RubyGems - secure_headers - Versions diffs - 6.2.0 → 6.3.0 - Mend

secure_headers 6.2.0 → 6.3.0

Files changed (6) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6aed18c8a69d4ddb01e664faca9c6db1e4b4cb6fa26203b9f3c1f20ace3001bb
-  data.tar.gz: 1a347b7ffa5efd650131b9d9bacff110ba6b08b3cb9dc5a93b6c70de6f1d3359
+  metadata.gz: ce02dddd749c70448cb50004e8ee21cfd5676283c5c119c595efe882985c9d63
+  data.tar.gz: 59f44239dc9f07aa93280c7455ca6561f96cba05834cdf43f3b2cda37ca2d70d
 SHA512:
-  metadata.gz: a0ff8c0e7b81d8a1b543d54ff7cd4b4186521276242cff4614839f6d4abcf9313c66f0b935358d3f0f283052111000c84dbc7da40374563f9b82df8b39281d3a
-  data.tar.gz: d22831fc277d3ecbd7d9923d8ff3ad724c0fcdab88b75389edaaa2ec8c4b0653908ef756c2fc642d8328643dca6e0417769e2b323066bb357a1230c33c17df97
+  metadata.gz: b3d764be6a8dd9715feed0efd02216567d5c75c87a4a7016de6d43fe2e907a20425ea2708ea6384b3fe8e2c47b5a91d964febb0ea227ba3d257f821eb766b2ff
+  data.tar.gz: f157d965478100e2eebbd3c875e94d2e6c8b66631fa2cbc06bb5316815b5c33234a15a0956087902f39f74b9d38a6f834cae76b338e8c8355bca21261914973c

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## 6.3.0
+Fixes newline injection issue
 ## 6.2.0
 Fixes semicolon injection issue reported by @mvgijssel see https://github.com/twitter/secure_headers/issues/418

@@ -106,11 +106,11 @@ module SecureHeaders
       if source_list != OPT_OUT && source_list && source_list.any?
         minified_source_list = minify_source_list(directive, source_list).join(" ")
-        if minified_source_list.include?(";")
-          Kernel.warn("#{directive} contains a ; in '#{minified_source_list}' which will raise an error in future versions. It has been replaced with a blank space.")
+        if minified_source_list =~ /(\n|;)/
+          Kernel.warn("#{directive} contains a #{$1} in #{minified_source_list.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
         end
-        escaped_source_list = minified_source_list.gsub(";", " ")
+        escaped_source_list = minified_source_list.gsub(/[\n;]/, " ")
         [symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
       end
     end

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module SecureHeaders
-  VERSION = "6.2.0"
+  VERSION = "6.3.0"
 end

@@ -29,10 +29,15 @@ module SecureHeaders
       end
       it "deprecates and escapes semicolons in directive source lists" do
-        expect(Kernel).to receive(:warn).with("frame_ancestors contains a ; in 'google.com;script-src *;.;' which will raise an error in future versions. It has been replaced with a blank space.")
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a ; in "google.com;script-src *;.;" which will raise an error in future versions. It has been replaced with a blank space.))
         expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
       end
+      it "deprecates and escapes semicolons in directive source lists" do
+        expect(Kernel).to receive(:warn).with(%(frame_ancestors contains a \n in "\\nfoo.com\\nhacked" which will raise an error in future versions. It has been replaced with a blank space.))
+        expect(ContentSecurityPolicy.new(frame_ancestors: ["\nfoo.com\nhacked"]).value).to eq("frame-ancestors  foo.com hacked")
+      end
       it "discards 'none' values if any other source expressions are present" do
         csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
         expect(csp.value).not_to include("'none'")

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.2.0
+  version: 6.3.0
 platform: ruby
 authors:
 - Neil Matatall