Prevent CSP bypass that use Rails' ujs data links
Summary
Rails data links (probably not really how they're called, please correct me on the terminology) allow fetching a JavaScript file and inserting it into the DOM with the correct nonce attribute, bypassing the CSP
I opened an issue in the Rails project but I don't understand enough in what context this is legitimately used and need to do more homework on this. https://github.com/rails/rails/issues/42164 I closed it, I need more understanding of this to make a good suggestion
Steps to reproduce
Assuming an XSS vulnerability, inject
<a data-remote="true" data-method="get" data-type="script" href="https://gitlab.com/path/to/raw/evil.js">XSS</a>Example Project
Used in #213273 (closed)
The attacker can use CSS to make the link take the full page and make it transparent so the victim is definitely going to click on it and trigger the vulnerability.
What is the current bug behavior?
It's possible to load a malicious script with the correct nonce
What is the expected correct behavior?
It shouldn't be possible to inject arbitrary scripts with the correct nonce
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)(we will only investigate if the tests are passing)