http-headers-verifier 0.0.8 → 1.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.travis.yml +1 -0
- data/Gemfile.lock +4 -4
- data/README.md +18 -17
- data/exe/http-headers-verifier.rb +16 -9
- data/lib/http_headers_validations.rb +2 -2
- data/lib/version.rb +2 -2
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 876dc11e91a8009ab043e297d62037a84173ef5fedd2379a2665eaea4ec73634
|
4
|
+
data.tar.gz: 8896e7c6348ccbf0d9d40dfb35615434bd39d401377e5dcc171a440d46b35a36
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: af6e40055c06216f0406d83afd089826bcb652a760aaf1d3d3fead45658e1434978a2aef6403ec08f91b6730568643b794a1d57aaf4473bf142bdeed1ed1bb26
|
7
|
+
data.tar.gz: 358bdc7bfff3659f2e19c3717ea3783b922606e19c4677a3bea2c5a2bc3853eb04fba0c50f999a2bf603b3798c90c88106584899b1d5ec61ba08b346f8f0a38e
|
data/.gitignore
CHANGED
data/.travis.yml
CHANGED
data/Gemfile.lock
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
http-headers-verifier (
|
4
|
+
http-headers-verifier (1.0.2)
|
5
5
|
typhoeus (~> 1.4)
|
6
6
|
|
7
7
|
GEM
|
@@ -9,9 +9,9 @@ GEM
|
|
9
9
|
specs:
|
10
10
|
byebug (9.1.0)
|
11
11
|
diff-lcs (1.4.4)
|
12
|
-
ethon (0.
|
13
|
-
ffi (>= 1.
|
14
|
-
ffi (1.
|
12
|
+
ethon (0.15.0)
|
13
|
+
ffi (>= 1.15.0)
|
14
|
+
ffi (1.15.5)
|
15
15
|
rake (13.0.1)
|
16
16
|
rspec (3.9.0)
|
17
17
|
rspec-core (~> 3.9.0)
|
data/README.md
CHANGED
@@ -3,28 +3,13 @@
|
|
3
3
|
[![Gem Version](https://badge.fury.io/rb/http-headers-verifier.svg)](https://badge.fury.io/rb/http-headers-verifier)
|
4
4
|
[![Build Status](https://travis-ci.org/AvnerCohen/http-headers-verifier.svg?branch=master)](https://travis-ci.org/AvnerCohen/http-headers-verifier)
|
5
5
|
|
6
|
-
Verify a pre-defined HTTP headers configurations.
|
6
|
+
Assertation framework for http-headers on top of live endpoints, Verify a pre-defined HTTP headers configurations.
|
7
|
+
|
7
8
|
Unlike some other similar projects, this is not meant to enforce best practices, instead it is meant to define policies on top of headers and enforce them.
|
8
9
|
As a side effect, this means you can define specific OWASP (for example) best practices and verify them, but unlike testing for best practices, this is inteneded to verify an expected headers configuration behavior.
|
9
10
|
|
10
11
|
Relevant use cases are for example when updating nginx/caddy configuration or when moving from one web-server to another and expecting to maintain a specific set of header config.
|
11
12
|
|
12
|
-
## Installation
|
13
|
-
|
14
|
-
Add this line to your application's Gemfile:
|
15
|
-
|
16
|
-
```ruby
|
17
|
-
gem 'http-headers-verifier'
|
18
|
-
```
|
19
|
-
|
20
|
-
And then execute:
|
21
|
-
|
22
|
-
$ bundle
|
23
|
-
|
24
|
-
Or install it yourself as:
|
25
|
-
|
26
|
-
$ gem install http-headers-verifier
|
27
|
-
|
28
13
|
### Usage
|
29
14
|
|
30
15
|
```sh
|
@@ -65,6 +50,22 @@ Starting verification of policies default, hs-default, hs-production:
|
|
65
50
|
😱 Failed !
|
66
51
|
```
|
67
52
|
|
53
|
+
## Installation
|
54
|
+
|
55
|
+
Add this line to your application's Gemfile:
|
56
|
+
|
57
|
+
```ruby
|
58
|
+
gem 'http-headers-verifier'
|
59
|
+
```
|
60
|
+
|
61
|
+
And then execute:
|
62
|
+
|
63
|
+
$ bundle
|
64
|
+
|
65
|
+
Or install it yourself as:
|
66
|
+
|
67
|
+
$ gem install http-headers-verifier
|
68
|
+
|
68
69
|
|
69
70
|
### Configuration
|
70
71
|
|
@@ -9,6 +9,7 @@ require_relative '../lib/http_headers_utils'
|
|
9
9
|
|
10
10
|
FILE_NAME_PREFIX = 'headers-rules-'
|
11
11
|
HTTP_TIMEOUT_IN_SECONDS = 3
|
12
|
+
SET_COOKIE_NAME = 'set-cookie'
|
12
13
|
|
13
14
|
if ARGV.length != 3 && ARGV.length != 2
|
14
15
|
puts "usage: http-headers-verifier.rb [comma seperated policy names] [url] [?verbose]"
|
@@ -40,15 +41,15 @@ def verify_headers!(actual_headers, rules)
|
|
40
41
|
actual_headers.each do |expected_pair|
|
41
42
|
actual_header, actual_value = expected_pair[0]
|
42
43
|
next if checked_already.include? actual_header
|
43
|
-
next if actual_header.downcase ==
|
44
|
+
next if actual_header.downcase == SET_COOKIE_NAME
|
44
45
|
actual_value = actual_headers[actual_header]
|
45
46
|
actual_header_errors = HttpHeadersValidations.assert_extra_header(actual_header, actual_value,
|
46
47
|
rules[:ignored_headers], rules[:headers_to_avoid])
|
47
48
|
errors.push(actual_header_errors) unless actual_header_errors.nil?
|
48
49
|
end
|
49
50
|
|
50
|
-
unless actual_headers[
|
51
|
-
[actual_headers[
|
51
|
+
unless actual_headers[SET_COOKIE_NAME].nil?
|
52
|
+
[actual_headers[SET_COOKIE_NAME]].flatten.each do |cookie_str|
|
52
53
|
parsed_cookie = NaiveCookie.new(cookie_str)
|
53
54
|
error_text, failed = HttpHeadersValidations.assert_cookie_value(parsed_cookie, rules[:cookie_attr])
|
54
55
|
errors.push(error_text) if failed
|
@@ -65,12 +66,18 @@ end
|
|
65
66
|
def read_policies!(policy_files_names)
|
66
67
|
settings = {headers: [], ignored_headers: [], cookie_attr: {}, headers_to_avoid: []}
|
67
68
|
policy_files_names.each do |policy_name|
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
69
|
+
file_name = "./#{FILE_NAME_PREFIX}#{policy_name}.yml"
|
70
|
+
if File.exist?(file_name)
|
71
|
+
policy_data = YAML.load_file(file_name)
|
72
|
+
settings[:headers].push(policy_data['headers']) unless policy_data['headers'].nil?
|
73
|
+
settings[:ignored_headers].push(policy_data['ignored_headers']) unless policy_data['ignored_headers'].nil?
|
74
|
+
settings[:cookie_attr].merge!(policy_data['cookie_attr']) unless policy_data['cookie_attr'].nil?
|
75
|
+
settings[:headers_to_avoid].push(policy_data['headers_to_avoid']) unless policy_data['headers_to_avoid'].nil?
|
76
|
+
else
|
77
|
+
puts "💔 Misconfiguration, file #{file_name}, does not exist."
|
78
|
+
exit 1
|
79
|
+
end
|
80
|
+
|
74
81
|
end
|
75
82
|
|
76
83
|
settings[:headers].flatten!
|
@@ -15,7 +15,7 @@ module HttpHeadersValidations
|
|
15
15
|
text = "Expected Header '#{expected_header}' matched!"
|
16
16
|
else
|
17
17
|
failed = true
|
18
|
-
text = "Expected Header '#{HttpHeadersUtils.bold(expected_header)}' failed!
|
18
|
+
text = "Expected Header '#{HttpHeadersUtils.bold(expected_header)}' failed! \nExpected Value:\n#{expected_value} \nActual Value:\n#{actual_value}."
|
19
19
|
end
|
20
20
|
icon = failed ? "🛑" : "🍏"
|
21
21
|
|
@@ -37,7 +37,7 @@ module HttpHeadersValidations
|
|
37
37
|
else
|
38
38
|
icon = "⚠️"
|
39
39
|
failed = false
|
40
|
-
text = "Warning: Extra Header '#{HttpHeadersUtils.bold(actual_header)}' with value '#{actual_value}'
|
40
|
+
text = "Warning: Extra Header '#{HttpHeadersUtils.bold(actual_header)}' with value '#{actual_value}' was unexpected."
|
41
41
|
end
|
42
42
|
|
43
43
|
report(text, failed, icon)
|
data/lib/version.rb
CHANGED
@@ -1,3 +1,3 @@
|
|
1
1
|
module HttpHeadersVerifier
|
2
|
-
VERSION = "
|
3
|
-
end
|
2
|
+
VERSION = "1.0.2"
|
3
|
+
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: http-headers-verifier
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 1.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Avner Cohen
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-06-23 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|