secure_headers 6.4.0 → 6.5.0

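--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e5372953d5180d45526a777c1b66e7e86a8ccfca08f6b7b613549d8ba1509a6e
-  data.tar.gz: 0d1cc3b012df7b1cfd549bcf09063a390945b05c03009acda31017f859ff7d2d
+  metadata.gz: bafd5e6390db0f1975599ab34f1293986a5c0a1ced14f6cfeca47fd114ce87d4
+  data.tar.gz: 177dc27fa8238fe1a8baa238f6baa244b2c03393f61269e9b417e5ea3a4a4bba
 SHA512:
-  metadata.gz: 35844f24ecb678a83548492545403bc174a6d0ce74896f7817d93cb30f62d97b415ea876dccd3efbed7cad3e5dd5c9cda4f676f7dc2c858b2f2010f2c33a0f73
-  data.tar.gz: 196a212de355c06a2a3fee6c22302fb1bfd7471dba402124adc7072f90dbd0c4a5b3ee8fa7604d0b164479717bfb65050d3b4802948410b61aba3382d5c8eb39
+  metadata.gz: 7a24f853958892e2780dec3cfd8f631d394c959cda6d3f8be5d701792fc1ce57d4141ca88e7b0980fcac979cc855a0c5bc9165a05b314fe281ce092a438f1fe1
+  data.tar.gz: c082a3ee192452712f8e9c7ed18d5c21b5b3eb1712c3d9a4df44220093cf1be09a8e5384f5c8a8909820f1e0048c6d3b6915cc29081288bcf13361bf8cf7dbed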
@@ -1,5 +1,5 @@
1
1
  name: Build + Test
2
- on: [pull_request]
2
+ on: [pull_request, push]
3
3
 
4
4
  jobs:
5
5
  build:
@@ -7,7 +7,7 @@ jobs:
7
7
  runs-on: ubuntu-latest
8
8
  strategy:
9
9
  matrix:
10
- ruby: [ '2.5', '2.6', '2.7', '3.0', '3.1' ]
10
+ ruby: [ '2.6', '2.7', '3.0', '3.1' ]
11
11
 
12
12
  steps:
13
13
  - uses: actions/checkout@v2
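Review bot: `- uses: actions/checkout@v2` on the last line of this hunk pins the action to a mutable major tag, and for the CI of a security library the supply-chain practice is to pin to the full commit SHA of the release and keep the tag only in a trailing comment, e.g. `- uses: actions/checkout@<full commit sha> # v3`. The v2 line of checkout is, as far as I know, a Node 12 action that GitHub has marked deprecated, so a bump is due in any case. Dropping `'2.5'` from the matrix should be mirrored by the gemspec's `required_ruby_version`, which this diff does not show; otherwise the gem still installs on a Ruby that is no longer tested.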
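--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -1 +1 @@
-2.6.6
+3.1.1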
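--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 6.5.0
+
+- CSP: Remove source expression deduplication. (@lgarron) https://github.com/github/secure_headers/pull/499
+
 ## 6.4.0
 
 - CSP: Add support for trusted-types, require-trusted-types-for directive (@JackMc): https://github.com/github/secure_headers/pull/486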
@@ -133,7 +133,7 @@ module SecureHeaders
133
133
  unless directive == REPORT_URI || @preserve_schemes
134
134
  source_list = strip_source_schemes(source_list)
135
135
  end
136
- dedup_source_list(source_list)
136
+ source_list.uniq
137
137
  end
138
138
  end
139
139
 
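Review bot: `source_list.uniq` on the new side collapses only byte-identical entries, so the wildcard subsumption the removed helper performed (`*.example.org` absorbing `a.example.org`) is gone and the emitted header can now be longer; a why-comment would stop the next maintainer from re-adding it. I would put above the line: `# Exact-match dedup only. Wildcard minification was dropped because the fnmatch/URI-based pass could not handle sources such as https://*.example.org:* (see CHANGELOG 6.5.0).` — the parse failure is inferred from the new spec example, not shown in this hunk. Note also that `uniq` is case-sensitive while CSP host-source matching is ASCII case-insensitive, so `Example.org example.org` still emits both; harmless for the policy, just not minimal. The enclosing method starts before this hunk.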
@@ -151,24 +151,6 @@ module SecureHeaders
151
151
  end
152
152
  end
153
153
 
154
- # Removes duplicates and sources that already match an existing wild card.
155
- #
156
- # e.g. *.github.com asdf.github.com becomes *.github.com
157
- def dedup_source_list(sources)
158
- sources = sources.uniq
159
- wild_sources = sources.select { |source| source =~ STAR_REGEXP }
160
-
161
- if wild_sources.any?
162
- schemes = sources.map { |source| [source, URI(source).scheme] }.to_h
163
- sources.reject do |source|
164
- !wild_sources.include?(source) &&
165
- wild_sources.any? { |pattern| schemes[pattern] == schemes[source] && File.fnmatch(pattern, source) }
166
- end
167
- else
168
- sources
169
- end
170
- end
171
-
172
154
  # Private: append a nonce to the script/style directories if script_nonce
173
155
  # or style_nonce are provided.
174
156
  def populate_nonces(directive, source_list)
@@ -189,7 +189,7 @@ module SecureHeaders
189
189
  ].freeze
190
190
 
191
191
  REQUIRE_SRI_FOR_VALUES = Set.new(%w(script style))
192
- REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w(script))
192
+ REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w('script'))
193
193
 
194
194
  module ClassMethods
195
195
  # Public: generate a header name, value array that is user-agent-aware.
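Review bot: Changing `REQUIRE_TRUSTED_TYPES_FOR_VALUES` to `Set.new(%w('script'))` is a breaking configuration change that the visible 6.5.0 CHANGELOG entry does not mention: a config passing `require_trusted_types_for: %w(script)`, which the 6.4.0 spec at the bottom of this diff used, now fails the `subset?` validation shown in the next hunk instead of producing a header. The quoted `'script'` is the sink-group token the Trusted Types spec defines, and the previous bare `script` would, as far as I can tell, not be recognised by browsers, so the directive was silently ineffective before; the fix is right but deserves a changelog line and an error message that names the accepted value with its quotes. `REQUIRE_SRI_FOR_VALUES = Set.new(%w(script style))` on the line above is correct as-is since require-sri-for takes bare tokens. The enclosing module starts before this hunk.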
@@ -393,7 +393,7 @@ module SecureHeaders
393
393
 
394
394
  # Private: validates that a require trusted types for expression:
395
395
  # 1. is an array of strings
396
- # 2. is a subset of ["script"]
396
+ # 2. is a subset of ["'script'"]
397
397
  def validate_require_trusted_types_for_source_expression!(directive, require_trusted_types_for_expression)
398
398
  ensure_array_of_strings!(directive, require_trusted_types_for_expression)
399
399
  unless require_trusted_types_for_expression.to_set.subset?(REQUIRE_TRUSTED_TYPES_FOR_VALUES)
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SecureHeaders
4
- VERSION = "6.4.0"
4
+ VERSION = "6.5.0"
5
5
  end
@@ -9,12 +9,12 @@ Gem::Specification.new do |gem|
9
9
  gem.version = SecureHeaders::VERSION
10
10
  gem.authors = ["Neil Matatall"]
11
11
  gem.email = ["neil.matatall@gmail.com"]
12
- gem.description = "Manages application of security headers with many safe defaults."
13
- gem.summary = 'Add easily configured security headers to responses
12
+ gem.summary = "Manages application of security headers with many safe defaults."
13
+ gem.description = 'Add easily configured security headers to responses
14
14
  including content-security-policy, x-frame-options,
15
15
  strict-transport-security, etc.'
16
16
  gem.homepage = "https://github.com/twitter/secureheaders"
17
- gem.license = "Apache Public License 2.0"
17
+ gem.license = "MIT"
18
18
  gem.files = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
19
19
  gem.executables = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
20
20
  gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
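Review bot: `gem.license = "MIT"` replaces "Apache Public License 2.0" in a minor release with no corresponding CHANGELOG line (the visible 6.5.0 entry lists only the CSP dedup change); license scanners and SBOM tooling downstream will flag the change, so it should be called out and the LICENSE file shipped in the gem confirmed to match. If, as I believe, the repository the changelog links to is MIT-licensed, the old value was the error, and "MIT" is additionally a valid SPDX identifier where the old string was not. While here, `gem.homepage = "https://github.com/twitter/secureheaders"` still points at the Twitter org whereas the CHANGELOG links `github/secure_headers`; `gem.homepage = "https://github.com/github/secure_headers"` would stop the metadata advertising a redirect.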
@@ -48,12 +48,12 @@ module SecureHeaders
48
48
  expect(csp.value).to eq("default-src * 'unsafe-inline' 'unsafe-eval' data: blob:")
49
49
  end
50
50
 
51
- it "minifies source expressions based on overlapping wildcards" do
51
+ it "does not minify source expressions based on overlapping wildcards" do
52
52
  config = {
53
53
  default_src: %w(a.example.org b.example.org *.example.org https://*.example.org)
54
54
  }
55
55
  csp = ContentSecurityPolicy.new(config)
56
- expect(csp.value).to eq("default-src *.example.org")
56
+ expect(csp.value).to eq("default-src a.example.org b.example.org *.example.org")
57
57
  end
58
58
 
59
59
  it "removes http/s schemes from hosts" do
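Review bot: The renamed example `does not minify source expressions based on overlapping wildcards` now also relies silently on scheme stripping plus exact-match `uniq` to drop the fourth input `https://*.example.org`; the expectation `default-src a.example.org b.example.org *.example.org` is correct, but nothing in the name says why one of four inputs disappeared. A one-line comment above the `expect`, e.g. `# https://*.example.org collapses into *.example.org once schemes are stripped; no wildcard minification`, or a second example with the `preserve_schemes` option seen in the implementation hunk where all four survive, would make the new contract explicit.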
@@ -101,8 +101,13 @@ module SecureHeaders
101
101
  expect(csp.value).to eq("default-src example.org; block-all-mixed-content")
102
102
  end
103
103
 
104
- it "deduplicates any source expressions" do
105
- csp = ContentSecurityPolicy.new(default_src: %w(example.org example.org example.org))
104
+ it "handles wildcard subdomain with wildcard port" do
105
+ csp = ContentSecurityPolicy.new(default_src: %w(https://*.example.org:*))
106
+ expect(csp.value).to eq("default-src *.example.org:*")
107
+ end
108
+
109
+ it "deduplicates source expressions that match exactly (after scheme stripping)" do
110
+ csp = ContentSecurityPolicy.new(default_src: %w(example.org https://example.org example.org))
106
111
  expect(csp.value).to eq("default-src example.org")
107
112
  end
108
113
 
@@ -197,8 +202,8 @@ module SecureHeaders
197
202
  end
198
203
 
199
204
  it "supports trusted-types directive with 'none'" do
200
- csp = ContentSecurityPolicy.new({trusted_types: %w(none)})
201
- expect(csp.value).to eq("trusted-types none")
205
+ csp = ContentSecurityPolicy.new({trusted_types: %w('none')})
206
+ expect(csp.value).to eq("trusted-types 'none'")
202
207
  end
203
208
 
204
209
  it "allows duplicate policy names in trusted-types directive" do
@@ -45,7 +45,7 @@ module SecureHeaders
45
45
  plugin_types: %w(application/x-shockwave-flash),
46
46
  prefetch_src: %w(fetch.com),
47
47
  require_sri_for: %w(script style),
48
- require_trusted_types_for: %w(script),
48
+ require_trusted_types_for: %w('script'),
49
49
  script_src: %w('self'),
50
50
  style_src: %w('unsafe-inline'),
51
51
  upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
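--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.4.0
+  version: 6.5.0
 platform: ruby
 authors:
 - Neil Matatall
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-08-02 00:00:00.000000000 Z
+date: 2022-10-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -24,7 +24,10 @@ dependencies:
   - - ">="
   - !ruby/object:Gem::Version
     version: '0'
-description: Manages application of security headers with many safe defaults.
+description: |-
+  Add easily configured security headers to responses
+  including content-security-policy, x-frame-options,
+  strict-transport-security, etc.
 email:
 - neil.matatall@gmail.com
 executables: []
@@ -99,9 +102,9 @@ files:
 - spec/spec_helper.rb
 homepage: https://github.com/twitter/secureheaders
 licenses:
-- Apache Public License 2.0
+- MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -116,11 +119,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
   - !ruby/object:Gem::Version
     version: '0'
 requirements: []
-rubygems_version: 3.2.9
-signing_key: 
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
-summary: Add easily configured security headers to responses including content-security-policy,
-  x-frame-options, strict-transport-security, etc.
+summary: Manages application of security headers with many safe defaults.
 test_files:
 - spec/lib/secure_headers/configuration_spec.rb
 - spec/lib/secure_headers/headers/clear_site_data_spec.rb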