govuk_app_config 9.2.0 → 9.4.0
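--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 273b6b6ef65edc0acb8786a4e5352dfbd0c06d54ed7df78b71352f513b74ba22
+data.tar.gz: a929e8ecabac4aada60d6c31337d1f36b7ce077a259fa596124f44cfc7c8ab0c
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 86bf49ce98b88af4c0781a94797eeb55cd4007830004fa6ed90c65dd19e4b0b409897b53f10b0293f2e5120ea3241517e3c08548527d34daab165e8f838b0e06
+data.tar.gz: fa89fb00c3e24406151b4e5cdce2f54596ecf56846192b1dfc378f3237a00beffb129805d205a0d001e6ce2205ae4d404b468b6fd240a3011e0a41aa8ad3e06f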
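--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,12 @@
+# 9.4.0
+
+* Disallow any domain from embeding a page to prevent clickjacking ([#322](https://github.com/alphagov/govuk_app_config/pull/322))
+* Fix GovukContentSecurityPolicy test ([#324](https://github.com/alphagov/govuk_app_config/pull/324))
+
+# 9.3.0
+
+* Get prometheus labels from controller, not params ([#320](https://github.com/alphagov/govuk_app_config/pull/320))
+
 # 9.2.0
 
 * Default to Prometheus histograms, not summaries ([#318](https://github.com/alphagov/govuk_app_config/pull/318))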
data/govuk_app_config.gemspec
CHANGED
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
|
|
22
22
|
|
23
23
|
spec.add_dependency "logstasher", "~> 2.1"
|
24
24
|
spec.add_dependency "opentelemetry-exporter-otlp", ">= 0.25", "< 0.27"
|
25
|
-
spec.add_dependency "opentelemetry-instrumentation-all", ">= 0.39.1", "< 0.
|
25
|
+
spec.add_dependency "opentelemetry-instrumentation-all", ">= 0.39.1", "< 0.51.0"
|
26
26
|
spec.add_dependency "opentelemetry-sdk", "~> 1.2"
|
27
27
|
spec.add_dependency "plek", ">= 4", "< 6"
|
28
28
|
spec.add_dependency "prometheus_exporter", "~> 2.0"
|
@@ -80,6 +80,11 @@ module GovukContentSecurityPolicy
|
|
80
80
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
|
81
81
|
policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds
|
82
82
|
|
83
|
+
# Disallow any domain from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
|
84
|
+
#
|
85
|
+
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
|
86
|
+
policy.frame_ancestors :none
|
87
|
+
|
83
88
|
policy.report_uri ENV["GOVUK_CSP_REPORT_URI"] if ENV.include?("GOVUK_CSP_REPORT_URI")
|
84
89
|
end
|
85
90
|
|
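Review bot: `policy.frame_ancestors :none` at new line 86 only stops framing where this policy is delivered enforced; if the application sends it as report-only (not visible in this hunk) the directive is reported but not enforced, and the comment should say which delivery mode the clickjacking protection relies on. Browsers that support frame-ancestors ignore X-Frame-Options when both headers are present, so this directive now also takes precedence over any SAMEORIGIN default the framework emits, which is worth a line in the comment, e.g. `# frame-ancestors takes precedence over X-Frame-Options in browsers that support CSP2`. The comment at new line 83 also has a typo: `embeding` should read `embedding`. The enclosing policy block starts outside this hunk.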
@@ -4,6 +4,43 @@ require "prometheus_exporter/server"
|
|
4
4
|
require "prometheus_exporter/middleware"
|
5
5
|
|
6
6
|
module GovukPrometheusExporter
|
7
|
+
#
|
8
|
+
# See https://github.com/discourse/prometheus_exporter/pull/293
|
9
|
+
#
|
10
|
+
# RailsMiddleware can be removed and replaced with the default middleware if
|
11
|
+
# that PR is merged / released
|
12
|
+
#
|
13
|
+
class RailsMiddleware < PrometheusExporter::Middleware
|
14
|
+
def default_labels(env, _result)
|
15
|
+
controller_instance = env["action_controller.instance"]
|
16
|
+
action = controller = nil
|
17
|
+
if controller_instance
|
18
|
+
action = controller_instance.action_name
|
19
|
+
controller = controller_instance.controller_name
|
20
|
+
elsif (cors = env["rack.cors"]) && cors.respond_to?(:preflight?) && cors.preflight?
|
21
|
+
# if the Rack CORS Middleware identifies the request as a preflight request,
|
22
|
+
# the stack doesn't get to the point where controllers/actions are defined
|
23
|
+
action = "preflight"
|
24
|
+
controller = "preflight"
|
25
|
+
end
|
26
|
+
{
|
27
|
+
action: action || "other",
|
28
|
+
controller: controller || "other",
|
29
|
+
}
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
class SinatraMiddleware < PrometheusExporter::Middleware
|
34
|
+
def default_labels(_env, _result)
|
35
|
+
# The default prometheus exporter middleware uses the controller and
|
36
|
+
# action as labels. These aren't meaningful in Sinatra applications, and
|
37
|
+
# other options (such as request.path_info) have potentially very high
|
38
|
+
# cardinality. For now, just accept that we can't be more specific than
|
39
|
+
# the application / pod and don't provide any other labels
|
40
|
+
{}
|
41
|
+
end
|
42
|
+
end
|
43
|
+
|
7
44
|
def self.should_configure
|
8
45
|
# Allow us to force the Prometheus Exporter for persistent Rake tasks...
|
9
46
|
if ENV["GOVUK_PROMETHEUS_EXPORTER"] == "force"
|
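Review bot: `RailsMiddleware#default_labels` (new lines 14–30) has no comment explaining why the labels are read from `controller_name`/`action_name` instead of request parameters; the changelog entry for #320 gives the reason, and it is a metrics-cardinality property the next maintainer should see next to the code. I would add above the method: `# Labels come from the routed controller/action (bounded by the app's routes), never from request params, so a client cannot inflate label cardinality; requests that never reach a controller collapse into "other".` The preflight branch at new line 20 only applies when `env["rack.cors"]` is present, so stacks without the CORS middleware also fall through to "other", which looks intended but deserves a mention in the same comment. The SinatraMiddleware comment already documents its empty hash.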
@@ -50,11 +87,11 @@ module GovukPrometheusExporter
|
|
50
87
|
server.start
|
51
88
|
|
52
89
|
if defined?(Rails)
|
53
|
-
Rails.application.middleware.unshift
|
90
|
+
Rails.application.middleware.unshift RailsMiddleware, instrument: :prepend
|
54
91
|
end
|
55
92
|
|
56
93
|
if defined?(Sinatra)
|
57
|
-
Sinatra.use
|
94
|
+
Sinatra.use SinatraMiddleware
|
58
95
|
end
|
59
96
|
rescue Errno::EADDRINUSE
|
60
97
|
warn "Could not start Prometheus metrics server as address already in use."
|
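--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govuk_app_config
 version: !ruby/object:Gem::Version
-version: 9.
+version: 9.4.0
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-
+date: 2023-10-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: logstasher
@@ -53,7 +53,7 @@ dependencies:
 version: 0.39.1
 - - "<"
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.51.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -63,7 +63,7 @@ dependencies:
 version: 0.39.1
 - - "<"
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.51.0
 - !ruby/object:Gem::Dependency
 name: opentelemetry-sdk
 requirement: !ruby/object:Gem::Requirement
@@ -375,7 +375,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.4.
+rubygems_version: 3.4.20
 signing_key:
 specification_version: 4
 summary: Base configuration for GOV.UK applications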