
Chore/2.0.0 rc.1 #448

Merged
merged 98 commits into from
May 30, 2024
Commits (98)
f75d01f
perf: avoid cheerio in favor of regex
GalacticHypernova Mar 23, 2024
68a0de5
perf: avoid unnecessary loop
GalacticHypernova Mar 23, 2024
ca027ce
wip: add external script and link regexes
GalacticHypernova Mar 26, 2024
1aa070b
fix: more specific regex patterns
GalacticHypernova Mar 26, 2024
b7b3a65
wip: rework SRI to regex
GalacticHypernova Mar 26, 2024
0b09dd6
wip: 04-cspSsgHashes.ts
GalacticHypernova Mar 26, 2024
5524431
wip: provide a weakmap for both links and scripts
GalacticHypernova Mar 27, 2024
0540a9b
wip: refactor to Map due to no native support for strings
GalacticHypernova Mar 27, 2024
659b39d
perf: set cache and refactor to 1 map
GalacticHypernova Mar 27, 2024
631951a
fix: parenthesis
GalacticHypernova Mar 27, 2024
6123f65
wip: more work
GalacticHypernova Mar 27, 2024
6b8a9b6
wip: csp hashes
GalacticHypernova Mar 29, 2024
67905dd
wip: rework cspssg to regex
GalacticHypernova Mar 31, 2024
34497c9
fix: return match
GalacticHypernova Mar 31, 2024
08638ae
wip: refactor cspssr to regex
GalacticHypernova Mar 31, 2024
6b80492
fix: check for word boundary
GalacticHypernova Mar 31, 2024
06c9533
Update 04-cspSsgHashes.ts
GalacticHypernova Mar 31, 2024
70b707c
fix: return $
GalacticHypernova Mar 31, 2024
83e36c2
fix: don't manipulate the strings
GalacticHypernova Mar 31, 2024
e8bee97
chore: retrying with loop
GalacticHypernova Mar 31, 2024
49e1db4
fix: typo
GalacticHypernova Mar 31, 2024
9b5bf56
fix: regex range
GalacticHypernova Apr 2, 2024
548e74a
fix: regex range
GalacticHypernova Apr 2, 2024
a646f67
fix: provide proper integrity pattern
GalacticHypernova Apr 2, 2024
85c029c
fix: provide proper integrity pattern
GalacticHypernova Apr 2, 2024
3fcf350
fix: no escape plus
GalacticHypernova Apr 2, 2024
ceabd95
fix: no escape plus
GalacticHypernova Apr 2, 2024
fe2386f
fix: capture whole substr
GalacticHypernova Apr 2, 2024
b46bb8a
Merge branch 'main' into patch-2
GalacticHypernova Apr 4, 2024
e8d705a
Merge branch 'main' into patch-2
GalacticHypernova Apr 12, 2024
b1ef1e7
wip: refactor inclusive pattern
GalacticHypernova Apr 12, 2024
0361b4d
wip: refactor inclusive pattern
GalacticHypernova Apr 12, 2024
5bfe98e
Merge remote-tracking branch 'origin/main' into pr/404
GalacticHypernova Apr 26, 2024
b7497df
fix: use string replace
GalacticHypernova Apr 26, 2024
a24e9e2
SSG pre-rendered headers
vejja Apr 25, 2024
1d8db8a
add hook feature
vejja Apr 29, 2024
c77c3c0
doc update
vejja Apr 29, 2024
75f5dcd
minor fixes
vejja Apr 29, 2024
49bf562
Merge branch 'feat/virtual-sri' into feat/ssg-headers
vejja Apr 29, 2024
bd27138
Merge branch 'main' into feat/ssg-headers
vejja Apr 29, 2024
47d38b3
add security headers on non-html resources
vejja May 3, 2024
ec1428c
put allResources mode under config option
vejja May 5, 2024
284a1e4
fix tests and remove options guard
vejja May 5, 2024
8fbc9e7
doc update
vejja May 5, 2024
a9f0574
minor corrections to docs
vejja May 5, 2024
b4504aa
modifications as per code review
vejja May 6, 2024
1712786
2.0.0-beta.0
vejja May 6, 2024
34c2fc0
move unbuild config to package.json
vejja May 7, 2024
fdfbc9f
auto-import defuReplaceArray
vejja May 8, 2024
47ed844
Merge pull request #441 from Baroshem/feat/ssg-headers
Baroshem May 10, 2024
5ab25ae
Merge branch 'main' into patch-2
GalacticHypernova May 10, 2024
90a46d3
insert csp meta after charset meta
vejja May 10, 2024
a41b3fe
Merge branch 'chore/2.0.0-rc.1' into GalacticHypernova-patch-2
vejja May 10, 2024
80f4516
update recombine
vejja May 10, 2024
ae43392
fix types
vejja May 10, 2024
dc276a3
remove cheerio and unused cache
vejja May 10, 2024
c8d8dbc
make 'as' capturing group optional in LINK_RE
vejja May 10, 2024
7e1ee61
remove unused pre-processing step
vejja May 10, 2024
b11755d
use readonly loop for scanning hashes
vejja May 10, 2024
fd760b1
no Section type redefinition, skip adding CSP meta if no pre-render
vejja May 10, 2024
fbc39a7
add security to docs
vejja May 11, 2024
d99b6f3
fix package latest specifier
vejja May 11, 2024
86911bf
deactivate exportToPresets
vejja May 12, 2024
32e45ff
temp fix: delete array entry for nitro-prerender
vejja May 12, 2024
a2c7366
2.0.0-beta.1
vejja May 12, 2024
24c1ca3
fix array values in prerendered headers
vejja May 12, 2024
59f2347
2.0.0-beta.2
vejja May 12, 2024
98c9b1c
2.0.0-beta.3
vejja May 12, 2024
2e2a2a1
log faulty headers to build output
vejja May 12, 2024
13bbc38
2.0.0-beta.4
vejja May 12, 2024
5ee94cb
update nuxt-security version for docs
vejja May 12, 2024
386ab77
remove headers logs from build output
vejja May 12, 2024
b5fddb7
2.0.0-beta.5
vejja May 12, 2024
99d6dee
Merge pull request #451 from Baroshem/feat/score-banner
vejja May 17, 2024
60ddf61
Merge pull request #404 from GalacticHypernova/patch-2
vejja May 17, 2024
6c8d01f
Merge pull request #449 from Baroshem/fix/csp-meta-charset-v2
vejja May 17, 2024
738ce9b
adapt filtering regexp to conform to CodeQL recommendation
vejja May 21, 2024
944acbc
update default headers values
vejja May 11, 2024
6831dda
spread options for storage drivers
vejja May 13, 2024
71ba82a
fix rateLimiter driver types
vejja May 21, 2024
6cee48f
update doc for --host
vejja May 21, 2024
3584775
Merge pull request #456 from Baroshem/447-not-working-on-dev-on-netwo…
Baroshem May 22, 2024
5466dda
Merge pull request #450 from Baroshem/feat/owasp-defaults
Baroshem May 22, 2024
d40ced0
Merge pull request #452 from Baroshem/fix/storage-driver-options
Baroshem May 22, 2024
71fa772
fix: remove navigate-to csp directive
GalacticHypernova May 25, 2024
b1d3853
fix: remove navigate-to csp directive from docs
GalacticHypernova May 25, 2024
f117c33
fix(types): allow request size limiters to be optional
GalacticHypernova May 25, 2024
ff49301
fix(types): allow rate limiter props to be optional
GalacticHypernova May 25, 2024
ada9409
fix(types): force route specific config to use all props as required
GalacticHypernova May 27, 2024
7b3f70f
fix: |
GalacticHypernova May 27, 2024
caa5a1c
fix: add missing closing bracket
GalacticHypernova May 27, 2024
f537b32
fix: use the correct branch
GalacticHypernova May 27, 2024
0963bfd
fix: use the correct branch
GalacticHypernova May 27, 2024
49339c0
Merge branch 'chore/2.0.0-rc.1' into patch-4
GalacticHypernova May 27, 2024
bc00b3a
fix(types): allow throwError to stay optional
GalacticHypernova May 27, 2024
1346bc3
Merge pull request #457 from GalacticHypernova/patch-3
vejja May 28, 2024
6f6ecc1
Merge pull request #458 from GalacticHypernova/patch-4
vejja May 28, 2024
1bdb71d
fix required types not respected
vejja May 30, 2024
14 changes: 4 additions & 10 deletions src/runtime/nitro/plugins/30-cspSsgHashes.ts
@@ -3,17 +3,11 @@ import { resolveSecurityRules } from '../context'
import { generateHash } from '../../../utils/hash'
import type { Section } from '../../../types/module'

/*
FOLLOWING PATTERN NOT IN USE:
Placeholder until a proper caching strategy is though of:
/<script((?=[^>]+src="([\w:.-\/]+)")(?:(?![^>]+integrity="[\w-]+")|(?=[^>]+integrity="([\w-])"))[^>]+)(?:\/>|><\/script>)/g
Allows to obtain integrity from both scripts with integrity and those without (useful for 03)
*/

const INLINE_SCRIPT_RE = /<script(?![^>]*?\bsrc="[\w:.\-\\/]+")[^>]*>(.*?)<\/script>/g
const STYLE_RE = /<style[^>]*>(.*?)<\/style>/g
const SCRIPT_RE = /<script(?=[^>]+\bsrc="[^"]+")(?=[^>]+\bintegrity="([\w\-+/=]+)")[^>]+(?:\/>|><\/script>)/g
const LINK_RE = /<link(?=[^>]+\brel="(stylesheet|preload|modulepreload)")(?=[^>]+\bintegrity="([\w\-+/=]+)")(?=(?:[^>]+\bas="(\w+)")?)[^>]+>/g
const INLINE_SCRIPT_RE = /<script(?![^>]*?\bsrc="[\w:.\-\\/]+")[^>]*>(.*?)<\/script>/gi
const STYLE_RE = /<style[^>]*>(.*?)<\/style>/gi
const SCRIPT_RE = /<script(?=[^>]+\bsrc="[^"]+")(?=[^>]+\bintegrity="([\w\-+/=]+)")[^>]+(?:\/>|><\/script[^>]*?>)/gi
const LINK_RE = /<link(?=[^>]+\brel="(stylesheet|preload|modulepreload)")(?=[^>]+\bintegrity="([\w\-+/=]+)")(?=(?:[^>]+\bas="(\w+)")?)[^>]+>/gi



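Review bot: the two `src` patterns in this hunk disagree. `SCRIPT_RE` accepts any `src="[^"]+"`, but the negative lookahead in `INLINE_SCRIPT_RE` only recognises `src="[\w:.\-\\/]+"`, so an external script whose URL contains a character outside that class (a `?v=1` query string, `%`-encoding, `@` in a scoped package path) passes the lookahead, is treated as an inline script, and the empty body between `>` and `</script>` gets hashed into the CSP. Suggest using the same `[^"]+` in both, e.g. `/<script(?![^>]*?\bsrc="[^"]+")[^>]*>(.*?)<\/script>/gi`. Two smaller points: `(.*?)` in `INLINE_SCRIPT_RE` and `STYLE_RE` is compiled without the `s` flag, so `.` does not cross a newline and a multi-line inline script or style block yields no hash at all (the browser then blocks it); and the closing-tag tolerance added to `SCRIPT_RE` (`<\/script[^>]*?>`) is not mirrored in `INLINE_SCRIPT_RE`, which still requires a bare `</script>`.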
6 changes: 3 additions & 3 deletions src/runtime/nitro/plugins/40-cspSsrNonce.ts
@@ -2,9 +2,9 @@ import { defineNitroPlugin } from '#imports'
import crypto from 'node:crypto'
import { resolveSecurityRules } from '../context'

const LINK_RE = /<link([^>]*?>)/g
const SCRIPT_RE = /<script([^>]*?>)/g
const STYLE_RE = /<style([^>]*?>)/g
const LINK_RE = /<link([^>]*?>)/gi
const SCRIPT_RE = /<script([^>]*?>)/gi
const STYLE_RE = /<style([^>]*?>)/gi


/**
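Review bot: adding the `i` flag is right, since HTML tag names are case-insensitive and 30-cspSsgHashes.ts now does the same, but none of the three patterns bounds the tag name, so `<link` also matches a custom element such as `<link-preview ...>` and `<script` matches `<script-loader ...>`, which would then be rewritten as if they were script or link tags. Suggest `/<link\b([^>]*?>)/gi`, `/<script\b([^>]*?>)/gi` and `/<style\b([^>]*?>)/gi`, matching the `\b` convention the sibling plugin already uses for attribute names. Also worth a test case: `[^>]*?>` stops at the first `>`, so a tag with a literal `>` inside an attribute value is split at that point and the captured group no longer covers the whole tag.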