DMleadgen
46d973904b
Next.js website for Rocky Mountain Vending company featuring: - Product catalog with Stripe integration - Service areas and parts pages - Admin dashboard with Clerk authentication - SEO optimized pages with JSON-LD structured data Co-authored-by: Cursor <cursoragent@cursor.com>
94 lines
3.2 KiB
Text
94 lines
3.2 KiB
Text
/**
|
|
* @license
|
|
* Copyright 2016 Google Inc. All rights reserved.
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*
|
|
* @fileoverview Tests for CSP Parser checks.
|
|
* @author lwe@google.com (Lukas Weichselbaum)
|
|
*/
|
|
|
|
import 'jasmine';
|
|
|
|
import {Finding, Severity} from '../finding';
|
|
import {CspParser} from '../parser';
|
|
|
|
import {CheckerFunction} from './checker';
|
|
import * as parserChecks from './parser_checks';
|
|
|
|
/**
|
|
* Runs a check on a CSP string.
|
|
*
|
|
* @param test CSP string.
|
|
* @param checkFunction check.
|
|
*/
|
|
function checkCsp(test: string, checkFunction: CheckerFunction): Finding[] {
|
|
const parsedCsp = (new CspParser(test)).csp;
|
|
return checkFunction(parsedCsp);
|
|
}
|
|
|
|
|
|
describe('Test parser checks', () => {
|
|
/** Tests for csp.parserChecks.checkUnknownDirective */
|
|
it('CheckUnknownDirective', () => {
|
|
const test = 'foobar-src http:';
|
|
|
|
const violations = checkCsp(test, parserChecks.checkUnknownDirective);
|
|
expect(violations.length).toBe(1);
|
|
expect(violations[0].severity).toBe(Severity.SYNTAX);
|
|
expect(violations[0].directive).toBe('foobar-src');
|
|
});
|
|
|
|
/** Tests for csp.parserChecks.checkMissingSemicolon */
|
|
it('CheckMissingSemicolon', () => {
|
|
const test = 'default-src foo.bar script-src \'none\'';
|
|
|
|
const violations = checkCsp(test, parserChecks.checkMissingSemicolon);
|
|
expect(violations.length).toBe(1);
|
|
expect(violations[0].severity).toBe(Severity.SYNTAX);
|
|
expect(violations[0].value).toBe('script-src');
|
|
});
|
|
|
|
/** Tests for csp.parserChecks.checkInvalidKeyword */
|
|
it('CheckInvalidKeywordForgottenSingleTicks', () => {
|
|
const test = 'script-src strict-dynamic nonce-test sha256-asdf';
|
|
|
|
const violations = checkCsp(test, parserChecks.checkInvalidKeyword);
|
|
expect(violations.length).toBe(3);
|
|
expect(violations.every((v) => v.severity === Severity.SYNTAX)).toBeTrue();
|
|
expect(violations.every((v) => v.description.includes('single-ticks')))
|
|
.toBeTrue();
|
|
});
|
|
|
|
it('CheckInvalidKeywordUnknownKeyword', () => {
|
|
const test = 'script-src \'foo-bar\'';
|
|
|
|
const violations = checkCsp(test, parserChecks.checkInvalidKeyword);
|
|
expect(violations.length).toBe(1);
|
|
expect(violations[0].severity).toBe(Severity.SYNTAX);
|
|
expect(violations[0].value).toBe('\'foo-bar\'');
|
|
});
|
|
|
|
it('CheckInvalidKeywordAllowsRequireTrustedTypesForScript', () => {
|
|
const test = 'require-trusted-types-for \'script\'';
|
|
|
|
const violations = checkCsp(test, parserChecks.checkInvalidKeyword);
|
|
expect(violations.length).toBe(0);
|
|
});
|
|
|
|
it('CheckInvalidKeywordAllowsTrustedTypesAllowDuplicateKeyword', () => {
|
|
const test = 'trusted-types \'allow-duplicates\' policy1';
|
|
|
|
const violations = checkCsp(test, parserChecks.checkInvalidKeyword);
|
|
expect(violations.length).toBe(0);
|
|
});
|
|
});
|