RubyGems - secure_headers - Versions diffs - 3.0.2 → 3.0.3 - Mend

secure_headers 3.0.2 → 3.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +19 -0
data/lib/secure_headers/headers/content_security_policy.rb +11 -1
data/secure_headers.gemspec +1 -1
data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +23 -2
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 38f8848bc8ed124b3cf8a37194bb521f780a35f9
-  data.tar.gz: 62c0b9f67c175c1492ef29a5be347f19a37f84e4
+  metadata.gz: 8ce791545252f765e19db9b42b88d0dec3c7f14a
+  data.tar.gz: 5a677c30789119f527ea04f940de663a98344339
 SHA512:
-  metadata.gz: ff5d974553272fbe6aba27b4d1f2b005c7d6a6493475bc94ce73535b2fbd19b87d9cb6ddf17a03d814ce59b9f3170511cc531d8b1e8d83bdb8bf6d3bed4a6cfe
-  data.tar.gz: d254d604fdb85af4727d25c2229d7b8f7bbc950e947a75e71c1b94ca1b79cbbcea96549ec29ee832ac63ea94eed779de2e85e12b3a9fcce09bc58193d948ffe9
+  metadata.gz: c861e7c69de1e69d4a53090a33b9c2f699900ee728d55694f0e7df7c32f430bebc65a9304cf0a8536c4663ed97c678340065a17a1ce6862c000b1c7984989d29
+  data.tar.gz: cc33e4d244bbd8bdc46960594d5d6de0bae38bcac6b282f5be9a8a32807d6ad2eb737e28553335cc74223a8ede8c6d592207bd5ee168fb05bf91c04118c8ec69

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,22 @@
+## 3.0.3
+Bug fix for handling policy merges where appending a non-default source value (report-uri, plugin-types, frame-ancestors, base-uri, and form-action) would be combined with the default-src value. Appending a directive that doesn't exist in the current policy combines the new value with `default-src` to mimic the actual behavior of the addition. However, this does not make sense for non-default-src values (a.k.a. "fetch directives") and can lead to unexpected behavior like a `report-uri` value of `*`. Previously, this config:
+```
+{
+  default_src => %w(*)
+}
+```
+When appending:
+```
+{
+  report_uri => %w(https://report-uri.io/asdf)
+}
+Would result in `default-src *; report-uri *` which doesn't make any sense at all.
 ## 3.0.2
 Bug fix for handling CSP configs that supply a frozen hash. If a directive value is `nil`, then appending to a config with a frozen hash would cause an error since we're trying to modify a frozen hash. See https://github.com/twitter/secureheaders/pull/223.

data/lib/secure_headers/headers/content_security_policy.rb CHANGED Viewed

@@ -55,6 +55,16 @@ module SecureHeaders
     FRAME_ANCESTORS = :frame_ancestors
     PLUGIN_TYPES = :plugin_types
+    # These are directives that do not inherit the default-src value. This is
+    # useful when calling #combine_policies.
+    NON_DEFAULT_SOURCES = [
+      BASE_URI,
+      FORM_ACTION,
+      FRAME_ANCESTORS,
+      PLUGIN_TYPES,
+      REPORT_URI
+    ]
     DIRECTIVES_2_0 = [
       DIRECTIVES_1_0,
       BASE_URI,
@@ -214,7 +224,7 @@ module SecureHeaders
         # in case we would be appending to an empty directive, fill it with the default-src value
         additions.keys.each do |directive|
-          unless original[directive] || !source_list?(directive)
+          unless original[directive] || !source_list?(directive) || NON_DEFAULT_SOURCES.include?(directive)
             original[directive] = original[:default_src]
           end
         end

data/secure_headers.gemspec CHANGED Viewed

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.0.2"
+  gem.version       = "3.0.3"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Security related headers all in one gem.'

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb CHANGED Viewed

@@ -124,8 +124,29 @@ module SecureHeaders
             report_only: false
           }.freeze
         end
-        combined_config = CSP.combine_policies(Configuration.get.csp, report_uri: %w(https://report-uri.io/asdf))
-        expect(combined_config[:report_uri]).to_not be_nil
+        report_uri = "https://report-uri.io/asdf"
+        combined_config = CSP.combine_policies(Configuration.get.csp, report_uri: [report_uri])
+        csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
+        expect(csp.value).to include("report-uri #{report_uri}")
+      end
+      it "does not combine the default-src value for directives that don't fall back to default sources" do
+        Configuration.default do |config|
+          config.csp = {
+            default_src: %w('self'),
+            report_only: false
+          }.freeze
+        end
+        non_default_source_additions = CSP::NON_DEFAULT_SOURCES.each_with_object({}) do |directive, hash|
+          hash[directive] = %w("http://example.org)
+        end
+        combined_config = CSP.combine_policies(Configuration.get.csp, non_default_source_additions)
+        CSP::NON_DEFAULT_SOURCES.each do |directive|
+          expect(combined_config[directive]).to eq(%w("http://example.org))
+        end
+         ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox]).value
       end
       it "overrides the report_only flag" do

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.0.2
+  version: 3.0.3
 platform: ruby
 authors:
 - Neil Matatall