Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix web UI index path http security headers #4517

Merged
merged 3 commits into from
Jun 25, 2024
Merged

Fix web UI index path http security headers #4517

merged 3 commits into from
Jun 25, 2024

Conversation

Rendez
Copy link
Contributor

@Rendez Rendez commented Jun 20, 2024
edited by timvisee
Loading

The web-ui /dashboard endpoint can currently be embedded as an iframe. Adding the header X-Frame-Options: DENY shall protect against it.

In terms of the approach taken with actix_web, it would have been ideal if actix_files::Files allowed to set HTTP headers, but it only allows a handful of flags like etag, last_modified or content_disposition, which fall short of our needs.

This is why for the root path reading the index.html file a custom handler has been introduced: web_ui_index.

Awaiting for feedback in the approach before writing any kind of tests.

All Submissions:

  • Contributions should target the dev branch. Did you create your branch from dev?
  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?

New Feature Submissions:

  1. Does your submission pass tests?
  2. Have you formatted your code locally using cargo +nightly fmt --all command prior to submission?
  3. Have you checked your code using cargo clippy --all --all-features command?

Changes to Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you successfully ran tests with your changes locally?

@Rendez Rendez added the chore Nice to have improvement label Jun 20, 2024
@Rendez Rendez requested review from agourlay and timvisee June 20, 2024 17:14
@Rendez Rendez added the bug Something isn't working label Jun 20, 2024
@Rendez Rendez changed the base branch from master to dev June 20, 2024 17:15
@generall generall force-pushed the fix-web-ui-index-path-http-security-headers branch from 8a699db to 44d03d5 Compare June 24, 2024 15:31
@Rendez Rendez force-pushed the fix-web-ui-index-path-http-security-headers branch from 44d03d5 to 836ced3 Compare June 24, 2024 17:37
xzfc
xzfc reviewed Jun 24, 2024
View reviewed changes
src/actix/mod.rs Outdated Show resolved Hide resolved
@timvisee timvisee requested a review from xzfc June 25, 2024 08:25
@timvisee timvisee merged commit 36d7e11 into dev Jun 25, 2024
18 checks passed
@timvisee timvisee deleted the fix-web-ui-index-path-http-security-headers branch June 25, 2024 11:44
timvisee added a commit that referenced this pull request Jun 25, 2024
@Rendez @timvisee
Fix web UI index path http security headers (#4517)
7bacd67 
* Draft: web-ui root endpoint x-frame-options: deny header

* Switch to async

* Simplify setting frame options header by using DefaultHeaders

---------

Co-authored-by: timvisee <tim@visee.me>
@Rendez Rendez mentioned this pull request Jun 25, 2024
Merged
9 tasks
timonv referenced this pull request in bosun-ai/swiftide Jun 28, 2024
@renovate
chore(deps): update qdrant/qdrant docker tag to v1.9.7 (#95)
8a2541e 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [qdrant/qdrant](https://qdrant.com/)
([source](https://togithub.com/qdrant/qdrant)) | service | patch |
`v1.9.2` -> `v1.9.7` |

---

### Release Notes

<details>
<summary>qdrant/qdrant (qdrant/qdrant)</summary>

### [`v1.9.7`](https://togithub.com/qdrant/qdrant/releases/tag/v1.9.7)

[Compare
Source](https://togithub.com/qdrant/qdrant/compare/v1.9.6...v1.9.7)

### Change log

#### Improvements

-
[https://github.com/qdrant/qdrant/pull/4517](https://togithub.com/qdrant/qdrant/pull/4517)
- Do not allow embedding the web UI in an iframe
-
[https://github.com/qdrant/qdrant/pull/4556](https://togithub.com/qdrant/qdrant/pull/4556)
- Include HNSW configuration in snasphots to fix some edge cases

#### Bug fixes

-
[https://github.com/qdrant/qdrant/pull/4555](https://togithub.com/qdrant/qdrant/pull/4555)
- Fix panic on start with sparse index from versions 1.9.3 to 1.9.6
-
[https://github.com/qdrant/qdrant/pull/4551](https://togithub.com/qdrant/qdrant/pull/4551)
- Fix positive/negative points IDs being excluded when using
recommendation search with `lookup_from`

### [`v1.9.6`](https://togithub.com/qdrant/qdrant/releases/tag/v1.9.6)

[Compare
Source](https://togithub.com/qdrant/qdrant/compare/v1.9.5...v1.9.6)

### Change log

#### Bug fixes

-
[https://github.com/qdrant/qdrant/pull/4472](https://togithub.com/qdrant/qdrant/pull/4472)
- fix potential panic on recovery sparse vectors from crash
-
[https://github.com/qdrant/qdrant/pull/4426](https://togithub.com/qdrant/qdrant/pull/4426)
- improve error message on missing payload index
-
[https://github.com/qdrant/qdrant/pull/4375](https://togithub.com/qdrant/qdrant/pull/4375)
- fix in-place updates for sparse index
-
[https://github.com/qdrant/qdrant/pull/4523](https://togithub.com/qdrant/qdrant/pull/4523)
- fix missing payload index issue, introduced in v1.9.5

### [`v1.9.5`](https://togithub.com/qdrant/qdrant/releases/tag/v1.9.5)

[Compare
Source](https://togithub.com/qdrant/qdrant/compare/v1.9.4...v1.9.5)

### Change log

#### Features

-
[https://github.com/qdrant/qdrant/pull/4254](https://togithub.com/qdrant/qdrant/pull/4254)
- Add pyroscope integration for continuous profiling on demand

#### Improvements

-
[https://github.com/qdrant/qdrant/pull/4309](https://togithub.com/qdrant/qdrant/pull/4309)
- Allow to configure default number of shards per node
-
[https://github.com/qdrant/qdrant/pull/4317](https://togithub.com/qdrant/qdrant/pull/4317)
- Allow to overwrite optimizer settings via config
-
[https://github.com/qdrant/qdrant/pull/4312](https://togithub.com/qdrant/qdrant/pull/4312),
[https://github.com/qdrant/qdrant/pull/4369](https://togithub.com/qdrant/qdrant/pull/4369)
- Improve vector size estimations, making index thresholds more reliable
-
[https://github.com/qdrant/qdrant/pull/4428](https://togithub.com/qdrant/qdrant/pull/4428)
- Improve default maximum segment size, base it on number of CPUs used
for indexing
-
[https://github.com/qdrant/qdrant/pull/4370](https://togithub.com/qdrant/qdrant/pull/4370)
- Use consistent RocksDB settings for both put and remove
-
[https://github.com/qdrant/qdrant/pull/4376](https://togithub.com/qdrant/qdrant/pull/4376)
- Improve ordering of insertions and deletions in RocksDB
-
[https://github.com/qdrant/qdrant/pull/4371](https://togithub.com/qdrant/qdrant/pull/4371)
- Log error if segment flushing failed on drop
-
[https://github.com/qdrant/qdrant/pull/4352](https://togithub.com/qdrant/qdrant/pull/4352)
- Promote REST request processing problems from warning to error
-
[https://github.com/qdrant/qdrant/pull/4368](https://togithub.com/qdrant/qdrant/pull/4368)
- Improve error messages in cases of missing vectors
-
[https://github.com/qdrant/qdrant/pull/4391](https://togithub.com/qdrant/qdrant/pull/4391)
- Improve shard state log message, not strictly related to snapshot
recovery
-
[https://github.com/qdrant/qdrant/pull/4414](https://togithub.com/qdrant/qdrant/pull/4414)
- Improve Dockerfile, don't invalidate caches each commit and allow
debug settings

#### Bug fixes

-
[https://github.com/qdrant/qdrant/pull/4402](https://togithub.com/qdrant/qdrant/pull/4402)
- Fix deadlock caused by concurrent snapshot and optimization
-
[https://github.com/qdrant/qdrant/pull/4411](https://togithub.com/qdrant/qdrant/pull/4411)
- Fix potentially losing vectors on crash by enabling RocksDB WAL
-
[https://github.com/qdrant/qdrant/pull/4416](https://togithub.com/qdrant/qdrant/pull/4416),
[https://github.com/qdrant/qdrant/pull/4440](https://togithub.com/qdrant/qdrant/pull/4440)
- Respect `max_segment_size` on data ingestion with optimizers disabled,
create segments as needed
-
[https://github.com/qdrant/qdrant/pull/4442](https://togithub.com/qdrant/qdrant/pull/4442)
- Fix potentially having bad HNSW links on multithreaded systems

### [`v1.9.4`](https://togithub.com/qdrant/qdrant/releases/tag/v1.9.4)

[Compare
Source](https://togithub.com/qdrant/qdrant/compare/v1.9.3...v1.9.4)

### Change log

#### Bug fixes

-
[https://github.com/qdrant/qdrant/pull/4332](https://togithub.com/qdrant/qdrant/pull/4332)
- Fix potentially losing a segment when creating a snapshot with ongoing
updates
-
[https://github.com/qdrant/qdrant/pull/4342](https://togithub.com/qdrant/qdrant/pull/4342)
- Fix potential panic on start if there is no appendable segment
-
[https://github.com/qdrant/qdrant/pull/4328](https://togithub.com/qdrant/qdrant/pull/4328)
- Prevent panic when searching with huge limit

### [`v1.9.3`](https://togithub.com/qdrant/qdrant/releases/tag/v1.9.3)

[Compare
Source](https://togithub.com/qdrant/qdrant/compare/v1.9.2...v1.9.3)

### Change log

#### Improvements

-
[https://github.com/qdrant/qdrant/pull/4165](https://togithub.com/qdrant/qdrant/pull/4165)
- Handle Out-Of-Disk on insertions gracefully
-
[https://github.com/qdrant/qdrant/pull/3964](https://togithub.com/qdrant/qdrant/pull/3964)
- Faster consensus convergence with batched updates
-
[https://github.com/qdrant/qdrant/pull/4301](https://togithub.com/qdrant/qdrant/pull/4301)
- Deduplicate points by ID for custom sharding

#### Bug fixes

-
[https://github.com/qdrant/qdrant/pull/4307](https://togithub.com/qdrant/qdrant/pull/4307)
- Fix overflow panic if scroll limit is usize::MAX
-
[https://github.com/qdrant/qdrant/pull/4322](https://togithub.com/qdrant/qdrant/pull/4322)
- Fix panic with missing sparse vectors after recovery of corrupted
storage

#### Web UI

-
[https://github.com/qdrant/qdrant-web-ui/pull/183](https://togithub.com/qdrant/qdrant-web-ui/pull/183)
- Notification for miss-configured collections

Full change log:
https://github.com/qdrant/qdrant-web-ui/releases/tag/v0.1.26

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/bosun-ai/swiftide).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjAuMSIsInVwZGF0ZWRJblZlciI6IjM3LjQyMC4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@generall generall generall left review comments

@timvisee timvisee timvisee approved these changes

@agourlay agourlay Awaiting requested review from agourlay

@xzfc xzfc Awaiting requested review from xzfc

Assignees
No one assigned
Labels
bug Something isn't working chore Nice to have improvement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Rendez @timvisee @generall @xzfc