secure_headers 1.1.0 → 1.1.1



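--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,3 +1,10 @@
+1.1.1
+======
+
+Bug fix release.
+- Parsing of CSP reports was busted.
+- Forwarded reports did not include the original referer, ip, UA
+
 1.1.0
 ======
 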
@@ -27,7 +27,20 @@ class ContentSecurityPolicyController < ActionController::Base
27
27
  use_ssl(http)
28
28
  end
29
29
 
30
+ if request.content_type == "application/csp-report"
31
+ request.body.rewind
32
+ params.merge!(ActiveSupport::JSON.decode(request.body.read))
33
+ end
34
+
35
+ ua = request.user_agent
36
+ xff = forwarded_for
37
+
30
38
  request = Net::HTTP::Post.new(uri.to_s)
39
+ request.initialize_http_header({
40
+ 'User-Agent' => ua,
41
+ 'X-Forwarded-For' => xff,
42
+ 'Content-Type' => 'application/json',
43
+ })
31
44
  request.body = params.to_json
32
45
 
33
46
  # fire and forget
@@ -38,6 +51,15 @@ class ContentSecurityPolicyController < ActionController::Base
38
51
  end
39
52
  end
40
53
 
54
+ def forwarded_for
55
+ req_xff = request.env["HTTP_X_FORWARDED_FOR"]
56
+ if req_xff && req_xff != ""
57
+ "#{req_xff}, #{request.remote_ip}"
58
+ else
59
+ request.remote_ip
60
+ end
61
+ end
62
+
41
63
  def use_ssl request
42
64
  request.use_ssl = true
43
65
  request.ca_file = CA_FILE
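Review bot: In the first hunk, `ActiveSupport::JSON.decode(request.body.read)` inside the new `if request.content_type == "application/csp-report"` block has no error handling, so a malformed body — or a JSON array or scalar, on which `params.merge!` raises TypeError — propagates out of the action and turns this unauthenticated report endpoint into a 500 for any client that posts junk. Decode into a local, merge only when it is a Hash, and rescue around just the decode; the parse-error class presumably differs across Rails versions (MultiJson vs `::JSON`), which argues for a narrow `rescue StandardError` rather than naming a class. The inbound `User-Agent` and `X-Forwarded-For` values are copied verbatim into the outbound headers, and whether `Net::HTTP` rejects CR/LF in header values depends on the Ruby version, so strip them before `initialize_http_header`; the assignment `request = Net::HTTP::Post.new(...)` also rebinds `request` away from the controller's request for the rest of the action, which is why `ua`/`xff` must be captured above it and deserves a comment. In the second hunk, `forwarded_for` appends `request.remote_ip`, which Rails itself derives from X-Forwarded-For, so with an XFF header present the appended value is probably an address already in the chain rather than this app's immediate peer — if the intent is to act like a proxy hop, `request.env["REMOTE_ADDR"]` is the conventional value, and `req_xff && req_xff != ""` reads better as `req_xff.present?`. The action containing the first hunk begins above it.
```ruby
if request.content_type == "application/csp-report"
  request.body.rewind
  begin
    report = ActiveSupport::JSON.decode(request.body.read)
    # Only an object can be merged; an array/scalar would raise from merge!.
    params.merge!(report) if report.is_a?(Hash)
  rescue StandardError
    # Malformed report from an unauthenticated client: drop it, don't 500.
  end
end

# Capture these now: `request` is rebound to the outbound Net::HTTP request below.
ua = request.user_agent.to_s.delete("\r\n")
xff = forwarded_for.to_s.delete("\r\n")
# … unchanged: Net::HTTP::Post construction, headers and body …
```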
@@ -1,3 +1,3 @@
1
1
  module SecureHeaders
2
- VERSION = "1.1.0"
2
+ VERSION = "1.1.1"
3
3
  end
@@ -11,6 +11,21 @@ describe ContentSecurityPolicyController do
11
11
  }
12
12
  }
13
13
 
14
+ class FakeRequest
15
+ def user_agent
16
+ "Foo"
17
+ end
18
+ def env
19
+ {"HTTP_X_FORWARDED_FOR" => ""}
20
+ end
21
+ def remote_ip
22
+ "123.12.45.67"
23
+ end
24
+ def content_type
25
+ "application/json"
26
+ end
27
+ end
28
+
14
29
  describe "#csp" do
15
30
  let(:request) { double().as_null_object }
16
31
  let(:endpoint) { "https://example.com" }
@@ -20,6 +35,7 @@ describe ContentSecurityPolicyController do
20
35
  SecureHeaders::Configuration.stub(:csp).and_return({:report_uri => endpoint, :forward_endpoint => secondary_endpoint})
21
36
  subject.should_receive :head
22
37
  subject.stub(:params).and_return(params)
38
+ subject.stub(:request).and_return(FakeRequest.new)
23
39
  Net::HTTP.any_instance.stub(:request)
24
40
  end
25
41
 
@@ -27,7 +27,7 @@ module SecureHeaders
27
27
  it "doesn't accept anything besides no-sniff" do
28
28
  lambda {
29
29
  XContentTypeOptions.new("donkey")
30
- }.should raise_error(XContentTypeOptionsBuildError)
30
+ }.should raise_error
31
31
  end
32
32
  end
33
33
  end
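Review bot: Loosening `should raise_error(XContentTypeOptionsBuildError)` to a bare `should raise_error` weakens the example: any exception now satisfies it, including a NameError from a typo in `XContentTypeOptions.new` or an ArgumentError from a changed signature, so a regression in the validation itself would pass unnoticed. If the aim was to silence RSpec's deprecation warning, that presumably applies only to the negated form with a class; the positive expectation should keep its class, `}.should raise_error(XContentTypeOptionsBuildError)`, or at least match on the message. The surrounding `describe` begins above this hunk.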
@@ -13,19 +13,18 @@ module SecureHeaders
13
13
  it "allows SAMEORIGIN" do
14
14
  lambda {
15
15
  XFrameOptions.new("SAMEORIGIN").value
16
- }.should_not raise_error(XFOBuildError)
16
+ }.should_not raise_error
17
17
  end
18
18
 
19
19
  it "allows DENY" do
20
20
  lambda {
21
21
  XFrameOptions.new("DENY").value
22
- }.should_not raise_error(XFOBuildError)
23
- end
22
+ }.should_not raise_error end
24
23
 
25
24
  it "allows ALLOW-FROM*" do
26
25
  lambda {
27
26
  XFrameOptions.new("ALLOW-FROM: example.com").value
28
- }.should_not raise_error(XFOBuildError)
27
+ }.should_not raise_error
29
28
  end
30
29
  it "does not allow garbage" do
31
30
  lambda {
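Review bot: `}.should_not raise_error end` folds the example's `end` onto the expectation line, which reads as if `end` were an argument and is inconsistent with the two sibling examples in the same hunk; keep the closer on its own line as in the "allows SAMEORIGIN" and "allows ALLOW-FROM*" examples, `}.should_not raise_error` followed by `end`. Dropping the class from `should_not raise_error(XFOBuildError)` is fine here, since the negated form with a class was deprecated by RSpec and a bare negation is stricter anyway. The `describe` block continues past this hunk.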
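--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 1.1.0
+version: 1.1.1
 prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-11-11 00:00:00.000000000 Z
+date: 2013-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake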