secure_headers 6.0.0.alpha01 → 6.0.0.alpha02


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: cd74fc8e9c9057255c1e6c75bc78554ec6751459
4
- data.tar.gz: 2f72e782c0800b5bf124d841a0d556d321b1cb5f
3
+ metadata.gz: b9072ed41af027bbc9628b2e58751bf765c6af1a
4
+ data.tar.gz: e5344d4ea5226225629bd7449ebcba94c15a27d8
5
5
  SHA512:
6
- metadata.gz: 53ff0d4849c3892fbf4e35270c011d9d6c8da3984958fdc17f9669b32f0d9d39542dc4411323fe93bbf21137f0c8cfe26565a5836548061414153a2abd2dd949
7
- data.tar.gz: 7472a097ae0926655aace8f5f719a4306920b08e4a1b798a588034d51a1446f51f442deb7c3f298d23481d52f2aa1b210ffb40b629671f449f63b7570a7ec2b0
6
+ metadata.gz: 920786c9cc2df0f8dfc2bae3911fa2ca99207e4d61605e7c1c942d76d678b0e0f83240263694adc1d556057120f17e2b73bd96bf260465a4222c768ab124ef5c
7
+ data.tar.gz: cb185bf133a9ea8c7e1cd50b6ae1d718e1455402c5f165224f04cefadfb6028136129f2261cf47ae404bddd08c6bf7fa08420be5a1056eb2d00fb06fd3227b23
@@ -1,10 +1,10 @@
1
1
  ## 6.0
2
2
 
3
3
  - See the [upgrading to 6.0](docs/upgrading-to-6-0.md) guide for the breaking changes.
4
- =======
4
+
5
5
  ## 5.0.5
6
6
 
7
- A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
7
+ - A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
8
8
 
9
9
  ## 5.0.4
10
10
 
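Review bot: the removed `=======` line (old line 4) is a leftover git merge-conflict marker, so please also grep the file for the matching `<<<<<<<` / `>>>>>>>` markers before tagging the release. The `## 6.0` entry still only points at the upgrading guide; since this release renames the `content_security_policy_nonce` view helper to `_content_security_policy_nonce`, a bullet under `## 6.0` naming that rename would let users find it without reading the full doc. Restoring the `- ` bullet on the 5.0.5 entry is right, it matches the list style of the other entries.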
data/README.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
2
2
 
3
- **master represents 5.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md) and [upgrading to 5.x doc](docs/upgrading-to-5-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
3
+ **master represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
4
4
 
5
5
  **The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
6
6
 
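Review bot: the unchanged line 5 in this hunk still links the "3.x" branch to `https://github.com/twitter/secureheaders/tree/2.x`; since this hunk already rewrites the surrounding branch guidance (master is 6.x, fixes go to 5.x), fix that URL to point at the `3.x` tree in the same change. The new line 3 is otherwise consistent: it adds the 6.x upgrade doc link and moves the bug-fix branch from 3.x to 5.x.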
@@ -77,7 +77,7 @@ SecureHeaders::Configuration.default do |config|
77
77
  preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
78
78
 
79
79
  # directive values: these values will directly translate into source directives
80
- default_src: %w(https: 'self'),
80
+ default_src: %w('none'),
81
81
  base_uri: %w('self'),
82
82
  block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
83
83
  child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
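Review bot: changing the sample `default_src` from `%w(https: 'self')` to `%w('none')` is a real tightening, not a cosmetic edit: with `default-src 'none'` every fetch directive the example does not list explicitly (for instance `img-src`, `font-src`, `connect-src`) falls back to blocking everything, whereas the old value allowed same-origin and any HTTPS source. Add a sentence to the comment on line 79/80 saying so, so that someone copying this config into an app understands that each resource type they load now needs its own directive; the `base_uri` and `child_src` lines directly below already follow that pattern.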
@@ -35,6 +35,10 @@ These classes are typically not directly instantiated by users of SecureHeaders.
35
35
 
36
36
  This method is not typically directly called by users of SecureHeaders. Given that named overrides are no longer statically stored, fetching them no longer makes sense.
37
37
 
38
+ ## `content_security_policy_nonce` has been renamed
39
+
40
+ While tag helpers such as `nonced_javascript_tag` and `nonced_style_tag`, the value for the nonce was available via `content_security_policy_nonce`. Rails 5.2 has implemented a method with the same name but clashes with the number of arguments. It has been renamed to`_content_security_policy_nonce` and will likely be removed in future versions.
41
+
38
42
  ## Configuration headers are no longer cached
39
43
 
40
44
  Prior to 6.0.0 SecureHeaders pre-built and cached the headers that corresponded to the default configuration. The same was also done for named overrides. However, now that named overrides are applied dynamically, those can no longer be cached. As a result, caching has been removed in the name of simplicity. Some micro-benchmarks indicate this shouldn't be a performance problem and will help to eliminate a class of bugs entirely.
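Review bot: the new paragraph on line 40 has several wording problems that should be fixed before it ships in the docs: the first clause is missing a verb ("While using tag helpers such as ..."), "clashes with the number of arguments" should say plainly that Rails 5.2 defines a zero-argument `content_security_policy_nonce` helper while this gem's version takes a `type` argument, and there is a missing space in "to`_content_security_policy_nonce`". It also says the method "will likely be removed in future versions" without saying which name: the code in this same release keeps `content_security_policy_nonce` as an alias of `_content_security_policy_nonce`, so state explicitly that the old name still works for application code, that the gem no longer calls it internally, and that only the alias is slated for removal. A one-line before/after (`content_security_policy_nonce(:script)` vs `_content_security_policy_nonce(:script)`) would make the migration unambiguous.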
@@ -19,7 +19,7 @@ module SecureHeaders
19
19
  #
20
20
  # Returns an html-safe link tag with the nonce attribute.
21
21
  def nonced_stylesheet_link_tag(*args, &block)
22
- opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
22
+ opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
23
23
 
24
24
  stylesheet_link_tag(*args, opts, &block)
25
25
  end
@@ -37,7 +37,7 @@ module SecureHeaders
37
37
  #
38
38
  # Returns an html-safe script tag with the nonce attribute.
39
39
  def nonced_javascript_include_tag(*args, &block)
40
- opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
40
+ opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
41
41
 
42
42
  javascript_include_tag(*args, opts, &block)
43
43
  end
@@ -47,7 +47,7 @@ module SecureHeaders
47
47
  #
48
48
  # Returns an html-safe script tag with the nonce attribute.
49
49
  def nonced_javascript_pack_tag(*args, &block)
50
- opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
50
+ opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
51
51
 
52
52
  javascript_pack_tag(*args, opts, &block)
53
53
  end
@@ -57,7 +57,7 @@ module SecureHeaders
57
57
  #
58
58
  # Returns an html-safe link tag with the nonce attribute.
59
59
  def nonced_stylesheet_pack_tag(*args, &block)
60
- opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
60
+ opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
61
61
 
62
62
  stylesheet_pack_tag(*args, opts, &block)
63
63
  end
@@ -66,7 +66,7 @@ module SecureHeaders
66
66
  # Instructs secure_headers to append a nonce to style/script-src directives.
67
67
  #
68
68
  # Returns a non-html-safe nonce value.
69
- def content_security_policy_nonce(type)
69
+ def _content_security_policy_nonce(type)
70
70
  case type
71
71
  when :script
72
72
  SecureHeaders.content_security_policy_script_nonce(@_request)
@@ -74,13 +74,14 @@ module SecureHeaders
74
74
  SecureHeaders.content_security_policy_style_nonce(@_request)
75
75
  end
76
76
  end
77
+ alias_method :content_security_policy_nonce, :_content_security_policy_nonce
77
78
 
78
79
  def content_security_policy_script_nonce
79
- content_security_policy_nonce(:script)
80
+ _content_security_policy_nonce(:script)
80
81
  end
81
82
 
82
83
  def content_security_policy_style_nonce
83
- content_security_policy_nonce(:style)
84
+ _content_security_policy_nonce(:style)
84
85
  end
85
86
 
86
87
  ##
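Review bot: the `alias_method :content_security_policy_nonce, :_content_security_policy_nonce` on line 77 preserves the old public name, but it re-creates exactly the arity clash the rename is meant to avoid: in a Rails 5.2 app that also has ActionView's zero-argument `content_security_policy_nonce`, whichever helper module is included last wins, so either Rails' helper is shadowed by this gem's one-argument version or this alias is silently shadowed. The part that actually fixes the bug is that every internal caller (`content_security_policy_script_nonce`, `content_security_policy_style_nonce` and the `nonced_*` tag helpers) now goes through `_content_security_policy_nonce`. Consider replacing the bare alias with a small method that emits a deprecation warning before delegating, so users migrate before the name is removed, and mention the include-order caveat in the upgrade doc.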
@@ -152,7 +153,7 @@ module SecureHeaders
152
153
  else
153
154
  content_or_options.html_safe # :'(
154
155
  end
155
- content_tag type, content, options.merge(nonce: content_security_policy_nonce(type))
156
+ content_tag type, content, options.merge(nonce: _content_security_policy_nonce(type))
156
157
  end
157
158
 
158
159
  def extract_options(args)
@@ -2,7 +2,7 @@
2
2
  # frozen_string_literal: true
3
3
  Gem::Specification.new do |gem|
4
4
  gem.name = "secure_headers"
5
- gem.version = "6.0.0.alpha01"
5
+ gem.version = "6.0.0.alpha02"
6
6
  gem.authors = ["Neil Matatall"]
7
7
  gem.email = ["neil.matatall@gmail.com"]
8
8
  gem.description = "Manages application of security headers with many safe defaults."
@@ -97,6 +97,12 @@ TEMPLATE
97
97
  end
98
98
  end
99
99
 
100
+ class MessageWithConflictingMethod < Message
101
+ def content_security_policy_nonce
102
+ "rails-nonce"
103
+ end
104
+ end
105
+
100
106
  module SecureHeaders
101
107
  describe ViewHelpers do
102
108
  let(:app) { lambda { |env| [200, env, "app"] } }
@@ -159,5 +165,27 @@ module SecureHeaders
159
165
  expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
160
166
  end
161
167
  end
168
+
169
+ it "avoids calling content_security_policy_nonce internally" do
170
+ begin
171
+ allow(SecureRandom).to receive(:base64).and_return("abc123")
172
+
173
+ expected_hash = "sha256-3/URElR9+3lvLIouavYD/vhoICSNKilh15CzI/nKqg8="
174
+ Configuration.instance_variable_set(:@script_hashes, filename => ["'#{expected_hash}'"])
175
+ expected_style_hash = "sha256-7oYK96jHg36D6BM042er4OfBnyUDTG3pH1L8Zso3aGc="
176
+ Configuration.instance_variable_set(:@style_hashes, filename => ["'#{expected_style_hash}'"])
177
+
178
+ # render erb that calls out to helpers.
179
+ MessageWithConflictingMethod.new(request).result
180
+ _, env = middleware.call request.env
181
+
182
+ expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'#{Regexp.escape(expected_hash)}'/)
183
+ expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'nonce-abc123'/)
184
+ expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'nonce-abc123'/)
185
+ expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
186
+
187
+ expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).not_to match(/rails-nonce/)
188
+ end
189
+ end
162
190
  end
163
191
  end
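Review bot: the final assertion `expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).not_to match(/rails-nonce/)` on line 187 cannot fail for the reason the test is named for: the CSP header is built by the middleware from `SecureRandom.base64` (stubbed to `abc123`), so the `"rails-nonce"` string returned by `MessageWithConflictingMethod#content_security_policy_nonce` would never reach the header even if the helpers still called the conflicting method. What the test really relies on is that a helper calling the zero-argument override with one argument would raise `ArgumentError` before the expectations run. Make the intent explicit by capturing the rendered template (`html = MessageWithConflictingMethod.new(request).result`) and asserting that the emitted tags carry `nonce="abc123"` and not `rails-nonce`. The `begin ... end` wrapping lines 170-188 has no `rescue` or `ensure` and can be dropped, and the four hash/nonce expectations duplicate the preceding test (line 165 shows the same style-hash check), so they could move into a shared helper.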
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secure_headers
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.0.0.alpha01
4
+ version: 6.0.0.alpha02
5
5
  platform: ruby
6
6
  authors:
7
7
  - Neil Matatall
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-02-13 00:00:00.000000000 Z
11
+ date: 2018-03-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake