jekyll-content-security-policy-generator 1.0.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 28a188afee0ba93d3d3bd236bd98488a704b272641f46ec67b8dbedd5c3fd1e4
-  data.tar.gz: 54139e64294dcdf090b19722c19599d8016f0947ef3ddb5125c6ca6d962f936e
+  metadata.gz: ec29dad0ececf9db2097db0a584d176f845047a4e680e64aee0e574606de95e9
+  data.tar.gz: 57d57a9c9f96944d3e252161cc167959a2d943debe285339f26f4308e99c6b9f
 SHA512:
-  metadata.gz: 8e79e6caadd31fd4db7b47369f9d4a509cc760d869a5d317d55ad2816b58ff956c176827185ffcaa8a24ff41695f7dc02ecfd6a95c9c2285b256356105afc182
-  data.tar.gz: ddf59999929ba6ee97fc77082674a28444e5f896d35ddc206f29d275b3120bef193097ff4be6d07f0d4e873bdf2036460a07844cb1d59f0b21468ed6b7c6b88e
+  metadata.gz: edaf01605a12f29c012a795219467a81d7c785380c205aac2e78e0b3cb8ac1d4a21e34112e0fb94113ba77e011ce412c5cee90dfeac9fc49c73cf83eb5d45ff4
+  data.tar.gz: 8ff8a12e60688ba77ae30dbd5c0844f94f8dba0786574549e656f5f3f280bfc9d14f6efc7b6f19e2b027520880a40a5e745886ca493e8444fffb068142072988

data/.gitignore

@@ -0,0 +1,6 @@
+_site
+.sass-cache
+.jekyll-metadata
+*.gem
+.idea/
+.DS_Store

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 strongscot <mail@strongscot.com> (https://strongscot.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Makefile

@@ -0,0 +1,36 @@
+CWD := $(shell pwd)
+
+.PHONY: all
+all: build
+
+.PHONY: start
+start:
+	@bundle exec jekyll serve --verbose
+
+.PHONY: build
+build: clean
+	@gem build *.gemspec
+	@echo ::: BUILD :::
+
+.PHONY: install
+install: deps
+	-@rm -f Gemfile.lock &>/dev/null || true
+	@bundle install
+	@echo ::: INSTALL :::
+
+.PHONY: push
+push: build
+	@gem push *.gem
+	@echo ::: PUSH :::
+
+.PHONY: clean
+clean:
+	-@rm -rf *.gem &>/dev/null || true
+	@echo ::: CLEAN :::
+
+.PHONY: deps
+deps: bundle
+	@echo ::: DEPS :::
+.PHONY: bundle
+bundle:
+	@if ! o=$$(which bundle); then gem install bundle jekyll; fi

data/README.md

@@ -0,0 +1,37 @@
+# jekyll-content-security-policy-generator Plugin
+
+This Jekyll plugin automatically builds an HTML content-security-policy for a Jekyll site. The plugin
+will scan ```.html``` files generated by Jekyll and attempt to locate images, styles, scripts, frames etc and build a
+content security policy HTML meta tag. The script will also generate SHA256 hashes for inline scripts and styles. If
+the script finds elements with style attributes ```<div style="color: red"></div>```, the script will extract the style
+information and build a style element to which will also pass through the content security policy generation.
+
+## Goal
+
+To speed up development of Jekyll based sites whilst also helping to generate secure HTMl files protected from XSS.
+
+## Features
+
+* Scans for ```.html``` files generated by Jekyll.
+* Finds inline scripts such as ```<script>alert("Hello World!");</script>``` and generates an SHA256 hash.
+* Finds inline styles such as ```<style>.hello { color: "red"; }</style>``` and generates an SHA256 hash.
+* Creates or reuses an HTTP meta tag for the content security policy.
+* Finds all images, styles, scripts and frames with external URLs and builds CSP.
+* Converts style attributes into ```<style>``` elements.
+
+## Installation
+
+Install the gem:
+
+```gem install jekyll-content-security-policy-generator```
+
+Then add this to your _config.yml:
+
+```
+plugins:
+  - jekyll-content-security-policy-generator
+```
+
+## Support
+
+https://strongscot.com

data/jekyll-content-security-policy-generator.gemspec

@@ -0,0 +1,21 @@
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "jekyll-content-security-policy-generator/version"
+Gem::Specification.new do |spec|
+  spec.name          = "jekyll-content-security-policy-generator"
+  spec.summary       = "Helps generate a content security policy."
+  spec.description   = "Helps generate a content security policy. Locates inline scripts, images, frames etc."
+  spec.version       = JekyllContentSecurityPolicyGenerator::VERSION
+  spec.authors       = ["strongscot"]
+  spec.email         = ["mail@strongscot.com"]
+  spec.homepage      = "https://github.com/strongscot/jekyll-content-security-policy-generator"
+  spec.licenses      = ["MIT"]
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r!^(test|spec|features)/!)  }
+  spec.require_paths = ["lib"]
+  spec.add_dependency "jekyll"
+  spec.add_dependency "nokogiri"
+  spec.add_dependency "digest"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "rubocop"
+end

data/lib/jekyll-content-security-policy-generator.rb

@@ -0,0 +1,5 @@
+require_relative "jekyll-content-security-policy-generator/version"
+require_relative "jekyll-content-security-policy-generator/hook"
+
+module JekyllContentSecurityPolicyGenerator
+end

data/lib/jekyll-content-security-policy-generator/hook.rb

@@ -0,0 +1,268 @@
+require 'jekyll'
+require 'nokogiri'
+require 'digest'
+require 'open-uri'
+
+##
+# Provides the ability to generate a content security policy for inline scripts and styles.
+# Will reuse an existing CSP or generate a new one and insert in HEAD.
+module Jekyll
+
+  module JekyllContentSecurityPolicyGenerator
+
+    ##
+    # Provides the ability to generate a content security policy for inline scripts and styles.
+    # Will reuse an existing CSP or generate a new one and insert in HEAD.
+    class ContentSecurityPolicyGenerator
+      def initialize(document_html)
+        @document_html = document_html
+        @nokogiri = Nokogiri::HTML(document_html)
+
+        @csp_frame_src = ['\'self\'']
+        @csp_image_src = ['\'self\'']
+        @csp_style_src = ['\'self\'']
+        @csp_script_src = ['\'self\'']
+        @csp_unknown = []
+      end
+
+      ##
+      # Creates an HTML content security policy meta tag.
+      def generate_convert_security_policy_meta_tag
+        meta_content = ""
+
+        if @csp_frame_src.length > 0
+          meta_content += "frame-src " + @csp_frame_src.join(' ') + '; '
+        end
+
+        if @csp_image_src.length > 0
+          meta_content += "img-src " + @csp_image_src.join(' ') + '; '
+        end
+
+        if @csp_style_src.length > 0
+          meta_content += "style-src " + @csp_style_src.join(' ') + '; '
+        end
+
+        if @csp_script_src.length > 0
+          meta_content += "script-src " + @csp_script_src.join(' ') + '; '
+        end
+
+        if @csp_unknown.length > 0
+          @csp_unknown.each do |find|
+            find_name = find[0]
+            find = find.drop(1)
+            meta_content += find_name + " " + find.join(' ') + '; '
+          end
+        end
+
+        if @nokogiri.at("head")
+          Jekyll.logger.info "Generated content security policy, inserted in HEAD."
+          @nokogiri.at("head") << "<meta http-equiv=\"Content-Security-Policy\" content=\"" + meta_content + "\">"
+        elsif @nokogiri.at("body")
+          Jekyll.logger.info "Generated content security policy, inserted in BODY."
+          @nokogiri.at("body") << "<meta http-equiv=\"Content-Security-Policy\" content=\"" + meta_content + "\">"
+        else
+          Jekyll.logger.error "Generated content security policy but found no-where to insert it."
+        end
+
+      end
+
+      ##
+      # Parse an existing content security policy meta tag
+      def parse_existing_meta_element()
+        csp = @nokogiri.at('meta[http-equiv="Content-Security-Policy"]')
+
+        if csp
+          content = csp.attr('content')
+          content = content.strip! || content
+          policies = content.split(';')
+
+          policies.each do |policy|
+            policy = policy.strip! || policy
+
+            if policy.include? ' '
+              policy_parts = policy.split(' ')
+
+              if policy_parts[0] == 'script-src'
+                @csp_script_src.concat(policy_parts.drop(1))
+                @csp_script_src = @csp_script_src.uniq
+              elsif policy_parts[0] == 'style-src'
+                @csp_style_src.concat(policy_parts.drop(1))
+                @csp_style_src = @csp_style_src.uniq
+              elsif policy_parts[0] == 'image-src'
+                @csp_image_src.concat(policy_parts.drop(1))
+                @csp_image_src = @csp_image_src.uniq
+              elsif policy_parts[0] == 'frame-src'
+                @csp_frame_src.concat(policy_parts.drop(1))
+                @csp_frame_src = @csp_frame_src.uniq
+              else
+                @csp_unknown.concat([policy_parts])
+              end
+
+            else
+              Jekyll.logger.warn "Incorrect existing content security policy meta tag found, skipping."
+            end
+          end
+        end
+      end
+
+      ##
+      # This function converts elements with style="color:red" attributes into inline styles
+      def convert_all_inline_styles_attributes
+        @nokogiri.css('*').each do |find|
+          find_src = find.attr('style')
+
+          if find_src
+            if find.attr('id')
+              element_id = find.attr('id')
+            else
+              element_id = Digest::MD5.hexdigest find_src + "#{Random.rand(11)}"
+              find["id"] = element_id
+            end
+
+            new_element = "<style>#" + element_id + " { " + find_src + " } </style>"
+            find.remove_attribute("style")
+
+            if @nokogiri.at('head')
+              @nokogiri.at('head') << new_element
+              Jekyll.logger.info'Converting style attribute to inline style, inserted into HEAD.'
+            else
+              if @nokogiri.at('body')
+                @nokogiri.at('body') << new_element
+                Jekyll.logger.info'Converting style attribute to inline style, inserted into BODY.'
+              else
+                Jekyll.logger.warn'Unable to convert style attribute to inline style, no HEAD or BODY found.'
+              end
+            end
+          end
+        end
+      end
+
+      ##
+      # Find all images
+      def find_images
+        @nokogiri.css('img').each do |find|
+          find_src = find.attr('src')
+
+          if find_src.start_with?('http', 'https')
+            @csp_image_src.push find_src.match(/(.*\/)+(.*$)/)[1]
+          end
+        end
+      end
+
+      ##
+      # Find all scripts
+      def find_scripts
+        @nokogiri.css('script').each do |find|
+          if find.attr('src')
+            find_src = find.attr('src')
+
+            if find_src.start_with?('http', 'https')
+              @csp_script_src.push find_src.match(/(.*\/)+(.*$)/)[1]
+            end
+
+          else
+            @csp_script_src.push self.generate_sha256_content_hash find.content
+          end
+        end
+      end
+
+      ##
+      # Find all stylesheets
+      def find_styles
+        @nokogiri.css('style').each do |find|
+          if find.attr('src')
+            find_src = find.attr('src')
+
+            if find_src.start_with?('http', 'https')
+              @csp_style_src.push find_src.match(/(.*\/)+(.*$)/)[1]
+            end
+
+          else
+            @csp_style_src.push self.generate_sha256_content_hash find.content
+          end
+        end
+      end
+
+      ##
+      # Find all iframes
+      def find_iframes
+        @nokogiri.css('iframe').each do |find|
+          find_src = find.attr('src')
+
+          if find_src.start_with?('http', 'https')
+            @csp_frame_src.push find_src.match(/(.*\/)+(.*$)/)[1]
+          end
+        end
+      end
+
+      ##
+      # Generate a content hash
+      def generate_sha256_content_hash(content)
+        hash = Digest::SHA2.base64digest content
+        "'sha256-#{hash}'"
+      end
+
+      ##
+      # Builds an HTML meta tag based on the found inline scripts and style hashes
+      def run
+        self.parse_existing_meta_element
+
+        self.convert_all_inline_styles_attributes
+
+        # Find elements in document
+        self.find_images
+        self.find_styles
+        self.find_scripts
+        self.find_iframes
+
+        self.generate_convert_security_policy_meta_tag
+
+        @nokogiri.to_html
+      end
+    end
+
+    ##
+    # Write the file contents back.
+    def write_file_contents(dest, content)
+      FileUtils.mkdir_p(File.dirname(dest))
+      File.open(dest, 'w') do |f|
+        f.write(content)
+      end
+    end
+
+    ##
+    # Write document contents
+    def write(dest)
+      dest_path = destination(dest)
+      if File.extname(dest_path) == ".html"
+        content_security_policy_generator = ContentSecurityPolicyGenerator.new output
+        output = content_security_policy_generator.run
+      end
+
+      write_file_contents(dest_path, output)
+    end
+
+  end
+
+  class Document
+    include JekyllContentSecurityPolicyGenerator
+
+    ##
+    # Write document contents
+    def write(dest)
+      super dest
+      trigger_hooks(:post_write)
+    end
+  end
+
+  class Page
+    include JekyllContentSecurityPolicyGenerator
+
+    ##
+    # Write page contents
+    def write(dest)
+      super dest
+      Jekyll::Hooks.trigger hook_owner, :post_write, self
+    end
+  end
+end

data/lib/jekyll-content-security-policy-generator/version.rb

@@ -0,0 +1,3 @@
+module JekyllContentSecurityPolicyGenerator
+  VERSION = "1.5.0".freeze
+end

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: jekyll-content-security-policy-generator
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.5.0
 platform: ruby
 authors:
 - strongscot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-05 00:00:00.000000000 Z
+date: 2021-04-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jekyll
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -56,51 +56,60 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '11.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '11.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.52'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.52'
-description: Helps generate a content security policy for inline scripts and styles.
+        version: '0'
+description: Helps generate a content security policy. Locates inline scripts, images,
+  frames etc.
 email:
 - mail@strongscot.com
 executables: []
 extensions: []
 extra_rdoc_files: []
-files: []
+files:
+- ".gitignore"
+- LICENSE
+- Makefile
+- README.md
+- jekyll-content-security-policy-generator.gemspec
+- lib/jekyll-content-security-policy-generator.rb
+- lib/jekyll-content-security-policy-generator/hook.rb
+- lib/jekyll-content-security-policy-generator/version.rb
 homepage: https://github.com/strongscot/jekyll-content-security-policy-generator
 licenses:
 - MIT
@@ -123,5 +132,5 @@ requirements: []
 rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
-summary: Helps generate a content security policy for inline scripts and styles.
+summary: Helps generate a content security policy.
 test_files: []