Thread: [pgAdmin][5919] Fix security related issues
Hi Hackers,
Please find the attached patch to fix the below security issues:
- Host Header Injection - Added ALLOWED_HOSTS list to limit host address
- Lack of Content Security Policy (CSP) - Added security header
- Lack of Protection Mechanisms - HSTS - Added security header
- Lack of Cookie Attribute – Secure : Kept as False as secure limits cookies to HTTPS traffic only.
- Information Disclosure – Web Server / Development Framework VersionDescription: Kept as hard coded 'Python' instead of exposing wsgi/python/gunicorn version info.
Please review and let me know if I have missed anything.
Regards,
Ganesh Jaybhay
Attachment
Hi
On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:
Hi Hackers,Please find the attached patch to fix the below security issues:
- Host Header Injection - Added ALLOWED_HOSTS list to limit host address
- Lack of Content Security Policy (CSP) - Added security header
- Lack of Protection Mechanisms - HSTS - Added security header
- Lack of Cookie Attribute – Secure : Kept as False as secure limits cookies to HTTPS traffic only.
- Information Disclosure – Web Server / Development Framework VersionDescription: Kept as hard coded 'Python' instead of exposing wsgi/python/gunicorn version info.
Please review and let me know if I have missed anything.
I took a very quick look at this, and one thing that immediately stood out is that HSTS should definitely not be enabled by default. That can make dev/test/redeploy extremely difficult.
Thank you Dave for the suggestion.
Please find the attached updated patch to make HSTS by default disabled and conditional based on flag.
Regards,
Ganesh Jaybhay
On Mon, Oct 19, 2020 at 5:38 PM Dave Page <dpage@pgadmin.org> wrote:
Hi--On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:Hi Hackers,Please find the attached patch to fix the below security issues:
- Host Header Injection - Added ALLOWED_HOSTS list to limit host address
- Lack of Content Security Policy (CSP) - Added security header
- Lack of Protection Mechanisms - HSTS - Added security header
- Lack of Cookie Attribute – Secure : Kept as False as secure limits cookies to HTTPS traffic only.
- Information Disclosure – Web Server / Development Framework VersionDescription: Kept as hard coded 'Python' instead of exposing wsgi/python/gunicorn version info.
Please review and let me know if I have missed anything.I took a very quick look at this, and one thing that immediately stood out is that HSTS should definitely not be enabled by default. That can make dev/test/redeploy extremely difficult.
Attachment
Thanks, patch applied.
On Mon, Oct 19, 2020 at 7:17 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:
Thank you Dave for the suggestion.Please find the attached updated patch to make HSTS by default disabled and conditional based on flag.Regards,Ganesh JaybhayOn Mon, Oct 19, 2020 at 5:38 PM Dave Page <dpage@pgadmin.org> wrote:Hi--On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:Hi Hackers,Please find the attached patch to fix the below security issues:
- Host Header Injection - Added ALLOWED_HOSTS list to limit host address
- Lack of Content Security Policy (CSP) - Added security header
- Lack of Protection Mechanisms - HSTS - Added security header
- Lack of Cookie Attribute – Secure : Kept as False as secure limits cookies to HTTPS traffic only.
- Information Disclosure – Web Server / Development Framework VersionDescription: Kept as hard coded 'Python' instead of exposing wsgi/python/gunicorn version info.
Please review and let me know if I have missed anything.I took a very quick look at this, and one thing that immediately stood out is that HSTS should definitely not be enabled by default. That can make dev/test/redeploy extremely difficult.
Thanks & Regards
Akshay Joshi
pgAdmin Hacker | Sr. Software Architect
EDB PostgresMobile: +91 976-788-8246