getDefaultDirectives should do a deep copy
See [#463] and [#465].

[#463]: #463
[#465]: #465
sohrb authored and EvanHahn committed Sep 28, 2024
1 parent 2e5fb1b commit a603b0b
Showing 3 changed files with 12 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -6,6 +6,7 @@

- **Breaking:** `Strict-Transport-Security` now has a max-age of 365 days, up from 180
- **Breaking:** `Content-Security-Policy` middleware now throws an error if a directive should have quotes but does not, such as `self` instead of `'self'`. See [#454](https://github.com/helmetjs/helmet/issues/454)
- **Breaking:** `Content-Security-Policy`'s `getDefaultDirectives` now returns a deep copy. This only affects users who were mutating the result
- **Breaking:** `Strict-Transport-Security` now throws an error when "includeSubDomains" option is misspelled. This was previously a warning

### Removed
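Review bot: the new `getDefaultDirectives` bullet is the only Breaking entry in this hunk that describes a behaviour change without pointing at its issue; the commit message cites #463 and #465, so link them the way the quoting entry links [#454](https://github.com/helmetjs/helmet/issues/454). It would also help readers to spell out what "mutating the result" used to do, since the old copy was a shallow spread: pushing onto a nested array such as `img-src` modified the shared defaults, whereas reassigning a top-level key did not. Something like "Previously, mutating nested arrays in the result also changed the defaults used by the middleware" makes the upgrade risk concrete.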
2 changes: 1 addition & 1 deletion middlewares/content-security-policy/index.ts
@@ -68,7 +68,7 @@ const SHOULD_BE_QUOTED: ReadonlySet<string> = new Set([
"wasm-unsafe-eval",
]);

const getDefaultDirectives = () => ({ ...DEFAULT_DIRECTIVES });
const getDefaultDirectives = () => structuredClone(DEFAULT_DIRECTIVES);

const dashify = (str: string): string =>
str.replace(/[A-Z]/g, (capitalLetter) => "-" + capitalLetter.toLowerCase());
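Review bot: `structuredClone` is a runtime global rather than an import, so this line silently raises the minimum supported Node version; please confirm the package's `engines` range only admits releases that provide it, otherwise `getDefaultDirectives()` fails with a `ReferenceError` at call time instead of returning defaults. Two follow-ups worth a one-line comment above the new line: `structuredClone` throws for values it cannot clone (functions included), so `DEFAULT_DIRECTIVES` must stay limited to plain arrays of strings, and the reason a deep copy is needed (nested arrays were shared under `{ ...DEFAULT_DIRECTIVES }`) is not obvious to the next reader without visiting #463 and #465.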
10 changes: 10 additions & 0 deletions test/content-security-policy.test.ts
@@ -581,4 +581,14 @@ describe("getDefaultDirectives", () => {
contentSecurityPolicy.getDefaultDirectives,
);
});

it("returns a new copy each time", () => {
const one = getDefaultDirectives();
one["worker-src"] = ["ignored.example"];
(one["img-src"] as Array<string>).push("ignored.example");

const two = getDefaultDirectives();
expect(two).not.toHaveProperty("worker-src");
expect(two["img-src"]).not.toContain("ignored.example");
});
});
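Review bot: the test proves that mutating `one` does not leak into `two`, covering both the new top-level key and the nested `img-src` array, but it never asserts on the middleware itself, and the user-visible bug was that `contentSecurityPolicy()` with no options would emit a header built from mutated defaults; one extra assertion that the header produced after the mutation still matches the untouched defaults would pin the regression at the point where it actually mattered. Minor: the existing test above refers to `contentSecurityPolicy.getDefaultDirectives` while the new one calls a bare `getDefaultDirectives`; if both resolve to the same export, pick one form so the file is consistent.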
