Forbid scripting for wiki files

Wiki files (not pages - files in the repo) are just sent to the browser with whatever content-type the mime_types gem assigns to them based on their extension. As this is from the same domain as the GitLab application, this is an XSS vulnerability. Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these files.

Forbid scripting for wiki files
Wiki files (not pages - files in the repo) are just sent to the browser with whatever content-type the mime_types gem assigns to them based on their extension. As this is from the same domain as the GitLab application, this is an XSS vulnerability. Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these files.
1cda245c · Sean McGivern · 066020fc · 1cda245c
Commit 1cda245c authored Jun 08, 2016 by Sean McGivern
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

app/controllers/projects/wikis_controller.rb app/controllers/projects/wikis_controller.rb +3 -0

No files found.
--- a/app/controllers/projects/wikis_controller.rb
+++ b/app/controllers/projects/wikis_controller.rb
@@ -16,6 +16,9 @@ class Projects::WikisController < Projects::ApplicationController
    if @page
      render 'show'
    elsif file = @project_wiki.find_file(params[:id], params[:version_id])
+      response.headers['Content-Security-Policy'] = "default-src 'none'"
+      response.headers['X-Content-Security-Policy'] = "default-src 'none'"
+
      if file.on_disk?
        send_file file.on_disk_path, disposition: 'inline'
      else