DMleadgen
46d973904b
Next.js website for Rocky Mountain Vending company featuring: - Product catalog with Stripe integration - Service areas and parts pages - Admin dashboard with Clerk authentication - SEO optimized pages with JSON-LD structured data Co-authored-by: Cursor <cursoragent@cursor.com>
156 lines
4.6 KiB
Text
156 lines
4.6 KiB
Text
/**
|
|
* @fileoverview Collection of CSP parser checks which can be used to find
|
|
* common syntax mistakes like missing semicolons, invalid directives or
|
|
* invalid keywords.
|
|
* @author lwe@google.com (Lukas Weichselbaum)
|
|
*
|
|
* @license
|
|
* Copyright 2016 Google Inc. All rights reserved.
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
import * as csp from '../csp';
|
|
import {Csp, Keyword} from '../csp';
|
|
|
|
import {Finding, Severity, Type} from '../finding';
|
|
|
|
|
|
/**
|
|
* Checks if the csp contains invalid directives.
|
|
*
|
|
* Example policy where this check would trigger:
|
|
* foobar-src foo.bar
|
|
*
|
|
* @param parsedCsp A parsed csp.
|
|
*/
|
|
export function checkUnknownDirective(parsedCsp: Csp): Finding[] {
|
|
const findings: Finding[] = [];
|
|
|
|
for (const directive of Object.keys(parsedCsp.directives)) {
|
|
if (csp.isDirective(directive)) {
|
|
// Directive is known.
|
|
continue;
|
|
}
|
|
|
|
if (directive.endsWith(':')) {
|
|
findings.push(new Finding(
|
|
Type.UNKNOWN_DIRECTIVE, 'CSP directives don\'t end with a colon.',
|
|
Severity.SYNTAX, directive));
|
|
} else {
|
|
findings.push(new Finding(
|
|
Type.UNKNOWN_DIRECTIVE,
|
|
'Directive "' + directive + '" is not a known CSP directive.',
|
|
Severity.SYNTAX, directive));
|
|
}
|
|
}
|
|
|
|
return findings;
|
|
}
|
|
|
|
|
|
/**
|
|
* Checks if semicolons are missing in the csp.
|
|
*
|
|
* Example policy where this check would trigger (missing semicolon before
|
|
* start of object-src):
|
|
* script-src foo.bar object-src 'none'
|
|
*
|
|
* @param parsedCsp A parsed csp.
|
|
*/
|
|
export function checkMissingSemicolon(parsedCsp: Csp): Finding[] {
|
|
const findings: Finding[] = [];
|
|
|
|
for (const [directive, directiveValues] of Object.entries(
|
|
parsedCsp.directives)) {
|
|
if (directiveValues === undefined) {
|
|
continue;
|
|
}
|
|
for (const value of directiveValues) {
|
|
// If we find a known directive inside a directive value, it is very
|
|
// likely that a semicolon was forgoten.
|
|
if (csp.isDirective(value)) {
|
|
findings.push(new Finding(
|
|
Type.MISSING_SEMICOLON,
|
|
'Did you forget the semicolon? ' +
|
|
'"' + value + '" seems to be a directive, not a value.',
|
|
Severity.SYNTAX, directive, value));
|
|
}
|
|
}
|
|
}
|
|
|
|
return findings;
|
|
}
|
|
|
|
|
|
/**
|
|
* Checks if csp contains invalid keywords.
|
|
*
|
|
* Example policy where this check would trigger:
|
|
* script-src 'notAkeyword'
|
|
*
|
|
* @param parsedCsp A parsed csp.
|
|
*/
|
|
export function checkInvalidKeyword(parsedCsp: Csp): Finding[] {
|
|
const findings: Finding[] = [];
|
|
const keywordsNoTicks =
|
|
Object.values(Keyword).map((k) => k.replace(/'/g, ''));
|
|
|
|
for (const [directive, directiveValues] of Object.entries(
|
|
parsedCsp.directives)) {
|
|
if (directiveValues === undefined) {
|
|
continue;
|
|
}
|
|
for (const value of directiveValues) {
|
|
// Check if single ticks have been forgotten.
|
|
if (keywordsNoTicks.some((k) => k === value) ||
|
|
value.startsWith('nonce-') ||
|
|
value.match(/^(sha256|sha384|sha512)-/)) {
|
|
findings.push(new Finding(
|
|
Type.INVALID_KEYWORD,
|
|
'Did you forget to surround "' + value + '" with single-ticks?',
|
|
Severity.SYNTAX, directive, value));
|
|
continue;
|
|
}
|
|
|
|
// Continue, if the value doesn't start with single tick.
|
|
// All CSP keywords start with a single tick.
|
|
if (!value.startsWith('\'')) {
|
|
continue;
|
|
}
|
|
|
|
if (directive === csp.Directive.REQUIRE_TRUSTED_TYPES_FOR) {
|
|
// Continue, if it's an allowed Trusted Types sink.
|
|
if (value === csp.TrustedTypesSink.SCRIPT) {
|
|
continue;
|
|
}
|
|
} else if (directive === csp.Directive.TRUSTED_TYPES) {
|
|
// Continue, if it's an allowed Trusted Types keyword.
|
|
if (value === '\'allow-duplicates\'' || value === '\'none\'') {
|
|
continue;
|
|
}
|
|
} else {
|
|
// Continue, if it's a valid keyword.
|
|
if (csp.isKeyword(value) || csp.isHash(value) || csp.isNonce(value)) {
|
|
continue;
|
|
}
|
|
}
|
|
|
|
findings.push(new Finding(
|
|
Type.INVALID_KEYWORD, value + ' seems to be an invalid CSP keyword.',
|
|
Severity.SYNTAX, directive, value));
|
|
}
|
|
}
|
|
|
|
return findings;
|
|
}
|
|
|