CCM-4566: address zap alerts

Author: Ian-Hodges

.gitignore

@@ -35,3 +35,4 @@ tmp/
 tests/locust/*.html
 postman/Integration.test.postman_environment.json
 sandbox/test-results.xml
+.vscode/*

azure/nightly-zap-scan-pipeline.yml

@@ -35,18 +35,14 @@ steps:
     parameters:
       secret_file_ids:
       - ptl/api-deployment/communications-manager/INTEGRATION_PRIVATE_KEY
-      - ptl/azure-devops/communications-manager/PRODUCTION_PRIVATE_KEY
       secret_ids:
       - ptl/api-deployment/communications-manager/INTEGRATION_API_KEY
-      - ptl/azure-devops/communications-manager/PRODUCTION_API_KEY
   - template: ./templates/teams-alert-setup.yml
     parameters:
       webhook_uri: 'ALERTS_DEV_API_WEBHOOK_URI'
   - bash: |
       export INTEGRATION_PRIVATE_KEY="$(Pipeline.Workspace)/secrets/$(INTEGRATION_PRIVATE_KEY)"
       export INTEGRATION_API_KEY="$(INTEGRATION_API_KEY)"
-      export PRODUCTION_PRIVATE_KEY="$(Pipeline.Workspace)/secrets/$(PRODUCTION_PRIVATE_KEY)"
-      export PRODUCTION_API_KEY="$(PRODUCTION_API_KEY)"
       make install-python && make zap-security-scan    
     displayName: Run OWASP zap scan
   - task: PublishTestResults@2

docs/proxies.md

@@ -277,8 +277,7 @@ Source: [proxies/shared/partials/Partial.Target.PreFlowRequest.xml](https://gith
 
 ```mermaid
 flowchart
-    S[Start] --> SRD["<a href='https://github.com/NHSDigital/communications-manager-api/blob/release/docs/proxies.md#set-response-defaults'>Set response defaults</a>"]
-    SRD --> SBCI["Set the backend request correlation id
+    S[Start] --> SBCI["Set the backend request correlation id
 
     <em><a href='https://github.com/NHSDigital/communications-manager-api/blob/release/proxies/shared/policies/JavaScript.SetBackendCorrelationId.xml'>JavaScript.SetBackendCorrelationId</a></em>"]
     SBCI --> ADRP["Sets a default request path
@@ -348,20 +347,6 @@ flowchart
     405 --> E
 ```
 
-### Target PreFlow Response
-
-This defines the actions carried out on all outgoing responses from the communications manager target.
-
-Source: [proxies/shared/partials/Partial.Target.PreFlowResponse.xml](https://github.com/NHSDigital/communications-manager-api/blob/release/proxies/shared/partials/Partial.Target.PreFlowResponse.xml)
-
-```mermaid
-flowchart LR
-    S[Start] --> AD["Add CORS headers
-
-    <em><a href='https://github.com/NHSDigital/communications-manager-api/blob/release/proxies/shared/policies/AssignMessage.AddCors.xml'>AssignMessage.AddCors</a></em>"]
-    AD --> E[End]
-```
-
 ### Create Message Batch
 
 This flow manages the validating of incoming create message batches requests, plus mapping the incoming request and outgoing response so they match the schemas set out in the specification.

proxies/live/apiproxy/targets/target.xml

@@ -3,9 +3,6 @@
         <Request>
             [% include './partials/Partial.Target.PreFlowRequest.xml' %]
         </Request>
-        <Response>
-            [% include './partials/Partial.Target.PreFlowResponse.xml' %]
-        </Response>
     </PreFlow>
     <Flows>
         [% include './partials/Partial.Flows.CreateMessageBatchEndpoint.xml' %]

proxies/sandbox/apiproxy/targets/sandbox.xml

@@ -3,9 +3,6 @@
         <Request>
             [% include './partials/Partial.Target.PreFlowRequest.xml' %]
         </Request>
-        <Response>
-            [% include './partials/Partial.Target.PreFlowResponse.xml' %]
-        </Response>
     </PreFlow>
     <Flows>
         [% include './partials/Partial.Flows.CreateMessageBatchEndpoint.xml' %]

proxies/shared/partials/Partial.Target.PreFlowRequest.xml

@@ -1,4 +1,3 @@
-[% include './partials/Partial.Component.SetResponseDefaults.xml' %]
 <Step>
     <Name>JavaScript.SetBackendCorrelationId</Name>
 </Step>

proxies/shared/partials/Partial.Target.PreFlowResponse.xml

@@ -34,7 +34,8 @@ def scan_and_remove(obj, mappings):
             specification,
             (
                 ("format", "date"),
-                ("personalisation", None)
+                ("personalisation", None),
+                ("/callbacks", None)
             )
         ),
         f

scripts/publish_zap_compatible.py

@@ -17,16 +17,13 @@ mv .python-version.ignore .python-version
 
 # open the contents in INTEGRATION_PRIVATE_KEY and put it into INTEGRATION_PRIVATE_KEY_CONTENTS
 export INTEGRATION_PRIVATE_KEY_CONTENTS=$(cat $INTEGRATION_PRIVATE_KEY)
-export PRODUCTION_PRIVATE_KEY_CONTENTS=$(cat $PRODUCTION_PRIVATE_KEY)
 
 docker build -t zap -f ./zap/Dockerfile .
 
 # run zap in a container
 docker container run \
     --env INTEGRATION_PRIVATE_KEY_CONTENTS="$INTEGRATION_PRIVATE_KEY_CONTENTS" \
     --env INTEGRATION_API_KEY="$INTEGRATION_API_KEY" \
-    --env PRODUCTION_PRIVATE_KEY_CONTENTS="$PRODUCTION_PRIVATE_KEY_CONTENTS" \
-    --env PRODUCTION_API_KEY="$PRODUCTION_API_KEY" \
     -v $(pwd):/zap/wrk/:rw \
     -v $TEMP_DIR:/zap/tmp/:rw \
     -v $(pwd)/zap/comms-manager-json/:/home/zap/.ZAP/reports/comms-manager-json/:rw \

scripts/run_zap.sh

@@ -10,41 +10,20 @@ env:
       urls:
         - https://int.api.service.nhs.uk/comms # the actual url used for the scan is defined in the openapi job below
       authentication:
-        method: 'script'
+        method: script
         parameters:
           url: https://int.api.service.nhs.uk/oauth2/token
-          script: 'scripts/authentication/get_bearer_token.js'
-          scriptEngine: 'Graal.js'
+          script: scripts/authentication/get_bearer_token.js
+          scriptEngine: Graal.js
         verification:
-          method: 'response'
-          loggedOutRegex: '401 Unauthorized'
+          method: response
+          loggedOutRegex: 401 Unauthorized
       users:
         - name: Integration
           credentials:
             kid: local
-            api_key: "${INTEGRATION_API_KEY}"
-            private_key: "${INTEGRATION_PRIVATE_KEY_CONTENTS}"
-    - name: ProdUnauthenticated
-      urls:
-        - https://api.service.nhs.uk/comms # the actual url used for the scan is defined in the openapi job below
-    - name: ProdAuthenticated
-      urls:
-        - https://api.service.nhs.uk/comms # the actual url used for the scan is defined in the openapi job below
-      authentication:
-        method: 'script'
-        parameters:
-          url: https://api.service.nhs.uk/oauth2/token
-          script: 'scripts/authentication/get_bearer_token.js'
-          scriptEngine: 'Graal.js'
-        verification:
-          method: 'response'
-          loggedOutRegex: '401 Unauthorized'
-      users:
-        - name: Prod
-          credentials:
-            kid: prod-1
-            api_key: "${PRODUCTION_API_KEY}"
-            private_key: "${PRODUCTION_PRIVATE_KEY_CONTENTS}"
+            api_key: ${INTEGRATION_API_KEY}
+            private_key: ${INTEGRATION_PRIVATE_KEY_CONTENTS}
   parameters:
     failOnError: true
     failOnWarning: true
@@ -54,46 +33,83 @@ jobs:
   # load our authentication and httpsender script
   - type: script
     parameters:
-      action: 'add'
-      type: 'httpsender'
-      engine: 'Graal.js'
-      name: 'add_bearer_token'
-      file: 'scripts/httpsender/add_bearer_token.js'
+      action: add
+      type: httpsender
+      engine: Graal.js
+      name: add_bearer_token
+      file: scripts/httpsender/add_bearer_token.js
   - type: script
     parameters:
-      action: 'add'
-      type: 'authentication'
-      engine: 'Graal.js'
-      name: 'get_bearer_token'
-      file: 'scripts/authentication/get_bearer_token.js'
+      action: add
+      type: authentication
+      engine: Graal.js
+      name: get_bearer_token
+      file: scripts/authentication/get_bearer_token.js
+
+  # configure the passive scan
+  - type: passiveScan-config
+    parameters:
+      maxAlertsPerRule: 10
+      scanOnlyInScope: true
+    rules:
+      - id: 10049
+        name: Non-Storable Content
+        threshold: Off
+        # We do not want responses cached.
+        # See https://github.com/NHSDigital/communications-manager-api/pull/548 for more information.
+
+      - id: 90005
+        name: Sec-Fetch-Site Header is Missing
+        threshold: Off
+        # Sec-Fetch-* headers are only for requests.
+        # See https://github.com/NHSDigital/communications-manager-api/pull/548 for more information.
+
+      - id: 10094
+        name: Base64 Disclosure
+        threshold: Off
+        # The KSUIDs are sometimes detected as base64 strings.
+        # See https://github.com/NHSDigital/communications-manager-api/pull/548 for more information.
+
+      - id: 110009
+        name: Full Path Disclosure
+        threshold: Off
+        # Error responses include a link to the NHS developer catalogue.
+        # ZAP is picking up 'developer' in the link.
+        # See https://github.com/NHSDigital/communications-manager-api/pull/548 for more information.
+
+      - id: 90004
+        name: Insufficient Site Isolation Against Spectre Vulnerability
+        threshold: Off
+        # CORS headers (including Cross-Origin-Resource-Policy) are only added to the response when the request has an origin specified.
+        # See https://github.com/NHSDigital/communications-manager-api/pull/548 for more information.
+
+      - id: 10062
+        name: PII Disclosure
+        threshold: Off
+        # Error responses include the apigee message id in the body.
+        # Sometimes it can be detected as a Maestro credit card number.
+        # This rule only checks for credit card details, no other PII.
+        # See https://github.com/NHSDigital/communications-manager-api/pull/548 for more information.
 
   # load the zap specific openapi specification
   - type: openapi
     parameters:
-      apiFile: '/zap/wrk/build/communications-manager-zap.json'
+      apiFile: /zap/wrk/build/communications-manager-zap.json
       targetUrl: https://sandbox.api.service.nhs.uk/comms
       context: Sandbox
   - type: openapi
     parameters:
-      apiFile: '/zap/wrk/build/communications-manager-zap.json'
+      apiFile: /zap/wrk/build/communications-manager-zap.json
       targetUrl: https://int.api.service.nhs.uk/comms
       context: IntegrationUnauthenticated
   - type: openapi
     parameters:
-      apiFile: '/zap/wrk/build/communications-manager-zap.json'
+      apiFile: /zap/wrk/build/communications-manager-zap.json
       targetUrl: https://int.api.service.nhs.uk/comms
       context: IntegrationAuthenticated
-  - type: openapi
-    parameters:
-      apiFile: '/zap/wrk/build/communications-manager-zap.json'
-      targetUrl: https://api.service.nhs.uk/comms
-      context: ProdUnauthenticated
-  - type: openapi
-    parameters:
-      apiFile: '/zap/wrk/build/communications-manager-zap.json'
-      targetUrl: https://api.service.nhs.uk/comms
-      context: ProdAuthenticated
 
+  # let the passive scan do it's stuff
+  - type: passiveScan-wait
 
   # run an active scan on sandbox
   - type: activeScan
@@ -123,31 +139,12 @@ jobs:
       delayInMs: 500
       threadPerHost: 1
 
-   # run an active scan on prod, using unauthenticated calls
-  - type: activeScan
-    parameters:
-      policy: API
-      context: ProdUnauthenticated
-      scanHeadersAllRequests: true
-      delayInMs: 500
-      threadPerHost: 1
-
-  # run an active scan on prod, using authenticated calls
-  - type: activeScan
-    parameters:
-      policy: API
-      context: ProdAuthenticated
-      user: Prod
-      scanHeadersAllRequests: true
-      delayInMs: 500
-      threadPerHost: 1
-
   # generate our custom JSON report
   - type: report
     parameters:
-      template: 'comms-manager-json'
-      reportDir: '/zap/tmp'
-      reportFile: 'zap-report.json'
+      template: comms-manager-json
+      reportDir: /zap/tmp
+      reportFile: zap-report.json
     risks:
       - high
       - medium
@@ -157,4 +154,4 @@ jobs:
       - high
       - medium
       - low
-      - falsepositive
+      - falsepositive