configmap.yaml b/scm-packaging/helm/src/main/chart/templates/configmap.yaml index b259af5d85..e0d7dd151a 100644 --- a/scm-packaging/helm/src/main/chart/templates/configmap.yaml +++ b/scm-packaging/helm/src/main/chart/templates/configmap.yaml @@ -41,6 +41,7 @@ data: 16384 16384 + false {{- if .Values.ingress.enabled -}} 16384 16384 + false diff --git a/scm-packaging/unix/src/main/fs/conf/server-config.xml b/scm-packaging/unix/src/main/fs/conf/server-config.xml index 49fecb4333..526ef3ecae 100644 --- a/scm-packaging/unix/src/main/fs/conf/server-config.xml +++ b/scm-packaging/unix/src/main/fs/conf/server-config.xml @@ -38,6 +38,7 @@ 16384 16384 + false diff --git a/scm-packaging/windows/src/main/fs/conf/server-config.xml b/scm-packaging/windows/src/main/fs/conf/server-config.xml index d502c0a729..7b3439c618 100644 --- a/scm-packaging/windows/src/main/fs/conf/server-config.xml +++ b/scm-packaging/windows/src/main/fs/conf/server-config.xml @@ -38,6 +38,7 @@ 16384 16384 + false 
diff --git a/scm-server/src/test/resources/sonia/scm/server/ctxPath.xml b/scm-server/src/test/resources/sonia/scm/server/ctxPath.xml index ccf2e70f4c..661c118252 100644 --- a/scm-server/src/test/resources/sonia/scm/server/ctxPath.xml +++ b/scm-server/src/test/resources/sonia/scm/server/ctxPath.xml @@ -38,6 +38,7 @@ 16384 16384 + false diff --git a/scm-server/src/test/resources/sonia/scm/server/default.xml b/scm-server/src/test/resources/sonia/scm/server/default.xml index 6a16453b6e..d88ff30eab 100644 --- a/scm-server/src/test/resources/sonia/scm/server/default.xml +++ b/scm-server/src/test/resources/sonia/scm/server/default.xml @@ -38,6 +38,7 @@ 16384 16384 + false diff --git a/scm-server/src/test/resources/sonia/scm/server/ssl.xml b/scm-server/src/test/resources/sonia/scm/server/ssl.xml index a2b48c487e..c989c4f656 100644 --- a/scm-server/src/test/resources/sonia/scm/server/ssl.xml +++ b/scm-server/src/test/resources/sonia/scm/server/ssl.xml @@ -38,6 +38,7 @@ 16384 16384 + false diff --git a/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java b/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java new file mode 100644 index 0000000000..75d41cc82e --- /dev/null +++ b/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java 
@@ -0,0 +1,83 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.filter;
+
+import sonia.scm.Priority;
+import sonia.scm.web.filter.HttpFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Priority(7000)
+@WebElement("*")
+public class SecurityHeadersFilter extends HttpFilter {
+ @Override
+ protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
+ response.setHeader("X-Frame-Options", "deny");
+ response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("Content-Security-Policy",
+ "form-action 'self'; " +
+ "object-src 'none'; " +
+ "frame-ancestors 'none'; " +
+ "upgrade-insecure-requests; " +
+ "block-all-mixed-content"
+ );
+ response.setHeader("Permissions-Policy",
+ "accelerometer=()," +
+ "ambient-light-sensor=()," +
+ "autoplay=()," +
+ "battery=()," +
+ "camera=()," +
+ "display-capture=()," +
+ "document-domain=()," +
+ "encrypted-media=()," +
+ "fullscreen=()," +
+ "gamepad=()," +
+ "geolocation=()," +
+ "gyroscope=()," +
+ "layout-animations=(self)," +
+ "legacy-image-formats=(self)," +
+ "magnetometer=()," +
+ "microphone=()," +
+ "midi=()," +
+ "oversized-images=(self)," +
+ "payment=()," +
+ "picture-in-picture=()," +
+ "publickey-credentials-get=()," +
+ "speaker-selection=()," +
+ "sync-xhr=(self)," +
+ "unoptimized-images=(self)," +
+ "unsized-media=(self)," +
+ "usb=()," +
+ "screen-wake-lock=()," +
+ "web-share=()," +
+ "xr-spatial-tracking=()"
+ );
+ chain.doFilter(request, response);
+ }
+}
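Review bot: The Content-Security-Policy built in doFilter has no `default-src` or `script-src` directive, so it limits form targets, plugins and framing but places no restriction on where scripts, styles or connections may load from; if that is deliberate because the UI needs inline scripts and styles, a comment saying so would keep the next reader from assuming this header mitigates script injection. `upgrade-insecure-requests` is sent unconditionally, and on an instance that is reached over plain HTTP (the packaging configs touched in this commit do not appear to enable TLS by default, though I cannot see their full content here) browsers that honour the directive will rewrite same-origin subresource fetches to https, which fails where no TLS listener exists — worth confirming against a plain-HTTP deployment, or gating the directive on `request.isSecure()` (or the forwarded-proto value when behind a TLS-terminating proxy). `block-all-mixed-content` is deprecated in current browsers and is subsumed by `upgrade-insecure-requests`, so it can be dropped. Several Permissions-Policy feature names in the list (`layout-animations`, `legacy-image-formats`, `oversized-images`, `unoptimized-images`, `unsized-media`, `document-domain`) are, as far as I know, experimental or withdrawn and unrecognised names produce console warnings in browsers, so trimming the list to standardised features would reduce noise without weakening the policy. The class has no Javadoc; `/** Adds browser hardening headers (X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Permissions-Policy) to every response before the filter chain continues. */` would document the intent and the fact that it applies to all paths via `@WebElement("*")`.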