govuk_app_config 4.11.1 → 4.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3860b6855cbcf400a78ac81032a4db049ee483a6c60614eab68e19f9340331e2
-  data.tar.gz: 8151cbc7c4be367f57c8dbaafdc5755beb09e410f474d8a9830f1f3fc3e89382
+  metadata.gz: 19626391e07dadef9dce3abc326901bd86952b34532628b3ca0690d2cff2c314
+  data.tar.gz: 996320aff2dbeb2eae7d4fdd961461e33c39e2688ede77eaf7d5a92e5e6b9f84
 SHA512:
-  metadata.gz: c2af9398cbf1d148e39f4d48b315bb7c10443f05737713c50f933ad4e3c3f69e4e45c5d19f79cfeb1a55f102e2477702cd77edd04a7d3ba654053d8b0caf7149
-  data.tar.gz: 553747a1e310ab22a5ccf2cc8da122dafc8fd46402262edefdf2bd2e897f510fdc976198f505f57b8657c256621d40b3d49931ec0f0822abc877eda94fcda41a
+  metadata.gz: 880a5141ae35cbff8b463c49526fe9b41163fdf2c4a9fec6e1e6717a43f633f602e569449271be1609415b1d4f36b1c51782190ed40ced692ebd6daa722e7f73
+  data.tar.gz: 6b5e893f9abc787e20510f0e2a38565224df5902197f90a07cf861ca4fe7cc49ca306ea12e2440d858e888f1121d1c800767e2b774711749a8c7ea29a30955e4

data/.github/workflows/ci.yml

@@ -30,6 +30,6 @@ jobs:
     if: ${{ github.ref == 'refs/heads/main' }}
     permissions:
       contents: write
-    uses: alphagov/govuk-infrastructure/.github/workflows/publish-rubygem.yaml@main
+    uses: alphagov/govuk-infrastructure/.github/workflows/publish-rubygem.yml@main
     secrets:
       GEM_HOST_API_KEY: ${{ secrets.ALPHAGOV_RUBYGEMS_API_KEY }}

data/CHANGELOG.md

@@ -1,3 +1,16 @@
+# 4.13.0
+
+- Flush log writes to stdout immediately so that structured (JSON) logs are not lost on crash or delayed indefinitely.
+
+# 4.12.0
+
+* Allow `https://img.youtube.com` as a CSP image source
+* CSP only allows scripts, styles and fonts from self which reflects GOV.UK production behaviour
+* Set the default CSP behaviour to be allow communication only to self
+* Remove webchat scripts from the CSP, these are now handled in [government-frontend](https://github.com/alphagov/government-frontend/pull/2643)
+* Remove `www.signin.service.gov.uk` from the CSP as it is no-longer used in GOV.UK
+* Disallow data fonts in the global Content Security policy
+
 # 4.11.1
 
 - Remove govuk_i18n plural rules file

data/README.md

@@ -178,4 +178,4 @@ GovukPrometheusExporter.configure
 
 ## License
 
-[MIT License](LICENSE.md)
+[MIT License](LICENCE)

data/lib/govuk_app_config/govuk_content_security_policy.rb

@@ -1,12 +1,12 @@
 module GovukContentSecurityPolicy
   # Generate a Content Security Policy (CSP) directive.
   #
-  # See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more CSP info.
+  # Before making any changes please read our documentation: https://docs.publishing.service.gov.uk/manual/content-security-policy.html
   #
-  # The resulting policy should be checked with:
+  # If you are making a change here you should consider 2 basic rules of thumb:
   #
-  # - https://csp-evaluator.withgoogle.com
-  # - https://cspvalidator.org
+  # 1. Are you creating a XSS risk? Adding unsafe-* declarations, allowing data: URLs or being overly permissive (e.g. https) risks these
+  # 2. Is this change needed globally, if it's just one or two apps the change should be applied in them directly.
 
   GOVUK_DOMAINS = [
     "*.publishing.service.gov.uk",
@@ -26,64 +26,56 @@ module GovukContentSecurityPolicy
 
   def self.build_policy(policy)
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
-    policy.default_src :https, :self, *GOVUK_DOMAINS
+    policy.default_src :self
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
     policy.img_src :self,
-                   :data, # Base64 encoded images
+                   # This allows Base64 encoded images, but is a security
+                   # risk as it can embed third party resources.
+                   # As of December 2022, we intend to remove this prior
+                   # to making the CSP live.
+                   :data,
                    *GOVUK_DOMAINS,
                    *GOOGLE_ANALYTICS_DOMAINS, # Tracking pixels
                    # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
                    "lux.speedcurve.com",
                    # Some content still links to an old domain we used to use
-                   "assets.digital.cabinet-office.gov.uk"
+                   "assets.digital.cabinet-office.gov.uk",
+                   # Allow YouTube thumbnails
+                   "https://img.youtube.com"
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
     policy.script_src :self,
-                      *GOVUK_DOMAINS,
                       *GOOGLE_ANALYTICS_DOMAINS,
                       *GOOGLE_STATIC_DOMAINS,
-                      # Allow JSONP call to Verify to check whether the user is logged in
-                      "www.signin.service.gov.uk",
                       # Allow YouTube Embeds (Govspeak turns YouTube links into embeds)
                       "*.ytimg.com",
                       "www.youtube.com",
                       "www.youtube-nocookie.com",
-                      # Allow JSONP call to Nuance - HMRC web chat provider
-                      "hmrc-uk.digital.nuance.com",
-                      # Allow all inline scripts until we can conclusively
-                      # document all the inline scripts we use,
-                      # and there's a better way to filter out junk reports
+                      # This allows inline scripts and thus is a XSS risk.
+                      # As of December 2022, we intend to work towards removing
+                      # this from apps that don't use jQuery 1.12 (which needs
+                      # this) once we've set up nonces.
                       :unsafe_inline
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
     policy.style_src :self,
-                     *GOVUK_DOMAINS,
                      *GOOGLE_STATIC_DOMAINS,
-                     # We use the `style=""` attribute on some HTML elements
+                     # This allows style="" attributes and style elements.
+                     # As of December 2022, we intend to remove this prior
+                     # to making the CSP live due to the security risks it has.
                      :unsafe_inline
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
-    policy.font_src :self,
-                    *GOVUK_DOMAINS,
-                    :data # Used by some legacy fonts
+    # Note: we purposely don't include data here because it produces a security risk.
+    policy.font_src :self
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
     policy.connect_src :self,
                        *GOVUK_DOMAINS,
                        *GOOGLE_ANALYTICS_DOMAINS,
                        # Speedcurve real user monitoring (RUM) - as per: https://support.speedcurve.com/docs/add-rum-to-your-csp
-                       "lux.speedcurve.com",
-                       # Allow connecting to web chat from HMRC contact pages
-                       "www.tax.service.gov.uk",
-                       # Allow JSON call to Nuance - HMRC web chat provider
-                       "hmrc-uk.digital.nuance.com",
-                       # Allow JSON call to klick2contact - HMPO web chat provider
-                       "hmpowebchat.klick2contact.com",
-                       # Allow JSON call to Eckoh - HMPO web chat provider
-                       "omni.eckoh.uk",
-                       # Allow connecting to Verify to check whether the user is logged in
-                       "www.signin.service.gov.uk"
+                       "lux.speedcurve.com"
 
     # Disallow all <object>, <embed>, and <applet> elements
     #
@@ -99,6 +91,14 @@ module GovukContentSecurityPolicy
   def self.configure
     Rails.application.config.content_security_policy_report_only = ENV.include?("GOVUK_CSP_REPORT_ONLY")
 
-    Rails.application.config.content_security_policy(&method(:build_policy))
+    policy = Rails.application.config.content_security_policy(&method(:build_policy))
+
+    # # allow apps to customise the CSP by passing a block e.g:
+    # GovukContentSecuirtyPolicy.configure do |policy|
+    #   policy.image_src(*policy.image_src, "https://i.ytimg.com")
+    # end
+    yield(policy) if block_given?
+
+    policy
   end
 end

data/lib/govuk_app_config/govuk_logging.rb

@@ -12,36 +12,37 @@ module GovukLogging
     # `Rails.logger` calls or 'puts' statements. However these are not in a
     # JSON format which causes problems for the log file parsers.
     #
-    # To resolve this we've directed stdout to stderr, to cover any Rails
+    # To resolve this we redirect stdout to stderr, to cover any Rails
     # writing. This frees up the normal stdout for the logstasher logs.
+    #
+    # We also disable buffering, so that logs aren't lost on crash or delayed
+    # indefinitely while troubleshooting.
 
     # rubocop:disable Style/GlobalVars
     $real_stdout = $stdout.clone
+    $real_stdout.sync = true
     $stdout.reopen($stderr)
+    $stdout.sync = true
     # rubocop:enable Style/GlobalVars
 
     # Send Rails' logs to STDERR because they're not JSON formatted.
     Rails.logger = ActiveSupport::TaggedLogging.new(Logger.new($stderr, level: Rails.logger.level))
 
-    # Custom that will be added to the Rails request logs
     LogStasher.add_custom_fields do |fields|
-      # Mirrors Nginx request logging, e.g GET /path/here HTTP/1.1
+      # Mirrors Nginx request logging, e.g. GET /path/here HTTP/1.1
       fields[:request] = "#{request.request_method} #{request.fullpath} #{request.headers['SERVER_PROTOCOL']}"
 
-      # Pass request Id to logging
       fields[:govuk_request_id] = request.headers["GOVUK-Request-Id"]
-
       fields[:varnish_id] = request.headers["X-Varnish"]
-
       fields[:govuk_app_config] = GovukAppConfig::VERSION
     end
 
     Rails.application.config.logstasher.enabled = true
 
-    # Log controller actions so that we can graph response times
+    # Log controller actions so that we can graph response times.
     Rails.application.config.logstasher.controller_enabled = true
 
-    # The other loggers are not that interesting in production
+    # The other loggers are not that interesting in production.
     Rails.application.config.logstasher.mailer_enabled = false
     Rails.application.config.logstasher.record_enabled = false
     Rails.application.config.logstasher.view_enabled = false
@@ -59,11 +60,9 @@ module GovukLogging
     if defined?(GdsApi::Base)
       GdsApi::Base.default_options ||= {}
 
-      # The GDS API Adapters gem logs JSON to describe the requests it
-      # makes and the responses it gets, so direct this to the
-      # logstasher logger
-      GdsApi::Base.default_options[:logger] =
-        Rails.application.config.logstasher.logger
+      # The gds-api-adapters gem logs JSON to describe the requests it makes and
+      # the responses it gets, so direct this to the logstasher logger.
+      GdsApi::Base.default_options[:logger] = Rails.application.config.logstasher.logger
     end
 
     RailsExt::ActionDispatch.monkey_patch_log_error if RailsExt::ActionDispatch.should_monkey_patch_log_error?

data/lib/govuk_app_config/version.rb

@@ -1,3 +1,3 @@
 module GovukAppConfig
-  VERSION = "4.11.1".freeze
+  VERSION = "4.13.0".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govuk_app_config
 version: !ruby/object:Gem::Version
-  version: 4.11.1
+  version: 4.13.0
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-12-12 00:00:00.000000000 Z
+date: 2023-01-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstasher
@@ -289,7 +289,7 @@ files:
 - ".ruby-version"
 - CHANGELOG.md
 - Gemfile
-- LICENSE.md
+- LICENCE
 - README.md
 - Rakefile
 - bin/console
@@ -336,7 +336,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
+rubygems_version: 3.4.3
 signing_key: 
 specification_version: 4
 summary: Base configuration for GOV.UK applications