Skip to content

Commit

Permalink
Merge pull request #233 from Santandersecurityresearch/develop
Browse files Browse the repository at this point in the history
Merge dev to master
  • Loading branch information
javixeneize authored Apr 13, 2022
2 parents 426ef45 + df0a4a5 commit c2098d5
Show file tree
Hide file tree
Showing 44 changed files with 2,727 additions and 1,724 deletions.
13 changes: 12 additions & 1 deletion .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,20 @@ updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
interval: "daily"
target-branch: "develop"
reviewers:
- "danielcuthbert"
- "javixeneize"
- "pealtrufo"
- "emilejq"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
target-branch: "develop"
reviewers:
- "danielcuthbert"
- "javixeneize"
- "pealtrufo"
- "emilejq"
10 changes: 6 additions & 4 deletions .github/workflows/pull_request.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,12 @@ jobs:
python-version: ${{ matrix.python-version }}

- name: Install PIP Dependencies
run: pip install -r requirements_dev.txt
run: |
pip install -r requirements.txt
pip install -r requirements_dev.txt
- name: Test with Nosetests
run: python -m nose --with-xunit --xunit-file=${{ matrix.python-version }}.results.xml
- name: Test with pytest
run: python -m pytest --junitxml ${{ matrix.python-version }}.results.xml

- name: Upload Test results
uses: actions/upload-artifact@master
Expand All @@ -36,7 +38,7 @@ jobs:

- name: Safety dependency scan
run: python -m safety check

- name: Checkout origin branch if PR 'to-branch' is master
if: github.base_ref == 'master'
uses: actions/checkout@v2
Expand Down
30 changes: 16 additions & 14 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Dr Header Release Task

on:
on:
push:
branches: [ master ]

Expand All @@ -12,19 +12,21 @@ jobs:
matrix:
python-version: [3.7]
steps:
- name: Checkout Code
- name: Checkout Code
uses: actions/checkout@v2

- name: Set up Python
uses: actions/setup-python@v1
with:
python-version: ${{ matrix.python-version }}

- name: Install dependencies
run: pip install -r requirements_dev.txt

- name: Test with Nosetests
run: python -m nose --with-xunit --xunit-file=${{ matrix.python-version }}.results.xml
run: |
pip install -r requirements.txt
pip install -r requirements_dev.txt
- name: Test with pytest
run: python -m pytest --junitxml ${{ matrix.python-version }}.results.xml

- name: Flake8 styles
run: python -m flake8 drheader
Expand All @@ -38,12 +40,12 @@ jobs:
- name: Make Wheel
run: |
python3 setup.py sdist bdist_wheel
- name: Dump build info for release
run: |
git log --pretty=oneline > changelog
python3 setup.py --version > version
python3 setup.py --version > version
- name: Get bumpversion
run: echo "VERSION"=$(grep -i 'current_version = ' setup.cfg | head -1 | tr -d 'current_version = ') >> $GITHUB_ENV

Expand All @@ -57,25 +59,25 @@ jobs:
release_name: Release v${{ env.VERSION }}
draft: false
prerelease: false

- name: Upload Wheel
id: upload_wheel
uses: actions/upload-release-asset@v1.0.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ./dist/drheader-${{ env.VERSION }}-py2.py3-none-any.whl
asset_name: DrHeader Wheel
asset_content_type: application/x-python-wheel

- name: Upload Changelog
id: upload_changelog
uses: actions/upload-release-asset@v1.0.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: changelog
asset_name: DrHeader changelog
asset_content_type: text/plain
Expand Down
20 changes: 10 additions & 10 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,34 +56,34 @@ Ready to contribute? Here's how to set up
1. Fork the <span class="title-ref">drheader</span> repo on GitHub.

2. Clone your fork locally:

$ git clone git@github.com:your_name_here/drheader.git

3. Install your local copy into a virtualenv. Assuming you have
virtualenvwrapper installed, this is how you set up your fork for
local development:

$ mkvirtualenv drheader
$ cd drheader/
$ python setup.py develop

4. Create a branch for local development:

$ git checkout -b name-of-your-bugfix-or-feature

Now you can make your changes locally.

5. When you're done making changes, check that your changes pass flake8
and the tests, including testing other Python versions with tox:

$ flake8 drheader tests
$ python setup.py test or py.test
$ py.test
$ tox

To get flake8 and tox, just pip install them into your virtualenv.

6. Commit your changes and push your branch to GitHub:

$ git add .
$ git commit -m "Your detailed description of your changes."
$ git push origin name-of-your-bugfix-or-feature
Expand All @@ -95,8 +95,8 @@ Ready to contribute? Here's how to set up
When submitting a pull request, please ensure that:

1. You submit it to 'develop' branch and there's no conflicts.
2. You check all tests are passing and have created new ones if change not covered in current test suite.
2. You check all tests are passing and have created new ones if change not covered in current test suite.
3. You update `README.md` if functionality has been added or modified. If you are creating new classes or methods, please use docstring to document the code.
4. You update `RULES.md` when extending or modifying the way rules can be used, adding documentation and examples for the new/modified feature.
4. You update `RULES.md` when extending or modifying the way rules can be used, adding documentation and examples for the new/modified feature.
5. Code works for Python >= 3.7
6. Once PR is submitted, workflow steps are successful (e.g.: Flake8, Bandit, Safety, etc.)
1 change: 1 addition & 0 deletions MANIFEST.in
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ include LICENSE
include README.md
include RULES.md
include drheader/*.yml
include drheader/resources/delimiters.json

recursive-include tests *
recursive-exclude * __pycache__
Expand Down
23 changes: 21 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,7 @@ It is also possible to call drHEADer from within an existing project, and this i
from drheader import Drheader

# create drheader instance
drheader_instance = Drheader(headers={'X-XSS-Protection': '1; mode=block'}, status_code=200)
drheader_instance = Drheader(headers={'X-XSS-Protection': '1; mode=block'})

report = drheader_instance.analyze()
print(report)
Expand Down Expand Up @@ -124,6 +124,25 @@ drheader_instance = Drheader(url="http://test.com", verify=False)

Other arguments may be included in the future such as _timeout_, *allow_redirects* or _proxies_.

#### Cross-Origin Isolation
The default rules in drHEADer support cross-origin isolation via the `Cross-Origin-Embedder-Policy` and
`Cross-Origin-Opener-Policy` headers. Due to the potential for this to break websites that have not yet properly
configured their sub-resources for cross-origin isolation, these validations are opt-in at analysis time. If you want to
enforce these cross-origin isolation validations, you must pass the `cross-origin-isolated` flag.

Using the CLI:
```shell
$ drheader scan single https://example.com --cross-origin-isolated
```

In a project:
```python
import drheader

drheader_instance = drheader.Drheader(url='https://example.com')
drheader_instance.analyze(cross_origin_isolated=True)
```

## How Do I Customise drHEADer Rules?

DrHEADer relies on a yaml file that defines the policy it will use when auditing security headers. The file is located at `./drheader/rules.yml`, and you can customise it to fit your particular needs. Please follow this [link](RULES.md) if you want to know more.
Expand All @@ -137,7 +156,7 @@ DrHEADer relies on a yaml file that defines the policy it will use when auditing
We have a lot of ideas for drHEADer, and will push often as a result. Some of the things you'll see shortly are:

* Building on the Python library to make it easier to embed in your own projects.
* Releasing the API, which is seperate from the core library - the API allows you to hit URLs or endpoints at scale
* Releasing the API, which is separate from the core library - the API allows you to hit URLs or endpoints at scale
* Better integration into MiTM proxies.

## Who Is Behind It?
Expand Down
14 changes: 7 additions & 7 deletions RELEASING.md
Original file line number Diff line number Diff line change
@@ -1,18 +1,18 @@
# Releasing

Our approach to releasing new versions is quite simple. A new version will be released everytime there's a push to master branch.
Our approach to releasing new versions is quite simple. A new version will be released everytime there's a push to master branch.

We've managed to have all the process to bump version for next release in the different files fully automated by using [github actions](https://github.com/features/actions).
We've managed to have all the process to bump version for next release in the different files fully automated by using [GitHub Actions](https://github.com/features/actions).

We currently have 2 github actions configured in this repo, which will be triggered when:
We currently have 2 GitHub Actions configured in this repo, which will be triggered when:

* There's a pull request.
* If the PR is to a non master branch, this action will run standard checks like nosetests, flake8, bandit and safety to ensure everything is good with the code.
* If the PR is to a non-master branch, this action will run standard checks like pytest, flake8, bandit and safety to ensure everything is good with the code.
* If the PR is to the master branch, this action will run standard checks, automatically bump release version number in appropriate files and commit those changes to the pull request branch.
* There are changes pushed to master branch.
* This action will run standard checks, create the wheel, the release/tag using the version previously bumped and publish the artefact to Pypi

To bump version in files prior to release, we use [bump2version](https://github.com/c4urself/bump2version). The configuration for it to know what is the current version, what files need to have the version bumped up and what is the next version is in `setup.cfg`.
To bump version in files prior to release, we use [bump2version](https://github.com/c4urself/bump2version). The configuration for it to know what is the current version, what files need to have the version bumped up and what is the next version is in `setup.cfg`.

```ini
[bumpversion]
Expand All @@ -36,6 +36,6 @@ replace = __version__ = '{new_version}'
...
```

With this configuration, we are specifying that only those three files need to have the version bumped before release. By default, `bump2version` bumps a minor version (ie . from 1.2.2 to 1.3.0), but if we want it to be a major version or a patch bump, we only need to specify the `new_version` attribute in the configuration with the version we want to use for the release.
With this configuration, we are specifying that only those three files need to have the version bumped before release. By default, `bump2version` bumps a minor version (ie . from 1.2.2 to 1.3.0), but if we want it to be a major version or a patch bump, we only need to specify the `new_version` attribute in the configuration with the version we want to use for the release.

**Note**: Master and develop branches are protected. It means that we require commits to be pushed through pull requests, status checks to pass before merging and restrict who can push to those branches. We aimed to have the release process fully automated, but because issues described [here](https://gh.neting.ccmunity/t5/GitHub-Actions/How-to-push-to-protected-branches-in-a-GitHub-Action/td-p/29609) or [here](https://gh.neting.ccmunity/t5/GitHub-Actions/Automatic-version-update-in-protected-branch/m-p/56469#M9895) when using github actions for this, we decided that disabling this protection in **develop** branch just when a PR from develop to master is submitted would be a good approach for us, so that the action that bumps the versions and commits the changes back can complete successfuly.
**Note**: Master and develop branches are protected. It means that we require commits to be pushed through pull requests, status checks to pass before merging and restrict who can push to those branches. We aimed to have the release process fully automated, but because issues described [here](https://gh.neting.ccmunity/t5/GitHub-Actions/How-to-push-to-protected-branches-in-a-GitHub-Action/td-p/29609) or [here](https://gh.neting.ccmunity/t5/GitHub-Actions/Automatic-version-update-in-protected-branch/m-p/56469#M9895) when using GitHub Actions for this, we decided that disabling this protection in **develop** branch just when a PR from develop to master is submitted would be a good approach for us, so that the action that bumps the versions and commits the changes back can complete successfully.
Loading

0 comments on commit c2098d5

Please sign in to comment.