From 9a940dabf04df126e7978c0ab4b8770b86dcaaa8 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Thu, 7 Dec 2023 15:12:19 +0000 Subject: Add latest changes from gitlab-org/gitlab@master --- app/controllers/acme_challenges_controller.rb | 4 +- app/controllers/application_controller.rb | 30 +-------------- app/controllers/base_action_controller.rb | 53 +++++++++++++++++++++++++++ app/controllers/chaos_controller.rb | 4 +- app/controllers/health_controller.rb | 4 +- app/controllers/metrics_controller.rb | 4 +- 6 files changed, 58 insertions(+), 41 deletions(-) create mode 100644 app/controllers/base_action_controller.rb (limited to 'app/controllers') diff --git a/app/controllers/acme_challenges_controller.rb b/app/controllers/acme_challenges_controller.rb index 4a7706db94e..a187e43b3df 100644 --- a/app/controllers/acme_challenges_controller.rb +++ b/app/controllers/acme_challenges_controller.rb @@ -1,7 +1,6 @@ # frozen_string_literal: true -# rubocop:disable Rails/ApplicationController -class AcmeChallengesController < ActionController::Base +class AcmeChallengesController < BaseActionController def show if acme_order render plain: acme_order.challenge_file_content, content_type: 'text/plain' @@ -16,4 +15,3 @@ class AcmeChallengesController < ActionController::Base @acme_order ||= PagesDomainAcmeOrder.find_by_domain_and_token(params[:domain], params[:token]) end end -# rubocop:enable Rails/ApplicationController diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index f4d9d616851..8156cf8e165 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -3,7 +3,7 @@ require 'gon' require 'fogbugz' -class ApplicationController < ActionController::Base +class ApplicationController < BaseActionController include Gitlab::GonHelper include Gitlab::NoCacheHeaders include GitlabRoutingHelper 
@@ -25,7 +25,6 @@ class ApplicationController < ActionController::Base include FlocOptOut include CheckRateLimit include RequestPayloadLogger - extend ContentSecurityPolicyPatch before_action :limit_session_time, if: -> { !current_user } before_action :authenticate_user!, except: [:route_not_found] @@ -113,33 +112,6 @@ class ApplicationController < ActionController::Base render plain: e.message, status: :service_unavailable end - content_security_policy do |p| - next if p.directives.blank? - - if helpers.vite_enabled? - vite_host = ViteRuby.instance.config.host - vite_port = ViteRuby.instance.config.port - vite_origin = "#{vite_host}:#{vite_port}" - http_origin = "http://#{vite_origin}" - ws_origin = "ws://#{vite_origin}" - wss_origin = "wss://#{vite_origin}" - gitlab_ws_origin = Gitlab::Utils.append_path(Gitlab.config.gitlab.url, 'vite-dev/') - http_path = Gitlab::Utils.append_path(http_origin, 'vite-dev/') - - connect_sources = p.directives['connect-src'] - p.connect_src(*(Array.wrap(connect_sources) | [ws_origin, wss_origin, http_path])) - - worker_sources = p.directives['worker-src'] - p.worker_src(*(Array.wrap(worker_sources) | [gitlab_ws_origin, http_path])) - end - - next unless Gitlab::CurrentSettings.snowplow_enabled? && !Gitlab::CurrentSettings.snowplow_collector_hostname.blank? - - default_connect_src = p.directives['connect-src'] || p.directives['default-src'] - connect_src_values = Array.wrap(default_connect_src) | [Gitlab::CurrentSettings.snowplow_collector_hostname] - p.connect_src(*connect_src_values) - end - def redirect_back_or_default(default: root_path, options: {}) redirect_back(fallback_location: default, **options) end diff --git a/app/controllers/base_action_controller.rb b/app/controllers/base_action_controller.rb new file mode 100644 index 00000000000..05ba00426c2 --- /dev/null +++ b/app/controllers/base_action_controller.rb 
@@ -0,0 +1,53 @@ +# frozen_string_literal: true + +# GitLab lightweight base action controller +# +# This class should be limited to content that +# is desired/required for *all* controllers in +# GitLab. +# +# Most controllers inherit from `ApplicationController`. +# Some controllers don't want or need all of that +# logic and instead inherit from `ActionController::Base`. +# This makes it difficult to set security headers and +# handle other critical logic across *all* controllers. +# +# Between this controller and `ApplicationController` +# no controller should ever inherit directly from +# `ActionController::Base` +# +# rubocop:disable Rails/ApplicationController -- This class is specifically meant as a base class for controllers that +# don't inherit from ApplicationController +# rubocop:disable Gitlab/NamespacedClass -- Base controllers live in the global namespace +class BaseActionController < ActionController::Base + extend ContentSecurityPolicyPatch + + content_security_policy do |p| + next if p.directives.blank? + + if helpers.vite_enabled? + vite_host = ViteRuby.instance.config.host + vite_port = ViteRuby.instance.config.port + vite_origin = "#{vite_host}:#{vite_port}" + http_origin = "http://#{vite_origin}" + ws_origin = "ws://#{vite_origin}" + wss_origin = "wss://#{vite_origin}" + gitlab_ws_origin = Gitlab::Utils.append_path(Gitlab.config.gitlab.url, 'vite-dev/') + http_path = Gitlab::Utils.append_path(http_origin, 'vite-dev/') + + connect_sources = p.directives['connect-src'] + p.connect_src(*(Array.wrap(connect_sources) | [ws_origin, wss_origin, http_path])) + + worker_sources = p.directives['worker-src'] + p.worker_src(*(Array.wrap(worker_sources) | [gitlab_ws_origin, http_path])) + end + + next unless Gitlab::CurrentSettings.snowplow_enabled? && !Gitlab::CurrentSettings.snowplow_collector_hostname.blank? 
+ + default_connect_src = p.directives['connect-src'] || p.directives['default-src'] + connect_src_values = Array.wrap(default_connect_src) | [Gitlab::CurrentSettings.snowplow_collector_hostname] + p.connect_src(*connect_src_values) + end +end +# rubocop:enable Gitlab/NamespacedClass +# rubocop:enable Rails/ApplicationController diff --git a/app/controllers/chaos_controller.rb b/app/controllers/chaos_controller.rb index 7328b793b09..b61a8c5ff12 100644 --- a/app/controllers/chaos_controller.rb +++ b/app/controllers/chaos_controller.rb @@ -1,7 +1,6 @@ # frozen_string_literal: true -# rubocop:disable Rails/ApplicationController -class ChaosController < ActionController::Base +class ChaosController < BaseActionController before_action :validate_chaos_secret, unless: :development_or_test? def leakmem @@ -95,4 +94,3 @@ class ChaosController < ActionController::Base Rails.env.development? || Rails.env.test? end end -# rubocop:enable Rails/ApplicationController diff --git a/app/controllers/health_controller.rb b/app/controllers/health_controller.rb index 1381999ab4c..2b2db2f950c 100644 --- a/app/controllers/health_controller.rb +++ b/app/controllers/health_controller.rb @@ -1,7 +1,6 @@ # frozen_string_literal: true -# rubocop:disable Rails/ApplicationController -class HealthController < ActionController::Base +class HealthController < BaseActionController protect_from_forgery with: :exception, prepend: true include RequiresAllowlistedMonitoringClient @@ -40,4 +39,3 @@ class HealthController < ActionController::Base render json: result.json, status: result.http_status end end -# rubocop:enable Rails/ApplicationController diff --git a/app/controllers/metrics_controller.rb b/app/controllers/metrics_controller.rb index 9f41c092fa0..61851fd1c60 100644 --- a/app/controllers/metrics_controller.rb +++ b/app/controllers/metrics_controller.rb 
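Review bot: In the `helpers.vite_enabled?` branch of the `content_security_policy` block, `connect_sources = p.directives['connect-src']` does not fall back to `default-src` the way the snowplow branch below it does (`p.directives['connect-src'] || p.directives['default-src']`), so on a policy that only declares `default-src`, `p.connect_src(...)` replaces the inherited fallback with just the three Vite origins; `worker_sources` has the same shape. Since `vite_enabled?` presumably only holds in development this narrows the policy on dev instances rather than in production, but it surfaces as blocked requests that look like a CSP regression and is easy to misattribute. Aligning the lookups, `connect_sources = p.directives['connect-src'] || p.directives['default-src']` and `worker_sources = p.directives['worker-src'] || p.directives['default-src']`, makes all three directive merges behave consistently. The block was moved here verbatim from `ApplicationController`, so this is pre-existing behaviour, but this class is now the one place where it applies to every controller, which is the right moment to fix it.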
@@ -1,7 +1,6 @@ # frozen_string_literal: true -# rubocop:disable Rails/ApplicationController -class MetricsController < ActionController::Base +class MetricsController < BaseActionController include RequiresAllowlistedMonitoringClient protect_from_forgery with: :exception, prepend: true @@ -36,4 +35,3 @@ class MetricsController < ActionController::Base ) end end -# rubocop:enable Rails/ApplicationController -- cgit v1.2.3