authorGitLab Bot <gitlab-bot@gitlab.com>2021-08-19 12:08:42 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-08-19 12:08:42 +0300
commitb76ae638462ab0f673e5915986070518dd3f9ad3 (patch)
treebdab0533383b52873be0ec0eb4d3c66598ff8b91 /lib/gitlab/content_security_policy
parent434373eabe7b4be9593d18a585fb763f1e5f1a6f (diff)
Add latest changes from gitlab-org/gitlab@14-2-stable-eev14.2.0-rc42
Diffstat (limited to 'lib/gitlab/content_security_policy')
-rw-r--r--lib/gitlab/content_security_policy/config_loader.rb83
1 files changed, 45 insertions, 38 deletions
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index 842920ba02e..bdcedd1896d 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -7,39 +7,40 @@ module Gitlab
form_action frame_ancestors frame_src img_src manifest_src
media_src object_src report_uri script_src style_src worker_src).freeze
- def self.default_settings_hash
- settings_hash = {
- 'enabled' => Rails.env.development? || Rails.env.test?,
- 'report_only' => false,
- 'directives' => {
- 'default_src' => "'self'",
- 'base_uri' => "'self'",
- 'connect_src' => "'self'",
- 'font_src' => "'self'",
- 'form_action' => "'self' https: http:",
- 'frame_ancestors' => "'self'",
- 'frame_src' => "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
- 'img_src' => "'self' data: blob: http: https:",
- 'manifest_src' => "'self'",
- 'media_src' => "'self'",
- 'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
- 'style_src' => "'self' 'unsafe-inline'",
- 'worker_src' => "'self' blob: data:",
- 'object_src' => "'none'",
- 'report_uri' => nil
- }
+ def self.default_enabled
+ Rails.env.development? || Rails.env.test?
+ end
+
+ def self.default_directives
+ directives = {
+ 'default_src' => "'self'",
+ 'base_uri' => "'self'",
+ 'connect_src' => "'self'",
+ 'font_src' => "'self'",
+ 'form_action' => "'self' https: http:",
+ 'frame_ancestors' => "'self'",
+ 'frame_src' => "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
+ 'img_src' => "'self' data: blob: http: https:",
+ 'manifest_src' => "'self'",
+ 'media_src' => "'self'",
+ 'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
+ 'style_src' => "'self' 'unsafe-inline'",
+ 'worker_src' => "'self' blob: data:",
+ 'object_src' => "'none'",
+ 'report_uri' => nil
}
# frame-src was deprecated in CSP level 2 in favor of child-src
# CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing
# However Safari seems to read child-src first so we'll just keep both equal
- settings_hash['directives']['child_src'] = settings_hash['directives']['frame_src']
+ directives['child_src'] = directives['frame_src']
- allow_webpack_dev_server(settings_hash) if Rails.env.development?
- allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?
- allow_customersdot(settings_hash) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present?
+ allow_webpack_dev_server(directives) if Rails.env.development?
+ allow_cdn(directives, Settings.gitlab.cdn_host) if Settings.gitlab.cdn_host.present?
+ allow_customersdot(directives) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present?
+ allow_sentry(directives) if Gitlab.config.sentry&.enabled && Gitlab.config.sentry&.clientside_dsn
- settings_hash
+ directives
end
def initialize(csp_directives)
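Review bot: `default_directives` carries no documentation of what it returns or why four environment-dependent `allow_*` calls are layered on top of the literal hash, so a reader has to chase each helper to learn which origins end up in the shipped policy. A short header above `def self.default_directives` such as `# Default CSP directives; development, CDN, customers-portal and Sentry sources are appended by the allow_* helpers below when configured.` would make the method self-explanatory, and a note next to the `allow_sentry` guard that `Gitlab.config.sentry` may itself be nil (hence the `&.`) would explain the safe navigation. As a point of style, `Rails.env.development?` is evaluated on both the `allow_webpack_dev_server` and `allow_customersdot` lines and again in `default_enabled`; hoisting it into a local would make the development-only block easier to scan. The enclosing class header lies outside this hunk.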
@@ -66,31 +67,37 @@ module Gitlab
arguments.strip.split(' ').map(&:strip)
end
- def self.allow_webpack_dev_server(settings_hash)
+ def self.allow_webpack_dev_server(directives)
secure = Settings.webpack.dev_server['https']
host_and_port = "#{Settings.webpack.dev_server['host']}:#{Settings.webpack.dev_server['port']}"
http_url = "#{secure ? 'https' : 'http'}://#{host_and_port}"
ws_url = "#{secure ? 'wss' : 'ws'}://#{host_and_port}"
- append_to_directive(settings_hash, 'connect_src', "#{http_url} #{ws_url}")
+ append_to_directive(directives, 'connect_src', "#{http_url} #{ws_url}")
end
- def self.allow_cdn(settings_hash)
- cdn_host = ENV['GITLAB_CDN_HOST']
-
- append_to_directive(settings_hash, 'script_src', cdn_host)
- append_to_directive(settings_hash, 'style_src', cdn_host)
- append_to_directive(settings_hash, 'font_src', cdn_host)
+ def self.allow_cdn(directives, cdn_host)
+ append_to_directive(directives, 'script_src', cdn_host)
+ append_to_directive(directives, 'style_src', cdn_host)
+ append_to_directive(directives, 'font_src', cdn_host)
end
- def self.append_to_directive(settings_hash, directive, text)
- settings_hash['directives'][directive] = "#{settings_hash['directives'][directive]} #{text}".strip
+ def self.append_to_directive(directives, directive, text)
+ directives[directive] = "#{directives[directive]} #{text}".strip
end
- def self.allow_customersdot(settings_hash)
+ def self.allow_customersdot(directives)
customersdot_host = ENV['CUSTOMER_PORTAL_URL']
- append_to_directive(settings_hash, 'frame_src', customersdot_host)
+ append_to_directive(directives, 'frame_src', customersdot_host)
+ end
+
+ def self.allow_sentry(directives)
+ sentry_dsn = Gitlab.config.sentry.clientside_dsn
+ sentry_uri = URI(sentry_dsn)
+ sentry_uri.user = nil
+
+ append_to_directive(directives, 'connect_src', sentry_uri.to_s)
end
end
end
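Review bot: `allow_sentry` strips only the user component from the DSN, so any path or query the configured `clientside_dsn` carries is kept in the `connect_src` source expression; because CSP matches a source with a path against the request path, a DSN that names the project in its path would not match requests the client sends to other paths on that host, and the intended allowance may still be blocked — worth verifying against the reporting endpoint the browser SDK actually uses. If origin-level allowance is what is meant, add `sentry_uri.path = ''` and `sentry_uri.query = nil` alongside `sentry_uri.user = nil`. Separately, `URI(sentry_dsn)` raises `URI::InvalidURIError` on a malformed DSN, which surfaces as a failure while the default policy is being built rather than as a configuration error pointing at `sentry.clientside_dsn`; decide whether that should fail fast or be rescued and logged, and say so in a comment above the call.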