NASA-PDS / portal-tasks

PDS Portal tasks repo used to track update requests for the website. Actual code and website are managed in a separate private repo.
https://pds.nasa.gov

Tool registry submissions do not appear to be working / sending notification to PDS operator #79

Open jordanpadams opened 11 months ago

jordanpadams commented 11 months ago

Checked for duplicates

Yes - I've already checked

🐛 Describe the bug

When I submitted a new tool to the tool registry, I noticed we never receive a notification email to pds-operator@jpl.nasa.gov.

🕵️ Expected behavior

I expected to receive a notification of that submission.

📜 To Reproduce

  1. Go to https://pds.nasa.gov/tools/tool-registry/
  2. Select Submit a Tool
  3. Go through the forms and click submit
  4. Note there is no email notification sent to pds-operator@jpl.nasa.gov

🖥 Environment Info

No response

📚 Version of Software Used

No response

🩺 Test Data / Additional context

No response

🦄 Related requirements

Blocking https://github.com/NASA-PDS/portal-tasks/issues/75

⚙️ Engineering Details

No response

c-suh commented 11 months ago

Preemptive resolution which did not work on production.

c-suh commented 11 months ago

Have piggybacked off ticket, DSIO-2392, to ask a question about CORS and am awaiting an answer.

nutjob4life commented 11 months ago

@c-suh: new sprint-backlog item; blocker for feedback-widget#78. CORS confusion if this is strictly self-hosted; AJAX calls should just be local. Works on gamma, but not production. Thomas suggests time on breakout.

c-suh commented 11 months ago

It is unclear how the redirects are organized. Will bring this up during the weekly SA office hours. Must get clarification from Thomas on if I should open an SA ticket for this or wait til the office hours if there is no response to the ticket, DSIO-4252.

c-suh commented 11 months ago

Tested with the SAs, and it is a WAF issue. They will look into it more and let us know.

c-suh commented 11 months ago

SAs have let us know of an XSS issue; am looking into this.

sjoshi-jpl commented 11 months ago

Call setup with Anil / Sean to discuss possible solutions and next steps.

tloubrieu-jpl commented 10 months ago

An application scan should be done with resources found on:

- https://jplsoc.jpl.nasa.gov/scanning/scanning.html
- https://cybersecurity.jpl.nasa.gov/appsec_services.php
- https://jplsoc.jpl.nasa.gov/appscan/appscan_login.html

The scan should look at the server-side code and check that the input payload sent with the POST request is sanitized, for example by applying a schema and schematron verification on the XML input.
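
Added example, not part of this thread or of the PDS code base: a server-side check of the kind the comment above describes, rejecting an XML POST body unless it matches a strict allow-list. The `<tool>` format, its field names, the limits and the cross-field rule are all assumptions made for illustration; the hand-written rules stand in for a real schema and Schematron file.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical format: <tool><name/><url/><description/><contact/></tool>
# tag -> (pattern the whole value must match, required?)
FIELDS = {
    "name": (re.compile(r"[\w .,()+-]{1,80}"), True),
    "url": (re.compile(r"https://[A-Za-z0-9.-]+(/[\w./%-]*)?"), True),
    "description": (re.compile(r"[^<>&\x00-\x08]{1,2000}"), True),
    "contact": (re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"), False),
}
MAX_BYTES = 16_384

def validate_submission(body: bytes) -> list[str]:
    """Return the list of violations; an empty list means accept."""
    if len(body) > MAX_BYTES:
        return ["payload too large"]
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return ["payload is not UTF-8"]
    # Refuse DTDs outright so no entity can be declared or expanded.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return ["DTD not allowed"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    errors, values = [], {}
    if root.tag != "tool" or root.attrib:
        errors.append("root must be <tool> without attributes")
    for child in root:
        # Structural rules: known leaf elements only, no attributes, no repeats.
        if child.tag not in FIELDS or child.tag in values or child.attrib or len(child):
            errors.append(f"unexpected structure at <{child.tag}>")
            continue
        values[child.tag] = (child.text or "").strip()
        if not FIELDS[child.tag][0].fullmatch(values[child.tag]):
            errors.append(f"<{child.tag}> has invalid content")
    for tag, (_, required) in FIELDS.items():
        if required and tag not in values:
            errors.append(f"missing <{tag}>")
    # Cross-field rule of the kind Schematron expresses (constructed for this example).
    if "name" in values and values.get("description") == values["name"]:
        errors.append("<description> must not just repeat <name>")
    return errors
```

Validation on input does not replace output encoding: any value later placed in a notification email or web page still needs escaping for that context.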

c-suh commented 10 months ago

Thomas is awaiting scan results.

tloubrieu-jpl commented 10 months ago

2 actions needed:

jordanpadams commented 3 months ago

Moving this to icebox for now. We removed all ability for users to submit new tools for the time being.

jordanpadams commented 3 weeks ago

These submissions have been disabled for the time being and we have more important issues to crack. Moving to icebox for time being.