RubyGems - secure_headers - Versions diffs - 6.0.0.alpha01 → 6.0.0.alpha02 - Mend

secure_headers 6.0.0.alpha01 → 6.0.0.alpha02

Potentially problematic release.

This version of secure_headers might be problematic. Click here for more details.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +2 -2
data/README.md +2 -2
data/docs/upgrading-to-6-0.md +4 -0
data/lib/secure_headers/view_helper.rb +9 -8
data/secure_headers.gemspec +1 -1
data/spec/lib/secure_headers/view_helpers_spec.rb +28 -0
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cd74fc8e9c9057255c1e6c75bc78554ec6751459
-  data.tar.gz: 2f72e782c0800b5bf124d841a0d556d321b1cb5f
+  metadata.gz: b9072ed41af027bbc9628b2e58751bf765c6af1a
+  data.tar.gz: e5344d4ea5226225629bd7449ebcba94c15a27d8
 SHA512:
-  metadata.gz: 53ff0d4849c3892fbf4e35270c011d9d6c8da3984958fdc17f9669b32f0d9d39542dc4411323fe93bbf21137f0c8cfe26565a5836548061414153a2abd2dd949
-  data.tar.gz: 7472a097ae0926655aace8f5f719a4306920b08e4a1b798a588034d51a1446f51f442deb7c3f298d23481d52f2aa1b210ffb40b629671f449f63b7570a7ec2b0
+  metadata.gz: 920786c9cc2df0f8dfc2bae3911fa2ca99207e4d61605e7c1c942d76d678b0e0f83240263694adc1d556057120f17e2b73bd96bf260465a4222c768ab124ef5c
+  data.tar.gz: cb185bf133a9ea8c7e1cd50b6ae1d718e1455402c5f165224f04cefadfb6028136129f2261cf47ae404bddd08c6bf7fa08420be5a1056eb2d00fb06fd3227b23

data/CHANGELOG.md CHANGED

@@ -1,10 +1,10 @@
 ## 6.0
 - See the [upgrading to 6.0](docs/upgrading-to-6-0.md) guide for the breaking changes.
-=======
 ## 5.0.5
-A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
+- A release to deprecate `SecureHeaders::Configuration#get` in prep for 6.x
 ## 5.0.4

data/README.md CHANGED

@@ -1,6 +1,6 @@
 # Secure Headers [![Build Status](https://travis-ci.org/twitter/secureheaders.svg?branch=master)](http://travis-ci.org/twitter/secureheaders) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
-**master represents 5.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md) and [upgrading to 5.x doc](docs/upgrading-to-5-0.md) for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.
+**master represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
 **The [3.x](https://github.com/twitter/secureheaders/tree/2.x) branch is moving into maintenance mode**. See the [upgrading to 3.x doc](docs/upgrading-to-3-0.md) for instructions on how to upgrade including the differences and benefits of using the 3.x branch.
@@ -77,7 +77,7 @@ SecureHeaders::Configuration.default do |config|
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
     # directive values: these values will directly translate into source directives
-    default_src: %w(https: 'self'),
+    default_src: %w('none'),
     base_uri: %w('self'),
     block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
     child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.

data/docs/upgrading-to-6-0.md CHANGED

@@ -35,6 +35,10 @@ These classes are typically not directly instantiated by users of SecureHeaders.
 This method is not typically directly called by users of SecureHeaders. Given that named overrides are no longer statically stored, fetching them no longer makes sense.
+## `content_security_policy_nonce` has been renamed
+While tag helpers such as `nonced_javascript_tag` and `nonced_style_tag`, the value for the nonce was available via `content_security_policy_nonce`. Rails 5.2 has implemented a method with the same name but clashes with the number of arguments. It has been renamed to`_content_security_policy_nonce` and will likely be removed in future versions.
 ## Configuration headers are no longer cached
 Prior to 6.0.0 SecureHeaders pre-built and cached the headers that corresponded to the default configuration. The same was also done for named overrides. However, now that named overrides are applied dynamically, those can no longer be cached. As a result, caching has been removed in the name of simplicity. Some micro-benchmarks indicate this shouldn't be a performance problem and will help to eliminate a class of bugs entirely.

data/lib/secure_headers/view_helper.rb CHANGED

@@ -19,7 +19,7 @@ module SecureHeaders
     #
     # Returns an html-safe link tag with the nonce attribute.
     def nonced_stylesheet_link_tag(*args, &block)
-      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
+      opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
       stylesheet_link_tag(*args, opts, &block)
     end
@@ -37,7 +37,7 @@ module SecureHeaders
     #
     # Returns an html-safe script tag with the nonce attribute.
     def nonced_javascript_include_tag(*args, &block)
-      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
+      opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
       javascript_include_tag(*args, opts, &block)
     end
@@ -47,7 +47,7 @@ module SecureHeaders
     #
     # Returns an html-safe script tag with the nonce attribute.
     def nonced_javascript_pack_tag(*args, &block)
-      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
+      opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
       javascript_pack_tag(*args, opts, &block)
     end
@@ -57,7 +57,7 @@ module SecureHeaders
     #
     # Returns an html-safe link tag with the nonce attribute.
     def nonced_stylesheet_pack_tag(*args, &block)
-      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
+      opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
       stylesheet_pack_tag(*args, opts, &block)
     end
@@ -66,7 +66,7 @@ module SecureHeaders
     # Instructs secure_headers to append a nonce to style/script-src directives.
     #
     # Returns a non-html-safe nonce value.
-    def content_security_policy_nonce(type)
+    def _content_security_policy_nonce(type)
       case type
       when :script
         SecureHeaders.content_security_policy_script_nonce(@_request)
@@ -74,13 +74,14 @@ module SecureHeaders
         SecureHeaders.content_security_policy_style_nonce(@_request)
       end
     end
+    alias_method :content_security_policy_nonce, :_content_security_policy_nonce
     def content_security_policy_script_nonce
-      content_security_policy_nonce(:script)
+      _content_security_policy_nonce(:script)
     end
     def content_security_policy_style_nonce
-      content_security_policy_nonce(:style)
+      _content_security_policy_nonce(:style)
     end
     ##
@@ -152,7 +153,7 @@ module SecureHeaders
       else
         content_or_options.html_safe # :'(
       end
-      content_tag type, content, options.merge(nonce: content_security_policy_nonce(type))
+      content_tag type, content, options.merge(nonce: _content_security_policy_nonce(type))
     end
     def extract_options(args)

data/secure_headers.gemspec CHANGED

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "6.0.0.alpha01"
+  gem.version       = "6.0.0.alpha02"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["neil.matatall@gmail.com"]
   gem.description   = "Manages application of security headers with many safe defaults."

data/spec/lib/secure_headers/view_helpers_spec.rb CHANGED

@@ -97,6 +97,12 @@ TEMPLATE
   end
 end
+class MessageWithConflictingMethod < Message
+  def content_security_policy_nonce
+    "rails-nonce"
+  end
+end
 module SecureHeaders
   describe ViewHelpers do
     let(:app) { lambda { |env| [200, env, "app"] } }
@@ -159,5 +165,27 @@ module SecureHeaders
         expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
       end
     end
+    it "avoids calling content_security_policy_nonce internally" do
+      begin
+        allow(SecureRandom).to receive(:base64).and_return("abc123")
+        expected_hash = "sha256-3/URElR9+3lvLIouavYD/vhoICSNKilh15CzI/nKqg8="
+        Configuration.instance_variable_set(:@script_hashes, filename => ["'#{expected_hash}'"])
+        expected_style_hash = "sha256-7oYK96jHg36D6BM042er4OfBnyUDTG3pH1L8Zso3aGc="
+        Configuration.instance_variable_set(:@style_hashes, filename => ["'#{expected_style_hash}'"])
+        # render erb that calls out to helpers.
+        MessageWithConflictingMethod.new(request).result
+        _, env = middleware.call request.env
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'#{Regexp.escape(expected_hash)}'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'nonce-abc123'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'nonce-abc123'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).not_to match(/rails-nonce/)
+      end
+    end
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.0.0.alpha01
+  version: 6.0.0.alpha02
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-02-13 00:00:00.000000000 Z
+date: 2018-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake