secure_headers 1.3.4 → 2.0.0.pre

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (65) hide show
  1. checksums.yaml +5 -13
  2. data/.gitignore +4 -8
  3. data/.travis.yml +0 -3
  4. data/Gemfile +4 -5
  5. data/Guardfile +4 -2
  6. data/README.md +102 -48
  7. data/Rakefile +0 -116
  8. data/fixtures/rails_3_2_12/Gemfile +0 -5
  9. data/fixtures/rails_3_2_12/app/controllers/things_controller.rb +0 -1
  10. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -4
  11. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
  12. data/fixtures/rails_3_2_12/config/application.rb +0 -54
  13. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -1
  14. data/fixtures/rails_3_2_12/config/routes.rb +0 -57
  15. data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
  16. data/fixtures/rails_3_2_12/config.ru +3 -0
  17. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +50 -18
  18. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +1 -1
  19. data/fixtures/rails_3_2_12_no_init/Gemfile +0 -6
  20. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
  21. data/fixtures/rails_3_2_12_no_init/app/controllers/things_controller.rb +1 -1
  22. data/fixtures/rails_3_2_12_no_init/app/views/layouts/application.html.erb +0 -2
  23. data/fixtures/rails_3_2_12_no_init/app/views/things/index.html.erb +0 -21
  24. data/fixtures/rails_3_2_12_no_init/config/application.rb +0 -48
  25. data/fixtures/rails_3_2_12_no_init/config/routes.rb +0 -57
  26. data/lib/secure_headers/hash_helper.rb +7 -0
  27. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
  28. data/lib/secure_headers/headers/content_security_policy.rb +141 -133
  29. data/lib/secure_headers/railtie.rb +0 -22
  30. data/lib/secure_headers/version.rb +1 -1
  31. data/lib/secure_headers/view_helper.rb +68 -0
  32. data/lib/secure_headers.rb +50 -16
  33. data/lib/tasks/tasks.rake +48 -0
  34. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
  35. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +83 -208
  36. data/spec/lib/secure_headers_spec.rb +16 -62
  37. data/spec/spec_helper.rb +25 -1
  38. metadata +19 -40
  39. data/HISTORY.md +0 -162
  40. data/app/controllers/content_security_policy_controller.rb +0 -75
  41. data/config/curl-ca-bundle.crt +0 -5420
  42. data/config/routes.rb +0 -3
  43. data/fixtures/rails_3_2_12/config/environments/development.rb +0 -37
  44. data/fixtures/rails_3_2_12/config/environments/production.rb +0 -67
  45. data/fixtures/rails_3_2_12/config/initializers/backtrace_silencers.rb +0 -7
  46. data/fixtures/rails_3_2_12/config/initializers/inflections.rb +0 -15
  47. data/fixtures/rails_3_2_12/config/initializers/mime_types.rb +0 -5
  48. data/fixtures/rails_3_2_12/config/initializers/secret_token.rb +0 -7
  49. data/fixtures/rails_3_2_12/config/initializers/session_store.rb +0 -8
  50. data/fixtures/rails_3_2_12/config/initializers/wrap_parameters.rb +0 -14
  51. data/fixtures/rails_3_2_12/config/locales/en.yml +0 -5
  52. data/fixtures/rails_3_2_12_no_init/app/views/things/_form.html.erb +0 -17
  53. data/fixtures/rails_3_2_12_no_init/app/views/things/edit.html.erb +0 -6
  54. data/fixtures/rails_3_2_12_no_init/app/views/things/new.html.erb +0 -5
  55. data/fixtures/rails_3_2_12_no_init/app/views/things/show.html.erb +0 -5
  56. data/fixtures/rails_3_2_12_no_init/config/environments/development.rb +0 -37
  57. data/fixtures/rails_3_2_12_no_init/config/environments/production.rb +0 -67
  58. data/fixtures/rails_3_2_12_no_init/config/initializers/backtrace_silencers.rb +0 -7
  59. data/fixtures/rails_3_2_12_no_init/config/initializers/inflections.rb +0 -15
  60. data/fixtures/rails_3_2_12_no_init/config/initializers/mime_types.rb +0 -5
  61. data/fixtures/rails_3_2_12_no_init/config/initializers/secret_token.rb +0 -7
  62. data/fixtures/rails_3_2_12_no_init/config/initializers/session_store.rb +0 -8
  63. data/fixtures/rails_3_2_12_no_init/config/initializers/wrap_parameters.rb +0 -14
  64. data/fixtures/rails_3_2_12_no_init/config/locales/en.yml +0 -5
  65. data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
@@ -1,90 +1,154 @@
1
1
  require 'uri'
2
2
  require 'base64'
3
+ require 'securerandom'
3
4
 
4
5
  module SecureHeaders
5
6
  class ContentSecurityPolicyBuildError < StandardError; end
6
7
  class ContentSecurityPolicy < Header
7
8
  module Constants
8
- DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https://* about: javascript:; img-src data:"
9
- STANDARD_HEADER_NAME = "Content-Security-Policy"
10
- FF_CSP_ENDPOINT = "/content_security_policy/forward_report"
11
- DIRECTIVES = [:default_src, :script_src, :frame_src, :style_src, :img_src, :media_src, :font_src, :object_src, :connect_src]
12
- META = [:disable_chrome_extension, :disable_fill_missing, :forward_endpoint]
9
+ DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https: about: javascript:; img-src data:"
10
+ HEADER_NAME = "Content-Security-Policy"
11
+ ENV_KEY = 'secure_headers.content_security_policy'
12
+ DIRECTIVES = [
13
+ :default_src,
14
+ :connect_src,
15
+ :font_src,
16
+ :frame_src,
17
+ :img_src,
18
+ :media_src,
19
+ :object_src,
20
+ :script_src,
21
+ :style_src
22
+ ]
23
+
24
+ NON_DEFAULT_SOURCES = [
25
+ :base_uri,
26
+ :child_src,
27
+ :form_action,
28
+ :frame_ancestors,
29
+ :plugin_types,
30
+ :referrer,
31
+ :reflected_xss
32
+ ]
33
+
34
+ ALL_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES
13
35
  end
14
36
  include Constants
15
37
 
16
- attr_accessor *META
17
- attr_reader :browser, :ssl_request, :report_uri, :request_uri, :experimental
18
-
19
- alias :disable_chrome_extension? :disable_chrome_extension
38
+ attr_reader :disable_fill_missing, :ssl_request
20
39
  alias :disable_fill_missing? :disable_fill_missing
21
40
  alias :ssl_request? :ssl_request
22
41
 
42
+ class << self
43
+ def generate_nonce
44
+ SecureRandom.base64(32).chomp
45
+ end
46
+
47
+ def set_nonce(controller, nonce = generate_nonce)
48
+ controller.instance_variable_set(:@content_security_policy_nonce, nonce)
49
+ end
50
+
51
+ def add_to_env(request, controller, config)
52
+ set_nonce(controller)
53
+ options = options_from_request(request).merge(:controller => controller)
54
+ request.env[Constants::ENV_KEY] = {
55
+ :config => config,
56
+ :options => options,
57
+ }
58
+ end
59
+
60
+ def options_from_request(request)
61
+ {
62
+ :ssl => request.ssl?,
63
+ :ua => request.env['HTTP_USER_AGENT'],
64
+ :request_uri => request_uri_from_request(request),
65
+ }
66
+ end
67
+
68
+ def request_uri_from_request(request)
69
+ if request.respond_to?(:original_url)
70
+ # rails 3.1+
71
+ request.original_url
72
+ else
73
+ # rails 2/3.0
74
+ request.url
75
+ end
76
+ end
77
+
78
+ def symbol_to_hyphen_case sym
79
+ sym.to_s.gsub('_', '-')
80
+ end
81
+ end
82
+
23
83
  # +options+ param contains
24
- # :experimental use experimental block for config
84
+ # :controller used for setting instance variables for nonces/hashes
25
85
  # :ssl_request used to determine if http_additions should be used
26
- # :request_uri used to determine if firefox should send the report directly
27
- # or use the forwarding endpoint
28
86
  # :ua the user agent (or just use Firefox/Chrome/MSIE/etc)
29
87
  #
30
88
  # :report used to determine what :ssl_request, :ua, and :request_uri are set to
31
89
  def initialize(config=nil, options={})
32
- @experimental = !!options.delete(:experimental)
33
- @controller = options.delete(:controller)
90
+ return unless config
34
91
 
35
92
  if options[:request]
36
- parse_request(options[:request])
37
- else
38
- @ua = options[:ua]
39
- # fails open, assumes http. Bad idea? Will always include http additions.
40
- # could also fail if not supplied.
41
- @ssl_request = !!options.delete(:ssl)
42
- # a nil value here means we always assume we are not on the same host,
43
- # which causes all FF csp reports to go through the forwarder
44
- @request_uri = options.delete(:request_uri)
93
+ options = options.merge(self.class.options_from_request(options[:request]))
45
94
  end
46
95
 
47
- configure(config) if config
48
- end
96
+ @controller = options[:controller]
97
+ @ua = options[:ua]
98
+ @ssl_request = !!options.delete(:ssl)
99
+ @request_uri = options.delete(:request_uri)
49
100
 
50
- def nonce
51
- @nonce ||= SecureRandom.base64(32).chomp
52
- end
101
+ # Config values can be string, array, or lamdba values
102
+ @config = config.inject({}) do |hash, (key, value)|
103
+ config_val = value.respond_to?(:call) ? value.call : value
53
104
 
54
- def configure(config)
55
- @config = config.dup
105
+ if ALL_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
106
+ config_val = config_val.split if config_val.is_a? String
107
+ if config_val.is_a?(Array)
108
+ config_val = config_val.map do |val|
109
+ translate_dir_value(val)
110
+ end.flatten.uniq
111
+ end
112
+ end
56
113
 
57
- experimental_config = @config.delete(:experimental)
58
- if @experimental && experimental_config
59
- @config[:http_additions] = experimental_config[:http_additions]
60
- @config.merge!(experimental_config)
114
+ hash[key] = config_val
115
+ hash
61
116
  end
62
117
 
63
- # these values don't support lambdas because this needs to be rewritten
64
118
  @http_additions = @config.delete(:http_additions)
65
119
  @app_name = @config.delete(:app_name)
120
+ @report_uri = @config.delete(:report_uri)
66
121
 
67
- normalize_csp_options
68
-
69
- META.each do |meta|
70
- self.send("#{meta}=", @config.delete(meta))
71
- end
72
-
122
+ @disable_fill_missing = !!@config.delete(:disable_fill_missing)
73
123
  @enforce = !!@config.delete(:enforce)
74
- @tag_report_uri = @config.delete(:tag_report_uri)
124
+ @tag_report_uri = !!@config.delete(:tag_report_uri)
125
+ @script_hashes = @config.delete(:script_hashes) || []
75
126
 
76
- normalize_reporting_endpoint
127
+ add_script_hashes if @script_hashes.any?
77
128
  fill_directives unless disable_fill_missing?
78
129
  end
79
130
 
131
+ ##
132
+ # Return or initialize the nonce value used for this header.
133
+ # If a reference to a controller is passed in the config, this method
134
+ # will check if a nonce has already been set and use it.
135
+ def nonce
136
+ @nonce ||= @controller.instance_variable_get(:@content_security_policy_nonce) || self.class.generate_nonce
137
+ end
138
+
139
+ ##
140
+ # Returns the name to use for the header. Either "Content-Security-Policy" or
141
+ # "Content-Security-Policy-Report-Only"
80
142
  def name
81
- base = STANDARD_HEADER_NAME
82
- if !@enforce || experimental
143
+ base = HEADER_NAME
144
+ if !@enforce
83
145
  base += "-Report-Only"
84
146
  end
85
147
  base
86
148
  end
87
149
 
150
+ ##
151
+ # Return the value of the CSP header
88
152
  def value
89
153
  return @config if @config.is_a?(String)
90
154
  if @config
@@ -96,26 +160,28 @@ module SecureHeaders
96
160
 
97
161
  private
98
162
 
163
+ def add_script_hashes
164
+ @config[:script_src] << @script_hashes.map {|hash| "'#{hash}'"} << ["'unsafe-inline'"]
165
+ end
166
+
99
167
  def build_value
100
168
  raise "Expected to find default_src directive value" unless @config[:default_src]
101
169
  append_http_additions unless ssl_request?
102
170
  header_value = [
103
- generic_directives(@config),
171
+ generic_directives,
172
+ non_default_directives,
104
173
  report_uri_directive
105
174
  ].join.strip
106
- rescue StandardError => e
107
- raise ContentSecurityPolicyBuildError.new("Couldn't build CSP header :( #{e}")
108
175
  end
109
176
 
110
177
  def fill_directives
111
- return unless @config[:default_src]
112
- default = @config[:default_src]
113
- DIRECTIVES.each do |directive|
114
- unless @config[directive]
115
- @config[directive] = default
178
+ if default = @config[:default_src]
179
+ DIRECTIVES.each do |directive|
180
+ unless @config[directive]
181
+ @config[directive] = default
182
+ end
116
183
  end
117
184
  end
118
- @config
119
185
  end
120
186
 
121
187
  def append_http_additions
@@ -126,74 +192,20 @@ module SecureHeaders
126
192
  end
127
193
  end
128
194
 
129
- def normalize_csp_options
130
- @config = @config.inject({}) do |hash, (key, value)|
131
- # lambdas
132
- config_val = value.respond_to?(:call) ? value.call : value
133
- # space-delimeted strings
134
- config_val = config_val.split if config_val.is_a? String
135
- # array of strings
136
- if config_val.respond_to?(:map) #skip booleans
137
- config_val = config_val.map do |val|
138
- translate_dir_value(val)
139
- end.flatten.uniq
140
- end
141
-
142
- hash[key] = config_val
143
- hash
144
- end
145
-
146
- @report_uri = @config.delete(:report_uri).join(" ") if @config[:report_uri]
147
- end
148
-
149
- # translates 'inline','self', 'none' and 'eval' to their respective impl-specific values.
150
195
  def translate_dir_value val
151
196
  if %w{inline eval}.include?(val)
152
197
  val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
153
- # self/none are special sources/src-dir-values and need to be quoted in chrome
198
+ # self/none are special sources/src-dir-values and need to be quoted
154
199
  elsif %{self none}.include?(val)
155
200
  "'#{val}'"
156
201
  elsif val == 'nonce'
157
- @controller.instance_variable_set(:@content_security_policy_nonce, nonce)
202
+ self.class.set_nonce(@controller, nonce)
158
203
  ["'nonce-#{nonce}'", "'unsafe-inline'"]
159
204
  else
160
205
  val
161
206
  end
162
207
  end
163
208
 
164
- # if we have a forwarding endpoint setup and we are not on the same origin as our report_uri
165
- # or only a path was supplied (in which case we assume cross-host)
166
- # we need to forward the request for Firefox.
167
- def normalize_reporting_endpoint
168
- if @ua && @ua =~ /Firefox/
169
- if same_origin? || report_uri.nil? || URI.parse(report_uri).host.nil?
170
- return
171
- end
172
-
173
- if forward_endpoint
174
- @report_uri = FF_CSP_ENDPOINT
175
- end
176
- end
177
-
178
- if @tag_report_uri
179
- @report_uri = "#{@report_uri}?enforce=#{@enforce}"
180
- @report_uri += "&app_name=#{@app_name}" if @app_name
181
- end
182
- end
183
-
184
- def same_origin?
185
- return unless report_uri && request_uri
186
-
187
- begin
188
- origin = URI.parse(request_uri)
189
- uri = URI.parse(report_uri)
190
- rescue URI::InvalidURIError
191
- return false
192
- end
193
-
194
- uri.host == origin.host && origin.port == uri.port && origin.scheme == uri.scheme
195
- end
196
-
197
209
  def report_uri_directive
198
210
  return '' if @report_uri.nil?
199
211
 
@@ -205,44 +217,40 @@ module SecureHeaders
205
217
  end
206
218
  end
207
219
 
220
+ if @tag_report_uri
221
+ @report_uri = "#{@report_uri}?enforce=#{@enforce}"
222
+ @report_uri += "&app_name=#{@app_name}" if @app_name
223
+ end
224
+
208
225
  "report-uri #{@report_uri};"
209
226
  end
210
227
 
211
- def generic_directives(config)
228
+ def generic_directives
212
229
  header_value = ''
213
- if config[:img_src]
214
- config[:img_src] = config[:img_src] + ['data:'] unless config[:img_src].include?('data:')
230
+ if @config[:img_src]
231
+ @config[:img_src] = @config[:img_src] + ['data:'] unless @config[:img_src].include?('data:')
215
232
  else
216
- config[:img_src] = config[:default_src] + ['data:']
233
+ @config[:img_src] = @config[:default_src] + ['data:']
217
234
  end
218
235
 
219
- header_value = build_directive(:default_src)
220
- config.keys.sort_by{|k| k.to_s}.each do |k| # ensure consistent ordering
221
- header_value += build_directive(k)
236
+ DIRECTIVES.each do |directive_name|
237
+ header_value += build_directive(directive_name) if @config[directive_name]
222
238
  end
223
239
 
224
240
  header_value
225
241
  end
226
242
 
227
- # build and deletes the directive
228
- def build_directive(key)
229
- "#{symbol_to_hyphen_case(key)} #{@config.delete(key).join(" ")}; "
230
- end
243
+ def non_default_directives
244
+ header_value = ''
245
+ NON_DEFAULT_SOURCES.each do |directive_name|
246
+ header_value += build_directive(directive_name) if @config[directive_name]
247
+ end
231
248
 
232
- def symbol_to_hyphen_case sym
233
- sym.to_s.gsub('_', '-')
249
+ header_value
234
250
  end
235
251
 
236
- def parse_request request
237
- @ssl_request = request.ssl?
238
- @ua = request.env['HTTP_USER_AGENT']
239
- @request_uri = if request.respond_to?(:original_url)
240
- # rails 3.1+
241
- request.original_url
242
- else
243
- # rails 2/3.0
244
- request.url
245
- end
252
+ def build_directive(key)
253
+ "#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
246
254
  end
247
255
  end
248
256
  end
@@ -16,26 +16,4 @@ else
16
16
  include ::SecureHeaders
17
17
  end
18
18
  end
19
-
20
- module SecureHeaders
21
- module Routing
22
- module MapperExtensions
23
- def csp_endpoint
24
- @set.add_route(ContentSecurityPolicy::FF_CSP_ENDPOINT, {:controller => "content_security_policy", :action => "scribe"})
25
- end
26
- end
27
- end
28
- end
29
-
30
- if defined?(ActiveSupport::Dependencies)
31
- if ActiveSupport::Dependencies.autoload_paths
32
- ActiveSupport::Dependencies.autoload_paths << File.expand_path(File.join("..", "..", "..", "app", "controllers"), __FILE__)
33
- else
34
- ActiveSupport::Dependencies.autoload_paths = [File.expand_path(File.join("..", "..", "..", "app", "controllers"), __FILE__)]
35
- end
36
- end
37
-
38
- if defined? ActionController::Routing
39
- ActionController::Routing::RouteSet::Mapper.send :include, ::SecureHeaders::Routing::MapperExtensions
40
- end
41
19
  end
@@ -1,3 +1,3 @@
1
1
  module SecureHeaders
2
- VERSION = "1.3.4"
2
+ VERSION = "2.0.0.pre"
3
3
  end
@@ -0,0 +1,68 @@
1
+ module SecureHeaders
2
+ class UnexpectedHashedScriptException < StandardError
3
+
4
+ end
5
+
6
+ module ViewHelpers
7
+ include SecureHeaders::HashHelper
8
+ SECURE_HEADERS_RAKE_TASK = "rake secure_headers:generate_hashes"
9
+
10
+ def nonced_style_tag(content = nil, &block)
11
+ nonced_tag(content, :style, block)
12
+ end
13
+
14
+ def nonced_javascript_tag(content = nil, &block)
15
+ nonced_tag(content, :script, block)
16
+ end
17
+
18
+ def hashed_javascript_tag(raise_error_on_unrecognized_hash = false, &block)
19
+ content = capture(&block)
20
+
21
+ if ['development', 'test'].include?(ENV["RAILS_ENV"])
22
+ hash_value = hash_source(content)
23
+ file_path = File.join('app', 'views', self.instance_variable_get(:@virtual_path) + '.html.erb')
24
+ script_hashes = controller.instance_variable_get(:@script_hashes)[file_path]
25
+ unless script_hashes && script_hashes.include?(hash_value)
26
+ message = unexpected_hash_error_message(file_path, hash_value, content)
27
+ if raise_error_on_unrecognized_hash
28
+ raise UnexpectedHashedScriptException.new(message)
29
+ else
30
+ puts message
31
+ request.env[HASHES_ENV_KEY] = (request.env[HASHES_ENV_KEY] || []) << hash_value
32
+ end
33
+ end
34
+ end
35
+
36
+ content_tag :script, content
37
+ end
38
+
39
+ private
40
+
41
+ def nonced_tag(content, type, block)
42
+ content = if block
43
+ capture(&block)
44
+ else
45
+ content.html_safe # :'(
46
+ end
47
+
48
+ content_tag type, content, :nonce => @content_security_policy_nonce
49
+ end
50
+
51
+ def unexpected_hash_error_message(file_path, hash_value, content)
52
+ <<-EOF
53
+ \n\n*** WARNING: Unrecognized hash in #{file_path}!!! Value: #{hash_value} ***
54
+ <script>#{content}</script>
55
+ *** This is fine in dev/test, but will raise exceptions in production. ***
56
+ *** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/script_hashes.yml:***
57
+ #{file_path}:
58
+ - #{hash_value}\n\n
59
+ EOF
60
+ end
61
+ end
62
+ end
63
+
64
+ module ActionView #:nodoc:
65
+ module Helpers #:nodoc:
66
+ include SecureHeaders::ViewHelpers
67
+ end
68
+ end
@@ -1,11 +1,17 @@
1
1
  module SecureHeaders
2
+ SCRIPT_HASH_CONFIG_FILE = 'config/script_hashes.yml'
3
+ HASHES_ENV_KEY = 'secure_headers.script_hashes'
4
+
2
5
  module Configuration
3
6
  class << self
4
7
  attr_accessor :hsts, :x_frame_options, :x_content_type_options,
5
- :x_xss_protection, :csp, :x_download_options
8
+ :x_xss_protection, :csp, :x_download_options, :script_hashes
6
9
 
7
10
  def configure &block
8
11
  instance_eval &block
12
+ if File.exists?(SCRIPT_HASH_CONFIG_FILE)
13
+ ::SecureHeaders::Configuration.script_hashes = YAML.load(File.open(SCRIPT_HASH_CONFIG_FILE))
14
+ end
9
15
  end
10
16
  end
11
17
  end
@@ -33,6 +39,7 @@ module SecureHeaders
33
39
 
34
40
  def ensure_security_headers options = {}
35
41
  self.secure_headers_options = options
42
+ before_filter :prep_script_hash
36
43
  before_filter :set_hsts_header
37
44
  before_filter :set_x_frame_options_header
38
45
  before_filter :set_csp_header
@@ -49,7 +56,6 @@ module SecureHeaders
49
56
  end
50
57
 
51
58
  module InstanceMethods
52
- # Re-added for backwards compat.
53
59
  def set_security_headers(options = self.class.secure_headers_options)
54
60
  set_csp_header(request, options[:csp])
55
61
  set_hsts_header(options[:hsts])
@@ -59,28 +65,54 @@ module SecureHeaders
59
65
  set_x_download_options_header(options[:x_download_options])
60
66
  end
61
67
 
62
- # backwards compatibility jank, to be removed in 1.0. Old API required a request
63
- # object when it didn't really need to.
64
68
  # set_csp_header - uses the request accessor and SecureHeader::Configuration settings
65
69
  # set_csp_header(+Rack::Request+) - uses the parameter and and SecureHeader::Configuration settings
66
70
  # set_csp_header(+Hash+) - uses the request accessor and options from parameters
67
71
  # set_csp_header(+Rack::Request+, +Hash+)
68
- def set_csp_header(req = nil, options=nil)
69
- # hack to help generating headers statically
70
- if req.is_a?(Hash)
71
- options = req
72
+ def set_csp_header(req = nil, config=nil)
73
+ if req.is_a?(Hash) || req.is_a?(FalseClass)
74
+ config = req
72
75
  end
73
76
 
74
- options = self.class.secure_headers_options[:csp] if options.nil?
75
- options = self.class.options_for :csp, options
77
+ config = self.class.secure_headers_options[:csp] if config.nil?
78
+ config = self.class.options_for :csp, config
76
79
 
77
- return if options == false
80
+ return if config == false
81
+
82
+ if config && config[:script_hash_middleware]
83
+ ContentSecurityPolicy.add_to_env(request, self, config)
84
+ else
85
+ csp_header = ContentSecurityPolicy.new(config, :request => request, :controller => self)
86
+ set_header(csp_header)
87
+ end
88
+ end
89
+
90
+
91
+ def prep_script_hash
92
+ if ::SecureHeaders::Configuration.script_hashes
93
+ @script_hashes = ::SecureHeaders::Configuration.script_hashes.dup
94
+ ActiveSupport::Notifications.subscribe("render_partial.action_view") do |event_name, start_at, end_at, id, payload|
95
+ save_hash_for_later payload
96
+ end
97
+
98
+ ActiveSupport::Notifications.subscribe("render_template.action_view") do |event_name, start_at, end_at, id, payload|
99
+ save_hash_for_later payload
100
+ end
101
+ end
102
+ end
103
+
104
+ def save_hash_for_later payload
105
+ matching_hashes = @script_hashes[payload[:identifier].gsub(Rails.root.to_s + "/", "")] || []
106
+
107
+ if payload[:layout]
108
+ # We're assuming an html.erb layout for now. Will need to handle mustache too, just not sure of the best way to do this
109
+ layout_hashes = @script_hashes[File.join("app", "views", payload[:layout]) + '.html.erb']
110
+
111
+ matching_hashes << layout_hashes if layout_hashes
112
+ end
78
113
 
79
- csp_header = ContentSecurityPolicy.new(options, :request => request, :controller => self)
80
- set_header(csp_header)
81
- if options && options[:experimental] && options[:enforce]
82
- experimental_header = ContentSecurityPolicy.new(options, :experimental => true, :request => request, :controller => self)
83
- set_header(experimental_header)
114
+ if matching_hashes.any?
115
+ request.env[HASHES_ENV_KEY] = ((request.env[HASHES_ENV_KEY] || []) << matching_hashes).flatten
84
116
  end
85
117
  end
86
118
 
@@ -136,3 +168,5 @@ require "secure_headers/headers/x_xss_protection"
136
168
  require "secure_headers/headers/x_content_type_options"
137
169
  require "secure_headers/headers/x_download_options"
138
170
  require "secure_headers/railtie"
171
+ require "secure_headers/hash_helper"
172
+ require "secure_headers/view_helper"
@@ -0,0 +1,48 @@
1
+ INLINE_SCRIPT_REGEX = /(<script(\s*(?!src)([\w\-])+=([\"\'])[^\"\']+\4)*\s*>)(.*?)<\/script>/mx
2
+ INLINE_HASH_HELPER_REGEX = /<%=\s?hashed_javascript_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx
3
+ SCRIPT_HASH_CONFIG_FILE = 'config/script_hashes.yml'
4
+
5
+ namespace :secure_headers do
6
+ include SecureHeaders::HashHelper
7
+
8
+ def is_erb?(filename)
9
+ filename =~ /\.erb\Z/
10
+ end
11
+
12
+ def generate_inline_script_hashes(filename)
13
+ file = File.read(filename)
14
+ hashes = []
15
+
16
+ [INLINE_SCRIPT_REGEX, INLINE_HASH_HELPER_REGEX].each do |regex|
17
+ file.gsub(regex) do # TODO don't use gsub
18
+ inline_script = Regexp.last_match.captures.last
19
+ if (filename =~ /\.mustache\Z/ && inline_script =~ /\{\{.*\}\}/) || (is_erb?(filename) && inline_script =~ /<%.*%>/)
20
+ puts "Looks like there's some dynamic content inside of a script tag :-/"
21
+ puts "That pretty much means the hash value will never match."
22
+ puts "Code: " + inline_script
23
+ puts "=" * 20
24
+ end
25
+
26
+ hashes << hash_source(inline_script)
27
+ end
28
+ end
29
+
30
+ hashes
31
+ end
32
+
33
+ task :generate_hashes do |t, args|
34
+ script_hashes = {}
35
+ Dir.glob("app/{views,templates}/**/*.{erb,mustache}") do |filename|
36
+ hashes = generate_inline_script_hashes(filename)
37
+ if hashes.any?
38
+ script_hashes[filename] = hashes
39
+ end
40
+ end
41
+
42
+ File.open(SCRIPT_HASH_CONFIG_FILE, 'w') do |file|
43
+ file.write(script_hashes.to_yaml)
44
+ end
45
+
46
+ puts "Script hashes from " + script_hashes.keys.size.to_s + " files added to #{SCRIPT_HASH_CONFIG_FILE}"
47
+ end
48
+ end
@@ -0,0 +1,47 @@
1
+ require 'spec_helper'
2
+ require 'secure_headers/headers/content_security_policy/script_hash_middleware'
3
+
4
+ module SecureHeaders
5
+ describe ContentSecurityPolicy::ScriptHashMiddleware do
6
+
7
+ let(:app) { double(:call => [200, headers, '']) }
8
+ let(:env) { double }
9
+ let(:headers) { double }
10
+
11
+ let(:default_config) do
12
+ {
13
+ :disable_fill_missing => true,
14
+ :default_src => 'https://*',
15
+ :report_uri => '/csp_report',
16
+ :script_src => 'inline eval https://* data:',
17
+ :style_src => "inline https://* about:"
18
+ }
19
+ end
20
+
21
+ def should_assign_header name, value
22
+ expect(headers).to receive(:[]=).with(name, value)
23
+ end
24
+
25
+ def call_middleware(hashes = [])
26
+ options = {
27
+ :ua => USER_AGENTS[:chrome]
28
+ }
29
+ expect(env).to receive(:[]).with(HASHES_ENV_KEY).and_return(hashes)
30
+ expect(env).to receive(:[]).with(ENV_KEY).and_return(
31
+ :config => default_config,
32
+ :options => options
33
+ )
34
+ ContentSecurityPolicy::ScriptHashMiddleware.new(app).call(env)
35
+ end
36
+
37
+ it "adds hashes stored in env to the header" do
38
+ should_assign_header(HEADER_NAME + "-Report-Only", /script-src[^;]*'sha256-/)
39
+ call_middleware(['sha256-abc123'])
40
+ end
41
+
42
+ it "leaves things alone when no hashes are saved to env" do
43
+ should_assign_header(HEADER_NAME + "-Report-Only", /script-src[^;]*(?!'sha256-)/)
44
+ call_middleware()
45
+ end
46
+ end
47
+ end