<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:29:00 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3557] Disable http to https redirection on snapshot/snapshot-2</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3557</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;How to reproduce:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
curl -w&lt;span class=&quot;code-quote&quot;&gt;&quot;\n&quot;&lt;/span&gt; -D - -L http:&lt;span class=&quot;code-comment&quot;&gt;//folio-snapshot-okapi.dev.folio.org/_/proxy/health &lt;/span&gt;&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;Actual:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Date: Thu, 11 Aug 2022 13:55:54 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Location: https:&lt;span class=&quot;code-comment&quot;&gt;//folio-snapshot-okapi.dev.folio.org:443/_/proxy/health
&lt;/span&gt;
HTTP/2 200
date: Thu, 11 Aug 2022 13:55:55 GMT
content-type: application/json
content-length: 3

[ ] &lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;Expected:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
HTTP/1.1 404 Not Found
...&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;Background:&lt;/p&gt;

&lt;p&gt;A bug in Vert.x (
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;RMB-934&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/RMB-934&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Vert.x 4.3.3 fixing disabled SSL in 4.3.0/4.3.1&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium&quot; /&gt;
            RMB-934
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
) disables SSL where it should be used. The snapshot environments hide this bug by redirecting from http to https.&lt;/p&gt;

&lt;p&gt;Please disable redirection.&lt;/p&gt;

&lt;p&gt;If SSL is disabled, an attacker can successfully run a machine-in-the-middle attack. The integration tests run against snapshot or snapshot-2 should fail if SSL is disabled.&lt;/p&gt;

&lt;p&gt;References:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html#use-tls-for-all-pages&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html#use-tls-for-all-pages&lt;/a&gt; allows redirection only for public-facing applications where users manually type in the domain name, and only with an HSTS header. Therefore it is not allowed for the Okapi URLs.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md#v92-server-communication-security&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md#v92-server-communication-security&lt;/a&gt; 9.2.2 requires &quot;that connections to and from the server use trusted TLS certificates. &lt;span class=&quot;error&quot;&gt;&amp;#91;...&amp;#93;&lt;/span&gt; All others should be rejected.&quot; This doesn&apos;t allow unencrypted redirect messages.&lt;/p&gt;</description>
                <environment></environment>
        <key id="79748">FOLIO-3557</key>
            <summary>Disable http to https redirection on snapshot/snapshot-2</summary>
                <type id="10005" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium">Story</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="1" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/open.png" description="The issue is open and ready for the assignee to start work on it.">Open</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Thu, 11 Aug 2022 14:06:32 +0000</created>
                <updated>Wed, 10 May 2023 11:27:22 +0000</updated>
                                                                            <component>Continuous Integration</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>1</watches>
                                                                    <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="38555">EDGCOMMON-54</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="57504">RMB-934</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10155"><![CDATA[FOLIO DevOps]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10106" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>RCA Group</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10367"><![CDATA[TBD]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzx1ar:o</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1718">DevOps Sprint 160</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    </customfields>
    </item>
</channel>
</rss>