Commit 7c87aeab authored by Etienne Baqué's avatar Etienne Baqué

Merge branch 'default-csp' into 'master'

Adds a CSP that is enabled by default

See merge request gitlab-org/gitlab!56923
parents b93a4223 24d2d927
---
title: Enable Content-Security-Policy header by default
merge_request: 56923
author:
type: other
...@@ -8,11 +8,33 @@ module Gitlab ...@@ -8,11 +8,33 @@ module Gitlab
media_src object_src report_uri script_src style_src worker_src).freeze media_src object_src report_uri script_src style_src worker_src).freeze
def self.default_settings_hash def self.default_settings_hash
{ settings_hash = {
'enabled' => false, 'enabled' => true,
'report_only' => false, 'report_only' => false,
'directives' => DIRECTIVES.each_with_object({}) { |directive, hash| hash[directive] = nil } 'directives' => {
'default_src' => "'self'",
'base_uri' => "'self'",
'child_src' => "'none'",
'connect_src' => "'self'",
'font_src' => "'self'",
'form_action' => "'self' https: http:",
'frame_ancestors' => "'self'",
'frame_src' => "'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
'img_src' => "'self' data: blob: http: https:",
'manifest_src' => "'self'",
'media_src' => "'self'",
'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com",
'style_src' => "'self' 'unsafe-inline'",
'worker_src' => "'self'",
'object_src' => "'none'",
'report_uri' => nil
}
} }
allow_webpack_dev_server(settings_hash) if Rails.env.development?
allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?
settings_hash
end end
def initialize(csp_directives) def initialize(csp_directives)
...@@ -38,6 +60,26 @@ module Gitlab ...@@ -38,6 +60,26 @@ module Gitlab
arguments.strip.split(' ').map(&:strip) arguments.strip.split(' ').map(&:strip)
end end
def self.allow_webpack_dev_server(settings_hash)
secure = Settings.webpack.dev_server['https']
host_and_port = "#{Settings.webpack.dev_server['host']}:#{Settings.webpack.dev_server['port']}"
http_url = "#{secure ? 'https' : 'http'}://#{host_and_port}"
ws_url = "#{secure ? 'wss' : 'ws'}://#{host_and_port}"
append_to_directive(settings_hash, 'connect_src', "#{http_url} #{ws_url}")
end
def self.allow_cdn(settings_hash)
cdn_host = ENV['GITLAB_CDN_HOST']
append_to_directive(settings_hash, 'script_src', cdn_host)
append_to_directive(settings_hash, 'style_src', cdn_host)
end
def self.append_to_directive(settings_hash, directive, text)
settings_hash['directives'][directive] = "#{settings_hash['directives'][directive]} #{text}".strip
end
end end
end end
end end
...@@ -20,15 +20,34 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -20,15 +20,34 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end end
describe '.default_settings_hash' do describe '.default_settings_hash' do
it 'returns empty defaults' do it 'returns defaults for all keys' do
settings = described_class.default_settings_hash settings = described_class.default_settings_hash
expect(settings['enabled']).to be_falsey expect(settings['enabled']).to be_truthy
expect(settings['report_only']).to be_falsey expect(settings['report_only']).to be_falsey
described_class::DIRECTIVES.each do |directive| directives = settings['directives']
expect(settings['directives'].has_key?(directive)).to be_truthy directive_names = (described_class::DIRECTIVES - ['report_uri'])
expect(settings['directives'][directive]).to be_nil directive_names.each do |directive|
expect(directives.has_key?(directive)).to be_truthy
expect(directives[directive]).to be_truthy
end
expect(directives.has_key?('report_uri')).to be_truthy
expect(directives['report_uri']).to be_nil
end
context 'when GITLAB_CDN_HOST is set' do
before do
stub_env('GITLAB_CDN_HOST', 'https://example.com')
end
it 'adds GITLAB_CDN_HOST to CSP' do
settings = described_class.default_settings_hash
directives = settings['directives']
expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com https://example.com")
expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment