matt/Rocky_Mountain_Vending
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Rocky_Mountain_Vending/.pnpm-store/v10/files/16/470f781884e20962d54bdf0f3a23518202d3a95fb02dddf6f31118ddcda25d699b95721f538b3bdcb8e16298d0fb7978f5e3a3ea1c07db99d8ded2d3eee928
DMleadgen 46d973904b
Initial commit: Rocky Mountain Vending website 
Next.js website for Rocky Mountain Vending company featuring:
- Product catalog with Stripe integration
- Service areas and parts pages
- Admin dashboard with Clerk authentication
- SEO optimized pages with JSON-LD structured data

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 16:22:15 -07:00

126 lines
3.9 KiB
Text
Raw Blame History

/**
* @author lwe@google.com (Lukas Weichselbaum)
*
* @license
* Copyright 2016 Google Inc. All rights reserved.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import {CheckerFunction} from './checks/checker';
import * as parserChecks from './checks/parser_checks';
import * as securityChecks from './checks/security_checks';
import * as strictcspChecks from './checks/strictcsp_checks';
import * as csp from './csp';
import {Csp, Version} from './csp';
import {Finding} from './finding';
/**
* A class to hold a CSP Evaluator.
* Evaluates a parsed CSP and reports security findings.
* @unrestricted
*/
export class CspEvaluator {
version: Version;
csp: Csp;
/**
* List of findings reported by checks.
*
*/
findings: Finding[] = [];
/**
* @param parsedCsp A parsed Content Security Policy.
* @param cspVersion CSP version to apply checks for.
*/
constructor(parsedCsp: Csp, cspVersion?: Version, findings?: Finding[]) {
/**
* CSP version.
*/
this.version = cspVersion || csp.Version.CSP3;
/**
* Parsed CSP.
*/
this.csp = parsedCsp;
/**
* List of findings reported by checks.
*/
this.findings = findings || [];
}
/**
* Evaluates a parsed CSP against a set of checks
* @param parsedCspChecks list of checks to run on the parsed CSP (i.e.
* checks like backward compatibility checks, which are independent of the
* actual CSP version).
* @param effectiveCspChecks list of checks to run on the effective CSP.
* @return List of Findings.
* @export
*/
evaluate(
parsedCspChecks?: CheckerFunction[],
effectiveCspChecks?: CheckerFunction[]): Finding[] {
this.findings = [];
const checks = effectiveCspChecks || DEFAULT_CHECKS;
// We're applying checks on the policy as it would be seen by a browser
// supporting a specific version of CSP.
// For example a browser supporting only CSP1 will ignore nonces and
// therefore 'unsafe-inline' would not get ignored if a policy has nonces.
const effectiveCsp = this.csp.getEffectiveCsp(this.version, this.findings);
// Checks independent of CSP version.
if (parsedCspChecks) {
for (const check of parsedCspChecks) {
this.findings = this.findings.concat(check(this.csp));
}
}
// Checks dependent on CSP version.
for (const check of checks) {
this.findings = this.findings.concat(check(effectiveCsp));
}
return this.findings;
}
}
/**
* Set of default checks to run.
*/
export const DEFAULT_CHECKS: CheckerFunction[] = [
securityChecks.checkScriptUnsafeInline, securityChecks.checkScriptUnsafeEval,
securityChecks.checkPlainUrlSchemes, securityChecks.checkWildcards,
securityChecks.checkMissingDirectives,
securityChecks.checkScriptAllowlistBypass,
securityChecks.checkFlashObjectAllowlistBypass, securityChecks.checkIpSource,
securityChecks.checkNonceLength, securityChecks.checkSrcHttp,
securityChecks.checkDeprecatedDirective, parserChecks.checkUnknownDirective,
parserChecks.checkMissingSemicolon, parserChecks.checkInvalidKeyword
];
/**
* Strict CSP and backward compatibility checks.
*/
export const STRICTCSP_CHECKS: CheckerFunction[] = [
strictcspChecks.checkStrictDynamic,
strictcspChecks.checkStrictDynamicNotStandalone,
strictcspChecks.checkUnsafeInlineFallback,
strictcspChecks.checkAllowlistFallback,
strictcspChecks.checkRequiresTrustedTypesForScripts
];
Reference in a new issue View git blame Copy permalink