RubyGems - secure_headers - Versions diffs - 0.1.0 - Mend

secure_headers 0.1.0

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (30) hide show

data/.gitignore +17 -0
data/.rvmrc +1 -0
data/.travis.yml +5 -0
data/Gemfile +13 -0
data/Guardfile +10 -0
data/HISTORY.md +22 -0
data/LICENSE +202 -0
data/README.md +318 -0
data/Rakefile +127 -0
data/app/controllers/content_security_policy_controller.rb +44 -0
data/config/curl-ca-bundle.crt +5420 -0
data/config/routes.rb +3 -0
data/lib/secure_headers.rb +115 -0
data/lib/secure_headers/headers/content_security_policy.rb +300 -0
data/lib/secure_headers/headers/strict_transport_security.rb +53 -0
data/lib/secure_headers/headers/x_content_type_options.rb +40 -0
data/lib/secure_headers/headers/x_frame_options.rb +40 -0
data/lib/secure_headers/headers/x_xss_protection.rb +54 -0
data/lib/secure_headers/railtie.rb +37 -0
data/lib/secure_headers/version.rb +3 -0
data/secure-headers.gemspec +23 -0
data/spec/controllers/content_security_policy_controller_spec.rb +74 -0
data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +382 -0
data/spec/lib/secure_headers/headers/strict_transport_security_spec.rb +66 -0
data/spec/lib/secure_headers/headers/x_content_type_options_spec.rb +35 -0
data/spec/lib/secure_headers/headers/x_frame_options_spec.rb +38 -0
data/spec/lib/secure_headers/headers/x_xss_protection_spec.rb +41 -0
data/spec/lib/secure_headers_spec.rb +252 -0
data/spec/spec_helper.rb +25 -0
metadata +116 -0

@@ -0,0 +1,3 @@
+Rails.application.routes.draw do
+  post SecureHeaders::ContentSecurityPolicy::FF_CSP_ENDPOINT => "content_security_policy#scribe"
+end

data/lib/secure_headers.rb ADDED

@@ -0,0 +1,115 @@
+module SecureHeaders
+  module Configuration
+    class << self
+      attr_accessor :hsts, :x_frame_options, :x_content_type_options,
+        :x_xss_protection, :csp
+      def configure &block
+        instance_eval &block
+      end
+    end
+  end
+  class << self
+    def append_features(base)
+      base.module_eval do
+        @@secure_headers_options = nil
+        extend ClassMethods
+        include InstanceMethods
+        # jank?
+        def self.secure_headers_options=(opts)
+          @@secure_headers_options = opts
+        end
+        def self.secure_headers_options
+          @@secure_headers_options
+        end
+      end
+    end
+  end
+  module ClassMethods
+    def ensure_security_headers options = {}, *args
+      self.secure_headers_options = options
+      before_filter :set_security_headers
+    end
+    # we can't use ||= because I'm overloading false => disable, nil => default
+    # both of which trigger the conditional assignment
+    def options_for(type, options)
+      options.nil? ? ::SecureHeaders::Configuration.send(type) : options
+    end
+  end
+  module InstanceMethods
+    def set_security_headers(options = self.class.secure_headers_options || {})
+      brwsr = Brwsr::Browser.new(:ua => request.env['HTTP_USER_AGENT'])
+      set_hsts_header(options[:hsts]) if request.ssl?
+      set_x_frame_options_header(options[:x_frame_options])
+      set_csp_header(request, options[:csp]) unless broken_implementation?(brwsr)
+      set_x_xss_protection_header(options[:x_xss_protection])
+      if brwsr.ie?
+        set_x_content_type_options_header(options[:x_content_type_options])
+      end
+    end
+    def set_csp_header(request, options=nil)
+      options = self.class.options_for :csp, options
+      return if options == false
+      header = ContentSecurityPolicy.new(request, options)
+      set_header(header.name, header.value)
+      if options && options[:experimental] && options[:enforce]
+        header = ContentSecurityPolicy.new(request, options, :experimental => true)
+        set_header(header.name, header.value)
+      end
+    end
+    def set_a_header(name, klass, options=nil)
+      options = self.class.options_for name, options
+      return if options == false
+      header = klass.new(options)
+      set_header(header.name, header.value)
+    end
+    def set_x_frame_options_header(options=nil)
+      set_a_header(:x_frame_options, XFrameOptions, options)
+    end
+    def set_x_content_type_options_header(options=nil)
+      set_a_header(:x_content_type_options, XContentTypeOptions, options)
+    end
+    def set_x_xss_protection_header(options=nil)
+      set_a_header(:x_xss_protection, XXssProtection, options)
+    end
+    def set_hsts_header(options=nil)
+      set_a_header(:hsts, StrictTransportSecurity, options)
+    end
+    def set_header(name, value)
+      response.headers[name] = value
+    end
+    private
+    def broken_implementation?(browser)
+      #IOS 5 sometimes refuses to load external resources even when whitelisted with CSP
+      return browser.ios5?
+    end
+  end
+end
+require "secure_headers/version"
+require "secure_headers/headers/content_security_policy"
+require "secure_headers/headers/x_frame_options"
+require "secure_headers/headers/strict_transport_security"
+require "secure_headers/headers/x_xss_protection"
+require "secure_headers/headers/x_content_type_options"
+require "secure_headers/railtie"
+require "brwsr"

data/lib/secure_headers/headers/content_security_policy.rb ADDED

@@ -0,0 +1,300 @@
+require 'uri'
+require 'brwsr'
+module SecureHeaders
+  class ContentSecurityPolicyBuildError < StandardError; end
+  class ContentSecurityPolicy
+    module Constants
+      WEBKIT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https://* about: javascript:; img-src chrome-extension:"
+      FIREFOX_CSP_HEADER = "options eval-script inline-script; allow https://* data:; frame-src https://* about: javascript:; img-src chrome-extension:"
+      FIREFOX_CSP_HEADER_NAME = 'X-Content-Security-Policy'
+      WEBKIT_CSP_HEADER_NAME = 'X-WebKit-CSP'
+      STANDARD_HEADER_NAME = "Content-Security-Policy"
+      FF_CSP_ENDPOINT = "/content_security_policy/forward_report"
+      WEBKIT_DIRECTIVES = DIRECTIVES = [:default_src, :script_src, :frame_src, :style_src, :img_src, :media_src, :font_src, :object_src, :connect_src]
+      FIREFOX_DIRECTIVES = DIRECTIVES + [:xhr_src, :frame_ancestors] - [:connect_src]
+      META = [:enforce, :http_additions, :disable_chrome_extension, :disable_fill_missing, :forward_endpoint]
+    end
+    include Constants
+    META.each do |meta|
+      attr_accessor meta
+    end
+    attr_reader :browser, :ssl_request, :report_uri, :request_uri
+    alias :enforce? :enforce
+    alias :disable_chrome_extension? :disable_chrome_extension
+    alias :disable_fill_missing? :disable_fill_missing
+    alias :ssl_request? :ssl_request
+    def initialize(request=nil, config=nil, options={})
+      @experimental = !!options.delete(:experimental)
+      if config
+        configure request, config
+      elsif request
+        parse_request request
+      end
+    end
+    def configure request, opts
+      @config = opts.dup
+      experimental_config = @config.delete(:experimental)
+      if @experimental && experimental_config
+        @config[:http_additions] = experimental_config[:http_additions]
+        @config.merge!(experimental_config)
+      end
+      parse_request request
+      META.each do |meta|
+        self.send(meta.to_s + "=", @config.delete(meta))
+      end
+      @report_uri = @config.delete(:report_uri)
+      normalize_csp_options
+      normalize_reporting_endpoint
+      filter_unsupported_directives
+    end
+    def name
+      base = if browser.ie?
+               STANDARD_HEADER_NAME
+             elsif browser.firefox?
+               # can't use supports_standard because FF18 does not support this part of the standard.
+               FIREFOX_CSP_HEADER_NAME
+             else
+               WEBKIT_CSP_HEADER_NAME
+             end
+      if !enforce || @experimental
+        base += "-Report-Only"
+      end
+      base
+    end
+    def value
+      return @config if @config.is_a?(String)
+      if @config.nil?
+        return supports_standard? ? WEBKIT_CSP_HEADER : FIREFOX_CSP_HEADER
+      end
+      build_value
+    end
+    def directives
+      # can't use supports_standard because FF18 does not support this part of the standard.
+      browser.firefox? ? FIREFOX_DIRECTIVES : WEBKIT_DIRECTIVES
+    end
+    private
+    def build_value
+      fill_directives unless disable_fill_missing?
+      add_missing_chrome_extension_values unless disable_chrome_extension?
+      append_http_additions unless ssl_request?
+      header_value = build_impl_specific_directives
+      header_value += generic_directives(@config)
+      header_value += report_uri_directive(@report_uri)
+      #store the value for next time
+      @config = header_value
+      header_value.strip
+    rescue StandardError => e
+      raise ContentSecurityPolicyBuildError.new("Couldn't build CSP header :( #{e}")
+    end
+    def fill_directives
+      return unless @config[:default_src]
+      default = @config[:default_src]
+      directives.each do |directive|
+        unless @config[directive]
+          @config[directive] = default
+        end
+      end
+      @config
+    end
+    def add_missing_chrome_extension_values
+      directives.each do |directive|
+        next unless @config[directive]
+        if !@config[directive].include?('chrome-extension:')
+          @config[directive] << 'chrome-extension:'
+        end
+      end
+    end
+    def append_http_additions
+      return unless http_additions
+      http_additions.each do |k, v|
+        @config[k] ||= []
+        @config[k] << v
+      end
+    end
+    def normalize_csp_options
+      @config.each do |k,v|
+        @config[k] = v.split if v.is_a? String
+        @config[k] = @config[k].map do |val|
+          translate_dir_value(val)
+        end
+      end
+    end
+    def filter_unsupported_directives
+      if browser.firefox?
+        # can't use supports_standard because FF18 does not support this part of the standard.
+        @config[:xhr_src] = @config.delete(:connect_src) if @config[:connect_src]
+      else
+        @config.delete(:frame_ancestors)
+      end
+    end
+    # translates 'inline','self', 'none' and 'eval' to their respective impl-specific values.
+    def translate_dir_value val
+      if %w{inline eval}.include?(val)
+        translate_inline_or_eval(val)
+        # self/none are special sources/src-dir-values and need to be quoted in chrome
+      elsif %{self none}.include?(val)
+        "'#{val}'"
+      else
+        val
+      end
+    end
+    # inline/eval => impl-specific values
+    def translate_inline_or_eval val
+      # can't use supports_standard because FF18 does not support this part of the standard.
+      if browser.firefox?
+        val == 'inline' ? 'inline-script' : 'eval-script'
+      else
+        val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
+      end
+    end
+    # if we have a forwarding endpoint setup and we are not on the same origin as our report_uri
+    # or only a path was supplied (in which case we assume cross-host)
+    # we need to forward the request for Firefox.
+    def normalize_reporting_endpoint
+      if browser.firefox? && (!same_origin? || URI.parse(report_uri).host.nil?)
+        if forward_endpoint
+          @report_uri = FF_CSP_ENDPOINT
+        else
+          @report_uri = nil
+        end
+      end
+    end
+    def supports_standard?
+      !browser.firefox? || (browser.firefox? && browser.version.to_i >= 18)
+    end
+    def build_impl_specific_directives
+      header_value = ""
+      default = expect_directive_value(:default_src)
+      # firefox 18 still requires the use of the options value, but can substitute default-src for allow
+      if browser.firefox?
+        header_value += build_firefox_specific_preamble(default) || ''
+      else
+        header_value += "default-src #{default.join(" ")}; " if default.any?
+      end
+      header_value
+    end
+    def build_firefox_specific_preamble(default_src_value)
+      header_value = ''
+      if supports_standard?
+        header_value += "default-src #{default_src_value.join(" ")}; " if default_src_value.any?
+      elsif default_src_value
+        header_value += "allow #{default_src_value.join(" ")}; " if default_src_value.any?
+      end
+      options_directive = build_options_directive
+      header_value += "options #{options_directive.join(" ")}; " if options_directive.any?
+      header_value
+    end
+    def expect_directive_value key
+      @config.delete(key) {|k| raise ContentSecurityPolicyBuildError.new("Expected to find #{k} directive value")}
+    end
+    # moves inline/eval values from script-src to options
+    # discards those values in the style-src directive
+    def build_options_directive
+      options_directive = []
+      @config.each do |directive, val|
+        next if val.is_a?(String)
+        new_val = []
+        val.each do |token|
+          if ['inline-script', 'eval-script'].include?(token)
+            # Firefox does not support blocking inline styles ATM
+            # https://bugzilla.mozilla.org/show_bug.cgi?id=763879
+            unless directive?(directive, "style_src") || options_directive.include?(token)
+              options_directive << token
+            end
+          else
+            new_val << token
+          end
+        end
+        @config[directive] = new_val
+      end
+      options_directive
+    end
+    def same_origin?
+      return if report_uri.nil?
+      origin = URI.parse(request_uri)
+      uri = URI.parse(report_uri)
+      uri.host == origin.host && origin.port == uri.port && origin.scheme == uri.scheme
+    end
+    def directive? val, name
+      val.to_s.casecmp(name) == 0
+    end
+    def report_uri_directive(report_uri)
+      report_uri.nil? ? '' : "report-uri #{report_uri};"
+    end
+    def generic_directives(config)
+      header_value = ''
+      if config[:img_src]
+        config[:img_src] = config[:img_src] + ['data:'] unless config[:img_src].include?('data:')
+      else
+        config[:img_src] = ['data:']
+      end
+      config.keys.sort_by{|k| k.to_s}.each do |k| # ensure consistent ordering
+        header_value += "#{symbol_to_hyphen_case(k)} #{config[k].join(" ")}; "
+      end
+      header_value
+    end
+    def symbol_to_hyphen_case sym
+      sym.to_s.gsub('_', '-')
+    end
+    def parse_request request
+      @browser = Brwsr::Browser.new(:ua => request.env['HTTP_USER_AGENT'])
+      @ssl_request = request.ssl?
+      @request_uri = if request.respond_to?(:original_url)
+        # rails 3.1+
+        request.original_url
+      else
+        # rails 2/3.0
+        request.url
+      end
+    end
+  end
+end

data/lib/secure_headers/headers/strict_transport_security.rb ADDED

@@ -0,0 +1,53 @@
+module SecureHeaders
+  class STSBuildError < StandardError; end
+  class StrictTransportSecurity
+    module Constants
+      HSTS_HEADER_NAME = 'Strict-Transport-Security'
+      HSTS_MAX_AGE = "631138519"
+      DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
+      VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?\z/i
+      MESSAGE = "The config value supplied for the HSTS header was invalid."
+    end
+    include Constants
+    def initialize(config = nil)
+      @config = config
+      validate_config unless @config.nil?
+    end
+    def name
+      return HSTS_HEADER_NAME
+    end
+    def value
+      case @config
+      when String
+        return @config
+      when NilClass
+        return DEFAULT_VALUE
+      end
+      max_age = @config.fetch(:max_age, HSTS_MAX_AGE)
+      value = "max-age=" + max_age
+      value += "; includeSubdomains" if @config[:include_subdomains]
+      value
+    end
+    private
+    def validate_config
+      if @config.is_a? Hash
+        if !@config[:max_age]
+          raise STSBuildError.new("No max-age was supplied.")
+        elsif @config[:max_age] !~ /\A\d+\z/
+          raise STSBuildError.new("max-age must be a number. #{@config[:max_age]} was supplied.")
+        end
+      else
+        @config = @config.to_s
+        raise STSBuildError.new(MESSAGE) unless @config =~ VALID_STS_HEADER
+      end
+    end
+  end
+end