RawController respond with uncached headers

Also small refactor on spec/requests/api/files_spec.rb to use new uncached response shared example.

RawController respond with uncached headers
Also small refactor on spec/requests/api/files_spec.rb to use new uncached response shared example.
494c56ef · Alex Pooley · 52c7630e · 494c56ef · 494c56ef · 494c56ef
Commit 494c56ef authored Feb 12, 2020 by Alex Pooley
5 changed files
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@@ -12,6 +12,7 @@ class Projects::RawController < Projects::ApplicationController
  before_action :authorize_download_code!
  before_action :show_rate_limit, only: [:show], unless: :external_storage_request?
  before_action :assign_ref_vars
+  before_action :no_cache_headers, only: [:show]
  before_action :redirect_to_external_storage, only: :show, if: :static_objects_external_storage_enabled?
  def show

--- a/changelogs/unreleased/security-44-stored-xss-via-svg-file-preview.yml
+++ b/changelogs/unreleased/security-44-stored-xss-via-svg-file-preview.yml
+---
+title: Prevent SVG XSS via Web IDE
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects/raw_controller_spec.rb
+++ b/spec/controllers/projects/raw_controller_spec.rb
@@ -33,6 +33,11 @@ RSpec.describe Projects::RawController do
      it_behaves_like 'project cache control headers'
      it_behaves_like 'content disposition headers'
+      it_behaves_like 'uncached response' do
+        before do
+          subject
+        end
+      end
    end
    context 'image header' do

--- a/spec/requests/api/files_spec.rb
+++ b/spec/requests/api/files_spec.rb
@@ -532,16 +532,13 @@ RSpec.describe API::Files do
        expect(response).to have_gitlab_http_status(:ok)
      end
-      it 'sets no-cache headers' do
+      it_behaves_like 'uncached response' do
-        url = route('.gitignore') + "/raw"
+        before do
-        expect(Gitlab::Workhorse).to receive(:send_git_blob)
+          url = route('.gitignore') + "/raw"
+          expect(Gitlab::Workhorse).to receive(:send_git_blob)
-        get api(url, current_user), params: params
-        expect(response.headers["Cache-Control"]).to include("no-store")
+          get api(url, current_user), params: params
-        expect(response.headers["Cache-Control"]).to include("no-cache")
+        end
-        expect(response.headers["Pragma"]).to eq("no-cache")
-        expect(response.headers["Expires"]).to eq("Fri, 01 Jan 1990 00:00:00 GMT")
      end
      context 'when mandatory params are not given' do

--- a/spec/support/shared_examples/cached_response_shared_examples.rb
+++ b/spec/support/shared_examples/cached_response_shared_examples.rb
+# frozen_string_literal: true
+#
+# Negates lib/gitlab/no_cache_headers.rb
+#
+RSpec.shared_examples 'cached response' do
+  it 'defines a cached header response' do
+    expect(response.headers["Cache-Control"]).not_to include("no-store", "no-cache")
+    expect(response.headers["Pragma"]).not_to eq("no-cache")
+    expect(response.headers["Expires"]).not_to eq("Fri, 01 Jan 1990 00:00:00 GMT")
+  end
+end