Class: Gitlab::ContentSecurityPolicy::ConfigLoader

Inherits:
Object
  • Object
show all
Defined in:
lib/gitlab/content_security_policy/config_loader.rb

Constant Summary collapse

DIRECTIVES =
%w[
  base_uri child_src connect_src default_src font_src form_action
  frame_ancestors frame_src img_src manifest_src media_src object_src
  report_uri script_src style_src worker_src
].freeze
DEFAULT_FALLBACK_VALUE =
'<default_value>'
HTTP_PORTS =
[80, 443].freeze

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(csp_directives) ⇒ ConfigLoader

Returns a new instance of ConfigLoader.



191
192
193
194
195
196
197
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 191

def initialize(csp_directives)
  # Using <default_value> falls back to the default values.
  @merged_csp_directives = csp_directives
    .reject { |_, value| value == DEFAULT_FALLBACK_VALUE }
    .with_indifferent_access
    .reverse_merge(ConfigLoader.default_directives)
end

Class Method Details

.add_browsersdk_tracking(directives) ⇒ Object



86
87
88
89
90
91
92
93
94
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 86

def add_browsersdk_tracking(directives)
  return if directives.blank?
  return unless Gitlab.com? && ENV['GITLAB_ANALYTICS_URL'].present?

  default_connect_src = directives['connect-src'] || directives['default-src']
  connect_src_values = Array.wrap(default_connect_src) | [ENV['GITLAB_ANALYTICS_URL']]

  append_to_directive(directives, 'connect_src', connect_src_values.join(' '))
end

.allow_cdn(directives) ⇒ Object



117
118
119
120
121
122
123
124
125
126
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 117

def allow_cdn(directives)
  cdn_host = Settings.gitlab.cdn_host.presence
  return unless cdn_host

  append_to_directive(directives, 'script_src', cdn_host)
  append_to_directive(directives, 'style_src', cdn_host)
  append_to_directive(directives, 'font_src', cdn_host)
  append_to_directive(directives, 'worker_src', cdn_host)
  append_to_directive(directives, 'frame_src', cdn_host)
end

.allow_customersdot(directives) ⇒ Object



154
155
156
157
158
159
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 154

def allow_customersdot(directives)
  customersdot_host = ENV['CUSTOMER_PORTAL_URL'].presence
  return unless customersdot_host

  append_to_directive(directives, 'frame_src', customersdot_host)
end

.allow_development_tooling(directives) ⇒ Object

connect_src with ‘self’ includes https/wss variations of the origin, however, safari hasn’t covered this yet and we need to explicitly add support for websocket origins until Safari catches up with the specs



59
60
61
62
63
64
65
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 59

def allow_development_tooling(directives)
  return unless Rails.env.development?

  allow_webpack_dev_server(directives)
  allow_letter_opener(directives)
  allow_snowplow_micro(directives) if Gitlab::Tracking.snowplow_micro_enabled?
end

.allow_framed_gitlab_paths(directives) ⇒ Object

Using ‘self’ in the CSP introduces several CSP bypass opportunities for this reason we list the URLs where GitLab frames itself instead



148
149
150
151
152
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 148

def allow_framed_gitlab_paths(directives)
  ['/admin/', '/assets/', '/-/speedscope/index.html', '/-/sandbox/'].map do |path|
    append_to_directive(directives, 'frame_src', Gitlab::Utils.append_path(Gitlab.config.gitlab.url, path))
  end
end

.allow_letter_opener(directives) ⇒ Object



76
77
78
79
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 76

def allow_letter_opener(directives)
  url = Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/rails/letter_opener/')
  append_to_directive(directives, 'frame_src', url)
end

.allow_lfs(directives) ⇒ Object



96
97
98
99
100
101
102
103
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 96

def allow_lfs(directives)
  return unless Gitlab.config.lfs.enabled && LfsObjectUploader.object_store_enabled? && LfsObjectUploader.direct_download_enabled?

  lfs_url = build_lfs_url
  return unless lfs_url.present?

  append_to_directive(directives, 'connect_src', lfs_url)
end

.allow_sentry(directives) ⇒ Object



134
135
136
137
138
139
140
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 134

def allow_sentry(directives)
  return unless sentry_client_side_dsn_enabled?

  sentry_uri = URI(Gitlab::CurrentSettings.sentry_clientside_dsn)

  append_to_directive(directives, 'connect_src', "#{sentry_uri.scheme}://#{sentry_uri.host}")
end

.allow_snowplow_micro(directives) ⇒ Object



81
82
83
84
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 81

def allow_snowplow_micro(directives)
  url = URI.join(Gitlab::Tracking::Destinations::SnowplowMicro.new.uri, '/').to_s
  append_to_directive(directives, 'connect_src', url)
end

.allow_webpack_dev_server(directives) ⇒ Object



67
68
69
70
71
72
73
74
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 67

def allow_webpack_dev_server(directives)
  secure = Settings.webpack.dev_server['https']
  host_and_port = "#{Settings.webpack.dev_server['host']}:#{Settings.webpack.dev_server['port']}"
  http_url = "#{secure ? 'https' : 'http'}://#{host_and_port}"
  ws_url = "#{secure ? 'wss' : 'ws'}://#{host_and_port}"

  append_to_directive(directives, 'connect_src', "#{http_url} #{ws_url}")
end

.allow_websocket_connections(directives) ⇒ Object



105
106
107
108
109
110
111
112
113
114
115
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 105

def allow_websocket_connections(directives)
  host = Gitlab.config.gitlab.host
  port = Gitlab.config.gitlab.port
  secure = Gitlab.config.gitlab.https
  protocol = secure ? 'wss' : 'ws'

  ws_url = "#{protocol}://#{host}"
  ws_url = "#{ws_url}:#{port}" unless HTTP_PORTS.include?(port)

  append_to_directive(directives, 'connect_src', ws_url)
end

.allow_zuora(directives) ⇒ Object



128
129
130
131
132
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 128

def allow_zuora(directives)
  return unless Gitlab.com?

  append_to_directive(directives, 'frame_src', zuora_host)
end

.append_to_directive(directives, directive, text) ⇒ Object



175
176
177
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 175

def append_to_directive(directives, directive, text)
  directives[directive] = "#{directives[directive]} #{text}".strip
end

.build_lfs_urlObject



183
184
185
186
187
188
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 183

def build_lfs_url
  uploader = LfsObjectUploader.new(nil)
  fog = CarrierWave::Storage::Fog.new(uploader)
  fog_file = CarrierWave::Storage::Fog::File.new(uploader, fog, nil)
  fog_file.public_url || fog_file.url
end

.csp_level_3_backport(directives) ⇒ Object

The follow contains workarounds to patch Safari’s lack of support for CSP Level 3



162
163
164
165
166
167
168
169
170
171
172
173
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 162

def csp_level_3_backport(directives)
  # See https://gitlab.com/gitlab-org/gitlab/-/issues/343579
  # frame-src was deprecated in CSP level 2 in favor of child-src
  # CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing
  # However Safari seems to read child-src first so we'll just keep both equal
  append_to_directive(directives, 'child_src', directives['frame_src'])

  # Safari also doesn't support worker-src and only checks child-src
  # So for compatibility until it catches up to other browsers we need to
  # append worker-src's content to child-src
  append_to_directive(directives, 'child_src', directives['worker_src'])
end

.default_directivesObject



19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 19

def default_directives
  directives = default_directives_defaults

  allow_development_tooling(directives)
  allow_websocket_connections(directives)
  allow_lfs(directives)
  allow_cdn(directives)
  allow_zuora(directives)
  allow_sentry(directives)
  allow_framed_gitlab_paths(directives)
  allow_customersdot(directives)
  csp_level_3_backport(directives)
  add_browsersdk_tracking(directives)

  directives
end

.default_directives_defaultsObject



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 36

def default_directives_defaults
  {
    'default_src' => "'self'",
    'base_uri' => "'self'",
    'connect_src' => ContentSecurityPolicy::Directives.connect_src,
    'font_src' => "'self'",
    'form_action' => "'self' https: http:",
    'frame_ancestors' => "'self'",
    'frame_src' => ContentSecurityPolicy::Directives.frame_src,
    'img_src' => "'self' data: blob: http: https:",
    'manifest_src' => "'self'",
    'media_src' => "'self' data: blob: http: https:",
    'script_src' => ContentSecurityPolicy::Directives.script_src,
    'style_src' => ContentSecurityPolicy::Directives.style_src,
    'worker_src' => ContentSecurityPolicy::Directives.worker_src,
    'object_src' => "'none'",
    'report_uri' => nil
  }
end

.default_enabledObject



15
16
17
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 15

def default_enabled
  Rails.env.development? || Rails.env.test?
end

.sentry_client_side_dsn_enabled?Boolean

Returns:

  • (Boolean)


142
143
144
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 142

def sentry_client_side_dsn_enabled?
  Gitlab::CurrentSettings.try(:sentry_enabled) && Gitlab::CurrentSettings.try(:sentry_clientside_dsn)
end

.zuora_hostObject



179
180
181
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 179

def zuora_host
  "https://*.zuora.com/apps/PublicHostedPageLite.do"
end

Instance Method Details

#load(policy) ⇒ Object



199
200
201
202
203
204
205
206
207
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 199

def load(policy)
  DIRECTIVES.each do |directive|
    arguments = arguments_for(directive)

    next unless arguments.present?

    policy.public_send(directive, *arguments) # rubocop:disable GitlabSecurity/PublicSend
  end
end