fastify-helmet - npm Package Compare versions

Comparing version 5.3.0 to 5.3.1

index.js

@@ -25,2 +25,5 @@ 'use strict'
     app.addHook('onRequest', function (req, reply, next) {
+      // prevent object reference #118
+      const directives = { ...cspDirectives }
+
       // create csp nonce
@@ -34,11 +37,11 @@ reply.cspNonce = {
       // allow both script-src or scriptSrc syntax
-      const scriptKey = Array.isArray(cspDirectives['script-src']) ? 'script-src' : 'scriptSrc'
-      cspDirectives[scriptKey] = Array.isArray(cspDirectives.scriptSrc) ? cspDirectives.scriptSrc : []
-      cspDirectives[scriptKey].push('nonce-' + reply.cspNonce.script)
+      const scriptKey = Array.isArray(directives['script-src']) ? 'script-src' : 'scriptSrc'
+      directives[scriptKey] = Array.isArray(directives[scriptKey]) ? [...directives[scriptKey]] : []
+      directives[scriptKey].push(`'nonce-${reply.cspNonce.script}'`)
       // allow both style-src or styleSrc syntax
-      const styleKey = Array.isArray(cspDirectives['style-src']) ? 'style-src' : 'styleSrc'
-      cspDirectives[styleKey] = Array.isArray(cspDirectives.styleSrc) ? cspDirectives.styleSrc : []
-      cspDirectives[styleKey].push('nonce-' + reply.cspNonce.style)
+      const styleKey = Array.isArray(directives['style-src']) ? 'style-src' : 'styleSrc'
+      directives[styleKey] = Array.isArray(directives[styleKey]) ? [...directives[styleKey]] : []
+      directives[styleKey].push(`'nonce-${reply.cspNonce.style}'`)
 
-      const cspMiddleware = helmet.contentSecurityPolicy({ directives: cspDirectives, reportOnly: cspReportOnly })
+      const cspMiddleware = helmet.contentSecurityPolicy({ directives, reportOnly: cspReportOnly })
       cspMiddleware(req.raw, reply.raw, next)
@@ -45,0 +48,0 @@ })

package.json

 {
   "name": "fastify-helmet",
-  "version": "5.3.0",
+  "version": "5.3.1",
   "description": "Important security headers for Fastify",
@@ -5,0 +5,0 @@ "main": "index.js",

README.md

 # fastify-helmet
-[![npm version](https://img.shields.io/npm/v/fastify-helmet)](https://www.npmjs.com/package/fastify-helmet)
-![CI workflow](https://github.com/fastify/fastify-helmet/workflows/CI%20workflow/badge.svg)
+
+![CI](https://github.com/fastify/fastify-helmet/workflows/CI/badge.svg)
+[![NPM version](https://img.shields.io/npm/v/fastify-helmet)](https://www.npmjs.com/package/fastify-helmet)
 [![Known Vulnerabilities](https://snyk.io/test/github/fastify/fastify-helmet/badge.svg)](https://snyk.io/test/github/fastify/fastify-helmet)
@@ -5,0 +6,0 @@ [![Coverage Status](https://coveralls.io/repos/github/fastify/fastify-helmet/badge.svg?branch=master)](https://coveralls.io/github/fastify/fastify-helmet?branch=master)

test.js

@@ -151,18 +151,14 @@ 'use strict'
 
-  let cspCache, res
+  let res
 
-  try {
-    res = await fastify.inject({ method: 'GET', url: '/' })
-    cspCache = res.json()
-    t.ok(cspCache.script)
-    t.ok(cspCache.style)
+  res = await fastify.inject({ method: 'GET', url: '/' })
+  const cspCache = res.json()
+  t.ok(cspCache.script)
+  t.ok(cspCache.style)
 
-    res = await fastify.inject({ method: 'GET', url: '/' })
-    const newCsp = res.json()
-    t.notEqual(cspCache, newCsp)
-    t.ok(cspCache.script)
-    t.ok(cspCache.style)
-  } catch (err) {
-    t.error(err)
-  }
+  res = await fastify.inject({ method: 'GET', url: '/' })
+  const newCsp = res.json()
+  t.notEqual(cspCache, newCsp)
+  t.ok(cspCache.script)
+  t.ok(cspCache.style)
 })
@@ -190,13 +186,102 @@
 
-  try {
-    const res = await fastify.inject({ method: 'GET', url: '/' })
-    const cspCache = res.json()
-    t.ok(cspCache.script)
-    t.ok(cspCache.style)
-    t.includes(res.headers, {
-      'content-security-policy': `default-src 'self';script-src 'self' nonce-${cspCache.script};style-src 'self' nonce-${cspCache.style}`
-    })
-  } catch (err) {
-    t.error(err)
-  }
+  const res = await fastify.inject({ method: 'GET', url: '/' })
+  const cspCache = res.json()
+  t.ok(cspCache.script)
+  t.ok(cspCache.style)
+  t.includes(res.headers, {
+    'content-security-policy': `default-src 'self';script-src 'self' 'nonce-${cspCache.script}';style-src 'self' 'nonce-${cspCache.style}'`
+  })
 })
+
+test('nonce array is not stacked in csp header', async (t) => {
+  t.plan(8)
+
+  const fastify = Fastify()
+  fastify.register(helmet, {
+    enableCSPNonces: true,
+    contentSecurityPolicy: {
+      directives: {
+        defaultSrc: ["'self'"],
+        scriptSrc: ["'self'"],
+        styleSrc: ["'self'"]
+      }
+    }
+  })
+
+  fastify.get('/', (request, reply) => {
+    t.ok(reply.cspNonce)
+    reply.send(reply.cspNonce)
+  })
+
+  let res = await fastify.inject({ method: 'GET', url: '/' })
+  let cspCache = res.json()
+  t.ok(cspCache.script)
+  t.ok(cspCache.style)
+  t.includes(res.headers, {
+    'content-security-policy': `default-src 'self';script-src 'self' 'nonce-${cspCache.script}';style-src 'self' 'nonce-${cspCache.style}'`
+  })
+
+  res = await fastify.inject({ method: 'GET', url: '/' })
+  cspCache = res.json()
+  t.ok(cspCache.script)
+  t.ok(cspCache.style)
+  t.includes(res.headers, {
+    'content-security-policy': `default-src 'self';script-src 'self' 'nonce-${cspCache.script}';style-src 'self' 'nonce-${cspCache.style}'`
+  })
+})
+
+test('access the correct options property', async (t) => {
+  t.plan(4)
+
+  const fastify = Fastify()
+  fastify.register(helmet, {
+    enableCSPNonces: true,
+    contentSecurityPolicy: {
+      directives: {
+        ...helmet.contentSecurityPolicy.getDefaultDirectives(),
+        'script-src': ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
+        'style-src': ["'self'", "'unsafe-inline'"]
+      }
+    }
+  })
+
+  fastify.get('/', (request, reply) => {
+    t.ok(reply.cspNonce)
+    reply.send(reply.cspNonce)
+  })
+
+  const res = await fastify.inject({ method: 'GET', url: '/' })
+  const cspCache = res.json()
+  t.ok(cspCache.script)
+  t.ok(cspCache.style)
+  t.includes(res.headers, {
+    'content-security-policy': `default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self' 'unsafe-eval' 'unsafe-inline' 'nonce-${cspCache.script}';script-src-attr 'none';style-src 'self' 'unsafe-inline' 'nonce-${cspCache.style}';upgrade-insecure-requests`
+  })
+})
+
+test('do not set script-src or style-src', async (t) => {
+  t.plan(4)
+
+  const fastify = Fastify()
+  fastify.register(helmet, {
+    enableCSPNonces: true,
+    contentSecurityPolicy: {
+      directives: {
+        defaultSrc: ["'self'"]
+      }
+    }
+  })
+
+  fastify.get('/', (request, reply) => {
+    t.ok(reply.cspNonce)
+    reply.send(reply.cspNonce)
+  })
+
+  const res = await fastify.inject({ method: 'GET', url: '/' })
+  const cspCache = res.json()
+  t.ok(cspCache.script)
+  t.ok(cspCache.style)
+  t.includes(res.headers, {
+    'content-security-policy': `default-src 'self';script-src 'nonce-${cspCache.script}';style-src 'nonce-${cspCache.style}'`
+  })
+})

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

21241

increased by15.3%

Lines of code

414

increased by22.12%

Number of lines in readme file

119

increased by0.85%

Number of medium supply chain risk alerts

0

decreased by-100%

No dependency changes