RubyGems - secure_headers - Versions diffs - 2.2.4 → 2.3.0 - Mend

secure_headers 2.2.4 → 2.3.0

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (14) hide show

checksums.yaml +4 -4
data/README.md +30 -0
data/lib/secure_headers/headers/content_security_policy.rb +2 -0
data/lib/secure_headers/headers/public_key_pins.rb +1 -0
data/lib/secure_headers/headers/strict_transport_security.rb +1 -0
data/lib/secure_headers/headers/x_content_type_options.rb +2 -1
data/lib/secure_headers/headers/x_download_options.rb +1 -0
data/lib/secure_headers/headers/x_frame_options.rb +1 -0
data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb +1 -0
data/lib/secure_headers/headers/x_xss_protection.rb +1 -0
data/lib/secure_headers/version.rb +1 -1
data/lib/secure_headers.rb +48 -20
data/spec/lib/secure_headers_spec.rb +50 -0
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8a0931db8855224044856cad01f2226dfb325c93
-  data.tar.gz: bc3520f802677b2c7967d9e7ae928c5d6ef4d2ca
+  metadata.gz: 2ea3335e72b8eaea53c9fc03a77c008b73fc674c
+  data.tar.gz: 4097b301e8e7f18174abda1c6412f9652cd4c39a
 SHA512:
-  metadata.gz: 41b4ee3848c1261162c5a5e7f80931a1e7891a08ac0d1f49b5ebfae5ae819f0e8a5b3577499d4cd8d62eaf71d36218bb7bf97cd263d220a67a72e14c8a49dac6
-  data.tar.gz: acae6ac54a26a925e3fd74a2b24c50a00349cce8be8d9dca8d81ee1dbae68008defa925bb3a10f99996476687de0b632fca07cfc6d40bd7511dd8acc1cc7a0c1
+  metadata.gz: 53db0ad5f6d9e7a85bde9aa167a927e3bda91351ce2f57af0f505d1b6c0856ca50b295ad87e26c1b25fa0142a95d8ef8b11f12f562377e60a0b398454abdd5b9
+  data.tar.gz: a6c3c2366fcf08ed3749f6c6e9146e2fbc33fb167a504404e195bd9813c709b0d497c2c2fc64f138a482a5fcc68eb4d212895761722ae0beed4b49ccea481e81

data/README.md CHANGED Viewed

@@ -415,8 +415,38 @@ def before_load
 end
 ```
+### Using in rack middleware
+The `SecureHeaders::header_hash` generates a hash of all header values, which is useful for merging with rack middleware values.
+```ruby
+class MySecureHeaders
+  include SecureHeaders
+  def initialize(app)
+  @app = app
+ end
+ def call(env)
+   status, headers, response = @app.call(env)
+   security_headers = if override?
+     SecureHeaders::header_hash(:csp => false) # uses global config, but overrides CSP config
+   else
+     SecureHeaders::header_hash # uses global config
+   end
+   [status, headers.merge(security_headers), [response.body]]
+ end
+end
+module Testapp
+  class Application < Rails::Application
+    config.middleware.use MySecureHeaders
+  end
+end
+```
 ## Similar libraries
+* Rack [rack-secure_headers](https://github.com/harmoni/rack-secure_headers)
 * Node.js (express) [helmet](https://github.com/evilpacket/helmet) and [hood](https://github.com/seanmonstar/hood)
 * Node.js (hapi) [blankie](https://github.com/nlf/blankie)
 * J2EE Servlet >= 3.0 [headlines](https://github.com/sourceclear/headlines)

data/lib/secure_headers/headers/content_security_policy.rb CHANGED Viewed

@@ -40,7 +40,9 @@ module SecureHeaders
       SOURCE_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES
       ALL_DIRECTIVES = DIRECTIVES + NON_DEFAULT_SOURCES + OTHER
+      CONFIG_KEY = :csp
     end
     include Constants
     attr_reader :disable_fill_missing, :ssl_request

data/lib/secure_headers/headers/public_key_pins.rb CHANGED Viewed

@@ -6,6 +6,7 @@ module SecureHeaders
       ENV_KEY = 'secure_headers.public_key_pins'
       HASH_ALGORITHMS = [:sha256]
       DIRECTIVES = [:max_age]
+      CONFIG_KEY = :hpkp
     end
     class << self
       def symbol_to_hyphen_case sym

data/lib/secure_headers/headers/strict_transport_security.rb CHANGED Viewed

@@ -8,6 +8,7 @@ module SecureHeaders
       DEFAULT_VALUE = "max-age=" + HSTS_MAX_AGE
       VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
       MESSAGE = "The config value supplied for the HSTS header was invalid."
+      CONFIG_KEY = :hsts
     end
     include Constants

data/lib/secure_headers/headers/x_content_type_options.rb CHANGED Viewed

@@ -5,6 +5,7 @@ module SecureHeaders
     module Constants
       X_CONTENT_TYPE_OPTIONS_HEADER_NAME = "X-Content-Type-Options"
       DEFAULT_VALUE = "nosniff"
+      CONFIG_KEY = :x_content_type_options
     end
     include Constants
@@ -37,4 +38,4 @@ module SecureHeaders
       end
     end
   end
-end
+end

data/lib/secure_headers/headers/x_download_options.rb CHANGED Viewed

@@ -4,6 +4,7 @@ module SecureHeaders
     module Constants
       XDO_HEADER_NAME = "X-Download-Options"
       DEFAULT_VALUE = 'noopen'
+      CONFIG_KEY = :x_download_options
     end
     include Constants

data/lib/secure_headers/headers/x_frame_options.rb CHANGED Viewed

@@ -5,6 +5,7 @@ module SecureHeaders
       XFO_HEADER_NAME = "X-Frame-Options"
       DEFAULT_VALUE = 'SAMEORIGIN'
       VALID_XFO_HEADER = /\A(SAMEORIGIN\z|DENY\z|ALLOW-FROM[:\s])/i
+      CONFIG_KEY = :x_frame_options
     end
     include Constants

data/lib/secure_headers/headers/x_permitted_cross_domain_policies.rb CHANGED Viewed

@@ -5,6 +5,7 @@ module SecureHeaders
       XPCDP_HEADER_NAME = "X-Permitted-Cross-Domain-Policies"
       DEFAULT_VALUE = 'none'
       VALID_POLICIES = %w(all none master-only by-content-type by-ftp-filename)
+      CONFIG_KEY = :x_permitted_cross_domain_policies
     end
     include Constants

data/lib/secure_headers/headers/x_xss_protection.rb CHANGED Viewed

@@ -5,6 +5,7 @@ module SecureHeaders
       X_XSS_PROTECTION_HEADER_NAME = 'X-XSS-Protection'
       DEFAULT_VALUE = "1"
       VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/i
+      CONFIG_KEY = :x_xss_protection
     end
     include Constants

data/lib/secure_headers/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SecureHeaders
-  VERSION = "2.2.4"
+  VERSION = "2.3.0"
 end

data/lib/secure_headers.rb CHANGED Viewed

@@ -1,7 +1,32 @@
+require "secure_headers/version"
+require "secure_headers/header"
+require "secure_headers/headers/public_key_pins"
+require "secure_headers/headers/content_security_policy"
+require "secure_headers/headers/x_frame_options"
+require "secure_headers/headers/strict_transport_security"
+require "secure_headers/headers/x_xss_protection"
+require "secure_headers/headers/x_content_type_options"
+require "secure_headers/headers/x_download_options"
+require "secure_headers/headers/x_permitted_cross_domain_policies"
+require "secure_headers/railtie"
+require "secure_headers/hash_helper"
+require "secure_headers/view_helper"
 module SecureHeaders
   SCRIPT_HASH_CONFIG_FILE = 'config/script_hashes.yml'
   HASHES_ENV_KEY = 'secure_headers.script_hashes'
+  ALL_HEADER_CLASSES = [
+    SecureHeaders::ContentSecurityPolicy,
+    SecureHeaders::StrictTransportSecurity,
+    SecureHeaders::PublicKeyPins,
+    SecureHeaders::XContentTypeOptions,
+    SecureHeaders::XDownloadOptions,
+    SecureHeaders::XFrameOptions,
+    SecureHeaders::XPermittedCrossDomainPolicies,
+    SecureHeaders::XXssProtection
+  ]
   module Configuration
     class << self
       attr_accessor :hsts, :x_frame_options, :x_content_type_options,
@@ -24,6 +49,27 @@ module SecureHeaders
         include InstanceMethods
       end
     end
+    def header_hash(options = nil)
+      ALL_HEADER_CLASSES.inject({}) do |memo, klass|
+        config = if options.is_a?(Hash) && options[klass::Constants::CONFIG_KEY]
+          options[klass::Constants::CONFIG_KEY]
+        else
+          ::SecureHeaders::Configuration.send(klass::Constants::CONFIG_KEY)
+        end
+        unless klass == SecureHeaders::PublicKeyPins && !config.is_a?(Hash)
+          header = get_a_header(klass::Constants::CONFIG_KEY, klass, config)
+          memo[header.name] = header.value
+        end
+        memo
+      end
+    end
+    def get_a_header(name, klass, options)
+      return if options == false
+      klass.new(options)
+    end
   end
   module ClassMethods
@@ -161,13 +207,10 @@ module SecureHeaders
       options.nil? ? ::SecureHeaders::Configuration.send(type) : options
     end
     def set_a_header(name, klass, options=nil)
-      options = secure_header_options_for name, options
+      options = secure_header_options_for(name, options)
       return if options == false
-      header = klass.new(options)
-      set_header(header)
+      set_header(SecureHeaders::get_a_header(name, klass, options))
     end
     def set_header(name_or_header, value=nil)
@@ -180,18 +223,3 @@ module SecureHeaders
     end
   end
 end
-require "secure_headers/version"
-require "secure_headers/header"
-require "secure_headers/headers/public_key_pins"
-require "secure_headers/headers/content_security_policy"
-require "secure_headers/headers/x_frame_options"
-require "secure_headers/headers/strict_transport_security"
-require "secure_headers/headers/x_xss_protection"
-require "secure_headers/headers/x_content_type_options"
-require "secure_headers/headers/x_download_options"
-require "secure_headers/headers/x_permitted_cross_domain_policies"
-require "secure_headers/railtie"
-require "secure_headers/hash_helper"
-require "secure_headers/view_helper"

data/spec/lib/secure_headers_spec.rb CHANGED Viewed

@@ -159,6 +159,56 @@ describe SecureHeaders do
     end
   end
+  describe "SecureHeaders#header_hash" do
+    def expect_default_values(hash)
+      expect(hash[XFO_HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
+      expect(hash[XDO_HEADER_NAME]).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
+      expect(hash[HSTS_HEADER_NAME]).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
+      expect(hash[X_XSS_PROTECTION_HEADER_NAME]).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
+      expect(hash[X_CONTENT_TYPE_OPTIONS_HEADER_NAME]).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
+      expect(hash[XPCDP_HEADER_NAME]).to eq(SecureHeaders::XPermittedCrossDomainPolicies::Constants::DEFAULT_VALUE)
+    end
+    it "produces a hash of headers given a hash as config" do
+      hash = SecureHeaders::header_hash(:csp => {:default_src => 'none', :img_src => "data:", :disable_fill_missing => true})
+      expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
+      expect_default_values(hash)
+    end
+    it "produces a hash with a mix of config values, override values, and default values" do
+      ::SecureHeaders::Configuration.configure do |config|
+        config.hsts = { :max_age => '123456'}
+        config.hpkp = {
+          :enforce => true,
+          :max_age => 1000000,
+          :include_subdomains => true,
+          :report_uri => '//example.com/uri-directive',
+          :pins => [
+            {:sha256 => 'abc'},
+            {:sha256 => '123'}
+          ]
+        }
+      end
+      hash = SecureHeaders::header_hash(:csp => {:default_src => 'none', :img_src => "data:", :disable_fill_missing => true})
+      ::SecureHeaders::Configuration.configure do |config|
+        config.hsts = nil
+        config.hpkp = nil
+      end
+      expect(hash['Content-Security-Policy-Report-Only']).to eq("default-src 'none'; img-src data:;")
+      expect(hash[XFO_HEADER_NAME]).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
+      expect(hash[HSTS_HEADER_NAME]).to eq("max-age=123456")
+      expect(hash[HPKP_HEADER_NAME]).to eq(%{max-age=1000000; pin-sha256="abc"; pin-sha256="123"; report-uri="//example.com/uri-directive"; includeSubDomains})
+    end
+    it "produces a hash of headers with default config" do
+      hash = SecureHeaders::header_hash
+      expect(hash['Content-Security-Policy-Report-Only']).to eq(SecureHeaders::ContentSecurityPolicy::Constants::DEFAULT_CSP_HEADER)
+      expect_default_values(hash)
+    end
+  end
   describe "#set_x_frame_options_header" do
     it "sets the X-Frame-Options header" do
       should_assign_header(XFO_HEADER_NAME, SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 2.2.4
+  version: 2.3.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-08-26 00:00:00.000000000 Z
+date: 2015-09-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake