csp-util 1.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 541626754ec321c45e1140c383c0c3848fee01ccd6d814055b72713845a8ffed
+  data.tar.gz: ad1604712fa929d9d753e213709b9c998be4e5416ee7442918caea86aa5ab227
+SHA512:
+  metadata.gz: 96f5afc3ae55b1b7727cc74fcd50cf3fe60dd5e33cda1664d44446f0f64a67ecfdda342892610b2ce850f0ba1e93f384ccb417da4b1d51aa9e7df3fc7de23893
+  data.tar.gz: b7afbc2ca5d3a4778f62b2659edca6c2c8428f1d5aa9b23ceb3f336de31670d4cbd01b9b3f80c17519de08a3400ce59b68af10b2dcbad99ed32b360d315b4915

data/.gitignore

@@ -0,0 +1,2 @@
+Gemfile.lock
+coverage/

data/.rspec

@@ -0,0 +1,3 @@
+--color
+--format doc
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,8 @@
+Style/Documentation:
+  Enabled: false
+
+Metrics/BlockLength:
+  ExcludedMethods:
+    - 'describe'
+    - 'context'
+    - 'let'

data/.ruby-version

@@ -0,0 +1 @@
+2.4.3

data/.travis.yml

@@ -0,0 +1,20 @@
+language: ruby
+
+rvm:
+- 2.2.9
+- 2.3.6
+- 2.4.3
+- 2.5.0  
+
+script: 
+  - bundle exec rspec
+
+deploy:
+  provider: rubygems
+  gem: csp-util
+  api_key:
+    secure: "2SRrvn+9nAB3kpRBIcgNAbLk2UHC2cmg9Q9pkDDdpA2D79Y8ywXv3KLOWYHK742z/iUF5Vlv1zFo5hXgGFQBjqZmNI/HkRiKC1OEToP4XMMz/M2J02fyYW7EH/bFTdwzcy+URWPSI3i8m9PE4Ab6gmqRaTY7MxhD1WJpvXgCGGCv3nCtix9VKoUT8fw9MgX8f5NWQBBJ2LdXI5vpnbhVaGfr+Ux4mfJBrOCL88EIfU601lBeIJ3yGXhFd6ElqCOo3fobqvB7NQ5p2HRBJ2wvASgV0b30WeV0OMgIJIDWhBoAvctsmHezmlNb0KMLTaRH6rKbTwJrenWTabV3t09VoGyaPcltyJ7A2I2qFoYF1neJok9hvAbM8LS4FXxOKq3skF8x0S1Qztvn13b/ZisF6u+YJjc27xBO4Oz3KpMa4+ETz+7wx2+0Y3VyYA8F1/UJVWSgWMUQGwJfYcwA9U1KC9l8lx0adFnM2gZOuDaXI9wrS9u+dOZO8fUCFVUi8uD1KO242jChD30AjM+M8R66pGT05a011EAW3y9dTmC/vrSDFUmoaGZumVXLxKeHAvjxZZfufui01xviOglSijME2SXUEMxICuI7S0GUQ9lza6VHabVZfRjOFEoZD792wxj8DXJ62nMH4PofD8lz+qfroIl34V/yiDswPuPY2/YTcOs="
+  on:
+    tags: true
+    repo: templarbit/ruby-csp-util
+    ruby: "2.4.3"

data/Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Templarbit
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,43 @@
+# ruby-csp-util
+
+[![Build Status](https://travis-ci.org/templarbit/ruby-csp-util.svg?branch=master)](https://travis-ci.org/templarbit/ruby-csp-util)
+
+Content-Security-Policy utils, i.e. CSP parser in compliance with the W3C 
+[CSP Level 2](https://www.w3.org/TR/CSP2/) 
+and [CSP Level 3](https://www.w3.org/TR/CSP3/) specs.
+
+**ABNF**  
+see https://www.w3.org/TR/CSP2/#policy-syntax
+and https://www.w3.org/TR/CSP3/#framework
+
+```
+serialized-policy    = serialized-directive *( OWS ";" [ OWS serialized-directive ] )
+serialized-directive = directive-name [ RWS directive-value ]
+directive-name       = 1*( ALPHA / DIGIT / "-" )
+directive-value      = *( %x09 / %x20-%x2B / %x2D-%x3A / %x3C-%7E )
+                       ; Directive values may contain whitespace and VCHAR characters,
+                       ; excluding ";" and ","
+```
+
+
+## Installation
+
+Add `gem 'csp-util'` to your `Gemfile`.
+
+## Usage
+
+```ruby
+require 'csp_util'
+
+directives = CSPUtil.parse_directives("default-src 'self'; script-src 'self'; object-src 'self'; base-uri 'none'; report-uri https://logs.templarbit.com/csp/xxkey/reports")
+```
+
+## Other languages
+
+  * [Go](https://github.com/templarbit/go-csp-util)
+  * [Javascript](https://github.com/templarbit/javascript-csp-util)
+
+## Docs
+
+  * Chromium Content Security Policy implementation
+    https://cs.chromium.org/chromium/src/content/common/content_security_policy/?type=cs&sq=package:chromium

data/csp-util.gemspec

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require_relative 'lib/csp_util/version'
+
+Gem::Specification.new do |s|
+  s.name     = 'csp-util'
+  s.licenses = ['MIT']
+  s.version  = CSPUtil::VERSION
+  s.summary  = 'Content-Security-Policy utils'
+  s.authors  = ['Templarbit']
+  s.homepage = 'https://github.com/templarbit/ruby-csp-util'
+  s.files    = `git ls-files -z`.split("\x0")
+                                .reject do |f|
+                                  f.match(%r{^(test|spec|features)/})
+                                end
+  s.executables = s.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  s.required_ruby_version = '~> 2.2'
+
+  s.require_paths = ['lib']
+
+  s.add_development_dependency 'pry'
+  s.add_development_dependency 'rspec', '~> 3.7'
+  s.add_development_dependency 'rubocop'
+  s.add_development_dependency 'simplecov'
+end

data/lib/csp_util/directive.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module CSPUtil
+  class Directive
+    # More info:
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+    VALID_NAMES =
+      %w[
+        child-src connect-src default-src font-src frame-src img-src
+        manifest-src media-src object-src script-src style-src worker-src
+        base-uri plugin-types sandbox disown-opener form-action frame-ancestors
+        report-uri report-to upgrade-insecure-requests block-all-mixed-content
+        require-sri-for
+      ].freeze
+    DEPRECATED_NAMES = %w[reflected-xss referrer].freeze
+    FULLY_DEPRECATED_NAMES = %w[policy-uri].freeze
+
+    attr_reader :name, :value
+
+    def initialize(token)
+      dir_name, dir_value = token.split(' ', 2)
+      validate_name!(dir_name)
+
+      @name  = dir_name
+      @value =
+        if dir_value
+          dir_value.split(' ').map(&:strip)
+        else
+          []
+        end
+    end
+
+    def same_name?(another_directive)
+      return false unless name
+
+      name.casecmp(another_directive.name).zero?
+    end
+
+    def to_h
+      { name: name, value: value }
+    end
+
+    private
+
+    def validate_name!(directive_name)
+      return unless directive_name
+
+      name = directive_name.downcase
+      return if VALID_NAMES.include?(name)
+      # Show warning for deprecated names?
+      return if DEPRECATED_NAMES.include?(name)
+
+      if FULLY_DEPRECATED_NAMES.include?(name)
+        raise(DirectiveNameDeprecated, directive_name)
+      end
+
+      raise(DirectiveNameUnknown, directive_name)
+    end
+  end
+end

data/lib/csp_util/errors.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module CSPUtil
+  class CSPUtilError < StandardError; end
+
+  class DirectiveError < CSPUtilError
+    def initialize(directive_name)
+      @directive_name = directive_name
+    end
+  end
+
+  class DirectiveNameUnknown < DirectiveError
+    def message
+      "#{@directive_name} has been removed and is not supported"
+    end
+  end
+
+  class DirectiveNameDeprecated < DirectiveError
+    def message
+      "directive name #{@directive_name} is unknown"
+    end
+  end
+
+  class DuplicateDirective < DirectiveError
+    def message
+      "directive #{@directive_name} is a duplicate"
+    end
+  end
+end

data/lib/csp_util/parse_directives.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module CSPUtil
+  class << self
+    def parse_directives(serialized_policy)
+      tokens = serialized_policy.split(';')
+
+      tokens.each_with_object([]) do |token, directives|
+        token.strip!
+        next if token.empty?
+
+        directive = Directive.new(token)
+        validate_uniqueness!(directive, directives)
+
+        directives << directive
+      end
+    end
+
+    private
+
+    def validate_uniqueness!(directive, directives)
+      return if directives.none? { |d| d.same_name?(directive) }
+
+      raise(DuplicateDirective, directive.name)
+    end
+  end
+end

data/lib/csp_util/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module CSPUtil
+  VERSION = '1.0.2'.freeze
+end

data/lib/csp_util.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require_relative 'csp_util/errors'
+require_relative 'csp_util/directive'
+require_relative 'csp_util/parse_directives'

metadata

@@ -0,0 +1,113 @@
+--- !ruby/object:Gem::Specification
+name: csp-util
+version: !ruby/object:Gem::Version
+  version: 1.0.2
+platform: ruby
+authors:
+- Templarbit
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-01-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email: 
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- ".travis.yml"
+- Gemfile
+- LICENSE
+- README.md
+- csp-util.gemspec
+- lib/csp_util.rb
+- lib/csp_util/directive.rb
+- lib/csp_util/errors.rb
+- lib/csp_util/parse_directives.rb
+- lib/csp_util/version.rb
+homepage: https://github.com/templarbit/ruby-csp-util
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - "~>"
+    - !ruby/object:Gem::Version
+      version: '2.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.4
+signing_key: 
+specification_version: 4
+summary: Content-Security-Policy utils
+test_files: []