From 6246e41d3483c2f66a8e05ec6f6971fbb6c12322 Mon Sep 17 00:00:00 2001 From: Ben Newman Date: Tue, 3 Jul 2018 12:38:17 -0400 Subject: [PATCH 1/2] Improve File hashing logic in bundler.js. Follow-up to https://github.com/meteor/meteor/pull/9933. As recommended by @abernix, the sha1 hash of every file is now computed from the file's sha512 hash, so we don't have to hash the entire contents of the file twice with two different algorithms. Other changes/improvements: * Invalidate the hashes when/if `File#setContents` is called. * Ignore `options.hash` and just compute hashes from actual file contents. Disagreement here would be worse than any performance benefits from precomputing the hash. --- tools/fs/watch.js | 10 +++++----- tools/isobuild/bundler.js | 22 +++++++--------------- 2 files changed, 12 insertions(+), 20 deletions(-) diff --git a/tools/fs/watch.js b/tools/fs/watch.js index beaeff45125..35c0952249b 100644 --- a/tools/fs/watch.js +++ b/tools/fs/watch.js @@ -261,19 +261,19 @@ export function readFile(absPath) { }; export function sha1(...args) { - return Profile("sha1", function () { + return Profile.run("sha1", function () { var hash = createHash('sha1'); args.forEach(arg => hash.update(arg)); return hash.digest('hex'); - })(); + }); } -export function sri(...args) { - return Profile("sri", function () { +export function sha512(...args) { + return Profile.run("sha512", function () { var hash = createHash('sha512'); args.forEach(arg => hash.update(arg)); return hash.digest('base64'); - })(); + }); } export function readDirectory({absPath, include, exclude, names}) { diff --git a/tools/isobuild/bundler.js b/tools/isobuild/bundler.js index 5d006c31a24..510da31f7db 100644 --- a/tools/isobuild/bundler.js +++ b/tools/isobuild/bundler.js 
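Review bot: The renamed `sha512` export in tools/fs/watch.js returns a base64 digest while `sha1` right above it returns hex, and the new name no longer hints at that difference the way `sri` did. A one-line comment above the function would keep callers from treating the two as interchangeable, for example `// Base64 SHA-512 digest, i.e. the part after "sha512-" in an SRI integrity attribute.` The rename also removes the `sri` export, and this patch updates only tools/isobuild/bundler.js, so any other importer of `watch.sri` (none is visible here) would need the same change.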
@@ -529,8 +529,6 @@ export class NodeModulesDirectory { // Allowed options: // - sourcePath: path to file on disk that will provide our contents // - data: contents of the file as a Buffer -// - hash: optional, sha1 hash of the file contents, if known -// - sri: sha512 hash of file contents in base64 encoding // - sourceMap: if 'data' is given, can be given instead of // sourcePath. a string or a JS Object. Will be stored as Object. // - cacheable @@ -599,7 +597,6 @@ class File { this.assets = null; this._contents = options.data || null; // contents, if known, as a Buffer - this._hashOfContents = options.hash || null; this._hash = null; this._sri = null; } @@ -615,13 +612,9 @@ class File { hash() { if (! this._hash) { - if (! this._hashOfContents) { - this._hashOfContents = watch.sha1(this.contents()); - } - this._hash = watch.sha1( String(File._salt()), - this._hashOfContents, + this.sri(), ); } @@ -630,10 +623,11 @@ class File { sri() { if (! this._sri) { - this._sri = watch.sri(this.contents()); + this._sri = watch.sha512(this.contents()); } + return this._sri; - } + } // Omit encoding to get a buffer, or provide something like 'utf8' // to get a string @@ -650,12 +644,10 @@ class File { } setContents(b) { - if (!(b instanceof Buffer)) { - throw new Error("Must set contents to a Buffer"); - } + assert.ok(Buffer.isBuffer(b), "Must pass Buffer to File#setContents"); this._contents = b; - // Un-cache hash. - this._hashOfContents = this._hash = null; + // Bust the hash cache. + this._hash = this._sri = null; } size() { From eb2a0b0f8259a54b38a3b2b152bec1e2691bbff8 Mon Sep 17 00:00:00 2001 From: Ben Newman Date: Tue, 3 Jul 2018 12:50:31 -0400 Subject: [PATCH 2/2] Mention sub-resource integrity support in History.md. --- History.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/History.md b/History.md index ebf27d40b29..fbc38e148a1 100644 --- a/History.md +++ b/History.md 
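Review bot: In `File#hash` (hunk at -615), `_hash` is now SHA-1 over the salt followed by the base64 string returned by `this.sri()`, and nothing in the method says that its value depends on `sri()`'s algorithm and encoding. I would add a comment above the `watch.sha1(` call such as `// Derived from the sha512 digest so contents are hashed only once; use sri() when an integrity value is needed.` Every file's `hash()` value also changes relative to the previous computation, which presumably only invalidates caches keyed on it, but that is worth confirming. The method's `return` lies outside the hunk.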
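Review bot: `setContents` (hunk at -650) now relies on `assert`, whose import is not visible in this patch, so confirm tools/isobuild/bundler.js already has it in scope; otherwise the call throws a ReferenceError instead of the intended message. The Buffer check is also enforced only here: the constructor hunk still stores `options.data` unchecked (`this._contents = options.data || null`), and with `options.hash` gone both `hash()` and `sri()` are computed from whatever that value is. If no caller passes a string there, the same guard could go in the constructor, `assert.ok(!options.data || Buffer.isBuffer(options.data), "File data must be a Buffer");`. The File class itself starts outside the hunk.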
@@ -10,6 +10,11 @@ `uglify-es` that appears to be (more actively) maintained. [Issue #10042](https://github.com/meteor/meteor/issues/10042) +* Sub-resource integrity hashes (sha512) can now be enabled for static CSS + and JS assets by calling `WebAppInternals.enableSubresourceIntegrity()`. + [PR #9933](https://github.com/meteor/meteor/pull/9933) + [PR #10050](https://github.com/meteor/meteor/pull/10050) + ## v1.7.0.3, 2018-06-13 * Fixed [Issue #9991](https://github.com/meteor/meteor/issues/9991),