http-headers-verifier 0.0.8 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 531d8103a717ddddb331edf9ee498798e77922d2fbcfd86f2c959b8d4ceae456
-  data.tar.gz: 11da67aa7fee1007f1d5c3ff429d4c4595509620ac775a7e3d2a71e2b706d669
+  metadata.gz: 876dc11e91a8009ab043e297d62037a84173ef5fedd2379a2665eaea4ec73634
+  data.tar.gz: 8896e7c6348ccbf0d9d40dfb35615434bd39d401377e5dcc171a440d46b35a36
 SHA512:
-  metadata.gz: 9a0a85e6979c75e1459c886eb77a5b3998a27733929e4d451dbbdf6b39cd002f990d6e2abd1ce7837ed0d73512179661bd3a0854626d8b19306e2332c0ebe889
-  data.tar.gz: d27664777f65d3c6271c8ab6a8344e3036e1043a9a884d0a38d70a9cd5d5910c2d38bc1f332e0e337c35a46497c8617386cbc8e09346731dee634c7581b239dd
+  metadata.gz: af6e40055c06216f0406d83afd089826bcb652a760aaf1d3d3fead45658e1434978a2aef6403ec08f91b6730568643b794a1d57aaf4473bf142bdeed1ed1bb26
+  data.tar.gz: 358bdc7bfff3659f2e19c3717ea3783b922606e19c4677a3bea2c5a2bc3853eb04fba0c50f999a2bf603b3798c90c88106584899b1d5ec61ba08b346f8f0a38e

data/.gitignore

@@ -7,6 +7,7 @@
 /spec/reports/
 /tmp/
 
+headers-rules-*.*
 # rspec failure tracking
 .rspec_status
 *.gem

data/.travis.yml

@@ -4,4 +4,5 @@ language: ruby
 cache: bundler
 rvm:
   - 2.6.3
+  - truffleruby-head
 before_install: gem install bundler -v 1.17.2

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    http-headers-verifier (0.0.8)
+    http-headers-verifier (1.0.2)
       typhoeus (~> 1.4)
 
 GEM
@@ -9,9 +9,9 @@ GEM
   specs:
     byebug (9.1.0)
     diff-lcs (1.4.4)
-    ethon (0.12.0)
-      ffi (>= 1.3.0)
-    ffi (1.13.1)
+    ethon (0.15.0)
+      ffi (>= 1.15.0)
+    ffi (1.15.5)
     rake (13.0.1)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)

data/README.md

@@ -3,28 +3,13 @@
 [![Gem Version](https://badge.fury.io/rb/http-headers-verifier.svg)](https://badge.fury.io/rb/http-headers-verifier)
 [![Build Status](https://travis-ci.org/AvnerCohen/http-headers-verifier.svg?branch=master)](https://travis-ci.org/AvnerCohen/http-headers-verifier)
 
-Verify a pre-defined HTTP headers configurations.
+Assertation framework for http-headers on top of live endpoints, Verify a pre-defined HTTP headers configurations.
+
 Unlike some other similar projects, this is not meant to enforce best practices, instead it is meant to define policies on top of headers and enforce them.
 As a side effect, this means you can define specific OWASP (for example) best practices and verify them, but unlike testing for best practices, this is inteneded to verify an expected headers configuration behavior.
 
 Relevant use cases are for example when updating nginx/caddy configuration or when moving from one web-server to another and expecting to maintain a specific set of header config.
 
-## Installation
-
-Add this line to your application's Gemfile:
-
-```ruby
-gem 'http-headers-verifier'
-```
-
-And then execute:
-
-    $ bundle
-
-Or install it yourself as:
-
-    $ gem install http-headers-verifier
-
 ### Usage
 
 ```sh
@@ -65,6 +50,22 @@ Starting verification of policies default, hs-default, hs-production:
 😱  Failed !
 ```
 
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'http-headers-verifier'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install http-headers-verifier
+
 
 ### Configuration
 

data/exe/http-headers-verifier.rb

@@ -9,6 +9,7 @@ require_relative '../lib/http_headers_utils'
 
 FILE_NAME_PREFIX = 'headers-rules-'
 HTTP_TIMEOUT_IN_SECONDS = 3
+SET_COOKIE_NAME = 'set-cookie'
 
 if ARGV.length != 3 && ARGV.length != 2
     puts "usage: http-headers-verifier.rb [comma seperated policy names] [url] [?verbose]"
@@ -40,15 +41,15 @@ def verify_headers!(actual_headers, rules)
     actual_headers.each do |expected_pair|
         actual_header, actual_value = expected_pair[0]
         next if checked_already.include? actual_header
-        next if actual_header.downcase ==  'set-cookie'
+        next if actual_header.downcase ==  SET_COOKIE_NAME
         actual_value = actual_headers[actual_header]
         actual_header_errors = HttpHeadersValidations.assert_extra_header(actual_header, actual_value,
                                       rules[:ignored_headers], rules[:headers_to_avoid])
         errors.push(actual_header_errors)  unless actual_header_errors.nil?
     end
 
-    unless actual_headers["set-cookie"].nil?
-        [actual_headers["set-cookie"]].flatten.each do |cookie_str|
+    unless actual_headers[SET_COOKIE_NAME].nil?
+        [actual_headers[SET_COOKIE_NAME]].flatten.each do |cookie_str|
             parsed_cookie = NaiveCookie.new(cookie_str)
             error_text, failed = HttpHeadersValidations.assert_cookie_value(parsed_cookie, rules[:cookie_attr])
             errors.push(error_text) if failed
@@ -65,12 +66,18 @@ end
 def read_policies!(policy_files_names)
     settings = {headers: [], ignored_headers: [], cookie_attr: {}, headers_to_avoid: []}
     policy_files_names.each do |policy_name|
-        policy_data = YAML.load_file("./#{FILE_NAME_PREFIX}#{policy_name}.yml")
-        
-        settings[:headers].push(policy_data['headers']) unless policy_data['headers'].nil?
-        settings[:ignored_headers].push(policy_data['ignored_headers']) unless policy_data['ignored_headers'].nil?
-        settings[:cookie_attr].merge!(policy_data['cookie_attr']) unless policy_data['cookie_attr'].nil?
-        settings[:headers_to_avoid].push(policy_data['headers_to_avoid'])  unless policy_data['headers_to_avoid'].nil?
+        file_name = "./#{FILE_NAME_PREFIX}#{policy_name}.yml"
+        if File.exist?(file_name) 
+            policy_data = YAML.load_file(file_name)
+            settings[:headers].push(policy_data['headers']) unless policy_data['headers'].nil?
+            settings[:ignored_headers].push(policy_data['ignored_headers']) unless policy_data['ignored_headers'].nil?
+            settings[:cookie_attr].merge!(policy_data['cookie_attr']) unless policy_data['cookie_attr'].nil?
+            settings[:headers_to_avoid].push(policy_data['headers_to_avoid'])  unless policy_data['headers_to_avoid'].nil?
+        else
+            puts "💔  Misconfiguration, file #{file_name}, does not exist."
+            exit 1
+        end
+
     end
 
     settings[:headers].flatten!

data/lib/http_headers_validations.rb

@@ -15,7 +15,7 @@ module HttpHeadersValidations
             text = "Expected Header '#{expected_header}' matched!"
         else
             failed = true
-            text = "Expected Header '#{HttpHeadersUtils.bold(expected_header)}' failed! '#{expected_value}' #{HttpHeadersUtils.bold('was')} '#{actual_value}'."
+            text = "Expected Header '#{HttpHeadersUtils.bold(expected_header)}' failed! \nExpected Value:\n#{expected_value} \nActual Value:\n#{actual_value}."
         end
         icon = failed ? "🛑" : "🍏"
 
@@ -37,7 +37,7 @@ module HttpHeadersValidations
         else
             icon = "⚠️"
             failed = false
-            text = "Warning: Extra Header '#{HttpHeadersUtils.bold(actual_header)}' with value '#{actual_value}' wasn't unexpected."
+            text = "Warning: Extra Header '#{HttpHeadersUtils.bold(actual_header)}' with value '#{actual_value}' was unexpected."
         end
 
         report(text, failed, icon)

data/lib/version.rb

@@ -1,3 +1,3 @@
 module HttpHeadersVerifier
-    VERSION = "0.0.8"
-end
+    VERSION = "1.0.2"
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: http-headers-verifier
 version: !ruby/object:Gem::Version
-  version: 0.0.8
+  version: 1.0.2
 platform: ruby
 authors:
 - Avner Cohen
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-08-18 00:00:00.000000000 Z
+date: 2022-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler