secure_headers 1.4.1 → 2.0.0.pre



Files changed (32)
  1. checksums.yaml +7 -0
  2. data/.gitignore +4 -8
  3. data/Gemfile +2 -2
  4. data/Guardfile +8 -0
  5. data/README.md +102 -48
  6. data/Rakefile +0 -116
  7. data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -1
  8. data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
  9. data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -1
  10. data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
  11. data/fixtures/rails_3_2_12/config.ru +3 -0
  12. data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +50 -18
  13. data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +1 -1
  14. data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
  15. data/lib/secure_headers/hash_helper.rb +7 -0
  16. data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
  17. data/lib/secure_headers/headers/content_security_policy.rb +141 -137
  18. data/lib/secure_headers/railtie.rb +0 -22
  19. data/lib/secure_headers/version.rb +1 -1
  20. data/lib/secure_headers/view_helper.rb +68 -0
  21. data/lib/secure_headers.rb +51 -17
  22. data/lib/tasks/tasks.rake +48 -0
  23. data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
  24. data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +83 -208
  25. data/spec/lib/secure_headers_spec.rb +16 -62
  26. data/spec/spec_helper.rb +25 -1
  27. metadata +22 -24
  28. data/HISTORY.md +0 -162
  29. data/app/controllers/content_security_policy_controller.rb +0 -76
  30. data/config/curl-ca-bundle.crt +0 -5420
  31. data/config/routes.rb +0 -3
  32. data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
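--- a/data/config/routes.rb
+++ b/data/config/routes.rb
@@ -1,3 +0,0 @@
-Rails.application.routes.draw do
-post SecureHeaders::ContentSecurityPolicy::FF_CSP_ENDPOINT => "content_security_policy#scribe"
-end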
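--- a/data/spec/controllers/content_security_policy_controller_spec.rb
+++ b/data/spec/controllers/content_security_policy_controller_spec.rb
@@ -1,90 +0,0 @@
-require 'spec_helper'
-
-describe ContentSecurityPolicyController do
-let(:params) {
-{
-"csp-report" => {
-"document-uri" => "http://localhost:3001/csp","violated-directive" => "script-src 'none'",
-"original-policy" => "default-src https://* 'unsafe-eval'; frame-src 'self'; img-src https://*; report-uri http://localhost:3001/scribes/csp_report; script-src 'none'; style-src 'unsafe-inline' 'self';",
-"blocked-uri" => "http://localhost:3001/stuff.js"
-}
-}
-}
-
-class FakeRequest
-def user_agent
-"Foo"
-end
-def env
-{"HTTP_X_FORWARDED_FOR" => ""}
-end
-def remote_ip
-"123.12.45.67"
-end
-def content_type
-"application/json"
-end
-end
-
-describe "#csp" do
-let(:request) { double().as_null_object }
-let(:endpoint) { "https://example.com" }
-let(:secondary_endpoint) { "https://internal.example.com" }
-
-before(:each) do
-allow(SecureHeaders::Configuration).to receive(:csp).and_return({:report_uri => endpoint, :forward_endpoint => secondary_endpoint})
-expect(subject).to receive :head
-allow(subject).to receive(:params).and_return(params)
-allow(subject).to receive(:request).and_return(FakeRequest.new)
-allow_any_instance_of(Net::HTTP).to receive(:request)
-end
-
-context "delivery endpoint" do
-it "posts over ssl" do
-expect(subject).to receive(:use_ssl)
-subject.scribe
-end
-
-it "posts over plain http" do
-allow(SecureHeaders::Configuration).to receive(:csp).and_return(:report_uri => 'http://example.com')
-expect(subject).not_to receive(:use_ssl)
-subject.scribe
-end
-end
-
-it "makes a POST request" do
-allow(Net::HTTP).to receive(:new).and_return(request)
-expect(request).to receive(:request).with(instance_of(::Net::HTTP::Post))
-allow(params).to receive(:to_json)
-subject.scribe
-end
-
-it "POSTs to the configured forward_endpoint" do
-expect(Net::HTTP::Post).to receive(:new).with(secondary_endpoint).and_return(request)
-subject.scribe
-end
-
-it "does not POST if there is no forwarder configured" do
-allow(SecureHeaders::Configuration).to receive(:csp).and_return({})
-expect(Net::HTTP::Post).not_to receive(:new)
-subject.scribe
-end
-
-it "eliminates known phony CSP reports" do
-allow(SecureHeaders::Configuration).to receive(:csp).and_return(:report_uri => nil)
-expect(Net::HTTP::Post).not_to receive :new
-subject.scribe
-end
-
-it "logs errors when it cannot forward the CSP report" do
-class Rails; def logger; end; end
-logger = double(:repond_to? => true)
-allow(Rails).to receive(:logger).and_return(logger)
-
-allow(SecureHeaders::Configuration).to receive(:csp).and_raise(StandardError)
-
-expect(logger).to receive(:warn)
-subject.scribe
-end
-end
-end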