author | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2016-02-24 11:53:30 +0100 |
---|---|---|
committer | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2016-02-24 11:53:30 +0100 |
commit | cf2c5396e014e54db7a3183380a8ed2b77b2e6e1 (patch) | |
tree | 1dbf75efad1006ff2aff91562e573d29455ec457 /app/helpers | |
parent | bd71438d6accb61a33b520177aeb92a3614eedb5 (diff) | |
download | gitlab-ce-cf2c5396e014e54db7a3183380a8ed2b77b2e6e1.tar.gz |
Explain why we mangle blob content types (safe-content-type)
Diffstat (limited to 'app/helpers')
-rw-r--r-- | app/helpers/blob_helper.rb | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb
index 7143a744869..7f63a2e2cb4 100644
--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -134,4 +134,22 @@ module BlobHelper
 blob.data = Loofah.scrub_fragment(blob.data, :strip).to_xml
 blob
 end
+
+ # If we blindly set the 'real' content type when serving a Git blob we
+ # are enabling XSS attacks. An attacker could upload e.g. a Javascript
+ # file to a Git repository, trick the browser of a victim into
+ # downloading the blob, and then the 'application/javascript' content
+ # type would tell the browser to execute the attacker's Javascript. By
+ # overriding the content type and setting it to 'text/plain' (in the
+ # example of Javascript) we tell the browser of the victim not to
+ # execute untrusted data.
+ def safe_content_type(blob)
+ if blob.text?
+ 'text/plain; charset=utf-8'
+ elsif blob.image?
+ blob.content_type
+ else
+ 'application/octet-stream'
+ end
+ end
 end |
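Review bot: The `elsif blob.image?` branch of `safe_content_type` returns `blob.content_type` unchanged, and if `image?` is true for SVG blobs that hands back `image/svg+xml`, a scriptable type to which the XSS rationale in the new comment applies just as much as to JavaScript; the Loofah scrub visible in the context lines above suggests a sanitising path exists, but nothing in this hunk ties it to the image branch. Either exclude SVG from the pass-through, e.g. `elsif blob.image? && blob.content_type != 'image/svg+xml'`, or document in the method comment that callers must only pass blobs that have already been scrubbed. It is also worth a sentence in the comment that the `text/plain` override only holds if the response is served with `X-Content-Type-Options: nosniff`, since the header comment presents the content type as the sole protection. The enclosing `module BlobHelper` opens outside the hunk.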