secure_headers 6.3.0 → 6.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce02dddd749c70448cb50004e8ee21cfd5676283c5c119c595efe882985c9d63
-  data.tar.gz: 59f44239dc9f07aa93280c7455ca6561f96cba05834cdf43f3b2cda37ca2d70d
+  metadata.gz: 7b136a1c21b128826c37c798c9e20db99b1d5a5c035001ed8289692ed8f0096f
+  data.tar.gz: d93c60ba6357a9cd8f64c16b53c9f2843753101e1669fb1bbaea56e549d89466
 SHA512:
-  metadata.gz: b3d764be6a8dd9715feed0efd02216567d5c75c87a4a7016de6d43fe2e907a20425ea2708ea6384b3fe8e2c47b5a91d964febb0ea227ba3d257f821eb766b2ff
-  data.tar.gz: f157d965478100e2eebbd3c875e94d2e6c8b66631fa2cbc06bb5316815b5c33234a15a0956087902f39f74b9d38a6f834cae76b338e8c8355bca21261914973c
+  metadata.gz: 13083c3da3a4f68d445be6012a1fa6e37c052e6ac6bdc457d379d725383142c8698f91c2d1a6fc75f13bfad52298e291131e9828bb6f6a1fc6b8cba9bc3d5892
+  data.tar.gz: 92214a6b589ba640e504e58f07b051351a7eea7bce87701730101a68a29045fe81c90d79600f00a36ee7bf3e4c5c7c4071ad74b01bab5e40c53751858bc198d7

data/.github/workflows/build.yml

@@ -0,0 +1,24 @@
+name: Build + Test
+on: [pull_request]
+
+jobs:
+  build:
+    name: Build + Test
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby: [ '2.4', '2.5', '2.6', '2.7' ]
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby ${{ matrix.ruby }}
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Build and test with Rake
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3 --without guard
+        bundle exec rspec spec
+        bundle exec rubocop
+

data/.github/workflows/sync.yml

@@ -0,0 +1,20 @@
+# This workflow ensures the "master" branch is always up-to-date with the
+# "main" branch (our default one)
+name: sync_main_branch
+on:
+  push:
+    branches: [ main ]
+jobs:
+  catch_up:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v2
+        with:
+         fetch-depth: 0
+      - name: Merge development into master, then push it
+        run: |
+          git pull
+          git checkout master
+          git merge main
+          git push

data/.rubocop.yml

@@ -1,3 +1,4 @@
 inherit_gem:
   rubocop-github:
     - config/default.yml
+require: rubocop-performance

data/.ruby-version

@@ -1 +1 @@
-2.6.5
+2.6.6

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 6.3.1
+
+Fixes deprecation warnings when running under ruby 2.7
+
 ## 6.3.0
 
 Fixes newline injection issue
@@ -372,7 +376,7 @@ Adds `upgrade-insecure-requests` support for requests from Firefox and Chrome (a
 
 ## 3.0.0
 
-secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/master/docs/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
+secure_headers 3.0.0 is a near-complete, not-entirely-backward-compatible rewrite. Please see the [upgrade guide](https://github.com/twitter/secureheaders/blob/main/docs/upgrading-to-3-0.md) for an in-depth explanation of the changes and the suggested upgrade path.
 
 ## 2.5.1 - 2016-02-16 18:11:11 UTC - Remove noisy deprecation warning
 

data/Gemfile

@@ -11,6 +11,7 @@ group :test do
   gem "rspec"
   gem "rubocop", "< 0.68"
   gem "rubocop-github"
+  gem "rubocop-performance"
   gem "term-ansicolor"
   gem "tins"
 end

data/README.md

@@ -1,6 +1,6 @@
-# Secure Headers [![Build Status](https://travis-ci.org/twitter/secure_headers.svg?branch=master)](http://travis-ci.org/twitter/secure_headers) [![Code Climate](https://codeclimate.com/github/twitter/secureheaders.svg)](https://codeclimate.com/github/twitter/secureheaders) [![Coverage Status](https://coveralls.io/repos/twitter/secureheaders/badge.svg)](https://coveralls.io/r/twitter/secureheaders)
+# Secure Headers ![Build + Test](https://github.com/github/secure_headers/workflows/Build%20+%20Test/badge.svg?branch=main)
 
-**master represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
+**main branch represents 6.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), or [upgrading to 6.x doc](docs/upgrading-to-6-0.md) for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.
 
 The gem will automatically apply several headers that are related to security.  This includes:
 - Content Security Policy (CSP) - Helps detect/prevent XSS, mixed-content, and other classes of attack.  [CSP 2 Specification](http://www.w3.org/TR/CSP2/)
@@ -117,7 +117,48 @@ SecureHeaders::Configuration.override(:api) do |config|
 end
 ```
 
-However, I would consider these headers anyways depending on your load and bandwidth requirements. 
+However, I would consider these headers anyways depending on your load and bandwidth requirements.
+
+## Acknowledgements
+
+This project originated within the Security team at Twitter. An archived fork from the point of transition is here: https://github.com/twitter-archive/secure_headers.
+
+Contributors include:
+* Neil Matatall @oreoshake
+* Chris Aniszczyk
+* Artur Dryomov
+* Bjørn Mæland
+* Arthur Chiu
+* Jonathan Viney
+* Jeffrey Horn
+* David Collazo
+* Brendon Murphy
+* William Makley
+* Reed Loden
+* Noah Kantrowitz
+* Wyatt Anderson
+* Salimane Adjao Moustapha
+* Francois Chagnon
+* Jeff Hodges
+* Ian Melven
+* Darío Javier Cravero
+* Logan Hasson
+* Raul E Rangel
+* Steve Agalloco
+* Nate Collings
+* Josh Kalderimis
+* Alex Kwiatkowski
+* Julich Mera
+* Jesse Storimer
+* Tom Daniels
+* Kolja Dummann
+* Jean-Philippe Doyle
+* Blake Hitchcock
+* vanderhoorn
+* orthographic-pedant
+* Narsimham Chelluri
+
+If you've made a contribution and see your name missing from the list, make a PR and add it!
 
 ## Similar libraries
 

data/docs/named_overrides_and_appends.md

@@ -1,6 +1,6 @@
 ## Named Appends
 
-Named Appends are blocks of code that can be reused and composed during requests. e.g. If a certain partial is rendered conditionally, and the csp needs to be adjusted for that partial, you can create a named append for that situation. The value returned by the block will be passed into `append_content_security_policy_directives`. The current request object is passed as an argument to the block for even more flexibility.
+Named Appends are blocks of code that can be reused and composed during requests. e.g. If a certain partial is rendered conditionally, and the csp needs to be adjusted for that partial, you can create a named append for that situation. The value returned by the block will be passed into `append_content_security_policy_directives`. The current request object is passed as an argument to the block for even more flexibility. Reusing a configuration name is not allowed and will throw an exception.
 
 ```ruby
 def show
@@ -91,6 +91,8 @@ class MyController < ApplicationController
 end
 ```
 
+Reusing a configuration name is not allowed and will throw an exception.
+
 By default, a no-op configuration is provided. No headers will be set when this default override is used.
 
 ```ruby

data/lib/secure_headers/configuration.rb

@@ -43,6 +43,9 @@ module SecureHeaders
       def override(name, &block)
         @overrides ||= {}
         raise "Provide a configuration block" unless block_given?
+        if named_append_or_override_exists?(name)
+          raise AlreadyConfiguredError, "Configuration already exists"
+        end
         @overrides[name] = block
       end
 
@@ -59,6 +62,9 @@ module SecureHeaders
       def named_append(name, &block)
         @appends ||= {}
         raise "Provide a configuration block" unless block_given?
+        if named_append_or_override_exists?(name)
+          raise AlreadyConfiguredError, "Configuration already exists"
+        end
         @appends[name] = block
       end
 
@@ -68,6 +74,11 @@ module SecureHeaders
 
       private
 
+      def named_append_or_override_exists?(name)
+        (defined?(@appends) && @appends.key?(name)) ||
+          (defined?(@overrides) && @overrides.key?(name))
+      end
+
       # Public: perform a basic deep dup. The shallow copy provided by dup/clone
       # can lead to modifying parent objects.
       def deep_copy(config)

data/lib/secure_headers/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SecureHeaders
-  VERSION = "6.3.0"
+  VERSION = "6.3.1"
 end

data/lib/secure_headers/view_helper.rb

@@ -21,7 +21,7 @@ module SecureHeaders
     def nonced_stylesheet_link_tag(*args, &block)
       opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
 
-      stylesheet_link_tag(*args, opts, &block)
+      stylesheet_link_tag(*args, **opts, &block)
     end
 
     # Public: create a script tag using the content security policy nonce.
@@ -39,7 +39,7 @@ module SecureHeaders
     def nonced_javascript_include_tag(*args, &block)
       opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
 
-      javascript_include_tag(*args, opts, &block)
+      javascript_include_tag(*args, **opts, &block)
     end
 
     # Public: create a script Webpacker pack tag using the content security policy nonce.
@@ -49,7 +49,7 @@ module SecureHeaders
     def nonced_javascript_pack_tag(*args, &block)
       opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
 
-      javascript_pack_tag(*args, opts, &block)
+      javascript_pack_tag(*args, **opts, &block)
     end
 
     # Public: create a stylesheet Webpacker link tag using the content security policy nonce.
@@ -59,7 +59,7 @@ module SecureHeaders
     def nonced_stylesheet_pack_tag(*args, &block)
       opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
 
-      stylesheet_pack_tag(*args, opts, &block)
+      stylesheet_pack_tag(*args, **opts, &block)
     end
 
     # Public: use the content security policy nonce for this request directly.

data/spec/lib/secure_headers/configuration_spec.rb

@@ -34,6 +34,60 @@ module SecureHeaders
       expect(Configuration.overrides(:test_override)).to_not be_nil
     end
 
+    describe "#override" do
+      it "raises on configuring an existing override" do
+        set_override = Proc.new {
+          Configuration.override(:test_override) do |config|
+            config.x_frame_options = "DENY"
+          end
+        }
+
+        set_override.call
+
+        expect { set_override.call }
+          .to raise_error(Configuration::AlreadyConfiguredError, "Configuration already exists")
+      end
+
+      it "raises when a named append with the given name exists" do
+        Configuration.named_append(:test_override) do |config|
+          config.x_frame_options = "DENY"
+        end
+
+        expect do
+          Configuration.override(:test_override) do |config|
+            config.x_frame_options = "SAMEORIGIN"
+          end
+        end.to raise_error(Configuration::AlreadyConfiguredError, "Configuration already exists")
+      end
+    end
+
+    describe "#named_append" do
+      it "raises on configuring an existing append" do
+        set_override = Proc.new {
+          Configuration.named_append(:test_override) do |config|
+            config.x_frame_options = "DENY"
+          end
+        }
+
+        set_override.call
+
+        expect { set_override.call }
+          .to raise_error(Configuration::AlreadyConfiguredError, "Configuration already exists")
+      end
+
+      it "raises when an override with the given name exists" do
+        Configuration.override(:test_override) do |config|
+          config.x_frame_options = "DENY"
+        end
+
+        expect do
+          Configuration.named_append(:test_override) do |config|
+            config.x_frame_options = "SAMEORIGIN"
+          end
+        end.to raise_error(Configuration::AlreadyConfiguredError, "Configuration already exists")
+      end
+    end
+
     it "deprecates the secure_cookies configuration" do
       expect {
         Configuration.default do |config|

data/spec/spec_helper.rb

@@ -45,10 +45,20 @@ module SecureHeaders
       def clear_default_config
         remove_instance_variable(:@default_config) if defined?(@default_config)
       end
+
+      def clear_overrides
+        remove_instance_variable(:@overrides) if defined?(@overrides)
+      end
+
+      def clear_appends
+        remove_instance_variable(:@appends) if defined?(@appends)
+      end
     end
   end
 end
 
 def reset_config
   SecureHeaders::Configuration.clear_default_config
+  SecureHeaders::Configuration.clear_overrides
+  SecureHeaders::Configuration.clear_appends
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_headers
 version: !ruby/object:Gem::Version
-  version: 6.3.0
+  version: 6.3.1
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-21 00:00:00.000000000 Z
+date: 2020-06-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -33,12 +33,13 @@ extra_rdoc_files: []
 files:
 - ".github/ISSUE_TEMPLATE.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
+- ".github/workflows/build.yml"
+- ".github/workflows/sync.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
 - ".ruby-gemset"
 - ".ruby-version"
-- ".travis.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md

data/.travis.yml

@@ -1,28 +0,0 @@
-language: ruby
-
-rvm:
-  - ruby-head
-  - 2.5
-  - 2.6
-  - 2.7
-  - jruby-head
-
-env:
-  - SUITE=rspec spec
-  - SUITE=rubocop
-
-script: bundle exec $SUITE
-
-matrix:
-  allow_failures:
-    - rvm: jruby-head
-    - rvm: ruby-head
-
-before_install:
-  - gem update --system
-  - gem --version
-  - gem update bundler
-bundler_args: --without guard -j 3
-
-sudo: false
-cache: bundler