admin-route-access-controls #47

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

MillicentAmolo wants to merge 58 commits into thoth-tech:dev from MillicentAmolo:main

README.md

-Original file line number
+Diff line change
@@ -1,3 +1,6 @@
+    # Current deployment
+    https://ontrackdocumentation.netlify.app/
     # Contributing to Doubtfire Astro Repository
     This guide provides high-level details on how to contribute to the Doubtfire repositories. This repository reflects the code for Ontrack documentation website.
@@ Expand Down @@

...cts/clickjacking/addressing-broken-access-control-clickjacking-vulnerability.md

-Original file line number
+Diff line change
@@ -0,0 +1,74 @@
+    # Addressing Broken Access Control (Clickjacking) Vulnerability (Documentation)
+    ## Summary
+    This PR provides documentation for remediating the `A01 Broken Access Control` vulnerability, specifically addressing the missing `X-Frame-Options` header. This vulnerability exposes the OnTrack application to clickjacking attacks, which could lead to unauthorized actions and data leakage.
+    ---
+    ## Vulnerability Details
+    ### Description
+    Clickjacking, also known as a User Interface redress attack, occurs when a malicious website tricks users into clicking on hidden elements of another site. The absence of the `X-Frame-Options` header allows the OnTrack application to be embedded in an iframe, making it vulnerable to clickjacking.
+    ### Impact
+    - **Confidentiality**: None
+    - **Integrity**: Partial (e.g., unauthorised actions may be performed by users).
+    - **Availability**: None.
+    ### Affected Paths
+    The following paths lack the secure `X-Frame-Options` header:
+    - `http://localhost:4200/`
+    - `http://localhost:4200/assets/icons/`
+    - `http://localhost:4200/sitemap.xml`
+    - `http://localhost:4200/clientaccesspolicy.xml`
+    - `http://localhost:4200/assets/fonts/`
+    - Other static assets under `http://localhost:4200/assets/...`.
+    ---
+    ## Remediation Plan
+    ### Overview
+    The remediation involves:
+. Adding the `X-Frame-Options` header to HTTP responses.
+. Setting the header value to `DENY` to block the application from being embedded in any iframe.
+    ### Implementation
+    - **File**: `doubtfire-web/nginx.conf`
+    - **Changes**:
+      Add the following line to the `server` block:
+      ```nginx
+      add_header X-Frame-Options "DENY" always;
+      ```
+    ---
+    ## Testing Plan
+    ### Functional Testing
+. Verify that the `X-Frame-Options` header is present in all HTTP responses using the following command:
+       ```bash
+       curl -I http://localhost:4200/
+       ```
+       **Expected Output**:
+       ```plaintext
+       HTTP/1.1 200 OK
+       X-Frame-Options: DENY
+       ```
+. Ensure that the application continues to function normally after the changes.
+    ### Security Testing
+. Create a test HTML page that attempts to embed the application in an iframe:
+       ```html
+       <iframe src="http://localhost:4200/" width="600" height="400"></iframe>
+       ```
+. Open the test page in a browser and confirm the iframe is blocked.
+    ### Regression Testing
+. Validate that adding the `X-Frame-Options` header does not affect existing functionality, such as asset loading and API responses.
+    ---
+    ## References
+    - [OWASP: Clickjacking](https://owasp.org/www-community/attacks/Clickjacking)
+    - [Mozilla Developer Network: X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)

artefacts/clickjacking/doubt-web-nginx-config.md

-Original file line number
+Diff line change
@@ -0,0 +1,56 @@
+    worker_processes 1;
+    events { }
+    http {
+        include /etc/nginx/mime.types;
+        sendfile on;
+        # Server block for port 80
+        server {
+            root /usr/share/nginx/html/;
+            index index.html;
+            listen 80;
+            add_header Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval' blob: data:" always;
+            add_header Feature-Policy "microphone 'self';speaker 'self';fullscreen 'self';payment none;" always;
+            add_header Permissions-Policy "microphone=(self), fullscreen=(self), payment=()" always;
+            # X-Frame-Options header for clickjacking protection
+            add_header X-Frame-Options "DENY" always;
+        }
+        # Server block for port 4200
+        server {
+            root /usr/share/nginx/html/;
+            index index.html;
+            listen 4200;
+            add_header Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval' blob: data:" always;
+            add_header Feature-Policy "microphone 'self';speaker 'self';fullscreen 'self';payment none;" always;
+            add_header Permissions-Policy "microphone=(self), fullscreen=(self), payment=()" always;
+            # X-Frame-Options header for clickjacking protection
+            add_header X-Frame-Options "DENY" always;
+        }
+        # Server block for port 443
+        server {
+            root /usr/share/nginx/html/;
+            index index.html;
+            listen 443;
+            add_header Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval' blob: data:" always;
+            add_header Feature-Policy "microphone 'self';speaker 'self';fullscreen 'self';payment none;" always;
+            add_header Permissions-Policy "microphone=(self), fullscreen=(self), payment=()" always;
+            # X-Frame-Options header for clickjacking protection
+            add_header X-Frame-Options "DENY" always;
+        }
+        gzip on;
+        gzip_types text/css application/javascript;
+        gzip_proxied any;
+        gzip_buffers 32 8k;
+    }

astro.config.mjs

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -26,6 +26,10 @@ export default defineConfig({
  
                directory: '/setup',

              },

              items: [

                {

                  label: 'Frontend Documentation',

                  link: '/frontend/page',

                },

                {

                  label: 'OnTrack Intial Setup Guidance',

                  link: '/setup/set',

    @@ -39,10 +43,17 @@ export default defineConfig({
  
                directory: '/frontend',

              },

              items: [

                {

                  label: 'Frontend Documentation',

                  link: '/frontend/page',

                  label: 'Frontend Tutor-Times Design',

                  link: '/frontend/tutor-times/tutor-times-design',

                },

                {

                  label:'Frontend Tutor-Times Requirements',

                  link: '/frontend/tutor-times/tutor-times-requirements',

                }

              ],

            },

    @@ -59,7 +70,7 @@ export default defineConfig({
  
                {

                  label: 'activity types',

                  link: '/backend/api/activity_types',

                },     

                },

                {

                  label: 'admin',

                  link: '/backend/api/admin',

    @@ -168,6 +179,22 @@ export default defineConfig({
  
                  label: 'stats',

                  link: '/backend/api/stats',

                },

                {

                  label: 'Tutor Times',

                  autogenerate: {

                    directory: '/tutor_times',

                  },

                  items: [

                    {

                      label: 'Requirements Document',

                      link: '/backend/tutor_times/requirements_document',

                    },

                    {

                      label: 'Design Document',

                      link: '/backend/tutor_times/design_document',

                    },

                  ],

                },

              ],

            },

            {

    @@ -207,9 +234,15 @@ export default defineConfig({
  
                {

                  label: 'Backend APIs',

                  link: '/courseflow/backend',

                }

                },

              ],

            },

            {

              label: 'Security',

              autogenerate: {

                directory: '/security',

              },

            },

          ],

        }),

      ],

docs/ontrack-dev-environment-setup.md

-Original file line number
+Diff line change
@@ -0,0 +1,121 @@
+    # OnTrack Development Environment Setup Guide
+    Use this guide to correctly clone, configure, and set up the development environment for OnTrack using your GitHub fork and the correct remotes. Copy the commands and change `<your-username>` to your actual GitHub username.
+    ## Tutorial Video
+    You can watch the full step-by-step setup tutorial here:
+    [Click to open the video in SharePoint](https://deakin365.sharepoint.com/:v:/s/ThothTech2/EYtXd8ztAdpKgI5Ki8jF7lMBC4ixVvhTzqqlDX3kmvBn4A?e=wK4v8n)
+    ## Understanding the Repository Structure
+    Before starting, it's important to understand the different repository organizations:
+    - **doubtfirelms** - The "upstream" organization that maintains the live versions of OnTrack used by several universities
+    - **thoth-tech** - Used internally at Deakin for the capstone unit (this is where you'll contribute)
+    - **Your fork** - Your personal copy where you'll push your changes
+    ## Branch Strategy
+    **Critical:** All repositories (`doubtfire-deploy`, `doubtfire-web`, and `doubtfire-api`) must be on the **same branch** to ensure compatibility:
+    - If working on **9.x** → all repos should be on `9.x`
+    **For the next few semesters, we have agreed to use branch 9.x for all development work.**
+    This is essential because different branches use different Docker builds with specific Node.js and Ruby versions that are only compatible within the same branch family.
+    > **Avoid the `development` branch entirely** - it is outdated and unsupported. Switch to the appropriate version branch (e.g., `9.x`) immediately.
+    ## Step 1: Create or Navigate to the Dev Directory
+    - Create the directory if it doesn't exist:
+      ```bash
+      mkdir ~/dev
+      ```
+    - Navigate to it:
+      ```bash
+      cd ~/dev
+      ```
+    ## Step 2: Clone the `doubtfire-deploy` Repository with Submodules
+    Replace `<your-username>` with your GitHub username:
+    ```bash
+    git clone --recurse-submodules https://github.com/<your-username>/doubtfire-deploy.git
+    cd doubtfire-deploy
+    ```
+    ## Step 3: Set Up Remotes for `doubtfire-deploy`
+    ```bash
+    git remote set-url origin https://github.com/<your-username>/doubtfire-deploy.git
+    git remote add upstream https://github.com/thoth-tech/doubtfire-deploy.git
+    git fetch upstream
+    git checkout 9.x
+    ```
+    ## Remote Configuration Explained
+    - **origin** → Points to your personal fork (where you push your changes)
+    - **upstream** → Points to thoth-tech repository (where you pull updates from)
+    - **doubtfirelms** → Can only be added later if needed for advanced merging (points to the live upstream repository)
+    ## Step 4: Configure `doubtfire-web`
+    ```bash
+    cd doubtfire-web
+    git remote set-url origin https://github.com/<your-username>/doubtfire-web.git
+    git remote add upstream https://github.com/thoth-tech/doubtfire-web.git
+    git fetch upstream
+    git checkout 9.x
+    ```
+    ## Step 5: Configure `doubtfire-api`
+    ```bash
+    cd ..
+    cd doubtfire-api
+    git remote set-url origin https://github.com/<your-username>/doubtfire-api.git
+    git remote add upstream https://github.com/thoth-tech/doubtfire-api.git
+    git fetch upstream
+    git checkout 9.x
+    ```
+    ## Critical Notes and Best Practices
+    ### Remote Configuration
+    - **origin** should point to your fork — this is where you push your code
+    - **upstream** should point to the thoth-tech repo — pull updates from here
+    - **doubtfirelms** can be added later for advanced merging scenarios
+    ### Branch Management
+    - **Never use the `development` branch** — it is outdated and unsupported
+    - **Always use matching branches** across all three repositories (deploy, web, api)
+    - **Stick to version branches** like `9.x`, `8.0.x`, or `10.0.x`
+    ### Before Opening Pull Requests
+    - **Verify your last commit** before opening a pull request:
+      ```bash
+      git log
+      ```
+    - **Compare your commit** with the one shown on `github.com/thoth-tech/doubtfire-xxx` for that repository
+    - **Avoid extra commits** from doubtfirelms repo that make PRs hard to review
+    ### Repository Understanding
+    - **doubtfirelms** = Live upstream used by universities
+    - **thoth-tech** = Internal Deakin capstone development
+    - **Your fork** = Your personal development space
+    > **Pro Tip:** If you've accidentally fetched branches from doubtfirelms, your PRs may contain extra commits. Always verify your latest commit matches the thoth-tech repository before submitting.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

admin-route-access-controls #47

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

admin-route-access-controls #47

Are you sure you want to change the base?

Uh oh!

admin-route-access-controls #47

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!