internal: add CSP header to files in `/media` (cherry-pick #12092)

gcp-cherry-pick-bot[bot] commented 1 day ago

Cherry-picked internal: add CSP header to files in /media (#12092)

add CSP header to files in /media

This fixes a security issue of stored cross-site scripting via embedding JavaScript in SVG files by a malicious user with can_save_media capability.

This can be exploited if:

the uploaded file is served from the same origin as authentik, and
the user opens the uploaded file directly in their browser

Co-authored-by: Jens L. jens@goauthentik.io

netlify[bot] commented 1 day ago

Deploy Preview for authentik-docs ready!

Name	Link
Latest commit	6be59a78dd9174a7dc8aa9bbc8b3929cec5142ea
Latest deploy log	https://app.netlify.com/sites/authentik-docs/deploys/673eec51a1380a0007d0d739
Deploy Preview	https://deploy-preview-12108--authentik-docs.netlify.app
Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

codecov[bot] commented 1 day ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 92.67%. Comparing base (f8015fc) to head (6be59a7). Report is 1 commits behind head on version-2024.10.

:white_check_mark: All tests successful. No failed tests found.

Additional details and impacted files

```diff @@ Coverage Diff @@ ## version-2024.10 #12108 +/- ## =================================================== + Coverage 92.66% 92.67% +0.01% =================================================== Files 761 761 Lines 37863 37863 =================================================== + Hits 35085 35090 +5 + Misses 2778 2773 -5 ``` | [Flag](https://app.codecov.io/gh/goauthentik/authentik/pull/12108/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=goauthentik) | Coverage Δ | | |---|---|---| | [e2e](https://app.codecov.io/gh/goauthentik/authentik/pull/12108/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=goauthentik) | `49.28% <ø> (+0.01%)` | :arrow_up: | | [integration](https://app.codecov.io/gh/goauthentik/authentik/pull/12108/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=goauthentik) | `24.89% <ø> (ø)` | | | [unit](https://app.codecov.io/gh/goauthentik/authentik/pull/12108/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=goauthentik) | `90.17% <ø> (ø)` | | Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=goauthentik#carryforward-flags-in-the-pull-request-comment) to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

🚨 Try these New Features:

JS Bundle Analysis - Avoid shipping oversized bundles

github-actions[bot] commented 23 hours ago

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your `.env` file: ```shell AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server AUTHENTIK_TAG=gh-6be59a78dd9174a7dc8aa9bbc8b3929cec5142ea AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s ``` For arm64, use these values: ```shell AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server AUTHENTIK_TAG=gh-6be59a78dd9174a7dc8aa9bbc8b3929cec5142ea-arm64 AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s ``` Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your `values.yml` file: ```yaml authentik: outposts: container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s global: image: repository: ghcr.io/goauthentik/dev-server tag: gh-6be59a78dd9174a7dc8aa9bbc8b3929cec5142ea ``` For arm64, use these values: ```yaml authentik: outposts: container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s global: image: repository: ghcr.io/goauthentik/dev-server tag: gh-6be59a78dd9174a7dc8aa9bbc8b3929cec5142ea-arm64 ``` Afterwards, run the upgrade commands from the latest release notes.

goauthentik / authentik