Bug 2160664

Summary: Some pcs webui responses are missing proper CSP headers
Product: Red Hat Enterprise Linux 9
Reporter: Tomas Jelinek <tojeline>
Component: pcs
Assignee: Tomas Jelinek <tojeline>
Status: CLOSED ERRATA
QA Contact: cluster-qe <cluster-qe>
Severity: low
Priority: low
Version: 9.2
CC: cluster-maint, idevat, mlisik, mmazoure, mpospisi, nhostako, omular, slevine, tojeline, tsorense
Target Milestone: rc
Keywords: Triaged
Target Release: 9.3
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pcs-0.11.5-1.el9
Doc Type: Enhancement
Doc Text:
Feature: Instruct web browsers to only load resources directly from pcs web UI and no other sources even when an error page is sent to a browser.
Reason: This helps guard against cross-site scripting attacks.
Result: HTTP header "Content-Security-Policy: frame-ancestors 'self'; default-src 'self'" is sent by pcsd in error HTTP responses instructing web browsers to only load and run resources from pcs web UI and no external sources.
Story Points: ---
Clone Of: 2160555
Last Closed: 2023-11-07 08:23:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2160555

Description Tomas Jelinek 2023-01-13 08:54:24 UTC
+++ This bug was initially created as a clone of Bug #2160555 +++

Description of problem:
Response with status code 401 is not showing the right content type; technically it would require CSP with a text/html response, but it would not with JSON

Response with status code 404 is showing HTML response with no CSP

Version-Release number of selected component (if applicable):
pcs-0.10.14-5.el8

How reproducible:
Always

Steps to Reproduce:
1. Disable pcs WebUI
2. Access WebUI and receive either a 401 or 404 error page
3. Check headers

Actual results:
Headers lack CSP

Expected results:
CSP to be included even with error pages

Comment 2 Tomas Jelinek 2023-02-22 15:23:57 UTC
Upstream patch: https://github.com/ClusterLabs/pcs/commit/36e476d1a431375dfb53aca560d3a4d50494d001

Test:
1. disable pcs web UI
2. access pcs web UI and receive a 404 page
3. verify that "Content-Security-Policy" HTTP header is set to "frame-ancestors 'self'; default-src 'self'"
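
A scripted form of step 3, written as an added example (not pcs project code): it parses raw HTTP/1.1 responses, such as those saved from a browser's network tab or `curl -i`, and reports whether the Content-Security-Policy header is present with the expected value. The sample responses are constructed from the captures in this report (the bodies are made up), and the check also flags the 401 case where a JSON body is served with a text/html Content-Type.

```python
"""Added example, not pcs project code: verify that pcsd error responses
(401/404) carry the Content-Security-Policy header this bug introduced.
Input is raw HTTP/1.1 response text (browser network tab or `curl -i`);
the samples are constructed from the BEFORE/AFTER captures in comment 11."""

EXPECTED_CSP = "frame-ancestors 'self'; default-src 'self'"


def parse_response(raw: str):
    """Return (status_code, headers, body); header names are lower-cased."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    lines = head.splitlines()
    status = int(lines[0].split()[1])  # "HTTP/1.1 404 Not Found" -> 404
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_csp(raw: str, expected: str = EXPECTED_CSP) -> dict:
    """CSP presence and exact value, plus the mismatch the description
    mentions: a JSON body served with a text/html Content-Type."""
    status, headers, body = parse_response(raw)
    csp = headers.get("content-security-policy")
    ctype = headers.get("content-type", "")
    return {
        "status": status,
        "csp_present": csp is not None,
        "csp_matches": csp == expected,
        "json_body_as_html": body.lstrip().startswith("{") and ctype.startswith("text/html"),
    }


def audit(responses: dict) -> list:
    """Names of captures whose CSP is missing or differs from the expected value."""
    return [n for n, raw in responses.items() if not check_csp(raw)["csp_matches"]]


# Constructed samples (bodies invented; header values as captured in comment 11).
BEFORE_404 = ("HTTP/1.1 404 Not Found\r\nServer: TornadoServer/6.2\r\n"
              "Content-Type: text/html; charset=UTF-8\r\nContent-Length: 9\r\n\r\nNot Found")
AFTER_404 = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=UTF-8\r\n"
             f"Content-Security-Policy: {EXPECTED_CSP}\r\nContent-Length: 9\r\n\r\nNot Found")
AFTER_401 = ("HTTP/1.1 401 Unauthorized\r\nContent-Type: text/html; charset=UTF-8\r\n"
             f"Content-Security-Policy: {EXPECTED_CSP}\r\nContent-Length: 24\r\n\r\n"
             '{"notauthorized":"true"}')
```

Running `audit({"before": BEFORE_404, "after_404": AFTER_404, "after_401": AFTER_401})` returns `["before"]`, the only capture without the expected policy.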

Comment 6 Michal Pospisil 2023-05-26 09:27:52 UTC
DevTestResults:

[root@r09-03-a ~]# rpm -q pcs
pcs-0.11.5-1.el9.x86_64

Response headers on requests for index.html and favicon.ico both contain the desired CSP policy:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Wed, 24 May 2023 16:03:39 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 69

Comment 11 Michal Mazourek 2023-07-17 15:28:50 UTC
BEFORE:
=======

[root@virt-510 ~]# rpm -q pcs
pcs-0.11.4-6.el9.x86_64


## disable web UI

[root@virt-510 ~]# cat /etc/sysconfig/pcsd | grep PCSD_DISABLE_GUI
PCSD_DISABLE_GUI=true

[root@virt-510 ~]# systemctl restart pcsd
[root@virt-510 ~]# echo $?
0


## access web UI

1. open https://<hostname>:2224
> got 404: Not Found
2. check network headers for index and favicon
the header:
HTTP/1.1 404 Not Found
Server: TornadoServer/6.2
Content-Type: text/html; charset=UTF-8
Date: Mon, 17 Jul 2023 15:16:24 GMT
Content-Length: 69

> CSP (Content-Security-Policy) is not present


AFTER:
======

[root@virt-496 ~]# rpm -q pcs
pcs-0.11.6-1.el9.x86_64


## disable web UI

[root@virt-496 ~]# cat /etc/sysconfig/pcsd | grep PCSD_DISABLE_GUI
PCSD_DISABLE_GUI=true

[root@virt-496 ~]# systemctl restart pcsd
[root@virt-496 ~]# echo $?
0


## access web UI

1. open https://<hostname>:2224
> got 404: Not Found
2. check network headers for index and favicon
the header:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Fri, 14 Jul 2023 14:58:31 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 69
3. open https://<hostname>:2224/remote/capabilities
> got 401: {"notauthorized":"true"}
4. check network header for capabilities
the header:
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=UTF-8
Date: Mon, 17 Jul 2023 15:02:16 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 24

> OK: CSP (Content-Security-Policy) is in place for 404 and 401 with values frame-ancestors 'self'; default-src 'self'


Marking as VERIFIED for pcs-0.11.6-1.el9.

Comment 14 errata-xmlrpc 2023-11-07 08:23:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: pcs security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6316