Use a more precise Sourcegraph URL in CSP
What does this MR do and why?
Related to #336141 (closed)
It fixes a CSP bypass vector that abuses the fact that it's possible to host arbitrary files on sourcegraph.com (and I would assume on self-hosted instances as well). See #334361 (comment 613780719) for more details about the bypass.
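To show why a path-qualified source expression closes this bypass while a bare origin does not, here is an added example (not GitLab's own CSP code) implementing the CSP3 source-expression matching rules for scheme, host, port and path: a source with no path matches every URL on that origin, a path ending in `/` matches as a prefix, and any other path must match exactly. The asset path `/.assets/` and the user-hosted URL are assumed placeholders, not the paths used by Sourcegraph or by this MR.

```ruby
require 'uri'

# Default ports used when a URL or source expression omits one.
DEFAULT_PORTS = { 'http' => 80, 'https' => 443 }.freeze

# Simplified CSP3 source-expression matcher (added example, not GitLab code).
# Handles scheme, host, port and the path rules; host wildcards, 'self',
# nonces, hashes and percent-decoding of paths are out of scope here.
def csp_source_matches?(source_expression, url)
  src = URI.parse(source_expression)
  target = URI.parse(url)

  return false unless src.scheme == target.scheme
  return false unless src.host.to_s.casecmp?(target.host.to_s)

  src_port = src.port || DEFAULT_PORTS[src.scheme]
  target_port = target.port || DEFAULT_PORTS[target.scheme]
  return false unless src_port == target_port

  src_path = src.path.to_s
  target_path = target.path.to_s

  return true if src_path.empty?                       # bare origin: any path
  return target_path.start_with?(src_path) if src_path.end_with?('/') # prefix
  target_path == src_path                               # exact match
end

# True when at least one entry of the directive's source list allows the URL.
def allowed_by_directive?(sources, url)
  sources.any? { |source| csp_source_matches?(source, url) }
end

# Compare a broad and a precise script-src source list against the same URLs.
# Returns a hash of url => [allowed_by_broad, allowed_by_precise].
def compare_policies(broad_sources, precise_sources, urls)
  urls.each_with_object({}) do |url, result|
    result[url] = [
      allowed_by_directive?(broad_sources, url),
      allowed_by_directive?(precise_sources, url)
    ]
  end
end

# Constructed sample inputs; the paths are assumptions for illustration only.
BROAD_SCRIPT_SRC   = ['https://sourcegraph.com'].freeze
PRECISE_SCRIPT_SRC = ['https://sourcegraph.com/.assets/'].freeze
SAMPLE_URLS = [
  'https://sourcegraph.com/.assets/extension/app.js',   # assumed legitimate asset
  'https://sourcegraph.com/ASSUMED/user-hosted/file.js', # stands in for arbitrary hosted content
  'http://sourcegraph.com/.assets/extension/app.js'      # wrong scheme
].freeze

if __FILE__ == $PROGRAM_NAME
  compare_policies(BROAD_SCRIPT_SRC, PRECISE_SCRIPT_SRC, SAMPLE_URLS).each do |url, (broad, precise)|
    puts format('%-55s broad=%-5s precise=%-5s', url, broad, precise)
  end
end
```

With the bare origin, both the legitimate asset and the user-hosted file pass the check; with the path-qualified source only the asset under the allowed prefix does, which is the whole point of narrowing the entry in the policy. When validating locally, the browser console's CSP violation reports are the observable counterpart of a `false` result from the precise policy.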
There are two commits: the first one does what is described above, and the second one replaces a whitelist with an allowlist in the specs.
Screenshots or screen recordings
No visual changes but here's what a working integration looks like when clicking on a type definition.
How to set up and validate locally
- Set up a local instance of sourcegraph (I used the docker command in https://docs.sourcegraph.com/admin/install/docker)
- Configure the integration https://docs.gitlab.com/ee/integration/sourcegraph.html#set-up-for-self-managed-gitlab-instances
- Go to a project and make it public (I used the gitlab-shell project in the GDK)
- Navigate to a code file and validate that the integration still works
- While doing that, check the browser console for CSP-related errors
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Dominic Couture