From 08bbbcabc402abcf328274bb2990d59b47580376 Mon Sep 17 00:00:00 2001 From: Pieter Vander Vennet Date: Wed, 23 Aug 2023 12:50:20 +0200 Subject: [PATCH] Fix: add script integrity, add check to validate that script integrity is always in place --- 404.html | 2 +- index.html | 3 +- scripts/generateRedirectFiles.ts | 32 +++++++++++++++++ statistics.html | 2 +- test/CodeQuality.spec.ts | 59 ++++++++++++++++++++++++++------ theme.html | 2 +- 6 files changed, 85 insertions(+), 15 deletions(-) create mode 100644 scripts/generateRedirectFiles.ts diff --git a/404.html b/404.html index 129c820db..8d425e109 100644 --- a/404.html +++ b/404.html @@ -50,7 +50,7 @@ - + diff --git a/index.html b/index.html index b58e3157d..4a29a7026 100644 --- a/index.html +++ b/index.html @@ -51,7 +51,8 @@
- + - + diff --git a/test/CodeQuality.spec.ts b/test/CodeQuality.spec.ts index d1f6eef14..dcf5d27eb 100644 --- a/test/CodeQuality.spec.ts +++ b/test/CodeQuality.spec.ts @@ -1,6 +1,10 @@ import { exec } from "child_process" import { describe, it } from "vitest" +import { parse as parse_html } from "node-html-parser" +import { readFileSync } from "fs" +import ScriptUtils from "../scripts/ScriptUtils" + /** * * @param forbidden: a GREP-regex. This means that '.' is a wildcard and should be escaped to match a literal dot @@ -64,6 +68,32 @@ function itAsync(name: string, promise: Promise) { it(name, wrap(promise)) } +function validateScriptIntegrityOf(path: string) { + const htmlContents = readFileSync(path, "utf8") + const doc = parse_html(htmlContents) + // @ts-ignore + const scripts = Array.from(doc.getElementsByTagName("script")) + for (const script of scripts) { + const src = script.getAttribute("src") + if (src === undefined) { + continue + } + if (src.startsWith("./")) { + // Local script - no check needed + continue + } + const integrity = script.getAttribute("integrity") + const ctx = "Script with source " + src + " in file " + path + if (integrity === undefined) { + throw new Error(ctx + " has no integrity value") + } + const crossorigin = script.getAttribute("crossorigin") + if (crossorigin !== "anonymous") { + throw new Error(ctx + " has crossorigin missing or not set to 'anonymous'") + } + } +} + describe("Code quality", () => { itAsync( "should not contain reverse", @@ -85,17 +115,24 @@ describe("Code quality", () => { "innerText is not allowed as it is not testable with fakeDom. Use 'textContent' instead." ) ) + + it("scripts with external sources should have an integrity hash", () => { + const htmlFiles = ScriptUtils.readDirRecSync(".", 1).filter((f) => f.endsWith(".html")) + for (const htmlFile of htmlFiles) { + validateScriptIntegrityOf(htmlFile) + } + }) /* - itAsync( - "should not contain 'import * as name from \"xyz.json\"'", - detectInCode( - 'import \\* as [a-zA-Z0-9_]\\+ from \\"[.-_/a-zA-Z0-9]\\+\\.json\\"', - "With vite, json files have a default export. Use import name from file.json instead" - ) - ) + itAsync( + "should not contain 'import * as name from \"xyz.json\"'", + detectInCode( + 'import \\* as [a-zA-Z0-9_]\\+ from \\"[.-_/a-zA-Z0-9]\\+\\.json\\"', + "With vite, json files have a default export. Use import name from file.json instead" + ) + ) /* - itAsync( - "should not contain '[\"default\"]'", - detectInCode('\\[\\"default\\"\\]', "Possible leftover of faulty default import") - )*/ + itAsync( + "should not contain '[\"default\"]'", + detectInCode('\\[\\"default\\"\\]', "Possible leftover of faulty default import") + )*/ }) diff --git a/theme.html b/theme.html index 10902c70f..43a5629dc 100644 --- a/theme.html +++ b/theme.html @@ -97,7 +97,7 @@ - +