Diff of the two buildlogs: -- --- b1/build.log 2023-05-22 10:04:29.046722991 +0000 +++ b2/build.log 2023-05-22 10:06:07.814393737 +0000 @@ -1,6 +1,6 @@ I: pbuilder: network access will be disabled during build -I: Current time: Sun May 21 22:02:58 -12 2023 -I: pbuilder-time-stamp: 1684749778 +I: Current time: Mon Jun 24 06:27:33 +14 2024 +I: pbuilder-time-stamp: 1719160053 I: Building the build Environment I: extracting base tarball [/var/cache/pbuilder/bookworm-reproducible-base.tgz] I: copying local configuration @@ -16,7 +16,7 @@ I: copying [./ruby-secure-headers_6.3.2.orig.tar.gz] I: copying [./ruby-secure-headers_6.3.2-1.debian.tar.xz] I: Extracting source -gpgv: Signature made Fri Jun 25 07:55:35 2021 -12 +gpgv: Signature made Sat Jun 26 09:55:35 2021 +14 gpgv: using RSA key D30863E26020E543F4719A838F53E0193B294B75 gpgv: Can't check signature: No public key dpkg-source: warning: cannot verify inline signature for ./ruby-secure-headers_6.3.2-1.dsc: no acceptable signature found 
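Review bot: `gpgv: Can't check signature: No public key` followed by `dpkg-source: warning: cannot verify inline signature for ./ruby-secure-headers_6.3.2-1.dsc` means the .dsc is unpacked in both builds without its signature (RSA key D30863E26020E543F4719A838F53E0193B294B75) being authenticated; if source authenticity is meant to be checked in this pipeline, the signer's key has to be in the keyring dpkg-source consults, otherwise the warning is informational only. The remaining differences in this hunk (`Current time`, `pbuilder-time-stamp`, and the -12 vs +14 offset on the signature date) are the deliberate time and TZ variation of the second build.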
@@ -28,52 +28,84 @@ dpkg-source: info: applying 03-fix-library-path.patch I: Not using root during the build. I: Installing the build-deps -I: user script /srv/workspace/pbuilder/28560/tmp/hooks/D02_print_environment starting +I: user script /srv/workspace/pbuilder/17448/tmp/hooks/D01_modify_environment starting +debug: Running on codethink13-arm64. +I: Changing host+domainname to test build reproducibility +I: Adding a custom variable just for the fun of it... +I: Changing /bin/sh to bash +'/bin/sh' -> '/bin/bash' +lrwxrwxrwx 1 root root 9 Jun 24 06:27 /bin/sh -> /bin/bash +I: Setting pbuilder2's login shell to /bin/bash +I: Setting pbuilder2's GECOS to second user,second room,second work-phone,second home-phone,second other +I: user script /srv/workspace/pbuilder/17448/tmp/hooks/D01_modify_environment finished +I: user script /srv/workspace/pbuilder/17448/tmp/hooks/D02_print_environment starting I: set - BUILDDIR='/build' - BUILDUSERGECOS='first user,first room,first work-phone,first home-phone,first other' - BUILDUSERNAME='pbuilder1' - BUILD_ARCH='arm64' - DEBIAN_FRONTEND='noninteractive' + BASH=/bin/sh + BASHOPTS=checkwinsize:cmdhist:complete_fullquote:extquote:force_fignore:globasciiranges:globskipdots:hostcomplete:interactive_comments:patsub_replacement:progcomp:promptvars:sourcepath + BASH_ALIASES=() + BASH_ARGC=() + BASH_ARGV=() + BASH_CMDS=() + BASH_LINENO=([0]="12" [1]="0") + BASH_LOADABLES_PATH=/usr/local/lib/bash:/usr/lib/bash:/opt/local/lib/bash:/usr/pkg/lib/bash:/opt/pkg/lib/bash:. 
+ BASH_SOURCE=([0]="/tmp/hooks/D02_print_environment" [1]="/tmp/hooks/D02_print_environment") + BASH_VERSINFO=([0]="5" [1]="2" [2]="15" [3]="1" [4]="release" [5]="aarch64-unknown-linux-gnu") + BASH_VERSION='5.2.15(1)-release' + BUILDDIR=/build + BUILDUSERGECOS='second user,second room,second work-phone,second home-phone,second other' + BUILDUSERNAME=pbuilder2 + BUILD_ARCH=arm64 + DEBIAN_FRONTEND=noninteractive DEB_BUILD_OPTIONS='buildinfo=+all reproducible=+all parallel=8 ' - DISTRIBUTION='bookworm' - HOME='/var/lib/jenkins' - HOST_ARCH='arm64' + DIRSTACK=() + DISTRIBUTION=bookworm + EUID=0 + FUNCNAME=([0]="Echo" [1]="main") + GROUPS=() + HOME=/var/lib/jenkins + HOSTNAME=i-capture-the-hostname + HOSTTYPE=aarch64 + HOST_ARCH=arm64 IFS=' ' - LANG='C' - LANGUAGE='en_US:en' - LC_ALL='C' - MAIL='/var/mail/root' - OPTIND='1' - PATH='/usr/sbin:/usr/bin:/sbin:/bin:/usr/games' - PBCURRENTCOMMANDLINEOPERATION='build' - PBUILDER_OPERATION='build' - PBUILDER_PKGDATADIR='/usr/share/pbuilder' - PBUILDER_PKGLIBDIR='/usr/lib/pbuilder' - PBUILDER_SYSCONFDIR='/etc' - PPID='28560' - PS1='# ' - PS2='> ' + LANG=C + LANGUAGE=nl_BE:nl + LC_ALL=C + MACHTYPE=aarch64-unknown-linux-gnu + MAIL=/var/mail/root + OPTERR=1 + OPTIND=1 + OSTYPE=linux-gnu + PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path + PBCURRENTCOMMANDLINEOPERATION=build + PBUILDER_OPERATION=build + PBUILDER_PKGDATADIR=/usr/share/pbuilder + PBUILDER_PKGLIBDIR=/usr/lib/pbuilder + PBUILDER_SYSCONFDIR=/etc + PIPESTATUS=([0]="0") + POSIXLY_CORRECT=y + PPID=17448 PS4='+ ' - PWD='/' - SHELL='/bin/bash' - SHLVL='2' - SUDO_COMMAND='/usr/bin/timeout -k 18.1h 18h /usr/bin/ionice -c 3 /usr/bin/nice /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.9VJMjMlI/pbuilderrc_HUfw --distribution bookworm --hookdir /etc/pbuilder/first-build-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/bookworm-reproducible-base.tgz --buildresult 
/srv/reproducible-results/rbuild-debian/r-b-build.9VJMjMlI/b1 --logfile b1/build.log ruby-secure-headers_6.3.2-1.dsc' - SUDO_GID='117' - SUDO_UID='110' - SUDO_USER='jenkins' - TERM='unknown' - TZ='/usr/share/zoneinfo/Etc/GMT+12' - USER='root' - USERNAME='root' - _='/usr/bin/systemd-run' - http_proxy='http://192.168.101.16:3128' + PWD=/ + SHELL=/bin/bash + SHELLOPTS=braceexpand:errexit:hashall:interactive-comments:posix + SHLVL=3 + SUDO_COMMAND='/usr/bin/timeout -k 24.1h 24h /usr/bin/ionice -c 3 /usr/bin/nice -n 11 /usr/bin/unshare --uts -- /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.9VJMjMlI/pbuilderrc_URyN --distribution bookworm --hookdir /etc/pbuilder/rebuild-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/bookworm-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.9VJMjMlI/b2 --logfile b2/build.log --extrapackages usrmerge ruby-secure-headers_6.3.2-1.dsc' + SUDO_GID=117 + SUDO_UID=110 + SUDO_USER=jenkins + TERM=unknown + TZ=/usr/share/zoneinfo/Etc/GMT-14 + UID=0 + USER=root + USERNAME=root + _='I: set' + http_proxy=http://192.168.101.16:3128 I: uname -a - Linux codethink12-arm64 4.15.0-211-generic #222-Ubuntu SMP Tue Apr 18 18:58:27 UTC 2023 aarch64 GNU/Linux + Linux i-capture-the-hostname 4.15.0-211-generic #222-Ubuntu SMP Tue Apr 18 18:58:27 UTC 2023 aarch64 GNU/Linux I: ls -l /bin - lrwxrwxrwx 1 root root 7 May 20 22:26 /bin -> usr/bin -I: user script /srv/workspace/pbuilder/28560/tmp/hooks/D02_print_environment finished + lrwxrwxrwx 1 root root 7 Jun 22 06:49 /bin -> usr/bin +I: user script /srv/workspace/pbuilder/17448/tmp/hooks/D02_print_environment finished -> Attempting to satisfy build-dependencies -> Creating pbuilder-satisfydepends-dummy package Package: pbuilder-satisfydepends-dummy 
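Review bot: the only substantive change in this hunk is the added D01_modify_environment hook in the second build, which deliberately varies the hostname (`i-capture-the-hostname`, made possible by the `unshare --uts` in SUDO_COMMAND), the build user (pbuilder2 with a different GECOS), the login shell (`/bin/sh -> /bin/bash`), LANGUAGE (`nl_BE:nl`), TZ (`Etc/GMT-14`) and PATH (`/i/capture/the/path`); none of these should leak into the built artifacts. Because /bin/sh is now bash with `POSIXLY_CORRECT=y`, `I: set` additionally dumps bash-internal variables (BASH_*, FUNCNAME, PIPESTATUS, SHELLOPTS) and drops the single quotes around values, so most of the `-`/`+` pairs here are formatting noise rather than real environment differences. The details worth checking are that `http_proxy` is identical in both builds and that the second build's command line adds `--extrapackages usrmerge`, which explains the usrmerge output later in the log.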
@@ -277,7 +309,7 @@ Get: 154 http://deb.debian.org/debian bookworm/main arm64 ruby-rspec-mocks all 3.12.0c0e1m1s0-1 [79.5 kB] Get: 155 http://deb.debian.org/debian bookworm/main arm64 ruby-rspec all 3.12.0c0e1m1s0-1 [5084 B] Get: 156 http://deb.debian.org/debian bookworm/main arm64 ruby-useragent all 0.16.8-1.1 [12.0 kB] -Fetched 47.4 MB in 6s (8337 kB/s) +Fetched 47.4 MB in 4s (11.2 MB/s) debconf: delaying package configuration, since apt-utils is not installed Selecting previously unselected package libpython3.11-minimal:arm64. (Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 19616 files and directories currently installed.) 
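Review bot: only the apt download rate differs here (`Fetched 47.4 MB in 6s (8337 kB/s)` vs `in 4s (11.2 MB/s)`); the surrounding `Get:` lines and the fetched size are unchanged context, so this hunk has no bearing on reproducibility.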
@@ -924,8 +956,17 @@ Writing extended state information... Building tag database... -> Finished parsing the build-deps +Reading package lists... +Building dependency tree... +Reading state information... +usrmerge is already the newest version (35). +0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. I: Building the package -I: Running cd /build/ruby-secure-headers-6.3.2/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-genchanges -S > ../ruby-secure-headers_6.3.2-1_source.changes +I: user script /srv/workspace/pbuilder/17448/tmp/hooks/A99_set_merged_usr starting +Re-configuring usrmerge... +I: user script /srv/workspace/pbuilder/17448/tmp/hooks/A99_set_merged_usr finished +hostname: Temporary failure in name resolution +I: Running cd /build/ruby-secure-headers-6.3.2/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-genchanges -S > ../ruby-secure-headers_6.3.2-1_source.changes dpkg-buildpackage: info: source package ruby-secure-headers dpkg-buildpackage: info: source version 6.3.2-1 dpkg-buildpackage: info: source distribution unstable 
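Review bot: `hostname: Temporary failure in name resolution`, printed right after the A99_set_merged_usr hook, is a side effect of the UTS-namespace hostname `i-capture-the-hostname` not resolving; it is not fatal here (the build goes on to dpkg-buildpackage), but anything in the build that relies on `hostname -f` would see the same failure. The `HOME="/nonexistent/first-build"` vs `"/nonexistent/second-build"` and the extra `/i/capture/the/path` PATH component in the `I: Running` line are the intended variation, and the `usrmerge is already the newest version (35)` / `Re-configuring usrmerge...` lines come from the `--extrapackages usrmerge` in the second build's command line.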
@@ -959,7 +1000,7 @@ dh_auto_install --destdir=debian/ruby-secure-headers/ -O--buildsystem=ruby dh_ruby --install /build/ruby-secure-headers-6.3.2/debian/ruby-secure-headers W: DH_RUBY_GEM_INSTALL_BLACKLIST_APPEND is deprecated, please use DH_RUBY_GEM_INSTALL_EXCLUDE instead (needs gem2deb >= 1.6~) -/usr/bin/ruby3.1 -S gem build --config-file /dev/null --verbose /tmp/d20230521-3167-do1g4o/gemspec +/usr/bin/ruby3.1 -S gem build --config-file /dev/null --verbose /tmp/d20240624-758-rq8bsq/gemspec Failed to load /dev/null because it doesn't contain valid YAML hash WARNING: license value 'Apache Public License 2.0' is invalid. Use a license identifier from http://spdx.org/licenses or 'Nonstandard' for a nonstandard license. @@ -971,7 +1012,7 @@ Name: secure_headers Version: 6.3.2 File: secure_headers-6.3.2.gem -/usr/bin/ruby3.1 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-secure-headers/usr/share/rubygems-integration/all /tmp/d20230521-3167-do1g4o/secure_headers-6.3.2.gem +/usr/bin/ruby3.1 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-secure-headers/usr/share/rubygems-integration/all /tmp/d20240624-758-rq8bsq/secure_headers-6.3.2.gem Failed to load /dev/null because it doesn't contain valid YAML hash /build/ruby-secure-headers-6.3.2/debian/ruby-secure-headers/usr/share/rubygems-integration/all/gems/secure_headers-6.3.2/lib/secure_headers.rb /build/ruby-secure-headers-6.3.2/debian/ruby-secure-headers/usr/share/rubygems-integration/all/gems/secure_headers-6.3.2/lib/secure_headers/configuration.rb 
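Review bot: the gem is built and installed from `/tmp/d20230521-3167-do1g4o` in b1 and `/tmp/d20240624-758-rq8bsq` in b2, a temporary directory whose name embeds the date and PID; confirm that neither `secure_headers-6.3.2.gem` nor the files installed under `debian/ruby-secure-headers/usr/share/rubygems-integration/all` record that path, otherwise the package contents will differ between builds. Two warnings are identical in both builds and worth fixing at source: `WARNING: license value 'Apache Public License 2.0' is invalid` (the gemspec should carry the SPDX identifier the message points to, `Apache-2.0`), and `Failed to load /dev/null because it doesn't contain valid YAML hash`, which is caused by `--config-file /dev/null` and can be ignored. The `DH_RUBY_GEM_INSTALL_BLACKLIST_APPEND is deprecated` warning in the context lines should be addressed in debian/rules as the message says (`DH_RUBY_GEM_INSTALL_EXCLUDE`, gem2deb >= 1.6~).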
@@ -1028,278 +1069,250 @@ [Coveralls] Set up the SimpleCov formatter. [Coveralls] Using SimpleCov's default settings. -Randomized with seed 25803 - -SecureHeaders::Configuration - stores an override - has an 'noop' override - deprecates the secure_cookies configuration - has a default config - allows OPT_OUT - allows me to be explicit too - gives cookies a default config - dup results in a copy of the default config - #override - raises when a named append with the given name exists - raises on configuring an existing override - #named_append - raises on configuring an existing append - raises when an override with the given name exists - -SecureHeaders::XDownloadOptions - is expected to eq ["X-Download-Options", "noopen"] - is expected to eq ["X-Download-Options", "noopen"] - invalid configuration values - accepts nil - accepts noopen - doesn't accept anything besides noopen - -SecureHeaders::XPermittedCrossDomainPolicies - is expected to eq ["X-Permitted-Cross-Domain-Policies", "master-only"] - is expected to eq ["X-Permitted-Cross-Domain-Policies", "none"] - invlaid configuration values - doesn't accept invalid values - valid configuration values - accepts nil - accepts 'by-ftp-filename' - accepts 'master-only' - accepts 'all' - accepts 'by-content-type' - -SecureHeaders::PolicyManagement - #validate_config! 
- requires :upgrade_insecure_requests to be a boolean value - rejects anything not of the form type/subtype as a plugin-type value - requires a :default_src value - accepts anything of the form allow-* as a sandbox value - requires a :script_src value - rejects anything not of the form allow-* as a sandbox value - accepts true as a sandbox policy - allows report_only to be set in a report-only config - performs light validation on source lists - accepts anything of the form type/subtype as a plugin-type value - requires :preserve_schemes to be a truthy value - allows nil values - requires :report_only to be a truthy value - requires all source lists to be an array of strings - accepts all keys - rejects unknown directives / config - doesn't allow report_only to be set in a non-report-only config - accepts OPT_OUT as a script-src value - requires :block_all_mixed_content to be a boolean value - #combine_policies - does not combine the default-src value for directives that don't fall back to default sources - overrides the report_only flag - raises an error if appending to a OPT_OUT policy - combines directives where the original value is nil and the hash is frozen - combines the default-src value with the override if the directive was unconfigured - overrides the :block_all_mixed_content flag - -SecureHeaders::ExpectCertificateTransparency - is expected to eq "max-age=1234" - is expected to eq "enforce, max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" - is expected to eq "max-age=1234" - is expected to eq "max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" - is expected to eq "enforce, max-age=1234" - with an invalid configuration - raises an exception when max-age is not provided - raises an exception when configuration isn't a hash - raises an exception with an invalid enforce value - raises an exception with an invalid max-age - -SecureHeaders::XContentTypeOptions - #value - is expected to eq ["X-Content-Type-Options", "nosniff"] - is 
expected to eq ["X-Content-Type-Options", "nosniff"] - invalid configuration values - accepts nosniff - doesn't accept anything besides no-sniff - accepts nil - -SecureHeaders::XFrameOptions - #value - is expected to eq ["X-Frame-Options", "DENY"] - is expected to eq ["X-Frame-Options", "sameorigin"] - with invalid configuration - allows DENY - allows ALLOW-FROM* - allows SAMEORIGIN - does not allow garbage +Randomized with seed 1556 SecureHeaders::Cookie preserves existing attributes - does not tamper with cookies when using OPT_OUT is used applies httponly, secure, and samesite by default prevents duplicate flagging of attributes + does not tamper with cookies when using OPT_OUT is used + HttpOnly cookies + when configured with a boolean + flags cookies as HttpOnly + when configured with a Hash + flags cookies as HttpOnly when whitelisted + does not flag cookies as HttpOnly when excluded SameSite cookies + flags SameSite=Strict flags properly when both lax and strict are configured - flags SameSite=Lax when configured with a boolean - flags SameSite=Strict when configured with a boolean - does not flag cookies as SameSite=None when excluded - flags SameSite=Strict when configured with a boolean + does not flag cookies as SameSite=Strict when excluded + does not flag cookies as SameSite=Lax when excluded + flags SameSite=None when configured with a boolean + samesite: true sets all cookies to samesite=lax flags SameSite=None + flags SameSite=Lax when configured with a boolean flags SameSite=Lax - flags SameSite=Strict ignores configuration if the cookie is already flagged - does not flag cookies as SameSite=Lax when excluded - does not flag cookies as SameSite=Strict when excluded - samesite: true sets all cookies to samesite=lax - flags SameSite=None when configured with a boolean - HttpOnly cookies - when configured with a Hash - does not flag cookies as HttpOnly when excluded - flags cookies as HttpOnly when whitelisted - when configured with a boolean - flags 
cookies as HttpOnly + does not flag cookies as SameSite=None when excluded + flags SameSite=Strict when configured with a boolean + flags SameSite=Strict when configured with a boolean Secure cookies - when configured with a boolean - flags cookies as Secure when configured with a Hash - does not flag cookies as Secure when excluded flags cookies as Secure when whitelisted + does not flag cookies as Secure when excluded + when configured with a boolean + flags cookies as Secure -SecureHeaders::StrictTransportSecurity - #value - is expected to eq ["Strict-Transport-Security", "max-age=631138519"] - is expected to eq ["Strict-Transport-Security", "max-age=1234; includeSubdomains; preload"] - with an invalid configuration - with a string argument - raises an exception if max-age is not supplied - raises an exception with an invalid max-age - raises an exception with an invalid format +with an invalid configuration + raises an exception when SameSite lax and strict enforcement modes are configured with booleans + raises an exception when configured with false + raises an exception when both lax and strict only filters are provided to SameSite configurations + raises an exception when SameSite strict and lax enforcement modes are configured with booleans + raises an exception when SameSite lax and strict enforcement modes are configured with booleans + raises an exception when both only and except filters are provided + raises an exception when not configured with a Hash + raises an exception when configured without a boolean(true or OPT_OUT)/Hash + raises an exception when SameSite none and lax enforcement modes are configured with booleans + raises an exception when SameSite is not configured with a Hash + raises an exception when both lax and strict only filters are provided to SameSite configurations + raises an exception when SameSite lax and none enforcement modes are configured with booleans + raises an exception when both only and except filters are provided to 
SameSite configurations + raises an exception when SameSite none and strict enforcement modes are configured with booleans + raises an exception when SameSite strict and none enforcement modes are configured with booleans + +SecureHeaders::ViewHelpers + raises an error when using hashed content without precomputed hashes + raises an error when using previously unknown hashed content with precomputed hashes for a given file + avoids calling content_security_policy_nonce internally + raises an error when using hashed content with precomputed hashes, but none for the given file + adds known hash values to the corresponding headers when the helper is used SecureHeaders::ContentSecurityPolicy - #name - when in report-only mode - is expected to eq "Content-Security-Policy-Report-Only" - when in enforce mode - is expected to eq "Content-Security-Policy" #value - discards 'none' values if any other source expressions are present - deprecates and escapes semicolons in directive source lists - supports script-src-attr directive - creates maximally strict sandbox policy when passed no sandbox token values - includes navigate-to - deprecates and escapes semicolons in directive source lists - creates sandbox policy when passed valid sandbox token values - does not add a directive if the value is an empty array (or all nil) - removes http/s schemes from hosts - does not add a directive if the value is nil - supports style-src-attr directive allows script as a require-sri-src - supports style-src-elem directive - does not emit a warning when using frame-src - allows style as a require-sri-src does not build directives with a value of OPT_OUT (and bypasses directive requirements) - does not remove schemes when :preserve_schemes is true - creates maximally strict sandbox policy when passed true supports strict-dynamic and opting out of the appended 'unsafe-inline' - discards source expressions (besides unsafe-* and non-host source values) when * is present - does add a boolean 
directive if the value is true removes nil from source lists - allows script and style as a require-sri-src - does not add a boolean directive if the value is false - supports strict-dynamic - minifies source expressions based on overlapping wildcards + creates sandbox policy when passed valid sandbox token values + does not remove schemes when :preserve_schemes is true uses a safe but non-breaking default value + does not add a directive if the value is an empty array (or all nil) + minifies source expressions based on overlapping wildcards + deprecates and escapes semicolons in directive source lists + discards source expressions (besides unsafe-* and non-host source values) when * is present does not remove schemes from report-uri values - supports script-src-elem directive + allows style as a require-sri-src + allows script and style as a require-sri-src + creates maximally strict sandbox policy when passed true includes prefetch-src + includes navigate-to + creates maximally strict sandbox policy when passed no sandbox token values + supports style-src-elem directive + does not add a boolean directive if the value is false + supports style-src-attr directive + does not emit a warning when using frame-src deduplicates any source expressions + deprecates and escapes semicolons in directive source lists + does add a boolean directive if the value is true + supports strict-dynamic + supports script-src-elem directive + discards 'none' values if any other source expressions are present + supports script-src-attr directive + removes http/s schemes from hosts + does not add a directive if the value is nil + #name + when in enforce mode + is expected to eq "Content-Security-Policy" + when in report-only mode + is expected to eq "Content-Security-Policy-Report-Only" -with an invalid configuration - raises an exception when both lax and strict only filters are provided to SameSite configurations - raises an exception when SameSite is not configured with a Hash - raises 
an exception when configured with false - raises an exception when SameSite lax and strict enforcement modes are configured with booleans - raises an exception when SameSite none and lax enforcement modes are configured with booleans - raises an exception when both lax and strict only filters are provided to SameSite configurations - raises an exception when SameSite none and strict enforcement modes are configured with booleans - raises an exception when configured without a boolean(true or OPT_OUT)/Hash - raises an exception when SameSite lax and strict enforcement modes are configured with booleans - raises an exception when not configured with a Hash - raises an exception when both only and except filters are provided - raises an exception when SameSite strict and lax enforcement modes are configured with booleans - raises an exception when SameSite strict and none enforcement modes are configured with booleans - raises an exception when SameSite lax and none enforcement modes are configured with booleans - raises an exception when both only and except filters are provided to SameSite configurations +SecureHeaders::XFrameOptions + #value + is expected to eq ["X-Frame-Options", "DENY"] + is expected to eq ["X-Frame-Options", "sameorigin"] + with invalid configuration + does not allow garbage + allows DENY + allows ALLOW-FROM* + allows SAMEORIGIN -SecureHeaders::ReferrerPolicy - is expected to eq ["Referrer-Policy", "origin-when-cross-origin, strict-origin-when-cross-origin"] - is expected to eq ["Referrer-Policy", "no-referrer"] - is expected to eq ["Referrer-Policy", "origin-when-cross-origin"] - invalid configuration values - doesn't accept invalid values - doesn't accept invalid types - valid configuration values - accepts 'same-origin' - accepts nil - accepts 'no-referrer' - accepts 'strict-origin-when-cross-origin' - accepts 'origin-when-cross-origin' - accepts array of policy values - accepts 'unsafe-url' - accepts 'origin' - accepts 'strict-origin' - 
accepts 'no-referrer-when-downgrade' +SecureHeaders::XContentTypeOptions + #value + is expected to eq ["X-Content-Type-Options", "nosniff"] + is expected to eq ["X-Content-Type-Options", "nosniff"] + invalid configuration values + accepts nosniff + doesn't accept anything besides no-sniff + accepts nil -SecureHeaders::ViewHelpers - avoids calling content_security_policy_nonce internally - adds known hash values to the corresponding headers when the helper is used - raises an error when using hashed content without precomputed hashes - raises an error when using previously unknown hashed content with precomputed hashes for a given file - raises an error when using hashed content with precomputed hashes, but none for the given file +SecureHeaders::ClearSiteData + make_header + returns all types with `true` config + returns nil with nil config + returns specified types + returns nil with opt-out config + returns nil with empty config + validate_config! + fails for Array of non-String config + succeeds for Array of Strings config + succeeds for opt-out config + succeeds for empty config + succeeds for `true` config + fails for other types of config + succeeds for `nil` config + make_header_value + returns a string of quoted values that are comma separated + +SecureHeaders::PolicyManagement + #validate_config! 
+ performs light validation on source lists + requires :upgrade_insecure_requests to be a boolean value + rejects anything not of the form allow-* as a sandbox value + allows nil values + allows report_only to be set in a report-only config + requires a :script_src value + doesn't allow report_only to be set in a non-report-only config + requires :preserve_schemes to be a truthy value + requires all source lists to be an array of strings + accepts true as a sandbox policy + accepts anything of the form allow-* as a sandbox value + accepts anything of the form type/subtype as a plugin-type value + requires :block_all_mixed_content to be a boolean value + accepts OPT_OUT as a script-src value + requires a :default_src value + rejects anything not of the form type/subtype as a plugin-type value + requires :report_only to be a truthy value + rejects unknown directives / config + accepts all keys + #combine_policies + raises an error if appending to a OPT_OUT policy + does not combine the default-src value for directives that don't fall back to default sources + overrides the report_only flag + overrides the :block_all_mixed_content flag + combines the default-src value with the override if the directive was unconfigured + combines directives where the original value is nil and the hash is frozen + +SecureHeaders::ExpectCertificateTransparency + is expected to eq "max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" + is expected to eq "max-age=1234" + is expected to eq "max-age=1234" + is expected to eq "enforce, max-age=1234, report-uri=\"https://report-uri.io/expect-ct\"" + is expected to eq "enforce, max-age=1234" + with an invalid configuration + raises an exception with an invalid max-age + raises an exception when max-age is not provided + raises an exception when configuration isn't a hash + raises an exception with an invalid enforce value SecureHeaders - raises and ArgumentError when referencing an override that has not been set + raises a 
AlreadyConfiguredError if trying to configure and default has already been set raises a NotYetConfiguredError if trying to opt-out of unconfigured headers + raises and ArgumentError when referencing an override that has not been set raises a NotYetConfiguredError if default has not been set - raises a AlreadyConfiguredError if trying to configure and default has already been set + validation + validates your clear site data config upon configuration + validates your xfo config upon configuration + validates your xdo config upon configuration + validates your hsts config upon configuration + validates your xcto config upon configuration + raises errors for unknown directives + validates your x_permitted_cross_domain_policies config upon configuration + validates your cookies config upon configuration + validates your x_xss config upon configuration + validates your referrer_policy config upon configuration + validates your csp config upon configuration #header_hash_for allows you to opt out of individual headers via API - allows you to opt out entirely - Overrides the current default config if default config changes during request - allows you to override X-Frame-Options settings produces a hash of headers with default config - Carries options over when using overrides - allows you to override opting out does not set the HSTS header if request is over HTTP + allows you to override opting out + Overrides the current default config if default config changes during request + Carries options over when using overrides + allows you to override X-Frame-Options settings + allows you to opt out entirely content security policy - appends a nonce to the script-src when used supports named appends - appends a nonce to a missing script-src value appends a hash to a missing script-src value - overrides individual directives - appends a value to csp directive - Raises an error if csp_report_only is used with `report_only: false` overrides non-existant directives + Raises an error 
if csp_report_only is used with `report_only: false` + overrides individual directives + appends a nonce to a missing script-src value does not support the deprecated `report_only: true` format + appends a nonce to the script-src when used + appends a value to csp directive setting two headers - allows overriding both policies - allows overriding the report only policy - allows appending to the enforced policy allows you to opt-out of enforced CSP sets different headers when the configs are different + allows overriding the report only policy + allows appending to the enforced policy + allows overriding both policies + allows appending to both policies + allows overriding the enforced policy sets identical values when the configs are the same allows appending to the report only policy - allows overriding the enforced policy - allows appending to both policies when inferring which config to modify + updates both headers if both are configured updates the report only header when configured updates the enforced header when configured - updates both headers if both are configured - validation - validates your clear site data config upon configuration - validates your x_xss config upon configuration - raises errors for unknown directives - validates your hsts config upon configuration - validates your xcto config upon configuration - validates your x_permitted_cross_domain_policies config upon configuration - validates your xfo config upon configuration - validates your cookies config upon configuration - validates your xdo config upon configuration - validates your csp config upon configuration - validates your referrer_policy config upon configuration + +SecureHeaders::ReferrerPolicy + is expected to eq ["Referrer-Policy", "origin-when-cross-origin"] + is expected to eq ["Referrer-Policy", "origin-when-cross-origin, strict-origin-when-cross-origin"] + is expected to eq ["Referrer-Policy", "no-referrer"] + valid configuration values + accepts 
'strict-origin-when-cross-origin' + accepts 'same-origin' + accepts 'no-referrer' + accepts 'no-referrer-when-downgrade' + accepts 'origin' + accepts 'unsafe-url' + accepts 'strict-origin' + accepts nil + accepts 'origin-when-cross-origin' + accepts array of policy values + invalid configuration values + doesn't accept invalid types + doesn't accept invalid values SecureHeaders::Middleware respects overrides 
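Review bot: every `-`/`+` line in this hunk is a reordering of RSpec example output caused by `Randomized with seed 25803` vs `Randomized with seed 1556`; the same groups and example names appear on both sides and the summary in the next hunk is `240 examples, 0 failures` for both, so this is log noise, not a behavioural difference. If a readable log diff is wanted, the seed can be pinned for the package build (RSpec's `--seed` or `--order defined`) without changing what is tested; the built package is unaffected either way. The example names do expose a few spec-level nits for upstream: the typos `invlaid configuration values` and `raises and ArgumentError`, and examples that appear twice within one group (`flags SameSite=Strict when configured with a boolean`, `deprecates and escapes semicolons in directive source lists`, and the repeated `is expected to eq ["X-Content-Type-Options", "nosniff"]`), which suggests copy-pasted `it` blocks. The `with an invalid configuration` group that is printed at top level on both sides contains only SameSite cookie examples, so check whether that `describe` was meant to sit under SecureHeaders::Cookie.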
@@ -1312,44 +1325,72 @@ cookies should not be flagged does not flags cookies as secure cookies - sets the secure cookie flag correctly on interleaved http/https requests disables secure cookies for non-https requests - flags cookies with a combination of SameSite configurations flags cookies from configuration + flags cookies with a combination of SameSite configurations + sets the secure cookie flag correctly on interleaved http/https requests + +SecureHeaders::Configuration + stores an override + dup results in a copy of the default config + has an 'noop' override + gives cookies a default config + deprecates the secure_cookies configuration + allows me to be explicit too + has a default config + allows OPT_OUT + #named_append + raises on configuring an existing append + raises when an override with the given name exists + #override + raises when a named append with the given name exists + raises on configuring an existing override + +SecureHeaders::StrictTransportSecurity + #value + is expected to eq ["Strict-Transport-Security", "max-age=631138519"] + is expected to eq ["Strict-Transport-Security", "max-age=1234; includeSubdomains; preload"] + with an invalid configuration + with a string argument + raises an exception with an invalid format + raises an exception with an invalid max-age + raises an exception if max-age is not supplied + +SecureHeaders::XDownloadOptions + is expected to eq ["X-Download-Options", "noopen"] + is expected to eq ["X-Download-Options", "noopen"] + invalid configuration values + accepts nil + doesn't accept anything besides noopen + accepts noopen + +SecureHeaders::XPermittedCrossDomainPolicies + is expected to eq ["X-Permitted-Cross-Domain-Policies", "none"] + is expected to eq ["X-Permitted-Cross-Domain-Policies", "master-only"] + valid configuration values + accepts 'all' + accepts 'by-ftp-filename' + accepts 'master-only' + accepts 'by-content-type' + accepts nil + invlaid configuration values + doesn't accept invalid values 
SecureHeaders::XXssProtection - is expected to eq ["X-XSS-Protection", "1; mode=block; report=https://www.secure.com/reports"] is expected to eq ["X-XSS-Protection", "1; mode=block"] + is expected to eq ["X-XSS-Protection", "1; mode=block; report=https://www.secure.com/reports"] with invalid configuration should raise an error when providing a string that is not valid when using a hash value should raise an error if mode != block - should allow string values ('1' or '0' are the only valid strings) should raise an error if an invalid key is supplied should raise an error if no value key is supplied + should allow string values ('1' or '0' are the only valid strings) -SecureHeaders::ClearSiteData - validate_config! - fails for Array of non-String config - succeeds for `nil` config - fails for other types of config - succeeds for empty config - succeeds for opt-out config - succeeds for Array of Strings config - succeeds for `true` config - make_header_value - returns a string of quoted values that are comma separated - make_header - returns all types with `true` config - returns nil with opt-out config - returns nil with empty config - returns specified types - returns nil with nil config - -Finished in 0.55329 seconds (files took 1.46 seconds to load) +Finished in 0.51481 seconds (files took 1.38 seconds to load) 240 examples, 0 failures -Randomized with seed 25803 +Randomized with seed 1556 [Coveralls] Outside the CI environment, not sending data. 
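Review bot: same cause as the previous hunk: the ClearSiteData, Configuration, StrictTransportSecurity, XDownloadOptions, XPermittedCrossDomainPolicies and XXssProtection groups only move because of the random seed, and the run-time difference (`0.55329` vs `0.51481` seconds) is expected noise. Both runs report `240 examples, 0 failures`, and `[Coveralls] Outside the CI environment, not sending data` is consistent with `network access will be disabled during build` at the top of the log.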
@@ -1382,12 +1423,14 @@ dpkg-buildpackage: info: binary-only upload (no source included) dpkg-genchanges: info: including full source code in upload I: copying local configuration +I: user script /srv/workspace/pbuilder/17448/tmp/hooks/B01_cleanup starting +I: user script /srv/workspace/pbuilder/17448/tmp/hooks/B01_cleanup finished I: unmounting dev/ptmx filesystem I: unmounting dev/pts filesystem I: unmounting dev/shm filesystem I: unmounting proc filesystem I: unmounting sys filesystem I: cleaning the build env -I: removing directory /srv/workspace/pbuilder/28560 and its subdirectories -I: Current time: Sun May 21 22:04:27 -12 2023 -I: pbuilder-time-stamp: 1684749867 +I: removing directory /srv/workspace/pbuilder/17448 and its subdirectories +I: Current time: Mon Jun 24 06:29:05 +14 2024 +I: pbuilder-time-stamp: 1719160145
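Review bot: apart from the added B01_cleanup hook markers and the pbuilder workspace directory (`28560` vs `17448`), this hunk differs only in the end timestamps (`Current time`, `pbuilder-time-stamp`), which together with the start-of-log values give a wall-clock duration of 89 s for b1 (1684749867 - 1684749778) and 92 s for b2 (1719160145 - 1719160053) and again show the intended -12/+14 timezone variation.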