Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
24d2d927
Commit
24d2d927
authored
Mar 17, 2021
by
dcouture
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Enable Content-Security-Policy header by default
Changelog: other
parent
e38498d2
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
74 additions
and
8 deletions
+74
-8
changelogs/unreleased/default-csp.yml
changelogs/unreleased/default-csp.yml
+5
-0
lib/gitlab/content_security_policy/config_loader.rb
lib/gitlab/content_security_policy/config_loader.rb
+45
-3
spec/lib/gitlab/content_security_policy/config_loader_spec.rb
.../lib/gitlab/content_security_policy/config_loader_spec.rb
+24
-5
No files found.
changelogs/unreleased/default-csp.yml
0 → 100644
View file @
24d2d927
---
title
:
Enable Content-Security-Policy header by default
merge_request
:
56923
author
:
type
:
other
lib/gitlab/content_security_policy/config_loader.rb
View file @
24d2d927
...
@@ -8,11 +8,33 @@ module Gitlab
...
@@ -8,11 +8,33 @@ module Gitlab
media_src object_src report_uri script_src style_src worker_src)
.
freeze
media_src object_src report_uri script_src style_src worker_src)
.
freeze
def
self
.
default_settings_hash
def
self
.
default_settings_hash
{
settings_hash
=
{
'enabled'
=>
fals
e
,
'enabled'
=>
tru
e
,
'report_only'
=>
false
,
'report_only'
=>
false
,
'directives'
=>
DIRECTIVES
.
each_with_object
({})
{
|
directive
,
hash
|
hash
[
directive
]
=
nil
}
'directives'
=>
{
'default_src'
=>
"'self'"
,
'base_uri'
=>
"'self'"
,
'child_src'
=>
"'none'"
,
'connect_src'
=>
"'self'"
,
'font_src'
=>
"'self'"
,
'form_action'
=>
"'self' https: http:"
,
'frame_ancestors'
=>
"'self'"
,
'frame_src'
=>
"'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
,
'img_src'
=>
"'self' data: blob: http: https:"
,
'manifest_src'
=>
"'self'"
,
'media_src'
=>
"'self'"
,
'script_src'
=>
"'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com"
,
'style_src'
=>
"'self' 'unsafe-inline'"
,
'worker_src'
=>
"'self'"
,
'object_src'
=>
"'none'"
,
'report_uri'
=>
nil
}
}
}
allow_webpack_dev_server
(
settings_hash
)
if
Rails
.
env
.
development?
allow_cdn
(
settings_hash
)
if
ENV
[
'GITLAB_CDN_HOST'
].
present?
settings_hash
end
end
def
initialize
(
csp_directives
)
def
initialize
(
csp_directives
)
...
@@ -38,6 +60,26 @@ module Gitlab
...
@@ -38,6 +60,26 @@ module Gitlab
arguments
.
strip
.
split
(
' '
).
map
(
&
:strip
)
arguments
.
strip
.
split
(
' '
).
map
(
&
:strip
)
end
end
def
self
.
allow_webpack_dev_server
(
settings_hash
)
secure
=
Settings
.
webpack
.
dev_server
[
'https'
]
host_and_port
=
"
#{
Settings
.
webpack
.
dev_server
[
'host'
]
}
:
#{
Settings
.
webpack
.
dev_server
[
'port'
]
}
"
http_url
=
"
#{
secure
?
'https'
:
'http'
}
://
#{
host_and_port
}
"
ws_url
=
"
#{
secure
?
'wss'
:
'ws'
}
://
#{
host_and_port
}
"
append_to_directive
(
settings_hash
,
'connect_src'
,
"
#{
http_url
}
#{
ws_url
}
"
)
end
def
self
.
allow_cdn
(
settings_hash
)
cdn_host
=
ENV
[
'GITLAB_CDN_HOST'
]
append_to_directive
(
settings_hash
,
'script_src'
,
cdn_host
)
append_to_directive
(
settings_hash
,
'style_src'
,
cdn_host
)
end
def
self
.
append_to_directive
(
settings_hash
,
directive
,
text
)
settings_hash
[
'directives'
][
directive
]
=
"
#{
settings_hash
[
'directives'
][
directive
]
}
#{
text
}
"
.
strip
end
end
end
end
end
end
end
spec/lib/gitlab/content_security_policy/config_loader_spec.rb
View file @
24d2d927
...
@@ -20,15 +20,34 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
...
@@ -20,15 +20,34 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end
end
describe
'.default_settings_hash'
do
describe
'.default_settings_hash'
do
it
'returns
empty default
s'
do
it
'returns
defaults for all key
s'
do
settings
=
described_class
.
default_settings_hash
settings
=
described_class
.
default_settings_hash
expect
(
settings
[
'enabled'
]).
to
be_
false
y
expect
(
settings
[
'enabled'
]).
to
be_
truth
y
expect
(
settings
[
'report_only'
]).
to
be_falsey
expect
(
settings
[
'report_only'
]).
to
be_falsey
described_class
::
DIRECTIVES
.
each
do
|
directive
|
directives
=
settings
[
'directives'
]
expect
(
settings
[
'directives'
].
has_key?
(
directive
)).
to
be_truthy
directive_names
=
(
described_class
::
DIRECTIVES
-
[
'report_uri'
])
expect
(
settings
[
'directives'
][
directive
]).
to
be_nil
directive_names
.
each
do
|
directive
|
expect
(
directives
.
has_key?
(
directive
)).
to
be_truthy
expect
(
directives
[
directive
]).
to
be_truthy
end
expect
(
directives
.
has_key?
(
'report_uri'
)).
to
be_truthy
expect
(
directives
[
'report_uri'
]).
to
be_nil
end
context
'when GITLAB_CDN_HOST is set'
do
before
do
stub_env
(
'GITLAB_CDN_HOST'
,
'https://example.com'
)
end
it
'adds GITLAB_CDN_HOST to CSP'
do
settings
=
described_class
.
default_settings_hash
directives
=
settings
[
'directives'
]
expect
(
directives
[
'script_src'
]).
to
eq
(
"'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com https://example.com"
)
expect
(
directives
[
'style_src'
]).
to
eq
(
"'self' 'unsafe-inline' https://example.com"
)
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment