
Commit a47f98c

jenovateurs and Shamzic authored
fix vulnerability - Multiple Slashes and Encoded Characters (//\\): T… (#210)
* Add Sentry cron wrapper (production) (#198)
* chore: upgrade GitHub Actions version (cd.yml) (#201) downgrade python github action to v4 fix cd
* feat: add a wrapper to capture cron errors in Sentry
* feat: add sentry-cli
* fix: indentation
* fix: sentry-cli install
* fix: sentry_wrapper_cron path
* fix: working Sentry wrapper
* Merge dev -> main (#207)
* chore: upgrade GitHub Actions version (cd.yml) (#201) downgrade python github action to v4 fix cd
* Add Sentry cron wrapper (#204)
* feat: add a wrapper to capture cron errors in Sentry
* feat: add sentry-cli
* fix: indentation
* fix: sentry-cli install
* fix: sentry_wrapper_cron path
* fix: working Sentry wrapper
* fix: invalid arg in production - install ansible
* chore: bump pm2 v5.4.2 (#206)
* fix: use apt for the ansible install
* fix: use a virtual environment for the ansible install
* fix: use a virtual environment for the ansible install
* chore: reset pm2 v5.2
* fix: setup openfisca install
* Debian 11 to 12 (#208)
* fix: add settings to handle M1 machines more cleanly
* feat: move to Debian version 12
--------- Co-authored-by: Jeremy PASTOURET <[email protected]>
* chore: upgrade pm2 version
* trigger CD
--------- Co-authored-by: Jeremy PASTOURET <[email protected]>
* fix vulnerability - Multiple Slashes and Encoded Characters (//\\): The use of multiple slashes (///) and the encoded characters (%5C) in the URL indicates improper sanitization or validation of user inputs, which can allow malicious actors to bypass security filters and manipulate redirection behavior.
* Set up rotation of the systemd journals (#209)
* feat: set up rotation of the systemd journals
* lint: handler name
* fix: case of the notify for restarting systemd-journald
* refactor: log rotation fixed at 30 days
* add a specification condition
* fix: move the redirect-blocking comment
* bookwarm to bookworm
--------- Co-authored-by: Simon Hamery <[email protected]>
1 parent 0e784a4 commit a47f98c

2 files changed

+9
-1
lines changed


local/Vagrantfile

+1 -1
@@ -2,7 +2,7 @@
22
# vi: set ft=ruby :
33

44
Vagrant.configure("2") do |config|
5-
config.vm.box = "debian/bookwarm64"
5+
config.vm.box = "debian/bookworm64"
66

77
# Guest have 500MB of RAM by default
88
# That is not enough to `npm ci`
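Review bot: the rename from debian/bookwarm64 to debian/bookworm64 fixes a box name that does not exist, so this is a correctness fix rather than part of the "Multiple Slashes and Encoded Characters" change the commit title describes; keeping it in its own commit (or with the Debian 11 to 12 work, #208) would make the history easier to audit. Since the box now tracks Debian 12, consider also pinning `config.vm.box_version` here so the local environment cannot drift from what production is provisioned with.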

roles/bootstrap/templates/nginx_config.conf.j2

+8
@@ -114,6 +114,14 @@ server {
114114

115115
{{ well_known_section(webroot_path, challenge_proxy) }}
116116

117+
{% if 'openfisca' in service_domain %}
118+
# Block URLs with encoded characters or multiple slashes
119+
if ($request_uri ~* "(%5C|//)") {
120+
return 400; # Bad Request
121+
}
122+
{% endif %}
123+
124+
117125
gzip on;
118126
gzip_proxied any;
119127
gzip_types application/json
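Review bot: `$request_uri` is the raw request line including the query string, so the `//` alternative in `if ($request_uri ~* "(%5C|//)")` will also return 400 for legitimate requests whose query carries an absolute URL (for example `?redirect=https://...`); if the goal is the path only, anchor the match before the query, e.g. `if ($request_uri ~* "^[^?]*(%5C|//)")`. The filter also covers exactly the two patterns from the commit message: `%5C` (the `~*` makes `%5c` match too) and `//`, but not other encodings of the same characters such as `%2F` or a double-encoded `%255C`, so the template comment should state that this is a narrow block for the specific redirection issue rather than general input sanitization. `if` with `return` in `server` context is safe in nginx, so no concern there; the two trailing added empty lines (123/124) leave a double blank before `gzip on;` and one can go.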
