Forbid scripting for wiki files

Wiki files (not pages - files in the repo) are just sent to the browser with whatever content-type the mime_types gem assigns to them based on their extension. As this is from the same domain as the GitLab application, this is an XSS vulnerability. Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these files.
author: Sean McGivern <sean@gitlab.com> 2016-06-08 15:09:12 +0100
committer: Sean McGivern <sean@gitlab.com> 2016-06-14 11:28:58 +0100
commit: 1cda245cc4f04dedfb826053c95166a141d2ca4a (patch)
tree: 5c6af7208816533bb40b4ac886b2b4067f491357 /app/controllers/projects/wikis_controller.rb
parent: 066020fcd015ca92397b794342a49a46dd02582c (diff)
download: gitlab-ce-1cda245cc4f04dedfb826053c95166a141d2ca4a.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/app/controllers/projects/wikis_controller.rb b/app/controllers/projects/wikis_controller.rb
index 2aa6bed0724..7ec1e73b3be 100644
--- a/app/controllers/projects/wikis_controller.rb
+++ b/app/controllers/projects/wikis_controller.rb
@@ -16,6 +16,9 @@ class Projects::WikisController < Projects::ApplicationController
     if @page
       render 'show'
     elsif file = @project_wiki.find_file(params[:id], params[:version_id])
+      response.headers['Content-Security-Policy'] = "default-src 'none'"
+      response.headers['X-Content-Security-Policy'] = "default-src 'none'"
+
       if file.on_disk?
         send_file file.on_disk_path, disposition: 'inline'
       else
author	Sean McGivern <sean@gitlab.com>	2016-06-08 15:09:12 +0100
committer	Sean McGivern <sean@gitlab.com>	2016-06-14 11:28:58 +0100
commit	1cda245cc4f04dedfb826053c95166a141d2ca4a (patch)
tree	5c6af7208816533bb40b4ac886b2b4067f491357 /app/controllers/projects/wikis_controller.rb
parent	066020fcd015ca92397b794342a49a46dd02582c (diff)
download	gitlab-ce-1cda245cc4f04dedfb826053c95166a141d2ca4a.tar.gz