Session timeout notification 2 #12225
kevin-vuong99 wants to merge 5 commits into DefectDojo:dev from kevin-vuong99:session-timeout-notification-2
🔴 Risk threshold exceeded. This pull request involves sensitive edits to critical files like

| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in `.dryrunsecurity.yaml`. |

⚠️ Configured Codepaths Edit in dojo/templates/base.html

| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in `.dryrunsecurity.yaml`. |

⚠️ Configured Codepaths Edit in dojo/context_processors.py

| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in `.dryrunsecurity.yaml`. |
💭 Unconfirmed Findings (4)

| Vulnerability | Session Management Vulnerabilities |
|---|---|
| Description | Identified potential security risks including client-side timestamp manipulation in session timeout calculation, exposure of session timing information to frontend, and indirect exposure of sensitive session configuration settings. |

| Vulnerability | Information Disclosure Risks |
|---|---|
| Description | Discovered vulnerabilities where modal reveals imminent session expiration, exposes session configuration details like SESSION_COOKIE_AGE, and potential masking of runtime issues due to broad exception handling. |

| Vulnerability | Configuration Security Considerations |
|---|---|
| Description | Found issues with session timing calculations relying on environment variables, indirect references to sensitive session configuration settings, and potential for unhandled runtime exceptions. |

| Vulnerability | Client-Side Security Concerns |
|---|---|
| Description | Detected risks from using client-side JavaScript for session timeout tracking, potential for timestamp manipulation, and reliance on dynamically generated session notification times. |
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Labels: settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), ui
Re-creation of #12093
Recreated because of it breaking unit tests once fully in dev branch. I added a check to make sure the user is authenticated to prevent notifications on the login page and managed the aria-hidden attribute in the modal itself to resolve the warning.
Description
Issue: Session timeout without letting the user either extend the time or have any type of indication that the session is about to expire.
A warning will appear shortly before the session expires using Bootstrap's modal components warning the user their session will expire soon.
Impact on Users
People with physical disabilities often need more time to react, to type and to complete activities. People with low vision need more time to locate things on screen and to read. People who are blind and using screen readers may need more time to understand screen layouts, to find information and to operate controls. People who have cognitive or language limitations need more time to read and to understand. People who are deaf and communicate in sign language may need more time to read information printed in text (which may be a second language for some).
In circumstances where a sign-language interpreter may be relating audio content to a user who is deaf, control over time limits is also important.
People with reading disabilities, cognitive limitations, and learning disabilities who may need more time to read or comprehend information can have additional time to read the information by pausing the content.
Remediation
The user is warned before time expires.
I used a context processor to pass the session cookie age value to base.html. Since no view directly renders base.html, I didn't think I could use a view-based approach. If there is a better idea, I can modify the PR.
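The client half of the mechanism described above, as an added example that is not part of this PR or of DefectDojo: a timer that fires the warning `warnBeforeSeconds` before the server-rendered remaining session lifetime elapses, warns only once, and re-syncs from a server-supplied value after a keep-alive, so the real expiry stays under the server's control. The `onWarn` hook (where the Bootstrap modal would be opened) and the keep-alive endpoint that supplies the refreshed value are assumed, not shown.

```javascript
// Added example (not DefectDojo code): client-side session-timeout watcher.
// Assumptions: the server renders `remainingSeconds` into the page (e.g. via a
// context processor) and enforces expiry itself; this timer is advisory UX only.
// `now` is injectable so the logic can be driven by a fake clock in tests.
function createSessionTimeoutWatcher({
  remainingSeconds,
  warnBeforeSeconds = 60,
  onWarn = () => {},
  onExpire = () => {},
  now = () => Date.now() / 1000,
}) {
  let deadline = now() + remainingSeconds; // absolute deadline, derived once
  let warned = false;
  let expired = false;

  function secondsLeft() {
    return Math.max(0, Math.ceil(deadline - now()));
  }

  // Call periodically (e.g. from setInterval). Returns the state reached.
  function tick() {
    if (expired) return "expired";
    const left = secondsLeft();
    if (left <= 0) {
      expired = true;
      onExpire();
      return "expired";
    }
    if (!warned && left <= warnBeforeSeconds) {
      warned = true;
      onWarn(left); // open the warning modal exactly once per session window
      return "warned";
    }
    return warned ? "warned" : "active";
  }

  // Re-sync after the server confirms the session was extended (keep-alive
  // response). The new value comes from the server, never from local
  // arithmetic, so editing the client clock cannot lengthen the real session.
  function refresh(serverRemainingSeconds) {
    if (!Number.isFinite(serverRemainingSeconds) || serverRemainingSeconds <= 0) return;
    deadline = now() + serverRemainingSeconds;
    warned = false;
    expired = false;
  }

  return { tick, refresh, secondsLeft };
}
```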