Always serve repository file entries as application/octet-stream

app/controllers/repositories_controller.rb

@@ -446,11 +446,11 @@ class RepositoriesController < ApplicationController
   end
 
   def send_raw(content, path)
-    # Force the download
-    send_opt = { filename: filename_for_content_disposition(path.split("/").last) }
-    send_type = OpenProject::MimeType.of(path)
-    send_opt[:type] = send_type.to_s if send_type
-    send_data content, send_opt
+    # Force the download as binary to prevent CSP bypass
+    send_data content,
+              filename: filename_for_content_disposition(path.split("/").last),
+              type: "application/octet-stream",
+              disposition: :attachment
   end
 
   def render_text_entry

spec/controllers/repositories_controller_spec.rb

@@ -291,6 +291,18 @@ RSpec.describe RepositoriesController do
         end
       end
 
+      describe "#send_raw" do
+        let(:permissions) { [:browse_repository] }
+
+        it "serves raw files as application/octet-stream attachment" do
+          get :entry, params: { project_id: project.identifier, repo_path: "subversion_test/textfile.txt", format: "raw" }
+
+          expect(response).to be_successful
+          expect(response.headers["Content-Type"]).to eq("application/octet-stream")
+          expect(response.headers["Content-Disposition"]).to match(/attachment/)
+        end
+      end
+
       describe "checkout path" do
         render_views