RubyGems - secure_headers - Versions diffs - 5.1.0 → 5.2.0 - Mend

secure_headers 5.1.0 → 5.2.0

Files changed (6) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 32ea96aca183a8341bec40b998486beed14d59e8
-  data.tar.gz: 3081354f4bd486f5ea49d22f680d1ac2d36de4aa
+  metadata.gz: 1b901bf6e9f4127c81ec207e46599054feb18f32
+  data.tar.gz: 642585cfc04901c83ff5d90ea1600f5ef141fec4
 SHA512:
-  metadata.gz: cc8c64abdabaab458be788ee09a18984bab17cb8a01ef6eb76c75099cfaa5b8fc5962f5094e39f7067ebece388794e7f53a2e44f2fecdbfe4146a59a981211df
-  data.tar.gz: f8c369a5a2ac0e7547e231100c2a946a9204684d4db33206cc3baf0dd786b99c5a6d05cdaaaca5fcb439530a6d385d029c265dbc84f9b6ff665df52ad1191537
+  metadata.gz: 8e304a7d52e6dbf0a4fd2bb114201ba781e8565fd9ecbd4977e6169f922101f186c7024194c81ecd780376f2e4c18f7af3bd88f98cd2b86301b15de5e4148c44
+  data.tar.gz: 9d5e1e8f35954baea9e4fcec70af22e7f3c2d8b16deaa98d6c882c9373c9a76556a711696b081920d9279df96375dd6e2a473e265c9bfbf2e12a6f9a62da486f

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## 5.2.0
+Fixes newline injection issue
 ## 5.1.0
 Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418

@@ -140,11 +140,11 @@ module SecureHeaders
       if source_list != OPT_OUT && source_list && source_list.any?
         minified_source_list = minify_source_list(directive, source_list).join(" ")
-        if minified_source_list.include?(";")
-          Kernel.warn("#{directive} contains a ; in '#{minified_source_list}' which will raise an error in future versions. It has been replaced with a blank space.")
+        if minified_source_list =~ /(\n|;)/
+          Kernel.warn("#{directive} contains a #{$1} in #{minified_source_list.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
         end
-        escaped_source_list = minified_source_list.gsub(";", " ")
+        escaped_source_list = minified_source_list.gsub(/[\n;]/, " ")
         [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
       end
     end

data/secure_headers.gemspec CHANGED

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "5.1.0"
+  gem.version       = "5.2.0"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = "Manages application of security headers with many safe defaults."

@@ -29,10 +29,15 @@ module SecureHeaders
       end
       it "deprecates and escapes semicolons in directive source lists" do
-        expect(Kernel).to receive(:warn).with("frame_ancestors contains a ; in 'google.com;script-src *;.;' which will raise an error in future versions. It has been replaced with a blank space.")
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a ; in "google.com;script-src *;.;" which will raise an error in future versions. It has been replaced with a blank space.))
         expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
       end
+      it "deprecates and escapes semicolons in directive source lists" do
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a \n in "\\nfoo.com\\nhacked" which will raise an error in future versions. It has been replaced with a blank space.))
+        expect(ContentSecurityPolicy.new(frame_ancestors: ["\nfoo.com\nhacked"]).value).to eq("frame-ancestors  foo.com hacked")
+      end
       it "discards 'none' values if any other source expressions are present" do
         csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
         expect(csp.value).not_to include("'none'")

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 5.1.0
+  version: 5.2.0
 platform: ruby
 authors:
 - Neil Matatall