secure_headers 1.4.1 → 2.0.0.pre
Potentially problematic release.
- checksums.yaml +7 -0
- data/.gitignore +4 -8
- data/Gemfile +2 -2
- data/Guardfile +8 -0
- data/README.md +102 -48
- data/Rakefile +0 -116
- data/fixtures/rails_3_2_12/app/views/layouts/application.html.erb +1 -1
- data/fixtures/rails_3_2_12/app/views/other_things/index.html.erb +2 -1
- data/fixtures/rails_3_2_12/config/initializers/secure_headers.rb +1 -1
- data/fixtures/rails_3_2_12/config/script_hashes.yml +5 -0
- data/fixtures/rails_3_2_12/config.ru +3 -0
- data/fixtures/rails_3_2_12/spec/controllers/other_things_controller_spec.rb +50 -18
- data/fixtures/rails_3_2_12/spec/controllers/things_controller_spec.rb +1 -1
- data/fixtures/rails_3_2_12_no_init/app/controllers/other_things_controller.rb +1 -2
- data/lib/secure_headers/hash_helper.rb +7 -0
- data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb +22 -0
- data/lib/secure_headers/headers/content_security_policy.rb +141 -137
- data/lib/secure_headers/railtie.rb +0 -22
- data/lib/secure_headers/version.rb +1 -1
- data/lib/secure_headers/view_helper.rb +68 -0
- data/lib/secure_headers.rb +51 -17
- data/lib/tasks/tasks.rake +48 -0
- data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +47 -0
- data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +83 -208
- data/spec/lib/secure_headers_spec.rb +16 -62
- data/spec/spec_helper.rb +25 -1
- metadata +22 -24
- data/HISTORY.md +0 -162
- data/app/controllers/content_security_policy_controller.rb +0 -76
- data/config/curl-ca-bundle.crt +0 -5420
- data/config/routes.rb +0 -3
- data/spec/controllers/content_security_policy_controller_spec.rb +0 -90
    
        data/config/routes.rb
    DELETED
    
    
| @@ -1,90 +0,0 @@ | |
| 1 | 
            -
            require 'spec_helper'
         | 
| 2 | 
            -
             | 
| 3 | 
            -
            describe ContentSecurityPolicyController do
         | 
| 4 | 
            -
              let(:params) {
         | 
| 5 | 
            -
                {
         | 
| 6 | 
            -
                  "csp-report" => {
         | 
| 7 | 
            -
                    "document-uri" => "http://localhost:3001/csp","violated-directive" => "script-src 'none'",
         | 
| 8 | 
            -
                    "original-policy" => "default-src https://* 'unsafe-eval'; frame-src 'self'; img-src https://*; report-uri http://localhost:3001/scribes/csp_report; script-src 'none'; style-src 'unsafe-inline' 'self';",
         | 
| 9 | 
            -
                    "blocked-uri" => "http://localhost:3001/stuff.js"
         | 
| 10 | 
            -
                  }
         | 
| 11 | 
            -
                }
         | 
| 12 | 
            -
              }
         | 
| 13 | 
            -
             | 
| 14 | 
            -
              class FakeRequest
         | 
| 15 | 
            -
                def user_agent
         | 
| 16 | 
            -
                  "Foo"
         | 
| 17 | 
            -
                end
         | 
| 18 | 
            -
                def env
         | 
| 19 | 
            -
                  {"HTTP_X_FORWARDED_FOR" => ""}
         | 
| 20 | 
            -
                end
         | 
| 21 | 
            -
                def remote_ip
         | 
| 22 | 
            -
                  "123.12.45.67"
         | 
| 23 | 
            -
                end
         | 
| 24 | 
            -
                def content_type
         | 
| 25 | 
            -
                  "application/json"
         | 
| 26 | 
            -
                end
         | 
| 27 | 
            -
              end
         | 
| 28 | 
            -
             | 
| 29 | 
            -
              describe "#csp" do
         | 
| 30 | 
            -
                let(:request) { double().as_null_object }
         | 
| 31 | 
            -
                let(:endpoint) { "https://example.com" }
         | 
| 32 | 
            -
                let(:secondary_endpoint) { "https://internal.example.com" }
         | 
| 33 | 
            -
             | 
| 34 | 
            -
                before(:each) do
         | 
| 35 | 
            -
                  allow(SecureHeaders::Configuration).to receive(:csp).and_return({:report_uri => endpoint, :forward_endpoint => secondary_endpoint})
         | 
| 36 | 
            -
                  expect(subject).to receive :head
         | 
| 37 | 
            -
                  allow(subject).to receive(:params).and_return(params)
         | 
| 38 | 
            -
                  allow(subject).to receive(:request).and_return(FakeRequest.new)
         | 
| 39 | 
            -
                  allow_any_instance_of(Net::HTTP).to receive(:request)
         | 
| 40 | 
            -
                end
         | 
| 41 | 
            -
             | 
| 42 | 
            -
                context "delivery endpoint" do
         | 
| 43 | 
            -
                  it "posts over ssl" do
         | 
| 44 | 
            -
                    expect(subject).to receive(:use_ssl)
         | 
| 45 | 
            -
                    subject.scribe
         | 
| 46 | 
            -
                  end
         | 
| 47 | 
            -
             | 
| 48 | 
            -
                  it "posts over plain http" do
         | 
| 49 | 
            -
                    allow(SecureHeaders::Configuration).to receive(:csp).and_return(:report_uri => 'http://example.com')
         | 
| 50 | 
            -
                    expect(subject).not_to receive(:use_ssl)
         | 
| 51 | 
            -
                    subject.scribe
         | 
| 52 | 
            -
                  end
         | 
| 53 | 
            -
                end
         | 
| 54 | 
            -
             | 
| 55 | 
            -
                it "makes a POST request" do
         | 
| 56 | 
            -
                  allow(Net::HTTP).to receive(:new).and_return(request)
         | 
| 57 | 
            -
                  expect(request).to receive(:request).with(instance_of(::Net::HTTP::Post))
         | 
| 58 | 
            -
                  allow(params).to receive(:to_json)
         | 
| 59 | 
            -
                  subject.scribe
         | 
| 60 | 
            -
                end
         | 
| 61 | 
            -
             | 
| 62 | 
            -
                it "POSTs to the configured forward_endpoint" do
         | 
| 63 | 
            -
                  expect(Net::HTTP::Post).to receive(:new).with(secondary_endpoint).and_return(request)
         | 
| 64 | 
            -
                  subject.scribe
         | 
| 65 | 
            -
                end
         | 
| 66 | 
            -
             | 
| 67 | 
            -
                it "does not POST if there is no forwarder configured" do
         | 
| 68 | 
            -
                  allow(SecureHeaders::Configuration).to receive(:csp).and_return({})
         | 
| 69 | 
            -
                  expect(Net::HTTP::Post).not_to receive(:new)
         | 
| 70 | 
            -
                  subject.scribe
         | 
| 71 | 
            -
                end
         | 
| 72 | 
            -
             | 
| 73 | 
            -
                it "eliminates known phony CSP reports" do
         | 
| 74 | 
            -
                  allow(SecureHeaders::Configuration).to receive(:csp).and_return(:report_uri => nil)
         | 
| 75 | 
            -
                  expect(Net::HTTP::Post).not_to receive :new
         | 
| 76 | 
            -
                  subject.scribe
         | 
| 77 | 
            -
                end
         | 
| 78 | 
            -
             | 
| 79 | 
            -
                it "logs errors when it cannot forward the CSP report" do
         | 
| 80 | 
            -
                  class Rails; def logger; end; end
         | 
| 81 | 
            -
                  logger = double(:repond_to? => true)
         | 
| 82 | 
            -
                  allow(Rails).to receive(:logger).and_return(logger)
         | 
| 83 | 
            -
             | 
| 84 | 
            -
                  allow(SecureHeaders::Configuration).to receive(:csp).and_raise(StandardError)
         | 
| 85 | 
            -
             | 
| 86 | 
            -
                  expect(logger).to receive(:warn)
         | 
| 87 | 
            -
                  subject.scribe
         | 
| 88 | 
            -
                end
         | 
| 89 | 
            -
              end
         | 
| 90 | 
            -
            end
         |