RubyGems - secure_headers - Versions diffs - 5.0.4 → 5.2.0 - Mend

secure_headers 5.0.4 → 5.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml +4 -4
data/.travis.yml +3 -3
data/CHANGELOG.md +12 -0
data/Gemfile +2 -1
data/lib/secure_headers.rb +2 -2
data/lib/secure_headers/configuration.rb +6 -2
data/lib/secure_headers/headers/clear_site_data.rb +1 -1
data/lib/secure_headers/headers/content_security_policy.rb +8 -2
data/secure_headers.gemspec +1 -10
data/spec/lib/secure_headers/configuration_spec.rb +18 -13
data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +10 -0
data/spec/lib/secure_headers/headers/policy_management_spec.rb +6 -6
data/spec/lib/secure_headers/middleware_spec.rb +2 -2
data/spec/lib/secure_headers/view_helpers_spec.rb +1 -1
metadata +3 -8

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d30a295775010a197058029cc447bdf51ad1f93e
-  data.tar.gz: 79a4928de6fe2508ebdfed92cfe36ba1d70cdce8
+  metadata.gz: 1b901bf6e9f4127c81ec207e46599054feb18f32
+  data.tar.gz: 642585cfc04901c83ff5d90ea1600f5ef141fec4
 SHA512:
-  metadata.gz: 206573552433a49370adf984f538091ac3bd4c2e6ee0ba521f949762e145259725a3938ab2ec5124b5556fdd1502388ac8dd7e8d5fcc947c9f96e3ed78947cfa
-  data.tar.gz: c53aab77376ad2d8fac21c2d684cc02dcf14322cd51591d7048f0865315a60b6266ce7f066651040b8d626adf311101e31b2b1690ce1e3b18190ea42f90f24ac
+  metadata.gz: 8e304a7d52e6dbf0a4fd2bb114201ba781e8565fd9ecbd4977e6169f922101f186c7024194c81ecd780376f2e4c18f7af3bd88f98cd2b86301b15de5e4148c44
+  data.tar.gz: 9d5e1e8f35954baea9e4fcec70af22e7f3c2d8b16deaa98d6c882c9373c9a76556a711696b081920d9279df96375dd6e2a473e265c9bfbf2e12a6f9a62da486f

data/.travis.yml CHANGED Viewed

@@ -2,9 +2,9 @@ language: ruby
 rvm:
   - ruby-head
-  - 2.4.2
-  - 2.3.5
-  - 2.2.8
+  - 2.6
+  - 2.5
+  - 2.4
   - jruby-head
 env:

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,15 @@
+## 5.2.0
+Fixes newline injection issue
+## 5.1.0
+Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418
+## 5.0.5
+A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
 ## 5.0.4
 - Adds support for `nonced_stylesheet_pack_tag` #373 (@paulfri)

data/Gemfile CHANGED Viewed

@@ -9,7 +9,7 @@ group :test do
   gem "pry-nav"
   gem "rack"
   gem "rspec"
-  gem "rubocop"
+  gem "rubocop", "< 0.68"
   gem "rubocop-github"
   gem "term-ansicolor"
   gem "tins"
@@ -19,4 +19,5 @@ group :guard do
   gem "growl"
   gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
   gem "rb-fsevent"
+  gem "terminal-notifier-guard"
 end

data/lib/secure_headers.rb CHANGED Viewed

@@ -196,7 +196,7 @@ module SecureHeaders
     #
     # name - the name of the previously configured override.
     def use_secure_headers_override(request, name)
-      if config = Configuration.get(name)
+      if config = Configuration.get(name, internal: true)
         override_secure_headers_request_config(request, config)
       else
         raise ArgumentError.new("no override by the name of #{name} has been configured")
@@ -228,7 +228,7 @@ module SecureHeaders
     # Falls back to the global config
     def config_for(request, prevent_dup = false)
       config = request.env[SECURE_HEADERS_CONFIG] ||
-        Configuration.get(Configuration::DEFAULT_CONFIG)
+        Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
       # Global configs are frozen, per-request configs are not. When we're not

data/lib/secure_headers/configuration.rb CHANGED Viewed

@@ -28,7 +28,7 @@ module SecureHeaders
       #
       # Returns: the newly created config
       def override(name, base = DEFAULT_CONFIG, &block)
-        unless get(base)
+        unless get(base, internal: true)
           raise NotYetConfiguredError, "#{base} policy not yet supplied"
         end
         override = @configurations[base].dup
@@ -40,7 +40,11 @@ module SecureHeaders
       #
       # Returns the configuration with a given name or raises a
       # NotYetConfiguredError if `default` has not been called.
-      def get(name = DEFAULT_CONFIG)
+      def get(name = DEFAULT_CONFIG, internal: false)
+        unless internal
+          Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#get` is deprecated. It will be removed in the next major release. Use SecureHeaders::Configuration.dup to retrieve the default config."
+        end
         if @configurations.nil?
           raise NotYetConfiguredError, "Default policy not yet supplied"
         end

data/lib/secure_headers/headers/clear_site_data.rb CHANGED Viewed

@@ -48,7 +48,7 @@ module SecureHeaders
       #
       # Returns a String of quoted values that are comma separated.
       def make_header_value(types)
-        types.map { |t| "\"#{t}\""}.join(", ")
+        types.map { |t| %("#{t}") }.join(", ")
       end
     end
   end

data/lib/secure_headers/headers/content_security_policy.rb CHANGED Viewed

@@ -138,8 +138,14 @@ module SecureHeaders
       end
       if source_list != OPT_OUT && source_list && source_list.any?
-        normalized_source_list = minify_source_list(directive, source_list)
-        [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
+        minified_source_list = minify_source_list(directive, source_list).join(" ")
+        if minified_source_list =~ /(\n|;)/
+          Kernel.warn("#{directive} contains a #{$1} in #{minified_source_list.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
+        end
+        escaped_source_list = minified_source_list.gsub(/[\n;]/, " ")
+        [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
       end
     end

data/secure_headers.gemspec CHANGED Viewed

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "5.0.4"
+  gem.version       = "5.2.0"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = "Manages application of security headers with many safe defaults."
@@ -17,13 +17,4 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.add_development_dependency "rake"
   gem.add_dependency "useragent", ">= 0.15.0"
-  # TODO: delete this after 4.1 is cut or a number of 4.0.x releases have occurred
-  gem.post_install_message = <<-POST_INSTALL
-**********
-:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-5-0.md
-**********
-  POST_INSTALL
 end

data/spec/lib/secure_headers/configuration_spec.rb CHANGED Viewed

@@ -9,15 +9,20 @@ module SecureHeaders
     end
     it "has a default config" do
-      expect(Configuration.get(Configuration::DEFAULT_CONFIG)).to_not be_nil
+      expect(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)).to_not be_nil
+    end
+    it "warns when using deprecated internal-ish #get API" do
+      expect(Kernel).to receive(:warn).once.with(/`#get` is deprecated/)
+      Configuration.get(Configuration::DEFAULT_CONFIG)
     end
     it "has an 'noop' config" do
-      expect(Configuration.get(Configuration::NOOP_CONFIGURATION)).to_not be_nil
+      expect(Configuration.get(Configuration::NOOP_CONFIGURATION, internal: true)).to_not be_nil
     end
     it "precomputes headers upon creation" do
-      default_config = Configuration.get(Configuration::DEFAULT_CONFIG)
+      default_config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
       header_hash = default_config.cached_headers.each_with_object({}) do |(key, value), hash|
         header_name, header_value = if key == :csp
           value["Chrome"]
@@ -35,8 +40,8 @@ module SecureHeaders
         # do nothing, just copy it
       end
-      config = Configuration.get(:test_override)
-      noop = Configuration.get(Configuration::NOOP_CONFIGURATION)
+      config = Configuration.get(:test_override, internal: true)
+      noop = Configuration.get(Configuration::NOOP_CONFIGURATION, internal: true)
       [:csp, :csp_report_only, :cookies].each do |key|
         expect(config.send(key)).to eq(noop.send(key))
       end
@@ -47,7 +52,7 @@ module SecureHeaders
         config.x_content_type_options = OPT_OUT
       end
-      expect(Configuration.get.cached_headers).to_not eq(Configuration.get(:test_override).cached_headers)
+      expect(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).cached_headers).to_not eq(Configuration.get(:test_override, internal: true).cached_headers)
     end
     it "stores an override of the global config" do
@@ -55,7 +60,7 @@ module SecureHeaders
         config.x_frame_options = "DENY"
       end
-      expect(Configuration.get(:test_override)).to_not be_nil
+      expect(Configuration.get(:test_override, internal: true)).to_not be_nil
     end
     it "deep dup's config values when overriding so the original cannot be modified" do
@@ -63,8 +68,8 @@ module SecureHeaders
         config.csp[:default_src] << "'self'"
       end
-      default = Configuration.get
-      override = Configuration.get(:override)
+      default = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
+      override = Configuration.get(:override, internal: true)
       expect(override.csp.directive_value(:default_src)).not_to be(default.csp.directive_value(:default_src))
     end
@@ -78,9 +83,9 @@ module SecureHeaders
         config.csp = config.csp.merge(script_src: %w(example.org))
       end
-      original_override = Configuration.get(:override)
+      original_override = Configuration.get(:override, internal: true)
       expect(original_override.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self'))
-      override_config = Configuration.get(:second_override)
+      override_config = Configuration.get(:second_override, internal: true)
       expect(override_config.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self' example.org))
     end
@@ -101,7 +106,7 @@ module SecureHeaders
         config.cookies = OPT_OUT
       end
-      config = Configuration.get
+      config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
       expect(config.cookies).to eq(OPT_OUT)
     end
@@ -110,7 +115,7 @@ module SecureHeaders
         config.cookies = {httponly: true, secure: true, samesite: {lax: false}}
       end
-      config = Configuration.get
+      config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
       expect(config.cookies).to eq({httponly: true, secure: true, samesite: {lax: false}})
     end
   end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb CHANGED Viewed

@@ -28,6 +28,16 @@ module SecureHeaders
         expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
       end
+      it "deprecates and escapes semicolons in directive source lists" do
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a ; in "google.com;script-src *;.;" which will raise an error in future versions. It has been replaced with a blank space.))
+        expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
+      end
+      it "deprecates and escapes semicolons in directive source lists" do
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a \n in "\\nfoo.com\\nhacked" which will raise an error in future versions. It has been replaced with a blank space.))
+        expect(ContentSecurityPolicy.new(frame_ancestors: ["\nfoo.com\nhacked"]).value).to eq("frame-ancestors  foo.com hacked")
+      end
       it "discards 'none' values if any other source expressions are present" do
         csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
         expect(csp.value).not_to include("'none'")

data/spec/lib/secure_headers/headers/policy_management_spec.rb CHANGED Viewed

@@ -152,7 +152,7 @@ module SecureHeaders
             script_src: %w('self'),
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, style_src: %w(anothercdn.com))
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, style_src: %w(anothercdn.com))
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.name).to eq(ContentSecurityPolicyConfig::HEADER_NAME)
         expect(csp.value).to eq("default-src https:; script-src 'self'; style-src https: anothercdn.com")
@@ -167,7 +167,7 @@ module SecureHeaders
           }.freeze
         end
         report_uri = "https://report-uri.io/asdf"
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, report_uri: [report_uri])
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, report_uri: [report_uri])
         csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
         expect(csp.value).to include("report-uri #{report_uri}")
       end
@@ -183,7 +183,7 @@ module SecureHeaders
         non_default_source_additions = ContentSecurityPolicy::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
           hash[directive] = %w("http://example.org)
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, non_default_source_additions)
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, non_default_source_additions)
         ContentSecurityPolicy::NON_FETCH_SOURCES.each do |directive|
           expect(combined_config[directive]).to eq(%w("http://example.org))
@@ -198,7 +198,7 @@ module SecureHeaders
             report_only: false
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, report_only: true)
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, report_only: true)
         csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
         expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
       end
@@ -211,7 +211,7 @@ module SecureHeaders
             block_all_mixed_content: false
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, block_all_mixed_content: true)
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, block_all_mixed_content: true)
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.value).to eq("default-src https:; block-all-mixed-content; script-src 'self'")
       end
@@ -221,7 +221,7 @@ module SecureHeaders
           config.csp = OPT_OUT
         end
         expect do
-          ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, script_src: %w(anothercdn.com))
+          ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, script_src: %w(anothercdn.com))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
     end

data/spec/lib/secure_headers/middleware_spec.rb CHANGED Viewed

@@ -50,7 +50,7 @@ module SecureHeaders
       end
       request = Rack::Request.new({})
       SecureHeaders.use_secure_headers_override(request, "my_custom_config")
-      expect(request.env[SECURE_HEADERS_CONFIG]).to be(Configuration.get("my_custom_config"))
+      expect(request.env[SECURE_HEADERS_CONFIG]).to be(Configuration.get("my_custom_config", internal: true))
       _, env = middleware.call request.env
       expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match("example.org")
     end
@@ -66,7 +66,7 @@ module SecureHeaders
       end
       it "allows opting out of cookie protection with OPT_OUT alone" do
-        Configuration.default { |config| config.cookies = OPT_OUT}
+        Configuration.default { |config| config.cookies = OPT_OUT }
         # do NOT make this request https. non-https requests modify a config,
         # causing an exception when operating on OPT_OUT. This ensures we don't

data/spec/lib/secure_headers/view_helpers_spec.rb CHANGED Viewed

@@ -67,7 +67,7 @@ TEMPLATE
     end
     if options.is_a?(Hash)
-      options = options.map {|k, v| " #{k}=#{v}"}
+      options = options.map { |k, v| " #{k}=#{v}" }
     end
     "<#{type}#{options}>#{content}</#{type}>"
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 5.0.4
+  version: 5.2.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-12-05 00:00:00.000000000 Z
+date: 2020-01-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -114,12 +114,7 @@ homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
 metadata: {}
-post_install_message: |2+
-  **********
-  :wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-5-0.md
-  **********
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib