Class: Gitlab::ContentSecurityPolicy::ConfigLoader
- Inherits:
-
Object
- Object
- Gitlab::ContentSecurityPolicy::ConfigLoader
- Defined in:
- lib/gitlab/content_security_policy/config_loader.rb
Constant Summary collapse
- DIRECTIVES =
%w[ base_uri child_src connect_src default_src font_src form_action frame_ancestors frame_src img_src manifest_src media_src object_src report_uri script_src style_src worker_src ].freeze
- DEFAULT_FALLBACK_VALUE =
'<default_value>'
- HTTP_PORTS =
[80, 443].freeze
Class Method Summary collapse
- .add_browsersdk_tracking(directives) ⇒ Object
- .allow_cdn(directives) ⇒ Object
- .allow_customersdot(directives) ⇒ Object
-
.allow_development_tooling(directives) ⇒ Object
connect_src with ‘self’ includes https/wss variations of the origin, however, safari hasn’t covered this yet and we need to explicitly add support for websocket origins until Safari catches up with the specs.
-
.allow_framed_gitlab_paths(directives) ⇒ Object
Using ‘self’ in the CSP introduces several CSP bypass opportunities for this reason we list the URLs where GitLab frames itself instead.
- .allow_legacy_sentry(directives) ⇒ Object
- .allow_letter_opener(directives) ⇒ Object
- .allow_lfs(directives) ⇒ Object
- .allow_review_apps(directives) ⇒ Object
- .allow_sentry(directives) ⇒ Object
- .allow_snowplow_micro(directives) ⇒ Object
- .allow_webpack_dev_server(directives) ⇒ Object
- .allow_websocket_connections(directives) ⇒ Object
- .allow_zuora(directives) ⇒ Object
- .append_to_directive(directives, directive, text) ⇒ Object
- .build_lfs_url ⇒ Object
-
.csp_level_3_backport(directives) ⇒ Object
The follow contains workarounds to patch Safari’s lack of support for CSP Level 3.
- .default_directives ⇒ Object
- .default_directives_defaults ⇒ Object
- .default_enabled ⇒ Object
- .legacy_sentry_configured? ⇒ Boolean
- .sentry_client_side_dsn_enabled? ⇒ Boolean
- .zuora_host ⇒ Object
Instance Method Summary collapse
-
#initialize(csp_directives) ⇒ ConfigLoader
constructor
A new instance of ConfigLoader.
- #load(policy) ⇒ Object
Constructor Details
#initialize(csp_directives) ⇒ ConfigLoader
Returns a new instance of ConfigLoader.
212 213 214 215 216 217 218 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 212 def initialize(csp_directives) # Using <default_value> falls back to the default values. @merged_csp_directives = csp_directives .reject { |_, value| value == DEFAULT_FALLBACK_VALUE } .with_indifferent_access .reverse_merge(ConfigLoader.default_directives) end |
Class Method Details
.add_browsersdk_tracking(directives) ⇒ Object
87 88 89 90 91 92 93 94 95 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 87 def add_browsersdk_tracking(directives) return if directives.blank? return unless Gitlab.com? && Feature.enabled?(:browsersdk_tracking) && ENV['GITLAB_ANALYTICS_URL'].present? default_connect_src = directives['connect-src'] || directives['default-src'] connect_src_values = Array.wrap(default_connect_src) | [ENV['GITLAB_ANALYTICS_URL']] append_to_directive(directives, 'connect_src', connect_src_values.join(' ')) end |
.allow_cdn(directives) ⇒ Object
118 119 120 121 122 123 124 125 126 127 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 118 def allow_cdn(directives) cdn_host = Settings.gitlab.cdn_host.presence return unless cdn_host append_to_directive(directives, 'script_src', cdn_host) append_to_directive(directives, 'style_src', cdn_host) append_to_directive(directives, 'font_src', cdn_host) append_to_directive(directives, 'worker_src', cdn_host) append_to_directive(directives, 'frame_src', cdn_host) end |
.allow_customersdot(directives) ⇒ Object
168 169 170 171 172 173 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 168 def allow_customersdot(directives) customersdot_host = ENV['CUSTOMER_PORTAL_URL'].presence return unless customersdot_host append_to_directive(directives, 'frame_src', customersdot_host) end |
.allow_development_tooling(directives) ⇒ Object
connect_src with ‘self’ includes https/wss variations of the origin, however, safari hasn’t covered this yet and we need to explicitly add support for websocket origins until Safari catches up with the specs
60 61 62 63 64 65 66 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 60 def allow_development_tooling(directives) return unless Rails.env.development? allow_webpack_dev_server(directives) allow_letter_opener(directives) allow_snowplow_micro(directives) if Gitlab::Tracking.snowplow_micro_enabled? end |
.allow_framed_gitlab_paths(directives) ⇒ Object
Using ‘self’ in the CSP introduces several CSP bypass opportunities for this reason we list the URLs where GitLab frames itself instead
162 163 164 165 166 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 162 def allow_framed_gitlab_paths(directives) ['/admin/', '/assets/', '/-/speedscope/index.html', '/-/sandbox/'].map do |path| append_to_directive(directives, 'frame_src', Gitlab::Utils.append_path(Gitlab.config.gitlab.url, path)) end end |
.allow_legacy_sentry(directives) ⇒ Object
144 145 146 147 148 149 150 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 144 def allow_legacy_sentry(directives) # Support for Sentry setup via configuration files will be removed in 16.0 # in favor of Gitlab::CurrentSettings. sentry_uri = URI(Gitlab.config.sentry.clientside_dsn) append_to_directive(directives, 'connect_src', "#{sentry_uri.scheme}://#{sentry_uri.host}") end |
.allow_letter_opener(directives) ⇒ Object
77 78 79 80 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 77 def allow_letter_opener(directives) url = Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/rails/letter_opener/') append_to_directive(directives, 'frame_src', url) end |
.allow_lfs(directives) ⇒ Object
97 98 99 100 101 102 103 104 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 97 def allow_lfs(directives) return unless Gitlab.config.lfs.enabled && LfsObjectUploader.object_store_enabled? && LfsObjectUploader.direct_download_enabled? lfs_url = build_lfs_url return unless lfs_url.present? append_to_directive(directives, 'connect_src', lfs_url) end |
.allow_review_apps(directives) ⇒ Object
175 176 177 178 179 180 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 175 def allow_review_apps(directives) return unless ENV['REVIEW_APPS_ENABLED'].presence # Allow-listed to allow POSTs to https://gitlab.com/api/v4/projects/278964/merge_requests/:merge_request_iid/visual_review_discussions append_to_directive(directives, 'connect_src', 'https://gitlab.com/api/v4/projects/278964/merge_requests/') end |
.allow_sentry(directives) ⇒ Object
135 136 137 138 139 140 141 142 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 135 def allow_sentry(directives) allow_legacy_sentry(directives) if legacy_sentry_configured? return unless sentry_client_side_dsn_enabled? sentry_uri = URI(Gitlab::CurrentSettings.sentry_clientside_dsn) append_to_directive(directives, 'connect_src', "#{sentry_uri.scheme}://#{sentry_uri.host}") end |
.allow_snowplow_micro(directives) ⇒ Object
82 83 84 85 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 82 def allow_snowplow_micro(directives) url = URI.join(Gitlab::Tracking::Destinations::SnowplowMicro.new.uri, '/').to_s append_to_directive(directives, 'connect_src', url) end |
.allow_webpack_dev_server(directives) ⇒ Object
68 69 70 71 72 73 74 75 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 68 def allow_webpack_dev_server(directives) secure = Settings.webpack.dev_server['https'] host_and_port = "#{Settings.webpack.dev_server['host']}:#{Settings.webpack.dev_server['port']}" http_url = "#{secure ? 'https' : 'http'}://#{host_and_port}" ws_url = "#{secure ? 'wss' : 'ws'}://#{host_and_port}" append_to_directive(directives, 'connect_src', "#{http_url} #{ws_url}") end |
.allow_websocket_connections(directives) ⇒ Object
106 107 108 109 110 111 112 113 114 115 116 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 106 def allow_websocket_connections(directives) host = Gitlab.config.gitlab.host port = Gitlab.config.gitlab.port secure = Gitlab.config.gitlab.https protocol = secure ? 'wss' : 'ws' ws_url = "#{protocol}://#{host}" ws_url = "#{ws_url}:#{port}" unless HTTP_PORTS.include?(port) append_to_directive(directives, 'connect_src', ws_url) end |
.allow_zuora(directives) ⇒ Object
129 130 131 132 133 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 129 def allow_zuora(directives) return unless Gitlab.com? append_to_directive(directives, 'frame_src', zuora_host) end |
.append_to_directive(directives, directive, text) ⇒ Object
196 197 198 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 196 def append_to_directive(directives, directive, text) directives[directive] = "#{directives[directive]} #{text}".strip end |
.build_lfs_url ⇒ Object
204 205 206 207 208 209 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 204 def build_lfs_url uploader = LfsObjectUploader.new(nil) fog = CarrierWave::Storage::Fog.new(uploader) fog_file = CarrierWave::Storage::Fog::File.new(uploader, fog, nil) fog_file.public_url || fog_file.url end |
.csp_level_3_backport(directives) ⇒ Object
The follow contains workarounds to patch Safari’s lack of support for CSP Level 3
183 184 185 186 187 188 189 190 191 192 193 194 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 183 def csp_level_3_backport(directives) # See https://gitlab.com/gitlab-org/gitlab/-/issues/343579 # frame-src was deprecated in CSP level 2 in favor of child-src # CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing # However Safari seems to read child-src first so we'll just keep both equal append_to_directive(directives, 'child_src', directives['frame_src']) # Safari also doesn't support worker-src and only checks child-src # So for compatibility until it catches up to other browsers we need to # append worker-src's content to child-src append_to_directive(directives, 'child_src', directives['worker_src']) end |
.default_directives ⇒ Object
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 19 def default_directives directives = default_directives_defaults allow_development_tooling(directives) allow_websocket_connections(directives) allow_lfs(directives) allow_cdn(directives) allow_zuora(directives) allow_sentry(directives) allow_framed_gitlab_paths(directives) allow_customersdot(directives) allow_review_apps(directives) csp_level_3_backport(directives) add_browsersdk_tracking(directives) directives end |
.default_directives_defaults ⇒ Object
37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 37 def default_directives_defaults { 'default_src' => "'self'", 'base_uri' => "'self'", 'connect_src' => ContentSecurityPolicy::Directives.connect_src, 'font_src' => "'self'", 'form_action' => "'self' https: http:", 'frame_ancestors' => "'self'", 'frame_src' => ContentSecurityPolicy::Directives.frame_src, 'img_src' => "'self' data: blob: http: https:", 'manifest_src' => "'self'", 'media_src' => "'self' data: blob: http: https:", 'script_src' => ContentSecurityPolicy::Directives.script_src, 'style_src' => ContentSecurityPolicy::Directives.style_src, 'worker_src' => "#{Gitlab::Utils.append_path(Gitlab.config.gitlab.url, 'assets/')} blob: data:", 'object_src' => "'none'", 'report_uri' => nil } end |
.default_enabled ⇒ Object
15 16 17 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 15 def default_enabled Rails.env.development? || Rails.env.test? end |
.legacy_sentry_configured? ⇒ Boolean
152 153 154 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 152 def legacy_sentry_configured? Gitlab.config.sentry&.enabled && Gitlab.config.sentry&.clientside_dsn end |
.sentry_client_side_dsn_enabled? ⇒ Boolean
156 157 158 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 156 def sentry_client_side_dsn_enabled? Gitlab::CurrentSettings.try(:sentry_enabled) && Gitlab::CurrentSettings.try(:sentry_clientside_dsn) end |
.zuora_host ⇒ Object
200 201 202 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 200 def zuora_host "https://*.zuora.com/apps/PublicHostedPageLite.do" end |
Instance Method Details
#load(policy) ⇒ Object
220 221 222 223 224 225 226 227 228 |
# File 'lib/gitlab/content_security_policy/config_loader.rb', line 220 def load(policy) DIRECTIVES.each do |directive| arguments = arguments_for(directive) next unless arguments.present? policy.public_send(directive, *arguments) # rubocop:disable GitlabSecurity/PublicSend end end |