Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Fix XSS Vulnerability where content-type header wasn't explicitly set #21704

Merged
merged 5 commits into from
Sep 11, 2024
Merged

[Security] Fix XSS Vulnerability where content-type header wasn't explicitly set #21704

merged 5 commits into from
Sep 11, 2024

Conversation

sarahalsmiller
Copy link
Member

Description

Added middleware to ensure that content-type header is always set to mitigate XSS vulnerability.

Testing & Reproduction steps

  • Updated unit tests to add additional checks for content-type header
  • Vercel should deploy UI with no errors

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@sarahalsmiller sarahalsmiller added the backport/all Apply backports for all active releases per .release/versions.hcl label Sep 10, 2024
@sarahalsmiller sarahalsmiller marked this pull request as ready for review September 10, 2024 20:09
@sarahalsmiller sarahalsmiller merged commit 07fae7b into main Sep 11, 2024
91 checks passed
@sarahalsmiller sarahalsmiller deleted the SECVULN-8619-TOB-CONSUL24-3-Reflected-XSS-in-peering-endpoints-that-return-an-error branch September 11, 2024 19:23
@hc-github-team-consul-core hc-github-team-consul-core added backport/1.19 This release series is longer active on CE, use backport/ent/1.19 backport/ent/1.17 This release series is longer active on CE or Ent backport/ent/1.15 Changes are backported to 1.15 ent backport/ent/1.18 Changes are backported to 1.18 ent labels Sep 11, 2024
@hc-github-team-consul-core hc-github-team-consul-core mentioned this pull request Sep 11, 2024
Merged
4 tasks
@hc-github-team-consul-core
Copy link
Collaborator

📣 Hi @sarahalsmiller! a backport is missing for this PR [21704] for versions [1.15,1.17,1.18,1.19] please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

philrenaud pushed a commit that referenced this pull request Sep 12, 2024
@sarahalsmiller @philrenaud
[Security] Fix XSS Vulnerability where content-type header wasn't exp…
653cf64 
…licitly set (#21704)

* explicitly add content-type anywhere possible and add middleware to set and warn

* added tests, fixed typo

* clean up unused constants

* changelog

* fix call order in middleware
@hc-github-team-consul-core
Copy link
Collaborator

📣 Hi @sarahalsmiller! a backport is missing for this PR [21704] for versions [1.15,1.17,1.18,1.19] please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

@hc-github-team-consul-core
Copy link
Collaborator

📣 Hi @sarahalsmiller! a backport is missing for this PR [21704] for versions [1.15,1.17,1.18] please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

2 similar comments
@hc-github-team-consul-core
Copy link
Collaborator

📣 Hi @sarahalsmiller! a backport is missing for this PR [21704] for versions [1.15,1.17,1.18] please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

@hc-github-team-consul-core
Copy link
Collaborator

📣 Hi @sarahalsmiller! a backport is missing for this PR [21704] for versions [1.15,1.17,1.18] please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

@dhiaayachi dhiaayachi mentioned this pull request Sep 25, 2024
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dduzgun-security dduzgun-security dduzgun-security approved these changes

Assignees
No one assigned
Labels
backport/all Apply backports for all active releases per .release/versions.hcl backport/ent/1.15 Changes are backported to 1.15 ent backport/ent/1.17 This release series is longer active on CE or Ent backport/ent/1.18 Changes are backported to 1.18 ent backport/1.19 This release series is longer active on CE, use backport/ent/1.19
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sarahalsmiller @hc-github-team-consul-core @dduzgun-security