secure_headers 5.0.4 → 5.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d30a295775010a197058029cc447bdf51ad1f93e
-  data.tar.gz: 79a4928de6fe2508ebdfed92cfe36ba1d70cdce8
+  metadata.gz: 1b901bf6e9f4127c81ec207e46599054feb18f32
+  data.tar.gz: 642585cfc04901c83ff5d90ea1600f5ef141fec4
 SHA512:
-  metadata.gz: 206573552433a49370adf984f538091ac3bd4c2e6ee0ba521f949762e145259725a3938ab2ec5124b5556fdd1502388ac8dd7e8d5fcc947c9f96e3ed78947cfa
-  data.tar.gz: c53aab77376ad2d8fac21c2d684cc02dcf14322cd51591d7048f0865315a60b6266ce7f066651040b8d626adf311101e31b2b1690ce1e3b18190ea42f90f24ac
+  metadata.gz: 8e304a7d52e6dbf0a4fd2bb114201ba781e8565fd9ecbd4977e6169f922101f186c7024194c81ecd780376f2e4c18f7af3bd88f98cd2b86301b15de5e4148c44
+  data.tar.gz: 9d5e1e8f35954baea9e4fcec70af22e7f3c2d8b16deaa98d6c882c9373c9a76556a711696b081920d9279df96375dd6e2a473e265c9bfbf2e12a6f9a62da486f

data/.travis.yml

@@ -2,9 +2,9 @@ language: ruby
 
 rvm:
   - ruby-head
-  - 2.4.2
-  - 2.3.5
-  - 2.2.8
+  - 2.6
+  - 2.5
+  - 2.4
   - jruby-head
 
 env:

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 5.2.0
+
+Fixes newline injection issue
+
+## 5.1.0
+
+Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418
+
+## 5.0.5
+
+A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
+
 ## 5.0.4
 
 - Adds support for `nonced_stylesheet_pack_tag` #373 (@paulfri)

data/Gemfile

@@ -9,7 +9,7 @@ group :test do
   gem "pry-nav"
   gem "rack"
   gem "rspec"
-  gem "rubocop"
+  gem "rubocop", "< 0.68"
   gem "rubocop-github"
   gem "term-ansicolor"
   gem "tins"
@@ -19,4 +19,5 @@ group :guard do
   gem "growl"
   gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
   gem "rb-fsevent"
+  gem "terminal-notifier-guard"
 end

data/lib/secure_headers.rb

@@ -196,7 +196,7 @@ module SecureHeaders
     #
     # name - the name of the previously configured override.
     def use_secure_headers_override(request, name)
-      if config = Configuration.get(name)
+      if config = Configuration.get(name, internal: true)
         override_secure_headers_request_config(request, config)
       else
         raise ArgumentError.new("no override by the name of #{name} has been configured")
@@ -228,7 +228,7 @@ module SecureHeaders
     # Falls back to the global config
     def config_for(request, prevent_dup = false)
       config = request.env[SECURE_HEADERS_CONFIG] ||
-        Configuration.get(Configuration::DEFAULT_CONFIG)
+        Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
 
 
       # Global configs are frozen, per-request configs are not. When we're not

data/lib/secure_headers/configuration.rb

@@ -28,7 +28,7 @@ module SecureHeaders
       #
       # Returns: the newly created config
       def override(name, base = DEFAULT_CONFIG, &block)
-        unless get(base)
+        unless get(base, internal: true)
           raise NotYetConfiguredError, "#{base} policy not yet supplied"
         end
         override = @configurations[base].dup
@@ -40,7 +40,11 @@ module SecureHeaders
       #
       # Returns the configuration with a given name or raises a
       # NotYetConfiguredError if `default` has not been called.
-      def get(name = DEFAULT_CONFIG)
+      def get(name = DEFAULT_CONFIG, internal: false)
+        unless internal
+          Kernel.warn "#{Kernel.caller.first}: [DEPRECATION] `#get` is deprecated. It will be removed in the next major release. Use SecureHeaders::Configuration.dup to retrieve the default config."
+        end
+
         if @configurations.nil?
           raise NotYetConfiguredError, "Default policy not yet supplied"
         end

data/lib/secure_headers/headers/clear_site_data.rb

@@ -48,7 +48,7 @@ module SecureHeaders
       #
       # Returns a String of quoted values that are comma separated.
       def make_header_value(types)
-        types.map { |t| "\"#{t}\""}.join(", ")
+        types.map { |t| %("#{t}") }.join(", ")
       end
     end
   end

data/lib/secure_headers/headers/content_security_policy.rb

@@ -138,8 +138,14 @@ module SecureHeaders
       end
 
       if source_list != OPT_OUT && source_list && source_list.any?
-        normalized_source_list = minify_source_list(directive, source_list)
-        [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
+        minified_source_list = minify_source_list(directive, source_list).join(" ")
+
+        if minified_source_list =~ /(\n|;)/
+          Kernel.warn("#{directive} contains a #{$1} in #{minified_source_list.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
+        end
+
+        escaped_source_list = minified_source_list.gsub(/[\n;]/, " ")
+        [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
       end
     end
 

data/secure_headers.gemspec

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "5.0.4"
+  gem.version       = "5.2.0"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = "Manages application of security headers with many safe defaults."
@@ -17,13 +17,4 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.add_development_dependency "rake"
   gem.add_dependency "useragent", ">= 0.15.0"
-
-  # TODO: delete this after 4.1 is cut or a number of 4.0.x releases have occurred
-  gem.post_install_message = <<-POST_INSTALL
-
-**********
-:wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-5-0.md
-**********
-
-  POST_INSTALL
 end

data/spec/lib/secure_headers/configuration_spec.rb

@@ -9,15 +9,20 @@ module SecureHeaders
     end
 
     it "has a default config" do
-      expect(Configuration.get(Configuration::DEFAULT_CONFIG)).to_not be_nil
+      expect(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)).to_not be_nil
+    end
+
+    it "warns when using deprecated internal-ish #get API" do
+      expect(Kernel).to receive(:warn).once.with(/`#get` is deprecated/)
+      Configuration.get(Configuration::DEFAULT_CONFIG)
     end
 
     it "has an 'noop' config" do
-      expect(Configuration.get(Configuration::NOOP_CONFIGURATION)).to_not be_nil
+      expect(Configuration.get(Configuration::NOOP_CONFIGURATION, internal: true)).to_not be_nil
     end
 
     it "precomputes headers upon creation" do
-      default_config = Configuration.get(Configuration::DEFAULT_CONFIG)
+      default_config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
       header_hash = default_config.cached_headers.each_with_object({}) do |(key, value), hash|
         header_name, header_value = if key == :csp
           value["Chrome"]
@@ -35,8 +40,8 @@ module SecureHeaders
         # do nothing, just copy it
       end
 
-      config = Configuration.get(:test_override)
-      noop = Configuration.get(Configuration::NOOP_CONFIGURATION)
+      config = Configuration.get(:test_override, internal: true)
+      noop = Configuration.get(Configuration::NOOP_CONFIGURATION, internal: true)
       [:csp, :csp_report_only, :cookies].each do |key|
         expect(config.send(key)).to eq(noop.send(key))
       end
@@ -47,7 +52,7 @@ module SecureHeaders
         config.x_content_type_options = OPT_OUT
       end
 
-      expect(Configuration.get.cached_headers).to_not eq(Configuration.get(:test_override).cached_headers)
+      expect(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).cached_headers).to_not eq(Configuration.get(:test_override, internal: true).cached_headers)
     end
 
     it "stores an override of the global config" do
@@ -55,7 +60,7 @@ module SecureHeaders
         config.x_frame_options = "DENY"
       end
 
-      expect(Configuration.get(:test_override)).to_not be_nil
+      expect(Configuration.get(:test_override, internal: true)).to_not be_nil
     end
 
     it "deep dup's config values when overriding so the original cannot be modified" do
@@ -63,8 +68,8 @@ module SecureHeaders
         config.csp[:default_src] << "'self'"
       end
 
-      default = Configuration.get
-      override = Configuration.get(:override)
+      default = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
+      override = Configuration.get(:override, internal: true)
 
       expect(override.csp.directive_value(:default_src)).not_to be(default.csp.directive_value(:default_src))
     end
@@ -78,9 +83,9 @@ module SecureHeaders
         config.csp = config.csp.merge(script_src: %w(example.org))
       end
 
-      original_override = Configuration.get(:override)
+      original_override = Configuration.get(:override, internal: true)
       expect(original_override.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self'))
-      override_config = Configuration.get(:second_override)
+      override_config = Configuration.get(:second_override, internal: true)
       expect(override_config.csp.to_h).to eq(default_src: %w('self'), script_src: %w('self' example.org))
     end
 
@@ -101,7 +106,7 @@ module SecureHeaders
         config.cookies = OPT_OUT
       end
 
-      config = Configuration.get
+      config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
       expect(config.cookies).to eq(OPT_OUT)
     end
 
@@ -110,7 +115,7 @@ module SecureHeaders
         config.cookies = {httponly: true, secure: true, samesite: {lax: false}}
       end
 
-      config = Configuration.get
+      config = Configuration.get(Configuration::DEFAULT_CONFIG, internal: true)
       expect(config.cookies).to eq({httponly: true, secure: true, samesite: {lax: false}})
     end
   end

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb

@@ -28,6 +28,16 @@ module SecureHeaders
         expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
       end
 
+      it "deprecates and escapes semicolons in directive source lists" do
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a ; in "google.com;script-src *;.;" which will raise an error in future versions. It has been replaced with a blank space.))
+        expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
+      end
+
+      it "deprecates and escapes semicolons in directive source lists" do
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a \n in "\\nfoo.com\\nhacked" which will raise an error in future versions. It has been replaced with a blank space.))
+        expect(ContentSecurityPolicy.new(frame_ancestors: ["\nfoo.com\nhacked"]).value).to eq("frame-ancestors  foo.com hacked")
+      end
+
       it "discards 'none' values if any other source expressions are present" do
         csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
         expect(csp.value).not_to include("'none'")

data/spec/lib/secure_headers/headers/policy_management_spec.rb

@@ -152,7 +152,7 @@ module SecureHeaders
             script_src: %w('self'),
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, style_src: %w(anothercdn.com))
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, style_src: %w(anothercdn.com))
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.name).to eq(ContentSecurityPolicyConfig::HEADER_NAME)
         expect(csp.value).to eq("default-src https:; script-src 'self'; style-src https: anothercdn.com")
@@ -167,7 +167,7 @@ module SecureHeaders
           }.freeze
         end
         report_uri = "https://report-uri.io/asdf"
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, report_uri: [report_uri])
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, report_uri: [report_uri])
         csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
         expect(csp.value).to include("report-uri #{report_uri}")
       end
@@ -183,7 +183,7 @@ module SecureHeaders
         non_default_source_additions = ContentSecurityPolicy::NON_FETCH_SOURCES.each_with_object({}) do |directive, hash|
           hash[directive] = %w("http://example.org)
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, non_default_source_additions)
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, non_default_source_additions)
 
         ContentSecurityPolicy::NON_FETCH_SOURCES.each do |directive|
           expect(combined_config[directive]).to eq(%w("http://example.org))
@@ -198,7 +198,7 @@ module SecureHeaders
             report_only: false
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, report_only: true)
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, report_only: true)
         csp = ContentSecurityPolicy.new(combined_config, USER_AGENTS[:firefox])
         expect(csp.name).to eq(ContentSecurityPolicyReportOnlyConfig::HEADER_NAME)
       end
@@ -211,7 +211,7 @@ module SecureHeaders
             block_all_mixed_content: false
           }
         end
-        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, block_all_mixed_content: true)
+        combined_config = ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, block_all_mixed_content: true)
         csp = ContentSecurityPolicy.new(combined_config)
         expect(csp.value).to eq("default-src https:; block-all-mixed-content; script-src 'self'")
       end
@@ -221,7 +221,7 @@ module SecureHeaders
           config.csp = OPT_OUT
         end
         expect do
-          ContentSecurityPolicy.combine_policies(Configuration.get.csp.to_h, script_src: %w(anothercdn.com))
+          ContentSecurityPolicy.combine_policies(Configuration.get(Configuration::DEFAULT_CONFIG, internal: true).csp.to_h, script_src: %w(anothercdn.com))
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
     end

data/spec/lib/secure_headers/middleware_spec.rb

@@ -50,7 +50,7 @@ module SecureHeaders
       end
       request = Rack::Request.new({})
       SecureHeaders.use_secure_headers_override(request, "my_custom_config")
-      expect(request.env[SECURE_HEADERS_CONFIG]).to be(Configuration.get("my_custom_config"))
+      expect(request.env[SECURE_HEADERS_CONFIG]).to be(Configuration.get("my_custom_config", internal: true))
       _, env = middleware.call request.env
       expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match("example.org")
     end
@@ -66,7 +66,7 @@ module SecureHeaders
       end
 
       it "allows opting out of cookie protection with OPT_OUT alone" do
-        Configuration.default { |config| config.cookies = OPT_OUT}
+        Configuration.default { |config| config.cookies = OPT_OUT }
 
         # do NOT make this request https. non-https requests modify a config,
         # causing an exception when operating on OPT_OUT. This ensures we don't

data/spec/lib/secure_headers/view_helpers_spec.rb

@@ -67,7 +67,7 @@ TEMPLATE
     end
 
     if options.is_a?(Hash)
-      options = options.map {|k, v| " #{k}=#{v}"}
+      options = options.map { |k, v| " #{k}=#{v}" }
     end
     "<#{type}#{options}>#{content}</#{type}>"
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 5.0.4
+  version: 5.2.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-12-05 00:00:00.000000000 Z
+date: 2020-01-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -114,12 +114,7 @@ homepage: https://github.com/twitter/secureheaders
 licenses:
 - Apache Public License 2.0
 metadata: {}
-post_install_message: |2+
-
-  **********
-  :wave: secure_headers 5.0 introduces a lot of breaking changes (in the name of security!). It's highly likely you will need to update your secure_headers cookie configuration to avoid breaking things. See the upgrade guide for details: https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-5-0.md
-  **********
-
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib