secure_headers 6.4.0 → 6.5.0

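--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: e5372953d5180d45526a777c1b66e7e86a8ccfca08f6b7b613549d8ba1509a6e
- data.tar.gz: 0d1cc3b012df7b1cfd549bcf09063a390945b05c03009acda31017f859ff7d2d
+ metadata.gz: bafd5e6390db0f1975599ab34f1293986a5c0a1ced14f6cfeca47fd114ce87d4
+ data.tar.gz: 177dc27fa8238fe1a8baa238f6baa244b2c03393f61269e9b417e5ea3a4a4bba
  SHA512:
- metadata.gz: 35844f24ecb678a83548492545403bc174a6d0ce74896f7817d93cb30f62d97b415ea876dccd3efbed7cad3e5dd5c9cda4f676f7dc2c858b2f2010f2c33a0f73
- data.tar.gz: 196a212de355c06a2a3fee6c22302fb1bfd7471dba402124adc7072f90dbd0c4a5b3ee8fa7604d0b164479717bfb65050d3b4802948410b61aba3382d5c8eb39
+ metadata.gz: 7a24f853958892e2780dec3cfd8f631d394c959cda6d3f8be5d701792fc1ce57d4141ca88e7b0980fcac979cc855a0c5bc9165a05b314fe281ce092a438f1fe1
+ data.tar.gz: c082a3ee192452712f8e9c7ed18d5c21b5b3eb1712c3d9a4df44220093cf1be09a8e5384f5c8a8909820f1e0048c6d3b6915cc29081288bcf13361bf8cf7dbed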
@@ -1,5 +1,5 @@
1
1
  name: Build + Test
2
- on: [pull_request]
2
+ on: [pull_request, push]
3
3
 
4
4
  jobs:
5
5
  build:
@@ -7,7 +7,7 @@ jobs:
7
7
  runs-on: ubuntu-latest
8
8
  strategy:
9
9
  matrix:
10
- ruby: [ '2.5', '2.6', '2.7', '3.0', '3.1' ]
10
+ ruby: [ '2.6', '2.7', '3.0', '3.1' ]
11
11
 
12
12
  steps:
13
13
  - uses: actions/checkout@v2
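Review bot: Dropping Ruby 2.5 from the matrix (`ruby: [ '2.6', '2.7', '3.0', '3.1' ]`) together with the `.ruby-version` bump to 3.1.1 is not recorded in the 6.5.0 CHANGELOG entry, so users still on 2.5 get no signal that the gem is no longer tested there; a line such as `- Drop Ruby 2.5 from the CI matrix.` in the changelog would cover it. With `on: [pull_request, push]` a push to a branch that also has an open pull request runs the workflow twice; if that is unintended, the push trigger can be narrowed with a `branches:` filter (the default branch name is not visible here). The unchanged context line `uses: actions/checkout@v2` pins the action by a mutable tag; pinning to a full commit SHA is the usual supply-chain hardening for workflows, though that line is outside this change.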
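--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -1 +1 @@
- 2.6.6
+ 3.1.1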
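--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+ ## 6.5.0
+
+ - CSP: Remove source expression deduplication. (@lgarron) https://github.com/github/secure_headers/pull/499
+
  ## 6.4.0
 
  - CSP: Add support for trusted-types, require-trusted-types-for directive (@JackMc): https://github.com/github/secure_headers/pull/486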
@@ -133,7 +133,7 @@ module SecureHeaders
133
133
  unless directive == REPORT_URI || @preserve_schemes
134
134
  source_list = strip_source_schemes(source_list)
135
135
  end
136
- dedup_source_list(source_list)
136
+ source_list.uniq
137
137
  end
138
138
  end
139
139
 
@@ -151,24 +151,6 @@ module SecureHeaders
151
151
  end
152
152
  end
153
153
 
154
- # Removes duplicates and sources that already match an existing wild card.
155
- #
156
- # e.g. *.github.com asdf.github.com becomes *.github.com
157
- def dedup_source_list(sources)
158
- sources = sources.uniq
159
- wild_sources = sources.select { |source| source =~ STAR_REGEXP }
160
-
161
- if wild_sources.any?
162
- schemes = sources.map { |source| [source, URI(source).scheme] }.to_h
163
- sources.reject do |source|
164
- !wild_sources.include?(source) &&
165
- wild_sources.any? { |pattern| schemes[pattern] == schemes[source] && File.fnmatch(pattern, source) }
166
- end
167
- else
168
- sources
169
- end
170
- end
171
-
172
154
  # Private: append a nonce to the script/style directories if script_nonce
173
155
  # or style_nonce are provided.
174
156
  def populate_nonces(directive, source_list)
@@ -189,7 +189,7 @@ module SecureHeaders
189
189
  ].freeze
190
190
 
191
191
  REQUIRE_SRI_FOR_VALUES = Set.new(%w(script style))
192
- REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w(script))
192
+ REQUIRE_TRUSTED_TYPES_FOR_VALUES = Set.new(%w('script'))
193
193
 
194
194
  module ClassMethods
195
195
  # Public: generate a header name, value array that is user-agent-aware.
@@ -393,7 +393,7 @@ module SecureHeaders
393
393
 
394
394
  # Private: validates that a require trusted types for expression:
395
395
  # 1. is an array of strings
396
- # 2. is a subset of ["script"]
396
+ # 2. is a subset of ["'script'"]
397
397
  def validate_require_trusted_types_for_source_expression!(directive, require_trusted_types_for_expression)
398
398
  ensure_array_of_strings!(directive, require_trusted_types_for_expression)
399
399
  unless require_trusted_types_for_expression.to_set.subset?(REQUIRE_TRUSTED_TYPES_FOR_VALUES)
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SecureHeaders
4
- VERSION = "6.4.0"
4
+ VERSION = "6.5.0"
5
5
  end
@@ -9,12 +9,12 @@ Gem::Specification.new do |gem|
9
9
  gem.version = SecureHeaders::VERSION
10
10
  gem.authors = ["Neil Matatall"]
11
11
  gem.email = ["neil.matatall@gmail.com"]
12
- gem.description = "Manages application of security headers with many safe defaults."
13
- gem.summary = 'Add easily configured security headers to responses
12
+ gem.summary = "Manages application of security headers with many safe defaults."
13
+ gem.description = 'Add easily configured security headers to responses
14
14
  including content-security-policy, x-frame-options,
15
15
  strict-transport-security, etc.'
16
16
  gem.homepage = "https://github.com/twitter/secureheaders"
17
- gem.license = "Apache Public License 2.0"
17
+ gem.license = "MIT"
18
18
  gem.files = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
19
19
  gem.executables = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
20
20
  gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
@@ -48,12 +48,12 @@ module SecureHeaders
48
48
  expect(csp.value).to eq("default-src * 'unsafe-inline' 'unsafe-eval' data: blob:")
49
49
  end
50
50
 
51
- it "minifies source expressions based on overlapping wildcards" do
51
+ it "does not minify source expressions based on overlapping wildcards" do
52
52
  config = {
53
53
  default_src: %w(a.example.org b.example.org *.example.org https://*.example.org)
54
54
  }
55
55
  csp = ContentSecurityPolicy.new(config)
56
- expect(csp.value).to eq("default-src *.example.org")
56
+ expect(csp.value).to eq("default-src a.example.org b.example.org *.example.org")
57
57
  end
58
58
 
59
59
  it "removes http/s schemes from hosts" do
@@ -101,8 +101,13 @@ module SecureHeaders
101
101
  expect(csp.value).to eq("default-src example.org; block-all-mixed-content")
102
102
  end
103
103
 
104
- it "deduplicates any source expressions" do
105
- csp = ContentSecurityPolicy.new(default_src: %w(example.org example.org example.org))
104
+ it "handles wildcard subdomain with wildcard port" do
105
+ csp = ContentSecurityPolicy.new(default_src: %w(https://*.example.org:*))
106
+ expect(csp.value).to eq("default-src *.example.org:*")
107
+ end
108
+
109
+ it "deduplicates source expressions that match exactly (after scheme stripping)" do
110
+ csp = ContentSecurityPolicy.new(default_src: %w(example.org https://example.org example.org))
106
111
  expect(csp.value).to eq("default-src example.org")
107
112
  end
108
113
 
@@ -197,8 +202,8 @@ module SecureHeaders
197
202
  end
198
203
 
199
204
  it "supports trusted-types directive with 'none'" do
200
- csp = ContentSecurityPolicy.new({trusted_types: %w(none)})
201
- expect(csp.value).to eq("trusted-types none")
205
+ csp = ContentSecurityPolicy.new({trusted_types: %w('none')})
206
+ expect(csp.value).to eq("trusted-types 'none'")
202
207
  end
203
208
 
204
209
  it "allows duplicate policy names in trusted-types directive" do
@@ -45,7 +45,7 @@ module SecureHeaders
45
45
  plugin_types: %w(application/x-shockwave-flash),
46
46
  prefetch_src: %w(fetch.com),
47
47
  require_sri_for: %w(script style),
48
- require_trusted_types_for: %w(script),
48
+ require_trusted_types_for: %w('script'),
49
49
  script_src: %w('self'),
50
50
  style_src: %w('unsafe-inline'),
51
51
  upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
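--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: secure_headers
  version: !ruby/object:Gem::Version
- version: 6.4.0
+ version: 6.5.0
  platform: ruby
  authors:
  - Neil Matatall
- autorequire:
+ autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-08-02 00:00:00.000000000 Z
+ date: 2022-10-25 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake
@@ -24,7 +24,10 @@ dependencies:
  - - ">="
  - !ruby/object:Gem::Version
  version: '0'
- description: Manages application of security headers with many safe defaults.
+ description: |-
+ Add easily configured security headers to responses
+ including content-security-policy, x-frame-options,
+ strict-transport-security, etc.
  email:
  - neil.matatall@gmail.com
  executables: []
@@ -99,9 +102,9 @@ files:
  - spec/spec_helper.rb
  homepage: https://github.com/twitter/secureheaders
  licenses:
- - Apache Public License 2.0
+ - MIT
  metadata: {}
- post_install_message:
+ post_install_message:
  rdoc_options: []
  require_paths:
  - lib
@@ -116,11 +119,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.2.9
- signing_key:
+ rubygems_version: 3.3.7
+ signing_key:
  specification_version: 4
- summary: Add easily configured security headers to responses including content-security-policy,
- x-frame-options, strict-transport-security, etc.
+ summary: Manages application of security headers with many safe defaults.
  test_files:
  - spec/lib/secure_headers/configuration_spec.rb
  - spec/lib/secure_headers/headers/clear_site_data_spec.rb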