fix: sort csp directives per w3 spec (#96)

unrolled · web-flow · commit 3d539f92663c · 2024-06-25T10:38:15.000-06:00
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -28,4 +28,4 @@ jobs:
           path: src/github.com/unrolled/secure
       - uses: golangci/golangci-lint-action@v4
         with:
-          working-directory: src/github.com/7shifts/seven-deploy
+          working-directory: src/github.com/unrolled/secure
diff --git a/cspbuilder/builder.go b/cspbuilder/builder.go
@@ -1,6 +1,7 @@
 package cspbuilder
 
 import (
+	"sort"
 	"strings"
 )
 
@@ -62,7 +63,16 @@ func (builder *Builder) MustBuild() string {
 func (builder *Builder) Build() (string, error) {
 	var sb strings.Builder
 
-	for directive := range builder.Directives {
+	// Pull the directive keys out.
+	directiveKeys := []string{}
+	for key := range builder.Directives {
+		directiveKeys = append(directiveKeys, key)
+	}
+
+	// Sort the policies: https://www.w3.org/TR/CSP3/#framework-policy
+	sort.Strings(directiveKeys)
+
+	for _, directive := range directiveKeys {
 		if sb.Len() > 0 {
 			sb.WriteString("; ")
 		}
diff --git a/cspbuilder/builder_test.go b/cspbuilder/builder_test.go
@@ -63,6 +63,7 @@ func TestContentSecurityPolicyBuilder_Build_MultipleDirectives(t *testing.T) {
 		directives map[string]([]string)
 		builder    Builder
 		wantParts  []string
+		wantFull   string
 		wantErr    bool
 	}{
 		{
@@ -86,6 +87,8 @@ func TestContentSecurityPolicyBuilder_Build_MultipleDirectives(t *testing.T) {
 				"trusted-types policy-1 policy-#=_/@.% 'allow-duplicates'",
 				"upgrade-insecure-requests",
 			},
+
+			wantFull: "default-src 'self' example.com *.example.com; frame-ancestors 'self' http://*.example.com; report-to group1; require-trusted-types-for 'script'; sandbox allow-scripts; trusted-types policy-1 policy-#=_/@.% 'allow-duplicates'; upgrade-insecure-requests",
 		},
 	}
 	for _, tt := range tests {
@@ -101,6 +104,10 @@ func TestContentSecurityPolicyBuilder_Build_MultipleDirectives(t *testing.T) {
 				return
 			}
 
+			if got != tt.wantFull {
+				t.Errorf("ContentSecurityPolicyBuilder.Build() full = %v, but wanted %v", got, tt.wantFull)
+			}
+
 			{
 				startsWithDirective := false
 

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@ func TestContentSecurityPolicyBuilder_Build_MultipleDirectives(t *testing.T) {`
`63`	`63`	`directives map[string]([]string)`
`64`	`64`	`builder Builder`
`65`	`65`	`wantParts []string`
	`66`	`+ wantFull string`
`66`	`67`	`wantErr bool`
`67`	`68`	`}{`
`68`	`69`	`{`
`@@ -86,6 +87,8 @@ func TestContentSecurityPolicyBuilder_Build_MultipleDirectives(t *testing.T) {`
`86`	`87`	`"trusted-types policy-1 policy-#=_/@.% 'allow-duplicates'",`
`87`	`88`	`"upgrade-insecure-requests",`
`88`	`89`	`},`
	`90`	`+`
	`91`	`+ wantFull: "default-src 'self' example.com .example.com; frame-ancestors 'self' http://.example.com; report-to group1; require-trusted-types-for 'script'; sandbox allow-scripts; trusted-types policy-1 policy-#=_/@.% 'allow-duplicates'; upgrade-insecure-requests",`
`89`	`92`	`},`
`90`	`93`	`}`
`91`	`94`	`for _, tt := range tests {`
`@@ -101,6 +104,10 @@ func TestContentSecurityPolicyBuilder_Build_MultipleDirectives(t *testing.T) {`
`101`	`104`	`return`
`102`	`105`	`}`
`103`	`106`
	`107`	`+ if got != tt.wantFull {`
	`108`	`+ t.Errorf("ContentSecurityPolicyBuilder.Build() full = %v, but wanted %v", got, tt.wantFull)`
	`109`	`+ }`
	`110`	`+`
`104`	`111`	`{`
`105`	`112`	`startsWithDirective := false`
`106`	`113`