From b6d8c7175b3de160c81eadc9a024f7d55ed24103 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Sat, 3 Sep 2022 21:42:27 +0200
Subject: [PATCH] Disallow any external resources for :render_file

---
 app/controllers/submissions_controller.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/app/controllers/submissions_controller.rb b/app/controllers/submissions_controller.rb
index fe6d67e8..6db1bab9 100644
--- a/app/controllers/submissions_controller.rb
+++ b/app/controllers/submissions_controller.rb
@@ -14,6 +14,16 @@ class SubmissionsController < ApplicationController
   before_action :set_files_and_specific_file, only: %i[download_file render_file run test]
   before_action :set_mime_type, only: %i[download_file render_file]
 
+  # Overwrite the CSP header for the :render_file action
+  content_security_policy only: :render_file do |policy|
+    policy.img_src :none
+    policy.script_src :none
+    policy.font_src :none
+    policy.style_src :none
+    policy.connect_src :none
+    policy.form_action :none
+  end
+
   def create
     @submission = Submission.new(submission_params)
     authorize!
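Review bot: The `content_security_policy only: :render_file` block in this hunk sets six directives to `:none` but leaves `default_src`, `object_src`, `media_src`, `frame_src`, `child_src`, `worker_src` and `base_uri` untouched, so those are inherited from the application-wide policy (not visible here) rather than locked down, even though the commit title promises to disallow any external resource. Rails yields a copy of the global policy to this block, so any directive it does not override keeps the global value; if the global `default_src` is anything other than `'none'`, a rendered submission can still embed plugins, media or frames from it. Adding `policy.default_src :none`, `policy.object_src :none` and `policy.base_uri :none` at the top of the block closes the unlisted fetch directives (the explicit `:none` lines below then become per-directive overrides that no longer depend on the global default). The comment would also read better as `# Override the CSP for :render_file: user-supplied files must not load anything` so the intent of the action-specific policy is explicit.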