csp_report 0.1.0
- checksums.yaml +7 -0
- data/MIT-LICENSE +20 -0
- data/README.md +129 -0
- data/Rakefile +29 -0
- data/app/assets/javascripts/csp_report/application.js +13 -0
- data/app/assets/stylesheets/csp_report/application.css +13 -0
- data/app/assets/stylesheets/csp_report/csp_report.css.sass +15 -0
- data/app/controllers/csp_report/application_controller.rb +4 -0
- data/app/controllers/csp_report/csp_reports_controller.rb +26 -0
- data/app/helpers/csp_report/application_helper.rb +4 -0
- data/app/models/csp_report/csp_report.rb +4 -0
- data/app/views/csp_report/csp_reports/index.html.haml +27 -0
- data/app/views/layouts/csp_report/application.html.erb +14 -0
- data/config/routes.rb +4 -0
- data/db/migrate/20130630091108_create_csp_report_csp_reports.rb +13 -0
- data/lib/csp_report.rb +6 -0
- data/lib/csp_report/engine.rb +12 -0
- data/lib/csp_report/version.rb +3 -0
- data/lib/tasks/csp_report_tasks.rake +4 -0
- data/spec/controllers/csp_report/csp_reports_controller_spec.rb +7 -0
- data/spec/dummy/README.rdoc +28 -0
- data/spec/dummy/Rakefile +6 -0
- data/spec/dummy/app/assets/javascripts/application.js +13 -0
- data/spec/dummy/app/assets/stylesheets/application.css +13 -0
- data/spec/dummy/app/controllers/application_controller.rb +5 -0
- data/spec/dummy/app/helpers/application_helper.rb +2 -0
- data/spec/dummy/app/views/layouts/application.html.erb +14 -0
- data/spec/dummy/bin/bundle +3 -0
- data/spec/dummy/bin/rails +4 -0
- data/spec/dummy/bin/rake +4 -0
- data/spec/dummy/config.ru +4 -0
- data/spec/dummy/config/application.rb +23 -0
- data/spec/dummy/config/boot.rb +5 -0
- data/spec/dummy/config/database.yml +25 -0
- data/spec/dummy/config/environment.rb +5 -0
- data/spec/dummy/config/environments/development.rb +29 -0
- data/spec/dummy/config/environments/production.rb +80 -0
- data/spec/dummy/config/environments/test.rb +36 -0
- data/spec/dummy/config/initializers/backtrace_silencers.rb +7 -0
- data/spec/dummy/config/initializers/filter_parameter_logging.rb +4 -0
- data/spec/dummy/config/initializers/inflections.rb +16 -0
- data/spec/dummy/config/initializers/mime_types.rb +5 -0
- data/spec/dummy/config/initializers/secret_token.rb +12 -0
- data/spec/dummy/config/initializers/session_store.rb +3 -0
- data/spec/dummy/config/initializers/wrap_parameters.rb +14 -0
- data/spec/dummy/config/locales/en.yml +23 -0
- data/spec/dummy/config/routes.rb +4 -0
- data/spec/dummy/db/development.sqlite3 +0 -0
- data/spec/dummy/db/schema.rb +16 -0
- data/spec/dummy/db/test.sqlite3 +0 -0
- data/spec/dummy/log/development.log +3 -0
- data/spec/dummy/log/test.log +4 -0
- data/spec/dummy/public/404.html +58 -0
- data/spec/dummy/public/422.html +58 -0
- data/spec/dummy/public/500.html +57 -0
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/factories/csp_report_csp_reports.rb +11 -0
- data/spec/models/csp_report/csp_report_spec.rb +7 -0
- data/spec/spec_helper.rb +18 -0
- metadata +240 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 05a155d3f898df467ac1e1ba299b76435abb6cc8
|
4
|
+
data.tar.gz: 7f60f67557dc034b38a44dc7721723229fec8aee
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: fc57db819032fd643e5fa128f1ed56c224e37055a94cfba0c31f7bb217ccd0d62b18aa3b6ecbe3bf5ef4afdba39d72a460667584fae501e7968b4aec04494c3b
|
7
|
+
data.tar.gz: cbc0d14b8b29a1ad437819c7f900880d7e7d9bfcda727d92b030bc6634ceb21abedea50a5add355312babe1af25071d8e9df01b228396fa7ec5ce3adfde84991
|
data/MIT-LICENSE
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
Copyright 2013 YOURNAME
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
+
a copy of this software and associated documentation files (the
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
9
|
+
the following conditions:
|
10
|
+
|
11
|
+
The above copyright notice and this permission notice shall be
|
12
|
+
included in all copies or substantial portions of the Software.
|
13
|
+
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
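Review bot: line 1 of this hunk still carries the generator placeholder `Copyright 2013 YOURNAME`; replace it with the actual copyright holder (the README in this same release names Gregory Bataille as the author) before publishing, since an MIT grant from an unidentified party is hard for downstream users to rely on.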
data/README.md
ADDED
@@ -0,0 +1,129 @@
|
|
1
|
+
CspReport
|
2
|
+
=========
|
3
|
+
|
4
|
+
This gem provides a Rails engine that manages the CSP violations reported by
|
5
|
+
the client browser (when supported).
|
6
|
+
|
7
|
+
**Disclaimer**
|
8
|
+
|
9
|
+
This is a rough cut gem for the moment. It won't look like much in the report
|
10
|
+
page. However, elements have a class so you can add some CSS style before I
|
11
|
+
add some clean ones in the gem.
|
12
|
+
|
13
|
+
What is CSP
|
14
|
+
===========
|
15
|
+
|
16
|
+
CSP (Content Security Policy) is a way to limit cross site scripting by relying
|
17
|
+
on the browser as a last line of defense. It does not mean the other anti XSS
|
18
|
+
practices are to be forgotten though.
|
19
|
+
|
20
|
+
For more information, consult
|
21
|
+
* [The W3C policy](http://www.w3.org/TR/CSP/)
|
22
|
+
* [Wikipedia](http://en.wikipedia.org/wiki/Content_Security_Policy)
|
23
|
+
* [The Google Chrome explanation](https://developer.chrome.com/extensions/contentSecurityPolicy.html)
|
24
|
+
|
25
|
+
[Browser supporting CSP](http://caniuse.com/#search=csp)
|
26
|
+
|
27
|
+
Tested in Chrome 27 and shown to work with the *'Content-Security-Policy'* new
|
28
|
+
directive.
|
29
|
+
Safari 6 already supports it but with the *'X-Webkit-CSP'* directive. However, it
|
30
|
+
seems the *report_uri* parameter is not yet supported there.
|
31
|
+
|
32
|
+
Features
|
33
|
+
========
|
34
|
+
|
35
|
+
* Provides a *csp_report* resource that stores the reported violations.
|
36
|
+
|
37
|
+
Install
|
38
|
+
=======
|
39
|
+
|
40
|
+
1. In your *Gemfile*, add the following
|
41
|
+
```ruby
|
42
|
+
gem csp_report
|
43
|
+
```
|
44
|
+
|
45
|
+
Don't forget to run `bundle install` afterwards
|
46
|
+
|
47
|
+
2. Retrieve the db migration files from the gem and install them
|
48
|
+
```shell
|
49
|
+
rake csp_report:install:migrations
|
50
|
+
rake db:migrate
|
51
|
+
```
|
52
|
+
|
53
|
+
3. In your *config/routes.rb*, you need to import the csp routes, like so
|
54
|
+
```ruby
|
55
|
+
mount CspReport::Engine, at: 'csp'
|
56
|
+
```
|
57
|
+
|
58
|
+
where the *at* parameter acts as a url encapsulation for the gem routes. For
|
59
|
+
example, with the above lines, you would create a */csp/csp_reports* set of
|
60
|
+
routes in your application
|
61
|
+
|
62
|
+
4. You need to configure a CSP on your server response, with the *report_uri*
|
63
|
+
parameters pointing to the configured REST resource above. Following the setup
|
64
|
+
above, one solution is to find this in your application_controller.rb file:
|
65
|
+
```ruby
|
66
|
+
class ApplicationController
|
67
|
+
protect_from_forgery
|
68
|
+
|
69
|
+
before_filter :csp
|
70
|
+
|
71
|
+
def csp
|
72
|
+
response.headers['Content-Security-Policy'] = "script-src 'self'; report-uri /csp/csp_reports"
|
73
|
+
end
|
74
|
+
end
|
75
|
+
```
|
76
|
+
|
77
|
+
5. You're all set. Accessing *application_root_url*/csp/csp_reports will display
|
78
|
+
a list of all the CSP violation that were reported.
|
79
|
+
|
80
|
+
Trying it out
|
81
|
+
=============
|
82
|
+
|
83
|
+
With the policy set as an example above (*script 'self'*), inline javascript is
|
84
|
+
not authorized. Just put some
|
85
|
+
```html
|
86
|
+
<script>
|
87
|
+
alert('test')
|
88
|
+
</script>
|
89
|
+
```
|
90
|
+
|
91
|
+
in one of your HTML rendered file and launch it in a browser. If the setup is
|
92
|
+
correct and you browser supports CSP, the script will not play (no pop-up) and
|
93
|
+
you'll have one more record in the /csp/csp_reports list.
|
94
|
+
|
95
|
+
Why using this gem
|
96
|
+
==================
|
97
|
+
|
98
|
+
CSP is yet another layer of protection, basically relying on the browser to do
|
99
|
+
some level of control. This is a way to prevent some man in the middle attack
|
100
|
+
where someone intercepts the server response and try to change it. While not
|
101
|
+
foolproof, it's a good additional security layer.
|
102
|
+
|
103
|
+
This gem comes in handy for 2 reasons:
|
104
|
+
* First, when activating CSP directives on your existing site, it is likely
|
105
|
+
that you'll have a hard
|
106
|
+
time figuring out all the sources you are using. By recording all the breaches,
|
107
|
+
this gem allows you to setup a policy, run a crawler for example, and then
|
108
|
+
look at what is reported as breaches. It will help you getting rid of your
|
109
|
+
inline js and so on.
|
110
|
+
* Second, in normal production mode, it'll help you monitor the situation and
|
111
|
+
see if your server has been victim of some injection (if some input is not
|
112
|
+
sanitize properly) or if your users are being attacked in some way (in which
|
113
|
+
case you might gather stats and maybe warn them in one way or another).
|
114
|
+
|
115
|
+
To come
|
116
|
+
=======
|
117
|
+
|
118
|
+
* Generators to ease the manual install process
|
119
|
+
* Generators to help create the proper policies
|
120
|
+
|
121
|
+
License
|
122
|
+
=======
|
123
|
+
|
124
|
+
This project is under a MIT-LICENSE.
|
125
|
+
|
126
|
+
Author
|
127
|
+
======
|
128
|
+
|
129
|
+
[Gregory Bataille](https://github.com/gbataille)
|
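Review bot: the Gemfile snippet in the Install section, `gem csp_report`, is not valid Ruby (the gem name must be a string: `gem 'csp_report'`), and the ApplicationController example opens with `class ApplicationController` without its `< ActionController::Base` superclass, so both fail if pasted as-is. Two consistency points in the same hunk: the "Trying it out" section calls the policy *script 'self'* while the header set above is `script-src 'self'; report-uri /csp/csp_reports`, and the prose spells the parameter `report_uri` where the directive is `report-uri`; aligning them avoids readers copying a wrong directive name. The README should also state that `/csp/csp_reports` lists every stored violation (document URIs, referrers, blocked URIs) to anyone who can reach it, and that the host application is expected to restrict access to that index.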
data/Rakefile
ADDED
@@ -0,0 +1,29 @@
|
|
1
|
+
begin
|
2
|
+
require 'bundler/setup'
|
3
|
+
rescue LoadError
|
4
|
+
puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
|
5
|
+
end
|
6
|
+
|
7
|
+
require 'rdoc/task'
|
8
|
+
|
9
|
+
RDoc::Task.new(:rdoc) do |rdoc|
|
10
|
+
rdoc.rdoc_dir = 'rdoc'
|
11
|
+
rdoc.title = 'CspReport'
|
12
|
+
rdoc.options << '--line-numbers'
|
13
|
+
rdoc.rdoc_files.include('lib/**/*.rb')
|
14
|
+
end
|
15
|
+
|
16
|
+
APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
|
17
|
+
load 'rails/tasks/engine.rake'
|
18
|
+
|
19
|
+
Bundler::GemHelper.install_tasks
|
20
|
+
|
21
|
+
require 'rspec/core'
|
22
|
+
require 'rspec/core/rake_task'
|
23
|
+
RSpec::Core::RakeTask.new(:spec => 'app:db:test:prepare') do |spec|
|
24
|
+
spec.pattern = FileList['spec/**/*_spec.rb']
|
25
|
+
end
|
26
|
+
|
27
|
+
task :default => :spec
|
28
|
+
task :test => :spec
|
29
|
+
|
@@ -0,0 +1,13 @@
|
|
1
|
+
// This is a manifest file that'll be compiled into application.js, which will include all the files
|
2
|
+
// listed below.
|
3
|
+
//
|
4
|
+
// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
|
5
|
+
// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
|
6
|
+
//
|
7
|
+
// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
|
8
|
+
// compiled file.
|
9
|
+
//
|
10
|
+
// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
|
11
|
+
// about supported directives.
|
12
|
+
//
|
13
|
+
//= require_tree .
|
@@ -0,0 +1,13 @@
|
|
1
|
+
/*
|
2
|
+
* This is a manifest file that'll be compiled into application.css, which will include all the files
|
3
|
+
* listed below.
|
4
|
+
*
|
5
|
+
* Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
|
6
|
+
* or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
|
7
|
+
*
|
8
|
+
* You're free to add application-wide styles to this file and they'll appear at the top of the
|
9
|
+
* compiled file, but it's generally better to create a new file per style scope.
|
10
|
+
*
|
11
|
+
*= require_self
|
12
|
+
*= require_tree .
|
13
|
+
*/
|
@@ -0,0 +1,15 @@
|
|
1
|
+
.csp-report.report-table
|
2
|
+
border-style: solid
|
3
|
+
border-color: #0000AA
|
4
|
+
border-width: 5px
|
5
|
+
border-collapse: collapse
|
6
|
+
|
7
|
+
.csp-report.report-cell
|
8
|
+
padding: 5px
|
9
|
+
border-style: solid
|
10
|
+
border-width: 2px
|
11
|
+
|
12
|
+
.csp-report.report-header
|
13
|
+
padding: 5px
|
14
|
+
border-style: solid
|
15
|
+
border-width: 3px
|
@@ -0,0 +1,26 @@
|
|
1
|
+
require_dependency "csp_report/application_controller"
|
2
|
+
|
3
|
+
class CspReport::CspReportsController < ApplicationController
|
4
|
+
# The browser submitting the report will not have any CSRF token
|
5
|
+
skip_before_filter :verify_authenticity_token
|
6
|
+
|
7
|
+
#Only provided as an API
|
8
|
+
respond_to :json
|
9
|
+
|
10
|
+
def index
|
11
|
+
@reports = CspReport::CspReport.all
|
12
|
+
end
|
13
|
+
|
14
|
+
def create
|
15
|
+
param = request.request_parameters()['csp-report']
|
16
|
+
report = CspReport::CspReport.new do |r|
|
17
|
+
r.document_uri = param['document-uri']
|
18
|
+
r.referrer = param['referrer']
|
19
|
+
r.violated_directive = param['violated-directive']
|
20
|
+
r.original_policy = param['original-policy']
|
21
|
+
r.blocked_uri = param['blocked-uri']
|
22
|
+
end
|
23
|
+
report.save!
|
24
|
+
render status: 200, nothing: true
|
25
|
+
end
|
26
|
+
end
|
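Review bot: `create` dereferences `param` without checking it, so a POST whose body is not JSON, uses a content type Rails does not parse, or simply lacks a `csp-report` key makes `param['document-uri']` raise NoMethodError on nil and the endpoint answers 500. Since this route is deliberately unauthenticated and CSRF-exempt, it should treat the body as untrusted: answer `head :bad_request` when `param` is not a Hash, and prefer `save` over `save!` so an invalid record does not surface as a server error. Relatedly, current browsers send violation reports with `Content-Type: application/csp-report`, which Rails does not parse into `request.request_parameters` unless a parser is registered for that MIME type (or the action parses `request.raw_post` with `JSON.parse` itself), so the lookup as written only works for clients that post as `application/json`, which matches the Chrome 27 test in the README but not later browsers. Finally, `index` has no authorization at all and `respond_to :json` does not change that; either document that the host app must protect it or add a configurable before_filter hook.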
@@ -0,0 +1,27 @@
|
|
1
|
+
=stylesheet_link_tag "csp_report/csp_report.css"
|
2
|
+
|
3
|
+
%table.csp-report.report-table
|
4
|
+
%tr.csp-report.report-row
|
5
|
+
%th.csp-report.report-header
|
6
|
+
ID
|
7
|
+
%th.csp-report.report-header
|
8
|
+
Document URI
|
9
|
+
%th.csp-report.report-header
|
10
|
+
Referrer
|
11
|
+
%th.csp-report.report-header
|
12
|
+
Server Policy
|
13
|
+
%th.csp-report.report-header
|
14
|
+
Violated Directive
|
15
|
+
%th.csp-report.report-header
|
16
|
+
Blocked URI
|
17
|
+
%th.csp-report.report-header
|
18
|
+
Reported At
|
19
|
+
- @reports.each do |report|
|
20
|
+
%tr.csp-report.report-row
|
21
|
+
%td.csp-report.report-cell=report.id
|
22
|
+
%td.csp-report.report-cell=report.document_uri
|
23
|
+
%td.csp-report.report-cell=report.referrer
|
24
|
+
%td.csp-report.report-cell=report.original_policy
|
25
|
+
%td.csp-report.report-cell=report.violated_directive
|
26
|
+
%td.csp-report.report-cell=report.blocked_uri
|
27
|
+
%td.csp-report.report-cell=report.created_at
|
@@ -0,0 +1,14 @@
|
|
1
|
+
<!DOCTYPE html>
|
2
|
+
<html>
|
3
|
+
<head>
|
4
|
+
<title>CspReport</title>
|
5
|
+
<%= stylesheet_link_tag "csp_report/application", media: "all" %>
|
6
|
+
<%= javascript_include_tag "csp_report/application" %>
|
7
|
+
<%= csrf_meta_tags %>
|
8
|
+
</head>
|
9
|
+
<body>
|
10
|
+
|
11
|
+
<%= yield %>
|
12
|
+
|
13
|
+
</body>
|
14
|
+
</html>
|
data/config/routes.rb
ADDED
@@ -0,0 +1,13 @@
|
|
1
|
+
class CreateCspReportCspReports < ActiveRecord::Migration
|
2
|
+
def change
|
3
|
+
create_table :csp_report_csp_reports do |t|
|
4
|
+
t.string :document_uri
|
5
|
+
t.string :referrer
|
6
|
+
t.string :blocked_uri
|
7
|
+
t.string :violated_directive
|
8
|
+
t.string :original_policy
|
9
|
+
|
10
|
+
t.timestamps
|
11
|
+
end
|
12
|
+
end
|
13
|
+
end
|
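Review bot: all five columns are `t.string`, which on MySQL means VARCHAR(255), but `original_policy` carries the full policy header and `document_uri`, `blocked_uri` and `referrer` are arbitrary URLs, all of which routinely exceed 255 characters; in MySQL strict mode the controller's `save!` then raises and the report is lost, and in non-strict mode the value is silently truncated. Use `t.text` for those columns, or validate length in the model.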
data/lib/csp_report.rb
ADDED
@@ -0,0 +1,12 @@
|
|
1
|
+
module CspReport
|
2
|
+
class Engine < ::Rails::Engine
|
3
|
+
isolate_namespace CspReport
|
4
|
+
|
5
|
+
config.generators do |g|
|
6
|
+
g.test_framework :rspec, :fixture => false
|
7
|
+
g.fixture_replacement :factory_girl, :dir => 'spec/factories'
|
8
|
+
g.assets false
|
9
|
+
g.helper false
|
10
|
+
end
|
11
|
+
end
|
12
|
+
end
|
@@ -0,0 +1,28 @@
|
|
1
|
+
== README
|
2
|
+
|
3
|
+
This README would normally document whatever steps are necessary to get the
|
4
|
+
application up and running.
|
5
|
+
|
6
|
+
Things you may want to cover:
|
7
|
+
|
8
|
+
* Ruby version
|
9
|
+
|
10
|
+
* System dependencies
|
11
|
+
|
12
|
+
* Configuration
|
13
|
+
|
14
|
+
* Database creation
|
15
|
+
|
16
|
+
* Database initialization
|
17
|
+
|
18
|
+
* How to run the test suite
|
19
|
+
|
20
|
+
* Services (job queues, cache servers, search engines, etc.)
|
21
|
+
|
22
|
+
* Deployment instructions
|
23
|
+
|
24
|
+
* ...
|
25
|
+
|
26
|
+
|
27
|
+
Please feel free to use a different markup language if you do not plan to run
|
28
|
+
<tt>rake doc:app</tt>.
|
data/spec/dummy/Rakefile
ADDED
@@ -0,0 +1,13 @@
|
|
1
|
+
// This is a manifest file that'll be compiled into application.js, which will include all the files
|
2
|
+
// listed below.
|
3
|
+
//
|
4
|
+
// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
|
5
|
+
// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
|
6
|
+
//
|
7
|
+
// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
|
8
|
+
// compiled file.
|
9
|
+
//
|
10
|
+
// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
|
11
|
+
// about supported directives.
|
12
|
+
//
|
13
|
+
//= require_tree .
|