Change form-action Content-Security-Policy directive to be more restrictive (#26897)

2024-09-12 15:24:19 +02:00 · 2024-09-12 15:24:19 +02:00 · 69eecdda9c
commit 69eecdda9c
parent 8fd9f6fb55
4 changed files with 30 additions and 22 deletions
--- a/app/controllers/concerns/web_app_controller_concern.rb
+++ b/app/controllers/concerns/web_app_controller_concern.rb
@ -8,6 +8,16 @@ module WebAppControllerConcern

    before_action :redirect_unauthenticated_to_permalinks!
    before_action :set_app_body_class
+
+    content_security_policy do |p|
+      policy = ContentSecurityPolicy.new
+
+      if policy.sso_host.present?
+        p.form_action policy.sso_host
+      else
+        p.form_action :none
+      end
+    end
  end

  def skip_csrf_meta_tags?
--- a/app/lib/content_security_policy.rb
+++ b/app/lib/content_security_policy.rb
@ -13,6 +13,22 @@ class ContentSecurityPolicy
    [assets_host, cdn_host_value, paperclip_root_url].compact
  end

+  def sso_host
+    return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1
+
+    provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
+    @sso_host ||= begin
+      case provider.provider
+      when :cas
+        provider.cas_url
+      when :saml
+        provider.options[:idp_sso_target_url]
+      when :openid_connect
+        provider.options.dig(:client_options, :authorization_endpoint) || OpenIDConnect::Discovery::Provider::Config.discover!(provider.options[:issuer]).authorization_endpoint
+      end
+    end
+  end
+
  private

  def url_from_configured_asset_host