secure_headers 7.2.0 → 7.3.0
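--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a859861ca3a93245cbfa9c421b209c44800ff3b5bd92c26591bdd99dde7efd30
+data.tar.gz: 8576b10d0855d453cf42ba9335cbe8deeb8f82258b04ada1c2f2ab01a04ae373
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 95d65823683591d7c3a4c26bc99b6849f16b4caecbd9c5c1fd73ffe22e75311cf2124d6ce1fd25670dd4c11120ce01dbb46cd003c15387f3bfebfe4592c3542f
+data.tar.gz: ef35df794270845ab6807c50a9e37e1832c3e4e5293098038f2caf6b3635aae024a907df99ff9e5e4e0580fb7a7995d0d63f6d9b9e0452aca22f024b7be297e9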
@@ -87,7 +87,7 @@ module SecureHeaders
|
|
|
87
87
|
elsif sandbox_list && sandbox_list.any?
|
|
88
88
|
[
|
|
89
89
|
symbol_to_hyphen_case(directive),
|
|
90
|
-
sandbox_list.uniq
|
|
90
|
+
scrub_directive_value(directive, sandbox_list.uniq.join(" "))
|
|
91
91
|
].join(" ")
|
|
92
92
|
end
|
|
93
93
|
end
|
|
@@ -97,7 +97,7 @@ module SecureHeaders
|
|
|
97
97
|
if media_type_list && media_type_list.any?
|
|
98
98
|
[
|
|
99
99
|
symbol_to_hyphen_case(directive),
|
|
100
|
-
media_type_list.uniq
|
|
100
|
+
scrub_directive_value(directive, media_type_list.uniq.join(" "))
|
|
101
101
|
].join(" ")
|
|
102
102
|
end
|
|
103
103
|
end
|
|
@@ -105,7 +105,29 @@ module SecureHeaders
|
|
|
105
105
|
def build_report_to_directive(directive)
|
|
106
106
|
return unless endpoint_name = @config.directive_value(directive)
|
|
107
107
|
if endpoint_name && endpoint_name.is_a?(String) && !endpoint_name.empty?
|
|
108
|
-
[symbol_to_hyphen_case(directive), endpoint_name].join(" ")
|
|
108
|
+
[symbol_to_hyphen_case(directive), scrub_directive_value(directive, endpoint_name)].join(" ")
|
|
109
|
+
end
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
# Bytes that would let a caller-controlled value break out of its
|
|
113
|
+
# directive and inject sibling CSP directives. CR/LF are included
|
|
114
|
+
# so naive downstreams that split on bare \r can't be used to
|
|
115
|
+
# smuggle directives either.
|
|
116
|
+
DIRECTIVE_INJECTION_REGEX = /[\n\r;]/.freeze
|
|
117
|
+
|
|
118
|
+
# Private: scrubs caller-controlled bytes that would let a value
|
|
119
|
+
# break out of its CSP directive (CR, LF, semicolon). Shared across
|
|
120
|
+
# every directive builder so sandbox / plugin-types / report-to /
|
|
121
|
+
# source-list all reject the same byte set with the same warn UX.
|
|
122
|
+
# Emits a single Kernel.warn per directive even when multiple
|
|
123
|
+
# offending bytes are present.
|
|
124
|
+
def scrub_directive_value(directive, value)
|
|
125
|
+
str = value.to_s
|
|
126
|
+
if str =~ DIRECTIVE_INJECTION_REGEX
|
|
127
|
+
Kernel.warn("#{directive} contains a #{$~[0].inspect} in #{str.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
|
|
128
|
+
str.gsub(DIRECTIVE_INJECTION_REGEX, " ")
|
|
129
|
+
else
|
|
130
|
+
str
|
|
109
131
|
end
|
|
110
132
|
end
|
|
111
133
|
|
|
@@ -118,12 +140,7 @@ module SecureHeaders
|
|
|
118
140
|
source_list = @config.directive_value(directive)
|
|
119
141
|
if source_list != OPT_OUT && source_list && source_list.any?
|
|
120
142
|
minified_source_list = minify_source_list(directive, source_list).join(" ")
|
|
121
|
-
|
|
122
|
-
if minified_source_list =~ /(\n|;)/
|
|
123
|
-
Kernel.warn("#{directive} contains a #{$1} in #{minified_source_list.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
|
|
124
|
-
end
|
|
125
|
-
|
|
126
|
-
escaped_source_list = minified_source_list.gsub(/[\n;]/, " ")
|
|
143
|
+
escaped_source_list = scrub_directive_value(directive, minified_source_list)
|
|
127
144
|
[symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
|
|
128
145
|
end
|
|
129
146
|
end
|
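Review bot: `DIRECTIVE_INJECTION_REGEX` in the third hunk strips CR, LF and `;`, but not `,`, and the CSP header grammar uses the comma to separate serialized policies inside a single header value — a caller-controlled value such as `foo, report-uri https://collector.example` would therefore end the current policy and start a second one instead of being confined to its directive. An injected second policy cannot loosen the first (every policy in the list is enforced), but it can attach a `report-uri`/`report-to` or other directives the application never configured, which is the same class of break-out the commit is closing. Unless some directive legitimately carries a comma (a `report-uri` URL with one in its query string is the only case I can see), widening the set to `DIRECTIVE_INJECTION_REGEX = /[\n\r;,]/.freeze` closes this with the same warn-and-replace UX; if commas must stay allowed, the comment above the constant should say so explicitly so the omission is not read as an oversight. Separately, `$~[0]` in the warning reads more clearly as `Regexp.last_match(0)`, and the double scan (`=~` then `gsub`) could be one `str.gsub(DIRECTIVE_INJECTION_REGEX) { |bad| ...warn once...; " " }` — both style only. The enclosing class and any `private` marker that would cover `scrub_directive_value` lie outside the hunk, so I cannot confirm the "Private:" comment matches the method's actual visibility.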