From 450c425d47cb4ff346c009bf6193057cee85fcc6 Mon Sep 17 00:00:00 2001
From: Eugen Kuksa
Date: Mon, 29 Feb 2016 22:01:06 +0100
Subject: [PATCH 1/4] Update gem: secure_headers to 3.0.2.

This version uses a Rack middleware to add the headers. As a consecience, we cannot test in rspec whether or not the headers are set. `curl -I http://localhost:3000` can be used to check the headers manually.
---
 Gemfile | 2 +-
 app/controllers/application_controller.rb | 1 -
 config/initializers/security_headers.rb | 3 +--
 spec/controllers/home_controller_spec.rb | 8 --------
 4 files changed, 2 insertions(+), 12 deletions(-)

diff --git a/Gemfile b/Gemfile
index c8e567346..91bfd8388 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,7 +2,7 @@ source 'https://rubygems.org'
 gem 'rails', '~> 3.2.22'
 gem 'rack-protection', '~> 1.5.3'
-gem 'secure_headers', '~> 2.5.1'
+gem 'secure_headers', '~> 3.0.3'
 gem 'rack-mini-profiler', require: false
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 76f5ff08c..fd7599b04 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -7,7 +7,6 @@ class ApplicationController < ActionController::Base
 end
 protect_from_forgery
- ensure_security_headers
 include Pagination
 include PathHelpers
diff --git a/config/initializers/security_headers.rb b/config/initializers/security_headers.rb
index 578333981..c9ba7299c 100644
--- a/config/initializers/security_headers.rb
+++ b/config/initializers/security_headers.rb
@@ -1,5 +1,5 @@
 ::SecureHeaders::Configuration.default do |config|
- config.hsts = 'max_age=99; include_subdomains=true'
+ config.hsts = 'max-age=99; includeSubdomains'
 config.x_frame_options = 'DENY'
 config.x_content_type_options = 'nosniff'
 config.x_xss_protection = '1; mode=block'
@@ -16,6 +16,5 @@
 media_src: %w('self'),
 object_src: %w('self'),
 child_src: %w('self'),
- disable_chrome_extension: true,
 }
 end
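Review bot: The rewritten `config.hsts = 'max-age=99; includeSubdomains'` in the security_headers.rb hunk keeps a 99-second max-age, so a browser discards the HSTS policy almost as soon as it receives it and gains essentially no protection against a later downgrade; RFC 6797 guidance and the preload list expect a max-age of months to a year or more, e.g. `config.hsts = 'max-age=31536000; includeSubdomains'` once every subdomain is confirmed to serve HTTPS. The directive name is matched case-insensitively, so `includeSubdomains` is accepted, though `includeSubDomains` is the spelling used in the RFC. User agents are also required to ignore Strict-Transport-Security received over plain HTTP, so the `curl -I http://localhost:3000` check suggested in the commit message does not exercise this header the way a browser would; verify it against an HTTPS endpoint instead. Separately, the subject line says 3.0.2 while the Gemfile hunk pins `'~> 3.0.3'`, which is worth reconciling in the message.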
diff --git a/spec/controllers/home_controller_spec.rb b/spec/controllers/home_controller_spec.rb index 637ac000b..a58ec46fb 100644 --- a/spec/controllers/home_controller_spec.rb +++ b/spec/controllers/home_controller_spec.rb @@ -1,18 +1,10 @@ require 'spec_helper' describe HomeController do - describe "show" do before { get :show } it { should respond_with :success } it { should render_template :show } - - describe 'csp headers' do - subject{ response.headers["Content-Security-Policy-Report-Only"] } - it{ should include "style-src 'self' 'unsafe-inline';" } - it{ should include "script-src 'self';" } - it{ should include "default-src 'self';" } - end end context 'on GET to index' do From ff957f8983cd287ee7171fb51d1831eba039bdf1 Mon Sep 17 00:00:00 2001 From: Eugen Kuksa Date: Mon, 29 Feb 2016 22:00:22 +0100 Subject: [PATCH 2/4] Bundle update. --- Gemfile.lock | 75 +++++++++++++++++++++++++++------------------------- 1 file changed, 39 insertions(+), 36 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index b43c5ddba..d116c576e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -84,9 +84,8 @@ GEM addressable (2.3.8) ansi (1.5.0) arel (3.0.3) - autoprefixer-rails (6.3.1) + autoprefixer-rails (6.3.3.1) execjs - json bcrypt (3.1.10) better_errors (2.1.1) coderay (>= 1.0.0) @@ -99,7 +98,7 @@ GEM sass (>= 3.3.0) bootstrap-select-rails (1.6.3) builder (3.0.4) - byebug (8.2.1) + byebug (8.2.2) cancan (1.6.10) capistrano (3.4.0) i18n @@ -108,7 +107,7 @@ GEM capistrano-bundler (1.1.4) capistrano (~> 3.1) sshkit (~> 1.2) - capistrano-rails (1.1.5) + capistrano-rails (1.1.6) capistrano (~> 3.1) capistrano-bundler (~> 1.1) capistrano-rvm (0.1.2) @@ -120,7 +119,7 @@ GEM rack (>= 1.0.0) rack-test (>= 0.5.4) xpath (~> 2.0) - celluloid (0.17.2) + celluloid (0.17.3) celluloid-essentials celluloid-extras celluloid-fsm 
@@ -133,7 +132,7 @@ GEM timers (>= 4.1.1) celluloid-fsm (0.20.5) timers (>= 4.1.1) - celluloid-io (0.17.2) + celluloid-io (0.17.3) celluloid (>= 0.17.2) nio4r (>= 1.1) timers (>= 4.1.1) @@ -144,7 +143,7 @@ GEM choice (0.2.0) chunky_png (1.3.5) cliver (0.3.2) - coderay (1.1.0) + coderay (1.1.1) coffee-rails (3.2.2) coffee-script (>= 2.2.0) railties (~> 3.2.0) @@ -167,19 +166,24 @@ GEM connection_pool (2.2.0) crack (0.4.3) safe_yaml (~> 1.0.0) - cucumber (1.3.20) + cucumber (2.3.2) builder (>= 2.1.2) + cucumber-core (~> 1.4.0) + cucumber-wire (~> 0.0.1) diff-lcs (>= 1.1.3) - gherkin (~> 2.12) + gherkin (~> 3.2.0) multi_json (>= 1.7.5, < 2.0) multi_test (>= 0.1.2) - cucumber-rails (1.4.2) + cucumber-core (1.4.0) + gherkin (~> 3.2.0) + cucumber-rails (1.4.3) capybara (>= 1.1.2, < 3) - cucumber (>= 1.3.8, < 2) - mime-types (>= 1.16, < 3) + cucumber (>= 1.3.8, < 3) + mime-types (>= 1.16, < 4) nokogiri (~> 1.5) - rails (>= 3, < 5) - d3_rails (3.5.11) + railties (>= 3, < 5) + cucumber-wire (0.0.1) + d3_rails (3.5.16) railties (>= 3.1.0) dagnabit (3.0.1) activerecord (>= 2.3.0) @@ -187,7 +191,7 @@ GEM rails (>= 3.0.0) database_cleaner (1.5.1) debug_inspector (0.0.2) - devise (3.5.5) + devise (3.5.6) bcrypt (~> 3.0) orm_adapter (~> 0.1) railties (>= 3.2.6, < 5) @@ -196,7 +200,7 @@ GEM warden (~> 1.2.3) diff-lcs (1.2.5) docile (1.1.5) - domain_name (0.5.25) + domain_name (0.5.20160216) unf (>= 0.0.5, < 1.0.0) dotenv (1.0.2) easy_translate (0.5.0) @@ -233,14 +237,14 @@ GEM sigar (~> 0.7.3) state_machine thor - facter (2.4.4) + facter (2.4.6) CFPropertyList (~> 2.2.6) factory_girl (4.5.0) activesupport (>= 3.0.0) factory_girl_rails (4.5.0) factory_girl (~> 4.5.0) railties (>= 3.0.0) - faker (1.6.1) + faker (1.6.3) i18n (~> 0.5) faraday (0.9.2) multipart-post (>= 1.2, < 3) @@ -250,8 +254,7 @@ GEM foreigner (1.7.4) activerecord (>= 3.0.0) formatador (0.2.5) - gherkin (2.12.2) - multi_json (~> 1.3) + gherkin (3.2.0) haml (4.0.7) tilt haml-rails (0.4) 
@@ -272,7 +275,7 @@ GEM has_scope (0.6.0) actionpack (>= 3.2, < 5) activesupport (>= 3.2, < 5) - hashdiff (0.2.3) + hashdiff (0.3.0) hashie (3.4.3) highline (1.7.8) hike (1.2.3) @@ -316,7 +319,7 @@ GEM jquery-ui-rails (5.0.5) railties (>= 3.2.16) json (1.8.3) - json-schema (2.6.0) + json-schema (2.6.1) addressable (~> 2.3.8) json-stream (0.2.1) kaminari (0.16.3) @@ -347,7 +350,7 @@ GEM net-ssh (>= 2.6.5) net-ssh (3.0.2) netrc (0.11.0) - nio4r (1.2.0) + nio4r (1.2.1) nokogiri (1.6.7.2) mini_portile2 (~> 2.0.0.rc2) options (2.3.2) @@ -371,7 +374,7 @@ GEM pry (~> 0.10) pry-rails (0.3.4) pry (>= 0.9.10) - puma (2.15.3) + puma (3.0.2) quiet_assets (1.1.0) railties (>= 3.1, < 5.0) rack (1.4.7) @@ -393,7 +396,7 @@ GEM activesupport (= 3.2.22.2) bundler (~> 1.0) railties (= 3.2.22.2) - rails-erd (1.4.5) + rails-erd (1.4.6) activerecord (>= 3.2) activesupport (>= 3.2) choice (~> 0.2.0) @@ -405,10 +408,10 @@ GEM rake (>= 0.8.7) rdoc (~> 3.4) thor (>= 0.14.6, < 2.0) - rainbow (2.0.0) + rainbow (2.1.0) rake (10.5.0) rb-fsevent (0.9.7) - rb-inotify (0.9.5) + rb-inotify (0.9.7) ffi (>= 0.5.0) rdf (1.99.1) link_header (~> 0.0, >= 0.0.8) @@ -444,7 +447,7 @@ GEM http-cookie (>= 1.0.2, < 2.0) mime-types (>= 1.16, < 3.0) netrc (~> 0.7) - rspec-activemodel-mocks (1.0.2) + rspec-activemodel-mocks (1.0.3) activemodel (>= 3.0) activesupport (>= 3.0) rspec-mocks (>= 2.99, < 4.0) @@ -477,8 +480,8 @@ GEM railties (~> 3.2.0) sass (>= 3.1.10) tilt (~> 1.3) - secure_headers (2.5.1) - user_agent_parser + secure_headers (3.0.3) + useragent shoulda (3.5.0) shoulda-context (~> 1.0, >= 1.0.1) shoulda-matchers (>= 1.4.1, < 3.0) @@ -500,7 +503,7 @@ GEM simple_form (2.1.3) actionpack (~> 3.0) activemodel (~> 3.0) - simplecov (0.11.1) + simplecov (0.11.2) docile (~> 1.1.0) json (~> 1.8) simplecov-html (~> 0.10.0) @@ -534,7 +537,7 @@ GEM tilt (1.4.1) timers (4.1.1) hitimes - tins (1.8.1) + tins (1.8.2) treetop (1.4.15) polyglot polyglot (>= 0.3.1) 
@@ -545,12 +548,12 @@ GEM underscore-rails (1.8.3) unf (0.1.4) unf_ext - unf_ext (0.0.7.1) - user_agent_parser (2.3.0) + unf_ext (0.0.7.2) + useragent (0.16.5) uuid (2.3.8) macaddr (~> 1.0) vcr (3.0.1) - warden (1.2.4) + warden (1.2.6) rack (>= 1.0) webmock (1.22.6) addressable (>= 2.3.6) @@ -641,7 +644,7 @@ DEPENDENCIES ruby-graphviz (~> 1.2.2) rugged (~> 0.23.2) sass-rails (~> 3.2.6) - secure_headers (~> 2.5.1) + secure_headers (~> 3.0.3) shoulda (~> 3.5.0) shoulda_routing_macros (~> 0.1.2) sidekiq (~> 3.5.3) From c2c26ed1d69fc639354ff5865b2ba2c1951ced41 Mon Sep 17 00:00:00 2001 From: Eugen Kuksa Date: Mon, 7 Mar 2016 09:44:11 +0100 Subject: [PATCH 3/4] Lock gem cucumber to 1.x. --- Gemfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 91bfd8388..107a8e4dd 100644 --- a/Gemfile +++ b/Gemfile @@ -145,7 +145,11 @@ group :test do gem 'poltergeist', '~> 1.8.0' gem 'launchy', '~> 2.4.3' - gem 'cucumber-rails', '~> 1.4', require: false + gem 'cucumber-rails', '~> 1.4.2', require: false + # Versions >= 2.0 are not supported by our formatter. + # This is a dependency of cucumber-rails. We need to limit the version to 1.x + gem 'cucumber', '~> 1.3', require: false + # Code Coverage Analysis gem 'simplecov', '~> 0.11.0', require: false From d8b8f27eb4fbc58fcac3489baec82360682ea502 Mon Sep 17 00:00:00 2001 From: Eugen Kuksa Date: Mon, 7 Mar 2016 09:44:16 +0100 Subject: [PATCH 4/4] Bundle update. --- Gemfile.lock | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index d116c576e..94793794b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -86,7 +86,7 @@ GEM arel (3.0.3) autoprefixer-rails (6.3.3.1) execjs - bcrypt (3.1.10) + bcrypt (3.1.11) better_errors (2.1.1) coderay (>= 1.0.0) erubis (>= 2.6.6) 
@@ -166,23 +166,18 @@ GEM connection_pool (2.2.0) crack (0.4.3) safe_yaml (~> 1.0.0) - cucumber (2.3.2) + cucumber (1.3.20) builder (>= 2.1.2) - cucumber-core (~> 1.4.0) - cucumber-wire (~> 0.0.1) diff-lcs (>= 1.1.3) - gherkin (~> 3.2.0) + gherkin (~> 2.12) multi_json (>= 1.7.5, < 2.0) multi_test (>= 0.1.2) - cucumber-core (1.4.0) - gherkin (~> 3.2.0) cucumber-rails (1.4.3) capybara (>= 1.1.2, < 3) cucumber (>= 1.3.8, < 3) mime-types (>= 1.16, < 4) nokogiri (~> 1.5) railties (>= 3, < 5) - cucumber-wire (0.0.1) d3_rails (3.5.16) railties (>= 3.1.0) dagnabit (3.0.1) @@ -254,7 +249,8 @@ GEM foreigner (1.7.4) activerecord (>= 3.0.0) formatador (0.2.5) - gherkin (3.2.0) + gherkin (2.12.2) + multi_json (~> 1.3) haml (4.0.7) tilt haml-rails (0.4) @@ -374,14 +370,14 @@ GEM pry (~> 0.10) pry-rails (0.3.4) pry (>= 0.9.10) - puma (3.0.2) + puma (3.1.0) quiet_assets (1.1.0) railties (>= 3.1, < 5.0) rack (1.4.7) rack-cache (1.6.1) rack (>= 0.4) - rack-mini-profiler (0.9.8) - rack (>= 1.1.3) + rack-mini-profiler (0.9.9.2) + rack (>= 1.2.0) rack-protection (1.5.3) rack rack-ssl (1.3.4) @@ -585,7 +581,8 @@ DEPENDENCIES codemirror-rails! coffee-rails (~> 3.2.2) compass (~> 1.0.3) - cucumber-rails (~> 1.4) + cucumber (~> 1.3) + cucumber-rails (~> 1.4.2) d3_rails (~> 3.5.6) dagnabit (~> 3.0.1) data_migrate (~> 1.2.0)