From 6ceedd5b0cebb139091cf8c9bc017b67437e4ad1 Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 6 Jun 2026 05:07:12 +0000 Subject: [PATCH] fix(csp): flag wildcard object-src as a security risk object-src was missing from the wildcard-directive check. An explicit `object-src *` allowed plugins (Flash, Java applets) to load from any origin, bypassing even a strict script-src, because plugin content is not subject to CSP script controls. Adds object-src to the checked directive list and two covering tests. https://claude.ai/code/session_012BC1VP4X5zcbRhbqd8SyRB --- src/rules.ts | 5 ++++- test/analyzer.test.ts | 12 ++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/src/rules.ts b/src/rules.ts index db5d48c..fc97bb2 100644 --- a/src/rules.ts +++ b/src/rules.ts @@ -113,7 +113,10 @@ export function checkCSP(headers: RawHeaders): HeaderFinding { // fetch/navigation directive — not just as the first token of default-src/ // script-src. img-src/style-src/font-src/media-src are intentionally omitted // as a wildcard there is low-risk and commonly legitimate. - const wildcardDirectives = ['default-src', 'script-src', 'connect-src', 'form-action', 'frame-src', 'worker-src']; + // object-src is included because it controls plugin content (Flash, Java + // applets); a wildcard bypasses script-src restrictions entirely since plugins + // can execute arbitrary code without being subject to CSP script controls. + const wildcardDirectives = ['default-src', 'script-src', 'connect-src', 'form-action', 'frame-src', 'worker-src', 'object-src']; const wildcarded = wildcardDirectives.filter(d => { const sources = extractCspDirective(raw, d); return sources !== undefined && sources.includes('*'); diff --git a/test/analyzer.test.ts b/test/analyzer.test.ts index da35ca9..a0a97ee 100644 --- a/test/analyzer.test.ts +++ b/test/analyzer.test.ts @@ -198,6 +198,18 @@ describe('checkCSP', () => { expect(r.score).toBe(18); }); + it('detects wildcard in object-src', () => { + const r = checkCSP({ 'content-security-policy': "default-src 'self'; form-action 'self'; object-src *" }); + expect(r.findings.some(f => /Wildcard.*object-src/i.test(f))).toBe(true); + expect(r.score).toBeLessThan(20); + }); + + it('does not flag a restrictive object-src', () => { + const r = checkCSP({ 'content-security-policy': "default-src 'self'; form-action 'self'; base-uri 'self'; object-src 'none'" }); + expect(r.findings.some(f => /object-src/i.test(f))).toBe(false); + expect(r.score).toBe(20); + }); + it('clean CSP returns score 20', () => { const r = checkCSP({ 'content-security-policy': "default-src 'self'; form-action 'self'; base-uri 'self'" }); expect(r.score).toBe(20);