

fix: Added artifact Content-Security-Policy (#8585)
Signed-off-by: Alex Collins <alex_collins@intuit.com>
alexec authored May 3, 2022
1 parent 61b80c9 commit 87470e1
Showing 3 changed files with 27 additions and 5 deletions.
14 changes: 9 additions & 5 deletions server/apiserver/argoserver.go
Expand Up @@ -341,11 +341,15 @@ func (as *argoServer) newHTTPServer(ctx context.Context, port int, artifactServe
r.Header.Del("Connection")
webhookInterceptor(w, r, gwmux)
})
mux.HandleFunc("/artifacts/", artifactServer.GetOutputArtifact)
mux.HandleFunc("/input-artifacts/", artifactServer.GetInputArtifact)
mux.HandleFunc("/artifacts-by-uid/", artifactServer.GetOutputArtifactByUID)
mux.HandleFunc("/input-artifacts-by-uid/", artifactServer.GetInputArtifactByUID)
mux.HandleFunc("/artifact-files/", artifactServer.GetArtifactFile)

// emergency environment variable that allows you to disable the artifact service in case of problems
if os.Getenv("ARGO_ARTIFACT_SERVER") != "false" {
mux.HandleFunc("/artifacts/", artifactServer.GetOutputArtifact)
mux.HandleFunc("/input-artifacts/", artifactServer.GetInputArtifact)
mux.HandleFunc("/artifacts-by-uid/", artifactServer.GetOutputArtifactByUID)
mux.HandleFunc("/input-artifacts-by-uid/", artifactServer.GetInputArtifactByUID)
mux.HandleFunc("/artifact-files/", artifactServer.GetArtifactFile)
}
mux.Handle("/oauth2/redirect", handlers.ProxyHeaders(http.HandlerFunc(as.oAuth2Service.HandleRedirect)))
mux.Handle("/oauth2/callback", handlers.ProxyHeaders(http.HandlerFunc(as.oAuth2Service.HandleCallback)))
mux.HandleFunc("/metrics", func(w http.ResponseWriter, r *http.Request) {
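Review bot: The kill switch on the `if os.Getenv("ARGO_ARTIFACT_SERVER") != "false" {` line is fail-open: any value other than the exact string "false" ("0", "False", a trailing space) leaves the artifact routes registered, and nothing is logged on either branch, so an operator who sets the variable in an emergency has no way to confirm it took effect. Parsing the value and recording the decision would make the switch dependable, e.g. `if enabled, err := strconv.ParseBool(os.Getenv("ARGO_ARTIFACT_SERVER")); err != nil || enabled {` with the disabled branch emitting a startup log line through the file's existing logger. When the routes are not registered, requests to those paths presumably fall through to whatever catch-all the mux has, which is not visible in this hunk; stating that outcome in the comment above the `if` would help. The new variable also deserves a mention in the same place the two `ARGO_ARTIFACT_*` header overrides introduced by this commit are documented. newHTTPServer begins and ends outside the hunk.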
3 changes: 3 additions & 0 deletions server/artifacts/artifact_server.go
Expand Up @@ -16,6 +16,7 @@ import (
"google.golang.org/grpc/status"
apierr "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/utils/env"

"github.com/argoproj/argo-workflows/v3/persist/sqldb"
wfv1 "github.com/argoproj/argo-workflows/v3/pkg/apis/workflow/v1alpha1"
Expand Down Expand Up @@ -409,6 +410,8 @@ func (a *ArtifactServer) returnArtifact(w http.ResponseWriter, art *wfv1.Artifac
key, _ := art.GetKey()
w.Header().Add("Content-Disposition", fmt.Sprintf(`filename="%s"`, path.Base(key)))
w.Header().Add("Content-Type", mime.TypeByExtension(path.Ext(key)))
w.Header().Add("Content-Security-Policy", env.GetString("ARGO_ARTIFACT_CONTENT_SECURITY_POLICY", "sandbox; base-uri 'none'; default-src 'none'; img-src 'self'; style-src 'self'"))
w.Header().Add("X-Frame-Options", env.GetString("ARGO_ARTIFACT_X_FRAME_OPTIONS", "SAMEORIGIN"))

_, err = io.Copy(w, stream)
if err != nil {
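Review bot: The two header lines added to returnArtifact leave out `X-Content-Type-Options: nosniff`, which matters here because the Content-Type on the preceding line is derived only from the artifact key's extension; without nosniff a browser may reinterpret an unknown or mismatched type, and the CSP `sandbox` limits what such content can do but does not stop the sniffing itself. Adding `w.Header().Set("X-Content-Type-Options", "nosniff")` beside the CSP line closes that gap. Both new lines use `Add`, which appends rather than replaces, so if any middleware upstream already sets either name the response carries two values, and browser handling of duplicate X-Frame-Options values is not well defined — `Set` is the safer verb for both. The overrides are read per request through env.GetString, and an operator who sets `ARGO_ARTIFACT_CONTENT_SECURITY_POLICY` to an empty string presumably gets an empty header rather than the default (GetString appears to return the variable's value whenever it is present), so a comment stating that the override replaces, not extends, the default policy would prevent surprises. returnArtifact begins and ends outside the hunk.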
15 changes: 15 additions & 0 deletions test/e2e/argo_server_test.go
Expand Up @@ -1065,6 +1065,11 @@ func (s *ArgoServerSuite) TestArtifactServer() {
resp.Body().
Contains(":) Hello Argo!")

resp.Header("Content-Security-Policy").
Equal("sandbox; base-uri 'none'; default-src 'none'; img-src 'self'; style-src 'self'") // MSB

resp.Header("X-Frame-Options").
Equal("SAMEORIGIN")
})

// In this case, the artifact name is a file
Expand All @@ -1076,6 +1081,11 @@ func (s *ArgoServerSuite) TestArtifactServer() {
resp.Body().
Contains(":) Hello Argo!")

resp.Header("Content-Security-Policy").
Equal("sandbox; base-uri 'none'; default-src 'none'; img-src 'self'; style-src 'self'") // MSB

resp.Header("X-Frame-Options").
Equal("SAMEORIGIN")
})

// In this case, the artifact name is a directory
Expand Down Expand Up @@ -1110,6 +1120,11 @@ func (s *ArgoServerSuite) TestArtifactServer() {
resp.Body().
Contains(":) Hello Argo!")

resp.Header("Content-Security-Policy").
Equal("sandbox; base-uri 'none'; default-src 'none'; img-src 'self'; style-src 'self'") // MSB

resp.Header("X-Frame-Options").
Equal("SAMEORIGIN")
})

// In this case, the artifact name is a file
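Review bot: The expected CSP string is duplicated verbatim in all three hunks of TestArtifactServer, so a change to the default in artifact_server.go means editing three places; hoisting it into a test-scoped constant such as `const defaultArtifactCSP = "sandbox; base-uri 'none'; default-src 'none'; img-src 'self'; style-src 'self'"` and asserting against that keeps the three checks in step. The trailing `// MSB` comment on each Equal line does not tell a reader what it abbreviates; either spell it out or drop it. These assertions also assume the e2e environment leaves ARGO_ARTIFACT_CONTENT_SECURITY_POLICY and ARGO_ARTIFACT_X_FRAME_OPTIONS unset, which is worth stating in a comment above the first check. TestArtifactServer begins and ends outside these hunks.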

