Merge pull request #37 from marekdedic/header-quoting
Always quote header values
marekdedic authored Jun 30, 2024
2 parents f0a66bb + 0a17a08 commit ef9fe97
Showing 37 changed files with 44 additions and 40 deletions.
2 changes: 1 addition & 1 deletion __tests__/specs/Header/Header-add-output.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header add X-Content-Type-Options nosniff
Header add X-Content-Type-Options "nosniff"
2 changes: 1 addition & 1 deletion __tests__/specs/Header/Header-always-set-output.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header always set X-Content-Type-Options nosniff
Header always set X-Content-Type-Options "nosniff"
2 changes: 1 addition & 1 deletion __tests__/specs/Header/Header-append-output.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header append X-Content-Type-Options nosniff
Header append X-Content-Type-Options "nosniff"
2 changes: 1 addition & 1 deletion __tests__/specs/Header/Header-merge-output.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header merge X-Content-Type-Options nosniff
Header merge X-Content-Type-Options "nosniff"
2 changes: 1 addition & 1 deletion __tests__/specs/Header/Header-set-envVar-output.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set X-Content-Type-Options nosniff env=MY_VAR
Header set X-Content-Type-Options "nosniff" env=MY_VAR
2 changes: 1 addition & 1 deletion __tests__/specs/Header/Header-set-envVar-unset-output.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set X-Content-Type-Options nosniff env=!MY_VAR
Header set X-Content-Type-Options "nosniff" env=!MY_VAR
2 changes: 1 addition & 1 deletion __tests__/specs/Header/Header-set-expression-output.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set X-Content-Type-Options nosniff "expr=%{md5:foo}"
Header set X-Content-Type-Options "nosniff" "expr=%{md5:foo}"
2 changes: 1 addition & 1 deletion __tests__/specs/Header/Header-set-output.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set X-Content-Type-Options nosniff
Header set X-Content-Type-Options "nosniff"
2 changes: 1 addition & 1 deletion __tests__/specs/Header/Header-setifempty-output.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header setifempty X-Content-Type-Options nosniff
Header setifempty X-Content-Type-Options "nosniff"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Permissions-Policy accelerometer=*, ambient-light-sensor=(src), attribution-reporting=(self src), autoplay=(self), battery=(self "https://site1.example"), bluetooth=(src), camera=*, compute-pressure=(src "https://site1.example" "http://site2.example"), display-capture=(self src "https://site1.example" "http://site2.example" "https://site3.example"), document-domain=(src), encrypted-media=(self src), execution-while-not-rendered=(src), execution-while-out-of-viewport=(self), fullscreen=(src), gamepad=(src), geolocation=(self), gyroscope=(self), hid=(self "https://site1.example"), identity-credentials-get=*, idle-detection=*, local-fonts=*, magnetometer=(self src "https://site1.example" "http://site2.example" "https://site3.example"), microphone=(self src), midi=(self src), otp-credentials=(src), payment=(self src "https://site1.example" "http://site2.example" "https://site3.example"), picture-in-picture=(self), publickey-credentials-create=(), publickey-credentials-get=(src), screen-wake-lock=*, serial=*, speaker-selection=(src "https://site1.example" "http://site2.example"), storage-access=(src), usb=*, web-share=(), window-management=*, xr-spatial-tracking=()
Header set Permissions-Policy "accelerometer=*, ambient-light-sensor=(src), attribution-reporting=(self src), autoplay=(self), battery=(self \"https://site1.example\"), bluetooth=(src), camera=*, compute-pressure=(src \"https://site1.example\" \"http://site2.example\"), display-capture=(self src \"https://site1.example\" \"http://site2.example\" \"https://site3.example\"), document-domain=(src), encrypted-media=(self src), execution-while-not-rendered=(src), execution-while-out-of-viewport=(self), fullscreen=(src), gamepad=(src), geolocation=(self), gyroscope=(self), hid=(self \"https://site1.example\"), identity-credentials-get=*, idle-detection=*, local-fonts=*, magnetometer=(self src \"https://site1.example\" \"http://site2.example\" \"https://site3.example\"), microphone=(self src), midi=(self src), otp-credentials=(src), payment=(self src \"https://site1.example\" \"http://site2.example\" \"https://site3.example\"), picture-in-picture=(self), publickey-credentials-create=(), publickey-credentials-get=(src), screen-wake-lock=*, serial=*, speaker-selection=(src \"https://site1.example\" \"http://site2.example\"), storage-access=(src), usb=*, web-share=(), window-management=*, xr-spatial-tracking=()"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Permissions-Policy fullscreen=*
Header set Permissions-Policy "fullscreen=*"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Permissions-Policy fullscreen=(self src "https://site1.example" "http://site2.example" "https://site3.example")
Header set Permissions-Policy "fullscreen=(self src \"https://site1.example\" \"http://site2.example\" \"https://site3.example\")"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Permissions-Policy fullscreen=()
Header set Permissions-Policy "fullscreen=()"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Permissions-Policy fullscreen=("https://site1.example" "http://site2.example" "https://site3.example")
Header set Permissions-Policy "fullscreen=(\"https://site1.example\" \"http://site2.example\" \"https://site3.example\")"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Permissions-Policy fullscreen=(self)
Header set Permissions-Policy "fullscreen=(self)"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Permissions-Policy fullscreen=(src)
Header set Permissions-Policy "fullscreen=(src)"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Referrer-Policy no-referrer
Header set Referrer-Policy "no-referrer"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Referrer-Policy no-referrer-when-downgrade
Header set Referrer-Policy "no-referrer-when-downgrade"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Referrer-Policy origin
Header set Referrer-Policy "origin"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Referrer-Policy origin-when-cross-origin
Header set Referrer-Policy "origin-when-cross-origin"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Referrer-Policy same-origin
Header set Referrer-Policy "same-origin"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Referrer-Policy strict-origin
Header set Referrer-Policy "strict-origin"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Referrer-Policy strict-origin-when-cross-origin
Header set Referrer-Policy "strict-origin-when-cross-origin"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Referrer-Policy unsafe-url
Header set Referrer-Policy "unsafe-url"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Strict-Transport-Security max-age=42
Header set Strict-Transport-Security "max-age=42"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Strict-Transport-Security max-age=31536000; includeSubDomains; preload
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set Strict-Transport-Security max-age=42; includeSubDomains
Header set Strict-Transport-Security "max-age=42; includeSubDomains"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set X-Content-Type-Options nosniff
Header set X-Content-Type-Options "nosniff"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set X-Frame-Options DENY
Header set X-Frame-Options "DENY"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set X-Frame-Options SAMEORIGIN
Header set X-Frame-Options "SAMEORIGIN"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set X-Xss-Protection 1; mode=block
Header set X-Xss-Protection "1; mode=block"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set X-Xss-Protection 0
Header set X-Xss-Protection "0"
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Header set X-Xss-Protection 1
Header set X-Xss-Protection "1"
11 changes: 7 additions & 4 deletions src/directives/Header.ts
Original file line number Diff line number Diff line change
Expand Up @@ -100,10 +100,13 @@ export function buildHeader(spec: HeaderSpecUnion): string {
parts.push(spec.action, spec.header);
if (["add", "append", "merge", "set", "setifempty"].includes(spec.action)) {
parts.push(
buildHeaderValue(
spec.header,
(spec as { value: HeaderValueSpecMap[keyof HeaderValueSpecMap] }).value,
),
'"' +
buildHeaderValue(
spec.header,
(spec as { value: HeaderValueSpecMap[keyof HeaderValueSpecMap] })
.value,
) +
'"',
);
} else if (["edit", "edit*"].includes(spec.action)) {
parts.push('"' + escapeValue((spec as { value: string }).value) + '"');
Expand Down
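Review bot: The outer `'"' + … + '"'` now wrapped around buildHeaderValue in the `parts.push(` call makes every per-header builder responsible for escaping any double quote inside the bare value it returns, and nothing in the hunk records that contract; the ContentSecurityPolicy, PermissionsPolicy and XXssProtection hunks in this commit all change to match it, with PermissionsPolicy hand-writing `\"` around each origin. Whether escapeValue itself rewrites `"` as `\"` is not visible in this diff; if it does not, a builder output that contains a double quote (the XXssProtection report URI, for example) would end the quoted argument early once it is wrapped here. I would add above the push: `// Builders return the bare value; any '"' inside it must already be backslash-escaped, because it is wrapped in exactly one pair of quotes here.` The body of buildHeader starts and ends outside this hunk.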
2 changes: 1 addition & 1 deletion src/directives/Header/ContentSecurityPolicy.ts
Original file line number Diff line number Diff line change
Expand Up @@ -185,5 +185,5 @@ export function buildContentSecurityPolicyValue(
),
);
}
return '"' + parts.join("; ") + '"';
return parts.join("; ");
}
3 changes: 2 additions & 1 deletion src/directives/Header/PermissionsPolicy.ts
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,8 @@ function buildAllowlist(allowlist: PermissionsPolicyAllowlist): string {
return "*";
}
const list =
allowlist.origins?.map((origin) => '"' + escapeValue(origin) + '"') ?? [];
allowlist.origins?.map((origin) => '\\"' + escapeValue(origin) + '\\"') ??
[];
if (allowlist.src === true) {
list.unshift("src");
}
Expand Down
2 changes: 1 addition & 1 deletion src/directives/Header/XXssProtection.ts
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ export function buildXXssProtectionValue(spec: XXssProtectionSpec): string {
return "0";
case "sanitize":
if (spec.reportUri !== undefined) {
return '"1; report=' + escapeValue(spec.reportUri) + '"';
return "1; report=" + escapeValue(spec.reportUri);
}
return "1";
}
Expand Down

0 comments on commit ef9fe97

Please sign in to comment.