RubyGems - secure_headers - Versions diffs - 3.8.0 → 3.9.0 - Mend

secure_headers 3.8.0 → 3.9.0

Files changed (6) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d605beb08177e1325edd0726b0cb551d3ac71b6dc6da7c1261d6f30b60db7695
-  data.tar.gz: f166e3735db90264366d654520269fb3cfb696ce9747c1ce92c11927d3322cb2
+  metadata.gz: 6e2f294d6c2130a1f629bf3dba2a88da71fa2b80a015cb7dc96bcbbcb88d1d59
+  data.tar.gz: 767021dbec7d023bbcb629b3315ad10ff989e2c6ae7ceff9ffc5614b05fa3ba5
 SHA512:
-  metadata.gz: 784ea802225dbe362fa66d56022f13a1e8d58f71cac325959a7c28c4cb0f0acc25a478f794ef1286d3e951abb06f5c2fd25a3e448170643db6946c97027a3fe6
-  data.tar.gz: 19abcb3f648b322ac8db0ca9352e53a758be5253d110e67224e8632366efde66a034f9777dc77946ef897dbc99e9dbf72edca743a1b184ca8b336c0a63296f7c
+  metadata.gz: 86d16e60409fca6b72e16321100a6afc3cc1fded1fb79c004778c8cdae2872ed4751205e90274f4b2c0517a70763c896692d9bd547f3b5b9144b8479b93268d5
+  data.tar.gz: a2462e058ad88292d40e5a7e4e23e0a5ba431a8a114616f1e1d77bd5218e99ed0b68f4e7b0cf9e3480e10ca2e34e97d60e3b7b1d77db8b71da71c031f4cdaa52

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## 3.9.0
+Fixes newline injection issue
 ## 3.8.0
 Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418

@@ -144,10 +144,10 @@ module SecureHeaders
       return unless source_list && source_list.any?
       normalized_source_list = minify_source_list(directive, source_list).join(" ")
-      if normalized_source_list.include?(";")
-        Kernel.warn("#{directive} contains a ; in '#{normalized_source_list}' which will raise an error in future versions. It has been replaced with a blank space.")
+      if normalized_source_list =~ /(\n|;)/
+        Kernel.warn("#{directive} contains a #{$1} in #{normalized_source_list.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
       end
-      escaped_source_list = normalized_source_list.gsub(";", " ")
+      escaped_source_list = normalized_source_list.gsub(/[\n;]/, " ")
       [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
     end

data/secure_headers.gemspec CHANGED

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.8.0"
+  gem.version       = "3.9.0"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Manages application of security headers with many safe defaults.'

@@ -28,10 +28,15 @@ module SecureHeaders
       end
       it "deprecates and escapes semicolons in directive source lists" do
-        expect(Kernel).to receive(:warn).with("frame_ancestors contains a ; in 'google.com;script-src *;.;' which will raise an error in future versions. It has been replaced with a blank space.")
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a ; in "google.com;script-src *;.;" which will raise an error in future versions. It has been replaced with a blank space.))
         expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
       end
+      it "deprecates and escapes semicolons in directive source lists" do
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a \n in "\\nfoo.com\\nhacked" which will raise an error in future versions. It has been replaced with a blank space.))
+        expect(ContentSecurityPolicy.new(frame_ancestors: ["\nfoo.com\nhacked"]).value).to eq("frame-ancestors  foo.com hacked")
+      end
       it "discards 'none' values if any other source expressions are present" do
         csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
         expect(csp.value).not_to include("'none'")

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.8.0
+  version: 3.9.0
 platform: ruby
 authors:
 - Neil Matatall