clarify, document, and test behavior when encountering unknown hashes

oreoshake · oreoshake · commit 99eed49b72d8 · 2016-04-14T10:15:38.000-10:00
diff --git a/README.md b/README.md
@@ -229,6 +229,7 @@ body {
 ```
 
 ```
+
 Content-Security-Policy: ...
   script-src 'nonce-/jRAxuLJsDXAxqhNBB7gg7h55KETtDQBXe4ZL+xIXwI=' ...;
   style-src 'nonce-/jRAxuLJsDXAxqhNBB7gg7h55KETtDQBXe4ZL+xIXwI=' ...;
@@ -286,26 +287,33 @@ styles:
   - "'sha256-HSGHqlRoKmHAGTAJ2Rq0piXX4CnEbOl1ArNd6ejp2TE='"
 ```
 
-```
-Content-Security-Policy: ...
- script-src 'sha256-yktKiAsZWmc8WpOyhnmhQoDf9G2dAZvuBBC+V0LGQhg=' ... ;
- style-src 'sha256-SLp6LO3rrKDJwsG9uJUxZapb4Wp2Zhj6Bu3l+d9rnAY=' 'sha256-HSGHqlRoKmHAGTAJ2Rq0piXX4CnEbOl1ArNd6ejp2TE=' ...;
-```
-
 ##### Helpers
 
-You can use a helper that will raise exceptions when it encounters unknown hash values. Note: this is pretty limited as it will only raise if called on a file with no associated hashes. It will not raise an error if an unknown script is added to a file with known hashses. Also, it won't compute dynamic hashes by design. The output of both helpers will be a plain `script`/`style` tag without modification.
+**This will not compute dynamic hashes** by design. The output of both helpers will be a plain `script`/`style` tag without modification and the known hashes for a given file will be added to `script-src`/`style-src` when `hashed_javascript_tag` and `hashed_style_tag` are used. You can use `raise_error_on_unrecognized_hash = true` to be extra paranoid that you have precomputed hash values for all of your inline content. By default, this will raise an error in non-production environments.
 
 ```erb
-<%= hashed_javascript_tag do %>
-console.log("hai");
+<%= hashed_style_tag do %>
+body {
+  background-color: black;
+}
 <% end %>
 
 <%= hashed_style_tag do %>
 body {
-  background-color: black;
+  font-size: 30px;
+  font-color: green;
 }
 <% end %>
+
+<%= hashed_javascript_tag do %>
+console.log(1)
+<% end %>
+```
+
+```
+Content-Security-Policy: ...
+ script-src 'sha256-yktKiAsZWmc8WpOyhnmhQoDf9G2dAZvuBBC+V0LGQhg=' ... ;
+ style-src 'sha256-SLp6LO3rrKDJwsG9uJUxZapb4Wp2Zhj6Bu3l+d9rnAY=' 'sha256-HSGHqlRoKmHAGTAJ2Rq0piXX4CnEbOl1ArNd6ejp2TE=' ...;
 ```
 
 ### Public Key Pins
diff --git a/lib/secure_headers/view_helper.rb b/lib/secure_headers/view_helper.rb
@@ -38,8 +38,7 @@ def content_security_policy_nonce(type)
     # Checks to see if the hashed code is expected and adds the hash source
     # value to the current CSP.
     #
-    # In development/test/etc. an exception will be raised. In production,
-    # it will dynamically compute the value so things don't break.
+    # By default, in development/test/etc. an exception will be raised.
     def hashed_javascript_tag(raise_error_on_unrecognized_hash = nil, &block)
       hashed_tag(
         :script,
@@ -70,16 +69,12 @@ def hashed_tag(type, directive, hashes, raise_error_on_unrecognized_hash, block)
       content = capture(&block)
       file_path = File.join('app', 'views', self.instance_variable_get(:@virtual_path) + '.html.erb')
 
-      if hashes.nil?
-        raise UnexpectedHashedScriptException.new(unexpected_hash_error_message(file_path, content))
-      end
+      if raise_error_on_unrecognized_hash
+        hash_value = hash_source(content)
+        message = unexpected_hash_error_message(file_path, content, hash_value)
 
-      if hashes[file_path].nil?
-        message = unexpected_hash_error_message(file_path, content)
-        if raise_error_on_unrecognized_hash
+        if hashes.nil? || hashes[file_path].nil? || !hashes[file_path].include?(hash_value)
           raise UnexpectedHashedScriptException.new(message)
-        else
-          warn message
         end
       end
 
@@ -88,8 +83,7 @@ def hashed_tag(type, directive, hashes, raise_error_on_unrecognized_hash, block)
       content_tag type, content
     end
 
-    def unexpected_hash_error_message(file_path, content)
-      hash_value = hash_source(content)
+    def unexpected_hash_error_message(file_path, content, hash_value)
       <<-EOF
 \n\n*** WARNING: Unrecognized hash in #{file_path}!!! Value: #{hash_value} ***
 #{content}
diff --git a/spec/lib/secure_headers/view_helpers_spec.rb b/spec/lib/secure_headers/view_helpers_spec.rb
@@ -6,7 +6,7 @@ class Message < ERB
 
   def self.template
 <<-TEMPLATE
-<% hashed_javascript_tag do %>
+<% hashed_javascript_tag(raise_error_on_unrecognized_hash = true) do %>
   console.log(1)
 <% end %>
 
@@ -67,17 +67,25 @@ module SecureHeaders
   describe ViewHelpers do
     let(:app) { lambda { |env| [200, env, "app"] } }
     let(:middleware) { Middleware.new(app) }
+    let(:request) { Rack::Request.new("HTTP_USER_AGENT" => USER_AGENTS[:chrome]) }
 
-    it "uses view helpers" do
+    before(:each) do
+      Configuration.default do |config|
+        config.csp[:script_src] = %w('self')
+        config.csp[:style_src] = %w('self')
+      end
+    end
+
+    it "raises an error when attempting to hash unknown content" do
+      expect {
+        Message.new(request).result
+      }.to raise_error(ViewHelpers::UnexpectedHashedScriptException)
+    end
+
+    it "adds known hash values to the corresponding headers when the helper is used" do
       begin
         allow(SecureRandom).to receive(:base64).and_return("abc123")
 
-        Configuration.default do |config|
-          config.csp[:script_src] = %w('self')
-          config.csp[:style_src] = %w('self')
-        end
-        request = Rack::Request.new("HTTP_USER_AGENT" => USER_AGENTS[:chrome])
-
         expected_hash = "sha256-3/URElR9+3lvLIouavYD/vhoICSNKilh15CzI/nKqg8="
         Configuration.instance_variable_set(:@script_hashes, "app/views/asdfs/index.html.erb" => ["'#{expected_hash}'"])
         expected_style_hash = "sha256-7oYK96jHg36D6BM042er4OfBnyUDTG3pH1L8Zso3aGc="
