Add CSP headers for Zuora iFrame

15f20d46 · Alex Buijs · e3fae047 · 15f20d46 · 15f20d46
Commit 15f20d46 authored Jan 14, 2020 by Alex Buijs
Showing with 75 additions and 0 deletions

ee/app/controllers/subscriptions_controller.rb ee/app/controllers/subscriptions_controller.rb +18 -0

ee/spec/features/subscriptions_spec.rb ee/spec/features/subscriptions_spec.rb +57 -0

No files found.
--- a/ee/app/controllers/subscriptions_controller.rb
+++ b/ee/app/controllers/subscriptions_controller.rb
@@ -4,6 +4,24 @@ class SubscriptionsController < ApplicationController
  layout 'checkout'
  skip_before_action :authenticate_user!, only: :new

+  content_security_policy do |p|
+    next if p.directives.blank?
+    next unless Feature.enabled?(:paid_signup_flow)
+
+    default_script_src = p.directives['script-src'] || p.directives['default-src']
+    script_src_values = Array.wrap(default_script_src) | ["'self'", "'unsafe-eval'", 'https://*.zuora.com']
+
+    default_frame_src = p.directives['frame-src'] || p.directives['default-src']
+    frame_src_values = Array.wrap(default_frame_src) | ["'self'", 'https://*.zuora.com']
+
+    default_child_src = p.directives['child-src'] || p.directives['default-src']
+    child_src_values = Array.wrap(default_child_src) | ["'self'", 'https://*.zuora.com']
+
+    p.script_src(*script_src_values)
+    p.frame_src(*frame_src_values)
+    p.child_src(*child_src_values)
+  end
+
  def new
    if experiment_enabled?(:paid_signup_flow)
      return if current_user

--- a/ee/spec/features/subscriptions_spec.rb
+++ b/ee/spec/features/subscriptions_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Subscriptions Content Security Policy' do
+  subject { response_headers['Content-Security-Policy'] }
+
+  let_it_be(:default_csp_values) { "'self' https://some-cdn.test" }
+  let_it_be(:zuora_url) { 'https://*.zuora.com' }
+
+  before do
+    stub_experiment_for_user(paid_signup_flow: true, signup_flow: true)
+
+    stub_request(:get, /.*gitlab_plans.*/).to_return(status: 200, body: "{}")
+
+    expect_next_instance_of(SubscriptionsController) do |controller|
+      expect(controller).to receive(:current_content_security_policy).and_return(csp)
+    end
+
+    sign_in(create(:user))
+
+    visit new_subscriptions_path
+  end
+
+  context 'when there is no global CSP config' do
+    let(:csp) { ActionDispatch::ContentSecurityPolicy.new }
+
+    it { is_expected.to be_blank }
+  end
+
+  context 'when a global CSP config exists' do
+    let(:csp) do
+      ActionDispatch::ContentSecurityPolicy.new do |p|
+        p.script_src(*default_csp_values.split)
+        p.frame_src(*default_csp_values.split)
+        p.child_src(*default_csp_values.split)
+      end
+    end
+
+    it { is_expected.to include("script-src #{default_csp_values} 'unsafe-eval' #{zuora_url}") }
+    it { is_expected.to include("frame-src #{default_csp_values} #{zuora_url}") }
+    it { is_expected.to include("child-src #{default_csp_values} #{zuora_url}") }
+  end
+
+  context 'when just a default CSP config exists' do
+    let(:csp) do
+      ActionDispatch::ContentSecurityPolicy.new do |p|
+        p.default_src(*default_csp_values.split)
+      end
+    end
+
+    it { is_expected.to include("default-src #{default_csp_values}") }
+    it { is_expected.to include("script-src #{default_csp_values} 'unsafe-eval' #{zuora_url}") }
+    it { is_expected.to include("frame-src #{default_csp_values} #{zuora_url}") }
+    it { is_expected.to include("child-src #{default_csp_values} #{zuora_url}") }
+  end
+end