RubyGems - secure_headers - Versions diffs - 2.4.0 → 2.4.1 - Mend

secure_headers 2.4.0 → 2.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (9) hide show

checksums.yaml +4 -4
data/README.md +2 -1
data/lib/secure_headers/headers/content_security_policy.rb +111 -48
data/lib/secure_headers/version.rb +1 -1
data/lib/secure_headers/view_helper.rb +0 -1
data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +0 -1
data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +26 -4
data/spec/lib/secure_headers_spec.rb +2 -2
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bdc7e4cc47367102f2318244051b544e4bc5d611
-  data.tar.gz: f4bb9651462b15c056ab9720a0c079283e9c2462
+  metadata.gz: 333c51c1bbbed7415696fa0e8fd7e3147ddcf542
+  data.tar.gz: 798eae0a9dc303a0c72c946e74aa76a2f36e229c
 SHA512:
-  metadata.gz: 888729b84ba1eb266c25c3bbc218c270f9e262bcbf490363a2daad6202803f4ba71a21f59c1a36e816a06c01ab8d28126ba81e05ae4f37ac36a53ee670af8420
-  data.tar.gz: 26640f0a917396faf083eaff557316d4a376e6956ae95915cfb5c815de3269a6ec5cb9a9f6a7684d871d8ff634dc586bb6a6a20dd79ece6cee034d5ec8f20648
+  metadata.gz: 80224aff2b4a8230de68b0338dd5ca4ef19c56b929fe59693d3f01395f7b4c3cab57170b389044dacd0745e43d07cf98951f13de48d646cc17cf8a40befe4d90
+  data.tar.gz: 7f663e76802e8c2282908eb2eefce7a040cf9f5c04da49b825bd147854879a900577f22f9a8e918a973d3019e840e95d08aec6eaeeb3836c6233fb0db0dd8982

data/README.md CHANGED Viewed

@@ -61,6 +61,7 @@ The following methods are going to be called, unless they are provided in a `ski
     :form_action => "'self' github.com",
     :frame_ancestors => "'none'",
     :plugin_types => 'application/x-shockwave-flash',
+    :block_all_mixed_content => '' # see [http://www.w3.org/TR/mixed-content/]()
     :report_uri => '//example.com/uri-directive'
   }
   config.hpkp = {
@@ -99,7 +100,7 @@ Sometimes you need to override your content security policy for a given endpoint
 1. Override the `secure_header_options_for` class instance method. e.g.
 ```ruby
-class SomethingController < ApplicationController
+class SomethingController < ApplicationController
   def wumbus
     # gets style-src override
   end

data/lib/secure_headers/headers/content_security_policy.rb CHANGED Viewed

@@ -11,7 +11,8 @@ module SecureHeaders
       DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https: about: javascript:; img-src data:"
       HEADER_NAME = "Content-Security-Policy"
       ENV_KEY = 'secure_headers.content_security_policy'
-      DIRECTIVES = [
+      DIRECTIVES_1_0 = [
         :default_src,
         :connect_src,
         :font_src,
@@ -19,20 +20,53 @@ module SecureHeaders
         :img_src,
         :media_src,
         :object_src,
+        :sandbox,
         :script_src,
         :style_src,
+        :report_uri
+      ].freeze
+      DIRECTIVES_2_0 = [
+        DIRECTIVES_1_0,
         :base_uri,
         :child_src,
         :form_action,
         :frame_ancestors,
         :plugin_types
-      ]
+      ].flatten.freeze
-      OTHER = [
-        :report_uri
-      ]
-      ALL_DIRECTIVES = DIRECTIVES + OTHER
+      # All the directives currently under consideration for CSP level 3.
+      # https://w3c.github.io/webappsec/specs/CSP2/
+      DIRECTIVES_3_0 = [
+        DIRECTIVES_2_0,
+        :manifest_src,
+        :reflected_xss
+      ].flatten.freeze
+      # All the directives that are not currently in a formal spec, but have
+      # been implemented somewhere.
+      DIRECTIVES_DRAFT = [
+        :block_all_mixed_content,
+      ].freeze
+      SAFARI_DIRECTIVES = DIRECTIVES_1_0
+      FIREFOX_UNSUPPORTED_DIRECTIVES = [
+        :block_all_mixed_content,
+        :child_src,
+        :plugin_types
+      ].freeze
+      FIREFOX_DIRECTIVES = (
+        DIRECTIVES_2_0 - FIREFOX_UNSUPPORTED_DIRECTIVES
+      ).freeze
+      CHROME_DIRECTIVES = (
+        DIRECTIVES_2_0 + DIRECTIVES_DRAFT
+      ).freeze
+      ALL_DIRECTIVES = [DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_DRAFT].flatten.uniq.sort
       CONFIG_KEY = :csp
     end
@@ -99,33 +133,55 @@ module SecureHeaders
       @ua = options[:ua]
       @ssl_request = !!options.delete(:ssl)
       @request_uri = options.delete(:request_uri)
+      @http_additions = config.delete(:http_additions)
+      @disable_img_src_data_uri = !!config.delete(:disable_img_src_data_uri)
+      @tag_report_uri = !!config.delete(:tag_report_uri)
+      @script_hashes = config.delete(:script_hashes) || []
+      @app_name = config.delete(:app_name)
+      @app_name = @app_name.call(@controller) if @app_name.respond_to?(:call)
+      @enforce = config.delete(:enforce)
+      @enforce = @enforce.call(@controller) if @enforce.respond_to?(:call)
+      @enforce = !!@enforce
       # Config values can be string, array, or lamdba values
       @config = config.inject({}) do |hash, (key, value)|
         config_val = value.respond_to?(:call) ? value.call(@controller) : value
-        if DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
+        if ALL_DIRECTIVES.include?(key.to_sym) # directives need to be normalized to arrays of strings
           config_val = config_val.split if config_val.is_a? String
           if config_val.is_a?(Array)
             config_val = config_val.map do |val|
               translate_dir_value(val)
             end.flatten.uniq
           end
+        elsif key != :script_hash_middleware
+          raise ArgumentError.new("Unknown directive supplied: #{key}")
         end
         hash[key] = config_val
         hash
       end
-      @http_additions = @config.delete(:http_additions)
-      @app_name = @config.delete(:app_name)
-      @report_uri = @config.delete(:report_uri)
-      @enforce = !!@config.delete(:enforce)
-      @disable_img_src_data_uri = !!@config.delete(:disable_img_src_data_uri)
-      @tag_report_uri = !!@config.delete(:tag_report_uri)
-      @script_hashes = @config.delete(:script_hashes) || []
+      # normalize and tag the report-uri
+      if @config[:report_uri]
+        @config[:report_uri] = @config[:report_uri].map do |report_uri|
+          if report_uri.start_with?('//')
+            report_uri = if @ssl_request
+                           "https:" + report_uri
+                         else
+                           "http:" + report_uri
+                         end
+          end
+          if @tag_report_uri
+            report_uri = "#{report_uri}?enforce=#{@enforce}"
+            report_uri += "&app_name=#{@app_name}" if @app_name
+          end
+          report_uri
+        end
+      end
       add_script_hashes if @script_hashes.any?
+      strip_unsupported_directives
     end
     ##
@@ -160,13 +216,20 @@ module SecureHeaders
     def to_json
       build_value
-      @config.to_json.gsub(/(\w+)_src/, "\\1-src")
+      @config.inject({}) do |hash, (key, value)|
+        if ALL_DIRECTIVES.include?(key)
+          hash[key.to_s.gsub(/(\w+)_(\w+)/, "\\1-\\2")] = value
+        end
+        hash
+      end.to_json
     end
     def self.from_json(*json_configs)
       json_configs.inject({}) do |combined_config, one_config|
-        one_config = one_config.gsub(/(\w+)-src/, "\\1_src")
-        config = JSON.parse(one_config, :symbolize_names => true)
+        config = JSON.parse(one_config).inject({}) do |hash, (key, value)|
+          hash[key.gsub(/(\w+)-(\w+)/, "\\1_\\2").to_sym] = value
+          hash
+        end
         combined_config.merge(config) do |_, lhs, rhs|
           lhs | rhs
         end
@@ -182,10 +245,7 @@ module SecureHeaders
     def build_value
       raise "Expected to find default_src directive value" unless @config[:default_src]
       append_http_additions unless ssl_request?
-      header_value = [
-        generic_directives,
-        report_uri_directive
-      ].join.strip
+      generic_directives
     end
     def append_http_additions
@@ -204,7 +264,7 @@ module SecureHeaders
         warn "[DEPRECATION] using self/none may not be supported in the future. Instead use 'self'/'none' instead."
         "'#{val}'"
       elsif val == 'nonce'
-        if supports_nonces?(@ua)
+        if supports_nonces?
           self.class.set_nonce(@controller, nonce)
           ["'nonce-#{nonce}'", "'unsafe-inline'"]
         else
@@ -215,27 +275,9 @@ module SecureHeaders
       end
     end
-    def report_uri_directive
-      return '' if @report_uri.nil?
-      if @report_uri.start_with?('//')
-        @report_uri = if @ssl_request
-                        "https:" + @report_uri
-                      else
-                        "http:" + @report_uri
-                      end
-      end
-      if @tag_report_uri
-        @report_uri = "#{@report_uri}?enforce=#{@enforce}"
-        @report_uri += "&app_name=#{@app_name}" if @app_name
-      end
-      "report-uri #{@report_uri};"
-    end
+    # ensures defualt_src is first and report_uri is last
     def generic_directives
-      header_value = ''
+      header_value = build_directive(:default_src)
       data_uri = @disable_img_src_data_uri ? [] : ["data:"]
       if @config[:img_src]
         @config[:img_src] = @config[:img_src] + data_uri unless @config[:img_src].include?('data:')
@@ -243,19 +285,40 @@ module SecureHeaders
         @config[:img_src] = @config[:default_src] + data_uri
       end
-      DIRECTIVES.each do |directive_name|
-        header_value += build_directive(directive_name) if @config[directive_name]
+      (ALL_DIRECTIVES - [:default_src, :report_uri]).each do |directive_name|
+        if @config[directive_name]
+          header_value += build_directive(directive_name)
+        end
       end
-      header_value
+      header_value += build_directive(:report_uri) if @config[:report_uri]
+      header_value.strip
     end
     def build_directive(key)
       "#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
     end
-    def supports_nonces?(user_agent)
-      parsed_ua = UserAgentParser.parse(user_agent)
+    def strip_unsupported_directives
+      @config.select! { |key, _| supported_directives.include?(key) }
+    end
+    def supported_directives
+      @supported_directives ||= case UserAgentParser.parse(@ua).family
+      when "Chrome"
+        CHROME_DIRECTIVES
+      when "Safari"
+        SAFARI_DIRECTIVES
+      when "Firefox"
+        FIREFOX_DIRECTIVES
+      else
+        DIRECTIVES_1_0
+      end
+    end
+    def supports_nonces?
+      parsed_ua = UserAgentParser.parse(@ua)
       ["Chrome", "Opera", "Firefox"].include?(parsed_ua.family)
     end
   end

data/lib/secure_headers/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "2.4.0"
+  VERSION = "2.4.1"
 end

data/lib/secure_headers/view_helper.rb CHANGED Viewed

@@ -27,7 +27,6 @@ module SecureHeaders
           if raise_error_on_unrecognized_hash
             raise UnexpectedHashedScriptException.new(message)
           else
-            puts message
             request.env[HASHES_ENV_KEY] = (request.env[HASHES_ENV_KEY] || []) << hash_value
           end
         end

data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb CHANGED Viewed

@@ -10,7 +10,6 @@ module SecureHeaders
     let(:default_config) do
       {
-        :disable_fill_missing => true,
         :default_src => 'https://*',
         :report_uri => '/csp_report',
         :script_src => "'unsafe-inline' 'unsafe-eval' https://* data:",

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb CHANGED Viewed

@@ -5,9 +5,10 @@ module SecureHeaders
     let(:default_opts) do
       {
         :default_src => 'https:',
-        :report_uri => '/csp_report',
+        :img_src => "https: data:",
         :script_src => "'unsafe-inline' 'unsafe-eval' https: data:",
-        :style_src => "'unsafe-inline' https: about:"
+        :style_src => "'unsafe-inline' https: about:",
+        :report_uri => '/csp_report'
       }
     end
     let(:controller) { DummyClass.new }
@@ -58,7 +59,7 @@ module SecureHeaders
     it "exports a policy to JSON" do
       policy = ContentSecurityPolicy.new(default_opts)
-      expected = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
+      expected = %({"default-src":["https:"],"img-src":["https:","data:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"report-uri":["/csp_report"]})
       expect(policy.to_json).to eq(expected)
     end
@@ -141,6 +142,27 @@ module SecureHeaders
     end
     describe "#value" do
+      context "browser sniffing" do
+        let(:complex_opts) do
+          ALL_DIRECTIVES.inject({}) { |memo, directive| memo[directive] = "'self'"; memo }.merge(:block_all_mixed_content => '')
+        end
+        it "does not filter any directives for Chrome" do
+          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(CHROME))
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content ; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
+        end
+        it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
+          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(FIREFOX))
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
+        end
+        it "filters base-uri, blocked-all-mixed-content, child-src, form-action, frame-ancestors, and plugin-types for safari" do
+          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(SAFARI))
+          expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
+        end
+      end
       it "raises an exception when default-src is missing" do
         csp = ContentSecurityPolicy.new({:script_src => 'anything'}, :request => request_for(CHROME))
         expect {
@@ -248,7 +270,7 @@ module SecureHeaders
         it "adds directive values for headers on http" do
           csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
-          expect(csp.value).to eq("default-src https:; frame-src http:; img-src http: data:; script-src 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'unsafe-inline' https: about:; report-uri /csp_report;")
+          expect(csp.value).to eq("default-src https:; frame-src http:; img-src https: data: http:; script-src 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'unsafe-inline' https: about:; report-uri /csp_report;")
         end
         it "does not add the directive values if requesting https" do

data/spec/lib/secure_headers_spec.rb CHANGED Viewed

@@ -166,7 +166,7 @@ describe SecureHeaders do
     end
     it "produces a hash of headers given a hash as config" do
-      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:", :disable_fill_missing => true})
+      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
       expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
       expect_default_values(hash)
     end
@@ -186,7 +186,7 @@ describe SecureHeaders do
         }
       end
-      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:", :disable_fill_missing => true})
+      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
       ::SecureHeaders::Configuration.configure do |config|
         config.hsts = nil
         config.hpkp = nil

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 2.4.0
+  version: 2.4.1
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-10-01 00:00:00.000000000 Z
+date: 2015-10-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake