govuk_app_config 7.2.1 → 8.0.1

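--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: f921d89549f7203b1e80f23a4e7b4c7c20634120eac39d551a05ba41fc986625
- data.tar.gz: 7af7692a9eec9676df25822f2988d00fe73a863cfabf2e4294c51747f1bff743
+ metadata.gz: 86a7c7bbd8a1996a9e919b875f782fc90a1c5fca1f5356dfa219c76868f2a2cf
+ data.tar.gz: 0e1ea3f6bbe677dc656e4b99d27d43c49e6b67368120b3cf2a0a2cd1e754928b
  SHA512:
- metadata.gz: f0e6360036a9b2c80c96899d00129a0e270fbb15b7d070d67fa54abe45c2c02f38ed3ed95c4aa0c055b4934217030f504c049b9ac09c7a0d0c3a2dfd0c3b00ee
- data.tar.gz: f5c29754f917bb57d50dfe8658d5d1c0c91fcfaded23ca2563595e59a40f46f59f52efb440d8599a7118b4182a2fce41c9286fa207fc13aff71b6d652ef3efc2
+ metadata.gz: 0e5360f08d06a6e24f922a214746fabf2a981ba048ca81b6ac11441f759d7b4044e725f9ca9672206645adbe06541aef480e51e4e4ba553fcde2c881adb75704
+ data.tar.gz: f64dfad4c602b668a01685b384956a7f8f3d593fb3876f19357ac142d97c36de10d54224958115070d10596d9f9e06c51fd812685def74267d646052e8aa5fe1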
@@ -1,4 +1,15 @@
1
- on: [push, pull_request]
1
+ on:
2
+ push:
3
+ branches:
4
+ - main
5
+ pull_request:
6
+ workflow_dispatch:
7
+ inputs:
8
+ ref:
9
+ description: 'The branch, tag or SHA to checkout'
10
+ default: main
11
+ type: string
12
+
2
13
  jobs:
3
14
  # Run the test suite against multiple Ruby and Rails versions
4
15
  test_matrix:
@@ -10,6 +21,8 @@ jobs:
10
21
  runs-on: ubuntu-latest
11
22
  steps:
12
23
  - uses: actions/checkout@v3
24
+ with:
25
+ ref: ${{ inputs.ref || github.ref }}
13
26
  - uses: ruby/setup-ruby@v1
14
27
  with:
15
28
  ruby-version: ${{ matrix.ruby }}
@@ -24,7 +37,7 @@ jobs:
24
37
  runs-on: ubuntu-latest
25
38
  steps:
26
39
  - run: echo "All matrix tests have passed 🚀"
27
-
40
+
28
41
  publish:
29
42
  needs: test
30
43
  if: ${{ github.ref == 'refs/heads/main' }}
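Review bot: The `publish` guard `if: ${{ github.ref == 'refs/heads/main' }}` in the last hunk no longer ensures that the tested code is main, because the new `workflow_dispatch` input lets a run started from main check out any branch, tag or SHA through `ref: ${{ inputs.ref || github.ref }}`. On such a run `github.ref` is still `refs/heads/main`, so the guard passes; whether the publish job then releases the requested ref or main depends on its own checkout step, which is outside the visible hunks. If releasing anything other than main is not intended, the guard could also compare the input, e.g. `if: ${{ github.ref == 'refs/heads/main' && (inputs.ref || 'main') == 'main' }}`. Otherwise the input's `description` should say that a dispatched ref can be published.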
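--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,11 @@
+ # 8.0.1
+
+ * Change the "source" field in Rails logs from logstasher from string representing IP host address to an empty object.
+
+ # 8.0.0
+
+ * BREAKING: Content Security Policy forbids the use of inline style attributes.
+
  # 7.2.1
 
  * Allow prometheus binding to fail with a warning rather than a crash ([#294](https://github.com/alphagov/govuk_app_config/pull/294))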
@@ -56,17 +56,10 @@ module GovukContentSecurityPolicy
56
56
  "www.youtube-nocookie.com"
57
57
 
58
58
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
59
- # Note: we purposely don't include `data:` or `unsafe-eval` because
59
+ # Note: we purposely don't include `data:`, `unsafe-inline` or `unsafe-eval` because
60
60
  # they are security risks, if you need them for a legacy app please only apply them at
61
61
  # an app level.
62
- policy.style_src :self,
63
- *GOOGLE_STATIC_DOMAINS,
64
- # This allows `style=""` attributes and `<style>` elements.
65
- # As of January 2023 our intentions to remove this were scuppered
66
- # by Govspeak [1] using inline styles on tables. Until that
67
- # is resolved we'll keep unsafe_inline
68
- # [1]: https://github.com/alphagov/govspeak/blob/5642fcc4231f215d1c58ad7feb30ca42fb8cfb91/lib/govspeak/html_sanitizer.rb#L72-L73
69
- :unsafe_inline
62
+ policy.style_src :self, *GOOGLE_STATIC_DOMAINS
70
63
 
71
64
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
72
65
  # Note: we purposely don't include data here because it produces a security risk.
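Review bot: The rewritten comment above `policy.style_src` says `unsafe-inline` is left out but no longer says what that breaks for consuming apps. With `policy.style_src :self, *GOOGLE_STATIC_DOMAINS` browsers will refuse `style=""` attributes and inline `<style>` elements, which the removed comment said Govspeak still relied on for tables; whether that has since changed is not visible in this hunk. I would keep one line of that context next to the directive, for example `# Inline style attributes and <style> elements are blocked; check CSP violation reports before upgrading.` The enclosing method starts and ends outside the hunk.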
@@ -48,6 +48,10 @@ module GovukLogging
48
48
  Rails.application.config.logstasher.view_enabled = false
49
49
  Rails.application.config.logstasher.job_enabled = false
50
50
 
51
+ # Elasticsearch index expect source to be an object and logstash defaults
52
+ # source to be the host IP address causing logs to be dropped.
53
+ Rails.application.config.logstasher.source = {}
54
+
51
55
  Rails.application.config.logstasher.logger = Logger.new(
52
56
  $real_stdout, # rubocop:disable Style/GlobalVars
53
57
  level: Rails.logger.level,
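Review bot: Setting `Rails.application.config.logstasher.source = {}` removes the host address from every log event, and the hunk does not show another field that identifies the originating host, which matters when these logs are used for incident investigation. If the host is recorded elsewhere, the comment should say where. The comment also says "logstash" although the setting is on logstasher, and would read better as `# The Elasticsearch index expects "source" to be an object, but logstasher defaults it to the host IP address, which causes logs to be dropped.` The surrounding configuration block starts and ends outside the hunk.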
@@ -1,3 +1,3 @@
1
1
  module GovukAppConfig
2
- VERSION = "7.2.1".freeze
2
+ VERSION = "8.0.1".freeze
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: govuk_app_config
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.2.1
4
+ version: 8.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - GOV.UK Dev
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2023-05-11 00:00:00.000000000 Z
11
+ date: 2023-06-12 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: logstasher