Merge branch 'main' into myersg86/main

Author: fletchto99

.github/workflows/build.yml

@@ -10,12 +10,12 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby: [ '2.6', '2.7', '3.0', '3.1', '3.2' ]
+        ruby: [ '2.7', '3.0', '3.1', '3.2', '3.4', '4.0' ]
 
     steps:
     - uses: actions/checkout@v4
     - name: Set up Ruby ${{ matrix.ruby }}
-      uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4 #v1.190.0 tag
+      uses: ruby/setup-ruby@d697be2f83c6234b20877c3b5eac7a7f342f0d0c #v1.269.0 tag
       with:
         ruby-version: ${{ matrix.ruby }}
         bundler-cache: true

.rubocop.yml

@@ -1,4 +1,11 @@
 inherit_gem:
   rubocop-github:
     - config/default.yml
-require: rubocop-performance
+plugins: rubocop-performance
+
+AllCops:
+  TargetRubyVersion: 2.6
+
+# Disable cops that are not consistently available across all Ruby versions
+Lint/RedundantCopDisableDirective:
+  Enabled: false

README.md

@@ -1,4 +1,4 @@
-# Secure Headers ![Build + Test](https://github.com/github/secure_headers/workflows/Build%20+%20Test/badge.svg?branch=main)
+# Secure Headers [![Build + Test](https://github.com/github/secure_headers/actions/workflows/build.yml/badge.svg)](https://github.com/github/secure_headers/actions/workflows/build.yml)
 
 **main branch represents 7.x line**. See the [upgrading to 4.x doc](docs/upgrading-to-4-0.md), [upgrading to 5.x doc](docs/upgrading-to-5-0.md), [upgrading to 6.x doc](docs/upgrading-to-6-0.md) or [upgrading to 7.x doc](docs/upgrading-to-7-0.md) for instructions on how to upgrade. Bug fixes should go in the `6.x` branch for now.
 

lib/secure_headers.rb

@@ -208,7 +208,7 @@ def raise_on_unknown_target(target)
 
     def config_and_target(request, target)
       config = config_for(request)
-      target = guess_target(config) unless target
+      target ||= guess_target(config)
       raise_on_unknown_target(target)
       [config, target]
     end

lib/secure_headers/headers/clear_site_data.rb

@@ -11,43 +11,41 @@ class ClearSiteData
     EXECUTION_CONTEXTS = "executionContexts".freeze
     ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
 
-    class << self
-      # Public: make an clear-site-data header name, value pair
-      #
-      # Returns nil if not configured, returns header name and value if configured.
-      def make_header(config = nil, user_agent = nil)
-        case config
-        when nil, OPT_OUT, []
-          # noop
-        when Array
-          [HEADER_NAME, make_header_value(config)]
-        when true
-          [HEADER_NAME, make_header_value(ALL_TYPES)]
-        end
+    # Public: make an clear-site-data header name, value pair
+    #
+    # Returns nil if not configured, returns header name and value if configured.
+    def self.make_header(config = nil, user_agent = nil)
+      case config
+      when nil, OPT_OUT, []
+        # noop
+      when Array
+        [HEADER_NAME, make_header_value(config)]
+      when true
+        [HEADER_NAME, make_header_value(ALL_TYPES)]
       end
+    end
 
-      def validate_config!(config)
-        case config
-        when nil, OPT_OUT, true
-          # valid
-        when Array
-          unless config.all? { |t| t.is_a?(String) }
-            raise ClearSiteDataConfigError.new("types must be Strings")
-          end
-        else
-          raise ClearSiteDataConfigError.new("config must be an Array of Strings or `true`")
+    def self.validate_config!(config)
+      case config
+      when nil, OPT_OUT, true
+        # valid
+      when Array
+        unless config.all? { |t| t.is_a?(String) }
+          raise ClearSiteDataConfigError.new("types must be Strings")
         end
+      else
+        raise ClearSiteDataConfigError.new("config must be an Array of Strings or `true`")
       end
+    end
 
-      # Public: Transform a clear-site-data config (an Array of Strings) into a
-      # String that can be used as the value for the clear-site-data header.
-      #
-      # types - An Array of String of types of data to clear.
-      #
-      # Returns a String of quoted values that are comma separated.
-      def make_header_value(types)
-        types.map { |t| %("#{t}") }.join(", ")
-      end
+    # Public: Transform a clear-site-data config (an Array of Strings) into a
+    # String that can be used as the value for the clear-site-data header.
+    #
+    # types - An Array of String of types of data to clear.
+    #
+    # Returns a String of quoted values that are comma separated.
+    def self.make_header_value(types)
+      types.map { |t| %("#{t}") }.join(", ")
     end
   end
 end

lib/secure_headers/headers/cookie.rb

@@ -7,10 +7,8 @@ module SecureHeaders
   class CookiesConfigError < StandardError; end
   class Cookie
 
-    class << self
-      def validate_config!(config)
-        CookiesConfig.new(config).validate!
-      end
+    def self.validate_config!(config)
+      CookiesConfig.new(config).validate!
     end
 
     attr_reader :raw_cookie, :config

lib/secure_headers/headers/expect_certificate_transparency.rb

@@ -9,31 +9,29 @@ class ExpectCertificateTransparency
     REQUIRED_MAX_AGE_ERROR      = "max-age is a required directive.".freeze
     INVALID_MAX_AGE_ERROR       = "max-age must be a number.".freeze
 
-    class << self
-      # Public: Generate a expect-ct header.
-      #
-      # Returns nil if not configured, returns header name and value if
-      # configured.
-      def make_header(config, use_agent = nil)
-        return if config.nil? || config == OPT_OUT
+    # Public: Generate a expect-ct header.
+    #
+    # Returns nil if not configured, returns header name and value if
+    # configured.
+    def self.make_header(config, use_agent = nil)
+      return if config.nil? || config == OPT_OUT
 
-        header = new(config)
-        [HEADER_NAME, header.value]
-      end
+      header = new(config)
+      [HEADER_NAME, header.value]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise ExpectCertificateTransparencyConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a? Hash
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise ExpectCertificateTransparencyConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a? Hash
 
-        unless [true, false, nil].include?(config[:enforce])
-          raise ExpectCertificateTransparencyConfigError.new(INVALID_ENFORCE_VALUE_ERROR)
-        end
+      unless [true, false, nil].include?(config[:enforce])
+        raise ExpectCertificateTransparencyConfigError.new(INVALID_ENFORCE_VALUE_ERROR)
+      end
 
-        if !config[:max_age]
-          raise ExpectCertificateTransparencyConfigError.new(REQUIRED_MAX_AGE_ERROR)
-        elsif config[:max_age].to_s !~ /\A\d+\z/
-          raise ExpectCertificateTransparencyConfigError.new(INVALID_MAX_AGE_ERROR)
-        end
+      if !config[:max_age]
+        raise ExpectCertificateTransparencyConfigError.new(REQUIRED_MAX_AGE_ERROR)
+      elsif config[:max_age].to_s !~ /\A\d+\z/
+        raise ExpectCertificateTransparencyConfigError.new(INVALID_MAX_AGE_ERROR)
       end
     end
 

lib/secure_headers/headers/referrer_policy.rb

@@ -15,29 +15,27 @@ class ReferrerPolicy
       unsafe-url
     )
 
-    class << self
-      # Public: generate an Referrer Policy header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        config ||= DEFAULT_VALUE
-        [HEADER_NAME, Array(config).join(", ")]
-      end
+    # Public: generate an Referrer Policy header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      config ||= DEFAULT_VALUE
+      [HEADER_NAME, Array(config).join(", ")]
+    end
 
-      def validate_config!(config)
-        case config
-        when nil, OPT_OUT
-          # valid
-        when String, Array
-          config = Array(config)
-          unless config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }
-            raise ReferrerPolicyConfigError.new("Value can only be one or more of #{VALID_POLICIES.join(", ")}")
-          end
-        else
-          raise TypeError.new("Must be a string or array of strings. Found #{config.class}: #{config}")
+    def self.validate_config!(config)
+      case config
+      when nil, OPT_OUT
+        # valid
+      when String, Array
+        config = Array(config)
+        unless config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }
+          raise ReferrerPolicyConfigError.new("Value can only be one or more of #{VALID_POLICIES.join(", ")}")
         end
+      else
+        raise TypeError.new("Must be a string or array of strings. Found #{config.class}: #{config}")
       end
     end
   end

lib/secure_headers/headers/strict_transport_security.rb

@@ -9,21 +9,19 @@ class StrictTransportSecurity
     VALID_STS_HEADER = /\Amax-age=\d+(; includeSubdomains)?(; preload)?\z/i
     MESSAGE = "The config value supplied for the HSTS header was invalid. Must match #{VALID_STS_HEADER}"
 
-    class << self
-      # Public: generate an hsts header name, value pair.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an hsts header name, value pair.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config} #{config.class}") unless config.is_a?(String)
-        raise STSConfigError.new(MESSAGE) unless config =~ VALID_STS_HEADER
-      end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config} #{config.class}") unless config.is_a?(String)
+      raise STSConfigError.new(MESSAGE) unless config =~ VALID_STS_HEADER
     end
   end
 end

lib/secure_headers/headers/x_content_type_options.rb

@@ -6,22 +6,20 @@ class XContentTypeOptions
     HEADER_NAME = "x-content-type-options".freeze
     DEFAULT_VALUE = "nosniff"
 
-    class << self
-      # Public: generate an X-Content-Type-Options header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        [HEADER_NAME, config || DEFAULT_VALUE]
-      end
+    # Public: generate an X-Content-Type-Options header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      [HEADER_NAME, config || DEFAULT_VALUE]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
-        unless config.casecmp(DEFAULT_VALUE) == 0
-          raise XContentTypeOptionsConfigError.new("Value can only be nil or 'nosniff'")
-        end
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
+      unless config.casecmp(DEFAULT_VALUE) == 0
+        raise XContentTypeOptionsConfigError.new("Value can only be nil or 'nosniff'")
       end
     end
   end