delete fixture apps
Родитель
8d76eef30f
Коммит
441b7a1798
36
Rakefile
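--- a/Rakefile
+++ b/Rakefile
@@ -10,41 +10,7 @@ RSpec::Core::RakeTask.new do |t|
 t.rspec_opts = "--format progress"
 end
 
-task :default => :all_spec
-
-desc "Run all specs, and test fixture apps"
-task :all_spec => :spec do
-pwd = Dir.pwd
-Dir.chdir 'fixtures/rails_3_2_22'
-puts Dir.pwd
-str = `bundle install >> /dev/null; bundle exec rspec spec`
-puts str
-unless $? == 0
-Dir.chdir pwd
-fail "Header tests with app not using initializer failed exit code: #{$?}"
-end
-
-Dir.chdir pwd
-Dir.chdir 'fixtures/rails_3_2_22_no_init'
-puts Dir.pwd
-puts `bundle install >> /dev/null; bundle exec rspec spec`
-
-unless $? == 0
-fail "Header tests with app not using initializer failed"
-Dir.chdir pwd
-end
-
-Dir.chdir pwd
-Dir.chdir 'fixtures/rails_4_1_8'
-puts Dir.pwd
-puts `bundle install >> /dev/null; bundle exec rspec spec`
-
-unless $? == 0
-fail "Header tests with Rails 4 failed"
-Dir.chdir pwd
-end
-
-end
+task :default => :spec
 
 begin
 require 'rdoc/task'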
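Review bot: `task :default => :spec` leaves no Rake target that exercises a real Rails app, so the behaviours the deleted fixture specs covered — the `Content-Security-Policy-Report-Only` nonce and script hashes produced by `ScriptHashMiddleware`, and `ensure_security_headers :csp => false` suppressing the CSP header on an inheriting controller — are now tested only if equivalent examples exist under spec/, which this page does not show. If they do, the commit message or a `desc` on the default task should say where; if not, a line such as `# Integration coverage of the fixture apps was dropped with the apps; unit specs under spec/ are the only gate` above `task :default => :spec` keeps the gap visible to the next maintainer. The `RSpec::Core::RakeTask.new` block whose tail is shown at the top of the hunk starts outside it.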
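--- a/<path not shown on page>
+++ /dev/null
@@ -1 +0,0 @@
---color --format progress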
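--- a/<path not shown on page>
+++ /dev/null
@@ -1,6 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'test-unit', '~> 3.0'
-gem 'rails', '3.2.22'
-gem 'rspec-rails', '>= 2.0.0'
-gem 'secure_headers', :path => '../..'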
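--- a/<path not shown on page>
+++ /dev/null
@@ -1,261 +0,0 @@
-== Welcome to Rails
-
-Rails is a web-application framework that includes everything needed to create
-database-backed web applications according to the Model-View-Control pattern.
-
-This pattern splits the view (also called the presentation) into "dumb"
-templates that are primarily responsible for inserting pre-built data in between
-HTML tags. The model contains the "smart" domain objects (such as Account,
-Product, Person, Post) that holds all the business logic and knows how to
-persist themselves to a database. The controller handles the incoming requests
-(such as Save New Account, Update Product, Show Post) by manipulating the model
-and directing data to the view.
-
-In Rails, the model is handled by what's called an object-relational mapping
-layer entitled Active Record. This layer allows you to present the data from
-database rows as objects and embellish these data objects with business logic
-methods. You can read more about Active Record in
-link:files/vendor/rails/activerecord/README.html.
-
-The controller and view are handled by the Action Pack, which handles both
-layers by its two parts: Action View and Action Controller. These two layers
-are bundled in a single package due to their heavy interdependence. This is
-unlike the relationship between the Active Record and Action Pack that is much
-more separate. Each of these packages can be used independently outside of
-Rails. You can read more about Action Pack in
-link:files/vendor/rails/actionpack/README.html.
-
-
-== Getting Started
-
-1. At the command prompt, create a new Rails application:
-<tt>rails new myapp</tt> (where <tt>myapp</tt> is the application name)
-
-2. Change directory to <tt>myapp</tt> and start the web server:
-<tt>cd myapp; rails server</tt> (run with --help for options)
-
-3. Go to http://localhost:3000/ and you'll see:
-"Welcome aboard: You're riding Ruby on Rails!"
-
-4. Follow the guidelines to start developing your application. You can find
-the following resources handy:
-
-* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html
-* Ruby on Rails Tutorial Book: http://www.railstutorial.org/
-
-
-== Debugging Rails
-
-Sometimes your application goes wrong. Fortunately there are a lot of tools that
-will help you debug it and get it back on the rails.
-
-First area to check is the application log files. Have "tail -f" commands
-running on the server.log and development.log. Rails will automatically display
-debugging and runtime information to these files. Debugging info will also be
-shown in the browser on requests from 127.0.0.1.
-
-You can also log your own messages directly into the log file from your code
-using the Ruby logger class from inside your controllers. Example:
-
-class WeblogController < ActionController::Base
-def destroy
-@weblog = Weblog.find(params[:id])
-@weblog.destroy
-logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
-end
-end
-
-The result will be a message in your log file along the lines of:
-
-Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1!
-
-More information on how to use the logger is at http://www.ruby-doc.org/core/
-
-Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are
-several books available online as well:
-
-* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe)
-* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide)
-
-These two books will bring you up to speed on the Ruby language and also on
-programming in general.
-
-
-== Debugger
-
-Debugger support is available through the debugger command when you start your
-Mongrel or WEBrick server with --debugger. This means that you can break out of
-execution at any point in the code, investigate and change the model, and then,
-resume execution! You need to install ruby-debug to run the server in debugging
-mode. With gems, use <tt>sudo gem install ruby-debug</tt>. Example:
-
-class WeblogController < ActionController::Base
-def index
-@posts = Post.all
-debugger
-end
-end
-
-So the controller will accept the action, run the first line, then present you
-with a IRB prompt in the server window. Here you can do things like:
-
->> @posts.inspect
-=> "[#<Post:0x14a6be8
-@attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>,
-#<Post:0x14a6620
-@attributes={"title"=>"Rails", "body"=>"Only ten..", "id"=>"2"}>]"
->> @posts.first.title = "hello from a debugger"
-=> "hello from a debugger"
-
-...and even better, you can examine how your runtime objects actually work:
-
->> f = @posts.first
-=> #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
->> f.
-Display all 152 possibilities? (y or n)
-
-Finally, when you're ready to resume execution, you can enter "cont".
-
-
-== Console
-
-The console is a Ruby shell, which allows you to interact with your
-application's domain model. Here you'll have all parts of the application
-configured, just like it is when the application is running. You can inspect
-domain models, change values, and save to the database. Starting the script
-without arguments will launch it in the development environment.
-
-To start the console, run <tt>rails console</tt> from the application
-directory.
-
-Options:
-
-* Passing the <tt>-s, --sandbox</tt> argument will rollback any modifications
-made to the database.
-* Passing an environment name as an argument will load the corresponding
-environment. Example: <tt>rails console production</tt>.
-
-To reload your controllers and models after launching the console run
-<tt>reload!</tt>
-
-More information about irb can be found at:
-link:http://www.rubycentral.org/pickaxe/irb.html
-
-
-== dbconsole
-
-You can go to the command line of your database directly through <tt>rails
-dbconsole</tt>. You would be connected to the database with the credentials
-defined in database.yml. Starting the script without arguments will connect you
-to the development database. Passing an argument will connect you to a different
-database, like <tt>rails dbconsole production</tt>. Currently works for MySQL,
-PostgreSQL and SQLite 3.
-
-== Description of Contents
-
-The default directory structure of a generated Ruby on Rails application:
-
-|-- app
-| |-- assets
-| |-- images
-| |-- javascripts
-| `-- stylesheets
-| |-- controllers
-| |-- helpers
-| |-- mailers
-| |-- models
-| `-- views
-| `-- layouts
-|-- config
-| |-- environments
-| |-- initializers
-| `-- locales
-|-- db
-|-- doc
-|-- lib
-| `-- tasks
-|-- log
-|-- public
-|-- script
-|-- test
-| |-- fixtures
-| |-- functional
-| |-- integration
-| |-- performance
-| `-- unit
-|-- tmp
-| |-- cache
-| |-- pids
-| |-- sessions
-| `-- sockets
-`-- vendor
-|-- assets
-`-- stylesheets
-`-- plugins
-
-app
-Holds all the code that's specific to this particular application.
-
-app/assets
-Contains subdirectories for images, stylesheets, and JavaScript files.
-
-app/controllers
-Holds controllers that should be named like weblogs_controller.rb for
-automated URL mapping. All controllers should descend from
-ApplicationController which itself descends from ActionController::Base.
-
-app/models
-Holds models that should be named like post.rb. Models descend from
-ActiveRecord::Base by default.
-
-app/views
-Holds the template files for the view that should be named like
-weblogs/index.html.erb for the WeblogsController#index action. All views use
-eRuby syntax by default.
-
-app/views/layouts
-Holds the template files for layouts to be used with views. This models the
-common header/footer method of wrapping views. In your views, define a layout
-using the <tt>layout :default</tt> and create a file named default.html.erb.
-Inside default.html.erb, call <% yield %> to render the view using this
-layout.
-
-app/helpers
-Holds view helpers that should be named like weblogs_helper.rb. These are
-generated for you automatically when using generators for controllers.
-Helpers can be used to wrap functionality for your views into methods.
-
-config
-Configuration files for the Rails environment, the routing map, the database,
-and other dependencies.
-
-db
-Contains the database schema in schema.rb. db/migrate contains all the
-sequence of Migrations for your schema.
-
-doc
-This directory is where your application documentation will be stored when
-generated using <tt>rake doc:app</tt>
-
-lib
-Application specific libraries. Basically, any kind of custom code that
-doesn't belong under controllers, models, or helpers. This directory is in
-the load path.
-
-public
-The directory available for the web server. Also contains the dispatchers and the
-default HTML files. This should be set as the DOCUMENT_ROOT of your web
-server.
-
-script
-Helper scripts for automation and generation.
-
-test
-Unit and functional tests along with fixtures. When using the rails generate
-command, template test files will be generated for you and placed in this
-directory.
-
-vendor
-External libraries that the application depends on. Also includes the plugins
-subdirectory. If the app has frozen rails, those gems also go here, under
-vendor/rails/. This directory is in the load path.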
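--- a/<path not shown on page>
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env rake
-# Add your own tasks in files placed in lib/tasks ending in .rake,
-# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
-
-require File.expand_path('../config/application', __FILE__)
-
-Rails3212::Application.load_tasks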
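--- a/<path not shown on page>
+++ /dev/null
@@ -1,4 +0,0 @@
-class ApplicationController < ActionController::Base
-protect_from_forgery
-ensure_security_headers
-end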
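--- a/<path not shown on page>
+++ /dev/null
@@ -1,5 +0,0 @@
-class OtherThingsController < ApplicationController
-def index
-
-end
-end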
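--- a/<path not shown on page>
+++ /dev/null
@@ -1,5 +0,0 @@
-class ThingsController < ApplicationController
-ensure_security_headers :csp => false
-def index
-end
-end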
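--- a/<path not shown on page>
+++ /dev/null
@@ -1,11 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<title>Rails3212</title>
-</head>
-<body>
-
-<%= yield %>
-<script>console.log("oh hell nah")</script>
-</body>
-</html>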
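--- a/<path not shown on page>
+++ /dev/null
@@ -1,2 +0,0 @@
-index
-<script>console.log("oh what")</script>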
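--- a/<path not shown on page>
+++ /dev/null
@@ -1 +0,0 @@
-things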
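--- a/<path not shown on page>
+++ /dev/null
@@ -1,7 +0,0 @@
-# This file is used by Rack-based servers to start the application.
-
-require ::File.expand_path('../config/environment', __FILE__)
-run Rails3212::Application
-
-require 'secure_headers/headers/content_security_policy/script_hash_middleware'
-use ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware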
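--- a/<path not shown on page>
+++ /dev/null
@@ -1,14 +0,0 @@
-require File.expand_path('../boot', __FILE__)
-
-require "action_controller/railtie"
-require "sprockets/railtie"
-
-if defined?(Bundler)
-Bundler.require(*Rails.groups(:assets => %w(development test)))
-end
-
-module Rails3212
-class Application < Rails::Application
-
-end
-end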
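--- a/<path not shown on page>
+++ /dev/null
@@ -1,6 +0,0 @@
-require 'rubygems'
-
-# Set up gems listed in the Gemfile.
-ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
-
-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])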
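--- a/<path not shown on page>
+++ /dev/null
@@ -1,5 +0,0 @@
-# Load the rails application
-require File.expand_path('../application', __FILE__)
-
-# Initialize the rails application
-Rails3212::Application.initialize!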
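--- a/<path not shown on page>
+++ /dev/null
@@ -1,37 +0,0 @@
-Rails3212::Application.configure do
-# Settings specified here will take precedence over those in config/application.rb
-
-# The test environment is used exclusively to run your application's
-# test suite. You never need to work with it otherwise. Remember that
-# your test database is "scratch space" for the test suite and is wiped
-# and recreated between test runs. Don't rely on the data there!
-config.cache_classes = true
-
-# Configure static asset server for tests with Cache-Control for performance
-config.serve_static_assets = true
-config.static_cache_control = "public, max-age=3600"
-
-# Log error messages when you accidentally call methods on nil
-config.whiny_nils = true
-
-# Show full error reports and disable caching
-config.consider_all_requests_local = true
-config.action_controller.perform_caching = false
-
-# Raise exceptions instead of rendering exception templates
-config.action_dispatch.show_exceptions = false
-
-# Disable request forgery protection in test environment
-config.action_controller.allow_forgery_protection = false
-
-# Tell Action Mailer not to deliver emails to the real world.
-# The :test delivery method accumulates sent emails in the
-# ActionMailer::Base.deliveries array.
-# config.action_mailer.delivery_method = :test
-
-# Raise exception on mass assignment protection for Active Record models
-# config.active_record.mass_assignment_sanitizer = :strict
-
-# Print deprecation notices to the stderr
-config.active_support.deprecation = :stderr
-end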
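--- a/<path not shown on page>
+++ /dev/null
@@ -1,16 +0,0 @@
-::SecureHeaders::Configuration.configure do |config|
-config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
-config.x_frame_options = 'SAMEORIGIN'
-config.x_content_type_options = "nosniff"
-config.x_xss_protection = {:value => 1, :mode => 'block'}
-config.x_permitted_cross_domain_policies = 'none'
-csp = {
-:default_src => "'self'",
-:script_src => "'self' nonce",
-:report_uri => 'somewhere',
-:script_hash_middleware => true,
-:enforce => false # false means warnings only
-}
-
-config.csp = csp
-end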
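--- a/<path not shown on page>
+++ /dev/null
@@ -1,4 +0,0 @@
-Rails3212::Application.routes.draw do
-resources :things
-match ':controller(/:action(/:id))(.:format)'
-end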
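--- a/<path not shown on page>
+++ /dev/null
@@ -1,5 +0,0 @@
----
-app/views/layouts/application.html.erb:
-- sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=
-app/views/other_things/index.html.erb:
-- sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=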
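--- a/<path not shown on page>
+++ /dev/null
@@ -1,83 +0,0 @@
-require 'spec_helper'
-
-require 'secure_headers/headers/content_security_policy/script_hash_middleware'
-
-describe OtherThingsController, :type => :controller do
-include Rack::Test::Methods
-
-def app
-OtherThingsController.action(:index)
-end
-
-def request(opts = {})
-options = opts.merge(
-{
-'HTTPS' => 'on',
-'HTTP_USER_AGENT' => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
-}
-)
-
-
-Rack::MockRequest.env_for('/', options)
-end
-
-
-describe "headers" do
-before(:each) do
-_, @env = app.call(request)
-end
-
-it "sets the X-XSS-Protection header" do
-get '/'
-expect(@env['X-XSS-Protection']).to eq('1; mode=block')
-end
-
-it "sets the X-Frame-Options header" do
-get '/'
-expect(@env['X-Frame-Options']).to eq('SAMEORIGIN')
-end
-
-it "sets the CSP header with a local reference to a nonce" do
-middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
-_, env = middleware.call(request(@env))
-expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
-end
-
-it "sets the required hashes to whitelist inline script" do
-middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
-_, env = middleware.call(request(@env))
-hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
-hashes.each do |hash|
-expect(env['Content-Security-Policy-Report-Only']).to include(hash)
-end
-end
-
-it "sets the Strict-Transport-Security header" do
-get '/'
-expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
-end
-
-it "sets the X-Download-Options header" do
-get '/'
-expect(@env['X-Download-Options']).to eq('noopen')
-end
-
-it "sets the X-Content-Type-Options header" do
-get '/'
-expect(@env['X-Content-Type-Options']).to eq("nosniff")
-end
-
-it "sets the X-Permitted-Cross-Domain-Policies" do
-get '/'
-expect(@env['X-Permitted-Cross-Domain-Policies']).to eq("none")
-end
-
-context "using IE" do
-it "sets the X-Content-Type-Options header" do
-@env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-get '/'
-expect(@env['X-Content-Type-Options']).to eq("nosniff")
-end
-end
-end
-end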
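--- a/<path not shown on page>
+++ /dev/null
@@ -1,54 +0,0 @@
-require 'spec_helper'
-
-# This controller is meant to be something that inherits config from application controller
-# all values are defaulted because no initializer is configured, and the values in app controller
-# only provide csp => false
-
-describe ThingsController, :type => :controller do
-describe "headers" do
-it "sets the X-XSS-Protection header" do
-get :index
-expect(response.headers['X-XSS-Protection']).to eq('1; mode=block')
-end
-
-it "sets the X-Frame-Options header" do
-get :index
-expect(response.headers['X-Frame-Options']).to eq('SAMEORIGIN')
-end
-
-it "does not set CSP header" do
-get :index
-expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
-end
-
-#mock ssl
-it "sets the Strict-Transport-Security header" do
-request.env['HTTPS'] = 'on'
-get :index
-expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
-end
-
-it "sets the X-Download-Options header" do
-get :index
-expect(response.headers['X-Download-Options']).to eq('noopen')
-end
-
-it "sets the X-Content-Type-Options header" do
-get :index
-expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
-end
-
-it "sets the X-Permitted-Cross-Domain-Policies" do
-get :index
-expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
-end
-
-context "using IE" do
-it "sets the X-Content-Type-Options header" do
-request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
-get :index
-expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
-end
-end
-end
-end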
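--- a/<path not shown on page>
+++ /dev/null
@@ -1,15 +0,0 @@
-require 'rubygems'
-
-#uncomment the following line to use spork with the debugger
-#require 'spork/ext/ruby-debug'
-
-# Spork.prefork do
-# Loading more in this block will cause your tests to run faster. However,
-# if you change any configuration or code from libraries loaded here, you'll
-# need to restart spork for it take effect.
-# This file is copied to spec/ when you run 'rails generate rspec:install'
-ENV["RAILS_ENV"] ||= 'test'
-require File.expand_path("../../config/environment", __FILE__)
-require 'rspec/rails'
-# end
-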
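--- a/<path not shown on page>
+++ /dev/null
@@ -1 +0,0 @@
---color --format progress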
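--- a/<path not shown on page>
+++ /dev/null
@@ -1,6 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'test-unit'
-gem 'rails', '3.2.22'
-gem 'rspec-rails', '>= 2.0.0'
-gem 'secure_headers', :path => '../..'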
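--- a/<path not shown on page>
+++ /dev/null
@@ -1,261 +0,0 @@
-== Welcome to Rails
-
-Rails is a web-application framework that includes everything needed to create
-database-backed web applications according to the Model-View-Control pattern.
-
-This pattern splits the view (also called the presentation) into "dumb"
-templates that are primarily responsible for inserting pre-built data in between
-HTML tags. The model contains the "smart" domain objects (such as Account,
-Product, Person, Post) that holds all the business logic and knows how to
-persist themselves to a database. The controller handles the incoming requests
-(such as Save New Account, Update Product, Show Post) by manipulating the model
-and directing data to the view.
-
-In Rails, the model is handled by what's called an object-relational mapping
-layer entitled Active Record. This layer allows you to present the data from
-database rows as objects and embellish these data objects with business logic
-methods. You can read more about Active Record in
-link:files/vendor/rails/activerecord/README.html.
-
-The controller and view are handled by the Action Pack, which handles both
-layers by its two parts: Action View and Action Controller. These two layers
-are bundled in a single package due to their heavy interdependence. This is
-unlike the relationship between the Active Record and Action Pack that is much
-more separate. Each of these packages can be used independently outside of
-Rails. You can read more about Action Pack in
-link:files/vendor/rails/actionpack/README.html.
-
-
-== Getting Started
-
-1. At the command prompt, create a new Rails application:
-<tt>rails new myapp</tt> (where <tt>myapp</tt> is the application name)
-
-2. Change directory to <tt>myapp</tt> and start the web server:
-<tt>cd myapp; rails server</tt> (run with --help for options)
-
-3. Go to http://localhost:3000/ and you'll see:
-"Welcome aboard: You're riding Ruby on Rails!"
-
-4. Follow the guidelines to start developing your application. You can find
-the following resources handy:
-
-* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html
-* Ruby on Rails Tutorial Book: http://www.railstutorial.org/
-
-
-== Debugging Rails
-
-Sometimes your application goes wrong. Fortunately there are a lot of tools that
-will help you debug it and get it back on the rails.
-
-First area to check is the application log files. Have "tail -f" commands
-running on the server.log and development.log. Rails will automatically display
-debugging and runtime information to these files. Debugging info will also be
-shown in the browser on requests from 127.0.0.1.
-
-You can also log your own messages directly into the log file from your code
-using the Ruby logger class from inside your controllers. Example:
-
-class WeblogController < ActionController::Base
-def destroy
-@weblog = Weblog.find(params[:id])
-@weblog.destroy
-logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
-end
-end
-
-The result will be a message in your log file along the lines of:
-
-Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1!
-
-More information on how to use the logger is at http://www.ruby-doc.org/core/
-
-Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are
-several books available online as well:
-
-* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe)
-* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide)
-
-These two books will bring you up to speed on the Ruby language and also on
-programming in general.
-
-
-== Debugger
-
-Debugger support is available through the debugger command when you start your
-Mongrel or WEBrick server with --debugger. This means that you can break out of
-execution at any point in the code, investigate and change the model, and then,
-resume execution! You need to install ruby-debug to run the server in debugging
-mode. With gems, use <tt>sudo gem install ruby-debug</tt>. Example:
-
-class WeblogController < ActionController::Base
-def index
-@posts = Post.all
-debugger
-end
-end
-
-So the controller will accept the action, run the first line, then present you
-with a IRB prompt in the server window. Here you can do things like:
-
->> @posts.inspect
-=> "[#<Post:0x14a6be8
-@attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>,
-#<Post:0x14a6620
-@attributes={"title"=>"Rails", "body"=>"Only ten..", "id"=>"2"}>]"
->> @posts.first.title = "hello from a debugger"
-=> "hello from a debugger"
-
-...and even better, you can examine how your runtime objects actually work:
-
->> f = @posts.first
-=> #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
->> f.
-Display all 152 possibilities? (y or n)
-
-Finally, when you're ready to resume execution, you can enter "cont".
-
-
-== Console
-
-The console is a Ruby shell, which allows you to interact with your
-application's domain model. Here you'll have all parts of the application
-configured, just like it is when the application is running. You can inspect
-domain models, change values, and save to the database. Starting the script
-without arguments will launch it in the development environment.
-
-To start the console, run <tt>rails console</tt> from the application
-directory.
-
-Options:
-
-* Passing the <tt>-s, --sandbox</tt> argument will rollback any modifications
-made to the database.
-* Passing an environment name as an argument will load the corresponding
-environment. Example: <tt>rails console production</tt>.
-
-To reload your controllers and models after launching the console run
-<tt>reload!</tt>
-
-More information about irb can be found at:
-link:http://www.rubycentral.org/pickaxe/irb.html
-
-
-== dbconsole
-
-You can go to the command line of your database directly through <tt>rails
-dbconsole</tt>. You would be connected to the database with the credentials
-defined in database.yml. Starting the script without arguments will connect you
-to the development database. Passing an argument will connect you to a different
-database, like <tt>rails dbconsole production</tt>. Currently works for MySQL,
-PostgreSQL and SQLite 3.
-
-== Description of Contents
-
-The default directory structure of a generated Ruby on Rails application:
-
-|-- app
-| |-- assets
-| |-- images
-| |-- javascripts
-| `-- stylesheets
-| |-- controllers
-| |-- helpers
-| |-- mailers
-| |-- models
-| `-- views
-| `-- layouts
-|-- config
-| |-- environments
-| |-- initializers
-| `-- locales
-|-- db
-|-- doc
-|-- lib
-| `-- tasks
-|-- log
-|-- public
-|-- script
-|-- test
-| |-- fixtures
-| |-- functional
-| |-- integration
-| |-- performance
-| `-- unit
-|-- tmp
-| |-- cache
-| |-- pids
-| |-- sessions
-| `-- sockets
-`-- vendor
-|-- assets
-`-- stylesheets
-`-- plugins
-
-app
-Holds all the code that's specific to this particular application.
-
-app/assets
-Contains subdirectories for images, stylesheets, and JavaScript files.
-
-app/controllers
-Holds controllers that should be named like weblogs_controller.rb for
-automated URL mapping. All controllers should descend from
-ApplicationController which itself descends from ActionController::Base.
-
-app/models
-Holds models that should be named like post.rb. Models descend from
-ActiveRecord::Base by default.
-
-app/views
-Holds the template files for the view that should be named like
-weblogs/index.html.erb for the WeblogsController#index action. All views use
-eRuby syntax by default.
-
-app/views/layouts
-Holds the template files for layouts to be used with views. This models the
-common header/footer method of wrapping views. In your views, define a layout
-using the <tt>layout :default</tt> and create a file named default.html.erb.
-Inside default.html.erb, call <% yield %> to render the view using this
-layout.
-
-app/helpers
-Holds view helpers that should be named like weblogs_helper.rb. These are
-generated for you automatically when using generators for controllers.
-Helpers can be used to wrap functionality for your views into methods.
-
-config
-Configuration files for the Rails environment, the routing map, the database,
-and other dependencies.
-
-db
-Contains the database schema in schema.rb. db/migrate contains all the
-sequence of Migrations for your schema.
-
-doc
-This directory is where your application documentation will be stored when
-generated using <tt>rake doc:app</tt>
-
-lib
-Application specific libraries. Basically, any kind of custom code that
-doesn't belong under controllers, models, or helpers. This directory is in
-the load path.
-
-public
-The directory available for the web server. Also contains the dispatchers and the
-default HTML files. This should be set as the DOCUMENT_ROOT of your web
-server.
-
-script
-Helper scripts for automation and generation.
-
-test
-Unit and functional tests along with fixtures. When using the rails generate
-command, template test files will be generated for you and placed in this
-directory.
-
-vendor
-External libraries that the application depends on. Also includes the plugins
-subdirectory. If the app has frozen rails, those gems also go here, under
-vendor/rails/. This directory is in the load path.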
@ -1,7 +0,0 @@
|
|||
#!/usr/bin/env rake
|
||||
# Add your own tasks in files placed in lib/tasks ending in .rake,
|
||||
# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
|
||||
|
||||
require File.expand_path('../config/application', __FILE__)
|
||||
|
||||
Rails3212::Application.load_tasks
|
|
@ -1,4 +0,0 @@
|
|||
class ApplicationController < ActionController::Base
|
||||
protect_from_forgery
|
||||
ensure_security_headers :csp => false
|
||||
end
|
|
@ -1,20 +0,0 @@
|
|||
class OtherThingsController < ApplicationController
|
||||
ensure_security_headers :csp => {:default_src => "'self'"}
|
||||
def index
|
||||
|
||||
end
|
||||
|
||||
def other_action
|
||||
render :text => 'yooooo'
|
||||
end
|
||||
|
||||
def secure_header_options_for(header, options)
|
||||
if params[:action] == "other_action"
|
||||
if header == :csp
|
||||
options.merge(:style_src => "'self'")
|
||||
end
|
||||
else
|
||||
options
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,5 +0,0 @@
|
|||
class ThingsController < ApplicationController
|
||||
def index
|
||||
|
||||
end
|
||||
end
|
|
@ -1,12 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>Rails3212</title>
|
||||
<%= stylesheet_link_tag "application", :media => "all" %>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<%= yield %>
|
||||
|
||||
</body>
|
||||
</html>
|
|
@ -1 +0,0 @@
|
|||
index
|
|
@ -1,4 +0,0 @@
|
|||
# This file is used by Rack-based servers to start the application.
|
||||
|
||||
require ::File.expand_path('../config/environment', __FILE__)
|
||||
run Rails3212::Application
|
|
@ -1,17 +0,0 @@
|
|||
require File.expand_path('../boot', __FILE__)
|
||||
|
||||
# Pick the frameworks you want:
|
||||
require "action_controller/railtie"
|
||||
require "sprockets/railtie"
|
||||
|
||||
if defined?(Bundler)
|
||||
# If you precompile assets before deploying to production, use this line
|
||||
Bundler.require(*Rails.groups(:assets => %w(development test)))
|
||||
# If you want your assets lazily compiled in production, use this line
|
||||
# Bundler.require(:default, :assets, Rails.env)
|
||||
end
|
||||
|
||||
module Rails3212
|
||||
class Application < Rails::Application
|
||||
end
|
||||
end
|
|
@ -1,6 +0,0 @@
|
|||
require 'rubygems'
|
||||
|
||||
# Set up gems listed in the Gemfile.
|
||||
ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
|
||||
|
||||
require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
|
|
@ -1,5 +0,0 @@
|
|||
# Load the rails application
|
||||
require File.expand_path('../application', __FILE__)
|
||||
|
||||
# Initialize the rails application
|
||||
Rails3212::Application.initialize!
|
|
@ -1,37 +0,0 @@
|
|||
Rails3212::Application.configure do
|
||||
# Settings specified here will take precedence over those in config/application.rb
|
||||
|
||||
# The test environment is used exclusively to run your application's
|
||||
# test suite. You never need to work with it otherwise. Remember that
|
||||
# your test database is "scratch space" for the test suite and is wiped
|
||||
# and recreated between test runs. Don't rely on the data there!
|
||||
config.cache_classes = true
|
||||
|
||||
# Configure static asset server for tests with Cache-Control for performance
|
||||
config.serve_static_assets = true
|
||||
config.static_cache_control = "public, max-age=3600"
|
||||
|
||||
# Log error messages when you accidentally call methods on nil
|
||||
config.whiny_nils = true
|
||||
|
||||
# Show full error reports and disable caching
|
||||
config.consider_all_requests_local = true
|
||||
config.action_controller.perform_caching = false
|
||||
|
||||
# Raise exceptions instead of rendering exception templates
|
||||
config.action_dispatch.show_exceptions = false
|
||||
|
||||
# Disable request forgery protection in test environment
|
||||
config.action_controller.allow_forgery_protection = false
|
||||
|
||||
# Tell Action Mailer not to deliver emails to the real world.
|
||||
# The :test delivery method accumulates sent emails in the
|
||||
# ActionMailer::Base.deliveries array.
|
||||
# config.action_mailer.delivery_method = :test
|
||||
|
||||
# Raise exception on mass assignment protection for Active Record models
|
||||
# config.active_record.mass_assignment_sanitizer = :strict
|
||||
|
||||
# Print deprecation notices to the stderr
|
||||
config.active_support.deprecation = :stderr
|
||||
end
|
|
@ -1,4 +0,0 @@
|
|||
Rails3212::Application.routes.draw do
|
||||
resources :things
|
||||
match ':controller(/:action(/:id))(.:format)'
|
||||
end
|
|
@ -1,56 +0,0 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe OtherThingsController, :type => :controller do
|
||||
describe "headers" do
|
||||
it "sets the X-XSS-Protection header" do
|
||||
get :index
|
||||
expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
|
||||
end
|
||||
|
||||
it "sets the X-Frame-Options header" do
|
||||
get :index
|
||||
expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
|
||||
end
|
||||
|
||||
it "sets the CSP header" do
|
||||
get :index
|
||||
expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:;")
|
||||
end
|
||||
|
||||
it "sets per-action values based on secure_header_options_for" do
|
||||
# munges :style_src => self into policy
|
||||
get :other_action
|
||||
expect(response.headers['Content-Security-Policy-Report-Only']).to eq("default-src 'self'; img-src 'self' data:; style-src 'self';")
|
||||
end
|
||||
|
||||
#mock ssl
|
||||
it "sets the Strict-Transport-Security header" do
|
||||
request.env['HTTPS'] = 'on'
|
||||
get :index
|
||||
expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
||||
end
|
||||
|
||||
it "sets the X-Download-Options header" do
|
||||
get :index
|
||||
expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
||||
end
|
||||
|
||||
it "sets the X-Content-Type-Options header" do
|
||||
get :index
|
||||
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
||||
end
|
||||
|
||||
it "sets the X-Permitted-Cross-Domain-Policies" do
|
||||
get :index
|
||||
expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
|
||||
end
|
||||
|
||||
context "using IE" do
|
||||
it "sets the X-Content-Type-Options header" do
|
||||
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
||||
get :index
|
||||
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,54 +0,0 @@
|
|||
require 'spec_helper'
|
||||
|
||||
# This controller is meant to be something that inherits config from application controller
|
||||
# all values are defaulted because no initializer is configured, and the values in app controller
|
||||
# only provide csp => false
|
||||
|
||||
describe ThingsController, :type => :controller do
|
||||
describe "headers" do
|
||||
it "sets the X-XSS-Protection header" do
|
||||
get :index
|
||||
expect(response.headers['X-XSS-Protection']).to eq(SecureHeaders::XXssProtection::Constants::DEFAULT_VALUE)
|
||||
end
|
||||
|
||||
it "sets the X-Frame-Options header" do
|
||||
get :index
|
||||
expect(response.headers['X-Frame-Options']).to eq(SecureHeaders::XFrameOptions::Constants::DEFAULT_VALUE)
|
||||
end
|
||||
|
||||
it "sets the X-WebKit-CSP header" do
|
||||
get :index
|
||||
expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
|
||||
end
|
||||
|
||||
#mock ssl
|
||||
it "sets the Strict-Transport-Security header" do
|
||||
request.env['HTTPS'] = 'on'
|
||||
get :index
|
||||
expect(response.headers['Strict-Transport-Security']).to eq(SecureHeaders::StrictTransportSecurity::Constants::DEFAULT_VALUE)
|
||||
end
|
||||
|
||||
it "sets the X-Download-Options header" do
|
||||
get :index
|
||||
expect(response.headers['X-Download-Options']).to eq(SecureHeaders::XDownloadOptions::Constants::DEFAULT_VALUE)
|
||||
end
|
||||
|
||||
it "sets the X-Content-Type-Options header" do
|
||||
get :index
|
||||
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
||||
end
|
||||
|
||||
it "sets the X-Permitted-Cross-Domain-Policies" do
|
||||
get :index
|
||||
expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
|
||||
end
|
||||
|
||||
context "using IE" do
|
||||
it "sets the X-Content-Type-Options header" do
|
||||
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
||||
get :index
|
||||
expect(response.headers['X-Content-Type-Options']).to eq(SecureHeaders::XContentTypeOptions::Constants::DEFAULT_VALUE)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,5 +0,0 @@
|
|||
require 'rubygems'
|
||||
|
||||
ENV["RAILS_ENV"] ||= 'test'
|
||||
require File.expand_path("../../config/environment", __FILE__)
|
||||
require 'rspec/rails'
|
|
@ -1,5 +0,0 @@
|
|||
source 'https://rubygems.org'
|
||||
|
||||
gem 'rails', '4.1.8'
|
||||
gem 'rspec-rails', '>= 2.0.0'
|
||||
gem 'secure_headers', :path => '../..'
|
|
@ -1,28 +0,0 @@
|
|||
== README
|
||||
|
||||
This README would normally document whatever steps are necessary to get the
|
||||
application up and running.
|
||||
|
||||
Things you may want to cover:
|
||||
|
||||
* Ruby version
|
||||
|
||||
* System dependencies
|
||||
|
||||
* Configuration
|
||||
|
||||
* Database creation
|
||||
|
||||
* Database initialization
|
||||
|
||||
* How to run the test suite
|
||||
|
||||
* Services (job queues, cache servers, search engines, etc.)
|
||||
|
||||
* Deployment instructions
|
||||
|
||||
* ...
|
||||
|
||||
|
||||
Please feel free to use a different markup language if you do not plan to run
|
||||
<tt>rake doc:app</tt>.
|
|
@ -1,6 +0,0 @@
|
|||
# Add your own tasks in files placed in lib/tasks ending in .rake,
|
||||
# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
|
||||
|
||||
require File.expand_path('../config/application', __FILE__)
|
||||
|
||||
Rails.application.load_tasks
|
|
@ -1,4 +0,0 @@
|
|||
class ApplicationController < ActionController::Base
|
||||
protect_from_forgery
|
||||
ensure_security_headers
|
||||
end
|
|
@ -1,5 +0,0 @@
|
|||
class OtherThingsController < ApplicationController
|
||||
def index
|
||||
|
||||
end
|
||||
end
|
|
@ -1,5 +0,0 @@
|
|||
class ThingsController < ApplicationController
|
||||
ensure_security_headers :csp => false
|
||||
def index
|
||||
end
|
||||
end
|
|
@ -1,11 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>Rails418</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<%= yield %>
|
||||
<script>console.log("oh hell yes")</script>
|
||||
</body>
|
||||
</html>
|
|
@ -1,2 +0,0 @@
|
|||
index
|
||||
<script>console.log("oh what")</script>
|
|
@ -1 +0,0 @@
|
|||
things
|
|
@ -1,4 +0,0 @@
|
|||
# This file is used by Rack-based servers to start the application.
|
||||
|
||||
require ::File.expand_path('../config/environment', __FILE__)
|
||||
run Rails.application
|
|
@ -1,15 +0,0 @@
|
|||
require File.expand_path('../boot', __FILE__)
|
||||
|
||||
require "action_controller/railtie"
|
||||
require "sprockets/railtie"
|
||||
|
||||
# Require the gems listed in Gemfile, including any gems
|
||||
# you've limited to :test, :development, or :production.
|
||||
Bundler.require(*Rails.groups)
|
||||
|
||||
|
||||
module Rails418
|
||||
class Application < Rails::Application
|
||||
|
||||
end
|
||||
end
|
|
@ -1,4 +0,0 @@
|
|||
# Set up gems listed in the Gemfile.
|
||||
ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
|
||||
|
||||
require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
|
|
@ -1,5 +0,0 @@
|
|||
# Load the Rails application.
|
||||
require File.expand_path('../application', __FILE__)
|
||||
|
||||
# Initialize the Rails application.
|
||||
Rails.application.initialize!
|
|
@ -1,10 +0,0 @@
|
|||
Rails418::Application.configure do
|
||||
config.cache_classes = true
|
||||
config.eager_load = false
|
||||
config.serve_static_assets = true
|
||||
config.static_cache_control = 'public, max-age=3600'
|
||||
config.consider_all_requests_local = true
|
||||
config.action_controller.perform_caching = false
|
||||
config.action_dispatch.show_exceptions = false
|
||||
config.action_controller.allow_forgery_protection = false
|
||||
end
|
|
@ -1,16 +0,0 @@
|
|||
::SecureHeaders::Configuration.configure do |config|
|
||||
config.hsts = { :max_age => 10.years.to_i.to_s, :include_subdomains => false }
|
||||
config.x_frame_options = 'DENY'
|
||||
config.x_content_type_options = "nosniff"
|
||||
config.x_xss_protection = {:value => 0}
|
||||
config.x_permitted_cross_domain_policies = 'none'
|
||||
csp = {
|
||||
:default_src => "'self'",
|
||||
:script_src => "'self' nonce",
|
||||
:report_uri => 'somewhere',
|
||||
:script_hash_middleware => true,
|
||||
:enforce => false # false means warnings only
|
||||
}
|
||||
|
||||
config.csp = csp
|
||||
end
|
|
@ -1,4 +0,0 @@
|
|||
Rails.application.routes.draw do
|
||||
resources :things
|
||||
match ':controller(/:action(/:id))(.:format)', :via => [:get, :post]
|
||||
end
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
app/views/layouts/application.html.erb:
|
||||
- sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=
|
||||
app/views/other_things/index.html.erb:
|
||||
- sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=
|
|
@ -1,22 +0,0 @@
|
|||
# Be sure to restart your server when you modify this file.
|
||||
|
||||
# Your secret key is used for verifying the integrity of signed cookies.
|
||||
# If you change this key, all old signed cookies will become invalid!
|
||||
|
||||
# Make sure the secret is at least 30 characters and all random,
|
||||
# no regular words or you'll be exposed to dictionary attacks.
|
||||
# You can use `rake secret` to generate a secure secret key.
|
||||
|
||||
# Make sure the secrets in this file are kept private
|
||||
# if you're sharing your code publicly.
|
||||
|
||||
development:
|
||||
secret_key_base: ddba38f932720d8f18257f2a05dc278963a29cf569c45aa97ff4e9fc9bbc78af5a03fcf135caad45caee66ac09f8f9913c1f5e338a61213f420eefa8dd6363d2
|
||||
|
||||
test:
|
||||
secret_key_base: f73abd7eab84fa7af5a2fc0a9c2727c5bad47433e51aa0c9c6b0782dac176a8e7f337e1f93adc6d6fc17027e67a533040b6408e54d72dea2eec6e5b9820dbcb9
|
||||
|
||||
# Do not keep production secrets in the repository,
|
||||
# instead read values from the environment.
|
||||
production:
|
||||
secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
|
|
@ -1,83 +0,0 @@
|
|||
require 'spec_helper'
|
||||
|
||||
require 'secure_headers/headers/content_security_policy/script_hash_middleware'
|
||||
|
||||
describe OtherThingsController, :type => :controller do
|
||||
include Rack::Test::Methods
|
||||
|
||||
def app
|
||||
OtherThingsController.action(:index)
|
||||
end
|
||||
|
||||
def request(opts = {})
|
||||
options = opts.merge(
|
||||
{
|
||||
'HTTPS' => 'on',
|
||||
'HTTP_USER_AGENT' => "Mozilla/5.0 (Macintosh; Intel Mac OS X 1084) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.99 Safari/537.22"
|
||||
}
|
||||
)
|
||||
|
||||
|
||||
Rack::MockRequest.env_for('/', options)
|
||||
end
|
||||
|
||||
|
||||
describe "headers" do
|
||||
before(:each) do
|
||||
_, @env = app.call(request)
|
||||
end
|
||||
|
||||
it "sets the X-XSS-Protection header" do
|
||||
get '/'
|
||||
expect(@env['X-XSS-Protection']).to eq('0')
|
||||
end
|
||||
|
||||
it "sets the X-Frame-Options header" do
|
||||
get '/'
|
||||
expect(@env['X-Frame-Options']).to eq('DENY')
|
||||
end
|
||||
|
||||
it "sets the CSP header with a local reference to a nonce" do
|
||||
middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
|
||||
_, env = middleware.call(request(@env))
|
||||
expect(env['Content-Security-Policy-Report-Only']).to match(/script-src[^;]*'nonce-[a-zA-Z0-9\+\/=]{44}'/)
|
||||
end
|
||||
|
||||
it "sets the required hashes to whitelist inline script" do
|
||||
middleware = ::SecureHeaders::ContentSecurityPolicy::ScriptHashMiddleware.new(app)
|
||||
_, env = middleware.call(request(@env))
|
||||
hashes = ['sha256-VjDxT7saxd2FgaUQQTWw/jsTnvonaoCP/ACWDBTpyhU=', 'sha256-ZXAcP8a0y1pPMTJW8pUr43c+XBkgYQBwHOPvXk9mq5A=']
|
||||
hashes.each do |hash|
|
||||
expect(env['Content-Security-Policy-Report-Only']).to include(hash)
|
||||
end
|
||||
end
|
||||
|
||||
it "sets the Strict-Transport-Security header" do
|
||||
get '/'
|
||||
expect(@env['Strict-Transport-Security']).to eq("max-age=315576000")
|
||||
end
|
||||
|
||||
it "sets the X-Download-Options header" do
|
||||
get '/'
|
||||
expect(@env['X-Download-Options']).to eq('noopen')
|
||||
end
|
||||
|
||||
it "sets the X-Content-Type-Options header" do
|
||||
get '/'
|
||||
expect(@env['X-Content-Type-Options']).to eq("nosniff")
|
||||
end
|
||||
|
||||
it "sets the X-Permitted-Cross-Domain-Policies" do
|
||||
get '/'
|
||||
expect(@env['X-Permitted-Cross-Domain-Policies']).to eq("none")
|
||||
end
|
||||
|
||||
context "using IE" do
|
||||
it "sets the X-Content-Type-Options header" do
|
||||
@env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
||||
get '/'
|
||||
expect(@env['X-Content-Type-Options']).to eq("nosniff")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,59 +0,0 @@
|
|||
# config.action_dispatch.default_headers defaults to:
|
||||
# {"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"1; mode=block", "X-Content-Type-Options"=>"nosniff"}
|
||||
# so we want to set our specs to expect something else to ensure secureheaders is taking precedence
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
# This controller is meant to be something that inherits config from application controller
|
||||
# all values are defaulted because no initializer is configured, and the values in app controller
|
||||
# only provide csp => false
|
||||
|
||||
describe ThingsController, :type => :controller do
|
||||
|
||||
describe "headers" do
|
||||
it "sets the X-XSS-Protection header" do
|
||||
get :index
|
||||
expect(response.headers['X-XSS-Protection']).to eq('0')
|
||||
end
|
||||
|
||||
it "sets the X-Frame-Options header" do
|
||||
get :index
|
||||
expect(response.headers['X-Frame-Options']).to eq('DENY')
|
||||
end
|
||||
|
||||
it "does not set CSP header" do
|
||||
get :index
|
||||
expect(response.headers['Content-Security-Policy-Report-Only']).to eq(nil)
|
||||
end
|
||||
|
||||
#mock ssl
|
||||
it "sets the Strict-Transport-Security header" do
|
||||
request.env['HTTPS'] = 'on'
|
||||
get :index
|
||||
expect(response.headers['Strict-Transport-Security']).to eq("max-age=315576000")
|
||||
end
|
||||
|
||||
it "sets the X-Download-Options header" do
|
||||
get :index
|
||||
expect(response.headers['X-Download-Options']).to eq('noopen')
|
||||
end
|
||||
|
||||
it "sets the X-Content-Type-Options header" do
|
||||
get :index
|
||||
expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
|
||||
end
|
||||
|
||||
it "sets the X-Permitted-Cross-Domain-Policies" do
|
||||
get :index
|
||||
expect(response.headers['X-Permitted-Cross-Domain-Policies']).to eq("none")
|
||||
end
|
||||
|
||||
context "using IE" do
|
||||
it "sets the X-Content-Type-Options header" do
|
||||
request.env['HTTP_USER_AGENT'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
|
||||
get :index
|
||||
expect(response.headers['X-Content-Type-Options']).to eq("nosniff")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,15 +0,0 @@
|
|||
require 'rubygems'
|
||||
|
||||
#uncomment the following line to use spork with the debugger
|
||||
#require 'spork/ext/ruby-debug'
|
||||
|
||||
# Spork.prefork do
|
||||
# Loading more in this block will cause your tests to run faster. However,
|
||||
# if you change any configuration or code from libraries loaded here, you'll
|
||||
# need to restart spork for it take effect.
|
||||
# This file is copied to spec/ when you run 'rails generate rspec:install'
|
||||
ENV["RAILS_ENV"] ||= 'test'
|
||||
require File.expand_path("../../config/environment", __FILE__)
|
||||
require 'rspec/rails'
|
||||
# end
|
||||
|