Fix CSP issues related to captchas

The required URLs are added to the CSP and nonces are added to the tags Changelog: fixed

Fix CSP issues related to captchas
The required URLs are added to the CSP and nonces are added to the tags Changelog: fixed
c7f10973 · dcouture · 8fe57fb5 · c7f10973 · c7f10973 · c7f10973
Commit c7f10973 authored May 31, 2021 by dcouture
6 changed files
--- a/app/views/devise/sessions/_new_base.html.haml
+++ b/app/views/devise/sessions/_new_base.html.haml
@@ -17,7 +17,7 @@
          = link_to _('Forgot your password?'), new_password_path(:user)
    %div
    - if captcha_enabled? || captcha_on_login_required?
-      = recaptcha_tags
+      = recaptcha_tags nonce: content_security_policy_nonce
  .submit-container.move-submit-down
    = f.submit _('Sign in'), class: 'gl-button btn btn-confirm', data: { qa_selector: 'sign_in_button' }
--- a/app/views/devise/shared/_signup_box.html.haml
+++ b/app/views/devise/shared/_signup_box.html.haml
@@ -9,7 +9,7 @@
    .devise-errors
      = render 'devise/shared/error_messages', resource: resource
    - if Gitlab::CurrentSettings.invisible_captcha_enabled
-      = invisible_captcha
+      = invisible_captcha nonce: true
    .name.form-row
      .col.form-group
        = f.label :first_name, _('First name'), for: 'new_user_first_name', class: 'label-bold'
@@ -59,7 +59,7 @@
      %p.gl-field-hint.text-secondary= s_('SignUp|Minimum length is %{minimum_password_length} characters.') % { minimum_password_length: @minimum_password_length }
    %div
    - if show_recaptcha_sign_up?
-      = recaptcha_tags
+      = recaptcha_tags nonce: content_security_policy_nonce
    .submit-container
      = f.submit button_text, class: 'btn gl-button btn-confirm', data: { qa_selector: 'new_user_register_button' }
    = render 'devise/shared/terms_of_service_notice', button_text: button_text

--- a/app/views/groups/_new_group_fields.html.haml
+++ b/app/views/groups/_new_group_fields.html.haml
@@ -20,7 +20,7 @@
 - if captcha_required?
  .row.recaptcha
    .col-sm-4
-      = recaptcha_tags
+      = recaptcha_tags nonce: content_security_policy_nonce
 .row
  .col-sm-12
    = f.submit _('Create group'), class: "btn gl-button btn-confirm"

--- a/app/views/shared/_recaptcha_form.html.haml
+++ b/app/views/shared/_recaptcha_form.html.haml
@@ -10,7 +10,7 @@
      = hidden_field(resource_name, field, value: value)
    = hidden_field_tag(:spam_log_id, spammable.spam_log.id)
    -# The reCAPTCHA response value will be returned in the 'g-recaptcha-response' field
-    = recaptcha_tags script: script, callback: 'recaptchaDialogCallback' unless Rails.env.test?
+    = recaptcha_tags script: script, callback: 'recaptchaDialogCallback', nonce: content_security_policy_nonce unless Rails.env.test?
    -# Fake the 'g-recaptcha-response' field in the test environment, so that the feature spec
    -# can get to the (mocked) SpamVerdictService check.
    = hidden_field_tag('g-recaptcha-response', 'abc123') if Rails.env.test?

--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -18,11 +18,11 @@ module Gitlab
            'font_src' => "'self'",
            'form_action' => "'self' https: http:",
            'frame_ancestors' => "'self'",
-            'frame_src' => "'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
+            'frame_src' => "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
            'img_src' => "'self' data: blob: http: https:",
            'manifest_src' => "'self'",
            'media_src' => "'self'",
-            'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com",
+            'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
            'style_src' => "'self' 'unsafe-inline'",
            'worker_src' => "'self'",
            'object_src' => "'none'",

--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -47,7 +47,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
        settings = described_class.default_settings_hash
        directives = settings['directives']
-        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com https://example.com")
+        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
        expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
      end
    end