IBX-5852: Created a new layout for error pages to prevent leak data #2106
Conversation
| var _jipt = []; | ||
| _jipt.push(['project', 'ezplatform']); | ||
| </script> | ||
| <script type="text/javascript" src="//cdn.crowdin.com/jipt/jipt.js"></script> |
There was a problem hiding this comment.
Comment on the security hotspot alert for this? https://sonarcloud.io/project/security_hotspots?id=ezsystems_ezplatform-admin-ui&pullRequest=2106&resolved=false&types=SECURITY_HOTSPOT
There was a problem hiding this comment.
If this integrity check can be used, it would be good: https://sonarcloud.io/organizations/ezsystems/rules?open=Web%3AS5725&rule_key=Web%3AS5725&tab=how_to_fix
There was a problem hiding this comment.
this code was from our default layout: https://github.com/ezsystems/ezplatform-admin-ui/blob/2.3/src/bundle/Resources/views/themes/admin/ui/layout.html.twig#L88
There was a problem hiding this comment.
DO NOT COMMIT, just an example
| <script type="text/javascript" src="//cdn.crowdin.com/jipt/jipt.js"></script> | |
| <script type="text/javascript" src="//cdn.crowdin.com/version-x.y.z/jipt/jipt.js" integrity="sha384-ye83f7h4...etc"></script> |
So this alert is not from this PR, but I'm trying to resolve it anyway. The subresource integrity check makes sense here. Making the hash is easy. But we need to lock it to a specific version of the JS code, so it doesn't break on the next update. I haven't yet found how crowdin would specify the version.
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#tools_for_generating_sri_hashes
There was a problem hiding this comment.
NB: This should not hold up this PR - but please look into it as a follow-up, if merged without a fix for this.
There was a problem hiding this comment.
@glye I asked Crowdin about this and here is an answer:
"The team told me that we don’t have versions of jipt.js. Bug fixes or new features may be introduced to the file"
There was a problem hiding this comment.
Thanks. That's unfortunate. The only way to secure it is to bundle it, then, and ensure we update it during release cycles.
Anyway, this problem should not block this PR since it's pre-existing.
src/bundle/Resources/views/themes/admin/ui/layout_error.html.twig
Outdated
Show resolved
Hide resolved
src/bundle/Resources/views/themes/admin/ui/layout_error.html.twig
Outdated
Show resolved
Hide resolved
src/bundle/Resources/views/themes/admin/ui/error_page/403.html.twig
Outdated
Show resolved
Hide resolved
|
SonarCloud Quality Gate failed.
|
Changed the layout that error pages use so that by default they use as few of our components as possible and haven't too much data like window.ibexa
Checklist:
$ composer fix-cs)