stop

upgrade insecure
Merge pull request #11 from TerribleDev/2.0
2018-11-15 12:46:21 -05:00 · 2018-11-15 12:39:44 -05:00 · 2018-11-04 09:36:48 -05:00 · 2018-11-04 09:34:31 -05:00
10 changed files with 31 additions and 25 deletions
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -14,12 +14,12 @@ build_script:
          dotnet pack src\HardHat\HardHat.csproj --configuration Release --output ..\..\output /p:Version=0.0.1-build-$env:APPVEYOR_BUILD_NUMBER
        }
 test_script:
- ps: dotnet test src\HardHat.UnitTests\HardHat.UnitTests.csproj
+- ps: dotnet test src\HardHat.UnitTests\HardHat.UnitTests.csproj /p:CollectCoverage=true /p:CoverletOutputFormat=opencover
 artifacts:
 - path: output\**.nupkg
 deploy:
 - provider: NuGet
  api_key:
-    secure: bGn7M6dHOJ3QjwYIv7e34tcY/n9cCUZmL1MnM6jRfmnJOOfwlrS+cdRj2n8Wf31n
+    secure: //tKHlb2yqAtpxnR6p9IAtXwQNaq8UYYyIFSD0QVF3XnEasIxG2gTWdmWuG87fUX
  on:
    appveyor_repo_tag: true
--- a/src/HardHat.Example/HardHat.Example.csproj
+++ b/src/HardHat.Example/HardHat.Example.csproj
@@ -1,12 +1,11 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
-    <TargetFramework>netcoreapp1.0</TargetFramework>
+    <TargetFramework>netcoreapp2.1</TargetFramework>
    <PreserveCompilationContext>true</PreserveCompilationContext>
    <AssemblyName>HardHat.Example</AssemblyName>
    <OutputType>Exe</OutputType>
    <PackageId>HardHat.Example</PackageId>
-    <PackageTargetFallback>$(PackageTargetFallback);dotnet5.6;portable-net45+win8</PackageTargetFallback>
  </PropertyGroup>

  <ItemGroup>
@@ -20,19 +19,7 @@
  </ItemGroup>

  <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Diagnostics" Version="1.0.2" />
-    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.0.3" />
-    <PackageReference Include="Microsoft.AspNetCore.Routing" Version="1.0.3" />
-    <PackageReference Include="Microsoft.AspNetCore.Server.IISIntegration" Version="1.0.2" />
-    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="1.0.3" />
-    <PackageReference Include="Microsoft.AspNetCore.StaticFiles" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Logging" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="1.0.2" />
-    <PackageReference Include="Microsoft.VisualStudio.Web.BrowserLink" Version="1.0.1" />
+    <PackageReference Include="Microsoft.AspNetCore.App" />
  </ItemGroup>

  <Target Name="PrepublishScript" BeforeTargets="PrepareForPublish">
--- a/src/HardHat.Example/Startup.cs
+++ b/src/HardHat.Example/Startup.cs
@@ -37,7 +37,6 @@ namespace HardHat.Example
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
-                app.UseBrowserLink();
            }
            else
            {
--- a/src/HardHat.UnitTests/CSPBuilderTests.cs
+++ b/src/HardHat.UnitTests/CSPBuilderTests.cs
@@ -25,10 +25,11 @@ namespace HardHat.UnitTests
                FormAction = new HashSet<string>() { "http://*.example.com" },
                FrameAncestors = new HashSet<string>() { "http://*.example.com" },
                PluginTypes = new HashSet<string>() { "http://*.example.com" },
-                Sandbox = SandboxOption.AllowPointerLock
+                Sandbox = SandboxOption.AllowPointerLock,
+                UpgradeInsecureResponse = true

            });
-            Assert.Equal<string>(@"default-src 'self' 'none' http://*.example.com; script-src http://*.example.com; style-src http://*.example.com; img-src http://*.example.com; connect-src http://*.example.com; font-src http://*.example.com; object-src http://*.example.com; media-src http://*.example.com; child-src http://*.example.com; form-action http://*.example.com; frame-ancestors http://*.example.com; sandbox allow-pointer-lock; plugin-types http://*.example.com;", builder);
+            Assert.Equal<string>(@"default-src 'self' 'none' http://*.example.com; script-src http://*.example.com; style-src http://*.example.com; img-src http://*.example.com; connect-src http://*.example.com; font-src http://*.example.com; object-src http://*.example.com; media-src http://*.example.com; child-src http://*.example.com; form-action http://*.example.com; frame-ancestors http://*.example.com; sandbox allow-pointer-lock; plugin-types http://*.example.com; upgrade-insecure-requests;", builder);
        }

        [Fact]
--- a/src/HardHat.UnitTests/HardHat.UnitTests.csproj
+++ b/src/HardHat.UnitTests/HardHat.UnitTests.csproj
@@ -1,9 +1,13 @@
 <Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
-    <TargetFramework>netcoreapp1.1</TargetFramework>
+    <TargetFramework>netcoreapp2.1</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="1.1.2" />
+    <PackageReference Include="coverlet.msbuild" Version="2.3.1">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.1.1" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="15.0.0" />
    <PackageReference Include="Moq" Version="4.7.25" />
    <PackageReference Include="xunit" Version="2.2.0" />
--- a/src/HardHat/Builders/ContentSecurityHeaderBuilder.cs
+++ b/src/HardHat/Builders/ContentSecurityHeaderBuilder.cs
@@ -13,6 +13,10 @@ namespace HardHat.Builders
            {
                throw new ArgumentNullException(nameof(policy));
            }
+            if(policy.DefaultSrc.Count > 0 && policy.DefaultSrc.Contains(CSPConstants.None))
+            {
+                //todo throw exception in this case
+            }
            if (policy.DefaultSrc != null && policy.DefaultSrc.Count > 0)
            {
                stringBuilder.Append(Constants.CSPDirectives.DefaultSrc);
@@ -91,6 +95,10 @@ namespace HardHat.Builders
                stringBuilder.Append(Constants.CSPDirectives.PluginTypes);
                stringBuilder.Append($" {string.Join(" ", policy.PluginTypes)}; ");
            }
+            if(policy.UpgradeInsecureResponse) 
+            {
+                stringBuilder.Append($"{Constants.CSPDirectives.UpgradeInsecureRequests}; ");
+            }
            return stringBuilder.ToString().TrimEnd();
        }
    }
--- a/src/HardHat/Constants.cs
+++ b/src/HardHat/Constants.cs
@@ -52,6 +52,7 @@
            internal const string FormAction = "form-action";
            internal const string FrameAncestors = "frame-ancestors";
            internal const string PluginTypes = "plugin-types";
+            internal const string UpgradeInsecureRequests = "upgrade-insecure-requests";
        }
    }
 }
--- a/src/HardHat/ContentSecurityPolicy.cs
+++ b/src/HardHat/ContentSecurityPolicy.cs
@@ -68,5 +68,7 @@ namespace HardHat
        /// </summary>
        public bool OnlySendReport { get; set;  } = false;

+        public bool UpgradeInsecureResponse { get; set; } = false;
+
    }
 }
--- a/src/HardHat/ContentSecurityPolicyBuilder.cs
+++ b/src/HardHat/ContentSecurityPolicyBuilder.cs
@@ -204,6 +204,11 @@ namespace HardHat
            Policy.Sandbox = sandboxOption ?? throw new ArgumentNullException(nameof(sandboxOption));
            return this;
        }
+        public ContentSecurityPolicyBuilder WithUpgradeInsecureResponse(bool enable = true) 
+        {
+            Policy.UpgradeInsecureResponse = enable;
+            return this;
+        }
        public ContentSecurityPolicy BuildPolicy() => Policy;

    }
--- a/src/HardHat/HardHat.csproj
+++ b/src/HardHat/HardHat.csproj
@@ -3,19 +3,18 @@
  <PropertyGroup>
    <Description>.Net core Middleware, Add various headers to help secure your site. Disable XSS attacks with Content Security Policies, and make sure browsers do not mime sniff</Description>
    <Authors>Tommy Parnell</Authors>
-    <TargetFramework>netstandard1.6</TargetFramework>
+    <TargetFramework>netstandard2.0</TargetFramework>
    <AssemblyName>HardHat</AssemblyName>
    <PackageId>HardHat</PackageId>
    <PackageTags>xss;clickjack;clickjacking;security;.net core;Middleware;core;Content Security Policy;CSP</PackageTags>
    <PackageIconUrl>https://media.githubusercontent.com/media/TerribleDev/HardHat/master/Hat.png</PackageIconUrl>
    <PackageProjectUrl>https://github.com/TerribleDev/HardHat</PackageProjectUrl>
    <PackageLicenseUrl>https://opensource.org/licenses/MIT</PackageLicenseUrl>
-    <PackageTargetFallback>$(PackageTargetFallback);dnxcore50</PackageTargetFallback>
    <SourceLinkServerType>GitHub</SourceLinkServerType>
  </PropertyGroup>

  <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="1.0.2" />
+    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.1.1" />
    <PackageReference Include="SourceLink.Create.CommandLine" Version="2.4.0" PrivateAssets="All" /> 
  </ItemGroup>
Author	SHA1	Message	Date
Tommy Parnell	9c4db3c5cb	stop	2018-11-15 12:46:21 -05:00
Tommy Parnell	83949b45d1	upgrade insecure	2018-11-15 12:39:44 -05:00
Tommy Parnell	1709e44e55	Merge pull request #11 from TerribleDev/2.0 upgrade to 2.0	2018-11-04 09:36:48 -05:00
Tommy Parnell	74f99573a5	upgrade to 2.0	2018-11-04 09:34:31 -05:00