[FOLIO-3557] Disable http to https redirection on snapshot/snapshot-2 Created: 11/Aug/22  Updated: 10/May/23

Status: Open
Project: FOLIO
Components: Continuous Integration
Affects versions: None
Fix versions: None

Type: Story Priority: P3
Reporter: Julian Ladisch Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to EDGCOMMON-54 Edge-common - Vert.x 4.3.3 fixing dis... Closed
relates to RMB-934 Vert.x 4.3.3 fixing disabled SSL in 4... Closed
Sprint: DevOps Sprint 160
Development Team: FOLIO DevOps
RCA Group: TBD

Description

How to reproduce:

curl -w"\n" -D - -L http://folio-snapshot-okapi.dev.folio.org/_/proxy/health 

Actual:

HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Date: Thu, 11 Aug 2022 13:55:54 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Location: https://folio-snapshot-okapi.dev.folio.org:443/_/proxy/health

HTTP/2 200
date: Thu, 11 Aug 2022 13:55:55 GMT
content-type: application/json
content-length: 3

[ ] 

Expected:

HTTP/1.1 404 Not Found
...

Background:

A bug in Vert.x (RMB-934, closed) disables SSL where it should be used. The snapshot environments hide this bug by redirecting from http to https.

Please disable redirection.

If SSL is disabled, an attacker can successfully run a machine-in-the-middle attack. The integration tests run against snapshot or snapshot-2 should fail if SSL is disabled.
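
The check the integration tests would need is small: request the plain-http Okapi URL without following redirects and fail if the first reply is a 3xx pointing at an https URL. The script below is an added example written for this issue, not code from the FOLIO CI or Okapi repositories; the function names (`http_to_https_redirect_detected`, `assert_http_rejected`, `probe_url`) are my own, and the two header samples are constructed, the first reproducing the "Actual" 301 shown above and the second the "Expected" 404.

```sh
#!/bin/sh
# Added example for FOLIO-3557; not part of the issue or of FOLIO's CI scripts.
# Classifies the first response to a plain-http request, as captured with
# `curl -D - <url>` (no -L, so only the first hop is seen), and tells whether the
# environment answered with a redirect to https instead of rejecting the request.

# Returns 0 when the headers carry a 3xx status whose Location is an https URL,
# 1 otherwise. Argument: the raw header block as a single string.
http_to_https_redirect_detected() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$hdrs" | awk 'tolower($1) == "location:" { print $2; exit }')
    case "$status" in
        30[1278])
            case "$location" in
                https://*) return 0 ;;
            esac
            ;;
    esac
    return 1
}

# What the integration test should assert: a plain-http Okapi URL is rejected
# (the issue expects 404 Not Found; a refused connection, which yields empty
# headers here, also counts as rejected), never redirected to https.
# Returns 1 on a redirect so the surrounding test fails loudly.
assert_http_rejected() {
    if http_to_https_redirect_detected "$1"; then
        echo "FAIL: plain-http request was redirected to https; it must be rejected" >&2
        return 1
    fi
    return 0
}

# Live probe (needs network; not exercised by the samples below):
#   probe_url http://folio-snapshot-okapi.dev.folio.org/_/proxy/health
# `-D -` writes only the response headers to stdout; the body goes to /dev/null.
probe_url() {
    assert_http_rejected "$(curl -s -o /dev/null -D - "$1")"
}

# Constructed samples: the first reproduces the "Actual" response from the issue,
# the second the "Expected" one.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Content-Type: text/html
Location: https://folio-snapshot-okapi.dev.folio.org:443/_/proxy/health
'
SAMPLE_NOT_FOUND='HTTP/1.1 404 Not Found
Content-Type: text/html
'
```

Run `probe_url` against the snapshot Okapi URL from a CI job and let its non-zero exit fail the build; once the load balancer stops redirecting, the same probe passes on a 404 or a refused connection, so the Vert.x SSL regression can no longer be masked.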

References:

https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html#use-tls-for-all-pages allows redirection only for public-facing applications where users manually type in the domain name, and only together with an HSTS header. Therefore it is not allowed for the Okapi URLs.

https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md#v92-server-communication-security 9.2.2 requires "that connections to and from the server use trusted TLS certificates. [...] All others should be rejected." This doesn't allow unencrypted redirect messages.


Generated at Thu Feb 08 23:29:00 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.