| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Webpack (which is what vue uses to compress its HTML) is capable of
generating hashes of files when it produces the dist files[1].
This gets generated in the form of
<filename>.<hash>.<extension>
This commit attempts to detect these patterns, and enable etag caching
to speed up webui load times. It detects these patterns, grabs the hash
for the file, and returns it in the Etag header[2].
The behavior is implemented such that:
If the file has an etag, the etag header is returned.
If the request has an If-None-Match header, and that header matches,
only 304 is returned.
Tested:
Tests were run on qemu S7106 bmcweb with default error logging level,
and HTTP/2 enabled, along with svg optimization patches.
Run scripts/generate_auth_certificate.py to set up TLS certificates.
(valid TLS certs are required for HTTP caching to work properly in some
browsers).
Load the webui. Note that DOM load takes 1.10 seconds, Load takes 1.10
seconds, and all requests return 200 OK.
Refresh the GUI.
Note that most resources now return 304, and DOM time is reduced to
279 milliseconds and load is reduced to 280 milliseconds. DOM load
(which is what the BMC has control over) is decreased by a factor of
3-4X.
Setting chrome to "Fast 5g" throttling in the network tab shows a more
pronounced difference, 1.28S load time vs 3.96S.
BMC also shows 477KB transferred on the wire, versus 2.3KB
transferred on the wire. This has the potential to significantly
reduce the load on the BMC when the webui refreshes.
[1] https://webpack.js.org/guides/caching/
[2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag
Change-Id: I68aa7ef75533506d98e8fce10bb04a494dc49669
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
This feature was created for a time before webpack had a built in proxy,
and to debug the UI required setting specific flags. The webpack proxy
solves this problem in a much better way, by proxying everything.
This commit is one piece in the solving a use after free bug. Removing
this allows us to no longer have to cache the origin header [1], which
is only used in this mode.
Tested: Code compiles.
[1] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/70850
Change-Id: I01d67006e217c0c9fd2db7526c0ec34b0da068f3
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
This TODO has been in bmcweb for a very long time. Implement it.
W3 sets rules for what security policies apply to which content
types[1]. Reading through this, essentially CSP should only apply to
HTML files.
Tested: Unit tests pass. Webui loads properly. Chrome network window
Shows headers show up as expected.
[1] https://www.w3.org/TR/CSP2/#which-policy-applies
Change-Id: I5467d0373832668763c72a66da2a8872e07bfb58
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
If one sets the XSS policy disable, and tries to load the webui, they're
met with the following error message:
```
chunk-vendors.6cfb4b74.js:36 Refused to load the image
'data:image/svg+xml;charset=utf-8,%3Csvg
xmlns='http://www.w3.org/2000/svg' width='4' height='5'%3E%3Cpath
fill='%233f3f3f' d='M2 0L0 2h4zm0 5L0 3h4z'/%3E%3C/svg%3E' because it
violates the following Content Security Policy directive: "img-src *".
Note that '*' matches only URLs with network schemes ('http', 'https',
'ws', 'wss'), or URLs whose scheme matches `self`'s scheme. The scheme
'data:' must be added explicitly.
```
Do as it asks, and add data: to the content security policy.
Tested: Browser console no longer shows error when XSS is enabled.
Change-Id: I17f70d7c87a284b33ef6eb5a01a01c23a14898c9
Signed-off-by: Ed Tanous <ed@tanous.net>
|
|
Boost asio provides a test stream object that we can use to begin unit
testing the connection object. This patchset uses it to re-enable
some simple http1.1 tests. There's some features that have snuck into
the connection class that aren't compatible with a stream (like ip
address getting), so unfortunately we do need the connection class to
be aware if it's in test mode, but that tradeoff seems worthwhile.
Tested: Unit test pass.
Change-Id: Id8b1f8866582b58502dbafe6139f841bf64b8ef3
Signed-off-by: Ed Tanous <edtanous@google.com>
|
|
This adds a missing comma in the Permissions-Policy response header value.
Tested: no; I didn't even try to compile it.
Change-Id: I4f08b54a5e5af040e10a95d913ef8b457f5bd457
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
|
|
Change the Cache-Control header to what owasp recommends.
Remove the X-XSS-Protection. This has been removed from Chrome, and is
unimplemented in other browsers[1].
Add:
X-Permitted-Cross-Domain-Policies
Clear-Site-Data
Cross-Origin-Embedder-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy
And set them to the OWASP recommended values.
Tested: The OWASP Venom test suite now passes more tests.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Change-Id: I2860041c1037f47bb85a6444cec66960d0aa55f9
Signed-off-by: Ed Tanous <edtanous@google.com>
|
|
This adds HTTP response headers Referrer-Policy and Permissions-Policy per
OWASP guidelines, with some appropriate values for BMCWeb.
https://owasp.org/www-project-secure-headers/
Policies are given for all standardized feature. Most features are disabled
except for the following which the web application uses: usb=(self).
Tested: Yes
Via curl, confirmed headers are present.
On selected browsers, opened browser tools and confirmed browsers didn't
complain about the new headers. Browsers checked were:
- Firefox 111.0.1 (64-bit)
- Safari Version 16.4 (18615.1.26.11.23)
Did not test access to features secured by the Permissions-Policy.
Did not test if the web application features still work.
Change-Id: I65f89d2959b0b1338c20d7222229fbdc1d720834
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
|
|
string_view should always be passed by value; This commit is a sed
replace of the code to make all string_views pass by value, per general
coding guidelines[1].
[1] https://quuxplusone.github.io/blog/2021/11/09/pass-string-view-by-value/
Tested: Code compiles.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I55b342a29a0fbfce0a4ed9ea63db6014d03b134c
|
|
Most of these missing includes were found by running clang-tidy on all
files, including headers. The existing scripts just run clang-tidy on
source files, which doesn't catch most of these.
Tested: Code compiles
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Ic741fbb2cc9e5e92955fd5a1b778a482830e80e8
|
|
The HTTP Content-Security-Policy (CSP) plugin-types directive has been
removed from the specification and is not supported by most browsers.
Chrome browser suggests to specify "object-src 'none'" instead to block
plugins, so replace it with that directive.
Refer https://github.com/w3c/webappsec-csp/issues/394 for details about
this change.
Tested:
* In Chrome 99.0.4844.74, it no longer gives errors about CSP
plugin-types directive.
* Checked neiter <embed>, <object> or <applet> tags are used in eiter
phosphor-webui or webui-vue.
* Using webui-vue, KVM and SOL Console works.
Change-Id: I79d7ed1de2c4d204bf040e7b32a7b6afe354862c
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@intel.com>
|
|
These checks ensure that we're not implicitly converting ints or
pointers into bools, which makes the code easier to read.
Tested:
Ran series through redfish service validator. No changes observed.
UUID failing in Qemu both before and after.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I1ca0be980d136bd4e5474341f4fd62f2f6bbdbae
|
|
As part of rearranging include files, it was found that a couple files
don't include what they use. bmcweb_config.h.in uses size_t, which
isn't in cstdint, and a couple files use variables out of
bmcweb_config.h, which it didn't include.
Tested:
Code compiles; No functional changes.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I6d8f3617d10a30a1f0209e492841e9d3adc9c3f3
|
|
Content Security Policy Level2 directives as below,
form-action set to 'none'-No form-submissions to external websites.
frame-ancestors set to 'none' -Preventing framing attacks
(clickjacking, cross-site leaks)
plugin-types set to 'none' -Plugins are not allowed
base-uri set to 'none' -protect against classical stored,reflected,
and some of the DOM XSS attacks.
More Information
<https://cheatsheetseries.owasp.org/cheatsheets/
Content_Security_Policy_Cheat_Sheet.html>
Tested :
Checked the CSP level directives in Chrome/Firefox/Safari Browsers,
webui and webui-vue.
Change-Id: Id823958469fdbb02259fcc24c4e91789c65eec33
Signed-off-by: Basheer Ahmed Muddebihal <basheerx.muddebihal@intel.com>
|
|
Fix KVM failed to load images issue introduced by incorrect condition
updated by commit 0260d9d6b252d5fef81a51d4797e27a6893827f4.
Tested:
KVM loaded images successfully
Signed-off-by: Arun P. Mohanan <arun.p.m@linux.intel.com>
Change-Id: Ib753ed1d56ce2e0a9228ca52e36ffab298d21cff
|
|
Fixes #178
Every few months, this option breaks because of some combination of
compiler options. I'm hoping that this is a more permenant fix, and
will keep it working forever.
Functionally, this commit changes a couple things.
1. It fixes the regression that snuck into this option, by making the
req variable optional using the c++17 [[maybe_unused]] syntax.
2. It promotes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION into the
config.h file, and a constexpr variable rather than a #define. This has
the benefit that both the code paths in question will compiled
regardless of whether or not they're used, thus ensuring they stay
buildable forever. The optimization path will still delete the code
later, but we won't have so many one-off build options breaking. We
should move all the other feature driven #ifdefs to this pattern in the
future.
3. As a mechnaical change to #2, this adds a config.h.in, which delcares
the various variables as their respective constexpr types. This allows
the constants to be used in a cleaner way.
As an aside, at some point, DISABLE_XSS_PREVENTION should really move to
a non-persistent runtime option rather than a compile time option. Too
many people get hung up on having to recompile their BMC, and moving it
to runtime under admin credentials is no more a security risk.
As another aside, we should move all the other #ifdef style options to
this pattern. It seems like it would help with keeping all options
buildable, and is definitely more modern than #ifdefs for features,
especially if they don't require #include changes or linker changes.
Tested:
enabled meson option insecure-disable-xss, and verified code builds and
works again.
Change-Id: Id03faa17cffdbabaf4e5b0d46b24bb58b7f44669
Signed-off-by: Ed Tanous <edtanous@google.com>
|
|
cppcheck isn't smart enough to recognize these are c++ headers, not c
headers. Considering we're already inconsistent about our naming, it's
easier to just be consistent, and move the last few files to use .hpp
instead of .h.
Tested:
Code builds, no changes.
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Ic348d695f8527fa4a0ded53f433e1558c319db40
|
|
Middlewares, while kinda cool from an academic standpoint, make our
build times even worse than they already are. Given that we only really
use 1 real middleware today (token auth) and it needs to move into the
parser mode anyway (for security limiting buffer sizes), we might as well
use this as an opportunity to delete some code.
Some other things that happen:
1. Persistent data now moves out of the crow namespace
2. App is no longer a template
3. All request_routes implementations no longer become templates. This
should be a decent (unmeasured) win on compile times.
This commit was part of a commit previously called "various cleanups".
This separates ONLY the middleware deletion part of that.
Note, this also deletes about 400 lines of hard to understand code.
Change-Id: I4c19e25491a153a2aa2e4ef46fc797bcb5b3581a
Signed-off-by: Ed Tanous <ed@tanous.net>
|
