Merge pull request #1126 from riganti/recommend-integrity-hashes

Recommend users to use integrity hashes on scripts
riganti · Sep 5, 2021 · 4d1def0 · 4d1def0
2 parents df4100b + 2f4bf8d
commit 4d1def0
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 6 deletions.
diff --git a/src/Framework/Framework/Hosting/DotvvmRequestContextExtensions.cs b/src/Framework/Framework/Hosting/DotvvmRequestContextExtensions.cs
@@ -17,6 +17,7 @@
 using DotVVM.Framework.Routing;
 using DotVVM.Framework.Hosting;
 using DotVVM.Core.Storage;
+using DotVVM.Framework.Runtime;
 
 public static class DotvvmRequestContextExtensions
 {
@@ -236,4 +237,14 @@ public static void ReturnFile(this IDotvvmRequestContext context, Stream stream,
         context.SetRedirectResponse(context.TranslateVirtualPath("~/dotvvmReturnedFile?id=" + generatedFileId));
         throw new DotvvmInterruptRequestExecutionException(InterruptReason.ReturnFile, fileName);
     }
+
+    public static void DebugWarning(this IDotvvmRequestContext context, string message, Exception? relatedException = null, DotvvmBindableObject? relatedControl = null)
+    {
+        if (context.Configuration.Debug)
+        {
+            context.Services
+                .GetRequiredService<RuntimeWarningCollector>()
+                .Warn(new DotvvmRuntimeWarning(message, relatedException, relatedControl));
+        }
+    }
 }
diff --git a/src/Framework/Framework/ResourceManagement/LinkResourceBase.cs b/src/Framework/Framework/ResourceManagement/LinkResourceBase.cs
@@ -6,6 +6,7 @@
 using System.IO;
 using Newtonsoft.Json;
 using Microsoft.Extensions.DependencyInjection;
+using System.ComponentModel;
 
 namespace DotVVM.Framework.ResourceManagement
 {
@@ -18,7 +19,8 @@ public abstract class LinkResourceBase : ResourceBase, ILinkResource
         public IResourceLocation Location { get; set; }
         public ResourceLocationFallback? LocationFallback { get; set; }
         public string MimeType { get; private set; }
-        public bool VerifyResourceIntegrity { get; set; }
+        [DefaultValue(true)]
+        public bool VerifyResourceIntegrity { get; set; } = true;
         public string? IntegrityHash { get; set; }
 
         public LinkResourceBase(ResourceRenderPosition renderPosition, string mimeType, IResourceLocation location) : base(renderPosition)
@@ -104,19 +106,25 @@ protected string RenderLinkToString(IResourceLocation location, IDotvvmRequestCo
         protected string? ComputeIntegrityHash(IDotvvmRequestContext context)
         {
             var hasher = context.Services.GetRequiredService<IResourceHashService>();
-            var localLocation = GetLocations().OfType<ILocalResourceLocation>().First();
+            var localLocation = GetLocations().OfType<ILocalResourceLocation>().FirstOrDefault();
             if (localLocation != null) return hasher.GetIntegrityHash(localLocation, context);
             else return null;
         }
 
-        protected void AddIntegrityAttribute(IHtmlWriter writer, IDotvvmRequestContext context)
+        protected void AddIntegrityAttribute(IHtmlWriter writer, IDotvvmRequestContext context, string url)
         {
             var hash = IntegrityHash ?? ComputeIntegrityHash(context);
             if (hash != null)
             {
                 writer.AddAttribute("integrity", hash);
                 writer.AddAttribute("crossorigin", "anonymous");
             }
+            else
+            {
+                context.DebugWarning(
+                    $"Resource seems to be pointing to a 3rd party URL '{url}', but it does not have IntegrityHash specified. Please specify this property or serve the resource from your server (using FileResourceLocation) to eliminate the potential security risk. See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity for more information."
+                );
+            }
         }
 
         protected void AddSrcAndIntegrity(IHtmlWriter writer, IDotvvmRequestContext context, string url, string srcAttributeName)
@@ -125,7 +133,7 @@ protected void AddSrcAndIntegrity(IHtmlWriter writer, IDotvvmRequestContext cont
 
             if (url.Contains("://") && VerifyResourceIntegrity)
             {
-                AddIntegrityAttribute(writer, context);
+                AddIntegrityAttribute(writer, context, url);
             }
         }
     }

diff --git a/src/Tests/Runtime/config-tests/ConfigurationSerializationTests.SerializeResources.json b/src/Tests/Runtime/config-tests/ConfigurationSerializationTests.SerializeResources.json
@@ -48,7 +48,6 @@
           "DebugUrl": "x"
         },
         "MimeType": "text/javascript",
-        "VerifyResourceIntegrity": true,
         "IntegrityHash": "hash, maybe"
       },
       "r2": {
@@ -93,7 +92,6 @@
           "DebugUrl": "s"
         },
         "MimeType": "text/css",
-        "VerifyResourceIntegrity": true,
         "IntegrityHash": "hash, maybe"
       }
     }