Merge branch 'develop' of github.com:cisagov/XFD into CRASM_1073_fstr…

…ings_to_format

backend/Dockerfile.pe

@@ -28,7 +28,7 @@ RUN ./aws/install
 # Sync the latest from cf-staging branch
 RUN git clone -b crossfeed-SQS https://github.com/cisagov/ATC-Framework.git && \
     cd ATC-Framework && \
-    git checkout 694dc68487ab24b625f157fb5d79f675c7ec1467 && \
+    git checkout 563f59e8b67ca153ab5564d697433ca0d8db451a && \
     pip install .
 
 RUN python -m spacy download en_core_web_lg

backend/src/api/app.ts

@@ -444,17 +444,17 @@ app.use(
     // API Gateway isn't able to proxy fonts properly -- so we're using a CDN instead.
     if (req.path === '/plugins/Morpheus/fonts/matomo.woff2') {
       return res.redirect(
-        'https://cdn.jsdelivr.net/gh/matomo-org/matomo@3.14.1/plugins/Morpheus/fonts/matomo.woff2'
+        'https://cdn.jsdelivr.net/gh/matomo-org/matomo@5.2.1/plugins/Morpheus/fonts/matomo.woff2'
       );
     }
     if (req.path === '/plugins/Morpheus/fonts/matomo.woff') {
       return res.redirect(
-        'https://cdn.jsdelivr.net/gh/matomo-org/matomo@3.14.1/plugins/Morpheus/fonts/matomo.woff'
+        'https://cdn.jsdelivr.net/gh/matomo-org/matomo@5.2.1/plugins/Morpheus/fonts/matomo.woff'
       );
     }
     if (req.path === '/plugins/Morpheus/fonts/matomo.ttf') {
       return res.redirect(
-        'https://cdn.jsdelivr.net/gh/matomo-org/matomo@3.14.1/plugins/Morpheus/fonts/matomo.ttf'
+        'https://cdn.jsdelivr.net/gh/matomo-org/matomo@5.2.1/plugins/Morpheus/fonts/matomo.ttf'
       );
     }
     // Only allow global admins to access all other paths.

backend/src/xfd_django/xfd_api/tasks/cveSync.py

@@ -65,7 +65,7 @@ def fetch_cve_data(page):
     """Fetch CVE data for a specific page."""
     print("Fetching CVE data for page {}".format(page))
     headers = {
-        "Authorization": os.getenv("CF_API_KEY"),
+        "X-API-KEY": os.getenv("CF_API_KEY"),
         "access_token": os.getenv("PE_API_KEY"),
         "Content-Type": "",
     }
@@ -91,7 +91,7 @@ def fetch_cve_data_task(task_id):
         task_id
     )
     headers = {
-        "Authorization": os.getenv("CF_API_KEY"),
+        "X-API-KEY": os.getenv("CF_API_KEY"),
         "access_token": os.getenv("PE_API_KEY"),
         "Content-Type": "",
     }

backend/src/xfd_django/xfd_api/tasks/vulnSync.py

@@ -75,7 +75,7 @@ def fetch_pe_vuln_task(org_acronym):
     """Fetch PE vulnerability task data."""
     print("Fetching PE vulnerability task for organization: {}".format(org_acronym))
     headers = {
-        "Authorization": os.getenv("CF_API_KEY"),
+        "X-API-KEY": os.getenv("CF_API_KEY"),
         "access_token": os.getenv("PE_API_KEY"),
         "Content-Type": "",
     }
@@ -101,7 +101,7 @@ def fetch_pe_vuln_data(scan_name, task_id):
         task_id, scan_name
     )
     headers = {
-        "Authorization": os.getenv("CF_API_KEY"),
+        "X-API-KEY": os.getenv("CF_API_KEY"),
         "access_token": os.getenv("PE_API_KEY"),
         "Content-Type": "",
     }

backend/src/xfd_django/xfd_api/views.py

@@ -129,7 +129,7 @@ async def matomo_proxy(
         "/plugins/Morpheus/fonts/matomo.ttf",
     ]:
         return RedirectResponse(
-            url="https://cdn.jsdelivr.net/gh/matomo-org/matomo@3.14.1{}".format(
+            url="https://cdn.jsdelivr.net/gh/matomo-org/matomo@5.2.1{}".format(
                 request.url.path
             )
         )
@@ -147,6 +147,7 @@ async def matomo_proxy(
 # P&E Proxy
 @api_router.api_route(
     "/pe/{path:path}",
+    methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
     dependencies=[Depends(get_current_active_user)],
     tags=["Analytics"],
 )

backend/src/xfd_django/xfd_django/asgi.py

@@ -32,60 +32,38 @@
 # Ensure apps are populated
 apps.populate(settings.INSTALLED_APPS)
 
-# Define the CSP policy
-CSP_POLICY = {
-    "default-src": ["'self'"],
-    "connect-src": [
-        "'self'",
-        os.getenv("COGNITO_URL"),
-        os.getenv("BACKEND_DOMAIN"),
-        "https://cdn.jsdelivr.net/npm/[email protected]/swagger-ui-bundle.js",
-    ],
-    "frame-src": ["'self'", "https://www.dhs.gov/ntas/"],
-    "img-src": [
-        "'self'",
-        "data:",
-        os.getenv("FRONTEND_DOMAIN"),
-        "https://www.ssa.gov",
-        "https://www.dhs.gov",
-        "https://fastapi.tiangolo.com/img/favicon.png",
-    ],
-    "object-src": ["'none'"],
-    "script-src": [
-        "'self'",
-        os.getenv("BACKEND_DOMAIN"),
-        "https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js",
-        "https://www.ssa.gov/accessibility/andi/fandi.js",
-        "https://www.ssa.gov/accessibility/andi/andi.js",
-        "https://cdn.jsdelivr.net/npm/[email protected]/swagger-ui-bundle.js",
-        "'sha256-QOOQu4W1oxGqd2nbXbxiA1Di6OHQOLQD+o+G9oWL8YY='",
-        "https://www.dhs.gov",
-    ],
-    "style-src": [
-        "'self'",
-        "'unsafe-inline'",
-        "https://cdn.jsdelivr.net/npm/[email protected]/swagger-ui.css",
-    ],
-    "frame-ancestors": ["'none'"],
-}
-
 
 def set_security_headers(response: Response):
     """Apply security headers to the HTTP response."""
-    # Set Content Security Policy
+    # Set Content Security Policy (CSP)
     csp_value = "; ".join(
         [
             "{} {}".format(key, " ".join(map(str, value)))
-            for key, value in CSP_POLICY.items()
+            for key, value in settings.SECURE_CSP_POLICY.items()
             if isinstance(value, (list, tuple))
         ]
     )
     response.headers["Content-Security-Policy"] = csp_value
-    response.headers["Strict-Transport-Security"] = "max-age=31536000"
-    response.headers["X-XSS-Protection"] = "0"
-    response.headers["X-Content-Type-Options"] = "nosniff"
-    response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
-    response.headers["Access-Control-Allow-Credentials"] = "true"
+
+    # Set Strict-Transport-Security (HSTS)
+    hsts_value = f"max-age={settings.SECURE_HSTS_SECONDS}"
+    if settings.SECURE_HSTS_PRELOAD:
+        hsts_value += "; preload"
+    if settings.SECURE_HSTS_INCLUDE_SUBDOMAINS:
+        hsts_value += "; includeSubDomains"
+    response.headers["Strict-Transport-Security"] = hsts_value
+
+    # Additional security headers
+    response.headers["X-XSS-Protection"] = (
+        "1; mode=block" if settings.SECURE_BROWSER_XSS_FILTER else "0"
+    )
+    response.headers["X-Content-Type-Options"] = (
+        "nosniff" if settings.SECURE_CONTENT_TYPE_NOSNIFF else ""
+    )
+    response.headers["Cache-Control"] = settings.SECURE_CACHE_CONTROL
+    response.headers["Access-Control-Allow-Credentials"] = (
+        "true" if settings.SECURE_ACCESS_CONTROL_ALLOW_CREDENTIALS else "false"
+    )
 
     return response
 

backend/src/xfd_django/xfd_django/settings.py

@@ -136,3 +136,47 @@
 # SameSite policy to prevent CSRF via cross-origin requests
 SESSION_COOKIE_SAMESITE = "Lax"
 CSRF_COOKIE_SAMESITE = "Lax"
+
+# SECURITY CONFIGURATION
+SECURE_HSTS_SECONDS = 31536000  # Enable HSTS for 1 year
+SECURE_HSTS_PRELOAD = True
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_BROWSER_XSS_FILTER = True
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_CACHE_CONTROL = "no-cache, no-store, must-revalidate"
+SECURE_CSP_POLICY = {
+    "default-src": ["'self'"],
+    "connect-src": [
+        "'self'",
+        os.getenv("COGNITO_URL"),
+        os.getenv("BACKEND_DOMAIN"),
+        "https://cdn.jsdelivr.net/npm/[email protected]/swagger-ui-bundle.js",
+    ],
+    "frame-src": ["'self'", "https://www.dhs.gov/ntas/"],
+    "img-src": [
+        "'self'",
+        "data:",
+        os.getenv("FRONTEND_DOMAIN"),
+        "https://www.ssa.gov",
+        "https://www.dhs.gov",
+        "https://fastapi.tiangolo.com/img/favicon.png",
+    ],
+    "object-src": ["'none'"],
+    "script-src": [
+        "'self'",
+        os.getenv("BACKEND_DOMAIN"),
+        "https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js",
+        "https://www.ssa.gov/accessibility/andi/fandi.js",
+        "https://www.ssa.gov/accessibility/andi/andi.js",
+        "https://cdn.jsdelivr.net/npm/[email protected]/swagger-ui-bundle.js",
+        "'sha256-QOOQu4W1oxGqd2nbXbxiA1Di6OHQOLQD+o+G9oWL8YY='",
+        "https://www.dhs.gov",
+    ],
+    "style-src": [
+        "'self'",
+        "'unsafe-inline'",
+        "https://cdn.jsdelivr.net/npm/[email protected]/swagger-ui.css",
+    ],
+    "frame-ancestors": ["'none'"],
+}
+SECURE_ACCESS_CONTROL_ALLOW_CREDENTIALS = True

docker-compose.yml

@@ -112,7 +112,7 @@ services:
   #     LOGGING_QUIET: 'true'
 
   matomodb:
-    image: mariadb:10.6
+    image: mariadb:11.4
     command: --max-allowed-packet=64MB
     networks:
       - backend
@@ -122,9 +122,11 @@ services:
       - MYSQL_ROOT_PASSWORD=password
     logging:
       driver: none
+    ports:
+      - 3306:3306
 
   matomo:
-    image: matomo:3.14.1
+    image: matomo:5.2.1
     user: root
     networks:
       - backend
@@ -141,6 +143,9 @@ services:
       - MATOMO_GENERAL_ASSUME_SECURE_PROTOCOL=1
     logging:
       driver: none
+    ports:
+      - "8080:80"
+
   # rabbitmq:
   #   image: 'rabbitmq:3.8-management'
   #   ports:

docs/package.json

@@ -2,6 +2,8 @@
   "dependencies": {
     "@reach/router": "^1.3.4",
     "clipboardy": "^3.0.0",
+    "cross-spawn": "^7.0.6",
+    "nanoid": "^5.0.9",
     "resolve-url-loader": "^5.0.0",
     "swagger-jsdoc": "^5.0.1"
   },

frontend/public/index.html

@@ -7,6 +7,25 @@
     <meta name="viewport" content="width=device-width, initial-scale=1" />
     <link rel="manifest" href="%PUBLIC_URL%/manifest.json" />
     <title>CyHy Dashboard</title>
+    <!-- Matomo -->
+    <script type="text/javascript">
+      var _paq = (window._paq = window._paq || []);
+      _paq.push(['trackPageView']);
+      _paq.push(['enableLinkTracking']);
+      (function () {
+        var u = '//localhost:8080/';
+        _paq.push(['setTrackerUrl', u + 'matomo.php']);
+        _paq.push(['setSiteId', '1']);
+        var d = document,
+          g = d.createElement('script'),
+          s = d.getElementsByTagName('script')[0];
+        g.type = 'text/javascript';
+        g.async = true;
+        g.src = u + 'matomo.js';
+        s.parentNode.insertBefore(g, s);
+      })();
+    </script>
+    <!-- End Matomo Code -->
   </head>
   <body>
     <div id="root"></div>

frontend/src/pages/Search/FilterTags.tsx

@@ -160,25 +160,30 @@ export const FilterTags: React.FC<Props> = ({ filters, removeFilter }) => {
 
   return (
     <Root aria-live="polite" aria-atomic="true">
-      {filtersByColumn.map((filter, idx) => (
+      {filtersByColumn.length === 0 ? (
         <Chip
-          key={idx}
-          disabled={disabledFilters?.includes(filter.label)}
-          color={'primary'}
+          color="primary"
           classes={{ root: classes.chip }}
-          label={`${filter.label}: ${filter.value}`}
-          onDelete={() => {
-            if (filter.onClear) {
-              console.log('custom clear');
-              filter.onClear();
-              return;
-            }
-            filter.values.forEach((val) => {
-              removeFilter(filter.field, val, filter.type);
-            });
-          }}
+          label="No Filter(s) Applied"
         />
-      ))}
+      ) : (
+        filtersByColumn.map((filter, idx) => (
+          <Chip
+            key={idx}
+            disabled={disabledFilters?.includes(filter.label)}
+            color="primary"
+            classes={{ root: classes.chip }}
+            label={`${filter.label}: ${filter.value}`}
+            onDelete={() => {
+              filter.onClear
+                ? filter.onClear()
+                : filter.values.forEach((val) =>
+                    removeFilter(filter.field, val, filter.type)
+                  );
+            }}
+          />
+        ))
+      )}
     </Root>
   );
 };