This addresses an SSTI vulnerability in Flask's `render_template_string`
function, which we were using for rendering flash messages. The
implementation I'd built was too complicated, so I removed its reliance
on Jinja template rendering. Instead, all parts of the flash message
should be keys in the translations file. The `flash` wrapper in
`atst.utils.flash` is just a thin wrapper over our `translate` function.
The `translate` function relies on Python string formatting, which does
not evaluate expressions and so isn't vulnerable to SSTI.
- Update the form to use BooleanFields for the permissions and make the
form more similar to the Application Members form
- Use MemberFormTemplate macro in the portfolio settings template
- fix tests affected by the form changes
To satisfy security requirements, we need to explicitly track:
- when a user attempts to log in, successful or not
- when a user logs out
- whether or not the user associated with a request is logged in
The first two are satisfied by extra log statements and the last is a
new boolean field on the JSON logs.
This is leftover from a previous iteration of ATAT where inviting a user
to a portfolio would create a pending entry in the users table. This is
no longer used.
uWGI was generating warnings about being unable to find plugin files we
specify. To fix this, I've added uwsgi-python3 to the list of Alpine
packages we install in the container specified the plugins directory in
the uWSGI config. The updated uWSGI ConfigMap has been applied to the
staging cluster, which eliminated the warning about the logfile plugin.
The remaining warning about the python3 plugin will be eliminated once
the new container built by this branch is deployed.
I left the domains hard-coded for the redirects in our NGINX config,
which was breaking authentication for versions of the site that don't
use that domain. This updates the config to use the domains supplied via
environment variable.
This got lost somewhere along the way (almost certainly by me), so this
commit tries to make it explicit. The app needs to be able to configure
the session cookie domain name so that it is valid for both the main
site domain and the authentication subdomain. For instance, if the site
is runnning at uat.atat.code.mil and authentication happens at
auth-uat.atat.code.mil, SESSION_COOKIE_DOMAIN should be set to
atat.code.mil so that it's valid for both.
This adds the setting to the base INI file and a default for our K8s
clusters.
