RubyGems - secure_headers - Versions diffs - 2.5.3 → 3.0.0.pre - Mend

secure_headers 2.5.3 → 3.0.0.pre

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (125) hide show

data/fixtures/rails_3_2_22_no_init/spec/controllers/things_controller_spec.rb DELETED Viewed

@@ -1,54 +0,0 @@
-require 'spec_helper'
-# This controller is meant to be something that inherits config from application controller
-# all values are defaulted because no initializer is configured, and the values in app controller
-# only provide csp => false
-describe ThingsController, :type => :controller do
-  describe "headers" do
-    it "sets the X-XSS-Protection header" do
-      get :index
-      expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Frame-Options header" do
-      get :index
-      expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-WebKit-CSP header" do
-      get :index
-      expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
-    end
-    #mock ssl
-    it "sets the Strict-Transport-Security header" do
-      request.env['HTTPS'] = 'on'
-      get :index
-      expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Download-Options header" do
-      get :index
-      expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Content-Type-Options header" do
-      get :index
-      expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-    end
-    it "sets the X-Permitted-Cross-Domain-Policies" do
-      get :index
-      expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
-    end
-    context "using IE" do
-      it "sets the X-Content-Type-Options header" do
-        request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get :index
-        expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
-      end
-    end
-  end
-end

data/fixtures/rails_3_2_22_no_init/spec/spec_helper.rb DELETED Viewed

@@ -1,5 +0,0 @@
-require 'rubygems'
-ENV["RAILS_ENV"] ||= 'test'
-require File.expand_path("../../config/environment", __FILE__)
-require 'rspec/rails'

data/fixtures/rails_3_2_22_no_init/vendor/assets/javascripts/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/vendor/assets/stylesheets/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_3_2_22_no_init/vendor/plugins/.gitkeep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/Gemfile DELETED Viewed

@@ -1,5 +0,0 @@
-source 'https://rubygems.org'
-gem 'rails', '4.1.8'
-gem 'rspec-rails', '>= 2.0.0'
-gem 'secure_headers', :path => '../..'

data/fixtures/rails_4_1_8/README.rdoc DELETED Viewed

@@ -1,28 +0,0 @@
-== README
-This README would normally document whatever steps are necessary to get the
-application up and running.
-Things you may want to cover:
-* Ruby version
-* System dependencies
-* Configuration
-* Database creation
-* Database initialization
-* How to run the test suite
-* Services (job queues, cache servers, search engines, etc.)
-* Deployment instructions
-* ...
-Please feel free to use a different markup language if you do not plan to run
-<tt>rake doc:app</tt>.

data/fixtures/rails_4_1_8/Rakefile DELETED Viewed

@@ -1,6 +0,0 @@
-# Add your own tasks in files placed in lib/tasks ending in .rake,
-# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
-require File.expand_path('../config/application', __FILE__)
-Rails.application.load_tasks

data/fixtures/rails_4_1_8/app/controllers/application_controller.rb DELETED Viewed

@@ -1,4 +0,0 @@
-class ApplicationController < ActionController::Base
-  protect_from_forgery
-  ensure_security_headers
-end

data/fixtures/rails_4_1_8/app/controllers/concerns/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/app/controllers/other_things_controller.rb DELETED Viewed

@@ -1,5 +0,0 @@
-class OtherThingsController < ApplicationController
-  def index
-  end
-end

data/fixtures/rails_4_1_8/app/controllers/things_controller.rb DELETED Viewed

@@ -1,5 +0,0 @@
-class ThingsController < ApplicationController
-  ensure_security_headers :csp => false
-  def index
-  end
-end

data/fixtures/rails_4_1_8/app/models/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/app/models/concerns/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/app/views/layouts/application.html.erb DELETED Viewed

@@ -1,11 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <title>Rails418</title>
-</head>
-<body>
-<%= yield %>
-<script>console.log("oh hell yes")</script>
-</body>
-</html>

data/fixtures/rails_4_1_8/app/views/other_things/index.html.erb DELETED Viewed

	@@ -1,2 +0,0 @@
1	- index
2	- <script>console.log("oh what")</script>

data/fixtures/rails_4_1_8/app/views/things/index.html.erb DELETED Viewed

	@@ -1 +0,0 @@
1	- things

data/fixtures/rails_4_1_8/config/application.rb DELETED Viewed

@@ -1,15 +0,0 @@
-require File.expand_path('../boot', __FILE__)
-require "action_controller/railtie"
-require "sprockets/railtie"
-# Require the gems listed in Gemfile, including any gems
-# you've limited to :test, :development, or :production.
-Bundler.require(*Rails.groups)
-module Rails418
-  class Application < Rails::Application
-  end
-end

data/fixtures/rails_4_1_8/config/boot.rb DELETED Viewed

@@ -1,4 +0,0 @@
-# Set up gems listed in the Gemfile.
-ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
-require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

data/fixtures/rails_4_1_8/config/environment.rb DELETED Viewed

@@ -1,5 +0,0 @@
-# Load the Rails application.
-require File.expand_path('../application', __FILE__)
-# Initialize the Rails application.
-Rails.application.initialize!

data/fixtures/rails_4_1_8/config/environments/test.rb DELETED Viewed

@@ -1,10 +0,0 @@
-Rails418::Application.configure do
-  config.cache_classes = true
-  config.eager_load = false
-  config.serve_static_assets  = true
-  config.static_cache_control = 'public, max-age=3600'
-  config.consider_all_requests_local       = true
-  config.action_controller.perform_caching = false
-  config.action_dispatch.show_exceptions = false
-  config.action_controller.allow_forgery_protection = false
-end

data/fixtures/rails_4_1_8/config/initializers/secure_headers.rb DELETED Viewed

@@ -1,16 +0,0 @@
-::SecureHeaders::Configuration.configure do |config|
-  config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
-  config.x_frame_options = 'DENY'
-  config.x_content_type_options = "nosniff"
-  config.x_xss_protection = {:value => 0}
-  config.x_permitted_cross_domain_policies = 'none'
-  csp = {
-    :default_src => "'self'",
-    :script_src => "'self' nonce",
-    :report_uri => 'somewhere',
-    :script_hash_middleware => true,
-    :enforce => false # false means warnings only
-  }
-  config.csp = csp
-end

data/fixtures/rails_4_1_8/config/routes.rb DELETED Viewed

@@ -1,4 +0,0 @@
-Rails.application.routes.draw do
-  resources :things
-  match ':controller(/:action(/:id))(.:format)', :via => [:get, :post]
-end

data/fixtures/rails_4_1_8/config/script_hashes.yml DELETED Viewed

@@ -1,5 +0,0 @@
----
-app/views/layouts/application.html.erb:
-- sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=
-app/views/other_things/index.html.erb:
-- sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=

data/fixtures/rails_4_1_8/config/secrets.yml DELETED Viewed

@@ -1,22 +0,0 @@
-# Be sure to restart your server when you modify this file.
-# Your secret key is used for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-# You can use `rake secret` to generate a secure secret key.
-# Make sure the secrets in this file are kept private
-# if you're sharing your code publicly.
-development:
-  secret_key_base: ddba38f932720d8f18257f2a05dc278963a29cf569c45aa97ff4e9fc9bbc78af5a03fcf135caad45caee66ac09f8f9913c1f5e338a61213f420eefa8dd6363d2
-test:
-  secret_key_base: f73abd7eab84fa7af5a2fc0a9c2727c5bad47433e51aa0c9c6b0782dac176a8e7f337e1f93adc6d6fc17027e67a533040b6408e54d72dea2eec6e5b9820dbcb9
-# Do not keep production secrets in the repository,
-# instead read values from the environment.
-production:
-  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

data/fixtures/rails_4_1_8/config.ru DELETED Viewed

@@ -1,4 +0,0 @@
-# This file is used by Rack-based servers to start the application.
-require ::File.expand_path('../config/environment',  __FILE__)
-run Rails.application

data/fixtures/rails_4_1_8/lib/assets/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/lib/tasks/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/log/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/spec/controllers/other_things_controller_spec.rb DELETED Viewed

@@ -1,83 +0,0 @@
-require 'spec_helper'
-require 'secure_headers/headers/content_security_policy/script_hash_middleware'
-describe OtherThingsController, :type => :controller do
-  include Rack::Test::Methods
-  def app
-    OtherThingsController.action(:index)
-  end
-  def request(opts = {})
-    options = opts.merge(
-      {
-        'HTTPS' => 'on',
-        'HTTP_USER_AGENT' => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
-      }
-    )
-    Rack::MockRequest.env_for('/', options)
-  end
-  describe "headers" do
-    before(:each) do
-      _, @env = app.call(request)
-    end
-    it "sets the X-XSS-Protection header" do
-      get '/'
-      expect(@env['X-XSS-Protection']).to eq('0')
-    end
-    it "sets the X-Frame-Options header" do
-      get '/'
-      expect(@env['X-Frame-Options']).to eq('DENY')
-    end
-    it "sets the CSP header with a local reference to a nonce" do
-      middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
-      _, env = middleware.call(request(@env))
-      expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
-    end
-    it "sets the required hashes to whitelist inline script" do
-      middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
-      _, env = middleware.call(request(@env))
-      hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
-      hashes.each do |hash|
-        expect(env['Content-Security-Policy-Report-Only']).to include(hash)
-      end
-    end
-    it "sets the Strict-Transport-Security header" do
-      get '/'
-      expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
-    end
-    it "sets the X-Download-Options header" do
-      get '/'
-      expect(@env['X-Download-Options']).to eq('noopen')
-    end
-    it "sets the X-Content-Type-Options header" do
-      get '/'
-      expect(@env['X-Content-Type-Options']).to eq("nosniff")
-    end
-    it "sets the X-Permitted-Cross-Domain-Policies" do
-      get '/'
-      expect(@env['X-Permitted-Cross-Domain-Policies']).to eq("none")
-    end
-    context "using IE" do
-      it "sets the X-Content-Type-Options header" do
-        @env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get '/'
-        expect(@env['X-Content-Type-Options']).to eq("nosniff")
-      end
-    end
-  end
-end

data/fixtures/rails_4_1_8/spec/controllers/things_controller_spec.rb DELETED Viewed

@@ -1,59 +0,0 @@
-# config.action_dispatch.default_headers defaults to:
-# {"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"1; mode=block", "X-Content-Type-Options"=>"nosniff"}
-# so we want to set our specs to expect something else to ensure secureheaders is taking precedence
-require 'spec_helper'
-# This controller is meant to be something that inherits config from application controller
-# all values are defaulted because no initializer is configured, and the values in app controller
-# only provide csp => false
-describe ThingsController, :type => :controller do
-  describe "headers" do
-    it "sets the X-XSS-Protection header" do
-      get :index
-      expect(response.headers['X-XSS-Protection']).to eq('0')
-    end
-    it "sets the X-Frame-Options header" do
-      get :index
-      expect(response.headers['X-Frame-Options']).to eq('DENY')
-    end
-    it "does not set CSP header" do
-      get :index
-      expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
-    end
-    #mock ssl
-    it "sets the Strict-Transport-Security header" do
-      request.env['HTTPS'] = 'on'
-      get :index
-      expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
-    end
-    it "sets the X-Download-Options header" do
-      get :index
-      expect(response.headers['X-Download-Options']).to eq('noopen')
-    end
-    it "sets the X-Content-Type-Options header" do
-      get :index
-      expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
-    end
-    it "sets the X-Permitted-Cross-Domain-Policies" do
-      get :index
-      expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
-    end
-    context "using IE" do
-      it "sets the X-Content-Type-Options header" do
-        request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-        get :index
-        expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
-      end
-    end
-  end
-end

data/fixtures/rails_4_1_8/spec/spec_helper.rb DELETED Viewed

@@ -1,15 +0,0 @@
-require 'rubygems'
-#uncomment the following line to use spork with the debugger
-#require 'spork/ext/ruby-debug'
-# Spork.prefork do
-  # Loading more in this block will cause your tests to run faster. However,
-  # if you change any configuration or code from libraries loaded here, you'll
-  # need to restart spork for it take effect.
-# This file is copied to spec/ when you run 'rails generate rspec:install'
-  ENV["RAILS_ENV"] ||= 'test'
-  require File.expand_path("../../config/environment", __FILE__)
-  require 'rspec/rails'
-# end

data/fixtures/rails_4_1_8/vendor/assets/javascripts/.keep DELETED Viewed

File without changes

data/fixtures/rails_4_1_8/vendor/assets/stylesheets/.keep DELETED Viewed

File without changes

data/lib/secure_headers/controller_extension.rb DELETED Viewed

@@ -1,158 +0,0 @@
-module SecureHeaders
-  module ControllerExtension
-    class << self
-      def append_features(base)
-        base.module_eval do
-          extend ClassMethods
-          include InstanceMethods
-        end
-      end
-    end
-    module ClassMethods
-      attr_writer :secure_headers_options
-      def secure_headers_options
-        if @secure_headers_options
-          @secure_headers_options
-        elsif superclass.respond_to?(:secure_headers_options) # stop at application_controller
-          superclass.secure_headers_options
-        else
-          {}
-        end
-      end
-      def ensure_security_headers options = {}
-        if RUBY_VERSION == "1.8.7"
-          warn "[DEPRECATION] secure_headers ruby 1.8.7 support will dropped in the next release"
-        end
-        self.secure_headers_options = options
-        hook = respond_to?(:before_action) ? :before_action : :before_filter
-        ::SecureHeaders::ALL_FILTER_METHODS.each do |method|
-          send(hook, method)
-        end
-      end
-    end
-    module InstanceMethods
-      def set_security_headers(options = self.class.secure_headers_options)
-        set_csp_header(request, options[:csp])
-        set_hsts_header(options[:hsts])
-        set_hpkp_header(options[:hpkp])
-        set_x_frame_options_header(options[:x_frame_options])
-        set_x_xss_protection_header(options[:x_xss_protection])
-        set_x_content_type_options_header(options[:x_content_type_options])
-        set_x_download_options_header(options[:x_download_options])
-        set_x_permitted_cross_domain_policies_header(options[:x_permitted_cross_domain_policies])
-      end
-      # set_csp_header - uses the request accessor and SecureHeader::Configuration settings
-      # set_csp_header(+Rack::Request+) - uses the parameter and and SecureHeader::Configuration settings
-      # set_csp_header(+Hash+) - uses the request accessor and options from parameters
-      # set_csp_header(+Rack::Request+, +Hash+)
-      def set_csp_header(req = nil, config=nil)
-        if req.is_a?(Hash) || req.is_a?(FalseClass)
-          config = req
-        end
-        config = self.class.secure_headers_options[:csp] if config.nil?
-        config = secure_header_options_for :csp, config
-        return if config == false
-        if config && config[:script_hash_middleware]
-          ContentSecurityPolicy.add_to_env(request, self, config)
-        else
-          csp_header = ContentSecurityPolicy.new(config, :request => request, :controller => self)
-          set_header(csp_header)
-        end
-      end
-      def prep_script_hash
-        if ::SecureHeaders::Configuration.script_hashes
-          @script_hashes = ::SecureHeaders::Configuration.script_hashes.dup
-          ActiveSupport::Notifications.subscribe("render_partial.action_view") do |event_name, start_at, end_at, id, payload|
-            save_hash_for_later payload
-          end
-          ActiveSupport::Notifications.subscribe("render_template.action_view") do |event_name, start_at, end_at, id, payload|
-            save_hash_for_later payload
-          end
-        end
-      end
-      def save_hash_for_later payload
-        matching_hashes = @script_hashes[payload[:identifier].gsub(Rails.root.to_s + "/", "")] || []
-        if payload[:layout]
-          # We're assuming an html.erb layout for now. Will need to handle mustache too, just not sure of the best way to do this
-          layout_hashes = @script_hashes[File.join("app", "views", payload[:layout]) + '.html.erb']
-          matching_hashes << layout_hashes if layout_hashes
-        end
-        if matching_hashes.any?
-          request.env[HASHES_ENV_KEY] = ((request.env[HASHES_ENV_KEY] || []) << matching_hashes).flatten
-        end
-      end
-      def set_x_frame_options_header(options=self.class.secure_headers_options[:x_frame_options])
-        set_a_header(:x_frame_options, XFrameOptions, options)
-      end
-      def set_x_content_type_options_header(options=self.class.secure_headers_options[:x_content_type_options])
-        set_a_header(:x_content_type_options, XContentTypeOptions, options)
-      end
-      def set_x_xss_protection_header(options=self.class.secure_headers_options[:x_xss_protection])
-        set_a_header(:x_xss_protection, XXssProtection, options)
-      end
-      def set_hsts_header(options=self.class.secure_headers_options[:hsts])
-        return unless request.ssl?
-        set_a_header(:hsts, StrictTransportSecurity, options)
-      end
-      def set_hpkp_header(options=self.class.secure_headers_options[:hpkp])
-        return unless request.ssl?
-        config = secure_header_options_for :hpkp, options
-        return if config == false || config.nil?
-        hpkp_header = PublicKeyPins.new(config)
-        set_header(hpkp_header)
-      end
-      def set_x_download_options_header(options=self.class.secure_headers_options[:x_download_options])
-        set_a_header(:x_download_options, XDownloadOptions, options)
-      end
-      def set_x_permitted_cross_domain_policies_header(options=self.class.secure_headers_options[:x_permitted_cross_domain_policies])
-        set_a_header(:x_permitted_cross_domain_policies, XPermittedCrossDomainPolicies, options)
-      end
-      private
-      # we can't use ||= because I'm overloading false => disable, nil => default
-      # both of which trigger the conditional assignment
-      def secure_header_options_for(type, options)
-        options.nil? ? ::SecureHeaders::Configuration.send(type) : options
-      end
-      def set_a_header(name, klass, options=nil)
-        options = secure_header_options_for(name, options)
-        return if options == false
-        set_header(SecureHeaders::get_a_header(klass, options))
-      end
-      def set_header(name_or_header, value=nil)
-        if name_or_header.is_a?(Header)
-          header = name_or_header
-          response.headers[header.name] = header.value
-        else
-          response.headers[name_or_header] = value
-        end
-      end
-    end
-  end
-end

data/lib/secure_headers/hash_helper.rb DELETED Viewed

@@ -1,7 +0,0 @@
-module SecureHeaders
-  module HashHelper
-    def hash_source(inline_script, digest = :SHA256)
-      [digest.to_s.downcase, "-", [[Digest.const_get(digest).hexdigest(inline_script)].pack("H*")].pack("m").chomp].join
-    end
-  end
-end

data/lib/secure_headers/header.rb DELETED Viewed

@@ -1,5 +0,0 @@
-module SecureHeaders
-  class Header
-  end
-end

data/lib/secure_headers/headers/content_security_policy/script_hash_middleware.rb DELETED Viewed

@@ -1,22 +0,0 @@
-module SecureHeaders
-  class ContentSecurityPolicy
-    class ScriptHashMiddleware
-      def initialize(app)
-        @app = app
-      end
-      def call(env)
-        status, headers, response = @app.call(env)
-        metadata = env[ContentSecurityPolicy::ENV_KEY]
-        if !metadata.nil?
-          config, options = metadata.values_at(:config, :options)
-          config.merge!(:script_hashes => env[HASHES_ENV_KEY])
-          csp_header = ContentSecurityPolicy.new(config, options)
-          headers[csp_header.name] = csp_header.value
-        end
-        [status, headers, response]
-      end
-    end
-  end
-end

data/lib/secure_headers/version.rb DELETED Viewed

@@ -1,3 +0,0 @@
-module SecureHeaders
-  VERSION = "2.5.3"
-end