Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Content-Security-Policy getDefaultDirectives should return a deep copy #463

Closed
EvanHahn opened this issue Apr 27, 2024 · 3 comments
Closed

Content-Security-Policy getDefaultDirectives should return a deep copy #463

EvanHahn opened this issue Apr 27, 2024 · 3 comments
Labels
good starter task
Milestone
v8.0.0

Comments

@EvanHahn
Copy link
Member

getDefaultDirectives returns a shallow copy:

helmet/middlewares/content-security-policy/index.ts

Line 71 in 6475da1

const getDefaultDirectives = () => ({ ...DEFAULT_DIRECTIVES });

Someone could mutate this object and cause chaos. We should:

  1. Update this function to do a simple deep clone. I wouldn't pull in a library for this; I would update this function to return a copy.
  2. Add a test to ensure that each call gives a separate copy. Try mutating one and verify that the change doesn't appear if you call getDefaultDirectives again.

This is technically a breaking change so it should be made against the v8.0.0 branch.
@EvanHahn EvanHahn added this to the v8.0.0 milestone Apr 27, 2024
@sohrb sohrb mentioned this issue Apr 28, 2024
Merged
@sohrb
Copy link
Contributor

sohrb commented Apr 28, 2024
edited
Loading

Two things to note:

  • I do not see how the original code allowed for unsafe mutation since the spread operator is returning a copy (all be it a shallow one).
  • the structuredClone API provided by Node does perform a deep copy but doesn't copy functions. Is that a deal breaker?

@EvanHahn
Copy link
Member Author

You could cause a problem if you mutate one of the arrays. For example:

const one = getDefaultDirectives();
one["script-src"].push("https://garbage.example");

const two = getDefaultDirectives();
console.log(two["script-src"]);
// => ["'self'", "https://garbage.example"]

EvanHahn pushed a commit that referenced this issue Apr 29, 2024
@sohrb
getDefaultDirectives should do a deep copy
d9319b8 
See [#463] and [#465].

[#463]: #463
[#465]: #465
@EvanHahn
Copy link
Member Author

Done in d9319b8/#465.

EvanHahn pushed a commit that referenced this issue May 25, 2024
@sohrb @EvanHahn
getDefaultDirectives should do a deep copy
f43935a 
See [#463] and [#465].

[#463]: #463
[#465]: #465
EvanHahn pushed a commit that referenced this issue Jun 1, 2024
@sohrb @EvanHahn
getDefaultDirectives should do a deep copy
e8707b4 
See [#463] and [#465].

[#463]: #463
[#465]: #465
EvanHahn pushed a commit that referenced this issue Sep 28, 2024
@sohrb @EvanHahn
getDefaultDirectives should do a deep copy
a603b0b 
See [#463] and [#465].

[#463]: #463
[#465]: #465
EvanHahn pushed a commit that referenced this issue Sep 28, 2024
@sohrb @EvanHahn
getDefaultDirectives should do a deep copy
a8befb3 
See [#463] and [#465].

[#463]: #463
[#465]: #465
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good starter task
Milestone
v8.0.0
Development

No branches or pull requests
2 participants
@EvanHahn @sohrb