RubyGems - secure_headers - Versions diffs - 2.4.0 → 2.4.1 - Mend

secure_headers 2.4.0 → 2.4.1

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (9) hide show

checksums.yaml +4 -4
data/README.md +2 -1
data/lib/secure_headers/headers/content_security_policy.rb +111 -48
data/lib/secure_headers/version.rb +1 -1
data/lib/secure_headers/view_helper.rb +0 -1
data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb +0 -1
data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +26 -4
data/spec/lib/secure_headers_spec.rb +2 -2
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bdc7e4cc47367102f2318244051b544e4bc5d611
-  data.tar.gz: f4bb9651462b15c056ab9720a0c079283e9c2462
+  metadata.gz: 333c51c1bbbed7415696fa0e8fd7e3147ddcf542
+  data.tar.gz: 798eae0a9dc303a0c72c946e74aa76a2f36e229c
 SHA512:
-  metadata.gz: 888729b84ba1eb266c25c3bbc218c270f9e262bcbf490363a2daad6202803f4ba71a21f59c1a36e816a06c01ab8d28126ba81e05ae4f37ac36a53ee670af8420
-  data.tar.gz: 26640f0a917396faf083eaff557316d4a376e6956ae95915cfb5c815de3269a6ec5cb9a9f6a7684d871d8ff634dc586bb6a6a20dd79ece6cee034d5ec8f20648
+  metadata.gz: 80224aff2b4a8230de68b0338dd5ca4ef19c56b929fe59693d3f01395f7b4c3cab57170b389044dacd0745e43d07cf98951f13de48d646cc17cf8a40befe4d90
+  data.tar.gz: 7f663e76802e8c2282908eb2eefce7a040cf9f5c04da49b825bd147854879a900577f22f9a8e918a973d3019e840e95d08aec6eaeeb3836c6233fb0db0dd8982

data/README.md CHANGED Viewed

@@ -61,6 +61,7 @@ The following methods are going to be called, unless they are provided in a `ski
     :form_action => "'self' github.com",
     :frame_ancestors => "'none'",
     :plugin_types => 'application/x-shockwave-flash',
+    :block_all_mixed_content => '' # see [http://www.w3.org/TR/mixed-content/]()
     :report_uri => '//example.com/uri-directive'
   }
   config.hpkp = {
@@ -99,7 +100,7 @@ Sometimes you need to override your content security policy for a given endpoint
 1. Override the `secure_header_options_for` class instance method. e.g.
 ```ruby
-class SomethingController < ApplicationController
+class SomethingController < ApplicationController
   def wumbus
     # gets style-src override
   end

data/lib/secure_headers/headers/content_security_policy.rb CHANGED Viewed

@@ -11,7 +11,8 @@ module SecureHeaders
       DEFAULT_CSP_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https: about: javascript:; img-src data:"
       HEADER_NAME = "Content-Security-Policy"
       ENV_KEY = 'secure_headers.content_security_policy'
-      DIRECTIVES = [
+      DIRECTIVES_1_0 = [
         :default_src,
         :connect_src,
         :font_src,
@@ -19,20 +20,53 @@ module SecureHeaders
         :img_src,
         :media_src,
         :object_src,
+        :sandbox,
         :script_src,
         :style_src,
+        :report_uri
+      ].freeze
+      DIRECTIVES_2_0 = [
+        DIRECTIVES_1_0,
         :base_uri,
         :child_src,
         :form_action,
         :frame_ancestors,
         :plugin_types
-      ]
+      ].flatten.freeze
-      OTHER = [
-        :report_uri
-      ]
-      ALL_DIRECTIVES = DIRECTIVES + OTHER
+      # All the directives currently under consideration for CSP level 3.
+      # https://w3c.github.io/webappsec/specs/CSP2/
+      DIRECTIVES_3_0 = [
+        DIRECTIVES_2_0,
+        :manifest_src,
+        :reflected_xss
+      ].flatten.freeze
+      # All the directives that are not currently in a formal spec, but have
+      # been implemented somewhere.
+      DIRECTIVES_DRAFT = [
+        :block_all_mixed_content,
+      ].freeze
+      SAFARI_DIRECTIVES = DIRECTIVES_1_0
+      FIREFOX_UNSUPPORTED_DIRECTIVES = [
+        :block_all_mixed_content,
+        :child_src,
+        :plugin_types
+      ].freeze
+      FIREFOX_DIRECTIVES = (
+        DIRECTIVES_2_0 - FIREFOX_UNSUPPORTED_DIRECTIVES
+      ).freeze
+      CHROME_DIRECTIVES = (
+        DIRECTIVES_2_0 + DIRECTIVES_DRAFT
+      ).freeze
+      ALL_DIRECTIVES = [DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_DRAFT].flatten.uniq.sort
       CONFIG_KEY = :csp
     end
@@ -99,33 +133,55 @@ module SecureHeaders
       @ua = options[:ua]
       @ssl_request = !!options.delete(:ssl)
       @request_uri = options.delete(:request_uri)
+      @http_additions = config.delete(:http_additions)
+      @disable_img_src_data_uri = !!config.delete(:disable_img_src_data_uri)
+      @tag_report_uri = !!config.delete(:tag_report_uri)
+      @script_hashes = config.delete(:script_hashes) || []
+      @app_name = config.delete(:app_name)
+      @app_name = @app_name.call(@controller) if @app_name.respond_to?(:call)
+      @enforce = config.delete(:enforce)
+      @enforce = @enforce.call(@controller) if @enforce.respond_to?(:call)
+      @enforce = !!@enforce
       # Config values can be string, array, or lamdba values
       @config = config.inject({}) do |hash, (key, value)|
         config_val = value.respond_to?(:call) ? value.call(@controller) : value
-        if DIRECTIVES.include?(key) # directives need to be normalized to arrays of strings
+        if ALL_DIRECTIVES.include?(key.to_sym) # directives need to be normalized to arrays of strings
           config_val = config_val.split if config_val.is_a? String
           if config_val.is_a?(Array)
             config_val = config_val.map do |val|
               translate_dir_value(val)
             end.flatten.uniq
           end
+        elsif key != :script_hash_middleware
+          raise ArgumentError.new("Unknown directive supplied: #{key}")
         end
         hash[key] = config_val
         hash
       end
-      @http_additions = @config.delete(:http_additions)
-      @app_name = @config.delete(:app_name)
-      @report_uri = @config.delete(:report_uri)
-      @enforce = !!@config.delete(:enforce)
-      @disable_img_src_data_uri = !!@config.delete(:disable_img_src_data_uri)
-      @tag_report_uri = !!@config.delete(:tag_report_uri)
-      @script_hashes = @config.delete(:script_hashes) || []
+      # normalize and tag the report-uri
+      if @config[:report_uri]
+        @config[:report_uri] = @config[:report_uri].map do |report_uri|
+          if report_uri.start_with?('//')
+            report_uri = if @ssl_request
+                           "https:" + report_uri
+                         else
+                           "http:" + report_uri
+                         end
+          end
+          if @tag_report_uri
+            report_uri = "#{report_uri}?enforce=#{@enforce}"
+            report_uri += "&app_name=#{@app_name}" if @app_name
+          end
+          report_uri
+        end
+      end
       add_script_hashes if @script_hashes.any?
+      strip_unsupported_directives
     end
     ##
@@ -160,13 +216,20 @@ module SecureHeaders
     def to_json
       build_value
-      @config.to_json.gsub(/(\w+)_src/, "\\1-src")
+      @config.inject({}) do |hash, (key, value)|
+        if ALL_DIRECTIVES.include?(key)
+          hash[key.to_s.gsub(/(\w+)_(\w+)/, "\\1-\\2")] = value
+        end
+        hash
+      end.to_json
     end
     def self.from_json(*json_configs)
       json_configs.inject({}) do |combined_config, one_config|
-        one_config = one_config.gsub(/(\w+)-src/, "\\1_src")
-        config = JSON.parse(one_config, :symbolize_names => true)
+        config = JSON.parse(one_config).inject({}) do |hash, (key, value)|
+          hash[key.gsub(/(\w+)-(\w+)/, "\\1_\\2").to_sym] = value
+          hash
+        end
         combined_config.merge(config) do |_, lhs, rhs|
           lhs | rhs
         end
@@ -182,10 +245,7 @@ module SecureHeaders
     def build_value
       raise "Expected to find default_src directive value" unless @config[:default_src]
       append_http_additions unless ssl_request?
-      header_value = [
-        generic_directives,
-        report_uri_directive
-      ].join.strip
+      generic_directives
     end
     def append_http_additions
@@ -204,7 +264,7 @@ module SecureHeaders
         warn "[DEPRECATION] using self/none may not be supported in the future. Instead use 'self'/'none' instead."
         "'#{val}'"
       elsif val == 'nonce'
-        if supports_nonces?(@ua)
+        if supports_nonces?
           self.class.set_nonce(@controller, nonce)
           ["'nonce-#{nonce}'", "'unsafe-inline'"]
         else
@@ -215,27 +275,9 @@ module SecureHeaders
       end
     end
-    def report_uri_directive
-      return '' if @report_uri.nil?
-      if @report_uri.start_with?('//')
-        @report_uri = if @ssl_request
-                        "https:" + @report_uri
-                      else
-                        "http:" + @report_uri
-                      end
-      end
-      if @tag_report_uri
-        @report_uri = "#{@report_uri}?enforce=#{@enforce}"
-        @report_uri += "&app_name=#{@app_name}" if @app_name
-      end
-      "report-uri #{@report_uri};"
-    end
+    # ensures defualt_src is first and report_uri is last
     def generic_directives
-      header_value = ''
+      header_value = build_directive(:default_src)
       data_uri = @disable_img_src_data_uri ? [] : ["data:"]
       if @config[:img_src]
         @config[:img_src] = @config[:img_src] + data_uri unless @config[:img_src].include?('data:')
@@ -243,19 +285,40 @@ module SecureHeaders
         @config[:img_src] = @config[:default_src] + data_uri
       end
-      DIRECTIVES.each do |directive_name|
-        header_value += build_directive(directive_name) if @config[directive_name]
+      (ALL_DIRECTIVES - [:default_src, :report_uri]).each do |directive_name|
+        if @config[directive_name]
+          header_value += build_directive(directive_name)
+        end
       end
-      header_value
+      header_value += build_directive(:report_uri) if @config[:report_uri]
+      header_value.strip
     end
     def build_directive(key)
       "#{self.class.symbol_to_hyphen_case(key)} #{@config[key].join(" ")}; "
     end
-    def supports_nonces?(user_agent)
-      parsed_ua = UserAgentParser.parse(user_agent)
+    def strip_unsupported_directives
+      @config.select! { |key, _| supported_directives.include?(key) }
+    end
+    def supported_directives
+      @supported_directives ||= case UserAgentParser.parse(@ua).family
+      when "Chrome"
+        CHROME_DIRECTIVES
+      when "Safari"
+        SAFARI_DIRECTIVES
+      when "Firefox"
+        FIREFOX_DIRECTIVES
+      else
+        DIRECTIVES_1_0
+      end
+    end
+    def supports_nonces?
+      parsed_ua = UserAgentParser.parse(@ua)
       ["Chrome", "Opera", "Firefox"].include?(parsed_ua.family)
     end
   end

data/lib/secure_headers/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "2.4.0"
+  VERSION = "2.4.1"
 end

data/lib/secure_headers/view_helper.rb CHANGED Viewed

@@ -27,7 +27,6 @@ module SecureHeaders
           if raise_error_on_unrecognized_hash
             raise UnexpectedHashedScriptException.new(message)
           else
-            puts message
             request.env[HASHES_ENV_KEY] = (request.env[HASHES_ENV_KEY] || []) << hash_value
           end
         end

data/spec/lib/secure_headers/headers/content_security_policy/script_hash_middleware_spec.rb CHANGED Viewed

@@ -10,7 +10,6 @@ module SecureHeaders
     let(:default_config) do
       {
-        :disable_fill_missing => true,
         :default_src => 'https://*',
         :report_uri => '/csp_report',
         :script_src => "'unsafe-inline' 'unsafe-eval' https://* data:",

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb CHANGED Viewed

@@ -5,9 +5,10 @@ module SecureHeaders
     let(:default_opts) do
       {
         :default_src => 'https:',
-        :report_uri => '/csp_report',
+        :img_src => "https: data:",
         :script_src => "'unsafe-inline' 'unsafe-eval' https: data:",
-        :style_src => "'unsafe-inline' https: about:"
+        :style_src => "'unsafe-inline' https: about:",
+        :report_uri => '/csp_report'
       }
     end
     let(:controller) { DummyClass.new }
@@ -58,7 +59,7 @@ module SecureHeaders
     it "exports a policy to JSON" do
       policy = ContentSecurityPolicy.new(default_opts)
-      expected = %({"default-src":["https:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"img-src":["https:","data:"]})
+      expected = %({"default-src":["https:"],"img-src":["https:","data:"],"script-src":["'unsafe-inline'","'unsafe-eval'","https:","data:"],"style-src":["'unsafe-inline'","https:","about:"],"report-uri":["/csp_report"]})
       expect(policy.to_json).to eq(expected)
     end
@@ -141,6 +142,27 @@ module SecureHeaders
     end
     describe "#value" do
+      context "browser sniffing" do
+        let(:complex_opts) do
+          ALL_DIRECTIVES.inject({}) { |memo, directive| memo[directive] = "'self'"; memo }.merge(:block_all_mixed_content => '')
+        end
+        it "does not filter any directives for Chrome" do
+          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(CHROME))
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; block-all-mixed-content ; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; plugin-types 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
+        end
+        it "filters blocked-all-mixed-content, child-src, and plugin-types for firefox" do
+          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(FIREFOX))
+          expect(policy.value).to eq("default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
+        end
+        it "filters base-uri, blocked-all-mixed-content, child-src, form-action, frame-ancestors, and plugin-types for safari" do
+          policy = ContentSecurityPolicy.new(complex_opts, :request => request_for(SAFARI))
+          expect(policy.value).to eq("default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; media-src 'self'; object-src 'self'; sandbox 'self'; script-src 'self'; style-src 'self'; report-uri 'self';")
+        end
+      end
       it "raises an exception when default-src is missing" do
         csp = ContentSecurityPolicy.new({:script_src => 'anything'}, :request => request_for(CHROME))
         expect {
@@ -248,7 +270,7 @@ module SecureHeaders
         it "adds directive values for headers on http" do
           csp = ContentSecurityPolicy.new(options, :request => request_for(CHROME))
-          expect(csp.value).to eq("default-src https:; frame-src http:; img-src http: data:; script-src 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'unsafe-inline' https: about:; report-uri /csp_report;")
+          expect(csp.value).to eq("default-src https:; frame-src http:; img-src https: data: http:; script-src 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'unsafe-inline' https: about:; report-uri /csp_report;")
         end
         it "does not add the directive values if requesting https" do

data/spec/lib/secure_headers_spec.rb CHANGED Viewed

@@ -166,7 +166,7 @@ describe SecureHeaders do
     end
     it "produces a hash of headers given a hash as config" do
-      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:", :disable_fill_missing => true})
+      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
       expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
       expect_default_values(hash)
     end
@@ -186,7 +186,7 @@ describe SecureHeaders do
         }
       end
-      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:", :disable_fill_missing => true})
+      hash = SecureHeaders::header_hash(:csp => {:default_src => "'none'", :img_src => "data:"})
       ::SecureHeaders::Configuration.configure do |config|
         config.hsts = nil
         config.hpkp = nil

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 2.4.0
+  version: 2.4.1
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-10-01 00:00:00.000000000 Z
+date: 2015-10-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake