[FOLIO-3557] Disable http to https redirection on snapshot/snapshot-2
Created: 11/Aug/22 Updated: 10/May/23

| Status: | Open |
| Project: | FOLIO |
| Components: | Continuous Integration |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Story | Priority: | P3 |
| Reporter: | Julian Ladisch | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | security, security-reviewed |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | DevOps Sprint 160 |
| Development Team: | FOLIO DevOps |
| RCA Group: | TBD |

Description
How to reproduce:

curl -w"\n" -D - -L http://folio-snapshot-okapi.dev.folio.org/_/proxy/health

Actual:

HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Date: Thu, 11 Aug 2022 13:55:54 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Location: https://folio-snapshot-okapi.dev.folio.org:443/_/proxy/health

HTTP/2 200
date: Thu, 11 Aug 2022 13:55:55 GMT
content-type: application/json
content-length: 3

[ ]

Expected:

HTTP/1.1 404 Not Found
...

Background: A bug in Vert.x (

Please disable redirection. If SSL is disabled an attacker can successfully run a machine-in-the-middle attack. The integration tests run against snapshot or snapshot-2 should fail if SSL is disabled.

References:

https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html#use-tls-for-all-pages allows redirection only for public facing applications where users manually type in the domain name, and only with an HSTS header. Therefore it is not allowed for the Okapi URLs.

https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md#v92-server-communication-security 9.2.2 requires "that connections to and from the server use trusted TLS certificates. [...] All others should be rejected." This doesn't allow unencrypted redirect messages.
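One way to make an integration test fail when plain HTTP is redirected instead of rejected, as the ticket asks. This is an added example, not code from the ticket or the FOLIO project: it parses the header dump that `curl -D - -L` prints (the sample below is constructed from the "Actual" output above) and applies the ticket's rule that the first response to an http:// request must be a rejection such as 404, never a 3xx redirect and never a 2xx.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the header dump from the ticket's "Actual" output, as
# `curl -D - -L` prints it (one header block per response in the chain).
SAMPLE_DUMP = """HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Date: Thu, 11 Aug 2022 13:55:54 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Location: https://folio-snapshot-okapi.dev.folio.org:443/_/proxy/health

HTTP/2 200
date: Thu, 11 Aug 2022 13:55:55 GMT
content-type: application/json
content-length: 3
"""

def parse_header_dump(dump):
    """Split a `curl -D -` dump into [(status_code, lower-cased headers), ...]."""
    responses = []
    for block in re.split(r"\r?\n\r?\n", dump.strip()):
        lines = block.splitlines()
        status = int(lines[0].split()[1])          # "HTTP/1.1 301 ..." -> 301
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        responses.append((status, headers))
    return responses

def check_plain_http_rejected(dump, request_url):
    """Return (ok, reason) for the first response to a plain-HTTP request."""
    # Policy from the ticket: http:// requests to the API must be rejected
    # (4xx such as 404), never redirected to https:// and never served in clear.
    if urlparse(request_url).scheme != "http":
        return True, "request was not plain HTTP; nothing to check"
    status, headers = parse_header_dump(dump)[0]
    if 300 <= status < 400:
        return False, f"plain HTTP redirected ({status}) to {headers.get('location', '?')}"
    if status < 300:
        return False, f"plain HTTP served in clear ({status})"
    return True, f"plain HTTP rejected ({status})"

if __name__ == "__main__":
    ok, why = check_plain_http_rejected(
        SAMPLE_DUMP, "http://folio-snapshot-okapi.dev.folio.org/_/proxy/health")
    print("PASS" if ok else "FAIL", "-", why)
```

Only the first response in the chain is judged, because once curl has followed the redirect the remaining responses are already over HTTPS and say nothing about the plain-HTTP behaviour.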