search

CDCgov / prime-simplereport

SimpleReport is a fast, free, and easy way for COVID-19 testing facilities to report results to public health departments.
https://simplereport.gov
Creative Commons Zero v1.0 Universal
58 stars 53 forks source link

Broken links in the tos.md page (static site) #8166

Open bobbywells52 opened 1 month ago

bobbywells52 commented 1 month ago

Description

There are two broken links on the static site that have been identified by our link checker here.

Expected behavior

The two links in question are currently returning 403s, when we expect 200s.

mpbrown commented 1 month ago

Linking broken link report here

DanielSass commented 1 month ago

The links both seem to work in a browser, I'm curious why we're getting permissions issues https://www.hhs.gov/foia/privacy/index.html https://www.hhs.gov/vulnerability-disclosure-policy/index.html

bobbywells52 commented 1 month ago

Update the links are working in my browser as well but still failing in the link checker here.

DanielSass commented 4 weeks ago

In addition to direct browsing to the links, I'm able to click the links on the static site itself. It appears to just be an issue from the github actions.

DanielSass commented 4 weeks ago

Followed up with Rin on this:

Both of these sites go to HHS, not CDC. The DNS entry for this points to an ec2 instance floating around somewhere in AWS, with a default Apache page. I have heard of instances where GitHub Actions runners are blocked, since they can be used to launch attacks. I want to say we have run into something like this previously with SimpleReport's WAF. Ultimately, everything is configured correctly on our end. This would be outside the CDC's hands. The only two workarounds that I can think of are:

  1. Use a self-hosted runner for this. CDC provides a few in their CDCEnt organization, but they haven't made them accessible in CDCGov. Unfortunately, unless we want to pay a few hundred per month in hosting costs, this will be a no-go for us.
  2. Use a lycheeignore file, or pass in domains to ignore using the --exclude switch from within the action's args: input. We can exclude the problematic HHS domains here, but we will have no way to know if they end up broken. Ultimately, though, that's beyond our control.
  3. Bonus option: expect a 403 code. Concern with this approach is if the code we're getting is at the gateway level vs the page level. Link could go back and everything would still be green.