From ccdf8c55e6764a7028671f1d2d8a29f7cc996b9f Mon Sep 17 00:00:00 2001
From: Nishant Kumar
Date: Fri, 24 Aug 2018 06:07:46 +0530
Subject: [PATCH] Add django-debreach to horizon

BREACH is a category of vulnerabilities and not a specific instance affecting a specific piece of software. To be vulnerable, a web application must:
* Be served from a server that uses HTTP-level compression
* Reflect user-input in HTTP response bodies
* Reflect a secret (such as a CSRF token) in HTTP response bodies

More details on breach attack - http://breachattack.com/

Since horizon falls under this category, we can include django-debreach module within horizon as a requirement which provides mitigation against the breach attacks.
https://github.com/lpomfrey/django-debreach

CSRF token masking is a built-in feature within Django 1.10+, therefore only content-length modification feature provided by django-debreach can be enabled.

Depends-On: I32f11e089fc794444ef267b463c7fb2ad8cfa96a
Change-Id: I2b4999ca7b0e1762c5273c4fe96f5ee768f44339
Blueprint: mitigate-breach-attacks
---
 lower-constraints.txt | 1 +
 openstack_dashboard/settings.py | 2 ++
 .../notes/bp-mitigate-breach-attacks-dd54b705e22363b0.yaml | 7 +++++++
 requirements.txt | 1 +
 4 files changed, 11 insertions(+)
 create mode 100644 releasenotes/notes/bp-mitigate-breach-attacks-dd54b705e22363b0.yaml

diff --git a/lower-constraints.txt b/lower-constraints.txt
index 76fce7c973..8847146248 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -19,6 +19,7 @@ Django==1.11
 django-appconf==1.0.2
 django-babel==0.6.2
 django-compressor==2.0
+django-debreach==1.4.2
 django-pyscss==2.0.2
 doc8==0.6.0
 docutils==0.11
diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py
index 0bd097c575..197be7c3c9 100644
--- a/openstack_dashboard/settings.py
+++ b/openstack_dashboard/settings.py
@@ -110,6 +110,7 @@ OPENSTACK_IMAGE_BACKEND = {
 }
 
 MIDDLEWARE = (
+    'debreach.middleware.RandomCommentMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
@@ -184,6 +185,7 @@ INSTALLED_APPS = [
     'django.contrib.staticfiles',
     'django.contrib.humanize',
     'django_pyscss',
+    'debreach',
     'openstack_dashboard.django_pyscss_fix',
     'compressor',
     'horizon',
diff --git a/releasenotes/notes/bp-mitigate-breach-attacks-dd54b705e22363b0.yaml b/releasenotes/notes/bp-mitigate-breach-attacks-dd54b705e22363b0.yaml
new file mode 100644
index 0000000000..ff3ce1412e
--- /dev/null
+++ b/releasenotes/notes/bp-mitigate-breach-attacks-dd54b705e22363b0.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    [:blueprint:`mitigate-breach-attacks`]
+    Adding Django-debreach module to mitigate breach attacks. Enabling
+    the RandomCommentMiddleware to counter breach attack by randomising
+    the content length of each response.
diff --git a/requirements.txt b/requirements.txt
index a889154552..93d2971be0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -14,6 +14,7 @@ Django<2,>=1.11;python_version<'3.0' # BSD
 Django<2.1,>=1.11;python_version>='3.0' # BSD
 django-babel>=0.6.2 # BSD
 django-compressor>=2.0 # MIT
+django-debreach>=1.4.2 # BSD License (2 clause)
 django-pyscss>=2.0.2 # BSD License (2 clause)
 futurist>=1.2.0 # Apache-2.0
 iso8601>=0.1.11 # MIT
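Review bot: The new first entry of MIDDLEWARE in the -110 hunk carries no comment, and neither its purpose nor its ordering constraint is obvious to the next maintainer; suggested: `# django-debreach: pads HTML responses with a random-length comment so the compressed size does not leak secrets (BREACH mitigation). Django runs process_response in reverse listing order, so keep any compression middleware listed above this entry.` Listed first, it is the last middleware to touch the response body, which is fine while compression happens in the web server, but a deployment that adds django.middleware.gzip.GZipMiddleware below it would have the padding applied to an already-compressed body, so the ordering deserves to be stated where the entry lives. The release note's "randomising the content length of each response" overstates the coverage if, as the middleware name suggests, only HTML bodies receive the comment: JSON responses from horizon's API views would be left unpadded, and length randomisation is a probabilistic defence that narrows rather than removes the side channel. It would help operators if the release note or the settings comment said that disabling HTTP compression for dynamic responses at the web-server level remains the complete mitigation.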