fix: remove duplicate values from CSP directives

Author: crgwbr

csp/tests/test_templatetags.py

@@ -39,7 +39,7 @@ def test_async_attribute_with_falsey(self) -> None:
             {% script src="foo.com/bar.js" async=False %}
             {% endscript %}"""
 
-        expected = '<script nonce="{}" src="foo.com/bar.js" async=false>' "</script>"
+        expected = '<script nonce="{}" src="foo.com/bar.js" async=false></script>'
 
         self.assert_template_eq(*self.process_templates(tpl, expected))
 

csp/tests/test_utils.py

@@ -55,6 +55,7 @@ def test_default_src() -> None:
     policy = build_policy()
     policy_eq("default-src example.com example2.com", policy)
 
+
 @override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"default-src": {"example.com", "example2.com"}}})
 def test_default_src_is_set() -> None:
     policy = build_policy()
@@ -337,6 +338,35 @@ def test_only_nonce_in_value() -> None:
     policy_eq("default-src 'nonce-abc123'", policy)
 
 
+@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ["example.com", "example.com"]}})
+def test_deduplicate_values() -> None:
+    """
+    GitHub issue #40 - given project settings as a tuple, and
+    an update/replace with a string, concatenate correctly.
+    """
+    policy = build_policy()
+    policy_eq("default-src 'self'; img-src example.com", policy)
+
+
+@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ["example.com", "example.com"]}})
+def test_deduplicate_values_update() -> None:
+    """
+    GitHub issue #40 - given project settings as a tuple, and
+    an update/replace with a string, concatenate correctly.
+    """
+    policy = build_policy(update={"img-src": "example.com"})
+    policy_eq("default-src 'self'; img-src example.com", policy)
+
+
+@override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {"img-src": ("example.com",)}})
+def test_deduplicate_values_replace() -> None:
+    """
+    Demonstrate that GitHub issue #40 doesn't affect replacements
+    """
+    policy = build_policy(replace={"img-src": ["example2.com", "example2.com"]})
+    policy_eq("default-src 'self'; img-src example2.com", policy)
+
+
 def test_boolean_directives() -> None:
     for directive in ["upgrade-insecure-requests", "block-all-mixed-content"]:
         with override_settings(CONTENT_SECURITY_POLICY={"DIRECTIVES": {directive: True}}):

csp/utils.py

@@ -98,13 +98,18 @@ def build_policy(
             v = config[k]
         if v is not None:
             v = copy.copy(v)
-            if not isinstance(v, (list, tuple, set)):
+            if isinstance(v, set):
+                v = sorted(v)
+            if not isinstance(v, (list, tuple)):
                 v = (v,)
             csp[k] = v
 
     for k, v in update.items():
         if v is not None:
-            if not isinstance(v, (list, tuple, set)):
+            v = copy.copy(v)
+            if isinstance(v, set):
+                v = sorted(v)
+            if not isinstance(v, (list, tuple)):
                 v = (v,)
             if csp.get(k) is None:
                 csp[k] = v
@@ -117,19 +122,18 @@ def build_policy(
 
     for key, value in csp.items():
         # Check for boolean directives.
-        if len(value) == 1:
-            val = list(value)[0]
-            if isinstance(val, bool):
-                if value[0] is True:
-                    policy_parts[key] = ""
-                continue
+        if len(value) == 1 and isinstance(value[0], bool):
+            if value[0] is True:
+                policy_parts[key] = ""
+            continue
         if NONCE in value:
             if nonce:
                 value = [f"'nonce-{nonce}'" if v == NONCE else v for v in value]
             else:
                 # Strip the `NONCE` sentinel value if no nonce is provided.
                 value = [v for v in value if v != NONCE]
 
+        value = list(dict.fromkeys(value))  # Deduplicate
         policy_parts[key] = " ".join(value)
 
     if report_uri: