
Fix possible renderer security problem(#30136) #30315

Merged
merged 3 commits into from
Apr 8, 2024

Conversation

lunny
Member

@lunny lunny commented Apr 7, 2024

backport #30136

@GiteaBot GiteaBot added this to the 1.21.11 milestone Apr 7, 2024
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 7, 2024
@pull-request-size pull-request-size bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Apr 7, 2024
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Apr 7, 2024
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Apr 7, 2024
@lunny lunny changed the title Refactor render (#30136) Fix possible renderer security problem(#30136) Apr 7, 2024
@@ -44,20 +45,17 @@ func RenderFile(ctx *context.Context) {
isTextFile := st.IsText()

rd := charset.ToUTF8WithFallbackReader(io.MultiReader(bytes.NewReader(buf), dataRc), charset.ConvertOpts{})
ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts")
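Review bot: the protection in this line comes from `sandbox allow-scripts` without `allow-same-origin`, which gives the rendered document an opaque origin so script in a user-supplied file cannot reach the Gitea origin's cookies or DOM; a short comment stating that would keep a later change from adding `allow-same-origin` for convenience. `frame-src 'self'` only restricts what the rendered page may embed, not who may embed it; the latter is `frame-ancestors`. Also, `Header().Add` appends rather than replaces: if another CSP header is already on the response, browsers enforce both, which is the safe direction, but `Set` would make the intended policy unambiguous.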
Member

Should we also set frame-ancestors 'self'?

Member Author

I think so. Maybe we can also update the original PR. Please send commits to this PR directly.

Member

I think we likely want to set only frame-ancestors, e.g. control where this page is embedded, not which pages it can embed.

Member Author

I suggest setting both until someone needs that feature. Currently I don't think anyone has used that feature.

Member

Assuming we want to backport this, I'd suggest doing the frame-ancestors change only on v1.23, so this is fine with me without.

Member
@silverwind silverwind Apr 8, 2024


My only concern about this is in case someone uses this renderer on external websites. Do we support this? I think we shouldn't but not sure if we really should prevent this on the stable branch.

Member Author

OK. Let's revert it. 07e1ba9
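The thread above turns on two distinctions: `frame-src` (what the rendered page may embed) versus `frame-ancestors` (who may embed it), and a `sandbox` directive that only isolates the rendered file while it lacks `allow-same-origin`. The following Go check, added here as an illustration and not Gitea's own code, parses a CSP value and reports which of those properties a policy for rendered user files is missing; `parseCSP` and `auditRenderCSP` are names chosen for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// parseCSP splits a Content-Security-Policy value into directive -> values.
// Directives are ';'-separated; the first token is the directive name.
func parseCSP(policy string) map[string][]string {
	out := map[string][]string{}
	for _, d := range strings.Split(policy, ";") {
		f := strings.Fields(d)
		if len(f) == 0 {
			continue
		}
		out[strings.ToLower(f[0])] = f[1:]
	}
	return out
}

// auditRenderCSP checks a policy sent with rendered, user-controlled files.
// It returns human-readable findings; an empty slice means all checks passed.
func auditRenderCSP(policy string) []string {
	var findings []string
	d := parseCSP(policy)
	// sandbox only isolates the file if it does NOT grant allow-same-origin:
	// with that flag, script in the file runs in the serving origin and can
	// read its cookies and DOM.
	if v, ok := d["sandbox"]; !ok {
		findings = append(findings, "no sandbox directive: rendered file runs in the serving origin")
	} else {
		for _, flag := range v {
			if strings.EqualFold(flag, "allow-same-origin") {
				findings = append(findings, "sandbox grants allow-same-origin: isolation is defeated")
			}
		}
	}
	// frame-src limits what the rendered page may embed; only frame-ancestors
	// limits which sites may embed the rendered page.
	if _, ok := d["frame-ancestors"]; !ok {
		findings = append(findings, "no frame-ancestors: any site may embed this page")
	}
	return findings
}

func main() {
	// Constructed sample: the policy from the hunk, then the variant discussed.
	for _, p := range []string{"frame-src 'self'; sandbox allow-scripts", "frame-ancestors 'self'; sandbox allow-scripts"} {
		fmt.Printf("%q -> %v\n", p, auditRenderCSP(p))
	}
}
```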

@lunny lunny mentioned this pull request Apr 8, 2024
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Apr 8, 2024
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Apr 8, 2024
@silverwind silverwind merged commit 65d9672 into go-gitea:release/v1.21 Apr 8, 2024
27 checks passed
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Apr 8, 2024
@lunny lunny deleted the lunny/backport_30136 branch April 9, 2024 01:39
@Ma27 Ma27 mentioned this pull request Apr 16, 2024
@wxiaoguang wxiaoguang added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Apr 19, 2024
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Jul 8, 2024