http-headers-verifier 0.0.4 → 1.0.1
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/Gemfile.lock +1 -1
- data/README.md +18 -17
- data/exe/http-headers-verifier.rb +20 -10
- data/lib/http_headers_validations.rb +3 -3
- data/lib/version.rb +2 -2
- metadata +6 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 8402eadfa491beb1ee890ba08d7c8634e3123e7afe641f4c67a6e6e69addc704
|
4
|
+
data.tar.gz: 44ae5406a60518423958d3d014da79ef5d4f88ae4d5ead52ff75a7ec1db96dd1
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1854d83ae3747570eecfb29111eea335e824a80dedbab08d952502b11af88cda5b0ec356c34954c9902a11c28d68edad89ad31106b251eeb128b3d737f3c03a3
|
7
|
+
data.tar.gz: 431f739312da4d44e001224baf15d7838686ad124819fc6e8d93ac608341beeeb35c267889bff13426dcb4b9e275b0452b9b07fa847517cf88d00e6d9e4fc0de
|
data/.gitignore
CHANGED
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
@@ -3,28 +3,13 @@
|
|
3
3
|
[![Gem Version](https://badge.fury.io/rb/http-headers-verifier.svg)](https://badge.fury.io/rb/http-headers-verifier)
|
4
4
|
[![Build Status](https://travis-ci.org/AvnerCohen/http-headers-verifier.svg?branch=master)](https://travis-ci.org/AvnerCohen/http-headers-verifier)
|
5
5
|
|
6
|
-
Verify a pre-defined HTTP headers configurations.
|
6
|
+
Assertation framework for http-headers on top of live endpoints, Verify a pre-defined HTTP headers configurations.
|
7
|
+
|
7
8
|
Unlike some other similar projects, this is not meant to enforce best practices, instead it is meant to define policies on top of headers and enforce them.
|
8
9
|
As a side effect, this means you can define specific OWASP (for example) best practices and verify them, but unlike testing for best practices, this is inteneded to verify an expected headers configuration behavior.
|
9
10
|
|
10
11
|
Relevant use cases are for example when updating nginx/caddy configuration or when moving from one web-server to another and expecting to maintain a specific set of header config.
|
11
12
|
|
12
|
-
## Installation
|
13
|
-
|
14
|
-
Add this line to your application's Gemfile:
|
15
|
-
|
16
|
-
```ruby
|
17
|
-
gem 'http-headers-verifier'
|
18
|
-
```
|
19
|
-
|
20
|
-
And then execute:
|
21
|
-
|
22
|
-
$ bundle
|
23
|
-
|
24
|
-
Or install it yourself as:
|
25
|
-
|
26
|
-
$ gem install http-headers-verifier
|
27
|
-
|
28
13
|
### Usage
|
29
14
|
|
30
15
|
```sh
|
@@ -65,6 +50,22 @@ Starting verification of policies default, hs-default, hs-production:
|
|
65
50
|
😱 Failed !
|
66
51
|
```
|
67
52
|
|
53
|
+
## Installation
|
54
|
+
|
55
|
+
Add this line to your application's Gemfile:
|
56
|
+
|
57
|
+
```ruby
|
58
|
+
gem 'http-headers-verifier'
|
59
|
+
```
|
60
|
+
|
61
|
+
And then execute:
|
62
|
+
|
63
|
+
$ bundle
|
64
|
+
|
65
|
+
Or install it yourself as:
|
66
|
+
|
67
|
+
$ gem install http-headers-verifier
|
68
|
+
|
68
69
|
|
69
70
|
### Configuration
|
70
71
|
|
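--- a/data/exe/http-headers-verifier.rb
+++ b/data/exe/http-headers-verifier.rb
@@ -15,15 +15,16 @@ if ARGV.length != 3 && ARGV.length != 2
 exit 2
 end
 
-policy_arg, url, verbose = ARGV
+policy_arg, @url, verbose = ARGV
 @policies = policy_arg.split(',')
 
 HttpHeadersUtils.verbose = !verbose.nil?
 
-
+request_results = Typhoeus.get(@url, timeout: HTTP_TIMEOUT_IN_SECONDS, followlocation: true)
+actual_headers = request_results.headers
 
 def verify_headers!(actual_headers, rules)
-puts "Testing url: #{url}"
+puts "Testing url: #{@url}"
 puts "Starting verification of policies #{HttpHeadersUtils.bold(@policies.join(", "))}:"
 errors = []
 checked_already = Set.new
@@ -64,12 +65,18 @@ end
 def read_policies!(policy_files_names)
 settings = {headers: [], ignored_headers: [], cookie_attr: {}, headers_to_avoid: []}
 policy_files_names.each do |policy_name|
-
-
-
-
-
-
+file_name = "./#{FILE_NAME_PREFIX}#{policy_name}.yml"
+if File.exist?(file_name)
+policy_data = YAML.load_file(file_name)
+settings[:headers].push(policy_data['headers']) unless policy_data['headers'].nil?
+settings[:ignored_headers].push(policy_data['ignored_headers']) unless policy_data['ignored_headers'].nil?
+settings[:cookie_attr].merge!(policy_data['cookie_attr']) unless policy_data['cookie_attr'].nil?
+settings[:headers_to_avoid].push(policy_data['headers_to_avoid']) unless policy_data['headers_to_avoid'].nil?
+else
+puts "💔 Misconfiguration, file #{file_name}, does not exist."
+exit 1
+end
+
 end
 
 settings[:headers].flatten!
@@ -80,7 +87,10 @@ def read_policies!(policy_files_names)
 end
 
 
-if
+if request_results.return_code != :ok
+puts "🤕 Request to url #{@url} failed - #{request_results.return_code}, bailing out. "
+exit 0
+elsif verify_headers!(actual_headers, read_policies!(@policies))
 puts "😎 Success !"
 exit 0
 else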
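--- a/data/lib/http_headers_validations.rb
+++ b/data/lib/http_headers_validations.rb
@@ -9,13 +9,13 @@ module HttpHeadersValidations
 end
 
 def self.assert_expected_header(expected_header, expected_value, actual_value)
-if (expected_value.is_a?(Regexp) && actual_value.match?(expected_value)) ||
+if (!actual_value.nil? && expected_value.is_a?(Regexp) && actual_value.match?(expected_value)) ||
 (expected_value.to_s == actual_value.to_s)
 failed = false
 text = "Expected Header '#{expected_header}' matched!"
 else
 failed = true
-text = "Expected Header '#{HttpHeadersUtils.bold(expected_header)}' failed! '#{expected_value}' was '#{actual_value}'."
+text = "Expected Header '#{HttpHeadersUtils.bold(expected_header)}' failed! '#{expected_value}' #{HttpHeadersUtils.bold('was')} '#{actual_value}'."
 end
 icon = failed ? "🛑" : "🍏"
 
@@ -37,7 +37,7 @@ module HttpHeadersValidations
 else
 icon = "⚠️"
 failed = false
-text = "Warning: Extra Header '#{HttpHeadersUtils.bold(actual_header)}' with value '#{actual_value}'
+text = "Warning: Extra Header '#{HttpHeadersUtils.bold(actual_header)}' with value '#{actual_value}' was unexpected."
 end
 
 report(text, failed, icon)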
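--- a/data/lib/version.rb
+++ b/data/lib/version.rb
@@ -1,3 +1,3 @@
 module HttpHeadersVerifier
-VERSION = "
-end
+VERSION = "1.0.1"
+end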
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: http-headers-verifier
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 1.0.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Avner Cohen
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-
|
11
|
+
date: 2020-08-25 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -122,7 +122,7 @@ metadata:
|
|
122
122
|
homepage_uri: https://github.com/AvnerCohen/http-headers-verifier
|
123
123
|
source_code_uri: https://github.com/AvnerCohen/http-headers-verifier
|
124
124
|
bug_tracker_uri: https://github.com/AvnerCohen/http-headers-verifier/issues
|
125
|
-
post_install_message:
|
125
|
+
post_install_message:
|
126
126
|
rdoc_options: []
|
127
127
|
require_paths:
|
128
128
|
- lib
|
@@ -137,8 +137,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
137
137
|
- !ruby/object:Gem::Version
|
138
138
|
version: '0'
|
139
139
|
requirements: []
|
140
|
-
rubygems_version: 3.
|
141
|
-
signing_key:
|
140
|
+
rubygems_version: 3.1.4
|
141
|
+
signing_key:
|
142
142
|
specification_version: 4
|
143
143
|
summary: Verify a pre-defined HTTP headers configurations.
|
144
144
|
test_files: []
|