secure_headers 0.1.1 → 0.2.0

data/.gitignore

@@ -3,6 +3,7 @@
 .bundle
 .config
 .yardoc
+*.log
 Gemfile.lock
 InstalledFiles
 _yardoc
@@ -15,3 +16,11 @@ spec/reports
 test/tmp
 test/version_tmp
 tmp
+
+/fixtures/rails_3_2_12/log/test.log
+/fixtures/rails_3_2_12_no_init/log/test.log
+*.sqlite3
+test.sqlite3
+*test.sqlite3
+/fixtures/rails_3_2_12_no_init/db/test.sqlite3
+/fixtures/rails_3_2_12/db/test.sqlite3

data/.travis.yml

@@ -1,5 +1,6 @@
 rvm:
   - "1.9.3"
-  - jruby-19mode
-  - jruby-18mode
   - "1.8.7"
+#  - jruby-19mode
+#  - jruby-18mode
+#script: ./travis.sh

data/Gemfile

@@ -3,6 +3,10 @@ source 'https://rubygems.org'
 gemspec
 
 group :test do
+  gem 'rails', '3.2.12'
+  gem 'sqlite3', :platform => [:ruby, :mswin, :mingw]
+  gem 'jdbc-sqlite3', :platform => :jruby
+  gem 'rspec-rails'
   gem 'guard-spork'
   gem 'guard-rspec'
   gem 'growl'

data/Guardfile

@@ -1,4 +1,4 @@
-guard 'spork', :rspec_env => { 'RAILS_ENV' => 'test' } do
+guard 'spork', :aggressive_kill => false do
   watch('spec/spec_helper.rb') { :rspec }
 end
 

data/HISTORY.md

@@ -1,3 +1,17 @@
+0.2.0
+=======
+
+- 0.1.0 introduced a serious regression in which child controllers overwrote parent controller config values
+- Decoupling of CSP headers and the request object. Allows you to generate static values to save cycles:
+
+```ruby
+FIREFOX = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Firefox", :ssl => true).value
+CHROME = SecureHeaders::ContentSecurityPolicy.new(config, :ua => "Chrome", :ssl => true).value
+```
+- :forward_endpoint now acts as the endpoint that reports are forwarded to (when using the internal forwarder feature for cross-host reporting)
+- Skeleton applications have been added to test isolated application configurations
+- Cleanup by @bemurphy
+
 0.1.1
 =======
 

data/README.md

@@ -1,4 +1,4 @@
-# SecureHeaders [![Build Status](https://travis-ci.org/twitter/secureheaders.png?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/twitter/secureheaders)
+# SecureHeaders [![Build Status](https://travis-ci.org/twitter/secureheaders.png?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.png)](https://codeclimate.com/github/twitter/secureheaders)
 
 The gem will automatically apply several headers that are related to security.  This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 1.1 Specification](https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html)
@@ -44,7 +44,7 @@ This gem makes a few assumptions about how you will use some features.  For exam
 * It adds 'chrome-extension:' to your CSP directives by default.  This helps drastically reduce the amount of reports, but you can also disable this feature by supplying :disable_chrome_extension => true.
 * It fills any blank directives with the value in :default_src  Getting a default\-src report is pretty useless.  This way, you will always know what type of violation occurred. You can disable this feature by supplying :disable_fill_missing => true.
 * It copies the connect\-src value to xhr\-src for AJAX requests.
-* Firefox does not support cross\-origin CSP reports.  If we are using Firefox, AND the value for :report_uri does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`).  This is also the case if :report_uri only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in :report_uri without restriction. More information can be found in the "Note on Firefox handling of CSP" section.
+* Firefox does not support cross\-origin CSP reports.  If we are using Firefox, AND the value for :report_uri does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (`FF_CSP_ENDPOINT`).  This is also the case if :report_uri only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in :forward_endpoint without restriction. More information can be found in the "Note on Firefox handling of CSP" section.
 
 
 ## Configuration

data/Rakefile

@@ -7,6 +7,47 @@ require 'net/https'
 desc "Run RSpec"
 RSpec::Core::RakeTask.new do |t|
   t.verbose = false
+   t.rspec_opts = "--format progress"
+end
+
+task :default => :all_spec
+
+desc "Run all specs, and test fixture apps"
+task :all_spec => :spec do
+  pwd = Dir.pwd
+  Dir.chdir 'fixtures/rails_3_2_12'
+  puts Dir.pwd
+  str = `bundle install >> /dev/null; bundle exec rspec spec`
+  puts str
+  unless $? == 0
+    Dir.chdir pwd
+    fail "Header tests with app not using initializer failed exit code: #{$?}"
+  end
+
+  Dir.chdir pwd
+  Dir.chdir 'fixtures/rails_3_2_12_no_init'
+  puts Dir.pwd
+  puts `bundle install >> /dev/null; bundle exec rspec spec`
+
+  unless $? == 0
+    fail "Header tests with app not using initializer failed"
+    Dir.chdir pwd
+  end
+end
+
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'SecureHeaders'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('lib/**/*.rb')
 end
 
 UPDATE_URI = 'https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1'
@@ -124,4 +165,3 @@ def mozilla_license
 # ***** END LICENSE BLOCK *****
 EOM
 end
-task :default => :spec

data/app/controllers/content_security_policy_controller.rb

@@ -5,14 +5,22 @@ class ContentSecurityPolicyController < ActionController::Base
   CA_FILE = File.expand_path(File.join('..','..', '..', 'config', 'curl-ca-bundle.crt'), __FILE__)
 
   def scribe
-    csp = ::SecureHeaders::Configuration.csp
+    csp = ::SecureHeaders::Configuration.csp || {}
 
-    forward_endpoint = csp[:forward_endpoint] if csp
-    if forward_endpoint.nil?
-      head :ok
-      return
+    forward_endpoint = csp[:forward_endpoint]
+    if forward_endpoint
+      forward_params_to(forward_endpoint)
     end
 
+    head :ok
+  rescue StandardError => e
+    log_warning(forward_endpoint, e)
+    head :bad_request
+  end
+
+  private
+
+  def forward_params_to(forward_endpoint)
     uri = URI.parse(forward_endpoint)
     http = Net::HTTP.new(uri.host, uri.port)
     if uri.scheme == 'https'
@@ -28,11 +36,6 @@ class ContentSecurityPolicyController < ActionController::Base
     else
       http.request(request)
     end
-
-    head :ok
-  rescue StandardError => e
-    Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}") if defined?(Rails.logger)
-    head :bad_request
   end
 
   def use_ssl request
@@ -41,4 +44,10 @@ class ContentSecurityPolicyController < ActionController::Base
     request.verify_mode = OpenSSL::SSL::VERIFY_PEER
     request.verify_depth = 9
   end
+
+  def log_warning(forward_endpoint, e)
+    if defined?(Rails.logger)
+      Rails.logger.warn("Unable to POST CSP report to #{forward_endpoint} because #{e}")
+    end
+  end
 end

data/fixtures/rails_3_2_12/.rspec

@@ -0,0 +1 @@
+--color --format progress

data/fixtures/rails_3_2_12/Gemfile

@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+
+gem 'rails', '3.2.12'
+gem 'sqlite3'
+gem 'rspec-rails', '>= 2.0.0'
+gem 'secure_headers', :path => '../..'
+gem 'spork'
+gem 'debugger', :platform => :ruby_19
+gem 'ruby-debug', :platform => :ruby_18
+gem 'guard-rspec'
+gem 'guard-spork'
+gem 'rb-fsevent'
+gem 'growl'
+

data/fixtures/rails_3_2_12/Guardfile

@@ -0,0 +1,14 @@
+guard 'spork', :rspec_port => 1234, :aggressive_kill => false do
+  watch('spec/spec_helper.rb') { :rspec }
+end
+
+guard 'rspec', :cli => "--color --drb --drb-port 1234", :keep_failed => true, :all_after_pass => true, :focus_on_failed => true do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch('../../../lib')
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+  watch(%r{^app/controllers/(.+)_(controller)\.rb$})  { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
+  watch(%r{^spec/support/(.+)\.rb$})                  { "spec" }
+  watch('app/controllers/application_controller.rb')  { "spec/controllers" }
+end
+

data/fixtures/rails_3_2_12/README.rdoc

@@ -0,0 +1,261 @@
+== Welcome to Rails
+
+Rails is a web-application framework that includes everything needed to create
+database-backed web applications according to the Model-View-Control pattern.
+
+This pattern splits the view (also called the presentation) into "dumb"
+templates that are primarily responsible for inserting pre-built data in between
+HTML tags. The model contains the "smart" domain objects (such as Account,
+Product, Person, Post) that holds all the business logic and knows how to
+persist themselves to a database. The controller handles the incoming requests
+(such as Save New Account, Update Product, Show Post) by manipulating the model
+and directing data to the view.
+
+In Rails, the model is handled by what's called an object-relational mapping
+layer entitled Active Record. This layer allows you to present the data from
+database rows as objects and embellish these data objects with business logic
+methods. You can read more about Active Record in
+link:files/vendor/rails/activerecord/README.html.
+
+The controller and view are handled by the Action Pack, which handles both
+layers by its two parts: Action View and Action Controller. These two layers
+are bundled in a single package due to their heavy interdependence. This is
+unlike the relationship between the Active Record and Action Pack that is much
+more separate. Each of these packages can be used independently outside of
+Rails. You can read more about Action Pack in
+link:files/vendor/rails/actionpack/README.html.
+
+
+== Getting Started
+
+1. At the command prompt, create a new Rails application:
+       <tt>rails new myapp</tt> (where <tt>myapp</tt> is the application name)
+
+2. Change directory to <tt>myapp</tt> and start the web server:
+       <tt>cd myapp; rails server</tt> (run with --help for options)
+
+3. Go to http://localhost:3000/ and you'll see:
+       "Welcome aboard: You're riding Ruby on Rails!"
+
+4. Follow the guidelines to start developing your application. You can find
+the following resources handy:
+
+* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html
+* Ruby on Rails Tutorial Book: http://www.railstutorial.org/
+
+
+== Debugging Rails
+
+Sometimes your application goes wrong. Fortunately there are a lot of tools that
+will help you debug it and get it back on the rails.
+
+First area to check is the application log files. Have "tail -f" commands
+running on the server.log and development.log. Rails will automatically display
+debugging and runtime information to these files. Debugging info will also be
+shown in the browser on requests from 127.0.0.1.
+
+You can also log your own messages directly into the log file from your code
+using the Ruby logger class from inside your controllers. Example:
+
+  class WeblogController < ActionController::Base
+    def destroy
+      @weblog = Weblog.find(params[:id])
+      @weblog.destroy
+      logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
+    end
+  end
+
+The result will be a message in your log file along the lines of:
+
+  Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1!
+
+More information on how to use the logger is at http://www.ruby-doc.org/core/
+
+Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are
+several books available online as well:
+
+* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe)
+* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide)
+
+These two books will bring you up to speed on the Ruby language and also on
+programming in general.
+
+
+== Debugger
+
+Debugger support is available through the debugger command when you start your
+Mongrel or WEBrick server with --debugger. This means that you can break out of
+execution at any point in the code, investigate and change the model, and then,
+resume execution! You need to install ruby-debug to run the server in debugging
+mode. With gems, use <tt>sudo gem install ruby-debug</tt>. Example:
+
+  class WeblogController < ActionController::Base
+    def index
+      @posts = Post.all
+      debugger
+    end
+  end
+
+So the controller will accept the action, run the first line, then present you
+with a IRB prompt in the server window. Here you can do things like:
+
+  >> @posts.inspect
+  => "[#<Post:0x14a6be8
+          @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>,
+       #<Post:0x14a6620
+          @attributes={"title"=>"Rails", "body"=>"Only ten..", "id"=>"2"}>]"
+  >> @posts.first.title = "hello from a debugger"
+  => "hello from a debugger"
+
+...and even better, you can examine how your runtime objects actually work:
+
+  >> f = @posts.first
+  => #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
+  >> f.
+  Display all 152 possibilities? (y or n)
+
+Finally, when you're ready to resume execution, you can enter "cont".
+
+
+== Console
+
+The console is a Ruby shell, which allows you to interact with your
+application's domain model. Here you'll have all parts of the application
+configured, just like it is when the application is running. You can inspect
+domain models, change values, and save to the database. Starting the script
+without arguments will launch it in the development environment.
+
+To start the console, run <tt>rails console</tt> from the application
+directory.
+
+Options:
+
+* Passing the <tt>-s, --sandbox</tt> argument will rollback any modifications
+  made to the database.
+* Passing an environment name as an argument will load the corresponding
+  environment. Example: <tt>rails console production</tt>.
+
+To reload your controllers and models after launching the console run
+<tt>reload!</tt>
+
+More information about irb can be found at:
+link:http://www.rubycentral.org/pickaxe/irb.html
+
+
+== dbconsole
+
+You can go to the command line of your database directly through <tt>rails
+dbconsole</tt>. You would be connected to the database with the credentials
+defined in database.yml. Starting the script without arguments will connect you
+to the development database. Passing an argument will connect you to a different
+database, like <tt>rails dbconsole production</tt>. Currently works for MySQL,
+PostgreSQL and SQLite 3.
+
+== Description of Contents
+
+The default directory structure of a generated Ruby on Rails application:
+
+  |-- app
+  |   |-- assets
+  |       |-- images
+  |       |-- javascripts
+  |       `-- stylesheets
+  |   |-- controllers
+  |   |-- helpers
+  |   |-- mailers
+  |   |-- models
+  |   `-- views
+  |       `-- layouts
+  |-- config
+  |   |-- environments
+  |   |-- initializers
+  |   `-- locales
+  |-- db
+  |-- doc
+  |-- lib
+  |   `-- tasks
+  |-- log
+  |-- public
+  |-- script
+  |-- test
+  |   |-- fixtures
+  |   |-- functional
+  |   |-- integration
+  |   |-- performance
+  |   `-- unit
+  |-- tmp
+  |   |-- cache
+  |   |-- pids
+  |   |-- sessions
+  |   `-- sockets
+  `-- vendor
+      |-- assets
+          `-- stylesheets
+      `-- plugins
+
+app
+  Holds all the code that's specific to this particular application.
+
+app/assets
+  Contains subdirectories for images, stylesheets, and JavaScript files.
+
+app/controllers
+  Holds controllers that should be named like weblogs_controller.rb for
+  automated URL mapping. All controllers should descend from
+  ApplicationController which itself descends from ActionController::Base.
+
+app/models
+  Holds models that should be named like post.rb. Models descend from
+  ActiveRecord::Base by default.
+
+app/views
+  Holds the template files for the view that should be named like
+  weblogs/index.html.erb for the WeblogsController#index action. All views use
+  eRuby syntax by default.
+
+app/views/layouts
+  Holds the template files for layouts to be used with views. This models the
+  common header/footer method of wrapping views. In your views, define a layout
+  using the <tt>layout :default</tt> and create a file named default.html.erb.
+  Inside default.html.erb, call <% yield %> to render the view using this
+  layout.
+
+app/helpers
+  Holds view helpers that should be named like weblogs_helper.rb. These are
+  generated for you automatically when using generators for controllers.
+  Helpers can be used to wrap functionality for your views into methods.
+
+config
+  Configuration files for the Rails environment, the routing map, the database,
+  and other dependencies.
+
+db
+  Contains the database schema in schema.rb. db/migrate contains all the
+  sequence of Migrations for your schema.
+
+doc
+  This directory is where your application documentation will be stored when
+  generated using <tt>rake doc:app</tt>
+
+lib
+  Application specific libraries. Basically, any kind of custom code that
+  doesn't belong under controllers, models, or helpers. This directory is in
+  the load path.
+
+public
+  The directory available for the web server. Also contains the dispatchers and the
+  default HTML files. This should be set as the DOCUMENT_ROOT of your web
+  server.
+
+script
+  Helper scripts for automation and generation.
+
+test
+  Unit and functional tests along with fixtures. When using the rails generate
+  command, template test files will be generated for you and placed in this
+  directory.
+
+vendor
+  External libraries that the application depends on. Also includes the plugins
+  subdirectory. If the app has frozen rails, those gems also go here, under
+  vendor/rails/. This directory is in the load path.