secure_headers 1.4.1 → 2.0.0.pre

data/lib/secure_headers/headers/content_security_policy.rb

@@ -1,93 +1,154 @@
 require 'uri'
 require 'base64'
+require 'securerandom'
 
 module SecureHeaders
   class ContentSecurityPolicyBuildError < StandardError; end
   class ContentSecurityPolicy < Header
     module Constants
-      DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https://* about: javascript:; img-src data:"
-      STANDARD_HEADER_NAME = "Content-Security-Policy"
-      FF_CSP_ENDPOINT = "/content_security_policy/forward_report"
-      DIRECTIVES = [:default_src, :script_src, :frame_src, :style_src, :img_src, :media_src, :font_src, :object_src, :connect_src]
-      META = [:disable_chrome_extension, :disable_fill_missing, :forward_endpoint]
+      DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https: about: javascript:; img-src data:"
+      HEADER_NAME = "Content-Security-Policy"
+      ENV_KEY = 'secure_headers.content_security_policy'
+      DIRECTIVES = [
+        :default_src,
+        :connect_src,
+        :font_src,
+        :frame_src,
+        :img_src,
+        :media_src,
+        :object_src,
+        :script_src,
+        :style_src
+      ]
+
+      NON_DEFAULT_SOURCES = [
+        :base_uri,
+        :child_src,
+        :form_action,
+        :frame_ancestors,
+        :plugin_types,
+        :referrer,
+        :reflected_xss
+      ]
+
+      ALL_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES
     end
     include Constants
 
-    attr_accessor *META
-    attr_reader :browser, :ssl_request, :report_uri, :request_uri, :experimental
-
-    alias :disable_chrome_extension? :disable_chrome_extension
+    attr_reader :disable_fill_missing, :ssl_request
     alias :disable_fill_missing? :disable_fill_missing
     alias :ssl_request? :ssl_request
 
+    class << self
+      def generate_nonce
+        SecureRandom.base64(32).chomp
+      end
+
+      def set_nonce(controller, nonce = generate_nonce)
+        controller.instance_variable_set(:@content_security_policy_nonce, nonce)
+      end
+
+      def add_to_env(request, controller, config)
+        set_nonce(controller)
+        options = options_from_request(request).merge(:controller => controller)
+        request.env[Constants::ENV_KEY] = {
+          :config => config,
+          :options => options,
+        }
+      end
+
+      def options_from_request(request)
+        {
+          :ssl => request.ssl?,
+          :ua => request.env['HTTP_USER_AGENT'],
+          :request_uri => request_uri_from_request(request),
+        }
+      end
+
+      def request_uri_from_request(request)
+        if request.respond_to?(:original_url)
+          # rails 3.1+
+          request.original_url
+        else
+          # rails 2/3.0
+          request.url
+        end
+      end
+
+      def symbol_to_hyphen_case sym
+        sym.to_s.gsub('_', '-')
+      end
+    end
+
     # +options+ param contains
-    # :experimental use experimental block for config
+    # :controller used for setting instance variables for nonces/hashes
     # :ssl_request used to determine if http_additions should be used
-    # :request_uri used to determine if firefox should send the report directly
-    # or use the forwarding endpoint
     # :ua the user agent (or just use Firefox/Chrome/MSIE/etc)
     #
     # :report used to determine what :ssl_request, :ua, and :request_uri are set to
     def initialize(config=nil, options={})
-      @experimental = !!options.delete(:experimental)
-      if @experimental
-        warn "[DEPRECATION] 'experimental' config is removed in 2.0"
-      end
-      @controller = options.delete(:controller)
+      return unless config
 
       if options[:request]
-        parse_request(options[:request])
-      else
-        @ua = options[:ua]
-        # fails open, assumes http. Bad idea? Will always include http additions.
-        # could also fail if not supplied.
-        @ssl_request = !!options.delete(:ssl)
-        # a nil value here means we always assume we are not on the same host,
-        # which causes all FF csp reports to go through the forwarder
-        @request_uri = options.delete(:request_uri)
+        options = options.merge(self.class.options_from_request(options[:request]))
       end
 
-      configure(config) if config
-    end
+      @controller = options[:controller]
+      @ua = options[:ua]
+      @ssl_request = !!options.delete(:ssl)
+      @request_uri = options.delete(:request_uri)
 
-    def nonce
-      @nonce ||= SecureRandom.base64(32).chomp
-    end
+      # Config values can be string, array, or lamdba values
+      @config = config.inject({}) do |hash, (key, value)|
+        config_val = value.respond_to?(:call) ? value.call : value
 
-    def configure(config)
-      @config = config.dup
+        if ALL_DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
+          config_val = config_val.split if config_val.is_a? String
+          if config_val.is_a?(Array)
+            config_val = config_val.map do |val|
+              translate_dir_value(val)
+            end.flatten.uniq
+          end
+        end
 
-      experimental_config = @config.delete(:experimental)
-      if @experimental && experimental_config
-        @config[:http_additions] = experimental_config[:http_additions]
-        @config.merge!(experimental_config)
+        hash[key] = config_val
+        hash
       end
 
-      # these values don't support lambdas because this needs to be rewritten
       @http_additions = @config.delete(:http_additions)
       @app_name = @config.delete(:app_name)
+      @report_uri = @config.delete(:report_uri)
 
-      normalize_csp_options
-
-      META.each do |meta|
-        self.send("#{meta}=", @config.delete(meta))
-      end
-
+      @disable_fill_missing = !!@config.delete(:disable_fill_missing)
       @enforce = !!@config.delete(:enforce)
-      @tag_report_uri = @config.delete(:tag_report_uri)
+      @tag_report_uri = !!@config.delete(:tag_report_uri)
+      @script_hashes = @config.delete(:script_hashes) || []
 
-      normalize_reporting_endpoint
+      add_script_hashes if @script_hashes.any?
       fill_directives unless disable_fill_missing?
     end
 
+    ##
+    # Return or initialize the nonce value used for this header.
+    # If a reference to a controller is passed in the config, this method
+    # will check if a nonce has already been set and use it.
+    def nonce
+      @nonce ||= @controller.instance_variable_get(:@content_security_policy_nonce) || self.class.generate_nonce
+    end
+
+    ##
+    # Returns the name to use for the header. Either "Content-Security-Policy" or
+    # "Content-Security-Policy-Report-Only"
     def name
-      base = STANDARD_HEADER_NAME
-      if !@enforce || experimental
+      base = HEADER_NAME
+      if !@enforce
         base += "-Report-Only"
       end
       base
     end
 
+    ##
+    # Return the value of the CSP header
     def value
       return @config if @config.is_a?(String)
       if @config
@@ -99,26 +160,28 @@ module SecureHeaders
 
     private
 
+    def add_script_hashes
+      @config[:script_src] << @script_hashes.map {|hash| "'#{hash}'"} << ["'unsafe-inline'"]
+    end
+
     def build_value
       raise "Expected to find default_src directive value" unless @config[:default_src]
       append_http_additions unless ssl_request?
       header_value = [
-        generic_directives(@config),
+        generic_directives,
+        non_default_directives,
         report_uri_directive
       ].join.strip
-    rescue StandardError => e
-      raise ContentSecurityPolicyBuildError.new("Couldn't build CSP header :( #{e}")
     end
 
     def fill_directives
-      return unless @config[:default_src]
-      default = @config[:default_src]
-      DIRECTIVES.each do |directive|
-        unless @config[directive]
-          @config[directive] = default
+      if default = @config[:default_src]
+        DIRECTIVES.each do |directive|
+          unless @config[directive]
+            @config[directive] = default
+          end
         end
       end
-      @config
     end
 
     def append_http_additions
@@ -129,75 +192,20 @@ module SecureHeaders
       end
     end
 
-    def normalize_csp_options
-      @config = @config.inject({}) do |hash, (key, value)|
-        # lambdas
-        config_val = value.respond_to?(:call) ? value.call : value
-        # space-delimeted strings
-        config_val = config_val.split if config_val.is_a? String
-        # array of strings
-        if config_val.respond_to?(:map) #skip booleans
-          config_val = config_val.map do |val|
-            translate_dir_value(val)
-          end.flatten.uniq
-        end
-
-        hash[key] = config_val
-        hash
-      end
-
-      @report_uri = @config.delete(:report_uri).join(" ") if @config[:report_uri]
-    end
-
-    # translates 'inline','self', 'none' and 'eval' to their respective impl-specific values.
     def translate_dir_value val
       if %w{inline eval}.include?(val)
         val == 'inline' ? "'unsafe-inline'" : "'unsafe-eval'"
-        # self/none are special sources/src-dir-values and need to be quoted in chrome
+        # self/none are special sources/src-dir-values and need to be quoted
       elsif %{self none}.include?(val)
         "'#{val}'"
       elsif val == 'nonce'
-        @controller.instance_variable_set(:@content_security_policy_nonce, nonce)
+        self.class.set_nonce(@controller, nonce)
         ["'nonce-#{nonce}'", "'unsafe-inline'"]
       else
         val
       end
     end
 
-    # if we have a forwarding endpoint setup and we are not on the same origin as our report_uri
-    # or only a path was supplied (in which case we assume cross-host)
-    # we need to forward the request for Firefox.
-    def normalize_reporting_endpoint
-      if @ua && @ua =~ /Firefox/
-        if same_origin? || report_uri.nil? || URI.parse(report_uri).host.nil?
-          return
-        end
-
-        if forward_endpoint
-          warn "[DEPRECATION] forwarder is removed in 2.0"
-          @report_uri = FF_CSP_ENDPOINT
-        end
-      end
-
-      if @tag_report_uri
-        @report_uri = "#{@report_uri}?enforce=#{@enforce}"
-        @report_uri += "&app_name=#{@app_name}" if @app_name
-      end
-    end
-
-    def same_origin?
-      return unless report_uri && request_uri
-
-      begin
-        origin = URI.parse(request_uri)
-        uri = URI.parse(report_uri)
-      rescue URI::InvalidURIError
-        return false
-      end
-
-      uri.host == origin.host && origin.port == uri.port && origin.scheme == uri.scheme
-    end
-
     def report_uri_directive
       return '' if @report_uri.nil?
 
@@ -209,44 +217,40 @@ module SecureHeaders
                       end
       end
 
+      if @tag_report_uri
+        @report_uri = "#{@report_uri}?enforce=#{@enforce}"
+        @report_uri += "&app_name=#{@app_name}" if @app_name
+      end
+
       "report-uri #{@report_uri};"
     end
 
-    def generic_directives(config)
+    def generic_directives
       header_value = ''
-      if config[:img_src]
-        config[:img_src] = config[:img_src] + ['data:'] unless config[:img_src].include?('data:')
+      if @config[:img_src]
+        @config[:img_src] = @config[:img_src] + ['data:'] unless @config[:img_src].include?('data:')
       else
-        config[:img_src] = config[:default_src] + ['data:']
+        @config[:img_src] = @config[:default_src] + ['data:']
       end
 
-      header_value = build_directive(:default_src)
-      config.keys.sort_by{|k| k.to_s}.each do |k| # ensure consistent ordering
-        header_value += build_directive(k)
+      DIRECTIVES.each do |directive_name|
+        header_value += build_directive(directive_name) if @config[directive_name]
       end
 
       header_value
     end
 
-    # build and deletes the directive
-    def build_directive(key)
-      "#{symbol_to_hyphen_case(key)} #{@config.delete(key).join(" ")}; "
-    end
+    def non_default_directives
+      header_value = ''
+      NON_DEFAULT_SOURCES.each do |directive_name|
+        header_value += build_directive(directive_name) if @config[directive_name]
+      end
 
-    def symbol_to_hyphen_case sym
-      sym.to_s.gsub('_', '-')
+      header_value
     end
 
-    def parse_request request
-      @ssl_request = request.ssl?
-      @ua = request.env['HTTP_USER_AGENT']
-      @request_uri = if request.respond_to?(:original_url)
-        # rails 3.1+
-        request.original_url
-      else
-        # rails 2/3.0
-        request.url
-      end
+    def build_directive(key)
+      "#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
     end
   end
 end

data/lib/secure_headers/railtie.rb

@@ -16,26 +16,4 @@ else
       include ::SecureHeaders
     end
   end
-
-  module SecureHeaders
-    module Routing
-      module MapperExtensions
-        def csp_endpoint
-          @set.add_route(ContentSecurityPolicy::FF_CSP_ENDPOINT, {:controller => "content_security_policy", :action => "scribe"})
-        end
-      end
-    end
-  end
-
-  if defined?(ActiveSupport::Dependencies)
-    if ActiveSupport::Dependencies.autoload_paths
-      ActiveSupport::Dependencies.autoload_paths << File.expand_path(File.join("..", "..", "..", "app", "controllers"), __FILE__)
-    else
-      ActiveSupport::Dependencies.autoload_paths = [File.expand_path(File.join("..", "..", "..", "app", "controllers"), __FILE__)]
-    end
-  end
-
-  if defined? ActionController::Routing
-    ActionController::Routing::RouteSet::Mapper.send :include, ::SecureHeaders::Routing::MapperExtensions
-  end
 end

data/lib/secure_headers/version.rb

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "1.4.1"
+  VERSION = "2.0.0.pre"
 end

data/lib/secure_headers/view_helper.rb

@@ -0,0 +1,68 @@
+module SecureHeaders
+  class UnexpectedHashedScriptException < StandardError
+
+  end
+
+  module ViewHelpers
+    include SecureHeaders::HashHelper
+    SECURE_HEADERS_RAKE_TASK = "rake secure_headers:generate_hashes"
+
+    def nonced_style_tag(content = nil, &block)
+      nonced_tag(content, :style, block)
+    end
+
+    def nonced_javascript_tag(content = nil, &block)
+      nonced_tag(content, :script, block)
+    end
+
+    def hashed_javascript_tag(raise_error_on_unrecognized_hash = false, &block)
+      content = capture(&block)
+
+      if ['development', 'test'].include?(ENV["RAILS_ENV"])
+        hash_value = hash_source(content)
+        file_path = File.join('app', 'views', self.instance_variable_get(:@virtual_path) + '.html.erb')
+        script_hashes = controller.instance_variable_get(:@script_hashes)[file_path]
+        unless script_hashes && script_hashes.include?(hash_value)
+          message = unexpected_hash_error_message(file_path, hash_value, content)
+          if raise_error_on_unrecognized_hash
+            raise UnexpectedHashedScriptException.new(message)
+          else
+            puts message
+            request.env[HASHES_ENV_KEY] = (request.env[HASHES_ENV_KEY] || []) << hash_value
+          end
+        end
+      end
+
+      content_tag :script, content
+    end
+
+    private
+
+    def nonced_tag(content, type, block)
+      content = if block
+        capture(&block)
+      else
+        content.html_safe # :'(
+      end
+
+      content_tag type, content, :nonce => @content_security_policy_nonce
+    end
+
+    def unexpected_hash_error_message(file_path, hash_value, content)
+      <<-EOF
+\n\n*** WARNING: Unrecognized hash in #{file_path}!!! Value: #{hash_value} ***
+<script>#{content}</script>
+*** This is fine in dev/test, but will raise exceptions in production. ***
+*** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/script_hashes.yml:***
+#{file_path}:
+- #{hash_value}\n\n
+      EOF
+    end
+  end
+end
+
+module ActionView #:nodoc:
+  module Helpers #:nodoc:
+    include SecureHeaders::ViewHelpers
+  end
+end

data/lib/secure_headers.rb

@@ -1,11 +1,17 @@
 module SecureHeaders
+  SCRIPT_HASH_CONFIG_FILE = 'config/script_hashes.yml'
+  HASHES_ENV_KEY = 'secure_headers.script_hashes'
+
   module Configuration
     class << self
       attr_accessor :hsts, :x_frame_options, :x_content_type_options,
-        :x_xss_protection, :csp, :x_download_options
+        :x_xss_protection, :csp, :x_download_options, :script_hashes
 
       def configure &block
         instance_eval &block
+        if File.exists?(SCRIPT_HASH_CONFIG_FILE)
+          ::SecureHeaders::Configuration.script_hashes = YAML.load(File.open(SCRIPT_HASH_CONFIG_FILE))
+        end
       end
     end
   end
@@ -33,6 +39,7 @@ module SecureHeaders
 
     def ensure_security_headers options = {}
       self.secure_headers_options = options
+      before_filter :prep_script_hash
       before_filter :set_hsts_header
       before_filter :set_x_frame_options_header
       before_filter :set_csp_header
@@ -49,7 +56,6 @@ module SecureHeaders
   end
 
   module InstanceMethods
-    # Re-added for backwards compat.
     def set_security_headers(options = self.class.secure_headers_options)
       set_csp_header(request, options[:csp])
       set_hsts_header(options[:hsts])
@@ -59,28 +65,54 @@ module SecureHeaders
       set_x_download_options_header(options[:x_download_options])
     end
 
-    # backwards compatibility jank, to be removed in 1.0. Old API required a request
-    # object when it didn't really need to.
     # set_csp_header - uses the request accessor and SecureHeader::Configuration settings
     # set_csp_header(+Rack::Request+) - uses the parameter and and SecureHeader::Configuration settings
     # set_csp_header(+Hash+) - uses the request accessor and options from parameters
     # set_csp_header(+Rack::Request+, +Hash+)
-    def set_csp_header(req = nil, options=nil)
-      # hack to help generating headers statically
-      if req.is_a?(Hash)
-        options = req
+    def set_csp_header(req = nil, config=nil)
+      if req.is_a?(Hash) || req.is_a?(FalseClass)
+        config = req
       end
 
-      options = self.class.secure_headers_options[:csp] if options.nil?
-      options = self.class.options_for :csp, options
+      config = self.class.secure_headers_options[:csp] if config.nil?
+      config = self.class.options_for :csp, config
 
-      return if options == false
+      return if config == false
+
+      if config && config[:script_hash_middleware]
+        ContentSecurityPolicy.add_to_env(request, self, config)
+      else
+        csp_header = ContentSecurityPolicy.new(config, :request => request, :controller => self)
+        set_header(csp_header)
+      end
+    end
+
+
+    def prep_script_hash
+      if ::SecureHeaders::Configuration.script_hashes
+        @script_hashes = ::SecureHeaders::Configuration.script_hashes.dup
+        ActiveSupport::Notifications.subscribe("render_partial.action_view") do |event_name, start_at, end_at, id, payload|
+          save_hash_for_later payload
+        end
 
-      csp_header = ContentSecurityPolicy.new(options, :request => request, :controller => self)
-      set_header(csp_header)
-      if options && options[:experimental] && options[:enforce]
-        experimental_header = ContentSecurityPolicy.new(options, :experimental => true, :request => request, :controller => self)
-        set_header(experimental_header)
+        ActiveSupport::Notifications.subscribe("render_template.action_view") do |event_name, start_at, end_at, id, payload|
+          save_hash_for_later payload
+        end
+      end
+    end
+
+    def save_hash_for_later payload
+      matching_hashes = @script_hashes[payload[:identifier].gsub(Rails.root.to_s + "/", "")] || []
+
+      if payload[:layout]
+        # We're assuming an html.erb layout for now. Will need to handle mustache too, just not sure of the best way to do this
+        layout_hashes = @script_hashes[File.join("app", "views", payload[:layout]) + '.html.erb']
+
+        matching_hashes << layout_hashes if layout_hashes
+      end
+
+      if matching_hashes.any?
+        request.env[HASHES_ENV_KEY] = ((request.env[HASHES_ENV_KEY] || []) << matching_hashes).flatten
       end
     end
 
@@ -126,7 +158,7 @@ module SecureHeaders
   end
 end
 
-require "securerandom"
+
 require "secure_headers/version"
 require "secure_headers/header"
 require "secure_headers/headers/content_security_policy"
@@ -136,3 +168,5 @@ require "secure_headers/headers/x_xss_protection"
 require "secure_headers/headers/x_content_type_options"
 require "secure_headers/headers/x_download_options"
 require "secure_headers/railtie"
+require "secure_headers/hash_helper"
+require "secure_headers/view_helper"

data/lib/tasks/tasks.rake

@@ -0,0 +1,48 @@
+INLINE_SCRIPT_REGEX = /(<script(\s*(?!src)([\w\-])+=([\"\'])[^\"\']+\4)*\s*>)(.*?)<\/script>/mx
+INLINE_HASH_HELPER_REGEX = /<%=\s?hashed_javascript_tag(.*?)\s+do\s?%>(.*?)<%\s*end\s*%>/mx
+SCRIPT_HASH_CONFIG_FILE = 'config/script_hashes.yml'
+
+namespace :secure_headers do
+  include SecureHeaders::HashHelper
+
+  def is_erb?(filename)
+    filename =~ /\.erb\Z/
+  end
+
+  def generate_inline_script_hashes(filename)
+    file = File.read(filename)
+    hashes = []
+
+    [INLINE_SCRIPT_REGEX, INLINE_HASH_HELPER_REGEX].each do |regex|
+      file.gsub(regex) do # TODO don't use gsub
+        inline_script = Regexp.last_match.captures.last
+        if (filename =~ /\.mustache\Z/ && inline_script =~ /\{\{.*\}\}/) || (is_erb?(filename) && inline_script =~ /<%.*%>/)
+          puts "Looks like there's some dynamic content inside of a script tag :-/"
+          puts "That pretty much means the hash value will never match."
+          puts "Code: " + inline_script
+          puts "=" * 20
+        end
+
+        hashes << hash_source(inline_script)
+      end
+    end
+
+    hashes
+  end
+
+  task :generate_hashes do |t, args|
+    script_hashes = {}
+    Dir.glob("app/{views,templates}/**/*.{erb,mustache}") do |filename|
+      hashes = generate_inline_script_hashes(filename)
+      if hashes.any?
+        script_hashes[filename] = hashes
+      end
+    end
+
+    File.open(SCRIPT_HASH_CONFIG_FILE, 'w') do |file|
+      file.write(script_hashes.to_yaml)
+    end
+
+    puts "Script hashes from " + script_hashes.keys.size.to_s + " files added to #{SCRIPT_HASH_CONFIG_FILE}"
+  end
+end