From 62fce26ec7d1476f2004b88d75588360f25383b0 Mon Sep 17 00:00:00 2001 From: Brian Anglin Date: Sun, 24 Sep 2017 15:11:01 -0700 Subject: [PATCH 1/7] First pass at CSP --- Gemfile | 7 ++++--- Gemfile.lock | 4 ++++ app/controllers/pages_controller.rb | 6 +++++- config/application.rb | 16 ++++++++++++++++ 4 files changed, 29 insertions(+), 4 deletions(-) diff --git a/Gemfile b/Gemfile index 4f6d0f858e..87fc09703f 100644 --- a/Gemfile +++ b/Gemfile @@ -57,9 +57,10 @@ gem "rails-i18n", "~> 5.0", ">= 5.0.1" gem "redis-namespace", "~> 1.5", ">= 1.5.3" gem "ruby-progressbar", "~> 1.8", ">= 1.8.1", require: false -gem "sass-rails", "~> 5.0", ">= 5.0.6" -gem "sidekiq", "~> 5.0", ">= 5.0.4" -gem "sprockets", "~> 3.7", ">= 3.7.1" +gem "sass-rails", "~> 5.0", ">= 5.0.6" +gem "secure_headers", "~> 4.0", ">= 4.0.0" +gem "sidekiq", "~> 5.0", ">= 5.0.4" +gem "sprockets", "~> 3.7", ">= 3.7.1" gem "turbolinks", github: "turbolinks/turbolinks-classic", ref: "37a7c296232d20a61bd1946f600da7f2009189db" gem "typhoeus", "~> 1.3" diff --git a/Gemfile.lock b/Gemfile.lock index ae8ac9eea7..4e3493e081 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -390,6 +390,8 @@ GEM scss_lint (0.54.0) rake (>= 0.9, < 13) sass (~> 3.4.20) + secure_headers (4.0.0) + useragent (>= 0.15.0) shellany (0.0.1) sidekiq (5.0.4) concurrent-ruby (~> 1.0) @@ -427,6 +429,7 @@ GEM execjs (>= 0.3.0, < 3) unicode-display_width (1.3.0) uniform_notifier (1.10.0) + useragent (0.16.8) vcr (3.0.3) web-console (3.5.1) actionview (>= 5.0) @@ -502,6 +505,7 @@ DEPENDENCIES ruby-progressbar (~> 1.8, >= 1.8.1) sass-rails (~> 5.0, >= 5.0.6) scss_lint (~> 0.54.0) + secure_headers (~> 4.0, >= 4.0.0) sidekiq (~> 5.0, >= 5.0.4) simplecov (~> 0.15.0) spring (~> 2.0, >= 2.0.2) diff --git a/app/controllers/pages_controller.rb b/app/controllers/pages_controller.rb index bc91189811..5a90540dc1 100644 --- a/app/controllers/pages_controller.rb +++ b/app/controllers/pages_controller.rb 
@@ -6,6 +6,10 @@ class PagesController < ApplicationController skip_before_action :authenticate_user! def home - redirect_to organizations_path if logged_in? + if logged_in? + redirect_to organizations_path + else + use_content_security_policy_named_append(:unauthed_video) + end end end diff --git a/config/application.rb b/config/application.rb index 2eb9abe623..035535d302 100644 --- a/config/application.rb +++ b/config/application.rb @@ -43,6 +43,22 @@ class Application < Rails::Application # Use SideKiq for background jobs config.active_job.queue_adapter = :sidekiq + # Setup Secure Headers with default values + SecureHeaders::Configuration.default do |config| + config.csp = { + default_src: %w(https: 'self'), + style_src: %w('self' 'unsafe-inline'), + script_src: %w('self'), + } + end + + SecureHeaders::Configuration.named_append(:unauthed_video) do |request| + { + script_src: %w(https://www.youtube.com https://s.ytimg.com), + child_src: %w(https://www.youtube.com/ https://s.ytimg.com) + } + end + # Health checks endpoint for monitoring if ENV["PINGLISH_ENABLED"] == "true" config.middleware.use Pinglish do |ping| From 91f32eebe48a5bc544b1536fc012759d60e24d53 Mon Sep 17 00:00:00 2001 From: Brian Anglin Date: Sun, 24 Sep 2017 15:55:05 -0700 Subject: [PATCH 2/7] Adds data: and githubusercontent to img_src --- config/application.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/application.rb b/config/application.rb index 035535d302..3b0961ebc1 100644 --- a/config/application.rb +++ b/config/application.rb @@ -49,9 +49,12 @@ class Application < Rails::Application default_src: %w(https: 'self'), style_src: %w('self' 'unsafe-inline'), script_src: %w('self'), + img_src: %w('self' data: *.githubusercontent.com), } end + # Provide additional permissions on home page for video + # `unauthed_video` SecureHeaders::Configuration.named_append(:unauthed_video) do |request| { script_src: %w(https://www.youtube.com https://s.ytimg.com), 
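Review bot: `default_src: %w(https: 'self')` in the config/application.rb hunk makes every HTTPS origin an allowed source for each fetch directive the policy does not name (connect, font, frame, media, object, …), so after this hunk only scripts and styles are actually confined to the site's own origin. As far as I can tell, assigning `config.csp` replaces the gem's built-in policy rather than merging with it, so `object_src: %w('none')` and `base_uri: %w('self')` (plus `frame_ancestors` if clickjacking protection is wanted) should be listed explicitly rather than assumed. `'unsafe-inline'` in `style_src` is a deliberate trade-off and deserves a why-comment on that line, e.g. `# 'unsafe-inline': views still rely on inline styles — TODO confirm and tighten`. The enclosing `Application` class body starts and ends outside the hunk.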
From a56b3a4cfa8901be4732ff51a9bf1df0d06bbdc8 Mon Sep 17 00:00:00 2001 From: Brian Anglin Date: Sun, 24 Sep 2017 15:56:21 -0700 Subject: [PATCH 3/7] Bumps jquery-datetimepicker-rails to remove eval --- Gemfile | 2 +- Gemfile.lock | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/Gemfile b/Gemfile index 87fc09703f..5e04de4493 100644 --- a/Gemfile +++ b/Gemfile @@ -27,7 +27,7 @@ gem "flipper-ui", "~> 0.10.2" gem "geo_pattern", "~> 1.4" -gem "jquery-datetimepicker-rails", "~> 2.4", ">= 2.4.1.0" +gem "jquery-datetimepicker-rails", :git => 'git://github.com/anglinb/jquery-datetimepicker-rails.git', :tag => 'v2.4.1.1' gem "jquery-turbolinks", "~> 2.1" gem "kaminari", "~> 1.0", ">= 1.0.1" diff --git a/Gemfile.lock b/Gemfile.lock index 4e3493e081..15d3f31792 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,3 +1,10 @@ +GIT + remote: git://github.com/anglinb/jquery-datetimepicker-rails.git + revision: 2936a01c0fd6b3167cfa59b30e98a7fc776f8fdc + tag: v2.4.1.1 + specs: + jquery-datetimepicker-rails (2.4.1.1) + GIT remote: https://github.com/Soliah/peek-sidekiq.git revision: 261c857578ae6dc189506a35194785a4db51e54c @@ -187,7 +194,6 @@ GEM hashdiff (0.3.6) hashie (3.5.6) i18n (0.8.6) - jquery-datetimepicker-rails (2.4.1.0) jquery-turbolinks (2.1.0) railties (>= 3.1.0) turbolinks @@ -469,7 +475,7 @@ DEPENDENCIES foreman (~> 0.84.0) geo_pattern (~> 1.4) guard-rspec (~> 4.7, >= 4.7.3) - jquery-datetimepicker-rails (~> 2.4, >= 2.4.1.0) + jquery-datetimepicker-rails! jquery-turbolinks (~> 2.1) kaminari (~> 1.0, >= 1.0.1) knapsack (~> 1.14, >= 1.14.1) From 94e678a029291f8d2c1775a9654f050e13864d04 Mon Sep 17 00:00:00 2001 From: Brian Anglin Date: Sun, 24 Sep 2017 16:41:35 -0700 Subject: [PATCH 4/7] Fix linter issues --- Gemfile | 2 +- config/application.rb | 16 +++++++++------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/Gemfile b/Gemfile index 5e04de4493..0797d886c9 100644 --- a/Gemfile +++ b/Gemfile 
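Review bot: The Gemfile hunk now pulls `jquery-datetimepicker-rails` from a personal fork over `git://`, a transport with no encryption or server authentication, and references it only by a mutable tag; the lockfile pins revision `2936a01c0fd6b3167cfa59b30e98a7fc776f8fdc`, but the Gemfile itself gives no integrity anchor. Prefer the HTTPS remote and pin the commit, e.g. `gem "jquery-datetimepicker-rails", git: "https://github.com/anglinb/jquery-datetimepicker-rails.git", ref: "2936a01c0fd6b3167cfa59b30e98a7fc776f8fdc"`, and note in a comment why the fork exists (the subject says it removes `eval`, which `script_src 'self'` without `'unsafe-eval'` would otherwise block). GitHub has since stopped serving the `git://` protocol, so the URL will need changing regardless. The same line is rewritten in patch 4 (quote style) and patch 6 (tag bump) without addressing either point.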
@@ -27,7 +27,7 @@ gem "flipper-ui", "~> 0.10.2" gem "geo_pattern", "~> 1.4" -gem "jquery-datetimepicker-rails", :git => 'git://github.com/anglinb/jquery-datetimepicker-rails.git', :tag => 'v2.4.1.1' +gem "jquery-datetimepicker-rails", git: "git://github.com/anglinb/jquery-datetimepicker-rails.git", tag: "v2.4.1.1" gem "jquery-turbolinks", "~> 2.1" gem "kaminari", "~> 1.0", ">= 1.0.1" diff --git a/config/application.rb b/config/application.rb index 3b0961ebc1..e24e2c6794 100644 --- a/config/application.rb +++ b/config/application.rb @@ -44,23 +44,25 @@ class Application < Rails::Application config.active_job.queue_adapter = :sidekiq # Setup Secure Headers with default values + # rubocop:disable Lint/PercentStringArray SecureHeaders::Configuration.default do |config| config.csp = { - default_src: %w(https: 'self'), - style_src: %w('self' 'unsafe-inline'), - script_src: %w('self'), - img_src: %w('self' data: *.githubusercontent.com), + default_src: %w[https: 'self'], + style_src: %w['self' 'unsafe-inline'], + script_src: %w['self'], + img_src: %w['self' data: *.githubusercontent.com] } end # Provide additional permissions on home page for video # `unauthed_video` - SecureHeaders::Configuration.named_append(:unauthed_video) do |request| + SecureHeaders::Configuration.named_append(:unauthed_video) do { - script_src: %w(https://www.youtube.com https://s.ytimg.com), - child_src: %w(https://www.youtube.com/ https://s.ytimg.com) + script_src: %w[https://www.youtube.com https://s.ytimg.com], + child_src: %w[https://www.youtube.com/ https://s.ytimg.com] } end + # rubocop:enable Style/WordArray # Health checks endpoint for monitoring if ENV["PINGLISH_ENABLED"] == "true" From 5285f61a37e1c0436007aff0492fd56c7388792a Mon Sep 17 00:00:00 2001 
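Review bot: In the config/application.rb hunk the closing `# rubocop:enable Style/WordArray` does not match the `# rubocop:disable Lint/PercentStringArray` opened above it, so the Lint cop stays disabled for the remainder of the file and the enable line is a no-op; it should read `# rubocop:enable Lint/PercentStringArray`. The disable is needed because `%w['self']` intentionally keeps the single quotes that CSP keyword sources require, which is worth saying in the comment so nobody "fixes" the quotes later. The enclosing `Application` class body continues past both ends of the hunk.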
From: Brian Anglin Date: Wed, 27 Sep 2017 14:24:48 -0700 Subject: [PATCH 5/7] Moves intialization to seperate file --- config/application.rb | 21 --------------------- config/initializers/secure_headers.rb | 20 ++++++++++++++++++++ 2 files changed, 20 insertions(+), 21 deletions(-) create mode 100644 config/initializers/secure_headers.rb diff --git a/config/application.rb b/config/application.rb index e24e2c6794..2eb9abe623 100644 --- a/config/application.rb +++ b/config/application.rb @@ -43,27 +43,6 @@ class Application < Rails::Application # Use SideKiq for background jobs config.active_job.queue_adapter = :sidekiq - # Setup Secure Headers with default values - # rubocop:disable Lint/PercentStringArray - SecureHeaders::Configuration.default do |config| - config.csp = { - default_src: %w[https: 'self'], - style_src: %w['self' 'unsafe-inline'], - script_src: %w['self'], - img_src: %w['self' data: *.githubusercontent.com] - } - end - - # Provide additional permissions on home page for video - # `unauthed_video` - SecureHeaders::Configuration.named_append(:unauthed_video) do - { - script_src: %w[https://www.youtube.com https://s.ytimg.com], - child_src: %w[https://www.youtube.com/ https://s.ytimg.com] - } - end - # rubocop:enable Style/WordArray - # Health checks endpoint for monitoring if ENV["PINGLISH_ENABLED"] == "true" config.middleware.use Pinglish do |ping| diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb new file mode 100644 index 0000000000..09579b6ea8 --- /dev/null +++ b/config/initializers/secure_headers.rb 
@@ -0,0 +1,20 @@ +# Setup Secure Headers with default values +# rubocop:disable Lint/PercentStringArray +SecureHeaders::Configuration.default do |config| + config.csp = { + default_src: %w[https: 'self'], + style_src: %w['self' 'unsafe-inline'], + script_src: %w['self'], + img_src: %w['self' data: *.githubusercontent.com] + } +end + +# Provide additional permissions on home page for video +# `unauthed_video` +SecureHeaders::Configuration.named_append(:unauthed_video) do + { + script_src: %w[https://www.youtube.com https://s.ytimg.com], + child_src: %w[https://www.youtube.com/ https://s.ytimg.com] + } +end +# rubocop:enable Lint/PercentStringArray From 2982c004da8e646da3f12e7887d66c297fa123df Mon Sep 17 00:00:00 2001 From: Brian Anglin Date: Wed, 27 Sep 2017 14:25:27 -0700 Subject: [PATCH 6/7] Fixes tagging scheme for jquery-rails --- Gemfile | 2 +- Gemfile.lock | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile b/Gemfile index 0797d886c9..4f0ae98482 100644 --- a/Gemfile +++ b/Gemfile @@ -27,7 +27,7 @@ gem "flipper-ui", "~> 0.10.2" gem "geo_pattern", "~> 1.4" -gem "jquery-datetimepicker-rails", git: "git://github.com/anglinb/jquery-datetimepicker-rails.git", tag: "v2.4.1.1" +gem "jquery-datetimepicker-rails", git: "git://github.com/anglinb/jquery-datetimepicker-rails.git", tag: "v2.5.4.0" gem "jquery-turbolinks", "~> 2.1" gem "kaminari", "~> 1.0", ">= 1.0.1" diff --git a/Gemfile.lock b/Gemfile.lock index 15d3f31792..66821796dc 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,9 +1,9 @@ GIT remote: git://github.com/anglinb/jquery-datetimepicker-rails.git - revision: 2936a01c0fd6b3167cfa59b30e98a7fc776f8fdc - tag: v2.4.1.1 + revision: 535e81708a45ef077b408b6e5a5c47196cbf911f + tag: v2.5.4.0 specs: - jquery-datetimepicker-rails (2.4.1.1) + jquery-datetimepicker-rails (2.5.4.0) GIT remote: https://github.com/Soliah/peek-sidekiq.git From cf3f2edab613e67dddf12f42c44d8c5962938eae Mon Sep 17 00:00:00 2001 
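Review bot: The `child_src` entry in the `:unauthed_video` append is currently redundant: `default_src` already contains `https:`, so an `https://www.youtube.com` frame is permitted with or without it, and only the `script_src` half of the append changes behaviour. If `default_src` is later tightened to `'self'`, browsers implementing CSP Level 3 consult `frame_src` before falling back to `child_src`, so `frame_src: %w[https://www.youtube.com]` should be added beside it at that point. The header comment should also name the consumer so the coupling is visible, e.g. `# Applied by PagesController#home for visitors who are not logged in (see use_content_security_policy_named_append)`.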
From: Mark Tareshawty Date: Wed, 27 Sep 2017 18:00:41 -0400 Subject: [PATCH 7/7] Fix linting issues --- config/initializers/secure_headers.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index 09579b6ea8..0859564118 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -1,11 +1,12 @@ +# frozen_string_literal: true + # Setup Secure Headers with default values -# rubocop:disable Lint/PercentStringArray SecureHeaders::Configuration.default do |config| config.csp = { - default_src: %w[https: 'self'], - style_src: %w['self' 'unsafe-inline'], - script_src: %w['self'], - img_src: %w['self' data: *.githubusercontent.com] + default_src: ["https:", "'self'"], + style_src: ["'self',", "'unsafe-inline'"], + script_src: ["'self'"], + img_src: ["'self'", "data:", "*.githubusercontent.com"] } end @@ -13,8 +14,7 @@ # `unauthed_video` SecureHeaders::Configuration.named_append(:unauthed_video) do { - script_src: %w[https://www.youtube.com https://s.ytimg.com], - child_src: %w[https://www.youtube.com/ https://s.ytimg.com] + script_src: ["https://www.youtube.com", "https://s.ytimg.com"], + child_src: ["https://www.youtube.com", "https://s.ytimg.com"] } end -# rubocop:enable Lint/PercentStringArray
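Review bot: `style_src: ["'self',", "'unsafe-inline'"]` in the first hunk carries the comma inside the first string, so the emitted directive would read `style-src 'self', 'unsafe-inline'`; `'self',` is not a valid source expression, and secure_headers may reject the configuration when it validates it — if it does not, browsers drop the token and self-hosted stylesheets are blocked. The fix is `style_src: ["'self'", "'unsafe-inline'"]`. A request spec asserting on the `Content-Security-Policy` response header would catch this class of typo, since the linter rewrite that introduced it cannot.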