RubyGems - secure_headers - Versions diffs - 1.1.0 → 1.1.1 - Mend

secure_headers 1.1.0 → 1.1.1

This version of secure_headers might be problematic. Click here for more details.

Files changed (7) hide show

data/HISTORY.md CHANGED

@@ -1,3 +1,10 @@
+1.1.1
+======
+Bug fix release.
+- Parsing of CSP reports was busted.
+- Forwarded reports did not include the original referer, ip, UA
 1.1.0
 ======

@@ -27,7 +27,20 @@ class ContentSecurityPolicyController < ActionController::Base
       use_ssl(http)
     end
+    if request.content_type == "application/csp-report"
+      request.body.rewind
+      params.merge!(ActiveSupport::JSON.decode(request.body.read))
+    end
+    ua = request.user_agent
+    xff = forwarded_for
     request = Net::HTTP::Post.new(uri.to_s)
+    request.initialize_http_header({
+      'User-Agent' => ua,
+      'X-Forwarded-For' => xff,
+      'Content-Type' => 'application/json',
+    })
     request.body = params.to_json
     # fire and forget
@@ -38,6 +51,15 @@ class ContentSecurityPolicyController < ActionController::Base
     end
   end
+  def forwarded_for
+    req_xff = request.env["HTTP_X_FORWARDED_FOR"]
+    if req_xff && req_xff != ""
+      "#{req_xff}, #{request.remote_ip}"
+    else
+      request.remote_ip
+    end
+  end
   def use_ssl request
     request.use_ssl = true
     request.ca_file = CA_FILE

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "1.1.0"
+  VERSION = "1.1.1"
 end

@@ -11,6 +11,21 @@ describe ContentSecurityPolicyController do
     }
   }
+  class FakeRequest
+    def user_agent
+      "Foo"
+    end
+    def env
+      {"HTTP_X_FORWARDED_FOR" => ""}
+    end
+    def remote_ip
+      "123.12.45.67"
+    end
+    def content_type
+      "application/json"
+    end
+  end
   describe "#csp" do
     let(:request) { double().as_null_object }
     let(:endpoint) { "https://example.com" }
@@ -20,6 +35,7 @@ describe ContentSecurityPolicyController do
       SecureHeaders::Configuration.stub(:csp).and_return({:report_uri => endpoint, :forward_endpoint => secondary_endpoint})
       subject.should_receive :head
       subject.stub(:params).and_return(params)
+      subject.stub(:request).and_return(FakeRequest.new)
       Net::HTTP.any_instance.stub(:request)
     end

@@ -27,7 +27,7 @@ module SecureHeaders
         it "doesn't accept anything besides no-sniff" do
           lambda {
             XContentTypeOptions.new("donkey")
-          }.should raise_error(XContentTypeOptionsBuildError)
+          }.should raise_error
         end
       end
     end

@@ -13,19 +13,18 @@ module SecureHeaders
         it "allows SAMEORIGIN" do
           lambda {
             XFrameOptions.new("SAMEORIGIN").value
-          }.should_not raise_error(XFOBuildError)
+          }.should_not raise_error
         end
         it "allows DENY" do
           lambda {
             XFrameOptions.new("DENY").value
-          }.should_not raise_error(XFOBuildError)
-        end
+          }.should_not raise_error        end
         it "allows ALLOW-FROM*" do
           lambda {
             XFrameOptions.new("ALLOW-FROM: example.com").value
-          }.should_not raise_error(XFOBuildError)
+          }.should_not raise_error
         end
         it "does not allow garbage" do
           lambda {

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.1
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-11-11 00:00:00.000000000 Z
+date: 2013-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake