Block auto-indexing of static assets more narrowly

[adsr]

In c870cc3, we added rules to 404 instead of serving a 403 or auto-indexing on static asset directories in automate-ui and dex respectively. The regexes used are overly broad in that they cause any URIs ending in "dex" or "assets" to 404¹ including unrelated API endpoints. For example, this is blocking us from publishing policyfiles named "index".

I'm not so familiar with these internals, but I believe it's sufficient to use regexes ^/dex/ and ^/assets/ etc instead of .dex and .assets etc. I also blocked auto-indexing of two other static asset directories under dex (fonts and font-awesome-*). I made a note that ideally dex itself should be handling this.

I'll note that the 404s served at the loadbalancer look different than the 404s of underlying servers, so an attacker can still know they "hit" something. For example:

$ curl -k -v -H 'Host: chef-automate' 'https://127.0.0.1/dex/foo/bar'
...
< HTTP/2 404
< date: Wed, 28 Aug 2024 17:35:03 GMT
< content-type: text/plain; charset=utf-8
< content-length: 19
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
<
404 page not found
$ curl -k -v -H 'Host: chef-automate' 'https://127.0.0.1/dex/static'
< HTTP/2 404
< date: Wed, 28 Aug 2024 17:35:55 GMT
< content-type: text/html
< content-length: 146
< x-xss-protection: 1; mode=block
< strict-transport-security: max-age=63072000; includeSubDomains
< x-content-type-options: nosniff
<
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

At least it doesn't auto-index, but I do question the integrity of this approach. As I stated above it should be handled by dex itself. I suspect there's a way to handle the automate-ui assets more elegantly as well.

---

🔩 Description: What code changed, and why?

Fix nginx 404 rules

⛓️ Related Resources

• Hidden Directory Detected #4855
• Hidden Directory Detected - automate-ui #5872
• c870cc3
• https://community.progress.com/s/article/Paths-or-URIs-ending-with-dex-or-assets-Lead-to-a-404-in-Chef-Automate

👍 Definition of Done

For us, the ability to publish policyfiles named "index"

👟 How to Build and Test the Change

curl assets and dex endpoints

✅ Checklist

All PRs must tick these:

• I have read the CONTRIBUTING document.
• All commits signed-off for the Developer Certification of Origin.

With occasional exceptions, all PRs from Progress employees must tick these:

• Is the code clear? (complicated code or lots of comments--subdivide and use well-named methods, meaningful variable names, etc.)
• Consistency checked? (user notifications, user prompts, visual patterns, code patterns, variable names)
• Repeated code blocks eliminated? (adapt and reuse existing components, blocks, functions, etc.)
• Spelling, grammar, typos checked? (at a minimum use make spell in any component directory)
• Code well-formatted? (indents, line breaks, etc. improve rather than hinder readability)

All PRs from Progress employees should tick these if appropriate:

• Tests added/updated? (all new code needs new tests)
• Docs added/updated? (all customer-facing changes)

Please add a note next to any checkbox above if you are NOT ticking it.

📷 Screenshots, if applicable

n/a

Footnotes

1. https://community.progress.com/s/article/Paths-or-URIs-ending-with-dex-or-assets-Lead-to-a-404-in-Chef-Automate ↩

[netlify]

👷 Deploy Preview for chef-automate processing.

Name	Link
🔨 Latest commit	4900587
🔍 Latest deploy log	https://app.netlify.com/sites/chef-automate/deploys/66cf62bd92f8d10008572a39

[sam-k3nny]

I added this as a feature request as well. If anyone else comes across this PR, please feel free to upvote it too.