From 5fbbd3dd6e965f76ecf1767373bddd236a78a4be Mon Sep 17 00:00:00 2001 From: Stan Hu Date: Mon, 5 Aug 2019 23:14:32 -0700 Subject: Add support for Content-Security-Policy A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work. To support this, we need to change all `:javascript` HAML filters to the following form: ``` = javascript_tag nonce: true do :plain ... ``` We use `%script` throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value to be present. --- .../content_security_policy/config_loader_spec.rb | 59 ++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 spec/lib/gitlab/content_security_policy/config_loader_spec.rb (limited to 'spec/lib/gitlab/content_security_policy/config_loader_spec.rb') diff --git a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb new file mode 100644 index 00000000000..e7670c9d523 --- /dev/null +++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb @@ -0,0 +1,59 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe Gitlab::ContentSecurityPolicy::ConfigLoader do + let(:policy) { ActionDispatch::ContentSecurityPolicy.new } + let(:csp_config) do + { + enabled: true, + report_only: false, + directives: { + base_uri: 'http://example.com', + child_src: "'self' https://child.example.com", + default_src: "'self' https://other.example.com", + script_src: "'self' https://script.exammple.com ", + worker_src: "data: https://worker.example.com" + } + } + end + + context '.default_settings_hash' do + it 'returns empty defaults' do + settings = described_class.default_settings_hash + + expect(settings['enabled']).to be_falsey + expect(settings['report_only']).to be_falsey + + described_class::DIRECTIVES.each do |directive| + expect(settings['directives'].has_key?(directive)).to be_truthy + expect(settings['directives'][directive]).to be_nil + end + end + end + + context '#load' do + subject { described_class.new(csp_config[:directives]) } + + def expected_config(directive) + csp_config[:directives][directive].split(' ').map(&:strip) + end + + it 'sets the policy properly' do + subject.load(policy) + + expect(policy.directives['base-uri']).to eq([csp_config[:directives][:base_uri]]) + expect(policy.directives['default-src']).to eq(expected_config(:default_src)) + expect(policy.directives['child-src']).to eq(expected_config(:child_src)) + expect(policy.directives['worker-src']).to eq(expected_config(:worker_src)) + end + + it 'ignores malformed policy statements' do + csp_config[:directives][:base_uri] = 123 + + subject.load(policy) + + expect(policy.directives['base-uri']).to be_nil + end + end +end -- cgit v1.2.1 From d265408c26b6d4a6087df032b1928d142534d0a6 Mon Sep 17 00:00:00 2001 From: Stan Hu Date: Wed, 7 Aug 2019 11:17:12 -0700 Subject: Add missing report-uri to CSP config This is supported in Rails 5.2, although it may be deprecated in the future by reports-to. --- spec/lib/gitlab/content_security_policy/config_loader_spec.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'spec/lib/gitlab/content_security_policy/config_loader_spec.rb') diff --git a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb index e7670c9d523..1d404915617 100644 --- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb +++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb @@ -13,7 +13,8 @@ describe Gitlab::ContentSecurityPolicy::ConfigLoader do child_src: "'self' https://child.example.com", default_src: "'self' https://other.example.com", script_src: "'self' https://script.exammple.com ", - worker_src: "data: https://worker.example.com" + worker_src: "data: https://worker.example.com", + report_uri: "http://example.com" } } end @@ -46,6 +47,7 @@ describe Gitlab::ContentSecurityPolicy::ConfigLoader do expect(policy.directives['default-src']).to eq(expected_config(:default_src)) expect(policy.directives['child-src']).to eq(expected_config(:child_src)) expect(policy.directives['worker-src']).to eq(expected_config(:worker_src)) + expect(policy.directives['report-uri']).to eq(expected_config(:report_uri)) end it 'ignores malformed policy statements' do -- cgit v1.2.1