Fix issue with downgrade fnctions stripping out any directive not end…

…ing with '-src'
Munter · Feb 22, 2017 · 0bc3473 · 0bc3473
1 parent b55052f
commit 0bc3473
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 10 deletions.
diff --git a/lib/downgradeCsp2ToCsp1.js b/lib/downgradeCsp2ToCsp1.js
@@ -13,8 +13,9 @@ function stripPathsFromSourceExpression(sourceExpression) {
 }
 
 module.exports = function downgradeCsp2ToCsp1(parsedCsp) {
-    return Object.keys(parsedCsp).reduce((newCsp, directiveName) => {
-        if (/Src$/.test(directiveName)) {
+    return Object.keys(parsedCsp)
+        .filter(directiveName => /Src$/.test(directiveName))
+        .reduce((newCsp, directiveName) => {
             const oldValue = parsedCsp[directiveName];
             // Filter away nonces and hashes
             const newValue = oldValue.filter(token => !/^'(?:nonce|sha\d+-)/i.test(token));
@@ -26,8 +27,7 @@ module.exports = function downgradeCsp2ToCsp1(parsedCsp) {
 
             // Strip paths from source expressions and remove duplicates
             newCsp[directiveName] = Array.from(new Set(newValue.map(stripPathsFromSourceExpression)));
-        }
 
-        return newCsp;
-    }, {});
+            return newCsp;
+        }, Object.assign({}, parsedCsp));
 };
diff --git a/lib/downgradeCsp3ToCsp2.js b/lib/downgradeCsp3ToCsp2.js
@@ -1,6 +1,7 @@
 module.exports = function downgradeCsp3ToCsp2(parsedCsp) {
-    return Object.keys(parsedCsp).reduce((newCsp, directiveName) => {
-        if (/Src$/.test(directiveName)) {
+    return Object.keys(parsedCsp)
+        .filter(directiveName => /Src$/.test(directiveName))
+        .reduce((newCsp, directiveName) => {
             const oldValue = parsedCsp[directiveName];
             // Remove unsafe-hashed-attributes and strict-dynamic
             const newValue = parsedCsp[directiveName].filter(token => !/^'(?:unsafe-hashed-attributes|strict-dynamic)'$/i.test(token));
@@ -10,8 +11,7 @@ module.exports = function downgradeCsp3ToCsp2(parsedCsp) {
             }
 
             newCsp[directiveName] = Array.from(new Set(newValue));
-        }
 
-        return newCsp;
-    }, {});
+            return newCsp;
+        }, Object.assign({}, parsedCsp));
 };
diff --git a/test/downgradeCsp2ToCsp1.js b/test/downgradeCsp2ToCsp1.js
@@ -25,6 +25,10 @@ expect.addAssertion('<object|string> to come out as <object|string>', (expect, s
 });
 
 describe('downgradeCsp2ToCsp1', () => {
+    it('should leave all directives not ending in -src untouched', () => {
+        expect('report-uri http://mntr.dk', 'to come out as', 'report-uri http://mntr.dk');
+    });
+
     it('should leave unsafe-inline', () => {
         expect("script-src 'unsafe-inline'", 'to come out as', "script-src 'unsafe-inline'");
     });

diff --git a/test/downgradeCsp3ToCsp2.js b/test/downgradeCsp3ToCsp2.js
@@ -25,6 +25,10 @@ expect.addAssertion('<object|string> to come out as <object|string>', (expect, s
 });
 
 describe('downgradeCsp3ToCsp2', () => {
+    it('should leave all directives not ending in -src untouched', () => {
+        expect('report-uri http://mntr.dk', 'to come out as', 'report-uri http://mntr.dk');
+    });
+
     it("should replace 'unsafe-hashed-attributes' with 'unsafe-inline'", () => {
         expect("script-src 'unsafe-hashed-attributes'", 'to come out as', "script-src 'unsafe-inline'");
     });