secure_headers 1.1.0 → 1.1.1





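--- a/data/HISTORY.md
+++ b/data/HISTORY.md
@@ -1,3 +1,10 @@
+1.1.1
+======
+
+Bug fix release.
+- Parsing of CSP reports was busted.
+- Forwarded reports did not include the original referer, ip, UA
+
 1.1.0
 ======
 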
@@ -27,7 +27,20 @@ class ContentSecurityPolicyController < ActionController::Base
27
27
  use_ssl(http)
28
28
  end
29
29
 
30
+ if request.content_type == "application/csp-report"
31
+ request.body.rewind
32
+ params.merge!(ActiveSupport::JSON.decode(request.body.read))
33
+ end
34
+
35
+ ua = request.user_agent
36
+ xff = forwarded_for
37
+
30
38
  request = Net::HTTP::Post.new(uri.to_s)
39
+ request.initialize_http_header({
40
+ 'User-Agent' => ua,
41
+ 'X-Forwarded-For' => xff,
42
+ 'Content-Type' => 'application/json',
43
+ })
31
44
  request.body = params.to_json
32
45
 
33
46
  # fire and forget
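Review bot: The body decode at new line 32, `params.merge!(ActiveSupport::JSON.decode(request.body.read))`, has no error handling and no shape check, so a malformed or non-object body from any client raises in the decoder (or a TypeError from `merge!`) and surfaces as a 500 on an endpoint browsers post to without authentication; a bad report should be rejected with a 400 and only a Hash should be merged. Nothing bounds the size of the body that is read, parsed and then re-serialised into the forwarded request, which is worth a comment at least. Separately, `request.user_agent` is nil when the client sends no User-Agent header, and older Net::HTTP releases call `strip` on every value handed to `initialize_http_header`, so `'User-Agent' => ua` would then raise — `ua = request.user_agent.to_s` avoids that (confirm the strip behaviour against the Ruby version in use). The enclosing action starts before this hunk, and the changelog's statement that the referer is now forwarded does not correspond to anything in this header hash.
```ruby
if request.content_type == "application/csp-report"
  request.body.rewind
  report = begin
    ActiveSupport::JSON.decode(request.body.read)
  rescue StandardError
    # unparseable report: reject it instead of surfacing a 500
    return head(:bad_request)
  end
  # only a JSON object can be merged into params
  params.merge!(report) if report.is_a?(Hash)
end

ua = request.user_agent.to_s
xff = forwarded_for
# … unchanged: Net::HTTP::Post construction and header setup …
```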
@@ -38,6 +51,15 @@ class ContentSecurityPolicyController < ActionController::Base
38
51
  end
39
52
  end
40
53
 
54
+ def forwarded_for
55
+ req_xff = request.env["HTTP_X_FORWARDED_FOR"]
56
+ if req_xff && req_xff != ""
57
+ "#{req_xff}, #{request.remote_ip}"
58
+ else
59
+ request.remote_ip
60
+ end
61
+ end
62
+
41
63
  def use_ssl request
42
64
  request.use_ssl = true
43
65
  request.ca_file = CA_FILE
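Review bot: `forwarded_for` re-emits the client-supplied `HTTP_X_FORWARDED_FOR` value verbatim as a header of the outbound request, so whatever the client sent (surrounding whitespace, or CR/LF if the value was not normalised upstream) goes straight into the forwarded report; normalise it first with `req_xff = request.env["HTTP_X_FORWARDED_FOR"].to_s.strip` and return `req_xff.empty? ? request.remote_ip : "#{req_xff}, #{request.remote_ip}"`, which also replaces the `req_xff != ""` comparison with the idiomatic check. Rails' `remote_ip` already takes X-Forwarded-For into account, so the appended address may repeat one already in the chain; that is harmless but deserves a comment such as `# original XFF chain plus the address Rails resolved; the receiving side must not trust this header`. Whether a `private` marker precedes this method is not visible in the hunk; if there is none, `forwarded_for` is a public controller method and therefore a potential action, so it belongs below `private` alongside `use_ssl`.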
@@ -1,3 +1,3 @@
1
1
  module SecureHeaders
2
- VERSION = "1.1.0"
2
+ VERSION = "1.1.1"
3
3
  end
@@ -11,6 +11,21 @@ describe ContentSecurityPolicyController do
11
11
  }
12
12
  }
13
13
 
14
+ class FakeRequest
15
+ def user_agent
16
+ "Foo"
17
+ end
18
+ def env
19
+ {"HTTP_X_FORWARDED_FOR" => ""}
20
+ end
21
+ def remote_ip
22
+ "123.12.45.67"
23
+ end
24
+ def content_type
25
+ "application/json"
26
+ end
27
+ end
28
+
14
29
  describe "#csp" do
15
30
  let(:request) { double().as_null_object }
16
31
  let(:endpoint) { "https://example.com" }
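Review bot: `FakeRequest#content_type` returns `"application/json"`, so the new `application/csp-report` branch that the changelog says was fixed is never taken by this spec, and `FakeRequest` defines no `body` method for the controller to call on that path — the bug fix has no regression test. Add a second fake (or a `content_type` argument to this one) that returns `"application/csp-report"` and a `body` returning a `StringIO` holding a small JSON report, and assert that the forwarded `request.body` contains the decoded keys; the same gap applies to the `subject.stub(:request).and_return(FakeRequest.new)` line in the next hunk, which only wires this fake in. Also, `class FakeRequest` inside the `describe` block still defines a top-level constant shared across the whole spec run, so a more specific name or a `let` built from a `Struct` or `double` would avoid collisions with other specs.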
@@ -20,6 +35,7 @@ describe ContentSecurityPolicyController do
20
35
  SecureHeaders::Configuration.stub(:csp).and_return({:report_uri => endpoint, :forward_endpoint => secondary_endpoint})
21
36
  subject.should_receive :head
22
37
  subject.stub(:params).and_return(params)
38
+ subject.stub(:request).and_return(FakeRequest.new)
23
39
  Net::HTTP.any_instance.stub(:request)
24
40
  end
25
41
 
@@ -27,7 +27,7 @@ module SecureHeaders
27
27
  it "doesn't accept anything besides no-sniff" do
28
28
  lambda {
29
29
  XContentTypeOptions.new("donkey")
30
- }.should raise_error(XContentTypeOptionsBuildError)
30
+ }.should raise_error
31
31
  end
32
32
  end
33
33
  end
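Review bot: Dropping the class from `raise_error(XContentTypeOptionsBuildError)` to a bare `raise_error` makes this example pass on any exception, including the `NameError` a misnamed or un-namespaced constant would raise, so the spec no longer proves that the validation rejects the value. If the constant name was the problem, keep the assertion specific, e.g. `}.should raise_error(SecureHeaders::XContentTypeOptionsBuildError)` (the exact namespace is not visible in this hunk and needs checking against the library), or at least match on the message with `raise_error(/.../)`. The `should_not raise_error` changes in the X-Frame-Options spec below are a different case: RSpec discourages passing an error class to a negative `raise_error` because the expectation is ambiguous, so dropping it there is fine.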
@@ -13,19 +13,18 @@ module SecureHeaders
13
13
  it "allows SAMEORIGIN" do
14
14
  lambda {
15
15
  XFrameOptions.new("SAMEORIGIN").value
16
- }.should_not raise_error(XFOBuildError)
16
+ }.should_not raise_error
17
17
  end
18
18
 
19
19
  it "allows DENY" do
20
20
  lambda {
21
21
  XFrameOptions.new("DENY").value
22
- }.should_not raise_error(XFOBuildError)
23
- end
22
+ }.should_not raise_error end
24
23
 
25
24
  it "allows ALLOW-FROM*" do
26
25
  lambda {
27
26
  XFrameOptions.new("ALLOW-FROM: example.com").value
28
- }.should_not raise_error(XFOBuildError)
27
+ }.should_not raise_error
29
28
  end
30
29
  it "does not allow garbage" do
31
30
  lambda {
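Review bot: The "allows DENY" example now closes both the lambda expectation and the `it` block on a single line, `}.should_not raise_error end`, which is inconsistent with the two sibling examples in this hunk and easy to misread as a missing `end`; keep the `end` on its own line as before: `}.should_not raise_error` followed by `end`. The change from `should_not raise_error(XFOBuildError)` to a bare `should_not raise_error` is itself correct, since a negative `raise_error` with an argument is ambiguous and discouraged by RSpec.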
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.0
4
+ version: 1.1.1
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2013-11-11 00:00:00.000000000 Z
12
+ date: 2013-12-19 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: rake