Fix CSP copy boolean directives (#31326)

Use Object#deep_dup to safely duplicate policy values

2 files changed, 10 insertions, 5 deletions

diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index d10d4faf3d..c888a27720 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -110,7 +110,7 @@ module ActionDispatch #:nodoc:
     end
 
     def initialize_copy(other)
-      @directives = copy_directives(other.directives)
+      @directives = other.directives.deep_dup
     end
 
     DIRECTIVES.each do |name, directive|
@@ -174,10 +174,6 @@ module ActionDispatch #:nodoc:
     end
 
     private
-      def copy_directives(directives)
-        directives.transform_values { |sources| sources.map(&:dup) }
-      end
-
       def apply_mappings(sources)
         sources.map do |source|
           case source
diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
index 8a1ac066e8..7c4a65a633 100644
--- a/actionpack/test/dispatch/content_security_policy_test.rb
+++ b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -14,6 +14,15 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase
     assert_equal "script-src 'self';", @policy.build
   end
 
+  def test_dup
+    @policy.img_src :self
+    @policy.block_all_mixed_content
+    @policy.upgrade_insecure_requests
+    @policy.sandbox
+    copied = @policy.dup
+    assert_equal copied.build, @policy.build
+  end
+
   def test_mappings
     @policy.script_src :data
     assert_equal "script-src data:;", @policy.build