Merge d1f0162 into 5c47914

github · Mar 25, 2018 · a70f728 · a70f728
2 parents 5c47914 + d1f0162
commit a70f728
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 8 deletions.
diff --git a/lib/secure_headers/view_helper.rb b/lib/secure_headers/view_helper.rb
@@ -19,7 +19,7 @@ def nonced_style_tag(content_or_options = {}, &block)
     #
     # Returns an html-safe link tag with the nonce attribute.
     def nonced_stylesheet_link_tag(*args, &block)
-      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
+      opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
 
       stylesheet_link_tag(*args, opts, &block)
     end
@@ -37,7 +37,7 @@ def nonced_javascript_tag(content_or_options = {}, &block)
     #
     # Returns an html-safe script tag with the nonce attribute.
     def nonced_javascript_include_tag(*args, &block)
-      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
+      opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
 
       javascript_include_tag(*args, opts, &block)
     end
@@ -47,7 +47,7 @@ def nonced_javascript_include_tag(*args, &block)
     #
     # Returns an html-safe script tag with the nonce attribute.
     def nonced_javascript_pack_tag(*args, &block)
-      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:script))
+      opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:script))
 
       javascript_pack_tag(*args, opts, &block)
     end
@@ -57,7 +57,7 @@ def nonced_javascript_pack_tag(*args, &block)
     #
     # Returns an html-safe link tag with the nonce attribute.
     def nonced_stylesheet_pack_tag(*args, &block)
-      opts = extract_options(args).merge(nonce: content_security_policy_nonce(:style))
+      opts = extract_options(args).merge(nonce: _content_security_policy_nonce(:style))
 
       stylesheet_pack_tag(*args, opts, &block)
     end
@@ -66,21 +66,22 @@ def nonced_stylesheet_pack_tag(*args, &block)
     # Instructs secure_headers to append a nonce to style/script-src directives.
     #
     # Returns a non-html-safe nonce value.
-    def content_security_policy_nonce(type)
+    def _content_security_policy_nonce(type)
       case type
       when :script
         SecureHeaders.content_security_policy_script_nonce(@_request)
       when :style
         SecureHeaders.content_security_policy_style_nonce(@_request)
       end
     end
+    alias_method :content_security_policy_nonce, :_content_security_policy_nonce
 
     def content_security_policy_script_nonce
-      content_security_policy_nonce(:script)
+      _content_security_policy_nonce(:script)
     end
 
     def content_security_policy_style_nonce
-      content_security_policy_nonce(:style)
+      _content_security_policy_nonce(:style)
     end
 
     ##
@@ -152,7 +153,7 @@ def nonced_tag(type, content_or_options, block)
       else
         content_or_options.html_safe # :'(
       end
-      content_tag type, content, options.merge(nonce: content_security_policy_nonce(type))
+      content_tag type, content, options.merge(nonce: _content_security_policy_nonce(type))
     end
 
     def extract_options(args)

diff --git a/spec/lib/secure_headers/view_helpers_spec.rb b/spec/lib/secure_headers/view_helpers_spec.rb
@@ -97,6 +97,12 @@ def request
   end
 end
 
+class MessageWithConflictingMethod < Message
+  def content_security_policy_nonce
+    "rails-nonce"
+  end
+end
+
 module SecureHeaders
   describe ViewHelpers do
     let(:app) { lambda { |env| [200, env, "app"] } }
@@ -159,5 +165,27 @@ module SecureHeaders
         expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
       end
     end
+
+    it "avoids calling content_security_policy_nonce internally" do
+      begin
+        allow(SecureRandom).to receive(:base64).and_return("abc123")
+
+        expected_hash = "sha256-3/URElR9+3lvLIouavYD/vhoICSNKilh15CzI/nKqg8="
+        Configuration.instance_variable_set(:@script_hashes, filename => ["'#{expected_hash}'"])
+        expected_style_hash = "sha256-7oYK96jHg36D6BM042er4OfBnyUDTG3pH1L8Zso3aGc="
+        Configuration.instance_variable_set(:@style_hashes, filename => ["'#{expected_style_hash}'"])
+
+        # render erb that calls out to helpers.
+        MessageWithConflictingMethod.new(request).result
+        _, env = middleware.call request.env
+
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'#{Regexp.escape(expected_hash)}'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/script-src[^;]*'nonce-abc123'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'nonce-abc123'/)
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).to match(/style-src[^;]*'#{Regexp.escape(expected_style_hash)}'/)
+
+        expect(env[ContentSecurityPolicyConfig::HEADER_NAME]).not_to match(/rails-nonce/)
+      end
+    end
   end
 end