secure_headers 2.5.3 → 3.0.0.pre

data/lib/secure_headers/view_helper.rb

@@ -1,61 +1,45 @@
 module SecureHeaders
-  class UnexpectedHashedScriptException < StandardError
-
-  end
-
   module ViewHelpers
-    include SecureHeaders::HashHelper
-    SECURE_HEADERS_RAKE_TASK = "rake secure_headers:generate_hashes"
-
-    def nonced_style_tag(content = nil, &block)
-      nonced_tag(content, :style, block)
+    # Public: create a style tag using the content security policy nonce.
+    # Instructs secure_headers to append a nonce to style/script-src directives.
+    #
+    # Returns an html-safe style tag with the nonce attribute.
+    def nonced_style_tag(content_or_options = nil, &block)
+      nonced_tag(:style, content_or_options, block)
     end
 
-    def nonced_javascript_tag(content = nil, &block)
-      nonced_tag(content, :script, block)
+    # Public: create a script tag using the content security policy nonce.
+    # Instructs secure_headers to append a nonce to style/script-src directives.
+    #
+    # Returns an html-safe script tag with the nonce attribute.
+    def nonced_javascript_tag(content_or_options = nil, &block)
+      nonced_tag(:script, content_or_options, block)
     end
 
-    def hashed_javascript_tag(raise_error_on_unrecognized_hash = false, &block)
-      content = capture(&block)
-
-      if ['development', 'test'].include?(ENV["RAILS_ENV"])
-        hash_value = hash_source(content)
-        file_path = File.join('app', 'views', self.instance_variable_get(:@virtual_path) + '.html.erb')
-        script_hashes = controller.instance_variable_get(:@script_hashes)[file_path]
-        unless script_hashes && script_hashes.include?(hash_value)
-          message = unexpected_hash_error_message(file_path, hash_value, content)
-          if raise_error_on_unrecognized_hash
-            raise UnexpectedHashedScriptException.new(message)
-          else
-            request.env[HASHES_ENV_KEY] = (request.env[HASHES_ENV_KEY] || []) << hash_value
-          end
-        end
+    # Public: use the content security policy nonce for this request directly.
+    # Instructs secure_headers to append a nonce to style/script-src directives.
+    #
+    # Returns a non-html-safe nonce value.
+    def content_security_policy_nonce(type)
+      case type
+      when :script
+        SecureHeaders.content_security_policy_script_nonce(@_request)
+      when :style
+        SecureHeaders.content_security_policy_style_nonce(@_request)
       end
-
-      content_tag :script, content
     end
 
     private
 
-    def nonced_tag(content, type, block)
+    def nonced_tag(type, content_or_options, block)
+      options = {}
       content = if block
+        options = content_or_options
         capture(&block)
       else
-        content.html_safe # :'(
+        content_or_options.html_safe # :'(
       end
-
-      content_tag type, content, :nonce => @content_security_policy_nonce
-    end
-
-    def unexpected_hash_error_message(file_path, hash_value, content)
-      <<-EOF
-\n\n*** WARNING: Unrecognized hash in #{file_path}!!! Value: #{hash_value} ***
-<script>#{content}</script>
-*** This is fine in dev/test, but will raise exceptions in production. ***
-*** Run #{SECURE_HEADERS_RAKE_TASK} or add the following to config/script_hashes.yml:***
-#{file_path}:
-- #{hash_value}\n\n
-      EOF
+      content_tag type, content, options.merge(nonce: content_security_policy_nonce(type))
     end
   end
 end

data/lib/secure_headers.rb

@@ -1,5 +1,4 @@
-require "secure_headers/version"
-require "secure_headers/header"
+require "secure_headers/configuration"
 require "secure_headers/headers/public_key_pins"
 require "secure_headers/headers/content_security_policy"
 require "secure_headers/headers/x_frame_options"
@@ -8,86 +7,280 @@ require "secure_headers/headers/x_xss_protection"
 require "secure_headers/headers/x_content_type_options"
 require "secure_headers/headers/x_download_options"
 require "secure_headers/headers/x_permitted_cross_domain_policies"
-require "secure_headers/controller_extension"
+require "secure_headers/middleware"
 require "secure_headers/railtie"
-require "secure_headers/hash_helper"
 require "secure_headers/view_helper"
+require "useragent"
 
+# All headers (except for hpkp) have a default value. Provide SecureHeaders::OPT_OUT
+# or ":optout_of_protection" as a config value to disable a given header
 module SecureHeaders
-  SCRIPT_HASH_CONFIG_FILE = 'config/script_hashes.yml'
-  HASHES_ENV_KEY = 'secure_headers.script_hashes'
+  OPT_OUT = :opt_out_of_protection
+  SECURE_HEADERS_CONFIG = "secure_headers_request_config".freeze
+  NONCE_KEY = "secure_headers_content_security_policy_nonce".freeze
+  HTTPS = "https".freeze
+  CSP = ContentSecurityPolicy
 
   ALL_HEADER_CLASSES = [
-    SecureHeaders::ContentSecurityPolicy,
-    SecureHeaders::StrictTransportSecurity,
-    SecureHeaders::PublicKeyPins,
-    SecureHeaders::XContentTypeOptions,
-    SecureHeaders::XDownloadOptions,
-    SecureHeaders::XFrameOptions,
-    SecureHeaders::XPermittedCrossDomainPolicies,
-    SecureHeaders::XXssProtection
-  ]
-
-  ALL_FILTER_METHODS = [
-    :prep_script_hash,
-    :set_hsts_header,
-    :set_hpkp_header,
-    :set_x_frame_options_header,
-    :set_csp_header,
-    :set_x_xss_protection_header,
-    :set_x_content_type_options_header,
-    :set_x_download_options_header,
-    :set_x_permitted_cross_domain_policies_header
-  ]
-
-  module Configuration
-    class << self
-      attr_accessor :hsts, :x_frame_options, :x_content_type_options,
-        :x_xss_protection, :csp, :x_download_options, :script_hashes,
-        :x_permitted_cross_domain_policies, :hpkp
-
-      # For preparation for the secure_headers 3.x change.
-      def default &block
-        instance_eval &block
-        if File.exists?(SCRIPT_HASH_CONFIG_FILE)
-          ::SecureHeaders::Configuration.script_hashes = YAML.load(File.open(SCRIPT_HASH_CONFIG_FILE))
-        end
+    ContentSecurityPolicy,
+    StrictTransportSecurity,
+    PublicKeyPins,
+    XContentTypeOptions,
+    XDownloadOptions,
+    XFrameOptions,
+    XPermittedCrossDomainPolicies,
+    XXssProtection
+  ].freeze
+
+  ALL_HEADERS_BESIDES_CSP = (ALL_HEADER_CLASSES - [CSP]).freeze
+
+  # Headers set on http requests (excludes STS and HPKP)
+  HTTP_HEADER_CLASSES =
+    (ALL_HEADER_CLASSES - [StrictTransportSecurity, PublicKeyPins]).freeze
+
+  class << self
+    # Public: override a given set of directives for the current request. If a
+    # value already exists for a given directive, it will be overridden.
+    #
+    # If CSP was previously OPT_OUT, a new blank policy is used.
+    #
+    # additions - a hash containing directives. e.g.
+    #    script_src: %w(another-host.com)
+    def override_content_security_policy_directives(request, additions)
+      config = config_for(request).dup
+      if config.csp == OPT_OUT
+        config.csp = {}
+      end
+      config.csp.merge!(additions)
+      override_secure_headers_request_config(request, config)
+    end
+
+    # Public: appends source values to the current configuration. If no value
+    # is set for a given directive, the value will be merged with the default-src
+    # value. If a value exists for the given directive, the values will be combined.
+    #
+    # additions - a hash containing directives. e.g.
+    #    script_src: %w(another-host.com)
+    def append_content_security_policy_directives(request, additions)
+      config = config_for(request).dup
+      config.csp = CSP.combine_policies(config.csp, additions)
+      override_secure_headers_request_config(request, config)
+    end
+
+    # Public: override X-Frame-Options settings for this request.
+    #
+    # value - deny, sameorigin, or allowall
+    #
+    # Returns the current config
+    def override_x_frame_options(request, value)
+      default_config = config_for(request).dup
+      default_config.x_frame_options = value
+      override_secure_headers_request_config(request, default_config)
+    end
+
+    # Public: opts out of setting a given header by creating a temporary config
+    # and setting the given headers config to OPT_OUT.
+    def opt_out_of_header(request, header_key)
+      config = config_for(request).dup
+      config.send("#{header_key}=", OPT_OUT)
+      override_secure_headers_request_config(request, config)
+    end
+
+    # Public: opts out of setting all headers by telling secure_headers to use
+    # the NOOP configuration.
+    def opt_out_of_all_protection(request)
+      use_secure_headers_override(request, Configuration::NOOP_CONFIGURATION)
+    end
+
+    # Public: Builds the hash of headers that should be applied base on the
+    # request.
+    #
+    # StrictTransportSecurity and PublicKeyPins are not applied to http requests.
+    # See #config_for to determine which config is used for a given request.
+    #
+    # Returns a hash of header names => header values. The value
+    # returned is meant to be merged into the header value from `@app.call(env)`
+    # in Rack middleware.
+    def header_hash_for(request)
+      config = config_for(request)
+
+      headers = if cached_headers = config.cached_headers
+        use_cached_headers(cached_headers, request)
+      else
+        build_headers(config, request)
       end
 
-      def configure &block
-        warn "[DEPRECATION] `configure` is removed in secure_headers 3.x. Instead use `default`."
-        default &block
+      headers
+    end
+
+    # Public: specify which named override will be used for this request.
+    # Raises an argument error if no named override exists.
+    #
+    # name - the name of the previously configured override.
+    def use_secure_headers_override(request, name)
+      if config = Configuration.get(name)
+        override_secure_headers_request_config(request, config)
+      else
+        raise ArgumentError.new("no override by the name of #{name} has been configured")
       end
     end
-  end
 
-  class << self
-    def append_features(base)
-      base.send(:include, ControllerExtension)
+    # Public: gets or creates a nonce for CSP.
+    #
+    # The nonce will be added to script_src
+    #
+    # Returns the nonce
+    def content_security_policy_script_nonce(request)
+      content_security_policy_nonce(request, CSP::SCRIPT_SRC)
+    end
+
+    # Public: gets or creates a nonce for CSP.
+    #
+    # The nonce will be added to style_src
+    #
+    # Returns the nonce
+    def content_security_policy_style_nonce(request)
+      content_security_policy_nonce(request, CSP::STYLE_SRC)
+    end
+
+    private
+
+    # Private: gets or creates a nonce for CSP.
+    #
+    # Returns the nonce
+    def content_security_policy_nonce(request, script_or_style)
+      request.env[NONCE_KEY] ||= SecureRandom.base64(32).chomp
+      nonce_key = script_or_style == CSP::SCRIPT_SRC ? :script_nonce : :style_nonce
+      append_content_security_policy_directives(request, nonce_key => request.env[NONCE_KEY])
+      request.env[NONCE_KEY]
+    end
+
+    # Private: convenience method for specifying which configuration object should
+    # be used for this request.
+    #
+    # Returns the config.
+    def override_secure_headers_request_config(request, config)
+      request.env[SECURE_HEADERS_CONFIG] = config
     end
 
-    def header_hash(options = nil)
-      ALL_HEADER_CLASSES.inject({}) do |memo, klass|
-        # must use !options[key].nil? because 'false' represents opting out, nil
-        # represents use global default.
-        config = if options.is_a?(Hash) && !options[klass::Constants::CONFIG_KEY].nil?
-          options[klass::Constants::CONFIG_KEY]
+    # Private: determines which headers are applicable to a given request.
+    #
+    # Returns a list of classes whose corresponding header values are valid for
+    # this request.
+    def header_classes_for(request)
+      if request.scheme == HTTPS
+        ALL_HEADER_CLASSES
+      else
+        HTTP_HEADER_CLASSES
+      end
+    end
+
+    # Private: do the heavy lifting of converting a configuration object
+    # to a hash of headers valid for this request.
+    #
+    # Returns a hash of header names / values.
+    def build_headers(config, request)
+      header_classes_for(request).each_with_object({}) do |klass, hash|
+        header_config = if config
+          config.fetch(klass::CONFIG_KEY)
+        end
+
+        header_name, value = if klass == CSP
+          make_header(klass, header_config, request.user_agent)
         else
-          ::SecureHeaders::Configuration.send(klass::Constants::CONFIG_KEY)
+          make_header(klass, header_config)
         end
+        hash[header_name] = value if value
+      end
+    end
 
-        unless klass == SecureHeaders::PublicKeyPins && !config.is_a?(Hash)
-          header = get_a_header(klass, config)
-          memo[header.name] = header.value if header
+    # Private: takes a precomputed hash of headers and returns the Headers
+    # customized for the request.
+    #
+    # Returns a hash of header names / values valid for a given request.
+    def use_cached_headers(default_headers, request)
+      header_classes_for(request).each_with_object({}) do |klass, hash|
+        if default_header = default_headers[klass::CONFIG_KEY]
+          header_name, value = if klass == CSP
+            default_csp_header_for_ua(default_header, request)
+          else
+            default_header
+          end
+          hash[header_name] = value
         end
-        memo
       end
     end
 
-    def get_a_header(klass, options)
-      return if options == false
-      klass.new(options)
+    # Private: Retreives the config for a given header type:
+    #
+    # Checks to see if there is an override for this request, then
+    # Checks to see if a named override is used for this request, then
+    # Falls back to the global config
+    def config_for(request)
+      request.env[SECURE_HEADERS_CONFIG] ||
+        Configuration.get(Configuration::DEFAULT_CONFIG)
+    end
+
+    # Private: chooses the applicable CSP header for the provided user agent.
+    #
+    # headers - a hash of header_config_key => [header_name, header_value]
+    #
+    # Returns a CSP [header, value] array
+    def default_csp_header_for_ua(headers, request)
+      family = UserAgent.parse(request.user_agent).browser
+      if CSP::VARIATIONS.key?(family)
+        headers[family]
+      else
+        headers[CSP::OTHER]
+      end
+    end
+
+    # Private: optionally build a header with a given configure
+    #
+    # klass - corresponding Class for a given header
+    # config - A string, symbol, or hash config for the header
+    # user_agent - A string representing the UA  (only used for CSP feature sniffing)
+    #
+    # Returns a 2 element array [header_name, header_value] or nil if config
+    # is OPT_OUT
+    def make_header(klass, header_config, user_agent = nil)
+      unless header_config == OPT_OUT
+        if klass == CSP
+          klass.make_header(header_config, user_agent)
+        else
+          klass.make_header(header_config)
+        end
+      end
     end
   end
 
+  # These methods are mixed into controllers and delegate to the class method
+  # with the same name.
+  def use_secure_headers_override(name)
+    SecureHeaders.use_secure_headers_override(request, name)
+  end
+
+  def content_security_policy_script_nonce
+    SecureHeaders.content_security_policy_script_nonce(request)
+  end
+
+  def content_security_policy_style_nonce
+    SecureHeaders.content_security_policy_style_nonce(request)
+  end
+
+  def opt_out_of_header(header_key)
+    SecureHeaders.opt_out_of_header(request, header_key)
+  end
+
+  def append_content_security_policy_directives(additions)
+    SecureHeaders.append_content_security_policy_directives(request, additions)
+  end
+
+  def override_content_security_policy_directives(additions)
+    SecureHeaders.override_content_security_policy_directives(request, additions)
+  end
+
+  def override_x_frame_options(value)
+    SecureHeaders.override_x_frame_options(request, value)
+  end
 end

data/secure_headers.gemspec

@@ -1,24 +1,19 @@
 # -*- encoding: utf-8 -*-
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'secure_headers/version'
-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = SecureHeaders::VERSION
+  gem.version       = "3.0.0.pre"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
-  gem.description   = %q{Security related headers all in one gem.}
-  gem.summary       = %q{Add easily configured security headers to responses
+  gem.description   = 'Security related headers all in one gem.'
+  gem.summary       = 'Add easily configured security headers to responses
     including content-security-policy, x-frame-options,
-    strict-transport-security, etc.}
+    strict-transport-security, etc.'
   gem.homepage      = "https://github.com/twitter/secureheaders"
   gem.license       = "Apache Public License 2.0"
-  gem.files         = `git ls-files`.split($/)
-  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
+  gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
   gem.add_development_dependency "rake"
-  gem.add_dependency "user_agent_parser"
-  gem.post_install_message = "[DEPRECATION] Development has stopped on the 2.x line of secure_headers. It will be maintained, but new features will be added to the 3.x branch. A lot has changed in secure_headers 3.x. A migration guide can be found in the documentation: https://github.com/twitter/secureheaders/blob/master/upgrading-to-3-0.md."
+  gem.add_dependency "useragent"
 end

data/spec/lib/secure_headers/configuration_spec.rb

@@ -0,0 +1,80 @@
+require 'spec_helper'
+
+module SecureHeaders
+  describe Configuration do
+    before(:each) do
+      reset_config
+      Configuration.default
+    end
+
+    it "has a default config" do
+      expect(Configuration.get(Configuration::DEFAULT_CONFIG)).to_not be_nil
+    end
+
+    it "has an 'noop' config" do
+      expect(Configuration.get(Configuration::NOOP_CONFIGURATION)).to_not be_nil
+    end
+
+    it "precomputes headers upon creation" do
+      default_config = Configuration.get(Configuration::DEFAULT_CONFIG)
+      header_hash = default_config.cached_headers.each_with_object({}) do |(key, value), hash|
+        header_name, header_value = if key == :csp
+          value["Chrome"]
+        else
+          value
+        end
+
+        hash[header_name] = header_value
+      end
+      expect_default_values(header_hash)
+    end
+
+    it "copies all config values except for the cached headers when dup" do
+      Configuration.override(:test_override, Configuration::NOOP_CONFIGURATION) do
+        # do nothing, just copy it
+      end
+
+      config = Configuration.get(:test_override)
+      noop = Configuration.get(Configuration::NOOP_CONFIGURATION)
+      [:hsts, :x_frame_options, :x_content_type_options, :x_xss_protection,
+        :x_download_options, :x_permitted_cross_domain_policies, :hpkp, :csp].each do |key|
+
+        expect(config.send(key)).to eq(noop.send(key)), "Value not copied: #{key}."
+      end
+    end
+
+    it "stores an override of the global config" do
+      Configuration.override(:test_override) do |config|
+        config.x_frame_options = "DENY"
+      end
+
+      expect(Configuration.get(:test_override)).to_not be_nil
+    end
+
+    it "deep dup's config values when overriding so the original cannot be modified" do
+      Configuration.override(:override) do |config|
+        config.csp[:default_src] << "'self'"
+      end
+
+      default = Configuration.get
+      override = Configuration.get(:override)
+
+      expect(override.csp).not_to eq(default.csp)
+    end
+
+    it "allows you to override an override" do
+      Configuration.override(:override) do |config|
+        config.csp = { default_src: %w('self')}
+      end
+
+      Configuration.override(:second_override, :override) do |config|
+        config.csp = config.csp.merge(script_src: %w(example.org))
+      end
+
+      original_override = Configuration.get(:override)
+      expect(original_override.csp).to eq(default_src: %w('self'))
+      override_config = Configuration.get(:second_override)
+      expect(override_config.csp).to eq(default_src: %w('self'), script_src: %w(example.org))
+    end
+  end
+end