# frozen_string_literal: true
require 'spec_helper'
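RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
  let(:policy) { ActionDispatch::ContentSecurityPolicy.new }
  let(:cdn_host) { nil }

  # Minimal explicit configuration used by the `#load` examples. Directive
  # values are space-separated source-list strings, mirroring the shape the
  # loader receives from application settings.
  let(:csp_config) do
    {
      enabled: true,
      report_only: false,
      directives: {
        base_uri: 'http://example.com',
        child_src: "'self' https://child.example.com",
        default_src: "'self' https://other.example.com",
        script_src: "'self' https://script.exammple.com ",
        worker_src: "data: https://worker.example.com",
        report_uri: "http://example.com"
      }
    }
  end

  describe '.default_settings_hash' do
    let(:settings) { described_class.default_settings_hash(cdn_host) }

    it 'returns defaults for all keys' do
      expect(settings['enabled']).to be_truthy
      expect(settings['report_only']).to be_falsey

      directives = settings['directives']
      # report_uri is the only directive that defaults to nil; every other
      # name in DIRECTIVES must be present with a non-empty source list, so
      # a new directive added to DIRECTIVES without a default fails here.
      directive_names = described_class::DIRECTIVES - ['report_uri']

      directive_names.each do |directive|
        expect(directives.key?(directive)).to be_truthy
        expect(directives[directive]).to be_truthy
      end

      expect(directives.key?('report_uri')).to be_truthy
      expect(directives['report_uri']).to be_nil
      # CSP uses child-src as the fallback for frame-src; the defaults keep
      # the two identical so neither embedding surface is looser than the other.
      expect(directives['child_src']).to eq(directives['frame_src'])
    end

    context 'when in production' do
      before do
        allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new('production'))
      end

      # The generated defaults are opt-in outside development: production
      # installs get enabled: false unless settings say otherwise.
      it 'is disabled' do
        expect(settings['enabled']).to be_falsey
      end
    end

    context 'when CDN host is defined' do
      let(:cdn_host) { 'https://example.com' }

      # These expectations pin the complete default source lists, including
      # 'unsafe-inline' and 'unsafe-eval' on script_src (per CSP3,
      # 'strict-dynamic' makes supporting browsers ignore 'unsafe-inline' and
      # host sources; the remainder is the fallback for older browsers). Any
      # tightening or loosening of the shipped policy must be reflected here
      # deliberately. The CDN host is appended to script, style and font
      # sources only.
      it 'adds CDN host to CSP' do
        directives = settings['directives']

        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
        expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
        expect(directives['font_src']).to eq("'self' https://example.com")
      end
    end

    context 'when sentry is configured' do
      # stub_sentry_settings is a spec-support helper (not on this page); the
      # dummy DSN it installs is what yields the dummy://example.com/43 origin.
      before do
        stub_sentry_settings
      end

      # The Sentry DSN is added to connect-src with its credentials stripped
      # (no user component in the expected origin).
      it 'adds sentry path to CSP without user' do
        directives = settings['directives']

        expect(directives['connect_src']).to eq("'self' dummy://example.com/43")
      end
    end

    context 'when CUSTOMER_PORTAL_URL is set' do
      before do
        stub_env('CUSTOMER_PORTAL_URL', 'https://customers.example.com')
      end

      context 'when in production' do
        before do
          allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new('production'))
        end

        # Production must not widen frame-src from an environment variable;
        # the expected list is the unmodified default.
        it 'does not add CUSTOMER_PORTAL_URL to CSP' do
          directives = settings['directives']

          expect(directives['frame_src']).to eq("'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com")
        end
      end

      context 'when in development' do
        before do
          allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new('development'))
        end

        # Only development appends the portal origin, and only to frame-src.
        it 'adds CUSTOMER_PORTAL_URL to CSP' do
          directives = settings['directives']

          expect(directives['frame_src']).to eq("'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://customers.example.com")
        end
      end
    end
  end

  describe '#load' do
    subject { described_class.new(csp_config[:directives]) }

    # Splits a configured directive string into the source-list array the
    # policy object is expected to hold. String#split(' ') is awk-style and
    # already discards leading/trailing whitespace, so no extra strip is needed.
    def expected_config(directive)
      csp_config[:directives][directive].split(' ')
    end

    # snake_case config keys are translated to hyphenated CSP directive
    # names, and each space-separated value becomes an array of sources.
    it 'sets the policy properly' do
      subject.load(policy)

      expect(policy.directives['base-uri']).to eq([csp_config[:directives][:base_uri]])
      expect(policy.directives['default-src']).to eq(expected_config(:default_src))
      expect(policy.directives['child-src']).to eq(expected_config(:child_src))
      expect(policy.directives['worker-src']).to eq(expected_config(:worker_src))
      expect(policy.directives['report-uri']).to eq(expected_config(:report_uri))
    end

    it 'ignores malformed policy statements' do
      # A non-String directive value (here an Integer) is dropped rather than
      # raising. NOTE(review): a dropped base-uri leaves the served policy
      # with no base-uri restriction at all, so a configuration typo quietly
      # weakens the policy; failing loudly at config-validation time would be
      # the safer contract.
      csp_config[:directives][:base_uri] = 123

      subject.load(policy)

      expect(policy.directives['base-uri']).to be_nil
    end
  end
end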