github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-29 12:21:40 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
59,140 Commits 325 Branches 518 Tags
stable
Commit Graph

9 Commits

Author SHA1 Message Date
Kelv
b9363494d4 FIX: invalid CSP directive sources should allow site to boot with valid CSP directives (stable) (#31270) 
[Security
patch](5558e72f22)
(for this [CVE](https://nvd.nist.gov/vuln/detail/CVE-2024-54133)) from
rails actionpack was backported from [Rails
8.0.0.1](https://github.com/rails/rails/blob/v8.0.1/actionpack/CHANGELOG.md#rails-8001-december-10-2024)
to previous stable versions including `7-1-stable` / `7-2-stable`.

Any previous version of Discourse upgrading to v3.4.0.beta3 and above
would have observed their sites crashing if they had invalid sources in
their CSP directive extensions.

This fix removes such invalid sources during our build of the CSP, and
logs these at a warning level so devs are able to find out why their CSP
sources were filtered out of the extendable directives.
 2025-02-11 11:51:01 +08:00
David Taylor
2546817d07 FIX: correctly strip unneeded csp directives under strict-dynamic (#26180) 2024-03-14 18:50:09 +00:00
David Taylor
ee08a8c52b Revert "FIX: Omit CSP nonce and hash values when unsafe-inline enabled (#25590)" (#25609) 
This reverts commit 767b49232e0c4c853e5b92e0abde8381f3aa1e88.

If anything else (e.g. GTM integration) introduces a nonce/hash, then this change stops the splash screen JS to fail and makes sites unusable.
 2024-02-08 11:44:09 +00:00
David Taylor
767b49232e FIX: Omit CSP nonce and hash values when unsafe-inline enabled (#25590) 
Browsers will ignore unsafe-inline if nonces or hashes are included in the CSP. When unsafe-inline is enabled, nonces and hashes are not required, so we can skip them.

Our strong recommendation remains that unsafe-inline should not be used in production.
 2024-02-07 12:35:35 +00:00
David Taylor
cb932d6ee1 DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
Phil Pirozhkov
493d437e79 Add RSpec 4 compatibility (#17652) 
* Remove outdated option

04078317ba

* Use the non-globally exposed RSpec syntax

https://github.com/rspec/rspec-core/pull/2803

* Use the non-globally exposed RSpec syntax, cont

https://github.com/rspec/rspec-core/pull/2803

* Comply to strict predicate matchers

See:
 - https://github.com/rspec/rspec-expectations/pull/1195
 - https://github.com/rspec/rspec-expectations/pull/1196
 - https://github.com/rspec/rspec-expectations/pull/1277
 2022-07-28 10:27:38 +08:00
David Taylor
c9dab6fd08 DEV: Automatically require 'rails_helper' in all specs (#16077) 
It's very easy to forget to add `require 'rails_helper'` at the top of every core/plugin spec file, and omissions can cause some very confusing/sporadic errors.

By setting this flag in `.rspec`, we can remove the need for `require 'rails_helper'` entirely.
 2022-03-01 17:50:50 +00:00
David Taylor
19814c5e81 FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180) 
- Define the CSP based on the requested domain / scheme (respecting force_https)
- Update EnforceHostname middleware to allow secondary domains, add specs
- Add URL scheme to anon cache key so that CSP headers are cached correctly
 2020-03-19 19:54:42 +00:00
Kyle Zhao
488fba3c5f FEATURE: allow plugins and themes to extend the default CSP (#6704) 
* FEATURE: allow plugins and themes to extend the default CSP

For plugins:

```
extend_content_security_policy(
  script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'],
  style_src: ['https://domain.com/style.css']
)
```

For themes and components:

```
extend_content_security_policy:
  type: list
  default: "script_src:https://domain.com/|style_src:https://domain.com"
```

* clear CSP base url before each test

we have a test that stubs `Rails.env.development?` to true

* Only allow extending directives that core includes, for now
 2018-11-30 09:51:45 -05:00