http-security 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 097f834633f8dfec6c6946ed5a1d6df6eb099dcf
+  data.tar.gz: 593a835d602354c2d1f815c211b743c53038e370
+SHA512:
+  metadata.gz: 5b2832989c451f162a1b0e5d41c9bca6be583f28a9d0f69e363ceed62e11b35f034d9a15db62ce35735a0209f6a3a48ccabb9ffdd3e781ba16094a7d7a831b7c
+  data.tar.gz: f70ba9dd6f347fc95c635ade11b081dd180a2bdd18a648ea20e80ba939d70a1fec4963927d9ab6786c3d6ae694dd45181c706e82d91da64f4cc7c5f0cc790ba3

data/.gitignore

@@ -0,0 +1,19 @@
+Gemfile.lock
+
+*.rbc
+.bundle
+.config
+coverage
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/

data/.rspec

@@ -0,0 +1 @@
+--colour --format documentation

data/.travis.yml

@@ -0,0 +1,21 @@
+language: ruby
+sudo: false
+rvm:
+- 1.9.3
+- 2.0
+- 2.1
+- ruby-head
+- jruby-19mode
+- jruby-head
+- rbx-2
+matrix:
+  allow_failures:
+  - rvm: rbx-2
+  - rvm: jruby-19mode
+  - rvm: jruby-head
+addons:
+  code_climate:
+    repo_token: 4e8013e9105e3dd8153da54825ce8fab58c7408dce36fa351ef35c51bb9b0b05
+notifications:
+  slack:
+    secure: awgcYPnPALqyAn3H58d+qzQYezzEyuqr71GmU9AsXuOa3sGM1JVqmUOqgoXeykBcV8EV5DEO+65fCkc+GnBxyPjnyYyvzW7VEcj3xQdxyVgn9fK0a76Mp+ywoWOPG7t4Z8dIK3PCT12QO+XgGWiLA9YG10eRtGRRD1V2PCKv41Y=

data/.yardopts

@@ -0,0 +1 @@
+--markup markdown --title "Security Headers Documentation" --protected

data/ChangeLog.md

@@ -0,0 +1,17 @@
+### 0.1.0 / 2015-07-09
+
+* Initial release:
+  * `Cache-Control`
+  * `Content-Security-Policy`
+  * `Content-Security-Policy-Report-Only`
+  * `Expires`
+  * `Pragma`
+  * `Public-Key-Pins`
+  * `Public-Key-Pins-Report-Only`
+  * `Set-Cookie`
+  * `Strict-Transport-Security`
+  * `X-Content-Type-Options`
+  * `X-Frame-Options`
+  * `X-Permitted-Cross-Domain-Policies`
+  * `X-XSS-Protection
+

data/Gemfile

@@ -0,0 +1,17 @@
+source 'https://rubygems.org'
+
+gemspec
+
+group :development do
+  gem 'nokogiri'
+
+  gem 'rake'
+  gem 'rubygems-tasks', '~> 0.2'
+
+  gem 'rspec', '~> 3.0'
+
+  gem 'kramdown'
+  gem 'yard', '~> 0.8'
+end
+
+gem "codeclimate-test-reporter", group: :test, require: nil

data/LICENSE.txt

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Trail of Bits
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,90 @@
+# HTTP Security
+
+* [Source](https://github.com/trailofbits/http-security)
+* [Issues](https://github.com/trailofbits/http-security/issues)
+* [Documentation](https://rubydoc.info/gems/http-security/frames)
+
+[![Code Climate](https://codeclimate.com/github/trailofbits/http-security.png)](https://codeclimate.com/github/trailofbits/http-security) [![Build Status](https://travis-ci.org/trailofbits/http-security.svg)](https://travis-ci.org/trailofbits/http-security) [![Test Coverage](https://codeclimate.com/github/trailofbits/http-security/badges/coverage.svg)](https://codeclimate.com/github/trailofbits/http-security)
+
+Security Headers is a parser for security-relevant HTTP headers. Each header
+value is parsed and validated according to the syntax specified in its relevant 
+RFC.
+
+Security Headers relies on [parslet] for constructing its parsing grammar.
+
+Currently parsed security headers are:
+
+* `Cache-Control`
+* `Content-Security-Policy`
+* `Content-Security-Policy-Report-Only`
+* `Expires`
+* `Pragma`
+* `Public-Key-Pins`
+* `Public-Key-Pins-Report-Only`
+* `Set-Cookie`
+* `Strict-Transport-Security`
+* `X-Content-Type-Options`
+* `X-Frame-Options`
+* `X-Permitted-Cross-Domain-Policies`
+* `X-XSS-Protection
+
+## Example
+
+    require 'net/https'
+    response = Net::HTTP.get_response(URI('https://twitter.com/'))
+
+    require 'http/security'
+    headers = HTTP::Security::Response.parse(response)
+
+    headers.cache_control
+    # => #<HTTP::Security::Headers::CacheControl:0x00000002f65778 @private=nil, @max_age=nil, @no_cache=true>
+
+    headers.content_security_policy
+    # => #<HTTP::Security::Headers::ContentSecurityPolicy:0x00000002d8e238 @default_src="https:"@12, @script_src="'unsafe-inline' 'unsafe-eval' https:"@172, @object_src="https:"@153, @style_src="'unsafe-inline' https:"@220, @img_src="https: blob: data:"@98, @media_src="https: blob:"@128, @frame_src="https: twitter:"@73, @font_src="https: data:"@49, @connect_src="https:"@32, @report_uri=[#<URI::HTTPS:0x00000002d94250 URL:https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;>], @sandbox=nil>
+
+    headers.expires
+    # => #<HTTP::Security::HTTPDate: Tue, 31 Mar 1981 00:00:00 GMT ((2444695j,0s,0n),+0s,2299161j)>
+
+    headers.pragma
+    # => #<HTTP::Security::Headers::Pragma:0x00000002ccc5e8 @no_cache=true>
+
+    headers.strict_transport_security
+    # => #<HTTP::Security::Headers::StrictTransportSecurity:0x00000002c928c0 @max_age=631138519, @include_sub_domains=nil>
+
+    headers.x_content_type_options
+    # => #<HTTP::Security::Headers::XContentTypeOptions:0x00000002a46e40 @no_sniff=true>
+
+    headers.x_frame_options
+    # => #<HTTP::Security::Headers::XFrameOptions:0x000000028163c8 @deny=nil, @same_origin=true, @allow_from=nil, @allow_all=nil>
+
+    headers.x_permitted_cross_domain_policies
+    # => nil
+
+    headers.x_xss_protection
+    # => #<HTTP::Security::Headers::XXSSProtection:0x0000000297a408 @enabled=true, @mode="block"@8, @report=nil>
+
+## Requirements
+
+* [ruby] >= 1.9.1
+* [parslet] ~> 1.5
+
+## Install
+
+    $ gem install http-security
+
+## Testing
+
+To run the RSpec tests:
+
+    $ rake spec
+
+To test the parser against the Alexa Top 100:
+
+    $ rake spec:gauntlet
+
+## License
+
+See the {file:LICENSE.txt} file.
+
+[ruby]: https://www.ruby-lang.org/
+[parslet]: http://kschiess.github.io/parslet/

data/Rakefile

@@ -0,0 +1,34 @@
+# encoding: utf-8
+
+require 'rubygems'
+
+begin
+  require 'bundler/setup'
+rescue LoadError => e
+  warn e.message
+  warn "Run `gem install bundler` to install Bundler."
+  exit -1
+end
+
+require 'rake'
+require 'rubygems/tasks'
+Gem::Tasks.new
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new
+
+namespace :spec do
+  desc "Tests SecurityHeaders::Parser against Alexa Top 500"
+  RSpec::Core::RakeTask.new(:gauntlet) do |t|
+    t.rspec_opts = '--tag gauntlet'
+  end
+end
+
+task :test    => :spec
+task :default => :spec
+
+require 'yard'
+YARD::Rake::YardocTask.new
+task :doc => :yard
+
+require_relative 'tasks/alexa'

data/http-security.gemspec

@@ -0,0 +1,23 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'http/security/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "http-security"
+  gem.version       = HTTP::Security::VERSION
+  gem.authors       = ["Dominic Owen", "Hal Brodigan"]
+  gem.email         = ["dwowen20@gmail.com", "hal@trailofbits.com"]
+  gem.summary       = %q{HTTP Security Header Parser}
+  gem.description   = %q{HTTP Security Header Parser}
+  gem.homepage      = "https://github.com/trailofbits/http-security#readme"
+  gem.license       = "MIT"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+  gem.required_ruby_version = '>= 1.9.1'
+
+  gem.add_dependency 'parslet', '~> 1.5'
+  gem.add_development_dependency "bundler", "~> 1.0"
+end

data/lib/http/security.rb

@@ -0,0 +1,2 @@
+require 'http/security/version'
+require 'http/security/response'

data/lib/http/security/exceptions.rb

@@ -0,0 +1,8 @@
+require 'parslet'
+
+module HTTP
+  module Security
+    class InvalidHeader < Parslet::ParseFailed
+    end
+  end
+end

data/lib/http/security/headers.rb

@@ -0,0 +1,12 @@
+require 'http/security/headers/cache_control'
+require 'http/security/headers/content_security_policy'
+require 'http/security/headers/content_security_policy_report_only'
+require 'http/security/headers/pragma'
+require 'http/security/headers/public_key_pins'
+require 'http/security/headers/public_key_pins_report_only'
+require 'http/security/headers/set_cookie'
+require 'http/security/headers/strict_transport_security'
+require 'http/security/headers/x_content_type_options'
+require 'http/security/headers/x_frame_options'
+require 'http/security/headers/x_permitted_cross_domain_policies'
+require 'http/security/headers/x_xss_protection'

data/lib/http/security/headers/cache_control.rb

@@ -0,0 +1,36 @@
+module HTTP
+  module Security
+    module Headers
+      class CacheControl
+
+        attr_reader :max_age
+
+        def initialize(options={})
+          @private  = options[:private]
+          @max_age  = options[:max_age]
+          @no_cache = options[:no_cache]
+        end
+
+        def private?
+          !!@private
+        end
+
+        def no_cache?
+          !!@no_cache
+        end
+
+        def to_s
+          directives = []
+
+
+          directives << "private"             if @private
+          directives << "max-age=#{@max_age}" if @max_age
+          directives << "no-cache"            if @no_cache
+
+          return directives.join(', ')
+        end
+
+      end
+    end
+  end
+end

data/lib/http/security/headers/content_security_policy.rb

@@ -0,0 +1,71 @@
+module HTTP
+  module Security
+    module Headers
+      class ContentSecurityPolicy
+
+        attr_reader :default_src
+
+        attr_reader :script_src
+
+        attr_reader :object_src
+
+        attr_reader :style_src
+
+        attr_reader :img_src
+
+        attr_reader :media_src
+
+        attr_reader :frame_src
+
+        attr_reader :font_src
+
+        attr_reader :connect_src
+
+        # @return [Array<URI>]
+        attr_reader :report_uri
+
+        attr_reader :sandbox
+
+        def initialize(directives={})
+          @default_src = directives[:default_src]
+          @script_src = directives[:script_src]
+          @object_src = directives[:object_src]
+          @style_src = directives[:style_src]
+          @img_src = directives[:img_src]
+          @media_src = directives[:media_src]
+          @frame_src = directives[:frame_src]
+          @font_src = directives[:font_src]
+          @connect_src = directives[:connect_src]
+
+          @report_uri = Array(directives[:report_uri])
+          @sandbox    = directives[:sandbox]
+        end
+
+        def to_s
+          directives = []
+
+          directives << "default-src #{@default_src}" if @default_src
+          directives << "script-src #{@script_src}"   if @script_src
+          directives << "object-src #{@object_src}"   if @object_src
+          directives << "style-src #{@style_src}"     if @style_src
+          directives << "img-src #{@img_src}"         if @img_src
+          directives << "media-src #{@media_src}"     if @media_src
+          directives << "frame-src #{@frame_src}"     if @frame_src
+          directives << "font-src #{@font_src}"       if @font_src
+          directives << "connect-src #{@connect_src}" if @connect_src
+
+          if @sandbox
+            directives << "sandbox #{@sandbox}"
+          end
+
+          unless @report_uri.empty?
+            directives << "report-uri #{@report_uri.join(' ')}"
+          end
+
+          return directives.join('; ')
+        end
+
+      end
+    end
+  end
+end

data/lib/http/security/headers/content_security_policy_report_only.rb

@@ -0,0 +1,10 @@
+require 'http/security/headers/content_security_policy'
+
+module HTTP
+  module Security
+    module Headers
+      class ContentSecurityPolicyReportOnly < ContentSecurityPolicy
+      end
+    end
+  end
+end

data/lib/http/security/headers/pragma.rb

@@ -0,0 +1,24 @@
+module HTTP
+  module Security
+    module Headers
+      class Pragma
+
+        def initialize(directives={})
+          @no_cache = directives[:no_cache]
+        end
+
+        def no_cache?
+          !!@no_cache
+        end
+
+        def to_s
+          str = ''
+          str << 'no-cache' if @no_cache
+
+          return str
+        end
+
+      end
+    end
+  end
+end

data/lib/http/security/headers/public_key_pins.rb

@@ -0,0 +1,60 @@
+module HTTP
+  module Security
+    module Headers
+      class PublicKeyPins
+
+        # @return [Hash{Symbol,String => Array<String>}]
+        attr_reader :pin
+
+        # @return [Integer]
+        attr_reader :max_age
+
+        # @return [URI::HTTP]
+        attr_reader :report_uri
+
+        def initialize(options={})
+          @pin = {}
+
+          options.each do |key,value|
+            if (key.kind_of?(Symbol) && key =~ /^pin_/)
+              @pin[key[4..-1].to_sym] = Array(value)
+            elsif (key.kind_of?(String) && key.start_with?('pin-'))
+              @pin[key[4..-1]] = Array(value)
+            end
+          end
+
+          @max_age             = options[:max_age]
+          @include_sub_domains = options[:includesubdomains]
+          @report_uri          = options[:report_uri]
+          @strict              = options[:strict]
+        end
+
+        def include_sub_domains?
+          !!@include_sub_domains
+        end
+
+        def strict?
+          !!@strict
+        end
+
+        def to_s
+          directives = []
+
+          @pin.each do |algorithm,fingerprints|
+            Array(fingerprints).each do |fingerprint|
+              directives << "pin-#{algorithm}=#{fingerprint.dump}"
+            end
+          end
+
+          directives << "max-age=#{@max_age}"           if @max_age
+          directives << "includeSubdomains"             if @include_sub_domains
+          directives << "report-uri=\"#{@report_uri}\"" if @report_uri
+          directives << "strict"                        if @strict
+
+          return directives.join('; ')
+        end
+
+      end
+    end
+  end
+end