

escape semicolons by replacing them with spaces
eleabrton authored and oreoshake committed May 26, 2021
1 parent de1c1d8 commit d594f18
Showing 2 changed files with 13 additions and 3 deletions.
11 changes: 8 additions & 3 deletions lib/secure_headers/headers/content_security_policy.rb
Expand Up @@ -103,10 +103,15 @@ def build_media_type_list_directive(directive)
# Returns a string representing a directive.
def build_source_list_directive(directive)
source_list = @config.directive_value(directive)

if source_list != OPT_OUT && source_list && source_list.any?
normalized_source_list = minify_source_list(directive, source_list)
[symbol_to_hyphen_case(directive), normalized_source_list].join(" ")
minified_source_list = minify_source_list(directive, source_list).join(" ")

if minified_source_list.include?(";")
Kernel.warn("#{directive} contains a ; in '#{minified_source_list}' which will raise an error in future versions. It has been replaced with a blank space.")
end

escaped_source_list = minified_source_list.gsub(";", " ")
[symbol_to_hyphen_case(directive), escaped_source_list].join(" ").strip
end
end

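Review bot: The `gsub(";", " ")` at L30 removes the separator but keeps the fragments it separated as live source expressions, so an injected value is weakened rather than neutralized — the new spec's expected output, `frame-ancestors google.com script-src * .`, shows the hostile `*` surviving as a wildcard that permits framing by any origin. If the deprecation window has to stay, prefer dropping any token that carries a separator instead of splicing it, `minified = minify_source_list(directive, source_list).reject { |s| s.match?(/[;,\r\n]/) }` before the join, and warn about the rejected tokens; `,` is a policy-list separator in the CSP header grammar and CR/LF are header-injection characters, and neither is covered by the `include?(";")` check at L26. The `Kernel.warn` at L27 also echoes the raw value, so interpolating `minified_source_list.inspect` would keep a value containing newlines from forging extra log lines. Whether `minify_source_list` can itself add or strip these characters is not visible from this hunk.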
Expand Up @@ -28,6 +28,11 @@ module SecureHeaders
expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
end

it "deprecates and escapes semicolons in directive source lists" do
expect(Kernel).to receive(:warn).with("frame_ancestors contains a ; in 'google.com;script-src *;.;' which will raise an error in future versions. It has been replaced with a blank space.")
expect(ContentSecurityPolicy.new(frame_ancestors: %w(https://google.com;script-src https://*;.;)).value).to eq("frame-ancestors google.com script-src * .")
end

it "discards 'none' values if any other source expressions are present" do
csp = ContentSecurityPolicy.new(default_opts.merge(child_src: %w('self' 'none')))
expect(csp.value).not_to include("'none'")
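Review bot: The expectation at L43 codifies a bare `*` in `frame-ancestors` as the correct output for a value that contained an injected directive, so the suite now guards that weakening rather than catching it. An assertion that separator-bearing tokens do not reach the header at all, for example `expect(csp.value).not_to include("*")` next to the existing `Kernel.warn` expectation, would pin the property the change is meant to provide, and once the announced future version raises, the same example should switch to expecting the error. The example also exercises only `;`; a sibling example with `,` and `"\n"` in a source expression would document whether those separators are handled, which this hunk does not show.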

