Merge branch 'feat/js-sbom' into 3.x-master

govCMS · Oct 8, 2024 · a104df8 · a104df8
2 parents a5346c1 + 10f5abd
commit a104df8
Show file tree

Hide file tree

Showing 85 changed files with 13,471 additions and 0 deletions.
diff --git a/.docker/Dockerfile.nginx-drupal b/.docker/Dockerfile.nginx-drupal
@@ -22,5 +22,13 @@ COPY .docker/sanitize.sh /app/sanitize.sh
 RUN /app/sanitize.sh \
   && rm -rf /app/sanitize.sh
 
+# JS SBOM
+COPY .docker/images/nginx/helpers/lualib/resty/ /usr/local/openresty/lualib/resty/
+RUN echo 'env JS_SBOM_ENABLED;' >> /etc/nginx/nginx.conf
+RUN echo 'env JS_SBOM_API_ENDPOINT;' >> /etc/nginx/nginx.conf
+RUN echo 'env JS_SBOM_FILE_LOCATION;' >> /etc/nginx/nginx.conf
+RUN echo 'env JS_SBOM_FIND;' >> /etc/nginx/nginx.conf
+RUN echo 'env JS_SBOM_REPLACE;' >> /etc/nginx/nginx.conf
+
 # Define where the Drupal Root is located
 ENV WEBROOT=web
diff --git a/.docker/images/nginx/helpers/012_internal_resolver.conf b/.docker/images/nginx/helpers/012_internal_resolver.conf
@@ -0,0 +1 @@
+resolver "${RESTY_RESOLVER:-kube-dns.kube-system.svc.cluster.local}" valid=60s;
diff --git a/.docker/images/nginx/helpers/100_x-robots-header-development.conf b/.docker/images/nginx/helpers/100_x-robots-header-development.conf
@@ -19,4 +19,122 @@ header_filter_by_lua_block {
   if (xframeoptions == nil or xframeoptions == '') then
     ngx.header["X-Frame-Options"] = "${X_FRAME_OPTIONS:-SAMEORIGIN}";
   end
+
+  -- content-length must be unset if the response payload is altered
+  if (os.getenv("JS_SBOM_FIND") and os.getenv("JS_SBOM_REPLACE")) then
+    ngx.header['Content-Length'] = nil
+  end
+
+  -- set up the global queue and processor
+  local function processQueue()
+
+    if not filter_queue or next(filter_queue) == nil then
+        return
+    end
+
+    -- submit js sbom to API endpoint, else write to file on disk
+    if os.getenv("JS_SBOM_API_ENDPOINT") then
+        local httpc = require("resty.http").new()
+        local postQueue = {}
+        local f = assert(io.open("/var/run/secrets/lagoon/dynamic/insights-token/INSIGHTS_TOKEN", "rb"))
+        local token = f:read("*all")
+        f:close()
+
+        for k,v in pairs(filter_queue) do
+            table.insert(postQueue, v)
+            filter_queue[k] = nil
+        end
+
+        local cjson = require('cjson')
+        local res, err = httpc:request_uri(os.getenv("JS_SBOM_API_ENDPOINT"), {
+            method = "POST",
+            body = cjson.encode(postQueue),
+            headers = {
+                ["Content-Type"] = "application/json",
+                ["Authorization"] = token
+            },
+        })
+        if not res then
+            ngx.log(ngx.ERR, "request failed: ", err)
+            return
+        end
+    end
+
+    if os.getenv("JS_SBOM_FILE_LOCATION") then
+        local f, err = io.open(os.getenv("JS_SBOM_FILE_LOCATION"), "w")
+        if f == nil then
+            ngx.log(ngx.ERR, err)
+            return
+        end
+
+        -- read existing file, or create new
+        local fData, err = f:read( "*a" )
+
+        local fResult
+        local cjson = require('cjson')
+
+        if (fData) then
+            fResult = cjson.decode(fData)
+            for k,v in pairs(filter_queue) do
+                fResult[k] = v
+            end
+        else
+            fResult = filter_queue
+        end
+
+        f:write(cjson.encode(fResult))
+        io.close(f)
+
+        -- clear queue.
+        filter_queue = {}
+
+    end
+  end
+
+  if not filter_queue then
+    ngx.log(ngx.ERR, 'Starting processQueue worker')
+    local hdl, err = ngx.timer.every(5, processQueue)
+  end
+}
+
+
+body_filter_by_lua_block {
+
+    local js_sbom_enabled = os.getenv("JS_SBOM_ENABLED")
+    if not js_sbom_enabled or js_sbom_enabled ~= 'true' then
+        return
+    end
+
+    local ct = ngx.header['content-type']
+    if ct and not string.match(string.lower(ct), '^text/html.*$') then
+        return
+    end
+
+    -- support find/replace with lua pattern matches
+    if (os.getenv("JS_SBOM_FIND") and os.getenv("JS_SBOM_REPLACE")) then
+        ngx.arg[1] = ngx.arg[1]:gsub(os.getenv("JS_SBOM_FIND"), os.getenv("JS_SBOM_REPLACE"))
+    end
+
+    -- keep a buffered response to parse on final chunk
+    ngx.ctx.buffered = (ngx.ctx.buffered or "") .. ngx.arg[1]
+
+    -- ngx.arg[2] is set on the last chunk
+    if ngx.arg[2] then
+        if not filter_queue then
+          filter_queue = {}
+        end
+
+        for scrapture in string.gmatch(ngx.ctx.buffered, "<script(.-)>") do
+            for capture in string.gmatch(scrapture, "[https?:]?//w?w?w?%.?(.-)['|\"]") do
+                local value = {
+                    category = 'Third-party Javascript SBOM',
+                    name = capture,
+                    source = 'sbom:lua:js',
+                    description = 'Last seen ' .. os.date("%d/%m/%Y %H:%M")
+                }
+                filter_queue[capture] = value
+            end
+        end
+    end
+
 }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		resolver "${RESTY_RESOLVER:-kube-dns.kube-system.svc.cluster.local}" valid=60s;