secure_headers 3.0.0.pre → 3.0.0.pre1





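--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
- metadata.gz: c8e754c1f97c8f87f3492dac27f5f4b39cc8c9a8
- data.tar.gz: 72d1d6ec611315a483923e2aad37c4db381809ff
+ metadata.gz: 54b745f9955363c185766acb0a39ebf913a88151
+ data.tar.gz: 315ec9e43586e58f76c359b51c9ed3cdc83eb51e
 SHA512:
- metadata.gz: 9ee17384b25c81996bafc490b8283abd17d2704139d8de0a1ffacef372e51fb355884d8f3a898e3c30dd3f52c9be0ce6daa55a19d1ba4d0e6c60d53ffd5ce91e
- data.tar.gz: 9f09f04cc2bdd6a3710c7967817150977cef728054a8437f7a10dd51e39e07c9ae049ccce8ea6c00e013884ab3bf7afebad1d68e4a1dacf775681e78940836d9
+ metadata.gz: 6842017c4fe05a04c391f8fb447fb524b77ec8577348b5f44c062a772565a32032a71801529ed24e918570a1b55defb4a273240c9c6edbfcd9eb222836c95428
+ data.tar.gz: c54f33d09186b27857246371a0af1a3d4f7699dc0d0796b532255aa0513c848810570271a78263b59f57a510fb00a9529b3454ddddea7a118dad088b574ff188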
@@ -13,6 +13,7 @@ module SecureHeaders
13
13
  REPORT_ONLY = "Content-Security-Policy-Report-Only".freeze
14
14
  HEADER_NAMES = [HEADER_NAME, REPORT_ONLY]
15
15
  DATA_PROTOCOL = "data:".freeze
16
+ BLOB_PROTOCOL = "blob:".freeze
16
17
  SELF = "'self'".freeze
17
18
  NONE = "'none'".freeze
18
19
  STAR = "*".freeze
@@ -141,7 +142,9 @@ module SecureHeaders
141
142
  WILDCARD_SOURCES = [
142
143
  UNSAFE_EVAL,
143
144
  UNSAFE_INLINE,
144
- STAR
145
+ STAR,
146
+ DATA_PROTOCOL,
147
+ BLOB_PROTOCOL
145
148
  ]
146
149
 
147
150
  class << self
@@ -243,11 +246,11 @@ module SecureHeaders
243
246
  # Does not validate the invididual values of the source expression (e.g.
244
247
  # script_src => h*t*t*p: will not raise an exception)
245
248
  def validate_source_expression!(key, value)
246
- # source expressions
247
249
  unless ContentSecurityPolicy::ALL_DIRECTIVES.include?(key)
248
250
  raise ContentSecurityPolicyConfigError.new("Unknown directive #{key}")
249
251
  end
250
- unless value.is_a?(Array) && value.all? { |v| v.is_a?(String) }
252
+
253
+ unless value.is_a?(Array) && value.compact.all? { |v| v.is_a?(String) }
251
254
  raise ContentSecurityPolicyConfigError.new("#{key} must be an array of strings")
252
255
  end
253
256
 
@@ -317,7 +320,7 @@ module SecureHeaders
317
320
  else
318
321
  build_directive(directive_name)
319
322
  end
320
- end.join("; ")
323
+ end.compact.join("; ")
321
324
  end
322
325
 
323
326
  # Private: builds a string that represents one directive in a minified form.
@@ -330,6 +333,7 @@ module SecureHeaders
330
333
  # Returns a string representing a directive.
331
334
  def build_directive(directive_name)
332
335
  source_list = @config[directive_name].compact
336
+ return if source_list.empty?
333
337
 
334
338
  value = if source_list.include?(STAR)
335
339
  # Discard trailing entries (excluding unsafe-*) since * accomplishes the same.
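Review bot: The `return if source_list.empty?` added to build_directive (new line 336) turns an empty or all-nil source list from an empty directive into a missing one, and in CSP those are different policies: a directive with no source expressions behaves like `'none'`, whereas an absent directive inherits default-src (or, for directives such as frame-ancestors that do not inherit, restricts nothing). A caller writing `script_src: []` to block scripts now silently gets default-src's sources instead, and the new spec example with `script_src: [nil]` pins exactly that omission. I would either reject it up front in validate_source_expression! — `raise ContentSecurityPolicyConfigError.new("#{key} must not be empty; use 'none' to block the directive") if value.compact.empty?` — or at least document it on build_directive with `# Returns nil (directive omitted, so default-src applies) when no sources remain; pass 'none' to block a directive explicitly.` The comment "Discard trailing entries (excluding unsafe-*) since * accomplishes the same" on the last line of the hunk is now stale, since WILDCARD_SOURCES also retains data: and blob:, which `*` does not match (the spec's `*` carve-out also lists `filesystem:`, which is not added here). build_directive's body continues beyond the hunk.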
@@ -1,7 +1,7 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "secure_headers"
4
- gem.version = "3.0.0.pre"
4
+ gem.version = "3.0.0.pre1"
5
5
  gem.authors = ["Neil Matatall"]
6
6
  gem.email = ["neil.matatall@gmail.com"]
7
7
  gem.description = 'Security related headers all in one gem.'
@@ -47,6 +47,12 @@ module SecureHeaders
47
47
  end.to raise_error(ContentSecurityPolicyConfigError)
48
48
  end
49
49
 
50
+ it "allows nil values" do
51
+ expect do
52
+ CSP.validate_config!(default_src: %w('self'), script_src: ["https:", nil])
53
+ end.to_not raise_error
54
+ end
55
+
50
56
  it "rejects unknown directives / config" do
51
57
  expect do
52
58
  CSP.validate_config!(default_src: %w('self'), default_src_totally_mispelled: "steve")
@@ -109,9 +115,9 @@ module SecureHeaders
109
115
  expect(csp.value).not_to include("'none'")
110
116
  end
111
117
 
112
- it "discards source expressions besides unsafe-* expressions when * is present" do
113
- csp = ContentSecurityPolicy.new(default_src: %w(* 'unsafe-inline' 'unsafe-eval' http: https: example.org))
114
- expect(csp.value).to eq("default-src * 'unsafe-inline' 'unsafe-eval'")
118
+ it "discards source expressions (besides unsafe-* and non-host source values) when * is present" do
119
+ csp = ContentSecurityPolicy.new(default_src: %w(* 'unsafe-inline' 'unsafe-eval' http: https: example.org data: blob:))
120
+ expect(csp.value).to eq("default-src * 'unsafe-inline' 'unsafe-eval' data: blob:")
115
121
  end
116
122
 
117
123
  it "minifies source expressions based on overlapping wildcards" do
@@ -137,6 +143,11 @@ module SecureHeaders
137
143
  expect(csp.value).to eq("default-src example.org")
138
144
  end
139
145
 
146
+ it "does not add a directive if the value is an empty array (or all nil)" do
147
+ csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], script_src: [nil])
148
+ expect(csp.value).to eq("default-src example.org")
149
+ end
150
+
140
151
  it "deduplicates any source expressions" do
141
152
  csp = ContentSecurityPolicy.new(default_src: %w(example.org example.org example.org))
142
153
  expect(csp.value).to eq("default-src example.org")
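Review bot: The example titled "does not add a directive if the value is an empty array (or all nil)" only builds `script_src: [nil]`; the empty-array case it names is never exercised, so a regression that treats `[]` differently from `[nil]` (for instance in the `value.compact` check in validate_source_expression!) would still pass. Add a second expectation such as `expect(ContentSecurityPolicy.new(default_src: ["https://example.org"], script_src: []).value).to eq("default-src example.org")`, and since omitting a directive is security-relevant (a dropped script-src falls back to default-src rather than blocking), say so in the example name, e.g. "omits the directive (falling back to default-src) when the value is an empty array or all nil". The retitled wildcard example refers to "non-host source values" in general but only asserts data: and blob:, so the title promises more than the assertion checks. The enclosing describe block continues outside the hunk.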
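--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
- version: 3.0.0.pre
+ version: 3.0.0.pre1
 platform: ruby
 authors:
 - Neil Matatall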