Merge pull request #478 from rollbar/jon/secure-headers-fixes

SecureHeaders fixes
rollbar · Aug 31, 2016 · 00156c8 · 00156c8
2 parents a44e819 + 86aa4f2
commit 00156c8
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 4 deletions.
diff --git a/gemfiles/rails50.gemfile b/gemfiles/rails50.gemfile
@@ -32,7 +32,6 @@ end
 
 # We need last sinatra that uses rack 2.x
 gem 'sinatra', :git => 'https://github.com/sinatra/sinatra'
-gem 'rack-protection', :git => 'https://github.com/sinatra/rack-protection'
 gem 'resque'
 gem 'delayed_job', :require => false
 gem 'redis'

diff --git a/lib/rollbar/middleware/js.rb b/lib/rollbar/middleware/js.rb
@@ -116,7 +116,7 @@ def js_snippet
       end
 
       def script_tag(content, env)
-        if defined?(::SecureHeaders) && ::SecureHeaders.respond_to?(:content_security_policy_script_nonce)
+        if append_nonce?
           nonce = ::SecureHeaders.content_security_policy_script_nonce(::Rack::Request.new(env))
           script_tag_content = "\n<script type=\"text/javascript\" nonce=\"#{nonce}\">#{content}</script>"
         else
@@ -130,6 +130,12 @@ def html_safe_if_needed(string)
         string = string.html_safe if string.respond_to?(:html_safe)
         string
       end
+
+      def append_nonce?
+        defined?(::SecureHeaders) && ::SecureHeaders.respond_to?(:content_security_policy_script_nonce) &&
+          defined?(::SecureHeaders::Configuration) &&
+          !::SecureHeaders::Configuration.get.current_csp[:script_src].to_a.include?("'unsafe-inline'")
+      end
     end
   end
 end
diff --git a/lib/rollbar/plugins/rails.rb b/lib/rollbar/plugins/rails.rb
@@ -31,7 +31,7 @@ module Frameworks
           # customer is using SecureHeaders > 3.0
           class Rails
             def load(plugin)
-              plugin_execute = plugin_execute_proc(plugin)
+              plugin_execute = plugin_execute_proc_body(plugin)
 
               return after_secure_headers(&plugin_execute) if secure_headers_middleware?
 
@@ -42,7 +42,7 @@ def after_secure_headers(&block)
               Rollbar::Railtie.initializer('rollbar.js.frameworks.rails', :after => 'secure_headers.middleware', &block)
             end
 
-            def plugin_execute_proc(plugin)
+            def plugin_execute_proc_body(plugin)
               proc do
                 plugin.execute do
                   if Rollbar.configuration.js_enabled

diff --git a/spec/rollbar/middleware/js_spec.rb b/spec/rollbar/middleware/js_spec.rb
@@ -107,6 +107,10 @@
         before do
           Object.const_set('SecureHeaders', Module.new)
           SecureHeaders.const_set('VERSION', '3.0.0')
+          SecureHeaders.const_set('Configuration', Module.new {
+            def self.get
+            end
+          })
           allow(SecureHeaders).to receive(:content_security_policy_script_nonce) { 'lorem-ipsum-nonce' }
         end
 
@@ -115,13 +119,32 @@
         end
 
         it 'renders the snippet and config in the response with nonce in script tag when SecureHeaders installed' do
+          secure_headers_config = double(:configuration, :current_csp => {})
+          allow(SecureHeaders::Configuration).to receive(:get).and_return(secure_headers_config)
           res_status, res_headers, response = subject.call(env)
+
           new_body = response.body.join
 
           expect(new_body).to include('<script type="text/javascript" nonce="lorem-ipsum-nonce">')
           expect(new_body).to include("var _rollbarConfig = #{config[:options].to_json};")
           expect(new_body).to include(snippet)
         end
+
+        it 'renders the snippet in the response without nonce if SecureHeaders script_src includes \'unsafe-inline\'' do
+          secure_headers_config = double(:configuration, :current_csp => {
+                                           :script_src => %w('unsafe-inline')
+                                         })
+          allow(SecureHeaders::Configuration).to receive(:get).and_return(secure_headers_config)
+
+          res_status, res_headers, response = subject.call(env)
+          new_body = response.body.join
+
+          expect(new_body).to include('<script type="text/javascript">')
+          expect(new_body).to include("var _rollbarConfig = #{config[:options].to_json};")
+          expect(new_body).to include(snippet)
+
+          SecureHeaders.send(:remove_const, 'Configuration')
+        end
       end
 
       context 'having a html 200 response and SecureHeaders < 3.0.0 defined' do