Skip to content

Fix/clickjacking vulnerability #319

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
atharv02-git wants to merge 163 commits into from
Closed

Fix/clickjacking vulnerability #319

atharv02-git wants to merge 163 commits into from

Conversation

@atharv02-git
Copy link

@atharv02-git atharv02-git commented Apr 28, 2025

Base Repository: 8.0.x

Description

This PR ensures that the internal nginx.conf inside doubtfire-web does not override the security headers (e.g., X-Frame-Options, Content-Security-Policy) that are now being enforced via the outer proxy-nginx.conf file in the doubtfire-deploy repository.

Note

Kindly go through the attached documentation first inorder to understand what this fix is about in detail and how it can be tested.

What was changed:

  • Commented out redundant security headers from doubtfire-web/nginx.conf to prevent conflict or override with headers applied at the reverse proxy layer (proxy-nginx.conf).
  • This avoids duplication and ensures centralized management of security headers at the proxy level for consistency across services.

Fixes # (Header override issues caused by multiple NGINX layers)

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • This change requires a documentation update

How Has This Been Tested?

  • Validated that headers set in proxy-nginx.conf (doubtfire-deploy) reflect in browser response
  • Confirmed no duplication or override from doubtfire-web/nginx.conf
  • Ensured static files are still served correctly via inner NGINX
  • Yet to test Clickjacking Prevention in a Malicious <Iframe> Setup as listed in the report.

Testing Checklist:

  • Tested in latest Chrome
  • Needs to be tested inside a dedicated environment like kali linux inside a virtual box.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have requested a review from @ibi420

Bahnschrift and others added 30 commits May 31, 2024 12:56
@Bahnschrift
fix: marking shortcuts no longer conflict with common browser shortcuts
ec7524a
@macite
fix: ensure download blob supports 206 responses
6445f9f
@macite
chore(release): 7.0.24
c241f0e
@maddernd @satikaj
feat: add new Numbas Feature
8eba913 
Added new Numbas Service to the frontend as part of Integration

Changed by: Daniel Maddern
@maddernd @satikaj
feat: add new Numbas Feature
6f1ac4e 
adjusted lint on edit-profile-component.spec.ts

Changed by: Daniel Maddern
@maddernd @satikaj
feat: numbas-test-numbas-service
cee13b7 
Added numbas service and numbas service test

daniel
@maddernd @satikaj
test: add numbas service test file
8d3e3fd 
added a spec test file for numbas service

daniel
@maddernd @satikaj
feat: added numbas-lms service code
471d344 
added the lms service code and functionality

Added by Daniel
@maddernd @satikaj
test: added numbas-lms spec test
5d9d2c1 
added the spec test basic version for numbas-lms service

Added by Daniel
@maddernd @satikaj
fix: adjusted edit profile accidental change
316abc7 
removed the addtional comma added into this component

daniel
@satikaj
feat: add Numbas test upload section and reorder editor sections
edbd536
@satikaj
feat: add Numbas upload component and related functions to task-defin…
4ecaee8 
…ition model
@satikaj
feat: insert Numbas test rules options in the task editor
7e52ad5
@TinyServal @satikaj
feat: implement numbas test data upload in task definition service
2c7dab5 
renamed api endpoint to reduce confusion between components
@satikaj
feat: add Numbas config options to task def service keys
ff28e48
@satikaj
fix: show delete and download buttons in editor when Numbas test exists
821feb9
@satikaj
refactor: remove redundant Numbas upload method
077c462
@satikaj
fix: hide config options if numbas test is disabled
0b15b1c
@satikaj
refactor: replace Numbas config checkboxes with input fields
6e96584
@satikaj
feat: add numbas component
7c1734b
@satikaj
feat: add Numbas test section on ready for feedback
e61295c
@satikaj
fix: show previously configured Numbas attempt limit
56e1a5d
@satikaj
feat: change Numbas time delay config to enable incremental delays
0afa719
@satikaj
feat: show launch button on ready for feedback if Numbas test is enab…
17af5b7 
…led for the task
@satikaj
feat: add Numbas test attempt model
097df79
@satikaj
fix: integrate Numbas services well with the existing system
d47b8ed
@satikaj
fix: show Numbas button component and modify iframe request
c9c2fbe
@satikaj
fix: show Numbas iframe on top of other elements
f53befd
@TinyServal @satikaj
fix: update numbas api path
3df59dc
@satikaj
fix: show correct Numbas test from the task def with all assets loaded
bee0a0b
macite added 29 commits September 5, 2024 15:34
@macite
feat: add support for the view language
b4b3654
@macite
chore(release): 8.0.28
3f1a752
@macite
fix: correct task scroll into view
7984b39
@macite
Merge branch '8.0.x' into new/scorm
d16d831
@macite
Merge pull request doubtfire-lms#877 from doubtfire-lms/new/scorm
95e24f9 
New/scorm
@macite
chore(release): 8.0.29
a5316c4
@macite
feat: switch to html5 mode
9d017fb
@macite
feat: add ability to collect d2l org and grade object ids
93fd614
@macite
fix: ensure standard error propagate to the ui
fd056db
@macite
chore: add ability for unit to detect changes
fa88355
@macite
feat: add ability to trigger d2l grade transfer
fd0cc07
@macite
fix: report better errors during file downloads
cf87d68
@macite
chore: allow development via external tunnel without port
5664910
@macite
feat: d2l integration checks settings
0a61df5 
- checks with weighted grading
- provides a link to open D2L unit edit for weight
@macite
feat: check if d2l results available
2460c88
@macite
feat: add success page for oauth callback
921406e
@macite
Merge pull request doubtfire-lms#909 from macite/new/d2lintegration
d782e4e 
New/d2lintegration - Introduce D2L integration for grade transfer
@macite
chore: update run all and remove watch for angularjs changes
9732921
@macite
chore(release): 8.0.30
dac5ea8
@macite
fix: ensure test attempt work for staff students
06bfa71 
Where the staff member is the student.
Also ensures the current user is in the cache when they login from cookie.
@macite
fix: serve index.html for unknown paths
d07ad26 
This should ensure that the new html5 urls work correctly.
@macite
chore(release): 8.0.31
12c675f
@macite
fix: correct issue fetching user from cookie
0d63775
@macite
chore(release): 8.0.32
1935310
@macite
fix: nginx conf redirect for spa
95c0ca9 
- Add directory to direct to index.html
- Add root index.html otherwise
@macite
chore(release): 8.0.33
bb861d2
@macite
chore: update entity service
226bdea 
Fixes issues with task definitions not getting their id
when created. Which caused upload of
task sheets to fail until reloaded.
@macite
fix: enhance rollover messages
48348c8 
Make sure roll over in a unit indicates it
copies to a new teaching period or custom
dates.
@macite
chore(release): 8.0.34
2d083a5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@atharv02-git @Bahnschrift @macite @maddernd @satikaj @TinyServal @jakerenzella