From 91ef5c8eb05348b8c46626a99ef18468b5fcfe94 Mon Sep 17 00:00:00 2001
From: Tsotne Gvadzabia
Date: Thu, 1 Aug 2024 20:13:12 +0100
Subject: [PATCH 1/2] finish policy merging and tests

---
 packages/vite-plugin-hash-csp/src/utils.ts | 24 +++++++++++--
 .../tests/policies.test.ts | 36 +++++++++++++++++++
 2 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 packages/vite-plugin-hash-csp/tests/policies.test.ts

diff --git a/packages/vite-plugin-hash-csp/src/utils.ts b/packages/vite-plugin-hash-csp/src/utils.ts
index 4748a83..4dae77c 100644
--- a/packages/vite-plugin-hash-csp/src/utils.ts
+++ b/packages/vite-plugin-hash-csp/src/utils.ts
@@ -39,10 +39,28 @@ export const htmlFilter = createFilter("**.html");
 export const mergePolicies = (
 defaultPolicy: CSPPolicy,
 userPolicy: CSPPolicy | undefined
-) => {
+): CSPPolicy => {
 if (!userPolicy) return defaultPolicy;
- // Simple object merge; we might be able to get away without deep merge
- return { ...defaultPolicy, ...userPolicy };
+
+ const mergedPolicy: CSPPolicy = { ...defaultPolicy };
+
+ for (const key in userPolicy as CSPPolicy) {
+ const _key = key as keyof CSPPolicy;
+ if (userPolicy.hasOwnProperty(key)) {
+ const defaultValues = defaultPolicy[_key] || [];
+ const userValues = userPolicy[_key] || [];
+
+ if (Array.isArray(userValues)) {
+ mergedPolicy[_key] = Array.from(
+ new Set([...defaultValues, ...userValues])
+ );
+ } else {
+ mergedPolicy[_key] = userValues;
+ }
+ }
+ }
+
+ return mergedPolicy;
 };

 export const parseOutliers = (outliers: Array) => {
diff --git a/packages/vite-plugin-hash-csp/tests/policies.test.ts b/packages/vite-plugin-hash-csp/tests/policies.test.ts
new file mode 100644
index 0000000..3d46afa
--- /dev/null
+++ b/packages/vite-plugin-hash-csp/tests/policies.test.ts
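Review bot: In `mergePolicies` (src/utils.ts), the array branch only ever unions user values onto the defaults, so a user policy cannot tighten a directive: `"img-src": ["'none'"]` merges to `'self' data: 'none'`, and browsers ignore `'none'` when other source expressions are present, leaving the directive as permissive as the default. Consider letting a user list that contains `'none'` replace the default, e.g. `mergedPolicy[_key] = userValues.includes("'none'") ? userValues : Array.from(new Set([...defaultValues, ...userValues]));`, or document that defaults cannot be removed. Separately, `userPolicy.hasOwnProperty(key)` is safer written as `Object.prototype.hasOwnProperty.call(userPolicy, key)`. The spread of `defaultValues` also assumes every default is an array, which the `else` branch suggests `CSPPolicy` may not guarantee.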
@@ -0,0 +1,36 @@
+import { describe, expect, test } from "vitest";
+import { CSPPolicy } from "../src/types";
+import { mergePolicies } from "../src/utils";
+import { DEFAULT_POLICY } from "../src/policy/constants";
+
+describe("Policy Tests", () => {
+ test("Simple Policy Merge", () => {
+ const policy: CSPPolicy = {
+ "frame-src": ["example.com"],
+ };
+ const mergedPolicy = mergePolicies(DEFAULT_POLICY, policy);
+
+ expect(mergedPolicy).toEqual({
+ "default-src": ["'self'"],
+ "img-src": ["'self'", "data:"],
+ "script-src-elem": ["'self'"],
+ "style-src-elem": ["'self'"],
+ "frame-src": ["example.com"],
+ });
+ });
+
+ test("Deep Policy Merge", () => {
+ const policy: CSPPolicy = {
+ "img-src": ["example.com"],
+ };
+
+ const mergedPolicy = mergePolicies(DEFAULT_POLICY, policy);
+
+ expect(mergedPolicy).toEqual({
+ "default-src": ["'self'"],
+ "img-src": ["'self'", "data:", "example.com"],
+ "script-src-elem": ["'self'"],
+ "style-src-elem": ["'self'"],
+ });
+ });
+});

From 3c0dc0a07fc2593f739af3e4e6a85970a1f56a68 Mon Sep 17 00:00:00 2001
From: Tsotne Gvadzabia
Date: Thu, 1 Aug 2024 20:23:24 +0100
Subject: [PATCH 2/2] workflow updates

---
 .github/workflows/release.yml | 14 ++++++++++++++
 .github/workflows/triage.yml | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8124a63..c76727e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,6 +23,20 @@ jobs:
 name: package-dist
 retention-days: 30
 path: packages/vite-plugin-hash-csp/dist
+ - name: Run Unit Tests
+ run: pnpm p:test
+
+ - name: Install Playwright Browsers
+ run: npx playwright install --with-deps chromium
+
+ - name: Run tests
+ run: pnpm test
+ - uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: playwright-report
+ path: playwright-report/
+ retention-days: 5

 publish:
 runs-on: ubuntu-latest
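Review bot: Both expectations in `policies.test.ts` restate the contents of `DEFAULT_POLICY` literally, so the tests break on any change to the defaults and do not show which part of the result comes from the merge. Building the expectation from the constant, e.g. `expect(mergedPolicy).toEqual({ ...DEFAULT_POLICY, "frame-src": ["example.com"] })`, keeps the assertion on the merge itself. The de-duplication path and the `userPolicy === undefined` early return have no test; a case passing `"img-src": ["'self'"]` and one passing `undefined` would cover them. A case with `"img-src": ["'none'"]` would also pin down what the plugin intends when a user tries to tighten a default directive.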
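Review bot: The new test steps in release.yml run after the `package-dist` upload step visible in the context lines, so a failing test still leaves a dist artifact uploaded from that run. Moving `Run Unit Tests` and the Playwright steps ahead of the upload would make the artifact exist only for tested builds. Whether `publish` waits on this job is outside the hunk, so confirm it declares `needs:` on it; otherwise the tests do not gate the release at all. In the install step, `run: pnpm exec playwright install --with-deps chromium` would keep the Playwright CLI on the lockfile-pinned version, whereas `npx` can fall back to fetching the package from the registry if it is not resolvable locally.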
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index 1c5d057..59f0960 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -27,7 +27,7 @@ jobs:
 run: npx playwright install --with-deps chromium

 - name: Run tests
- run: npm run test
+ run: pnpm test
 - uses: actions/upload-artifact@v4
 if: always()
 with: