Class: Gitlab::ContentSecurityPolicy::ConfigLoader
- Inherits:
-
Object
- Object
- Gitlab::ContentSecurityPolicy::ConfigLoader
- Defined in:
- lib/gitlab/content_security_policy/config_loader.rb
Constant Summary collapse
- DIRECTIVES =
%w[ base_uri child_src connect_src default_src font_src form_action frame_ancestors frame_src img_src manifest_src media_src object_src report_uri script_src style_src worker_src ].freeze
- DEFAULT_FALLBACK_VALUE =
'<default_value>'
- HTTP_PORTS =
[80, 443].freeze
Class Method Summary collapse
- .add_browsersdk_tracking(directives) ⇒ Object
- .allow_cdn(directives) ⇒ Object
- .allow_customersdot(directives) ⇒ Object
-
.allow_development_tooling(directives) ⇒ Object
connect_src with ‘self’ includes https/wss variations of the origin, however, safari hasn’t covered this yet and we need to explicitly add support for websocket origins until Safari catches up with the specs.
-
.allow_framed_gitlab_paths(directives) ⇒ Object
Using ‘self’ in the CSP introduces several CSP bypass opportunities for this reason we list the URLs where GitLab frames itself instead.
- .allow_letter_opener(directives) ⇒ Object
- .allow_lfs(directives) ⇒ Object
- .allow_sentry(directives) ⇒ Object
- .allow_snowplow_micro(directives) ⇒ Object
- .allow_webpack_dev_server(directives) ⇒ Object
- .allow_websocket_connections(directives) ⇒ Object
- .allow_zuora(directives) ⇒ Object
- .append_to_directive(directives, directive, text) ⇒ Object
- .build_lfs_url ⇒ Object
-
.csp_level_3_backport(directives) ⇒ Object
The follow contains workarounds to patch Safari’s lack of support for CSP Level 3.
- .default_directives ⇒ Object
- .default_directives_defaults ⇒ Object
- .default_enabled ⇒ Object
- .sentry_client_side_dsn_enabled? ⇒ Boolean
- .zuora_host ⇒ Object
Instance Method Summary collapse
-
#initialize(csp_directives) ⇒ ConfigLoader
constructor
A new instance of ConfigLoader.
- #load(policy) ⇒ Object
Constructor Details
#initialize(csp_directives) ⇒ ConfigLoader
Returns a new instance of ConfigLoader.
191 192 193 194 195 196 197 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 191 def initialize(csp_directives) # Using <default_value> falls back to the default values. @merged_csp_directives = csp_directives .reject { |_, value| value == DEFAULT_FALLBACK_VALUE } .with_indifferent_access .reverse_merge(ConfigLoader.default_directives) end |
Class Method Details
.add_browsersdk_tracking(directives) ⇒ Object
86 87 88 89 90 91 92 93 94 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 86 def add_browsersdk_tracking(directives) return if directives.blank? return unless Gitlab.com? && ENV['GITLAB_ANALYTICS_URL'].present? default_connect_src = directives['connect-src'] || directives['default-src'] connect_src_values = Array.wrap(default_connect_src) | [ENV['GITLAB_ANALYTICS_URL']] append_to_directive(directives, 'connect_src', connect_src_values.join(' ')) end |
.allow_cdn(directives) ⇒ Object
117 118 119 120 121 122 123 124 125 126 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 117 def allow_cdn(directives) cdn_host = Settings.gitlab.cdn_host.presence return unless cdn_host append_to_directive(directives, 'script_src', cdn_host) append_to_directive(directives, 'style_src', cdn_host) append_to_directive(directives, 'font_src', cdn_host) append_to_directive(directives, 'worker_src', cdn_host) append_to_directive(directives, 'frame_src', cdn_host) end |
.allow_customersdot(directives) ⇒ Object
154 155 156 157 158 159 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 154 def allow_customersdot(directives) customersdot_host = ENV['CUSTOMER_PORTAL_URL'].presence return unless customersdot_host append_to_directive(directives, 'frame_src', customersdot_host) end |
.allow_development_tooling(directives) ⇒ Object
connect_src with ‘self’ includes https/wss variations of the origin, however, safari hasn’t covered this yet and we need to explicitly add support for websocket origins until Safari catches up with the specs
59 60 61 62 63 64 65 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 59 def allow_development_tooling(directives) return unless Rails.env.development? allow_webpack_dev_server(directives) allow_letter_opener(directives) allow_snowplow_micro(directives) if Gitlab::Tracking.snowplow_micro_enabled? end |
.allow_framed_gitlab_paths(directives) ⇒ Object
Using ‘self’ in the CSP introduces several CSP bypass opportunities for this reason we list the URLs where GitLab frames itself instead
148 149 150 151 152 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 148 def allow_framed_gitlab_paths(directives) ['/admin/', '/assets/', '/-/speedscope/index.html', '/-/sandbox/'].map do |path| append_to_directive(directives, 'frame_src', Gitlab::Utils.append_path(Gitlab.config.gitlab.url, path)) end end |
.allow_letter_opener(directives) ⇒ Object
76 77 78 79 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 76 def allow_letter_opener(directives) url = Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/rails/letter_opener/') append_to_directive(directives, 'frame_src', url) end |
.allow_lfs(directives) ⇒ Object
96 97 98 99 100 101 102 103 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 96 def allow_lfs(directives) return unless Gitlab.config.lfs.enabled && LfsObjectUploader.object_store_enabled? && LfsObjectUploader.direct_download_enabled? lfs_url = build_lfs_url return unless lfs_url.present? append_to_directive(directives, 'connect_src', lfs_url) end |
.allow_sentry(directives) ⇒ Object
134 135 136 137 138 139 140 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 134 def allow_sentry(directives) return unless sentry_client_side_dsn_enabled? sentry_uri = URI(Gitlab::CurrentSettings.sentry_clientside_dsn) append_to_directive(directives, 'connect_src', "#{sentry_uri.scheme}://#{sentry_uri.host}") end |
.allow_snowplow_micro(directives) ⇒ Object
81 82 83 84 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 81 def allow_snowplow_micro(directives) url = URI.join(Gitlab::Tracking::Destinations::SnowplowMicro.new.uri, '/').to_s append_to_directive(directives, 'connect_src', url) end |
.allow_webpack_dev_server(directives) ⇒ Object
67 68 69 70 71 72 73 74 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 67 def allow_webpack_dev_server(directives) secure = Settings.webpack.dev_server['https'] host_and_port = "#{Settings.webpack.dev_server['host']}:#{Settings.webpack.dev_server['port']}" http_url = "#{secure ? 'https' : 'http'}://#{host_and_port}" ws_url = "#{secure ? 'wss' : 'ws'}://#{host_and_port}" append_to_directive(directives, 'connect_src', "#{http_url} #{ws_url}") end |
.allow_websocket_connections(directives) ⇒ Object
105 106 107 108 109 110 111 112 113 114 115 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 105 def allow_websocket_connections(directives) host = Gitlab.config.gitlab.host port = Gitlab.config.gitlab.port secure = Gitlab.config.gitlab.https protocol = secure ? 'wss' : 'ws' ws_url = "#{protocol}://#{host}" ws_url = "#{ws_url}:#{port}" unless HTTP_PORTS.include?(port) append_to_directive(directives, 'connect_src', ws_url) end |
.allow_zuora(directives) ⇒ Object
128 129 130 131 132 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 128 def allow_zuora(directives) return unless Gitlab.com? append_to_directive(directives, 'frame_src', zuora_host) end |
.append_to_directive(directives, directive, text) ⇒ Object
175 176 177 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 175 def append_to_directive(directives, directive, text) directives[directive] = "#{directives[directive]} #{text}".strip end |
.build_lfs_url ⇒ Object
183 184 185 186 187 188 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 183 def build_lfs_url uploader = LfsObjectUploader.new(nil) fog = CarrierWave::Storage::Fog.new(uploader) fog_file = CarrierWave::Storage::Fog::File.new(uploader, fog, nil) fog_file.public_url || fog_file.url end |
.csp_level_3_backport(directives) ⇒ Object
The follow contains workarounds to patch Safari’s lack of support for CSP Level 3
162 163 164 165 166 167 168 169 170 171 172 173 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 162 def csp_level_3_backport(directives) # See https://gitlab.com/gitlab-org/gitlab/-/issues/343579 # frame-src was deprecated in CSP level 2 in favor of child-src # CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing # However Safari seems to read child-src first so we'll just keep both equal append_to_directive(directives, 'child_src', directives['frame_src']) # Safari also doesn't support worker-src and only checks child-src # So for compatibility until it catches up to other browsers we need to # append worker-src's content to child-src append_to_directive(directives, 'child_src', directives['worker_src']) end |
.default_directives ⇒ Object
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 19 def default_directives directives = default_directives_defaults allow_development_tooling(directives) allow_websocket_connections(directives) allow_lfs(directives) allow_cdn(directives) allow_zuora(directives) allow_sentry(directives) allow_framed_gitlab_paths(directives) allow_customersdot(directives) csp_level_3_backport(directives) add_browsersdk_tracking(directives) directives end |
.default_directives_defaults ⇒ Object
36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 36 def default_directives_defaults { 'default_src' => "'self'", 'base_uri' => "'self'", 'connect_src' => ContentSecurityPolicy::Directives.connect_src, 'font_src' => "'self'", 'form_action' => "'self' https: http:", 'frame_ancestors' => "'self'", 'frame_src' => ContentSecurityPolicy::Directives.frame_src, 'img_src' => "'self' data: blob: http: https:", 'manifest_src' => "'self'", 'media_src' => "'self' data: blob: http: https:", 'script_src' => ContentSecurityPolicy::Directives.script_src, 'style_src' => ContentSecurityPolicy::Directives.style_src, 'worker_src' => ContentSecurityPolicy::Directives.worker_src, 'object_src' => "'none'", 'report_uri' => nil } end |
.default_enabled ⇒ Object
15 16 17 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 15 def default_enabled Rails.env.development? || Rails.env.test? end |
.sentry_client_side_dsn_enabled? ⇒ Boolean
142 143 144 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 142 def sentry_client_side_dsn_enabled? Gitlab::CurrentSettings.try(:sentry_enabled) && Gitlab::CurrentSettings.try(:sentry_clientside_dsn) end |
.zuora_host ⇒ Object
179 180 181 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 179 def zuora_host "https://*.zuora.com/apps/PublicHostedPageLite.do" end |
Instance Method Details
#load(policy) ⇒ Object
199 200 201 202 203 204 205 206 207 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 199 def load(policy) DIRECTIVES.each do |directive| arguments = arguments_for(directive) next unless arguments.present? policy.public_send(directive, *arguments) # rubocop:disable GitlabSecurity/PublicSend end end |