New: Rule SRI #875
Conversation
The spec talks about
packages/rule-sri/README.md
Outdated
@@ -0,0 +1,145 @@
# Require scripts and styles to use Subresource integrity (`sri`)
Subresource
=> subresource
packages/rule-sri/README.md
Outdated
## Why is this important?

Nowadays it's very common to use third party resources from CDNs or different
services (analytics, ads, etc.) and thus increasing the risk surface of your
, and thus,

Subresource integrity [is a standard][sri spec] that mitigates this by ensuring
that an exact representation of a resource, and only that representation, loads
and executes.
Maybe we should add a warning that this is only guaranteed over HTTPS?
I put a comment in the latest comment in the next paragraph
packages/rule-sri/README.md
Outdated
* When using a cross-origin resource (e.g.: using a script hosted in a third
party CDN), the `<script>` tag needs to have a valid
[`crossorigin` attribute][crossorigin].
* The resource needs to be served on a [secure context][secure context]
The resource is served...
Done
packages/rule-sri/README.md
Outdated
(i.e.: HTTPS)
* The hash from the `integrity` attribute needs to be the same as the one
calculated using the response's body.
* If multiple hashes are provided, at least one needs to be valid
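Review bot: the last bullet, "If multiple hashes are provided, at least one needs to be valid", does not describe what browsers do: per the SRI spec only the hashes that use the strongest algorithm listed are compared and the rest are discarded, so an `integrity` value with a correct sha256 and an incorrect sha512 fails the check. Suggest "at least one of the hashes using the strongest algorithm listed needs to match the response", which also agrees with the "the highest one will be used" wording further down in this README.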
valid.
Done
Same-origin resource with hash function less secure than `sha384`:

```html
<script src="/script.js" integrity="sha256-validHashHere">
Maybe to be consistent we should use a random hash?
I was thinking about that, but I thought it was clearer this way so users reading about SRI for the first time know they need to calculate the hash and replace it.
ok.
packages/rule-sri/README.md
Outdated
```json
"sri": ["warning", {
"baseline": "sha512"
}
}]
Done
packages/rule-sri/package.json
Outdated
},
"repository": "sonarwhal/sonarwhal",
"scripts": {
"build": "npm run clean && npm-run-all build:*",
Add "build-release": "npm run clean && npm run build:assets && tsc --inlineSourceMap false --removeComments true",
Done
packages/rule-sri/package.json
Outdated
"extends": "../../../../.nycrc"
},
"peerDependencies": {
"sonarwhal": "^1.0.0"
1.0.1
Actually 1.0.3, things move fast!
packages/rule-sri/package.json
Outdated
"watch:test": "ava --watch",
"watch:ts": "npm run build:ts -- --watch"
},
"version": "0.1.0"
Add "private": true
Done
packages/rule-sri/package.json
Outdated
@@ -0,0 +1,69 @@
{
"author": "",
Remove this.
Done
packages/rule-sri/package.json
Outdated
"watch:test": "ava --watch",
"watch:ts": "npm run build:ts -- --watch"
},
"version": "0.1.0"
1.0.0
Done
packages/rule-sri/package.json
Outdated
"eslint-plugin-markdown": "^1.0.0-beta.7",
"eslint-plugin-typescript": "^0.10.0",
"markdownlint-cli": "^0.7.0",
"npm-link-check": "^2.0.0",
I think this can be removed?
Done
packages/rule-sri/src/index.ts
Outdated
* @fileoverview Require scripts and styles to use Subresource Integrity
*/

import * as sri from './sri';
Maybe we should just make a convention that if there is a single rule in a package we use rule.ts for the name of the file?
Done
packages/rule-sri/src/sri.ts
Outdated

import { Category } from 'sonarwhal/dist/src/lib/enums/category';
import { RuleContext } from 'sonarwhal/dist/src/lib/rule-context';
// The list of types depends on the events you want to capture.
Remove this line.
Done
packages/rule-sri/src/sri.ts
Outdated
debug('Is eligible for integrity validation?');

const { element, resource } = evt;
const resourceOrigin: string = new URL(resource).origin;
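Review bot: `new URL(resource)` throws a TypeError for anything that is not an absolute URL, and `.origin` is the string "null" for opaque origins such as `data:` or `file:` resources, so a `data:` script would be compared as if it came from origin "null" and a malformed `src` would abort the rule with an exception. Wrap the parse in a try/catch (skipping or reporting elements whose URL cannot be parsed) and treat an origin of "null" as cross-origin explicitly instead of letting the string comparison decide.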
Maybe use same-origin as things may be more complex than this?
I actually think this code is better than the code in that package. It's using the old url.parse and doing some magic, and we get for free the origin if we use new URL. Maybe we could add a method in misc so we can remove that dependency from the project.
Maybe we could add a method in misc so we can remove that dependency from the project.
👍
I've created #879 for this
packages/rule-sri/src/sri.ts
Outdated
const { element, resource } = evt;
const resourceOrigin: string = new URL(resource).origin;

// CORS validation only applies to scripts, styles are OK
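Review bot: the comment "CORS validation only applies to scripts, styles are OK" contradicts the SRI spec: the "is response eligible for integrity validation" step runs for `<link rel="stylesheet">` as well as for `<script>`, and it rejects opaque responses, so a cross-origin stylesheet requested without a `crossorigin` attribute fails the integrity check and is not applied. Enforce the `crossorigin` requirement for both element types, or cite the spec text that exempts stylesheets in the comment.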
Why are styles ok? Maybe provide a link?
That's the link that's just above in the method description
OK.
packages/rule-sri/src/sri.ts
Outdated
debug('Is integrity attribute valid?');
const { element, resource } = evt;
const integrity = element.getAttribute('integrity');
const integrityRegExp = /^sha(256|384|512)-/;
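Review bot: `integrityRegExp` only inspects the beginning of the attribute, but an `integrity` value may contain several whitespace-separated tokens (for example `sha384-… sha512-…`), each optionally followed by `?options`, and tokens with an unrecognised algorithm are ignored by browsers rather than invalidating the attribute. Split the value on whitespace and validate each token (something like `/^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}(\?.*)?$/`), otherwise a second token carrying a weaker or malformed hash is never examined and the "highest algorithm" comparison described in the README cannot be done.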
What if I have multiple integrity attributes?
I've added another test. Only the first instance is accessible via getAttribute. Additionally, it looks like Chrome tries to download the file twice if the first hash is invalid, but only the first attribute is accessible. I've left the code of the test commented with an explanation.
packages/rule-sri/src/sri.ts
Outdated
}

// cross-origin scripts need to be loaded with a valid "crossorigin" attribute (ie.: anonymous or use-credentials)
const crossorigin = element.getAttribute('crossorigin');
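Review bot: the comment restricts valid values to `anonymous` or `use-credentials`, but `crossorigin` is an enumerated attribute whose empty string and any unrecognised value both map to the Anonymous state, so `<script crossorigin>` and `crossorigin=""` are valid CORS settings. The check should test for the attribute's presence (after normalising the value) rather than require one of those two literal strings; otherwise correct markup gets reported as missing CORS.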
Use normalizeString?
Done
@alrra all your feedback should be included. @sonarwhal/core this is ready for another round.
Also, maybe add this to configuration-web-recommended?
👍
From: Cătălin Mariș <notifications@github.com>
Sent: Monday, March 12, 2018 9:36:06 PM
To: sonarwhal/sonarwhal
Subject: Re: [sonarwhal/sonarwhal] New: Rule SRI (#875)
@@ -0,0 +1,201 @@
Apache License
Maybe we should make the release script add this file automatically for new packages?
It's taken care by the generators. I wouldn't change anything TBH.
OK.
packages/rule-sri/README.md
Outdated
@@ -0,0 +1,145 @@
# Require scripts and styles to use subresource integrity (`sri`)
sri
=> @sonarwhal/rule-sri
packages/rule-sri/README.md
Outdated
@@ -0,0 +1,145 @@
# Require scripts and styles to use subresource integrity (`sri`)

`sri` warns about requesting scripts or styles without using Subresource
styles => stylesheets
Subresource => subresource
## Why is this important?

Nowadays it's very common to use third party resources from CDNs or different
services (analytics, ads, etc.), and thus, increasing the risk surface of your
increase
I'm pretty sure it's increasing
packages/rule-sri/README.md
Outdated

Nowadays it's very common to use third party resources from CDNs or different
services (analytics, ads, etc.), and thus, increasing the risk surface of your
web application.
web site/app. ?
packages/rule-sri/README.md
Outdated
* [The `integrity` attribute has to be valid][sri format]. I.e.: it should
contain something in the form of `sha(256|384|512)-HASH`, where `HASH` is
the hashed value of the downlaoded body's response using the previous
algorithm (`sha256`, `sha384`, or `sha512`).
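Review bot: the description of `sha(256|384|512)-HASH` should say that `HASH` is the base64 encoding of the digest computed over the raw response bytes (not a hex string and not a hash of decoded text), since that is the usual mistake when the value is produced by hand; "downlaoded" is also misspelled.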
previously specified algorithm?
packages/rule-sri/README.md
Outdated
contain something in the form of `sha(256|384|512)-HASH`, where `HASH` is
the hashed value of the downlaoded body's response using the previous
algorithm (`sha256`, `sha384`, or `sha512`).
* The minium cryptographic hash function used has to be [`sha384`][collisions].
for consistency with the others:
used has to be => used is
packages/rule-sri/README.md
Outdated
the hashed value of the downlaoded body's response using the previous
algorithm (`sha256`, `sha384`, or `sha512`).
* The minium cryptographic hash function used has to be [`sha384`][collisions].
If multiple are provided, the highest one will be used to determine if the
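Review bot: "minium" is misspelled, and the bullet presents `sha384` as a requirement when the SRI spec accepts `sha256` as a conforming algorithm; say instead that `sha384` is this rule's default baseline (configurable through the `baseline` option shown in the configuration example) and state that "the highest one" means the strongest algorithm among the hashes listed, which is also the only one a browser compares against the response.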
multiple ones
packages/rule-sri/src/rule.ts
Outdated
* * base64
* * `sha384-hash`
*/
private calculateHash(content: string, sha): string {
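Review bot: hashing `content: string` means the body has already been decoded to text; browsers hash the raw response bytes, so a non-UTF-8 stylesheet, a file with a BOM, or any transcoding between fetch and hashing yields a digest that differs from what the browser computes, and the rule would report a valid `integrity` as mismatched. Take the body as a Buffer/Uint8Array and feed it to the hash unchanged, and type the `sha` parameter as `string`.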
sha: string
packages/rule-sri/src/rule.ts
Outdated
* No need to report anything, but we can stop processing things right away.
*/
const isScript: boolean = element.nodeName === 'SCRIPT' && !!element.getAttribute('src');
const isStyle: boolean = element.nodeName === 'LINK' && element.getAttribute('rel') === 'stylesheet';
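Review bot: `element.getAttribute('rel') === 'stylesheet'` misses `rel` values that are space-separated token lists such as `rel="stylesheet preload"`, which the browser still treats as a stylesheet, so those elements would escape the rule. Split the normalised value on whitespace and test for the `stylesheet` token instead of comparing the whole string.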
normalizeString(element.getAttribute('rel')) === 'stylesheet';
Feedback is pushed
Pull request checklist
Short description of the change(s)
Close #26