secure_headers 3.7.4 → 3.8.0


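--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-SHA1:
-metadata.gz: a365e7f904bc5b4eba16131acbfa3dae889c6b5b
-data.tar.gz: 750fb42f0641c07950c55082f946ea6ae6d8087f
+SHA256:
+metadata.gz: d605beb08177e1325edd0726b0cb551d3ac71b6dc6da7c1261d6f30b60db7695
+data.tar.gz: f166e3735db90264366d654520269fb3cfb696ce9747c1ce92c11927d3322cb2
 SHA512:
-metadata.gz: ba3a0808f3f7f3136e265c687dd766bdc79598eac7eebc98b1ce8160f150716c4b085dfd83da1f4408abcb220eba8e681b29aaf07cb9d8bb196ac5b408c9d8af
-data.tar.gz: 54a80c904e4f06b9888e6d42669a06ecc81b4eea2482f0cf44fdf626c74d1cc79543d07fb6034e43685031d19efe15845e49bfbec9ce94efc49f1ccf2f41456a
+metadata.gz: 784ea802225dbe362fa66d56022f13a1e8d58f71cac325959a7c28c4cb0f0acc25a478f794ef1286d3e951abb06f5c2fd25a3e448170643db6946c97027a3fe6
+data.tar.gz: 19abcb3f648b322ac8db0ca9352e53a758be5253d110e67224e8632366efde66a034f9777dc77946ef897dbc99e9dbf72edca743a1b184ca8b336c0a63296f7c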
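--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.8.0
+
+Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418
+
 ## 3.7.4
 
 Backport SameSite=None functionality into 3.x line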
@@ -142,8 +142,14 @@ module SecureHeaders
142
142
  @config.directive_value(directive)
143
143
  end
144
144
  return unless source_list && source_list.any?
145
- normalized_source_list = minify_source_list(directive, source_list)
146
- [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
145
+ normalized_source_list = minify_source_list(directive, source_list).join(" ")
146
+
147
+ if normalized_source_list.include?(";")
148
+ Kernel.warn("#{directive} contains a ; in '#{normalized_source_list}' which will raise an error in future versions. It has been replaced with a blank space.")
149
+ end
150
+ escaped_source_list = normalized_source_list.gsub(";", " ")
151
+
152
+ [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
147
153
  end
148
154
 
149
155
  # If a directive contains *, all other values are omitted.
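Review bot: The `gsub(";", " ")` on the new side neutralises only CSP's directive separator, so a source value carrying CR or LF is still joined verbatim into the header value; unless a downstream layer (Rack/app server) already rejects such values, that remains a header-splitting vector this fix does not cover. Consider widening both the warning check and the replacement to the same character class, `if normalized_source_list =~ /[;\r\n]/` and `escaped_source_list = normalized_source_list.gsub(/[;\r\n]/, " ")`, adjusting the warning text to match. Note also that `Kernel.warn` echoes the offending value to stderr, which is acceptable for a deprecation notice but does put the raw input into process logs. The enclosing method begins before the hunk, so the directive/source_list setup it relies on is not visible here.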
@@ -1,7 +1,7 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "secure_headers"
4
- gem.version = "3.7.4"
4
+ gem.version = "3.8.0"
5
5
  gem.authors = ["Neil Matatall"]
6
6
  gem.email = ["neil.matatall@gmail.com"]
7
7
  gem.description = 'Manages application of security headers with many safe defaults.'
@@ -23,6 +23,15 @@ module SecureHeaders
23
23
  end
24
24
 
25
25
  describe "#value" do
26
+ it "uses a safe but non-breaking default value" do
27
+ expect(ContentSecurityPolicy.new.value).to eq("default-src https:")
28
+ end
29
+
30
+ it "deprecates and escapes semicolons in directive source lists" do
31
+ expect(Kernel).to receive(:warn).with("frame_ancestors contains a ; in 'google.com;script-src *;.;' which will raise an error in future versions. It has been replaced with a blank space.")
32
+ expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
33
+ end
34
+
26
35
  it "discards 'none' values if any other source expressions are present" do
27
36
  csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
28
37
  expect(csp.value).not_to include("'none'")
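Review bot: The new deprecation spec pins the entire warning sentence via `with("frame_ancestors contains a ; in ...")`, so any rewording of the message breaks the test without a behaviour change; matching on the parts that matter keeps the intent, e.g. `expect(Kernel).to receive(:warn).with(a_string_including("frame_ancestors", "google.com;script-src"))`. It would also be worth stating the security property directly rather than only through the expected string, e.g. `expect(value).not_to include(";")`, so the assertion survives future changes to how sources are minified. The enclosing `describe "#value"` block starts before the hunk.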
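--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 3.7.4
+version: 3.8.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-01-14 00:00:00.000000000 Z
+date: 2020-01-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -127,8 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.5.2
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: Add easily configured security headers to responses including content-security-policy,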