secure_headers 3.4.1 → 3.5.0.pre

data/lib/secure_headers/headers/content_security_policy.rb

@@ -1,8 +1,8 @@
 require_relative 'policy_management'
+require_relative 'content_security_policy_config'
 require 'useragent'
 
 module SecureHeaders
-  class ContentSecurityPolicyConfigError < StandardError; end
   class ContentSecurityPolicy
     include PolicyManagement
 
@@ -10,28 +10,34 @@ module SecureHeaders
     VERSION_46 = ::UserAgent::Version.new("46")
 
     def initialize(config = nil, user_agent = OTHER)
-      @config = Configuration.send(:deep_copy, config || DEFAULT_CONFIG)
+      @config = if config.is_a?(Hash)
+        if config[:report_only]
+          ContentSecurityPolicyReportOnlyConfig.new(config || DEFAULT_CONFIG)
+        else
+          ContentSecurityPolicyConfig.new(config || DEFAULT_CONFIG)
+        end
+      elsif config.nil?
+        ContentSecurityPolicyConfig.new(DEFAULT_CONFIG)
+      else
+        config
+      end
+
       @parsed_ua = if user_agent.is_a?(UserAgent::Browsers::Base)
         user_agent
       else
         UserAgent.parse(user_agent)
       end
-      normalize_child_frame_src
-      @report_only = @config[:report_only]
-      @preserve_schemes = @config[:preserve_schemes]
-      @script_nonce = @config[:script_nonce]
-      @style_nonce = @config[:style_nonce]
+      @frame_src = normalize_child_frame_src
+      @preserve_schemes = @config.preserve_schemes
+      @script_nonce = @config.script_nonce
+      @style_nonce = @config.style_nonce
     end
 
     ##
     # Returns the name to use for the header. Either "Content-Security-Policy" or
     # "Content-Security-Policy-Report-Only"
     def name
-      if @report_only
-        REPORT_ONLY
-      else
-        HEADER_NAME
-      end
+      @config.class.const_get(:HEADER_NAME)
     end
 
     ##
@@ -49,16 +55,16 @@ module SecureHeaders
     # frame-src is deprecated, child-src is being implemented. They are
     # very similar and in most cases, the same value can be used for both.
     def normalize_child_frame_src
-      if @config[:frame_src] && @config[:child_src] && @config[:frame_src] != @config[:child_src]
+      if @config.frame_src && @config.child_src && @config.frame_src != @config.child_src
         Kernel.warn("#{Kernel.caller.first}: [DEPRECATION] both :child_src and :frame_src supplied and do not match. This can lead to inconsistent behavior across browsers.")
-      elsif @config[:frame_src]
-        Kernel.warn("#{Kernel.caller.first}: [DEPRECATION] :frame_src is deprecated, use :child_src instead. Provided: #{@config[:frame_src]}.")
+      elsif @config.frame_src
+        Kernel.warn("#{Kernel.caller.first}: [DEPRECATION] :frame_src is deprecated, use :child_src instead. Provided: #{@config.frame_src}.")
       end
 
       if supported_directives.include?(:child_src)
-        @config[:child_src] = @config[:child_src] || @config[:frame_src]
+        @config.child_src || @config.frame_src
       else
-        @config[:frame_src] = @config[:frame_src] || @config[:child_src]
+        @config.frame_src || @config.child_src
       end
     end
 
@@ -73,9 +79,9 @@ module SecureHeaders
       directives.map do |directive_name|
         case DIRECTIVE_VALUE_TYPES[directive_name]
         when :boolean
-          symbol_to_hyphen_case(directive_name) if @config[directive_name]
+          symbol_to_hyphen_case(directive_name) if @config.directive_value(directive_name)
         when :string
-          [symbol_to_hyphen_case(directive_name), @config[directive_name]].join(" ")
+          [symbol_to_hyphen_case(directive_name), @config.directive_value(directive_name)].join(" ")
         else
           build_directive(directive_name)
         end
@@ -88,11 +94,19 @@ module SecureHeaders
     #
     # Returns a string representing a directive.
     def build_directive(directive)
-      return if @config[directive].nil?
-
-      source_list = @config[directive].compact
-      return if source_list.empty?
-
+      source_list = case directive
+      when :child_src
+        if supported_directives.include?(:child_src)
+          @frame_src
+        end
+      when :frame_src
+        unless supported_directives.include?(:child_src)
+          @frame_src
+        end
+      else
+        @config.directive_value(directive)
+      end
+      return unless source_list && source_list.any?
       normalized_source_list = minify_source_list(directive, source_list)
       [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
     end
@@ -101,16 +115,17 @@ module SecureHeaders
     # If a directive contains 'none' but has other values, 'none' is ommitted.
     # Schemes are stripped (see http://www.w3.org/TR/CSP2/#match-source-expression)
     def minify_source_list(directive, source_list)
+      source_list = source_list.compact
       if source_list.include?(STAR)
         keep_wildcard_sources(source_list)
       else
-        populate_nonces!(directive, source_list)
-        reject_all_values_if_none!(source_list)
+        source_list = populate_nonces(directive, source_list)
+        source_list = reject_all_values_if_none(source_list)
 
         unless directive == REPORT_URI || @preserve_schemes
-          strip_source_schemes!(source_list)
+          source_list = strip_source_schemes(source_list)
         end
-        dedup_source_list(source_list).join(" ")
+        dedup_source_list(source_list)
       end
     end
 
@@ -120,8 +135,12 @@ module SecureHeaders
     end
 
     # Discard any 'none' values if more directives are supplied since none may override values.
-    def reject_all_values_if_none!(source_list)
-      source_list.reject! { |value| value == NONE } if source_list.length > 1
+    def reject_all_values_if_none(source_list)
+      if source_list.length > 1
+        source_list.reject { |value| value == NONE }
+      else
+        source_list
+      end
     end
 
     # Removes duplicates and sources that already match an existing wild card.
@@ -143,12 +162,14 @@ module SecureHeaders
 
     # Private: append a nonce to the script/style directories if script_nonce
     # or style_nonce are provided.
-    def populate_nonces!(directive, source_list)
+    def populate_nonces(directive, source_list)
       case directive
       when SCRIPT_SRC
         append_nonce(source_list, @script_nonce)
       when STYLE_SRC
         append_nonce(source_list, @style_nonce)
+      else
+        source_list
       end
     end
 
@@ -165,19 +186,23 @@ module SecureHeaders
           source_list << UNSAFE_INLINE
         end
       end
+
+      source_list
     end
 
     # Private: return the list of directives that are supported by the user agent,
     # starting with default-src and ending with report-uri.
     def directives
-      [DEFAULT_SRC,
+      [
+        DEFAULT_SRC,
         BODY_DIRECTIVES.select { |key| supported_directives.include?(key) },
-        REPORT_URI].flatten.select { |directive| @config.key?(directive) }
+        REPORT_URI
+      ].flatten
     end
 
     # Private: Remove scheme from source expressions.
-    def strip_source_schemes!(source_list)
-      source_list.map! { |source_expression| source_expression.sub(HTTP_SCHEME_REGEX, "") }
+    def strip_source_schemes(source_list)
+      source_list.map { |source_expression| source_expression.sub(HTTP_SCHEME_REGEX, "") }
     end
 
     # Private: determine which directives are supported for the given user agent.

data/lib/secure_headers/headers/content_security_policy_config.rb

@@ -0,0 +1,128 @@
+module SecureHeaders
+  module DynamicConfig
+    def self.included(base)
+      base.send(:attr_writer, :modified)
+      base.send(:attr_reader, *base.attrs)
+      base.attrs.each do |attr|
+        base.send(:define_method, "#{attr}=") do |value|
+          if self.class.attrs.include?(attr)
+            value = value.dup if PolicyManagement::DIRECTIVE_VALUE_TYPES[attr] == :source_list
+            prev_value = self.instance_variable_get("@#{attr}")
+            self.instance_variable_set("@#{attr}", value)
+            if prev_value != self.instance_variable_get("@#{attr}")
+              @modified = true
+            end
+          else
+            raise ContentSecurityPolicyConfigError, "Unknown config directive: #{attr}=#{value}"
+          end
+        end
+      end
+    end
+
+    def initialize(hash)
+      from_hash(hash)
+      @modified = false
+    end
+
+    def update_directive(directive, value)
+      self.send("#{directive}=", value)
+    end
+
+    def directive_value(directive)
+      if self.class.attrs.include?(directive)
+        self.send(directive)
+      end
+    end
+
+    def modified?
+      @modified
+    end
+
+    def merge(new_hash)
+      ContentSecurityPolicy.combine_policies(self.to_h, new_hash)
+    end
+
+    def merge!(new_hash)
+      from_hash(new_hash)
+    end
+
+    def append(new_hash)
+      from_hash(ContentSecurityPolicy.combine_policies(self.to_h, new_hash))
+    end
+
+    def to_h
+      self.class.attrs.each_with_object({}) do |key, hash|
+        hash[key] = self.send(key)
+      end.reject { |_, v| v.nil? }
+    end
+
+    def dup
+      self.class.new(self.to_h)
+    end
+
+    def opt_out?
+      false
+    end
+
+    def ==(o)
+      self.class == o.class && self.to_h == o.to_h
+    end
+
+    alias_method :[], :directive_value
+    alias_method :[]=, :update_directive
+
+    private
+    def from_hash(hash)
+      hash.keys.reject { |k| hash[k].nil? }.map do |k|
+        if self.class.attrs.include?(k)
+          self.send("#{k}=", hash[k])
+        else
+          raise ContentSecurityPolicyConfigError, "Unknown config directive: #{k}=#{hash[k]}"
+        end
+      end
+    end
+  end
+
+  class ContentSecurityPolicyConfigError < StandardError; end
+  class ContentSecurityPolicyConfig
+    CONFIG_KEY = :csp
+    HEADER_NAME = "Content-Security-Policy".freeze
+
+    def self.attrs
+      PolicyManagement::ALL_DIRECTIVES + PolicyManagement::META_CONFIGS + PolicyManagement::NONCES
+    end
+
+    include DynamicConfig
+
+    # based on what was suggested in https://github.com/rails/rails/pull/24961/files
+    DEFAULT = {
+      default_src: %w('self' https:),
+      font_src: %w('self' https: data:),
+      img_src: %w('self' https: data:),
+      object_src: %w('none'),
+      script_src: %w(https:),
+      style_src: %w('self' https: 'unsafe-inline')
+    }
+
+    def report_only?
+      false
+    end
+
+    def make_report_only
+      ContentSecurityPolicyReportOnlyConfig.new(self.to_h)
+    end
+  end
+
+  class ContentSecurityPolicyReportOnlyConfig < ContentSecurityPolicyConfig
+    CONFIG_KEY = :csp_report_only
+    HEADER_NAME = "Content-Security-Policy-Report-Only".freeze
+
+    def report_only?
+      true
+    end
+
+    def make_report_only
+      self
+    end
+  end
+end

data/lib/secure_headers/headers/policy_management.rb

@@ -7,9 +7,6 @@ module SecureHeaders
     MODERN_BROWSERS = %w(Chrome Opera Firefox)
     DEFAULT_VALUE = "default-src https:".freeze
     DEFAULT_CONFIG = { default_src: %w(https:) }.freeze
-    HEADER_NAME = "Content-Security-Policy".freeze
-    REPORT_ONLY = "Content-Security-Policy-Report-Only".freeze
-    HEADER_NAMES = [HEADER_NAME, REPORT_ONLY]
     DATA_PROTOCOL = "data:".freeze
     BLOB_PROTOCOL = "blob:".freeze
     SELF = "'self'".freeze
@@ -158,13 +155,13 @@ module SecureHeaders
       PLUGIN_TYPES              => :source_list,
       REFLECTED_XSS             => :string,
       REPORT_URI                => :source_list,
-      SANDBOX                   => :string,
+      SANDBOX                   => :source_list,
       SCRIPT_SRC                => :source_list,
       STYLE_SRC                 => :source_list,
       UPGRADE_INSECURE_REQUESTS => :boolean
     }.freeze
 
-    CONFIG_KEY = :csp
+
     STAR_REGEXP = Regexp.new(Regexp.escape(STAR))
     HTTP_SCHEME_REGEX = %r{\Ahttps?://}
 
@@ -181,6 +178,11 @@ module SecureHeaders
       :preserve_schemes
     ].freeze
 
+    NONCES = [
+      :script_nonce,
+      :style_nonce
+    ].freeze
+
     module ClassMethods
       # Public: generate a header name, value array that is user-agent-aware.
       #
@@ -196,9 +198,11 @@ module SecureHeaders
       # Does not validate the invididual values of the source expression (e.g.
       # script_src => h*t*t*p: will not raise an exception)
       def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config[:default_src]
-        config.each do |key, value|
+        return if config.nil? || config.opt_out?
+        raise ContentSecurityPolicyConfigError.new(":default_src is required") unless config.directive_value(:default_src)
+        ContentSecurityPolicyConfig.attrs.each do |key|
+          value = config.directive_value(key)
+          next unless value
           if META_CONFIGS.include?(key)
             raise ContentSecurityPolicyConfigError.new("#{key} must be a boolean value") unless boolean?(value) || value.nil?
           else
@@ -207,18 +211,6 @@ module SecureHeaders
         end
       end
 
-      # Public: determine if merging +additions+ will cause a change to the
-      # actual value of the config.
-      #
-      # e.g. config = { script_src: %w(example.org google.com)} and
-      # additions = { script_src: %w(google.com)} then idempotent_additions? would return
-      # because google.com is already in the config.
-      def idempotent_additions?(config, additions)
-        return true if config == OPT_OUT && additions == OPT_OUT
-        return false if config == OPT_OUT
-        config == combine_policies(config, additions)
-      end
-
       # Public: combine the values from two different configs.
       #
       # original - the main config
@@ -233,7 +225,7 @@ module SecureHeaders
       # 3. if a value in additions does exist in the original config, the two
       # values are joined.
       def combine_policies(original, additions)
-        if original == OPT_OUT
+        if original == {}
           raise ContentSecurityPolicyConfigError.new("Attempted to override an opt-out CSP config.")
         end
 

data/secure_headers.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.4.1"
+  gem.version       = "3.5.0.pre"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Security related headers all in one gem.'

data/spec/lib/secure_headers/configuration_spec.rb

@@ -36,8 +36,8 @@ module SecureHeaders
 
       config = Configuration.get(:test_override)
       noop = Configuration.get(Configuration::NOOP_CONFIGURATION)
-      [:csp, :dynamic_csp, :cookies].each do |key|
-        expect(config.send(key)).to eq(noop.send(key)), "Value not copied: #{key}."
+      [:csp, :csp_report_only, :cookies].each do |key|
+        expect(config.send(key)).to eq(noop.send(key))
       end
     end
 
@@ -65,7 +65,7 @@ module SecureHeaders
       default = Configuration.get
       override = Configuration.get(:override)
 
-      expect(override.csp).not_to eq(default.csp)
+      expect(override.csp.directive_value(:default_src)).not_to be(default.csp.directive_value(:default_src))
     end
 
     it "allows you to override an override" do
@@ -78,9 +78,9 @@ module SecureHeaders
       end
 
       original_override = Configuration.get(:override)
-      expect(original_override.csp).to eq(default_src: %w('self'))
+      expect(original_override.csp.to_h).to eq(default_src: %w('self'))
       override_config = Configuration.get(:second_override)
-      expect(override_config.csp).to eq(default_src: %w('self'), script_src: %w(example.org))
+      expect(override_config.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self' example.org))
     end
 
     it "deprecates the secure_cookies configuration" do

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -14,11 +14,11 @@ module SecureHeaders
 
     describe "#name" do
       context "when in report-only mode" do
-        specify { expect(ContentSecurityPolicy.new(default_opts.merge(report_only: true)).name).to eq(ContentSecurityPolicy::HEADER_NAME + "-Report-Only") }
+        specify { expect(ContentSecurityPolicy.new(default_opts.merge(report_only: true)).name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME) }
       end
 
       context "when in enforce mode" do
-        specify { expect(ContentSecurityPolicy.new(default_opts).name).to eq(ContentSecurityPolicy::HEADER_NAME) }
+        specify { expect(ContentSecurityPolicy.new(default_opts).name).to eq(ContentSecurityPolicyConfig::HEADER_NAME) }
       end
     end