-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Content Security Policy (CSP) Not Implemented (DataBiosphere/azul-private#6) #6483
base: develop
Are you sure you want to change the base?
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## develop #6483 +/- ##
===========================================
- Coverage 85.38% 85.37% -0.02%
===========================================
Files 155 155
Lines 20788 20807 +19
===========================================
+ Hits 17749 17763 +14
- Misses 3039 3044 +5 ☔ View full report in Codecov by Sentry. |
00b8e08
to
13a04fb
Compare
src/azul/chalice.py
Outdated
@@ -468,12 +471,34 @@ def catalog(self) -> str: | |||
def _controller(self, controller_cls: Type[C], **kwargs) -> C: | |||
return controller_cls(app=self, **kwargs) | |||
|
|||
def content_security_policy(self, nonce: Optional[str] = None) -> str: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For consistency
def content_security_policy(self, nonce: Optional[str] = None) -> str: | |
def content_security_policy(self, nonce: str | None = None) -> str: |
src/azul/chalice.py
Outdated
self = q('self') | ||
none = q('none') | ||
if nonce is not None: | ||
nonce = q(f'nonce-{nonce}') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Contributing guide says to prefer concatenation over f-strings when the expressions are of equal length, as they are here:
nonce = q(f'nonce-{nonce}') | |
nonce = q('nonce-' + nonce) |
src/azul/chalice.py
Outdated
@@ -468,12 +471,34 @@ def catalog(self) -> str: | |||
def _controller(self, controller_cls: Type[C], **kwargs) -> C: | |||
return controller_cls(app=self, **kwargs) | |||
|
|||
def content_security_policy(self, nonce: Optional[str] = None) -> str: | |||
def q(s: str) -> str: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible for the string to contain quote characters that need to be escaped?
Consider creating a dedicated, non-local function for this in src/azul/strings.py
. I'm pretty sure there are other places in the codebase where we use this logic.
src/azul/chalice.py
Outdated
def s(*args: str | None) -> str: | ||
return ' '.join(filter(None, args)) | ||
|
||
self = q('self') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To avoid overriding the reference to the self
parameter.
self = q('self') | |
self_ = q('self') |
a406e1b
to
a36f7c5
Compare
src/azul/strings.py
Outdated
return surround(jw(*words), "'") | ||
|
||
|
||
def qq(*words: str) -> str: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is at least one other place this function could be used
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are other places. Search for f'"
and f"'
(that's a single quote and double quote in either order)
src/azul/strings.py
Outdated
return ' '.join(words) | ||
|
||
|
||
def surround(string: str, end: str) -> str: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
azul.bigquery.backtick
could make use of this function
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe the issue we saw on Friday regarding a circular import error when importing from azul.strings
into azul.bigquery
was due to a problem with my PyCharm configuration. After a reboot & reset of my Python interpreter path I am no longer able to reproduce the error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alright, as long as the build's green on GitHub I think we're okay.
src/azul/strings.py
Outdated
@@ -232,11 +232,11 @@ def jl(*lines: str) -> str: | |||
return '\n'.join(lines) | |||
|
|||
|
|||
def jw(*words: str) -> str: | |||
def jw(*words: str | None) -> str: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is a good idea. Filtering and joining the strings in the same function was okay when it was a local function that could only be used in one place, but a public function like this shouldn't be so fine-tuned to a single call site. There may be other call sites someday where the filtering isn't necessary or appropriate (it could hide bugs, for example).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I understand correctly, the only word that actually needs to be filtered is the nonce
variable. How about this approach instead to eliminate the call to filter
altogether?
Subject: [PATCH] review
---
Index: src/azul/chalice.py
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/src/azul/chalice.py b/src/azul/chalice.py
--- a/src/azul/chalice.py (revision a36f7c5062b20fb1b79c21140c5bdb2c8db92fdf)
+++ b/src/azul/chalice.py (date 1723684328983)
@@ -478,14 +478,13 @@
def content_security_policy(self, nonce: str | None = None) -> str:
self_ = sq('self')
none = sq('none')
- if nonce is not None:
- nonce = sq('nonce-' + nonce)
+ nonce = [] if nonce is None else [sq('nonce-' + nonce)]
return ';'.join([
jw('default-src', self_),
jw('img-src', self_, 'data:'),
- jw('script-src', self_, nonce),
- jw('style-src', self_, nonce),
+ jw('script-src', self_, *nonce),
+ jw('style-src', self_, *nonce),
jw('frame-ancestors', none),
])
4311908
to
e2dab47
Compare
src/azul/strings.py
Outdated
... | ||
azul.RequirementError: foo's | ||
""" | ||
require(end not in string, string) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
require(end not in string, string) | |
reject(end in string, string) |
src/azul/strings.py
Outdated
return ' '.join(words) | ||
|
||
|
||
def surround(string: str, end: str) -> str: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alright, as long as the build's green on GitHub I think we're okay.
src/azul/strings.py
Outdated
Prefix and postfix a string with another. The pre/postfix cannot be a | ||
substring of the source string. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick, but I think the English can be streamlined a bit
Prefix and postfix a string with another. The pre/postfix cannot be a | |
substring of the source string. | |
Prepend and append an affix to a string. The affix cannot be a | |
substring of the base string. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(feel free to disregard if you feel "affix" is too obscure a word to be helpful here)
e2dab47
to
7756e47
Compare
ccb1884
to
6e4f20d
Compare
6e4f20d
to
59d1e61
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM ✅
🔎👁️ Consider moving the commit 'Move import statement above docstring' closer to the beginning, perhaps after the quotes change, preceding the refactor. Keeps the semantically neutral changes closer together.
response_headers = { | ||
'Access-Control-Allow-Origin': '*', | ||
'Access-Control-Allow-Headers': 'Authorization,' | ||
'Content-Type,' | ||
'X-Amz-Date,' | ||
'X-Amz-Security-Token,' | ||
'X-Api-Key', | ||
'Content-Security-Policy': f"default-src {sq('self')}", | ||
'Content-Security-Policy': f"default-src {self_};" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the inner quotes extracted, the double quotes in these paragraphs should be converted to single quotes in this commit.
# 5XX responses from API Gateway. Use of these headers addresses known | ||
# security vulnerabilities. | ||
# | ||
security_headers = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: I would refactor this from a variable to a method in a separate commit. This makes it easier to read the changes by isolating the noisy insertion of ()
away from the semantic changes.
none = sq('none') | ||
headers = { | ||
'Content-Type': 'text/plain', | ||
'Content-Security-Policy': f"default-src {self_};" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Quotes again
3ff035a
to
59d1e61
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comments were thumbs-upped but requested changes were not implemented:
Connected issues: DataBiosphere/azul-private#6
Checklist
Author
develop
issues/<GitHub handle of author>/<issue#>-<slug>
1 when the issue title describes a problem, the corresponding PR
title is
Fix:
followed by the issue titleAuthor (partiality)
p
tag to titles of partial commitspartial
or completely resolves all connected issuespartial
labelAuthor (chains)
base
or this PR is not chained to another PRchained
or is not chained to another PRAuthor (reindex, API changes)
r
tag to commit title or the changes introduced by this PR will not require reindexing of any deploymentreindex:dev
or the changes introduced by it will not require reindexing ofdev
reindex:anvildev
or the changes introduced by it will not require reindexing ofanvildev
reindex:anvilprod
or the changes introduced by it will not require reindexing ofanvilprod
reindex:prod
or the changes introduced by it will not require reindexing ofprod
reindex:partial
and its description documents the specific reindexing procedure fordev
,anvildev
,anvilprod
andprod
or requires a full reindex or carries none of the labelsreindex:dev
,reindex:anvildev
,reindex:anvilprod
andreindex:prod
API
or this PR does not modify a REST APIa
(A
) tag to commit title for backwards (in)compatible changes or this PR does not modify a REST APIapp.py
or this PR does not modify a REST APIAuthor (upgrading deployments)
make image_manifests.json
and committed the resulting changes or this PR does not modifyazul_docker_images
, or any other variables referenced in the definition of that variableu
tag to commit title or this PR does not require upgrading deploymentsupgrade
or does not require upgrading deploymentsdeploy:shared
or does not modifyimage_manifests.json
, and does not require deploying theshared
component for any other reasondeploy:gitlab
or does not require deploying thegitlab
componentdeploy:runner
or does not require deploying therunner
imageAuthor (hotfixes)
F
tag to main commit title or this PR does not include permanent fix for a temporary hotfixanvilprod
andprod
) have temporary hotfixes for any of the issues connected to this PRAuthor (before every review)
develop
, squashed old fixupsmake requirements_update
or this PR does not modifyrequirements*.txt
,common.mk
,Makefile
andDockerfile
R
tag to commit title or this PR does not modifyrequirements*.txt
reqs
or does not modifyrequirements*.txt
make integration_test
passes in personal deployment or this PR does not modify functionality that could affect the IT outcomePeer reviewer (after approval)
System administrator (after approval)
demo
orno demo
no demo
no sandbox
N reviews
label is accurateOperator (before pushing merge the commit)
reindex:…
labels andr
commit title tagno demo
develop
_select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused
or this PR is not labeleddeploy:shared
_select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply
or this PR is not labeleddeploy:gitlab
_select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused
or this PR is not labeleddeploy:shared
_select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply
or this PR is not labeleddeploy:gitlab
deploy:gitlab
deploy:gitlab
System administrator
dev.gitlab
are complete or this PR is not labeleddeploy:gitlab
anvildev.gitlab
are complete or this PR is not labeleddeploy:gitlab
Operator (before pushing merge the commit)
_select dev.gitlab && make -C terraform/gitlab/runner
or this PR is not labeleddeploy:runner
_select anvildev.gitlab && make -C terraform/gitlab/runner
or this PR is not labeleddeploy:runner
sandbox
label or PR is labeledno sandbox
dev
or PR is labeledno sandbox
anvildev
or PR is labeledno sandbox
sandbox
deployment or PR is labeledno sandbox
anvilbox
deployment or PR is labeledno sandbox
sandbox
deployment or PR is labeledno sandbox
anvilbox
deployment or PR is labeledno sandbox
sandbox
or this PR does not remove catalogs or otherwise causes unreferenced indices indev
anvilbox
or this PR does not remove catalogs or otherwise causes unreferenced indices inanvildev
sandbox
or this PR is not labeledreindex:dev
anvilbox
or this PR is not labeledreindex:anvildev
sandbox
or this PR is not labeledreindex:dev
anvilbox
or this PR is not labeledreindex:anvildev
p
if the PR is also labeledpartial
Operator (chain shortening)
develop
or this PR is not labeledbase
chained
label from the blocked PR or this PR is not labeledbase
base
base
label from this PR or this PR is not labeledbase
Operator (after pushing the merge commit)
dev
anvildev
dev
dev
anvildev
anvildev
_select dev.shared && make -C terraform/shared apply
or this PR is not labeleddeploy:shared
_select anvildev.shared && make -C terraform/shared apply
or this PR is not labeleddeploy:shared
dev
anvildev
Operator (reindex)
dev
or this PR is neither labeledreindex:partial
norreindex:dev
anvildev
or this PR is neither labeledreindex:partial
norreindex:anvildev
dev
or this PR is neither labeledreindex:partial
norreindex:dev
anvildev
or this PR is neither labeledreindex:partial
norreindex:anvildev
dev
or this PR is neither labeledreindex:partial
norreindex:dev
anvildev
or this PR is neither labeledreindex:partial
norreindex:anvildev
dev
or this PR does not require reindexingdev
anvildev
or this PR does not require reindexinganvildev
dev
or this PR does not require reindexingdev
anvildev
or this PR does not require reindexinganvildev
dev
or this PR does not require reindexingdev
anvildev
or this PR does not require reindexinganvildev
Operator
deploy:shared
,deploy:gitlab
,deploy:runner
,API
,reindex:partial
,reindex:anvilprod
andreindex:prod
labels to the next promotion PRs or this PR carries none of these labelsdeploy:shared
,deploy:gitlab
,deploy:runner
,API
,reindex:partial
,reindex:anvilprod
andreindex:prod
labels, from the description of this PR to that of the next promotion PRs or this PR carries none of these labelsShorthand for review comments
L
line is too longW
line wrapping is wrongQ
bad quotesF
other formatting problem