Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Rack::Lint to ContentSecurityPolicy::Middleware tests #48812

Merged
merged 1 commit into from Jul 28, 2023
Merged

Add Rack::Lint to ContentSecurityPolicy::Middleware tests #48812

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 4 additions & 0 deletions actionpack/lib/action_dispatch/constants.rb
View file
Open in desktop
Expand Up @@ -8,12 +8,16 @@ module Constants
if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3")
VARY = "Vary"
CONTENT_ENCODING = "Content-Encoding"
CONTENT_SECURITY_POLICY = "Content-Security-Policy"
CONTENT_SECURITY_POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only"
LOCATION = "Location"
FEATURE_POLICY = "Feature-Policy"
X_REQUEST_ID = "X-Request-Id"
else
VARY = "vary"
CONTENT_ENCODING = "content-encoding"
CONTENT_SECURITY_POLICY = "content-security-policy"
CONTENT_SECURITY_POLICY_REPORT_ONLY = "content-security-policy-report-only"
LOCATION = "location"
FEATURE_POLICY = "feature-policy"
X_REQUEST_ID = "x-request-id"
Expand Down
11 changes: 4 additions & 7 deletions actionpack/lib/action_dispatch/http/content_security_policy.rb
View file
Open in desktop
Expand Up @@ -25,10 +25,6 @@ module ActionDispatch # :nodoc:
# end
class ContentSecurityPolicy
class Middleware
CONTENT_TYPE = "Content-Type"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was not used / referenced.

POLICY = "Content-Security-Policy"
POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only"

def initialize(app)
@app = app
end
Expand Down Expand Up @@ -57,14 +53,15 @@ def call(env)
private
def header_name(request)
if request.content_security_policy_report_only
POLICY_REPORT_ONLY
ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY
else
POLICY
ActionDispatch::Constants::CONTENT_SECURITY_POLICY
end
end

def policy_present?(headers)
headers[POLICY] || headers[POLICY_REPORT_ONLY]
headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY] ||
headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY]
end
end

Expand Down
55 changes: 55 additions & 0 deletions actionpack/test/dispatch/content_security_policy_test.rb
View file
Open in desktop
Expand Up @@ -302,6 +302,51 @@ def test_raises_runtime_error_when_unexpected_source
end
end

class ContentSecurityPolicyMiddlewareTest < ActiveSupport::TestCase
def setup
@env = Rack::MockRequest.env_for("", {})
@env["action_dispatch.content_security_policy"] = ActionDispatch::ContentSecurityPolicy.new do |p|
p.default_src -> { :self }
end
@env["action_dispatch.content_security_policy_nonce_generator"] = proc { "iyhD0Yc0W+c=" }
@env["action_dispatch.content_security_policy_report_only"] = false
@env["action_dispatch.show_exceptions"] = :none

@default_csp = "default-src 'self' https: http:"
end

def test_rack_lint
app = proc { [200, {}, []] }

assert_nothing_raised do
Rack::Lint.new(
ActionDispatch::ContentSecurityPolicy::Middleware.new(
Rack::Lint.new(app)
)
).call(@env)
end
end

def test_does_not_override_app_content_security_policy
app = proc { [200, { ActionDispatch::Constants::CONTENT_SECURITY_POLICY => @default_csp }, []] }
_, headers, _ = Rack::Lint.new(
ActionDispatch::ContentSecurityPolicy::Middleware.new(Rack::Lint.new(app))
).call(@env)

assert_equal @default_csp, headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY]
end

def test_does_not_override_app_content_security_policy_report_only
nunosilva800 marked this conversation as resolved.
Show resolved Hide resolved
app = proc { [200, { ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY => @default_csp }, []] }
@env["action_dispatch.content_security_policy_report_only"] = true
_, headers, _ = Rack::Lint.new(
ActionDispatch::ContentSecurityPolicy::Middleware.new(Rack::Lint.new(app))
).call(@env)

assert_equal @default_csp, headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY]
end
end

class DefaultContentSecurityPolicyIntegrationTest < ActionDispatch::IntegrationTest
class PolicyController < ActionController::Base
def index
Expand Down Expand Up @@ -338,8 +383,10 @@ def call(env)
end

APP = build_app(ROUTES) do |middleware|
middleware.use Rack::Lint
middleware.use PolicyConfigMiddleware
middleware.use ActionDispatch::ContentSecurityPolicy::Middleware
middleware.use Rack::Lint
end

def app
Expand Down Expand Up @@ -488,8 +535,10 @@ def call(env)
end

APP = build_app(ROUTES) do |middleware|
middleware.use Rack::Lint
middleware.use PolicyConfigMiddleware
middleware.use ActionDispatch::ContentSecurityPolicy::Middleware
middleware.use Rack::Lint
end

def app
Expand Down Expand Up @@ -604,8 +653,10 @@ def call(env)
end

APP = build_app(ROUTES) do |middleware|
middleware.use Rack::Lint
middleware.use PolicyConfigMiddleware
middleware.use ActionDispatch::ContentSecurityPolicy::Middleware
middleware.use Rack::Lint
end

def app
Expand Down Expand Up @@ -660,8 +711,10 @@ def call(env)
end

APP = build_app(ROUTES) do |middleware|
middleware.use Rack::Lint
middleware.use PolicyConfigMiddleware
middleware.use ActionDispatch::ContentSecurityPolicy::Middleware
middleware.use Rack::Lint
end

def app
Expand Down Expand Up @@ -732,8 +785,10 @@ def call(env)
end

APP = build_app(ROUTES) do |middleware|
middleware.use Rack::Lint
middleware.use PolicyConfigMiddleware
middleware.use ActionDispatch::ContentSecurityPolicy::Middleware
middleware.use Rack::Lint
end

def app
Expand Down