Merge pull request #11 from secure-web-apps/feature/fix-sonarqube-cloud-findings

Fix SonarQube Cloud findings

Author: rufer7

.github/workflows/deploy-to-azure.yml

@@ -62,7 +62,7 @@ jobs:
         with:
           name: dotnet-app
           path: ./temp
-          include-hidden-files: true
+          include-hidden-files: true # otherwise .well-known folder is not included
 
   iac_plan:
     name: IaC (Terraform) Plan

Bff.ServiceDefaults/Extensions.cs

@@ -35,11 +35,10 @@ public static TBuilder AddServiceDefaults<TBuilder>(this TBuilder builder) where
             http.AddServiceDiscovery();
         });
 
-        // Uncomment the following to restrict the allowed schemes for service discovery.
-        // builder.Services.Configure<ServiceDiscoveryOptions>(options =>
-        // {
-        //     options.AllowedSchemes = ["https"];
-        // });
+        builder.Services.Configure<ServiceDiscoveryOptions>(options =>
+        {
+            options.AllowedSchemes = ["https"];
+        });
 
         return builder;
     }
@@ -68,8 +67,6 @@ public static TBuilder ConfigureOpenTelemetry<TBuilder>(this TBuilder builder) w
                             !context.Request.Path.StartsWithSegments(HealthEndpointPath)
                             && !context.Request.Path.StartsWithSegments(AlivenessEndpointPath)
                     )
-                    // Uncomment the following line to enable gRPC instrumentation (requires the OpenTelemetry.Instrumentation.GrpcNetClient package)
-                    //.AddGrpcClientInstrumentation()
                     .AddHttpClientInstrumentation();
             });
 

server/Controllers/AccountController.cs

@@ -27,7 +27,6 @@ public ActionResult Login(string? returnUrl, string? claimsChallenge)
     /// [ValidateAntiForgeryToken] // not needed explicitly due the the Auto global definition.
     /// </summary>
     /// <returns></returns>
-    [IgnoreAntiforgeryToken] // need to apply this to the form post request
     [Authorize]
     [HttpPost("Logout")]
     public IActionResult Logout()

server/Pages/Error.cshtml

@@ -6,7 +6,7 @@
 
 <head>
     <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0" />
     <title>Error</title>
 </head>
 

ui/src/app/getCookie.ts

@@ -2,12 +2,11 @@ export const getCookie = (cookieName: string) => {
   const name = `${cookieName}=`;
   const decodedCookie = decodeURIComponent(document.cookie);
   const ca = decodedCookie.split(";");
-  for (let i = 0; i < ca.length; i += 1) {
-    let c = ca[i];
-    while (c.charAt(0) === " ") {
+  for (let c of ca) {
+    while (c.startsWith(" ")) {
       c = c.substring(1);
     }
-    if (c.indexOf(name) === 0) {
+    if (c.startsWith(name)) {
       return c.substring(name.length, c.length);
     }
   }

ui/src/app/home.component.html

@@ -18,6 +18,12 @@
       (userProfileClaims?.isAuthenticated) {
       <form method="post" action="api/Account/Logout">
         <button class="btn btn-outline btn-danger" type="submit">Sign out</button>
+        <input
+          type="hidden"
+          id="__RequestVerificationToken"
+          name="__RequestVerificationToken"
+          [value]="getXsrfToken()"
+        />
       </form>
       } @else {
       <a class="btn btn-outline-success btn-outline" href="api/Account/Login">Log in</a>

ui/src/app/home.component.ts

@@ -2,6 +2,7 @@ import { CommonModule } from '@angular/common';
 import { HttpClient } from '@angular/common/http';
 import { Component, OnInit, inject } from '@angular/core';
 import { Observable } from 'rxjs';
+import { getCookie } from './getCookie';
 
 interface Claim {
   type: string;
@@ -31,6 +32,10 @@ export class HomeComponent implements OnInit {
     this.getUserProfile();
   }
 
+  getXsrfToken(): string {
+    return getCookie('XSRF-RequestToken');
+  }
+
   getUserProfile() {
     this.userProfileClaims$ = this.httpClient.get<UserProfile>(
       `${this.getCurrentHost()}/api/User`
@@ -50,8 +55,8 @@ export class HomeComponent implements OnInit {
   }
 
   private getCurrentHost() {
-    const host = window.location.host;
-    const url = `${window.location.protocol}//${host}`;
+    const host = globalThis.location.host;
+    const url = `${globalThis.location.protocol}//${host}`;
 
     return url;
   }

ui/src/app/secure-api.interceptor.ts

@@ -28,7 +28,7 @@ function getApiUrl() {
 }
 
 function getCurrentHost() {
-  const host = window.location.host;
-  const url = `${window.location.protocol}//${host}`;
+  const host = globalThis.location.host;
+  const url = `${globalThis.location.protocol}//${host}`;
   return url;
 }