New: Rule SRI #875
New: Rule SRI #875
Conversation
|
The spec talks about |
packages/rule-sri/README.md
Outdated
| @@ -0,0 +1,145 @@ | |||
| # Require scripts and styles to use Subresource integrity (`sri`) | |||
packages/rule-sri/README.md
Outdated
| ## Why is this important? | ||
|
|
||
| Nowadays it's very common to use third party resources from CDNs or different | ||
| services (analytics, ads, etc.) and thus increasing the risk surface of your |
|
|
||
| Subresource integrity [is a standard][sri spec] that mitigates this by ensuring | ||
| that an exact representation of a resource, and only that representation, loads | ||
| and executes. |
There was a problem hiding this comment.
Maybe we should add a warning that this is only guaranteed over HTTPS?
There was a problem hiding this comment.
I put a comment in the latest comment in the next paragraph
packages/rule-sri/README.md
Outdated
| * When using a cross-origin resource (e.g.: using a script hosted in a third | ||
| party CDN), the `<script>` tag needs to have a valid | ||
| [`crossorigin` attribute][crossorigin]. | ||
| * The resource needs to be served on a [secure context][secure context] |
packages/rule-sri/README.md
Outdated
| (i.e.: HTTPS) | ||
| * The hash from the `integrity` attribute needs to be the same as the one | ||
| calculated using the response's body. | ||
| * If multiple hashes are provided, at least one needs to be valid |
| Same-origin resource with hash function less secure than `sha384`: | ||
|
|
||
| ```html | ||
| <script src="/script.js" integrity="sha256-validHashHere"> |
There was a problem hiding this comment.
Maybe to be consistent we should use a random hash?
There was a problem hiding this comment.
I was thinking about that, but I though it was clearer this way so users reading about SRI for the first time know they need to calculate the hash and replace it.
packages/rule-sri/README.md
Outdated
| ```json | ||
| "sri": ["warning", { | ||
| "baseline": "sha512" | ||
| } |
packages/rule-sri/package.json
Outdated
| }, | ||
| "repository": "sonarwhal/sonarwhal", | ||
| "scripts": { | ||
| "build": "npm run clean && npm-run-all build:*", |
There was a problem hiding this comment.
Add "build-release": "npm run clean && npm run build:assets && tsc --inlineSourceMap false --removeComments true",
packages/rule-sri/package.json
Outdated
| "extends": "../../../../.nycrc" | ||
| }, | ||
| "peerDependencies": { | ||
| "sonarwhal": "^1.0.0" |
There was a problem hiding this comment.
Actually 1.0.3, things move fast!
packages/rule-sri/package.json
Outdated
| "watch:test": "ava --watch", | ||
| "watch:ts": "npm run build:ts -- --watch" | ||
| }, | ||
| "version": "0.1.0" |
packages/rule-sri/package.json
Outdated
| @@ -0,0 +1,69 @@ | |||
| { | |||
| "author": "", | |||
packages/rule-sri/package.json
Outdated
| "watch:test": "ava --watch", | ||
| "watch:ts": "npm run build:ts -- --watch" | ||
| }, | ||
| "version": "0.1.0" |
packages/rule-sri/package.json
Outdated
| "eslint-plugin-markdown": "^1.0.0-beta.7", | ||
| "eslint-plugin-typescript": "^0.10.0", | ||
| "markdownlint-cli": "^0.7.0", | ||
| "npm-link-check": "^2.0.0", |
There was a problem hiding this comment.
I think this ca be removed?
packages/rule-sri/src/index.ts
Outdated
| * @fileoverview Require scripts and styles to use Subresource Integrity | ||
| */ | ||
|
|
||
| import * as sri from './sri'; |
There was a problem hiding this comment.
Maybe we should just make a convention that if there is a single rule in a package we use rule.ts for the name of the file?
packages/rule-sri/src/sri.ts
Outdated
|
|
||
| import { Category } from 'sonarwhal/dist/src/lib/enums/category'; | ||
| import { RuleContext } from 'sonarwhal/dist/src/lib/rule-context'; | ||
| // The list of types depends on the events you want to capture. |
packages/rule-sri/src/sri.ts
Outdated
| debug('Is eligible for integrity validation?'); | ||
|
|
||
| const { element, resource } = evt; | ||
| const resourceOrigin: string = new URL(resource).origin; |
There was a problem hiding this comment.
Maybe use same-origin as things may be more complex then this?
There was a problem hiding this comment.
I actually think this code is better than the code in that package. It's using the old url.parse and doing some magic, and we get for free the origin if we use new URL. Maybe we could add a method in misc so we can remove that dependency from the project.
There was a problem hiding this comment.
Maybe we could add a method in misc so we can remove that dependency from the project.
👍
There was a problem hiding this comment.
I've created #879 for this
packages/rule-sri/src/sri.ts
Outdated
| const { element, resource } = evt; | ||
| const resourceOrigin: string = new URL(resource).origin; | ||
|
|
||
| // CORS validation only applies to scripts, styles are OK |
There was a problem hiding this comment.
Why are styles ok? Maybe provide a link?
There was a problem hiding this comment.
That's the link that's just above in the method description
packages/rule-sri/src/sri.ts
Outdated
| debug('Is integrity attribute valid?'); | ||
| const { element, resource } = evt; | ||
| const integrity = element.getAttribute('integrity'); | ||
| const integrityRegExp = /^sha(256|384|512)-/; |
There was a problem hiding this comment.
What if I have multiple integrity attributes?
There was a problem hiding this comment.
I've added another test. Only the first instance is accessible via getAttribute. Additionally, it looks like Chrome tries to download the file twice if the first hash is invalid, but only the first attribute is accessible. I've left the code of the test commented with an explanation.
packages/rule-sri/src/sri.ts
Outdated
| } | ||
|
|
||
| // cross-origin scripts need to be loaded with a valid "crossorigin" attribute (ie.: anonymous or use-credentials) | ||
| const crossorigin = element.getAttribute('crossorigin'); |
|
@alrra all your feedback should be included. @sonarwhal/core this is ready for another round. |
|
Also, maybe add this to |
|
👍
…________________________________
From: Cătălin Mariș <notifications@github.com>
Sent: Monday, March 12, 2018 9:36:06 PM
To: sonarwhal/sonarwhal
Cc: Anton Molleda; Author
Subject: Re: [sonarwhal/sonarwhal] New: Rule SRI (#875)
Also, maybe add this to configuration-web-recommended?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub<#875 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AAlBgoVmT3Wi25XdZBHoncLGW4McqPsOks5td0y2gaJpZM4Sl4p7>.
|
| @@ -0,0 +1,201 @@ | |||
| Apache License | |||
There was a problem hiding this comment.
Maybe we should make the release script add this file automatically for new packages?
There was a problem hiding this comment.
It's taken care by the generators. I wouldn't change anything TBH.
packages/rule-sri/README.md
Outdated
| @@ -0,0 +1,145 @@ | |||
| # Require scripts and styles to use subresource integrity (`sri`) | |||
packages/rule-sri/README.md
Outdated
| @@ -0,0 +1,145 @@ | |||
| # Require scripts and styles to use subresource integrity (`sri`) | |||
|
|
|||
| `sri` warns about requesting scripts or styles without using Subresource | |||
| ## Why is this important? | ||
|
|
||
| Nowadays it's very common to use third party resources from CDNs or different | ||
| services (analytics, ads, etc.), and thus, increasing the risk surface of your |
There was a problem hiding this comment.
I'm pretty sure it's increasing
packages/rule-sri/README.md
Outdated
|
|
||
| Nowadays it's very common to use third party resources from CDNs or different | ||
| services (analytics, ads, etc.), and thus, increasing the risk surface of your | ||
| web application. |
packages/rule-sri/README.md
Outdated
| * [The `integrity` attribute has to be valid][sri format]. I.e.: it should | ||
| contain something in the form of `sha(256|384|512)-HASH`, where `HASH` is | ||
| the hashed value of the downlaoded body's response using the previous | ||
| algorithm (`sha256`, `sha384`, or `sha512`). |
There was a problem hiding this comment.
previously specified algorithm?
packages/rule-sri/README.md
Outdated
| contain something in the form of `sha(256|384|512)-HASH`, where `HASH` is | ||
| the hashed value of the downlaoded body's response using the previous | ||
| algorithm (`sha256`, `sha384`, or `sha512`). | ||
| * The minium cryptographic hash function used has to be [`sha384`][collisions]. |
There was a problem hiding this comment.
for consistency with the others:
used has to be => used is
packages/rule-sri/README.md
Outdated
| the hashed value of the downlaoded body's response using the previous | ||
| algorithm (`sha256`, `sha384`, or `sha512`). | ||
| * The minium cryptographic hash function used has to be [`sha384`][collisions]. | ||
| If multiple are provided, the highest one will be used to determine if the |
packages/rule-sri/src/rule.ts
Outdated
| * * base64 | ||
| * * `sha384-hash` | ||
| */ | ||
| private calculateHash(content: string, sha): string { |
packages/rule-sri/src/rule.ts
Outdated
| * No need to report anything, but we can stop processing things right away. | ||
| */ | ||
| const isScript: boolean = element.nodeName === 'SCRIPT' && !!element.getAttribute('src'); | ||
| const isStyle: boolean = element.nodeName === 'LINK' && element.getAttribute('rel') === 'stylesheet'; |
There was a problem hiding this comment.
normalizeString(element.getAttribute('rel')) === 'stylesheet';
|
Feedback is pushed |
Pull request checklist
Make sure you:
For non-trivial changes, please make sure you also:
Short description of the change(s)
Close #26