secure_headers 3.0.2 → 3.0.3

Potentially problematic release.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 38f8848bc8ed124b3cf8a37194bb521f780a35f9
4
- data.tar.gz: 62c0b9f67c175c1492ef29a5be347f19a37f84e4
3
+ metadata.gz: 8ce791545252f765e19db9b42b88d0dec3c7f14a
4
+ data.tar.gz: 5a677c30789119f527ea04f940de663a98344339
5
5
  SHA512:
6
- metadata.gz: ff5d974553272fbe6aba27b4d1f2b005c7d6a6493475bc94ce73535b2fbd19b87d9cb6ddf17a03d814ce59b9f3170511cc531d8b1e8d83bdb8bf6d3bed4a6cfe
7
- data.tar.gz: d254d604fdb85af4727d25c2229d7b8f7bbc950e947a75e71c1b94ca1b79cbbcea96549ec29ee832ac63ea94eed779de2e85e12b3a9fcce09bc58193d948ffe9
6
+ metadata.gz: c861e7c69de1e69d4a53090a33b9c2f699900ee728d55694f0e7df7c32f430bebc65a9304cf0a8536c4663ed97c678340065a17a1ce6862c000b1c7984989d29
7
+ data.tar.gz: cc33e4d244bbd8bdc46960594d5d6de0bae38bcac6b282f5be9a8a32807d6ad2eb737e28553335cc74223a8ede8c6d592207bd5ee168fb05bf91c04118c8ec69
data/CHANGELOG.md CHANGED
@@ -1,3 +1,22 @@
1
+ ## 3.0.3
2
+
3
+ Bug fix for handling policy merges where appending a non-default source value (report-uri, plugin-types, frame-ancestors, base-uri, and form-action) would be combined with the default-src value. Appending a directive that doesn't exist in the current policy combines the new value with `default-src` to mimic the actual behavior of the addition. However, this does not make sense for non-default-src values (a.k.a. "fetch directives") and can lead to unexpected behavior like a `report-uri` value of `*`. Previously, this config:
4
+
5
+ ```
6
+ {
7
+ default_src => %w(*)
8
+ }
9
+ ```
10
+
11
+ When appending:
12
+
13
+ ```
14
+ {
15
+ report_uri => %w(https://report-uri.io/asdf)
16
+ }
17
+
18
+ Would result in `default-src *; report-uri *` which doesn't make any sense at all.
19
+
1
20
  ## 3.0.2
2
21
 
3
22
  Bug fix for handling CSP configs that supply a frozen hash. If a directive value is `nil`, then appending to a config with a frozen hash would cause an error since we're trying to modify a frozen hash. See https://github.com/twitter/secureheaders/pull/223.
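Review bot: the aside `(a.k.a. "fetch directives")` in the 3.0.3 entry has the terminology backwards. report-uri, plugin-types, frame-ancestors, base-uri and form-action are precisely the directives that are not fetch directives; it is the fetch directives (script-src, img-src and so on) that fall back to `default-src`, which is the whole reason these five must be excluded from the merge. Suggest rewording to "(these are not fetch directives, so they never fall back to default-src)". Two smaller points in the same entry: the second ``` fence around the `report_uri` hash is never closed, so the "Would result in ..." sentence renders inside the code block; and both hash literals, `default_src => %w(*)` and `report_uri => %w(https://report-uri.io/asdf)`, are not valid Ruby because the keys are bare words rather than symbols (the spec below writes them as `default_src: %w('self')`). It would also help to link the fixing PR, as the 3.0.2 entry does.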
@@ -55,6 +55,16 @@ module SecureHeaders
55
55
  FRAME_ANCESTORS = :frame_ancestors
56
56
  PLUGIN_TYPES = :plugin_types
57
57
 
58
+ # These are directives that do not inherit the default-src value. This is
59
+ # useful when calling #combine_policies.
60
+ NON_DEFAULT_SOURCES = [
61
+ BASE_URI,
62
+ FORM_ACTION,
63
+ FRAME_ANCESTORS,
64
+ PLUGIN_TYPES,
65
+ REPORT_URI
66
+ ]
67
+
58
68
  DIRECTIVES_2_0 = [
59
69
  DIRECTIVES_1_0,
60
70
  BASE_URI,
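Review bot: the comment on `NON_DEFAULT_SOURCES` should state why these five directives are listed, because the list is maintained by hand and nothing ties it to `DIRECTIVES_2_0` defined just below it: per the CSP specification, base-uri, form-action, frame-ancestors, plugin-types and report-uri have no fallback to `default-src`, so any directive added later that likewise has no fallback must also be added here. Citing the spec section in the comment makes that maintenance rule discoverable. `sandbox` has no fallback either; presumably it is already skipped by the `!source_list?(directive)` check in `combine_policies`, but a one-line comment saying so would save the next reader the question. Consider `.freeze` on the array as well, in line with the frozen-config handling described in the 3.0.2 changelog entry, so a caller cannot mutate it with `<<`.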
@@ -214,7 +224,7 @@ module SecureHeaders
214
224
 
215
225
  # in case we would be appending to an empty directive, fill it with the default-src value
216
226
  additions.keys.each do |directive|
217
- unless original[directive] || !source_list?(directive)
227
+ unless original[directive] || !source_list?(directive) || NON_DEFAULT_SOURCES.include?(directive)
218
228
  original[directive] = original[:default_src]
219
229
  end
220
230
  end
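Review bot: the changed condition `unless original[directive] || !source_list?(directive) || NON_DEFAULT_SOURCES.include?(directive)` now mixes three clauses of opposite polarity in one `unless`, which is easy to misread; three guards say the same thing plainly: `next if original[directive]`, `next unless source_list?(directive)`, `next if NON_DEFAULT_SOURCES.include?(directive)`. Two further points on the unchanged lines around it. `original[directive] = original[:default_src]` stores the same Array object, not a copy, so if the append that follows this loop modifies the array in place (`<<`, `concat`), the `default_src` entry changes with it; either assign `original[:default_src].dup` or add a test that `default_src` is unchanged after combining. And the comment "appending to an empty directive" does not match the check: `original[directive]` is only falsy when the key is absent or `nil`, so an explicitly empty `[]` is left alone, which is fine but should be what the comment says.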
@@ -1,7 +1,7 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "secure_headers"
4
- gem.version = "3.0.2"
4
+ gem.version = "3.0.3"
5
5
  gem.authors = ["Neil Matatall"]
6
6
  gem.email = ["neil.matatall@gmail.com"]
7
7
  gem.description = 'Security related headers all in one gem.'
@@ -124,8 +124,29 @@ module SecureHeaders
124
124
  report_only: false
125
125
  }.freeze
126
126
  end
127
- combined_config = CSP.combine_policies(Configuration.get.csp, report_uri: %w(https://report-uri.io/asdf))
128
- expect(combined_config[:report_uri]).to_not be_nil
127
+ report_uri = "https://report-uri.io/asdf"
128
+ combined_config = CSP.combine_policies(Configuration.get.csp, report_uri: [report_uri])
129
+ csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
130
+ expect(csp.value).to include("report-uri #{report_uri}")
131
+ end
132
+
133
+ it "does not combine the default-src value for directives that don't fall back to default sources" do
134
+ Configuration.default do |config|
135
+ config.csp = {
136
+ default_src: %w('self'),
137
+ report_only: false
138
+ }.freeze
139
+ end
140
+ non_default_source_additions = CSP::NON_DEFAULT_SOURCES.each_with_object({}) do |directive, hash|
141
+ hash[directive] = %w("http://example.org)
142
+ end
143
+ combined_config = CSP.combine_policies(Configuration.get.csp, non_default_source_additions)
144
+
145
+ CSP::NON_DEFAULT_SOURCES.each do |directive|
146
+ expect(combined_config[directive]).to eq(%w("http://example.org))
147
+ end
148
+
149
+ ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox]).value
129
150
  end
130
151
 
131
152
  it "overrides the report_only flag" do
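Review bot: `%w("http://example.org)` on both the additions line and the `expect(...).to eq(...)` line carries a stray `"` inside the `%w` literal, so the value under test is the string `"http://example.org` with a leading double quote, which is never a valid source expression; because the expectation compares against the same typo the test still passes. Change both to `%w(http://example.org)`. Also, the final `ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox]).value` is evaluated and its result discarded; assert on it, for example that the header contains each of the five directives with `http://example.org` and that none of them carries `'self'`, otherwise the test only proves the hash merge and not the emitted header, which is exactly what the 3.0.3 fix is about. The new `report_uri` assertion in the previous test already takes that approach, so the two tests would then be consistent.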
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.2
4
+ version: 3.0.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall