SonarQube 4.2 X-Frame-Options and Cross-Site Scripting Issues
I am running an instance of SonarQube 4.2 on a Linux box. Since in our system we have a central portal page from which we navigate to all child pages, I need to have SonarQube framed. When I follow the href, SonarQube denies it; I think this is because X-Frame-Options is set to SAMEORIGIN. Any clue how we can change this?
Also, I need to provide CSRF protection in SonarQube. Jenkins has a built-in option for CSRF security. Does SonarQube have something similar?
Thanks in advance for all inputs.
For the X-Frame parameter, this was fixed in SQ 5.1, and you can actually check it out on our Nemo.
For CSRF protection, we have an open ticket about this: SONAR-5040. Please note that whenever an XSS vulnerability is discovered, we always fix it in the next version as well as in the latest LTS version (currently 4.5.x).
I had the same issue trying to get responses from the SonarQube instance to display when placed in an iframe consumed by the backplane app.
While 'X-Frame-Options' is definitely not configurable in SonarQube, these two steps will allow you to display the response from the SonarQube server in an iframe:
- Modify the environment.rb script in the directory <SonarQube-Home>\web\WEB-INF\config by commenting out the header assignment 'X-Frame-Options' (or changing the value to 'ALLOW-FROM' with the appropriate URL exception):

```ruby
# Clickjacking protection
# See https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_EE
# headers['X-Frame-Options']='SAMEORIGIN'
```
- Either comment out the existing filter configuration in the file <SonarQube-Home>\web\WEB-INF\web.xml (not recommended), or write your own Filter implementation and replace the existing configuration:

```xml
<filter>
  <filter-name>SecurityFilter</filter-name>
  <filter-class>org.sonar.server.platform.SecurityServletFilter</filter-class>
</filter>
```

with your own (my example):

```xml
<filter>
  <filter-name>SecurityFilter</filter-name>
  <filter-class>com.foo.MySecurityServletFilter</filter-class>
  <init-param>
    <param-name>X-Content-Type-Options</param-name>
    <param-value>nosniff</param-value>
  </init-param>
  <init-param>
    <param-name>X-XSS-Protection</param-name>
    <param-value>1; mode=block</param-value>
  </init-param>
  <init-param>
    <param-name>X-Frame-Options</param-name>
    <param-value>ALLOW-FROM</param-value>
  </init-param>
  <init-param>
    <param-name>allow-from-uri</param-name>
    <param-value>http://internal.foo.com</param-value>
  </init-param>
</filter>
```

The initialization parameters must of course be supported by your custom Filter implementation.
- I created a simple jar containing my filter and copied it to the directory <SonarQube-Home>\lib\server.
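An added example of what such a custom Filter could look like; this is my own illustration, not code from SonarQube or from the answer above. It assumes the init-param names from the web.xml snippet, the hypothetical class name com.foo.MySecurityServletFilter, and the javax.servlet 3.x API.

```java
package com.foo;
import java.io.IOException;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: every <init-param> becomes a response header, except
// "allow-from-uri", which is appended to an X-Frame-Options value of ALLOW-FROM.
public class MySecurityServletFilter implements Filter {
  private final Map<String, String> headers = new LinkedHashMap<>();

  @Override
  public void init(FilterConfig config) throws ServletException {
    String allowFromUri = config.getInitParameter("allow-from-uri");
    Enumeration<?> names = config.getInitParameterNames();
    while (names.hasMoreElements()) {
      String name = (String) names.nextElement();
      if ("allow-from-uri".equals(name)) continue;
      String value = config.getInitParameter(name);
      if ("X-Frame-Options".equalsIgnoreCase(name) && "ALLOW-FROM".equalsIgnoreCase(value)) {
        // Fail at startup rather than emit a bare "ALLOW-FROM", which is not a valid value.
        if (allowFromUri == null || allowFromUri.trim().isEmpty()) {
          throw new ServletException("X-Frame-Options: ALLOW-FROM needs allow-from-uri");
        }
        value = "ALLOW-FROM " + allowFromUri.trim();
      }
      headers.put(name, value);
    }
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    // Set headers before passing the request on: once the body is committed, none can be added.
    if (res instanceof HttpServletResponse) {
      HttpServletResponse http = (HttpServletResponse) res;
      for (Map.Entry<String, String> h : headers.entrySet()) {
        http.setHeader(h.getKey(), h.getValue());
      }
    }
    chain.doFilter(req, res);
  }

  @Override public void destroy() { }
}
```

ALLOW-FROM is honoured only by some browsers (Chrome and Safari ignore it, and Firefox dropped it), so a filter that must work in current browsers should also emit Content-Security-Policy: frame-ancestors with the same URI, which supersedes X-Frame-Options for this purpose.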