Merge branch 'security-disable-caching-for-wiki-attachments' into 'master'

Disable caching for wiki attachments Closes #168 See merge request gitlab-org/security/gitlab!632

Merge branch 'security-disable-caching-for-wiki-attachments' into 'master'
Disable caching for wiki attachments Closes #168 See merge request gitlab-org/security/gitlab!632
757ee605 · GitLab Release Tools Bot · 06f424ef · 943ebda3 · 757ee605 · 757ee605
Commit 757ee605 authored Jun 29, 2020 by GitLab Release Tools Bot
3 changed files
--- a/app/controllers/concerns/wiki_actions.rb
+++ b/app/controllers/concerns/wiki_actions.rb
@@ -62,7 +62,7 @@ module WikiActions
      render 'shared/wikis/show'
    elsif file_blob
-      send_blob(wiki.repository, file_blob, allow_caching: container.public?)
+      send_blob(wiki.repository, file_blob)
    elsif show_create_form?
      # Assign a title to the WikiPage unless `id` is a randomly generated slug from #new
      title = params[:id] unless params[:random_title].present?

--- a/changelogs/unreleased/security-disable-caching-for-wiki-attachments.yml
+++ b/changelogs/unreleased/security-disable-caching-for-wiki-attachments.yml
+---
+title: Disable caching for wiki attachments
+merge_request:
+author:
+type: security
--- a/spec/support/shared_examples/controllers/wiki_actions_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/wiki_actions_shared_examples.rb
@@ -158,46 +158,18 @@ RSpec.shared_examples 'wiki controller actions' do
    context 'when page is a file' do
      include WikiHelpers
-      let(:id) { upload_file_to_wiki(container, user, file_name) }
+      where(:file_name) { ['dk.png', 'unsanitized.svg', 'git-cheat-sheet.pdf'] }
-      context 'when file is an image' do
+      with_them do
-        let(:file_name) { 'dk.png' }
+        let(:id) { upload_file_to_wiki(container, user, file_name) }
-        it 'delivers the image' do
+        it 'delivers the file with the correct headers' do
          subject
          expect(response.headers['Content-Disposition']).to match(/^inline/)
-          expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
+          expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq('true')
-        end
+          expect(response.cache_control[:public]).to be(false)
+          expect(response.cache_control[:extras]).to include('no-store')
-        context 'when file is a svg' do
-          let(:file_name) { 'unsanitized.svg' }
-          it 'delivers the image' do
-            subject
-            expect(response.headers['Content-Disposition']).to match(/^inline/)
-            expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
-          end
-        end
-        it_behaves_like 'project cache control headers' do
-          let(:project) { container }
-        end
-      end
-      context 'when file is a pdf' do
-        let(:file_name) { 'git-cheat-sheet.pdf' }
-        it 'sets the content type to sets the content response headers' do
-          subject
-          expect(response.headers['Content-Disposition']).to match(/^inline/)
-          expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
-        end
-        it_behaves_like 'project cache control headers' do
-          let(:project) { container }
        end
      end
    end