RubyGems - secure_headers - Versions diffs - 3.0.0.pre → 3.0.0.pre1 - Mend

secure_headers 3.0.0.pre → 3.0.0.pre1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/secure_headers/headers/content_security_policy.rb +8 -4
data/secure_headers.gemspec +1 -1
data/spec/lib/secure_headers/headers/content_security_policy_spec.rb +14 -3
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c8e754c1f97c8f87f3492dac27f5f4b39cc8c9a8
-  data.tar.gz: 72d1d6ec611315a483923e2aad37c4db381809ff
+  metadata.gz: 54b745f9955363c185766acb0a39ebf913a88151
+  data.tar.gz: 315ec9e43586e58f76c359b51c9ed3cdc83eb51e
 SHA512:
-  metadata.gz: 9ee17384b25c81996bafc490b8283abd17d2704139d8de0a1ffacef372e51fb355884d8f3a898e3c30dd3f52c9be0ce6daa55a19d1ba4d0e6c60d53ffd5ce91e
-  data.tar.gz: 9f09f04cc2bdd6a3710c7967817150977cef728054a8437f7a10dd51e39e07c9ae049ccce8ea6c00e013884ab3bf7afebad1d68e4a1dacf775681e78940836d9
+  metadata.gz: 6842017c4fe05a04c391f8fb447fb524b77ec8577348b5f44c062a772565a32032a71801529ed24e918570a1b55defb4a273240c9c6edbfcd9eb222836c95428
+  data.tar.gz: c54f33d09186b27857246371a0af1a3d4f7699dc0d0796b532255aa0513c848810570271a78263b59f57a510fb00a9529b3454ddddea7a118dad088b574ff188

data/lib/secure_headers/headers/content_security_policy.rb CHANGED Viewed

@@ -13,6 +13,7 @@ module SecureHeaders
     REPORT_ONLY = "Content-Security-Policy-Report-Only".freeze
     HEADER_NAMES = [HEADER_NAME, REPORT_ONLY]
     DATA_PROTOCOL = "data:".freeze
+    BLOB_PROTOCOL = "blob:".freeze
     SELF = "'self'".freeze
     NONE = "'none'".freeze
     STAR = "*".freeze
@@ -141,7 +142,9 @@ module SecureHeaders
     WILDCARD_SOURCES = [
       UNSAFE_EVAL,
       UNSAFE_INLINE,
-      STAR
+      STAR,
+      DATA_PROTOCOL,
+      BLOB_PROTOCOL
     ]
     class << self
@@ -243,11 +246,11 @@ module SecureHeaders
       # Does not validate the invididual values of the source expression (e.g.
       # script_src => h*t*t*p: will not raise an exception)
       def validate_source_expression!(key, value)
-        # source expressions
         unless ContentSecurityPolicy::ALL_DIRECTIVES.include?(key)
           raise ContentSecurityPolicyConfigError.new("Unknown directive #{key}")
         end
-        unless value.is_a?(Array) && value.all? { |v| v.is_a?(String) }
+        unless value.is_a?(Array) && value.compact.all? { |v| v.is_a?(String) }
           raise ContentSecurityPolicyConfigError.new("#{key} must be an array of strings")
         end
@@ -317,7 +320,7 @@ module SecureHeaders
         else
           build_directive(directive_name)
         end
-      end.join("; ")
+      end.compact.join("; ")
     end
     # Private: builds a string that represents one directive in a minified form.
@@ -330,6 +333,7 @@ module SecureHeaders
     # Returns a string representing a directive.
     def build_directive(directive_name)
       source_list = @config[directive_name].compact
+      return if source_list.empty?
       value = if source_list.include?(STAR)
         # Discard trailing entries (excluding unsafe-*) since * accomplishes the same.

data/secure_headers.gemspec CHANGED Viewed

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "3.0.0.pre"
+  gem.version       = "3.0.0.pre1"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = 'Security related headers all in one gem.'

data/spec/lib/secure_headers/headers/content_security_policy_spec.rb CHANGED Viewed

@@ -47,6 +47,12 @@ module SecureHeaders
         end.to raise_error(ContentSecurityPolicyConfigError)
       end
+      it "allows nil values" do
+        expect do
+          CSP.validate_config!(default_src: %w('self'), script_src: ["https:", nil])
+        end.to_not raise_error
+      end
       it "rejects unknown directives / config" do
         expect do
           CSP.validate_config!(default_src: %w('self'), default_src_totally_mispelled: "steve")
@@ -109,9 +115,9 @@ module SecureHeaders
         expect(csp.value).not_to include("'none'")
       end
-      it "discards source expressions besides unsafe-* expressions when * is present" do
-        csp = ContentSecurityPolicy.new(default_src: %w(* 'unsafe-inline' 'unsafe-eval' http: https: example.org))
-        expect(csp.value).to eq("default-src * 'unsafe-inline' 'unsafe-eval'")
+      it "discards source expressions (besides unsafe-* and non-host source values) when * is present" do
+        csp = ContentSecurityPolicy.new(default_src: %w(* 'unsafe-inline' 'unsafe-eval' http: https: example.org data: blob:))
+        expect(csp.value).to eq("default-src * 'unsafe-inline' 'unsafe-eval' data: blob:")
       end
       it "minifies source expressions based on overlapping wildcards" do
@@ -137,6 +143,11 @@ module SecureHeaders
         expect(csp.value).to eq("default-src example.org")
       end
+      it "does not add a directive if the value is an empty array (or all nil)" do
+        csp = ContentSecurityPolicy.new(default_src: ["https://example.org"], script_src: [nil])
+        expect(csp.value).to eq("default-src example.org")
+      end
       it "deduplicates any source expressions" do
         csp = ContentSecurityPolicy.new(default_src: %w(example.org example.org example.org))
         expect(csp.value).to eq("default-src example.org")

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 3.0.0.pre
+  version: 3.0.0.pre1
 platform: ruby
 authors:
 - Neil Matatall