
CSP with a proc attribute fails in redirection routes. #34200

Closed
viraptor opened this issue Oct 12, 2018 · 2 comments · Fixed by #34286

viraptor commented Oct 12, 2018

Steps to reproduce

  1. Add a content_security_policy with an option specified via a proc. For example:
     policy.report_uri(proc { "..." if Random.rand(100.0) < 0.002 })
  2. Add a route with redirect. For example:
     get 'author/top_authors', to: redirect('/authors/top')

Expected behavior

I should get a redirect, either with or without the CSP headers.

Actual behavior

RuntimeError at /author/top_authors
Missing context for the dynamic content security policy source: #<Proc:0x007f9c9eb655e8@.../config/initializers/content_security_policy.rb:18>

due to missing request.controller_instance

System configuration

Rails version: 5.2.1
Ruby version: 2.3.3

@pixeltrix pixeltrix added this to the 5.2.2 milestone Oct 15, 2018
@pixeltrix pixeltrix self-assigned this Oct 15, 2018
pixeltrix (Contributor) commented:

@viraptor is this the case for all of the CSP directives or just report_uri?

viraptor (Author) commented:

I haven't checked them all, but other parameters are affected as well. Making default_src and others procs also breaks the redirect.

pixeltrix added a commit that referenced this issue Oct 22, 2018
There is no controller instance when using a redirect route or a
mounted rack application so pass the request object as the context
when resolving dynamic CSP sources in this scenario.

Fixes #34200.
pixeltrix added a commit that referenced this issue Oct 23, 2018
There is no controller instance when using a redirect route or a
mounted rack application so pass the request object as the context
when resolving dynamic CSP sources in this scenario.

Fixes #34200.

(cherry picked from commit a150a02)
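The failure in the issue body and the fix described in the commit messages both come down to one question: which object a Proc-valued CSP source is evaluated against. The following is an added illustration, not Rails's own code, using constructed stand-ins for the request and controller: a naive resolver that only knows about the controller instance raises on a redirect route exactly as reported, while the fixed resolver falls back to the request object as the evaluation context. The host name, sampling counter and helper names are all assumptions made for this example.

```ruby
# Added illustration, not Rails's own code. Minimal stand-ins (constructed):
# a request that may or may not carry a controller instance, the way a
# normal action has one and a redirect route does not.
Request = Struct.new(:path, :host, :controller_instance)
Controller = Struct.new(:request)

# Naive resolver, mirroring the behaviour reported in the issue: a Proc
# source is only ever evaluated against the controller instance, so a
# redirect route (no controller instance) raises.
def resolve_source_naive(source, request)
  return source unless source.is_a?(Proc)
  context = request.controller_instance
  if context.nil?
    raise "Missing context for the dynamic content security policy source: #{source.inspect}"
  end
  context.instance_exec(&source)
end

# Fixed resolver, following the approach in the commit message: fall back
# to the request object as the evaluation context when there is no
# controller instance (redirect route, mounted Rack application).
def resolve_source(source, request)
  return source unless source.is_a?(Proc)
  context = request.controller_instance || request
  context.instance_exec(&source)
end

# Build one directive's header value. Symbols become quoted keywords
# ('self'), strings pass through, and Procs are resolved; a Proc that
# returns nil (like the sampling report-uri in the issue) simply drops out.
def build_directive(name, sources, request, resolver: method(:resolve_source))
  values = sources.map { |s| resolver.call(s, request) }.compact
  values = values.map { |v| v.is_a?(Symbol) ? "'#{v}'" : v }
  values.empty? ? nil : "#{name} #{values.join(' ')}"
end

# Sampling report-uri like the one in the issue, made deterministic here:
# only every 500th request (counter supplied by the caller) gets one.
# The report endpoint is a constructed placeholder.
def sampling_report_uri(counter)
  proc { 'https://csp.example.test/report' if counter % 500 == 0 }
end

# Constructed requests: one served by a controller action, one by a redirect route.
def action_request
  req = Request.new('/authors/top', 'example.test', nil)
  req.controller_instance = Controller.new(req)
  req
end

def redirect_request
  Request.new('/author/top_authors', 'example.test', nil)
end

# Resolve the report-uri directive with the given resolver. Returns the
# header value, or the error class name when resolution raised.
def csp_for(request, resolver)
  build_directive('report-uri', [sampling_report_uri(1000)], request, resolver: resolver)
rescue RuntimeError => e
  e.class.name
end

if __FILE__ == $PROGRAM_NAME
  puts csp_for(action_request,   method(:resolve_source_naive)) # report-uri https://csp.example.test/report
  puts csp_for(redirect_request, method(:resolve_source_naive)) # RuntimeError
  puts csp_for(redirect_request, method(:resolve_source))       # report-uri https://csp.example.test/report
  puts build_directive('default-src', [:self, proc { 'https://cdn.example.test' }], redirect_request)
end
```

The fallback only helps if the Proc sources are written against what the fallback context actually offers: a source that calls controller-only helpers will still fail on a redirect route, so dynamic sources that must work on every route should depend on request data alone.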