csp_report 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 05a155d3f898df467ac1e1ba299b76435abb6cc8
+  data.tar.gz: 7f60f67557dc034b38a44dc7721723229fec8aee
+SHA512:
+  metadata.gz: fc57db819032fd643e5fa128f1ed56c224e37055a94cfba0c31f7bb217ccd0d62b18aa3b6ecbe3bf5ef4afdba39d72a460667584fae501e7968b4aec04494c3b
+  data.tar.gz: cbc0d14b8b29a1ad437819c7f900880d7e7d9bfcda727d92b030bc6634ceb21abedea50a5add355312babe1af25071d8e9df01b228396fa7ec5ce3adfde84991

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2013 YOURNAME
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,129 @@
+CspReport
+=========
+
+This gem provides a Rails engine that manages the CSP violations reported by
+the client browser (when supported).
+
+**Disclaimer**
+
+This is a rough cut gem for the moment. It won't look like much in the report
+page. However, elements have a class so you can add some CSS style before I
+ add some clean ones in the gem.
+
+What is CSP
+===========
+
+CSP (Content Security Policy) is a way to limit cross site scripting by relying
+on the browser as a last line of defense. It does not mean the other anti XSS
+practices are to be forgotten though.
+
+For more information, consult
+* [The W3C policy](http://www.w3.org/TR/CSP/)
+* [Wikipedia](http://en.wikipedia.org/wiki/Content_Security_Policy)
+* [The Google Chrome explanation](https://developer.chrome.com/extensions/contentSecurityPolicy.html)
+
+[Browser supporting CSP](http://caniuse.com/#search=csp)
+
+Tested in Chrome 27 and shown to work with the *'Content-Security-Policy'* new
+directive.
+Safari 6 already supports it but with the *'X-Webkit-CSP'* directive. However, it
+seems the *report_uri* parameter is not yet supported there.
+
+Features
+========
+
+* Provides a *csp_report* resource that stores the reported violations.
+
+Install
+=======
+
+1. In your *Gemfile*, add the following
+```ruby
+	gem csp_report
+```
+
+Don't forget to run `bundle install` afterwards
+
+2. Retrieve the db migration files from the gem and install them
+```shell
+	rake csp_report:install:migrations
+	rake db:migrate
+```
+
+3. In your *config/routes.rb*, you need to import the csp routes, like so
+```ruby
+	mount CspReport::Engine, at: 'csp'
+```
+
+where the *at* parameter acts as a url encapsulation for the gem routes. For
+example, with the above lines, you would create a */csp/csp_reports* set of
+routes in your application
+
+4. You need to configure a CSP on your server response, with the *report_uri*
+parameters pointing to the configured REST resource above. Following the setup
+above, one solution is to find this in your application_controller.rb file:
+```ruby
+	class ApplicationController
+		protect_from_forgery
+
+		before_filter :csp
+	
+		def csp
+			response.headers['Content-Security-Policy'] = "script-src 'self'; report-uri /csp/csp_reports"
+		end
+	end
+```
+
+5. You're all set. Accessing *application_root_url*/csp/csp_reports will display
+a list of all the CSP violation that were reported.
+
+Trying it out
+=============
+
+With the policy set as an example above (*script 'self'*), inline javascript is
+not authorized. Just put some
+```html
+	<script>
+		alert('test')
+	</script>
+```
+
+in one of your HTML rendered file and launch it in a browser. If the setup is
+correct and you browser supports CSP, the script will not play (no pop-up) and 
+you'll have one more record in the /csp/csp_reports list.
+
+Why using this gem
+==================
+
+CSP is yet another layer of protection, basically relying on the browser to do
+some level of control. This is a way to prevent some man in the middle attack 
+where someone intercepts the server response and try to change it. While not
+foolproof, it's a good additional security layer.
+
+This gem comes in handy for 2 reasons:
+* First, when activating CSP directives on your existing site, it is likely 
+that you'll have a hard
+time figuring out all the sources you are using. By recording all the breaches,
+ this gem allows you to setup a policy, run a crawler for example, and then 
+look at what is reported as breaches. It will help you getting rid of your 
+inline js and so on.
+* Second, in normal production mode, it'll help you monitor the situation and 
+see if your server has been victim of some injection (if some input is not 
+sanitize properly) or if your users are being attacked in some way (in which 
+case you might gather stats and maybe warn them in one way or another).
+
+To come
+=======
+
+* Generators to ease the manual install process
+* Generators to help create the proper policies
+
+License
+=======
+
+This project is under a MIT-LICENSE.
+
+Author
+======
+
+[Gregory Bataille](https://github.com/gbataille)

data/Rakefile

@@ -0,0 +1,29 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'CspReport'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+Bundler::GemHelper.install_tasks
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec => 'app:db:test:prepare') do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+
+task :default => :spec
+task :test => :spec
+

data/app/assets/javascripts/csp_report/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/app/assets/stylesheets/csp_report/application.css

@@ -0,0 +1,13 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the top of the
+ * compiled file, but it's generally better to create a new file per style scope.
+ *
+ *= require_self
+ *= require_tree .
+ */

data/app/assets/stylesheets/csp_report/csp_report.css.sass

@@ -0,0 +1,15 @@
+.csp-report.report-table
+  border-style: solid
+  border-color: #0000AA
+  border-width: 5px
+  border-collapse: collapse
+
+.csp-report.report-cell
+  padding: 5px
+  border-style: solid
+  border-width: 2px
+
+.csp-report.report-header
+  padding: 5px
+  border-style: solid
+  border-width: 3px

data/app/controllers/csp_report/application_controller.rb

@@ -0,0 +1,4 @@
+module CspReport
+  class ApplicationController < ActionController::Base
+  end
+end

data/app/controllers/csp_report/csp_reports_controller.rb

@@ -0,0 +1,26 @@
+require_dependency "csp_report/application_controller"
+
+class CspReport::CspReportsController < ApplicationController
+  # The browser submitting the report will not have any CSRF token
+  skip_before_filter :verify_authenticity_token
+
+  #Only provided as an API
+  respond_to :json
+
+  def index
+    @reports = CspReport::CspReport.all
+  end
+
+  def create
+    param = request.request_parameters()['csp-report']
+    report = CspReport::CspReport.new do |r|
+      r.document_uri = param['document-uri']
+      r.referrer = param['referrer']
+      r.violated_directive = param['violated-directive']
+      r.original_policy = param['original-policy']
+      r.blocked_uri = param['blocked-uri']
+    end
+    report.save!
+    render status: 200, nothing: true
+  end
+end

data/app/helpers/csp_report/application_helper.rb

@@ -0,0 +1,4 @@
+module CspReport
+  module ApplicationHelper
+  end
+end

data/app/models/csp_report/csp_report.rb

@@ -0,0 +1,4 @@
+module CspReport
+  class CspReport < ActiveRecord::Base
+  end
+end

data/app/views/csp_report/csp_reports/index.html.haml

@@ -0,0 +1,27 @@
+=stylesheet_link_tag "csp_report/csp_report.css"
+
+%table.csp-report.report-table
+  %tr.csp-report.report-row
+    %th.csp-report.report-header
+      ID
+    %th.csp-report.report-header
+      Document URI
+    %th.csp-report.report-header
+      Referrer
+    %th.csp-report.report-header
+      Server Policy
+    %th.csp-report.report-header
+      Violated Directive
+    %th.csp-report.report-header
+      Blocked URI
+    %th.csp-report.report-header
+      Reported At
+  - @reports.each do |report|
+    %tr.csp-report.report-row
+      %td.csp-report.report-cell=report.id
+      %td.csp-report.report-cell=report.document_uri
+      %td.csp-report.report-cell=report.referrer
+      %td.csp-report.report-cell=report.original_policy
+      %td.csp-report.report-cell=report.violated_directive
+      %td.csp-report.report-cell=report.blocked_uri
+      %td.csp-report.report-cell=report.created_at

data/app/views/layouts/csp_report/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>CspReport</title>
+  <%= stylesheet_link_tag    "csp_report/application", media: "all" %>
+  <%= javascript_include_tag "csp_report/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/config/routes.rb

@@ -0,0 +1,4 @@
+CspReport::Engine.routes.draw do
+  resources :csp_reports
+
+end

data/db/migrate/20130630091108_create_csp_report_csp_reports.rb

@@ -0,0 +1,13 @@
+class CreateCspReportCspReports < ActiveRecord::Migration
+  def change
+    create_table :csp_report_csp_reports do |t|
+      t.string :document_uri
+      t.string :referrer
+      t.string :blocked_uri
+      t.string :violated_directive
+      t.string :original_policy
+
+      t.timestamps
+    end
+  end
+end

data/lib/csp_report.rb

@@ -0,0 +1,6 @@
+require "csp_report/engine"
+require "haml-rails"
+require "sass-rails"
+
+module CspReport
+end

data/lib/csp_report/engine.rb

@@ -0,0 +1,12 @@
+module CspReport
+  class Engine < ::Rails::Engine
+    isolate_namespace CspReport
+
+    config.generators do |g|
+      g.test_framework      :rspec,        :fixture => false
+      g.fixture_replacement :factory_girl, :dir => 'spec/factories'
+      g.assets false
+      g.helper false
+    end
+  end
+end

data/lib/csp_report/version.rb

@@ -0,0 +1,3 @@
+module CspReport
+  VERSION = "0.1.0".freeze
+end

data/lib/tasks/csp_report_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :csp_report do
+#   # Task goes here
+# end

data/spec/controllers/csp_report/csp_reports_controller_spec.rb

@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+module CspReport
+  describe CspReportsController do
+
+  end
+end

data/spec/dummy/README.rdoc

@@ -0,0 +1,28 @@
+== README
+
+This README would normally document whatever steps are necessary to get the
+application up and running.
+
+Things you may want to cover:
+
+* Ruby version
+
+* System dependencies
+
+* Configuration
+
+* Database creation
+
+* Database initialization
+
+* How to run the test suite
+
+* Services (job queues, cache servers, search engines, etc.)
+
+* Deployment instructions
+
+* ...
+
+
+Please feel free to use a different markup language if you do not plan to run
+<tt>rake doc:app</tt>.

data/spec/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Dummy::Application.load_tasks

data/spec/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .