Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Rack::Lint to ContentSecurityPolicy::Middleware tests #48812

Merged
merged 1 commit into from Jul 28, 2023
Merged

Add Rack::Lint to ContentSecurityPolicy::Middleware tests #48812

merged 1 commit into from Jul 28, 2023

Conversation

nunosilva800
Copy link
Contributor

@nunosilva800 nunosilva800 commented Jul 26, 2023
edited

Motivation / Background

To ensure Rails is and remains compliant with the Rack 3 spec we can add Rack::Lint to the Rails middleware tests.

Detail

This adds additional test coverage to ContentSecurityPolicy::Middleware to validate that its input and output follow the Rack SPEC.

The changes made are because of:

Added tests to ensure that CSP headers set by an app are not overridden, regardless of the casing.
An example of this is Sidekiq: https://github.com/sidekiq/sidekiq/blob/b3225ce/lib/sidekiq/web/application.rb#L353

Additional information

Checklist

Before submitting the PR make sure the following are checked:

  • This Pull Request is related to one change. Changes that are unrelated should be opened in separate PRs.
  • Commit message has a detailed description of what changed and why. If this PR fixes a related issue include it in the commit message. Ex: [Fix #issue-number]
  • Tests are added or updated if you fix a bug or add a feature.
  • CHANGELOG files are updated for the changed libraries if there is a behavior change or additional feature. Minor bug fixes and documentation changes should not be included.

@rails-bot rails-bot bot added the actionpack label Jul 26, 2023
@skipkayhil skipkayhil mentioned this pull request Jul 26, 2023
Closed
@nunosilva800 nunosilva800 force-pushed the ns-rack-lint-content-security-policy-middleware branch 2 times, most recently from 50feb03 to bccbb33 Compare July 27, 2023 15:22
nunosilva800
nunosilva800 commented Jul 27, 2023
View reviewed changes
actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -25,9 +25,8 @@ module ActionDispatch # :nodoc:
# end
class ContentSecurityPolicy
class Middleware
CONTENT_TYPE = "Content-Type"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was not used / referenced.

actionpack/lib/action_dispatch/http/content_security_policy.rb Outdated Show resolved Hide resolved
actionpack/lib/action_dispatch/http/content_security_policy.rb Outdated Show resolved Hide resolved
@nunosilva800 nunosilva800 force-pushed the ns-rack-lint-content-security-policy-middleware branch from bccbb33 to 5094853 Compare July 27, 2023 16:41
skipkayhil
skipkayhil reviewed Jul 27, 2023
View reviewed changes
actionpack/test/dispatch/content_security_policy_test.rb Outdated
Comment on lines 330 to 337
def test_does_not_override_app_content_security_policy
app = proc { [200, { "content-security-policy" => @default_csp }, []] }
_, headers, _ = Rack::Lint.new(
ActionDispatch::ContentSecurityPolicy::Middleware.new(Rack::Lint.new(app))
).call(@env)

assert_equal @default_csp, headers["content-security-policy"]
end

def test_does_not_override_app_content_security_policy_for_rack_v2
app = proc { [200, { "Content-Security-Policy" => @default_csp }, []] }
_, headers, _ = ActionDispatch::ContentSecurityPolicy::Middleware.new(app).call(@env)

assert_equal @default_csp, headers["content-security-policy"]
end
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When using conditional headers, we'll probably have to make this a single test that also uses conditional headers

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I opted to drop this v2 test as I don't know how to set the gem version for this test only.
Perhaps that is overthinking it anyway, as these dependencies should be set by the environment.

I did this in my local machine fwiw:

% export RACK=2.2.4             
% bundle
# ...

% bundle show rack 
/home/spin/.bundle/rails/gems/rack-2.2.4

% bin/test test/dispatch/content_security_policy_test.rb     
#...
34 runs, 190 assertions, 0 failures, 0 errors, 0 skips

@guilleiguaran guilleiguaran self-assigned this Jul 27, 2023
@nunosilva800
Add Rack::Lint to ContentSecurityPolicy::Middleware tests
d1381dc 
To ensure Rails is and remains compliant with [the Rack 3
spec](https://github.com/rack/rack/blob/6d16306192349e665e4ec820a9bfcc0967009b6a/UPGRADE-GUIDE.md)
we can add `Rack::Lint` to the Rails middleware tests.

This adds additional test coverage to
`ContentSecurityPolicy::Middleware` to validate that its input and
output follow the Rack SPEC.

The changes made are because of:
- [Response Headers must be lower case](https://github.com/rack/rack/blob/6d16306192349e665e4ec820a9bfcc0967009b6a/UPGRADE-GUIDE.md#response-headers-must-be-lower-case)

Added tests to ensure that CSP headers set by an app are not overridden,
regardless of the casing.
An example of this is Sidekiq: https://github.com/sidekiq/sidekiq/blob/b3225ce/lib/sidekiq/web/application.rb#L353
@nunosilva800 nunosilva800 force-pushed the ns-rack-lint-content-security-policy-middleware branch from 5094853 to d1381dc Compare July 28, 2023 09:37
skipkayhil
skipkayhil approved these changes Jul 28, 2023
View reviewed changes
Copy link
Member

@skipkayhil skipkayhil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

@guilleiguaran guilleiguaran merged commit 1788f67 into rails:main Jul 28, 2023
9 checks passed
@nunosilva800 nunosilva800 deleted the ns-rack-lint-content-security-policy-middleware branch July 28, 2023 17:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skipkayhil skipkayhil skipkayhil approved these changes

@guilleiguaran guilleiguaran Awaiting requested review from guilleiguaran

@adrianna-chang-shopify adrianna-chang-shopify Awaiting requested review from adrianna-chang-shopify

Assignees

@guilleiguaran guilleiguaran

Labels
actionpack
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@nunosilva800 @guilleiguaran @skipkayhil @adrianna-chang-shopify