
9a70cac9debf31e9cc379b6a67d793346c978a76 — CSDUMMI 2 years ago 9322363
Fix #26849 by adding the domain of the current SSO provider to the form-action CSP (#26857)

M app/controllers/concerns/web_app_controller_concern.rb => app/controllers/concerns/web_app_controller_concern.rb +1 -1
@@ 11,7 11,7 @@ module WebAppControllerConcern
  end

  def skip_csrf_meta_tags?
    !(ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1) && current_user.nil?
    !(ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1) && current_user.nil?
  end

  def set_app_body_class
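Review bot: The three-part guard on the new line of skip_csrf_meta_tags? — `ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1` — is copied verbatim into sso_redirect in app/serializers/initial_state_serializer.rb and sso_host in config/initializers/content_security_policy.rb, so the CSRF meta tags, the client redirect and the form-action allow-list only stay consistent as long as someone edits all three files together. I would fold it into a single predicate (say `one_click_sso_login?`, on a module the initializer can load as well) whose body is that expression, and call it from all three places. With that in hand the negation reads more naturally as `current_user.nil? && !one_click_sso_login?`, which states the intent directly: skip the tags only for anonymous visitors when the one-click SSO flow is not configured. The method is complete within this hunk.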

M app/serializers/initial_state_serializer.rb => app/serializers/initial_state_serializer.rb +1 -1
@@ 113,6 113,6 @@ class InitialStateSerializer < ActiveModel::Serializer
  end

  def sso_redirect
    "/auth/auth/#{Devise.omniauth_providers[0]}" if ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1
    "/auth/auth/#{Devise.omniauth_providers[0]}" if ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1
  end
end
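Review bot: The guard on the new sso_redirect line only decides whether the client is told to redirect, whereas the form-action exception added in config/initializers/content_security_policy.rb further requires sso_host to resolve a URL from the CAS/SAML/OIDC branches; as written there the `begin` block yields only its last expression, so the CAS and SAML lines cannot contribute a value, and in that case the initial state still carries `/auth/auth/#{Devise.omniauth_providers[0]}` while form_action stays `:self`. I would have sso_redirect and the CSP derive from the same provider value rather than two separately maintained conditions, or at least record the coupling here with `# Must agree with sso_host in config/initializers/content_security_policy.rb`. Minor: `Devise.omniauth_providers.first` reads better than `[0]`.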

M config/initializers/content_security_policy.rb => config/initializers/content_security_policy.rb +23 -1
@@ 19,6 19,22 @@ media_host ||= host_to_url(ENV['AZURE_ALIAS_HOST'])
media_host ||= host_to_url(ENV['S3_HOSTNAME']) if ENV['S3_ENABLED'] == 'true'
media_host ||= assets_host

def sso_host
  return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true'
  return unless ENV['OMNIAUTH_ONLY'] == 'true'
  return unless Devise.omniauth_providers.length == 1

  provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
  @sso_host ||= begin
    # using CAS
    provider.cas_url if ENV['CAS_ENABLED'] == 'true'
    # using SAML
    provider.options[:idp_sso_target_url] if ENV['SAML_ENABLED'] == 'true'
    # or using OIDC
    ENV['OIDC_AUTH_ENDPOINT'] || (OpenIDConnect::Discovery::Provider::Config.discover!(ENV['OIDC_ISSUER']).authorization_endpoint if ENV['OIDC_ENABLED'] == 'true')
  end
end

Rails.application.config.content_security_policy do |p|
  p.base_uri        :none
  p.default_src     :none


@@ 29,7 45,13 @@ Rails.application.config.content_security_policy do |p|
  p.media_src       :self, :https, :data, assets_host
  p.frame_src       :self, :https
  p.manifest_src    :self, assets_host
  p.form_action     :self

  if sso_host.present?
    p.form_action     :self, sso_host
  else
    p.form_action     :self
  end

  p.child_src       :self, :blob, assets_host
  p.worker_src      :self, :blob, assets_host