secure_headers 3.7.4 → 3.8.0



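--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-SHA1:
-metadata.gz: a365e7f904bc5b4eba16131acbfa3dae889c6b5b
-data.tar.gz: 750fb42f0641c07950c55082f946ea6ae6d8087f
+SHA256:
+metadata.gz: d605beb08177e1325edd0726b0cb551d3ac71b6dc6da7c1261d6f30b60db7695
+data.tar.gz: f166e3735db90264366d654520269fb3cfb696ce9747c1ce92c11927d3322cb2
 SHA512:
-metadata.gz: ba3a0808f3f7f3136e265c687dd766bdc79598eac7eebc98b1ce8160f150716c4b085dfd83da1f4408abcb220eba8e681b29aaf07cb9d8bb196ac5b408c9d8af
-data.tar.gz: 54a80c904e4f06b9888e6d42669a06ecc81b4eea2482f0cf44fdf626c74d1cc79543d07fb6034e43685031d19efe15845e49bfbec9ce94efc49f1ccf2f41456a
+metadata.gz: 784ea802225dbe362fa66d56022f13a1e8d58f71cac325959a7c28c4cb0f0acc25a478f794ef1286d3e951abb06f5c2fd25a3e448170643db6946c97027a3fe6
+data.tar.gz: 19abcb3f648b322ac8db0ca9352e53a758be5253d110e67224e8632366efde66a034f9777dc77946ef897dbc99e9dbf72edca743a1b184ca8b336c0a63296f7c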
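--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.8.0
+
+Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418
+
 ## 3.7.4
 
 Backport SameSite=None functionality into 3.x line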
@@ -142,8 +142,14 @@ module SecureHeaders
142
142
  @config.directive_value(directive)
143
143
  end
144
144
  return unless source_list && source_list.any?
145
- normalized_source_list = minify_source_list(directive, source_list)
146
- [symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
145
+ normalized_source_list = minify_source_list(directive, source_list).join(" ")
146
+
147
+ if normalized_source_list.include?(";")
148
+ Kernel.warn("#{directive} contains a ; in '#{normalized_source_list}' which will raise an error in future versions. It has been replaced with a blank space.")
149
+ end
150
+ escaped_source_list = normalized_source_list.gsub(";", " ")
151
+
152
+ [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
147
153
  end
148
154
 
149
155
  # If a directive contains *, all other values are omitted.
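Review bot: Replacing `;` with a space removes the directive separator but keeps the injected tokens as source expressions of the original directive — the spec added in this release expects `frame_ancestors` to serialize as `frame-ancestors google.com script-src * .`, where the surviving `*` broadens that directive to any origin, so if a source value is ever taken from an untrusted input the policy can still be loosened even though a new directive can no longer be appended. Since the `Kernel.warn` text already announces that this will raise in future versions, the safer shape is to reject now (`raise ArgumentError, "#{directive} contains a ;"` in place of the `gsub`), or at minimum to add a comment above the `include?(";")` check along the lines of `# Only neutralises the directive separator; source values themselves are not validated here.` so the limited scope of the mitigation is explicit. The warning also interpolates the full offending value and fires on every call to this method, which presumably means once per rendered response rather than once at configuration time; hoisting the check into config validation would surface it once, at boot, where it is more likely to be acted on. The enclosing method starts before this hunk.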
@@ -1,7 +1,7 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "secure_headers"
4
- gem.version = "3.7.4"
4
+ gem.version = "3.8.0"
5
5
  gem.authors = ["Neil Matatall"]
6
6
  gem.email = ["neil.matatall@gmail.com"]
7
7
  gem.description = 'Manages application of security headers with many safe defaults.'
@@ -23,6 +23,15 @@ module SecureHeaders
23
23
  end
24
24
 
25
25
  describe "#value" do
26
+ it "uses a safe but non-breaking default value" do
27
+ expect(ContentSecurityPolicy.new.value).to eq("default-src https:")
28
+ end
29
+
30
+ it "deprecates and escapes semicolons in directive source lists" do
31
+ expect(Kernel).to receive(:warn).with("frame_ancestors contains a ; in 'google.com;script-src *;.;' which will raise an error in future versions. It has been replaced with a blank space.")
32
+ expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
33
+ end
34
+
26
35
  it "discards 'none' values if any other source expressions are present" do
27
36
  csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
28
37
  expect(csp.value).not_to include("'none'")
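Review bot: The new example `uses a safe but non-breaking default value` asserts only the header string; since this release introduces a `Kernel.warn` on the semicolon path, it should also pin that a clean source list does not warn, e.g. `expect(Kernel).not_to receive(:warn)` before the `expect(ContentSecurityPolicy.new.value)` line, so a regression that warns unconditionally is caught. The second example matches the full warning sentence verbatim, which couples the spec to wording; matching with `a_string_including("contains a ;")` would still prove the deprecation fires while tolerating copy edits. A third case covering a value whose only content is semicolons (so the directive collapses to nothing after the `gsub` and `strip`) would document the intended output for that boundary, which the current examples leave unstated. The `describe "#value"` block continues outside the hunk.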
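--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-version: 3.7.4
+version: 3.8.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-01-14 00:00:00.000000000 Z
+date: 2020-01-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -127,8 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.5.2
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: Add easily configured security headers to responses including content-security-policy,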