gitlab.com/gitlab-org/gitlab-foss.git

author Robert Speicher <robert@gitlab.com> 2016-06-14 17:53:01 +0300
committer Tomasz Maczukin <tomasz@maczukin.pl> 2016-06-14 20:24:18 +0300
commit c041db4f8d721e16bce4091b2be1e65632763bea
tree 72b2fe3feebfd327bf38dbf48886866f6070672c /app
parent 0b5cd653a9ce068ea71adb8ad370c53d066ecff8

Merge branch '17298-wiki-xss' into 'master'

Forbid scripting for wiki files

Wiki files (not pages - files in the repo) are just sent to the browser with whatever content-type the mime_types gem assigns to them based on their extension. As this is from the same domain as the GitLab application, this is an XSS vulnerability.

Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these files.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17298.

See merge request !1969

Diffstat (limited to 'app')
-rw-r--r-- app/controllers/projects/wikis_controller.rb 3
1 files changed, 3 insertions, 0 deletions

diff --git a/app/controllers/projects/wikis_controller.rb b/app/controllers/projects/wikis_controller.rb
index 88fccfed509..712e73bb96c 100644
--- a/app/controllers/projects/wikis_controller.rb
+++ b/app/controllers/projects/wikis_controller.rb
@@ -16,6 +16,9 @@ class Projects::WikisController < Projects::ApplicationController
if @page
render 'show'
elsif file = @project_wiki.find_file(params[:id], params[:version_id])
+ response.headers['Content-Security-Policy'] = "default-src 'none'"
+ response.headers['X-Content-Security-Policy'] = "default-src 'none'"
+
if file.on_disk?
send_file file.on_disk_path, disposition: 'inline'
else
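
Review bot: the policy on the two added header lines is only `default-src 'none'`, while the `file.on_disk?` branch right below still sends the file with `disposition: 'inline'`, so an HTML wiki file keeps rendering as a document on the application origin. `default-src` is not a fallback for `form-action`, `base-uri` or `sandbox`, so consider adding `sandbox` (and `form-action 'none'`) to the policy, or serving anything that is not an image as an attachment. The same literal is also written twice; a single constant would keep the standard header and the legacy `X-Content-Security-Policy` header from drifting apart, and a one-line comment saying why the headers are set only on the file branch would help the next reader.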