Skip to content

Add an integrity attribute on the default login and logout pages for the signin.css Bootstrap stylesheet #13486

New issue
New issue
Closed
Closed
Add an integrity attribute on the default login and logout pages for the signin.css Bootstrap stylesheet#13486
Assignees
sjohnr
Labels
in: webAn issue in web modules (web, webmvc)status: duplicateA duplicate of another issuetype: enhancementA general enhancement
@ovanekem

Description

@ovanekem
ovanekem
opened on Jul 11, 2023

Expected Behavior

The currently generated login and logout pages include 2 CSS from Bootstrap CDN. The first CSS (bootstrap.min.css) already includes an integrity attribute in the generated link. The second CSS (signing.css) does not include such attribute. However, according to https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity, sub resources elements loaded from a CDN using a link element should ideally include the integrity attribute. This could be reported as an issue by web security tools such as OWASP ZAP.
Code impacted:

spring-security/web/src/main/java/org/springframework/security/web/server/ui/LogoutPageGeneratingWebFilter.java

Line 81 in f2f1927

page.append(" <link href=\"https://getbootstrap.com/docs/4.0/examples/signin/signin.css\" "

spring-security/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLogoutPageGeneratingFilter.java

Line 75 in f2f1927

sb.append(" <link href=\"https://getbootstrap.com/docs/4.0/examples/signin/signin.css\" "

spring-security/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java

Line 205 in f2f1927

sb.append(" <link href=\"https://getbootstrap.com/docs/4.0/examples/signin/signin.css\" "

spring-security/web/src/main/java/org/springframework/security/web/server/ui/LoginPageGeneratingWebFilter.java

Line 101 in f2f1927

page.append(" <link href=\"https://getbootstrap.com/docs/4.0/examples/signin/signin.css\" "

Current Behavior

This is the currently generated login page:
<title>Please sign in</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
<link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
</head>

Context

Found this issue while running OWASP ZAP on my Spring Boot application, ZAP generated this alert:
Sub Resource Integrity Attribute Missing
Evidence: <link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
CWE: 345
WASC ID: 15
Source: Passive (90003 - Sub Resource Integrity Attribute Missing)

Metadata

Metadata

Assignees

Labels

in: webAn issue in web modules (web, webmvc)status: duplicateA duplicate of another issuetype: enhancementA general enhancement

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions