Discource-C
/
discourse-ai
mirror of https://github.com/discourse/discourse-ai.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: properly bypass CSP for artifacts (#920) 

Was meant to be bypassed but was not implemented correctly
This commit is contained in:
Sam 2024-11-19 20:25:07 +11:00 committed by GitHub
parent 755b63f31f
commit 3ae1e4eaf0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 73 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/discourse_ai/ai_bot/artifacts_controller.rb
View File

@ -40,7 +40,7 @@ module DiscourseAi
HTML HTML
response.headers.delete("X-Frame-Options") response.headers.delete("X-Frame-Options")
response.headers.delete("Content-Security-Policy") response.headers["Content-Security-Policy"] = "script-src 'unsafe-inline';"
# Render the content # Render the content
render html: html.html_safe, layout: false, content_type: "text/html" render html: html.html_safe, layout: false, content_type: "text/html"

72
spec/requests/ai_bot/artifacts_controller_spec.rb Normal file
View File

@ -0,0 +1,72 @@
# frozen_string_literal: true
RSpec.describe DiscourseAi::AiBot::ArtifactsController do
fab!(:user)
fab!(:topic) { Fabricate(:private_message_topic, user: user) }
fab!(:post) { Fabricate(:post, user: user, topic: topic) }
fab!(:artifact) do
AiArtifact.create!(
user: user,
post: post,
name: "Test Artifact",
html: "<div>Hello World</div>",
css: "div { color: blue; }",
js: "console.log('test');",
metadata: {
public: false,
},
)
end
before do
SiteSetting.discourse_ai_enabled = true
SiteSetting.ai_artifact_security = "strict"
end
describe "#show" do
it "returns 404 when discourse_ai is disabled" do
SiteSetting.discourse_ai_enabled = false
get "/discourse-ai/ai-bot/artifacts/#{artifact.id}"
expect(response.status).to eq(404)
end
it "returns 404 when ai_artifact_security disables it" do
SiteSetting.ai_artifact_security = "disabled"
get "/discourse-ai/ai-bot/artifacts/#{artifact.id}"
expect(response.status).to eq(404)
end
context "with private artifact" do
it "returns 404 when user cannot see the post" do
get "/discourse-ai/ai-bot/artifacts/#{artifact.id}"
expect(response.status).to eq(404)
end
it "shows artifact when user can see the post" do
sign_in(user)
get "/discourse-ai/ai-bot/artifacts/#{artifact.id}"
expect(response.status).to eq(200)
expect(response.body).to include(artifact.html)
expect(response.body).to include(artifact.css)
expect(response.body).to include(artifact.js)
end
end
context "with public artifact" do
before { artifact.update!(metadata: { public: true }) }
it "shows artifact without authentication" do
get "/discourse-ai/ai-bot/artifacts/#{artifact.id}"
expect(response.status).to eq(200)
expect(response.body).to include(artifact.html)
end
end
it "removes security headers" do
sign_in(user)
get "/discourse-ai/ai-bot/artifacts/#{artifact.id}"
expect(response.headers["X-Frame-Options"]).to eq(nil)
expect(response.headers["Content-Security-Policy"]).to eq("script-src 'unsafe-inline';")
end
end
end