Commit e2e17fe6 authored by Maxime Orefice's avatar Maxime Orefice

Fix artifacts content-type

This commit lets workhorse set the content-type when serving
artifacts. This prevents an attacker from hosting a malicious JavaScript
payload as an artifact and bypassing our CSP.

Changelog: security
parent 1cffa4a3
......@@ -38,6 +38,8 @@ module WorkhorseHelper
# Send an entry from artifacts through Workhorse
def send_artifacts_entry(file, entry)
headers.store(*Gitlab::Workhorse.send_artifacts_entry(file, entry))
headers.store(*Gitlab::Workhorse.detect_content_type)
head :ok
end
......
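Review bot: The detection header is added separately at each call site, so the mitigation holds only if every caller of `Gitlab::Workhorse.send_artifacts_entry` also calls `detect_content_type`; the API helper hunk under `module API` repeats the same two-line pattern, and any further caller not shown on this page would still serve artifacts without detection. Consider having `send_artifacts_entry` return the detection header alongside the send-data header so the two cannot be separated, or at least documenting the coupling at the call site: `# Workhorse must sniff the type of the served entry itself; the artifact's stored Content-Type is user-controlled.` The enclosing `WorkhorseHelper` module starts outside the hunk.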
......@@ -707,6 +707,7 @@ module API
def send_artifacts_entry(file, entry)
header(*Gitlab::Workhorse.send_artifacts_entry(file, entry))
header(*Gitlab::Workhorse.detect_content_type)
body ''
end
......
......@@ -226,6 +226,13 @@ module Gitlab
end
end
def detect_content_type
[
Gitlab::Workhorse::DETECT_HEADER,
'true'
]
end
protected
# This is the outermost encoding of a senddata: header. It is safe for
......
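Review bot: `detect_content_type` carries no comment saying what the header means or which component consumes it, and it rebuilds the same two-element array on every call. A one-line comment such as `# Tells Workhorse to determine the Content-Type of the served body itself instead of forwarding the one Rails set` would make the intent visible to the next maintainer, and the pair could be a frozen constant, e.g. `DETECT_CONTENT_TYPE = [DETECT_HEADER, 'true'].freeze`, returned by the method. Whether the method sits under `class << self` is not visible in the hunk, though the spec calls it as `described_class.detect_content_type`.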
......@@ -323,6 +323,7 @@ RSpec.describe Projects::ArtifactsController do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.headers['Gitlab-Workhorse-Detect-Content-Type']).to eq('true')
expect(send_data).to start_with('artifacts-entry:')
expect(params.keys).to eq(%w(Archive Entry))
......
......@@ -448,6 +448,14 @@ RSpec.describe Gitlab::Workhorse do
end
end
describe '.detect_content_type' do
subject { described_class.detect_content_type }
it 'returns array setting detect content type in workhorse' do
expect(subject).to eq(%w[Gitlab-Workhorse-Detect-Content-Type true])
end
end
describe '.send_git_blob' do
include FakeBlobHelpers
......
......@@ -568,7 +568,8 @@ RSpec.describe API::Ci::JobArtifacts do
expect(response).to have_gitlab_http_status(:ok)
expect(response.headers.to_h)
.to include('Content-Type' => 'application/json',
'Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
'Gitlab-Workhorse-Send-Data' => /artifacts-entry/,
'Gitlab-Workhorse-Detect-Content-Type' => 'true')
end
end
......@@ -638,7 +639,8 @@ RSpec.describe API::Ci::JobArtifacts do
expect(response).to have_gitlab_http_status(:ok)
expect(response.headers.to_h)
.to include('Content-Type' => 'application/json',
'Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
'Gitlab-Workhorse-Send-Data' => /artifacts-entry/,
'Gitlab-Workhorse-Detect-Content-Type' => 'true')
expect(response.parsed_body).to be_empty
end
end
......@@ -656,7 +658,8 @@ RSpec.describe API::Ci::JobArtifacts do
expect(response).to have_gitlab_http_status(:ok)
expect(response.headers.to_h)
.to include('Content-Type' => 'application/json',
'Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
'Gitlab-Workhorse-Send-Data' => /artifacts-entry/,
'Gitlab-Workhorse-Detect-Content-Type' => 'true')
end
end
......
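Review bot: All three hunks keep asserting `'Content-Type' => 'application/json'` next to the new detect header, which records that Rails still emits a JSON type for an artifact entry and relies on Workhorse to replace it; nothing in these specs shows that Workhorse honors `Gitlab-Workhorse-Detect-Content-Type`, so the end-to-end behaviour is presumably covered on the Workhorse side. The same five-line expectation is now duplicated three times; a `let(:expected_headers)` hash or a shared example would keep them in sync when the next header is added. The enclosing `it` blocks start outside each hunk.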