Merge branch 'default-csp' into 'master'

Adds a CSP that is enabled by default See merge request gitlab-org/gitlab!56923

Merge branch 'default-csp' into 'master'
Adds a CSP that is enabled by default See merge request gitlab-org/gitlab!56923
7c87aeab · Etienne Baqué · b93a4223 · 24d2d927 · 7c87aeab · 7c87aeab
Commit 7c87aeab authored May 11, 2021 by Etienne Baqué
3 changed files
--- a/changelogs/unreleased/default-csp.yml
+++ b/changelogs/unreleased/default-csp.yml
+---
+title: Enable Content-Security-Policy header by default
+merge_request: 56923
+author:
+type: other
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -8,11 +8,33 @@ module Gitlab
                      media_src object_src report_uri script_src style_src worker_src).freeze

      def self.default_settings_hash
-        {
-          'enabled' => false,
+        settings_hash = {
+          'enabled' => true,
          'report_only' => false,
-          'directives' => DIRECTIVES.each_with_object({}) { |directive, hash| hash[directive] = nil }
+          'directives' => {
+            'default_src' => "'self'",
+            'base_uri' => "'self'",
+            'child_src' => "'none'",
+            'connect_src' => "'self'",
+            'font_src' => "'self'",
+            'form_action' => "'self' https: http:",
+            'frame_ancestors' => "'self'",
+            'frame_src' => "'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
+            'img_src' => "'self' data: blob: http: https:",
+            'manifest_src' => "'self'",
+            'media_src' => "'self'",
+            'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com",
+            'style_src' => "'self' 'unsafe-inline'",
+            'worker_src' => "'self'",
+            'object_src' => "'none'",
+            'report_uri' => nil
+          }
        }
+
+        allow_webpack_dev_server(settings_hash) if Rails.env.development?
+        allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?
+
+        settings_hash
      end

      def initialize(csp_directives)
@@ -38,6 +60,26 @@ module Gitlab

        arguments.strip.split(' ').map(&:strip)
      end
+
+      def self.allow_webpack_dev_server(settings_hash)
+        secure = Settings.webpack.dev_server['https']
+        host_and_port = "#{Settings.webpack.dev_server['host']}:#{Settings.webpack.dev_server['port']}"
+        http_url = "#{secure ? 'https' : 'http'}://#{host_and_port}"
+        ws_url = "#{secure ? 'wss' : 'ws'}://#{host_and_port}"
+
+        append_to_directive(settings_hash, 'connect_src', "#{http_url} #{ws_url}")
+      end
+
+      def self.allow_cdn(settings_hash)
+        cdn_host = ENV['GITLAB_CDN_HOST']
+
+        append_to_directive(settings_hash, 'script_src', cdn_host)
+        append_to_directive(settings_hash, 'style_src', cdn_host)
+      end
+
+      def self.append_to_directive(settings_hash, directive, text)
+        settings_hash['directives'][directive] = "#{settings_hash['directives'][directive]} #{text}".strip
+      end
    end
  end
 end
--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -20,15 +20,34 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
  end

  describe '.default_settings_hash' do
-    it 'returns empty defaults' do
+    it 'returns defaults for all keys' do
      settings = described_class.default_settings_hash

-      expect(settings['enabled']).to be_falsey
+      expect(settings['enabled']).to be_truthy
      expect(settings['report_only']).to be_falsey

-      described_class::DIRECTIVES.each do |directive|
-        expect(settings['directives'].has_key?(directive)).to be_truthy
-        expect(settings['directives'][directive]).to be_nil
+      directives = settings['directives']
+      directive_names = (described_class::DIRECTIVES - ['report_uri'])
+      directive_names.each do |directive|
+        expect(directives.has_key?(directive)).to be_truthy
+        expect(directives[directive]).to be_truthy
+      end
+
+      expect(directives.has_key?('report_uri')).to be_truthy
+      expect(directives['report_uri']).to be_nil
+    end
+
+    context 'when GITLAB_CDN_HOST is set' do
+      before do
+        stub_env('GITLAB_CDN_HOST', 'https://example.com')
+      end
+
+      it 'adds GITLAB_CDN_HOST to CSP' do
+        settings = described_class.default_settings_hash
+        directives = settings['directives']
+
+        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com https://example.com")
+        expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
      end
    end
  end