Fix artifact content-type raw endpoint

This commit lets workhorse set the content-type when serving artifacts. This prevents an attacker to host a maliciou JavaScript payload as an artifact and bypass our CSP. Changelog: security

Fix artifact content-type raw endpoint
This commit lets workhorse set the content-type when serving artifacts. This prevents an attacker to host a maliciou JavaScript payload as an artifact and bypass our CSP. Changelog: security
1a60a674 · Max Orefice · Igor Drozdov · e22e94ce · 1a60a674 · 1a60a674
Commit 1a60a674 authored Apr 05, 2022 by Max Orefice Committed by Igor Drozdov Apr 05, 2022
9 changed files
--- a/app/controllers/projects/artifacts_controller.rb
+++ b/app/controllers/projects/artifacts_controller.rb
@@ -81,7 +81,11 @@ class Projects::ArtifactsController < Projects::ApplicationController
    path = Gitlab::Ci::Build::Artifacts::Path.new(params[:path])
+    if ::Feature.enabled?(:ci_safe_artifact_content_type, project, default_enabled: :yaml)
      send_artifacts_entry(artifacts_file, path)
+    else
+      legacy_send_artifacts_entry(artifacts_file, path)
+    end
  end
  def keep

--- a/app/helpers/workhorse_helper.rb
+++ b/app/helpers/workhorse_helper.rb
@@ -36,8 +36,16 @@ module WorkhorseHelper
  end
  # Send an entry from artifacts through Workhorse
+  def legacy_send_artifacts_entry(file, entry)
+    headers.store(*Gitlab::Workhorse.send_artifacts_entry(file, entry))
+    head :ok
+  end
+  # Send an entry from artifacts through Workhorse and set safe content type
  def send_artifacts_entry(file, entry)
    headers.store(*Gitlab::Workhorse.send_artifacts_entry(file, entry))
+    headers.store(*Gitlab::Workhorse.detect_content_type)
    head :ok
  end

--- a/config/feature_flags/development/ci_safe_artifact_content_type.yml
+++ b/config/feature_flags/development/ci_safe_artifact_content_type.yml
+---
+name: ci_safe_artifact_content_type
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83826
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/357664
+milestone: '14.10'
+type: development
+group: group::pipeline insights
+default_enabled: false
--- a/lib/api/ci/job_artifacts.rb
+++ b/lib/api/ci/job_artifacts.rb
@@ -60,7 +60,11 @@ module API
            bad_request! unless path.valid?
+            if ::Feature.enabled?(:ci_safe_artifact_content_type, build&.project, default_enabled: :yaml)
              send_artifacts_entry(build.artifacts_file, path)
+            else
+              legacy_send_artifacts_entry(build.artifacts_file, path)
+            end
          end
        desc 'Download the artifacts archive from a job' do
@@ -100,7 +104,11 @@ module API
          bad_request! unless path.valid?
-          send_artifacts_entry(build.artifacts_file, path)
+          # This endpoint is being used for Artifact Browser feature that renders the content via pages.
+          # Since Content-Type is controlled by Rails and Workhorse, if a wrong
+          # content-type is sent, it could cause a regression on pages rendering.
+          # See https://gitlab.com/gitlab-org/gitlab/-/issues/357078 for more information.
+          legacy_send_artifacts_entry(build.artifacts_file, path)
        end
        desc 'Keep the artifacts to prevent them from being deleted' do

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -705,8 +705,16 @@ module API
      body ''
    end
+    # Deprecated. Use `send_artifacts_entry` instead.
+    def legacy_send_artifacts_entry(file, entry)
+      header(*Gitlab::Workhorse.send_artifacts_entry(file, entry))
+      body ''
+    end
    def send_artifacts_entry(file, entry)
      header(*Gitlab::Workhorse.send_artifacts_entry(file, entry))
+      header(*Gitlab::Workhorse.detect_content_type)
      body ''
    end

--- a/lib/gitlab/workhorse.rb
+++ b/lib/gitlab/workhorse.rb
@@ -226,6 +226,13 @@ module Gitlab
        end
      end
+      def detect_content_type
+        [
+          Gitlab::Workhorse::DETECT_HEADER,
+          'true'
+        ]
+      end
      protected
      # This is the outermost encoding of a senddata: header. It is safe for

--- a/spec/controllers/projects/artifacts_controller_spec.rb
+++ b/spec/controllers/projects/artifacts_controller_spec.rb
@@ -323,6 +323,7 @@ RSpec.describe Projects::ArtifactsController do
          subject
          expect(response).to have_gitlab_http_status(:ok)
+          expect(response.headers['Gitlab-Workhorse-Detect-Content-Type']).to eq('true')
          expect(send_data).to start_with('artifacts-entry:')
          expect(params.keys).to eq(%w(Archive Entry))
@@ -380,6 +381,18 @@ RSpec.describe Projects::ArtifactsController do
            let(:store) { ObjectStorage::Store::LOCAL }
            let(:archive_path) { JobArtifactUploader.root }
          end
+          context 'when ci_safe_artifact_content_type is disabled' do
+            before do
+              stub_feature_flags(ci_safe_artifact_content_type: false)
+            end
+            it 'does not let workhorse set content type' do
+              subject
+              expect(response.headers).not_to include('Gitlab-Workhorse-Detect-Content-Type')
+            end
+          end
        end
        context 'when the artifact is not zip' do

--- a/spec/lib/gitlab/workhorse_spec.rb
+++ b/spec/lib/gitlab/workhorse_spec.rb
@@ -448,6 +448,14 @@ RSpec.describe Gitlab::Workhorse do
    end
  end
+  describe '.detect_content_type' do
+    subject { described_class.detect_content_type }
+    it 'returns array setting detect content type in workhorse' do
+      expect(subject).to eq(%w[Gitlab-Workhorse-Detect-Content-Type true])
+    end
+  end
  describe '.send_git_blob' do
    include FakeBlobHelpers

--- a/spec/requests/api/ci/job_artifacts_spec.rb
+++ b/spec/requests/api/ci/job_artifacts_spec.rb
@@ -224,6 +224,8 @@ RSpec.describe API::Ci::JobArtifacts do
          expect(response.headers.to_h)
            .to include('Content-Type' => 'application/json',
                        'Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
+          expect(response.headers.to_h)
+            .not_to include('Gitlab-Workhorse-Detect-Content-Type' => 'true')
          expect(response.parsed_body).to be_empty
        end
@@ -556,7 +558,18 @@ RSpec.describe API::Ci::JobArtifacts do
            expect(response).to have_gitlab_http_status(:ok)
            expect(response.headers.to_h)
              .to include('Content-Type' => 'application/json',
-                          'Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
+                          'Gitlab-Workhorse-Send-Data' => /artifacts-entry/,
+                          'Gitlab-Workhorse-Detect-Content-Type' => 'true')
+          end
+          context 'when ci_safe_artifact_content_type is disabled' do
+            before do
+              stub_feature_flags(ci_safe_artifact_content_type: false)
+            end
+            it 'does not let workhorse set content type' do
+              expect(response.headers).not_to include('Gitlab-Workhorse-Detect-Content-Type')
+            end
          end
        end
@@ -626,7 +639,8 @@ RSpec.describe API::Ci::JobArtifacts do
          expect(response).to have_gitlab_http_status(:ok)
          expect(response.headers.to_h)
            .to include('Content-Type' => 'application/json',
-                        'Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
+                        'Gitlab-Workhorse-Send-Data' => /artifacts-entry/,
+                        'Gitlab-Workhorse-Detect-Content-Type' => 'true')
          expect(response.parsed_body).to be_empty
        end
      end
@@ -644,7 +658,8 @@ RSpec.describe API::Ci::JobArtifacts do
          expect(response).to have_gitlab_http_status(:ok)
          expect(response.headers.to_h)
            .to include('Content-Type' => 'application/json',
-                        'Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
+                        'Gitlab-Workhorse-Send-Data' => /artifacts-entry/,
+                        'Gitlab-Workhorse-Detect-Content-Type' => 'true')
        end
      end