govuk_app_config 9.2.0 → 9.4.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a879f92fed2a4b6f098a3a1bbd367853413b3314c4d45f3d38802897cc9ecc68
4
- data.tar.gz: 2dcd94fb037f6799cf9ce5229cb3ba6b7e391063091c3f3a65e4085d5eab9195
3
+ metadata.gz: 273b6b6ef65edc0acb8786a4e5352dfbd0c06d54ed7df78b71352f513b74ba22
4
+ data.tar.gz: a929e8ecabac4aada60d6c31337d1f36b7ce077a259fa596124f44cfc7c8ab0c
5
5
  SHA512:
6
- metadata.gz: cab7cd78d7ffd83c19e37ad9bcd7865b3c1d7731baf1dd607556d3a758e99288b56186786fa20789011fc84f340e83caa7df6c1d9324c63d934f9b15733e6003
7
- data.tar.gz: c547b53fca4fa5ad8f9f4444451dd8facc04bfcbe2312dfe5f591ac6236c6df90f9c49c7d0c3ab2a2cdcd25336b50ab3b23711cf137804286040e1b39b383d0d
6
+ metadata.gz: 86bf49ce98b88af4c0781a94797eeb55cd4007830004fa6ed90c65dd19e4b0b409897b53f10b0293f2e5120ea3241517e3c08548527d34daab165e8f838b0e06
7
+ data.tar.gz: fa89fb00c3e24406151b4e5cdce2f54596ecf56846192b1dfc378f3237a00beffb129805d205a0d001e6ce2205ae4d404b468b6fd240a3011e0a41aa8ad3e06f
data/CHANGELOG.md CHANGED
@@ -1,3 +1,12 @@
1
+ # 9.4.0
2
+
3
+ * Disallow any domain from embeding a page to prevent clickjacking ([#322](https://github.com/alphagov/govuk_app_config/pull/322))
4
+ * Fix GovukContentSecurityPolicy test ([#324](https://github.com/alphagov/govuk_app_config/pull/324))
5
+
6
+ # 9.3.0
7
+
8
+ * Get prometheus labels from controller, not params ([#320](https://github.com/alphagov/govuk_app_config/pull/320))
9
+
1
10
  # 9.2.0
2
11
 
3
12
  * Default to Prometheus histograms, not summaries ([#318](https://github.com/alphagov/govuk_app_config/pull/318))
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
22
22
 
23
23
  spec.add_dependency "logstasher", "~> 2.1"
24
24
  spec.add_dependency "opentelemetry-exporter-otlp", ">= 0.25", "< 0.27"
25
- spec.add_dependency "opentelemetry-instrumentation-all", ">= 0.39.1", "< 0.41.0"
25
+ spec.add_dependency "opentelemetry-instrumentation-all", ">= 0.39.1", "< 0.51.0"
26
26
  spec.add_dependency "opentelemetry-sdk", "~> 1.2"
27
27
  spec.add_dependency "plek", ">= 4", "< 6"
28
28
  spec.add_dependency "prometheus_exporter", "~> 2.0"
@@ -80,6 +80,11 @@ module GovukContentSecurityPolicy
80
80
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
81
81
  policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds
82
82
 
83
+ # Disallow any domain from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
84
+ #
85
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
86
+ policy.frame_ancestors :none
87
+
83
88
  policy.report_uri ENV["GOVUK_CSP_REPORT_URI"] if ENV.include?("GOVUK_CSP_REPORT_URI")
84
89
  end
85
90
 
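Review bot: `policy.frame_ancestors :none` is set unconditionally, which is stricter than the `X-Frame-Options: SAMEORIGIN` header Rails emits by default and takes precedence over it in browsers that implement CSP Level 2, so any consuming app that frames its own pages, or is framed by another GOV.UK domain, will break with no override hook visible in this hunk. If that is the intent, the added comment should say so, e.g. `# Stricter than Rails's default X-Frame-Options: SAMEORIGIN; apps that need same-origin framing must override this directive.` The same comment has a typo, `embeding` → `embedding` (it is repeated in the CHANGELOG entry). Keep in mind that `frame-ancestors` is ignored when a policy is delivered via a `<meta>` tag, so this protection only holds for the header path. The block that configures these directives begins outside this hunk.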
@@ -4,6 +4,43 @@ require "prometheus_exporter/server"
4
4
  require "prometheus_exporter/middleware"
5
5
 
6
6
  module GovukPrometheusExporter
7
+ #
8
+ # See https://github.com/discourse/prometheus_exporter/pull/293
9
+ #
10
+ # RailsMiddleware can be removed and replaced with the default middleware if
11
+ # that PR is merged / released
12
+ #
13
+ class RailsMiddleware < PrometheusExporter::Middleware
14
+ def default_labels(env, _result)
15
+ controller_instance = env["action_controller.instance"]
16
+ action = controller = nil
17
+ if controller_instance
18
+ action = controller_instance.action_name
19
+ controller = controller_instance.controller_name
20
+ elsif (cors = env["rack.cors"]) && cors.respond_to?(:preflight?) && cors.preflight?
21
+ # if the Rack CORS Middleware identifies the request as a preflight request,
22
+ # the stack doesn't get to the point where controllers/actions are defined
23
+ action = "preflight"
24
+ controller = "preflight"
25
+ end
26
+ {
27
+ action: action || "other",
28
+ controller: controller || "other",
29
+ }
30
+ end
31
+ end
32
+
33
+ class SinatraMiddleware < PrometheusExporter::Middleware
34
+ def default_labels(_env, _result)
35
+ # The default prometheus exporter middleware uses the controller and
36
+ # action as labels. These aren't meaningful in Sinatra applications, and
37
+ # other options (such as request.path_info) have potentially very high
38
+ # cardinality. For now, just accept that we can't be more specific than
39
+ # the application / pod and don't provide any other labels
40
+ {}
41
+ end
42
+ end
43
+
7
44
  def self.should_configure
8
45
  # Allow us to force the Prometheus Exporter for persistent Rake tasks...
9
46
  if ENV["GOVUK_PROMETHEUS_EXPORTER"] == "force"
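Review bot: `controller_instance.controller_name` in `RailsMiddleware#default_labels` returns only the unqualified class basename, so namespaced controllers that share a name (an admin and a public controller with the same basename, for example) collapse into one `controller` label and their metrics become indistinguishable; `controller = controller_instance.controller_path` keeps the namespace while still being bounded by the app's routes, which is the cardinality property this change is after. If dashboards already consume these series, changing the label value is a breaking change worth calling out in the changelog. A short comment on why the labels come from the controller instance rather than the request parameters would also help future readers, e.g. `# Read labels from the dispatched controller rather than params so the values are bounded by the app's routes, not chosen by the client.` The second hunk of this file only swaps the middleware class and looks consistent with these definitions.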
@@ -50,11 +87,11 @@ module GovukPrometheusExporter
50
87
  server.start
51
88
 
52
89
  if defined?(Rails)
53
- Rails.application.middleware.unshift PrometheusExporter::Middleware, instrument: :prepend
90
+ Rails.application.middleware.unshift RailsMiddleware, instrument: :prepend
54
91
  end
55
92
 
56
93
  if defined?(Sinatra)
57
- Sinatra.use PrometheusExporter::Middleware
94
+ Sinatra.use SinatraMiddleware
58
95
  end
59
96
  rescue Errno::EADDRINUSE
60
97
  warn "Could not start Prometheus metrics server as address already in use."
@@ -1,3 +1,3 @@
1
1
  module GovukAppConfig
2
- VERSION = "9.2.0".freeze
2
+ VERSION = "9.4.0".freeze
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: govuk_app_config
3
3
  version: !ruby/object:Gem::Version
4
- version: 9.2.0
4
+ version: 9.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - GOV.UK Dev
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2023-09-14 00:00:00.000000000 Z
11
+ date: 2023-10-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: logstasher
@@ -53,7 +53,7 @@ dependencies:
53
53
  version: 0.39.1
54
54
  - - "<"
55
55
  - !ruby/object:Gem::Version
56
- version: 0.41.0
56
+ version: 0.51.0
57
57
  type: :runtime
58
58
  prerelease: false
59
59
  version_requirements: !ruby/object:Gem::Requirement
@@ -63,7 +63,7 @@ dependencies:
63
63
  version: 0.39.1
64
64
  - - "<"
65
65
  - !ruby/object:Gem::Version
66
- version: 0.41.0
66
+ version: 0.51.0
67
67
  - !ruby/object:Gem::Dependency
68
68
  name: opentelemetry-sdk
69
69
  requirement: !ruby/object:Gem::Requirement
@@ -375,7 +375,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
375
375
  - !ruby/object:Gem::Version
376
376
  version: '0'
377
377
  requirements: []
378
- rubygems_version: 3.4.19
378
+ rubygems_version: 3.4.20
379
379
  signing_key:
380
380
  specification_version: 4
381
381
  summary: Base configuration for GOV.UK applications