Add django-debreach to horizon

BREACH is a category of vulnerabilities and not a specific
instance affecting a specific piece of software. To be vulnerable,
a web application must:

  * Be served from a server that uses HTTP-level compression
  * Reflect user input in HTTP response bodies
  * Reflect a secret (such as a CSRF token) in HTTP response bodies

More details on the BREACH attack: http://breachattack.com/

Since horizon falls under this category, we can include the django-debreach
module within horizon as a requirement, which provides mitigation against BREACH attacks.

https://github.com/lpomfrey/django-debreach

CSRF token masking is a built-in feature within Django 1.10+;
therefore only the content-length modification feature provided by django-debreach
can be enabled.

Depends-On: I32f11e089fc794444ef267b463c7fb2ad8cfa96a

Change-Id: I2b4999ca7b0e1762c5273c4fe96f5ee768f44339
Blueprint: mitigate-breach-attacks
Nishant Kumar 2018-08-24 06:07:46 +05:30
parent 33f579b1b4
commit ccdf8c55e6
4 changed files with 11 additions and 0 deletions
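The commit enables only the content-length randomisation half of django-debreach. The block below is an added illustration of what a length-randomising response middleware does; it is not code from horizon or from django-debreach, and the parameter names (`min_len`, `max_len`), the `pad_html_response` helper and the sample HTML page are assumptions constructed for this example.

```python
import secrets
import string

# Constructed sample response: an HTML page that reflects a CSRF-style secret,
# the kind of page the commit message describes as BREACH-prone.
SAMPLE_HTML = (
    "<html><body>\n"
    '<form><input type="hidden" name="csrfmiddlewaretoken" value="SAMPLE-TOKEN"></form>\n'
    "</body></html>"
)

_ALPHABET = string.ascii_letters + string.digits


def random_comment(min_len: int = 12, max_len: int = 25) -> str:
    """Build an HTML comment whose body has a random content and a random length.

    min_len / max_len are hypothetical parameters chosen for this example; they
    are not django-debreach settings. A CSPRNG is used so the padding length of
    one response cannot be predicted from earlier ones.
    """
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    body = "".join(secrets.choice(_ALPHABET) for _ in range(length))
    return f"<!-- {body} -->"


def pad_html_response(body: str, headers: dict) -> str:
    """Insert a random comment into an HTML response on the response path.

    Only text/html is padded. A response that already carries a
    Content-Encoding is left untouched: padding after compression would not
    change the compressed length and would corrupt the encoded body, which
    is why such a middleware must run before any compression step.
    """
    ctype = headers.get("Content-Type", "")
    if not ctype.startswith("text/html") or "Content-Encoding" in headers:
        return body
    comment = random_comment()
    idx = body.rfind("</body>")
    if idx == -1:
        return body + comment
    return body[:idx] + comment + body[idx:]


def padded_lengths(body: str, headers: dict, samples: int = 20) -> set:
    """Return the distinct byte lengths seen when the same page is rendered
    several times; more than one value means the length no longer maps
    one-to-one onto the page content."""
    return {len(pad_html_response(body, headers).encode()) for _ in range(samples)}


if __name__ == "__main__":
    hdrs = {"Content-Type": "text/html; charset=utf-8"}
    print(pad_html_response(SAMPLE_HTML, hdrs))
    print("distinct lengths:", sorted(padded_lengths(SAMPLE_HTML, hdrs)))
```

The two guards in `pad_html_response` are the part worth keeping in mind when reading the settings hunk: the padding must be applied to the uncompressed HTML body, so the middleware has to sit where it processes the response before any compression middleware does. Length randomisation is also probabilistic rather than absolute, which is why the commit leaves CSRF token masking to Django itself rather than relying on padding alone.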


@ -19,6 +19,7 @@ Django==1.11
django-appconf==1.0.2
django-babel==0.6.2
django-compressor==2.0
django-debreach==1.4.2
django-pyscss==2.0.2
doc8==0.6.0
docutils==0.11
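Review bot: the exact pin django-debreach==1.4.2 agrees with the >=1.4.2 floor added to requirements.txt in this change and is placed in alphabetical order between django-compressor and django-pyscss, so nothing to change here; just keep the two files in step if the floor is ever raised.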


@ -110,6 +110,7 @@ OPENSTACK_IMAGE_BACKEND = {
}
MIDDLEWARE = (
'debreach.middleware.RandomCommentMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
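Review bot: the position of 'debreach.middleware.RandomCommentMiddleware' at the head of MIDDLEWARE is load-bearing and deserves an inline comment. Django runs response-phase middleware in reverse list order, so listing it first means the random comment is added after every other middleware has produced the final HTML, and before any compression middleware that might later be added earlier in the response path; if someone later inserts a compression middleware below it, the padding would be applied to already-compressed bytes and the mitigation would silently stop working. A one-line comment such as "# must stay before any compression middleware so padding is applied to uncompressed HTML" would protect the ordering.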
@ -184,6 +185,7 @@ INSTALLED_APPS = [
'django.contrib.staticfiles',
'django.contrib.humanize',
'django_pyscss',
'debreach',
'openstack_dashboard.django_pyscss_fix',
'compressor',
'horizon',
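Review bot: the commit message explains the middleware but not why 'debreach' also has to be listed in INSTALLED_APPS; the middleware import alone does not require an installed app. Please add a sentence to the commit message (or a settings comment) stating what the app registration provides, so a future reader does not remove it as unused.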


@ -0,0 +1,7 @@
---
features:
- |
[:blueprint:`mitigate-breach-attacks`]
Adding Django-debreach module to mitigate breach attacks. Enabling
the RandomCommentMiddleware to counter breach attack by randomising
the content length of each response.
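Review bot: the release note text needs a wording pass: "breach attack" should be "BREACH attack" (it is the attack's name, as used on breachattack.com), "Django-debreach" should match the package name "django-debreach", and "Adding ... module" reads better as "Add the django-debreach module". It would also help operators to state what the commit message already says, that CSRF token masking is provided by Django itself and only the RandomCommentMiddleware from django-debreach is enabled, so readers do not assume the package's CSRF middleware is active.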


@ -14,6 +14,7 @@ Django<2,>=1.11;python_version<'3.0' # BSD
Django<2.1,>=1.11;python_version>='3.0' # BSD
django-babel>=0.6.2 # BSD
django-compressor>=2.0 # MIT
django-debreach>=1.4.2 # BSD License (2 clause)
django-pyscss>=2.0.2 # BSD License (2 clause)
futurist>=1.2.0 # Apache-2.0
iso8601>=0.1.11 # MIT
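Review bot: the new runtime dependency line django-debreach>=1.4.2 is consistent with the lower-constraints pin and keeps the alphabetical order of the surrounding entries; since this is a new requirement rather than a bump, it is worth confirming in the commit message that the Depends-On change is the one that introduces the package upstream, so the two land together.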