Merge pull request #2311 from sue445/csp_params

Add content_security_policy params

Author: sameersbn

README.md

@@ -924,6 +924,24 @@ Below is the complete list of available options that can be used to customize yo
 | `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED` | Set to `true` to enable the sidekiq exporter, enabled by default. |
 | `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS` | Sidekiq exporter address, defaults to `0.0.0.0` |
 | `GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT` | Sidekiq exporter port, defaults to `3807` |
+| `GITLAB_CONTENT_SECURITY_POLICY_ENABLED` | Set to `true` to enable [Content Security Policy](https://guides.rubyonrails.org/security.html#content-security-policy), enabled by default. |
+| `GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY` | Set to `true` to set `Content-Security-Policy-Report-Only` header, disabled by default |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI` | The value of the `base-uri` directive in the `Content-Security-Policy` header |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC` | The value of the `child-src` directive in the `Content-Security-Policy` header |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC` | The value of the `connect-src` directive in the `Content-Security-Policy` header. Default to `'self' http://localhost:* ws://localhost:* wss://localhost:*` |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC` | The value of the `default-src` directive in the `Content-Security-Policy` header. Default to `'self'` |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC` | The value of the `font-src` directive in the `Content-Security-Policy` header |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION` | The value of the `form-action` directive in the `Content-Security-Policy` header |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS` | The value of the `frame-ancestors` directive in the `Content-Security-Policy` header. Default to `'self'` |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC` | The value of the `frame-src` directive in the `Content-Security-Policy` header. Default to `'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com` |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC` | The value of the `img-src` directive in the `Content-Security-Policy` header. Default to `* data: blob:` |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC` | The value of the `manifest-src` directive in the `Content-Security-Policy` header |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC` | The value of the `media-src` directive in the `Content-Security-Policy` header |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC` | The value of the `object-src` directive in the `Content-Security-Policy` header. Default to `'none'`  |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC` | The value of the `script-src` directive in the `Content-Security-Policy` header. Default to `'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com` |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC` | The value of the `style-src` directive in the `Content-Security-Policy` header. Default to `'self' 'unsafe-inline'` |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC` | The value of the `worker-src` directive in the `Content-Security-Policy` header. Default to `'self' blob:` |
+| `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI` | The value of the `report-uri` directive in the `Content-Security-Policy` header |
 | `SSL_SELF_SIGNED` | Set to `true` when using self signed ssl certificates. `false` by default. |
 | `SSL_CERTIFICATE_PATH` | Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt` |
 | `SSL_KEY_PATH` | Location of the ssl private key. Defaults to `/home/git/data/certs/gitlab.key` |

assets/runtime/config/gitlabhq/gitlab.yml

@@ -53,25 +53,25 @@ production: &base
     # Content Security Policy
     # See https://guides.rubyonrails.org/security.html#content-security-policy
     content_security_policy:
-      enabled: true
-      report_only: false
+      enabled: {{GITLAB_CONTENT_SECURITY_POLICY_ENABLED}}
+      report_only: {{GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY}}
       directives:
-        base_uri:
-        child_src:
-        connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
-        default_src: "'self'"
-        font_src:
-        form_action:
-        frame_ancestors: "'self'"
-        frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
-        img_src: "* data: blob:"
-        manifest_src:
-        media_src:
-        object_src: "'none'"
-        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
-        style_src: "'self' 'unsafe-inline'"
-        worker_src: "'self' blob:"
-        report_uri:
+        base_uri: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI}}"
+        child_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC}}"
+        connect_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC}}"
+        default_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC}}"
+        font_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC}}"
+        form_action: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION}}"
+        frame_ancestors: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS}}"
+        frame_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC}}"
+        img_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC}}"
+        manifest_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC}}"
+        media_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC}}"
+        object_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC}}"
+        script_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC}}"
+        style_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC}}"
+        worker_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC}}"
+        report_uri: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI}}"
 
     # Trusted Proxies
     # Customize if you have GitLab behind a reverse proxy which is running on a different machine.

assets/runtime/env-defaults

@@ -517,3 +517,24 @@ SENTRY_ENABLED=${SENTRY_ENABLED:-false}
 SENTRY_DSN=${SENTRY_DSN:-}
 SENTRY_CLIENTSIDE_DSN=${SENTRY_CLIENTSIDE_DSN:-}
 SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT:-production}
+
+## Content Security Policy
+# See https://guides.rubyonrails.org/security.html#content-security-policy
+GITLAB_CONTENT_SECURITY_POLICY_ENABLED=${GITLAB_CONTENT_SECURITY_POLICY_ENABLED:-true}
+GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY=${GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY:-false}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI:-}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC:-}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC:-"'self' http://localhost:* ws://localhost:* wss://localhost:*"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC:-"'self'"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC:-}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION:-}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS:-"'self'"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC:-"'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC:-"* data: blob:"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC:-}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC:-}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC:-"'none'"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC:-"'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC:-"'self' 'unsafe-inline'"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC:-"'self' blob:"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI:-}

assets/runtime/functions

@@ -1166,6 +1166,29 @@ gitlab_configure_sentry(){
     SENTRY_ENVIRONMENT
 }
 
+gitlab_configure_content_security_policy(){
+  echo "Configuring gitlab::content_security_policy..."
+  update_template ${GITLAB_CONFIG} \
+    GITLAB_CONTENT_SECURITY_POLICY_ENABLED \
+    GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC \
+    GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI
+}
+
 nginx_configure_gitlab_ssl() {
   if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
     echo "Configuring nginx::gitlab::ssl..."
@@ -1681,6 +1704,7 @@ configure_gitlab() {
   gitlab_configure_pages
   gitlab_configure_sentry
   generate_healthcheck_script
+  gitlab_configure_content_security_policy
 
   # remove stale gitlab.socket
   rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket