kopia lustrzana https://gitlab.com/rysiekpl/libresilient
Merge branch 'wip-integrity-check-plugin' into 'master'
Implement integrity check plugin Closes #20 See merge request rysiekpl/libresilient!7merge-requests/8/merge
commit
a90a9793a8
|
@ -0,0 +1,208 @@
|
|||
describe("plugin: integrity-check", () => {
|
||||
|
||||
beforeEach(() => {
|
||||
global.nodeFetch = require('node-fetch')
|
||||
global.Request = global.nodeFetch.Request
|
||||
global.Response = global.nodeFetch.Response
|
||||
global.crypto = require('crypto').webcrypto
|
||||
global.Blob = require('buffer').Blob;
|
||||
jest.resetModules();
|
||||
self = global
|
||||
global.btoa = (bin) => {
|
||||
return Buffer.from(bin, 'binary').toString('base64')
|
||||
}
|
||||
|
||||
global.LibResilientPluginConstructors = new Map()
|
||||
LR = {
|
||||
log: (component, ...items)=>{
|
||||
console.debug(component + ' :: ', ...items)
|
||||
}
|
||||
}
|
||||
|
||||
global.resolvingFetch = jest.fn((url, init)=>{
|
||||
return Promise.resolve(
|
||||
new Response(
|
||||
['{"test": "success"}'],
|
||||
{
|
||||
type: "application/json",
|
||||
status: 200,
|
||||
statusText: "OK",
|
||||
headers: {
|
||||
'ETag': 'TestingETagHeader'
|
||||
},
|
||||
url: url
|
||||
}
|
||||
)
|
||||
)
|
||||
})
|
||||
|
||||
init = {
|
||||
name: 'integrity-check',
|
||||
uses: [
|
||||
{
|
||||
name: 'resolve-all',
|
||||
description: 'Resolves all',
|
||||
version: '0.0.1',
|
||||
fetch: resolvingFetch
|
||||
}
|
||||
],
|
||||
requireIntegrity: false
|
||||
}
|
||||
requestInit = {
|
||||
integrity: "sha256-eiMrFuthzteJuj8fPwUMyNQMb2SMW7VITmmt2oAxGj0="
|
||||
}
|
||||
self.log = function(component, ...items) {
|
||||
console.debug(component + ' :: ', ...items)
|
||||
}
|
||||
})
|
||||
|
||||
test("it should register in LibResilientPluginConstructors", () => {
|
||||
require("../../plugins/integrity-check.js");
|
||||
expect(LibResilientPluginConstructors.get('integrity-check')(LR, init).name).toEqual('integrity-check');
|
||||
});
|
||||
|
||||
test("it should throw an error when there aren't any wrapped plugins configured", async () => {
|
||||
require("../../plugins/integrity-check.js");
|
||||
init = {
|
||||
name: 'integrity-check',
|
||||
uses: []
|
||||
}
|
||||
|
||||
expect.assertions(2);
|
||||
try {
|
||||
await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json')
|
||||
} catch (e) {
|
||||
expect(e).toBeInstanceOf(Error)
|
||||
expect(e.toString()).toMatch('Expected exactly one plugin to wrap')
|
||||
}
|
||||
});
|
||||
|
||||
test("it should throw an error when there are more than one wrapped plugins configured", async () => {
|
||||
require("../../plugins/integrity-check.js");
|
||||
init = {
|
||||
name: 'integrity-check',
|
||||
uses: [{
|
||||
name: 'plugin-1'
|
||||
},{
|
||||
name: 'plugin-2'
|
||||
}]
|
||||
}
|
||||
|
||||
expect.assertions(2);
|
||||
try {
|
||||
await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json')
|
||||
} catch (e) {
|
||||
expect(e).toBeInstanceOf(Error)
|
||||
expect(e.toString()).toMatch('Expected exactly one plugin to wrap')
|
||||
}
|
||||
});
|
||||
|
||||
test("it should throw an error when an unsupported digest algorithm is used", async () => {
|
||||
require("../../plugins/integrity-check.js");
|
||||
|
||||
expect.assertions(1);
|
||||
try {
|
||||
await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', {
|
||||
integrity: "sha000-eiMrFuthzteJuj8fPwUMyNQMb2SMW7VITmmt2oAxGj0="
|
||||
})
|
||||
} catch (e) {
|
||||
expect(e.toString()).toMatch('No digest matched')
|
||||
}
|
||||
});
|
||||
|
||||
test("it should return data from the wrapped plugin when no integrity data is available and requireIntegrity is false", async () => {
|
||||
require("../../plugins/integrity-check.js");
|
||||
|
||||
const response = await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json');
|
||||
|
||||
expect(resolvingFetch).toHaveBeenCalled();
|
||||
expect(await response.json()).toEqual({test: "success"})
|
||||
expect(response.url).toEqual('https://resilient.is/test.json')
|
||||
});
|
||||
|
||||
test("it should reject no integrity data is available but requireIntegrity is true", async () => {
|
||||
require("../../plugins/integrity-check.js");
|
||||
init.requireIntegrity = true
|
||||
|
||||
expect.assertions(2);
|
||||
try {
|
||||
await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json')
|
||||
} catch (e) {
|
||||
expect(e).toBeInstanceOf(Error)
|
||||
expect(e.toString()).toMatch('Integrity data required but not provided for')
|
||||
}
|
||||
});
|
||||
|
||||
test("it should check integrity and return data from the wrapped plugin if SHA-256 integrity data matches", async () => {
|
||||
require("../../plugins/integrity-check.js");
|
||||
|
||||
const response = await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', requestInit);
|
||||
|
||||
expect(resolvingFetch).toHaveBeenCalled();
|
||||
expect(await response.json()).toEqual({test: "success"})
|
||||
expect(response.url).toEqual('https://resilient.is/test.json')
|
||||
});
|
||||
|
||||
test("it should check integrity and return data from the wrapped plugin if SHA-384 integrity data matches", async () => {
|
||||
require("../../plugins/integrity-check.js");
|
||||
|
||||
const response = await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', {
|
||||
integrity: "sha384-x4iqiH3PIPD51TibGEhTju/WhidcIEcnrpdklYEtIS87f96c4nLyj6CuwUp8kyOo"
|
||||
});
|
||||
|
||||
expect(resolvingFetch).toHaveBeenCalled();
|
||||
expect(await response.json()).toEqual({test: "success"})
|
||||
expect(response.url).toEqual('https://resilient.is/test.json')
|
||||
});
|
||||
|
||||
test("it should check integrity and return data from the wrapped plugin if SHA-512 integrity data matches", async () => {
|
||||
require("../../plugins/integrity-check.js");
|
||||
|
||||
const response = await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', {
|
||||
integrity: "sha512-o+J3lPk7DU8xOJaNfZI5T4Upmaoc9XOVxOWPCFAy4pTgvS8LrJZ8iNis/2ZaryU4bB33cNSXQBxUDvwDxknEBQ=="
|
||||
});
|
||||
|
||||
expect(resolvingFetch).toHaveBeenCalled();
|
||||
expect(await response.json()).toEqual({test: "success"})
|
||||
expect(response.url).toEqual('https://resilient.is/test.json')
|
||||
});
|
||||
|
||||
test("it should check integrity of the data returned from the wrapped plugin and reject if it doesn't match", async () => {
|
||||
require("../../plugins/integrity-check.js");
|
||||
|
||||
expect.assertions(1);
|
||||
try {
|
||||
await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', {
|
||||
integrity: "sha256-INCORRECTINCORRECTINCORRECTINCORRECTINCORREC"
|
||||
});
|
||||
} catch(e) {
|
||||
expect(e.toString()).toMatch('No digest matched')
|
||||
}
|
||||
});
|
||||
|
||||
test("it should check integrity of the data returned from the wrapped plugin and resolve if at least one of multiple integrity hash matches", async () => {
|
||||
require("../../plugins/integrity-check.js");
|
||||
|
||||
const response = await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', {
|
||||
integrity: "sha256-INCORRECTINCORRECTINCORRECTINCORRECTINCORREC sha256-eiMrFuthzteJuj8fPwUMyNQMb2SMW7VITmmt2oAxGj0="
|
||||
});
|
||||
|
||||
expect(resolvingFetch).toHaveBeenCalled();
|
||||
expect(await response.json()).toEqual({test: "success"})
|
||||
expect(response.url).toEqual('https://resilient.is/test.json')
|
||||
});
|
||||
|
||||
test("it should check integrity of the data returned from the wrapped plugin and reject if all out of multiple integrity hash do not match", async () => {
|
||||
require("../../plugins/integrity-check.js");
|
||||
|
||||
expect.assertions(1);
|
||||
try {
|
||||
await LibResilientPluginConstructors.get('integrity-check')(LR, init).fetch('https://resilient.is/test.json', {
|
||||
integrity: "sha256-INCORRECTINCORRECTINCORRECTINCORRECTINCORREC sha256-WRONGWRONGWRONGWRONGWRONGWRONGWRONGWRONGWRON"
|
||||
});
|
||||
} catch(e) {
|
||||
expect(e.toString()).toMatch('No digest matched')
|
||||
}
|
||||
});
|
||||
|
||||
});
|
|
@ -0,0 +1,184 @@
|
|||
/* ========================================================================= *\
|
||||
|* === integrity-check: subresource integrity checks for wrapped plugins === *|
|
||||
\* ========================================================================= */
|
||||
|
||||
/**
|
||||
* this plugin does not implement any push method
|
||||
*/
|
||||
|
||||
// no polluting of the global namespace please
|
||||
(function(LRPC){
|
||||
// this never changes
|
||||
const pluginName = "integrity-check"
|
||||
LRPC.set(pluginName, (LR, init={})=>{
|
||||
|
||||
/*
|
||||
* plugin config settings
|
||||
*/
|
||||
|
||||
// sane defaults
|
||||
let defaultConfig = {
|
||||
|
||||
// list of plugins to wrap
|
||||
// this should always contain exactly one element, but still needs to be an array
|
||||
// as this is what the Service Worker script expects
|
||||
uses: [{
|
||||
name: "alt-fetch"
|
||||
}],
|
||||
|
||||
// if there is no integrity data available for an URL, should the request be allowed to proceed?
|
||||
requireIntegrity: false,
|
||||
|
||||
// should *all* available hashes for the resource be checked and required?
|
||||
//
|
||||
// by default, if the resource matches *any* of the hashes, it's considered good to go
|
||||
// this follows the spec; from the documentation:
|
||||
//
|
||||
// Note: An integrity value may contain multiple hashes separated by whitespace.
|
||||
// A resource will be loaded if it matches one of those hashes.
|
||||
// https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#using_subresource_integrity
|
||||
//
|
||||
// TODO: not implemented yet!
|
||||
// TODO: https://gitlab.com/rysiekpl/libresilient/-/issues/22
|
||||
//enforceAllHashes: false
|
||||
}
|
||||
|
||||
// merge the defaults with settings from LibResilientConfig
|
||||
let config = {...defaultConfig, ...init}
|
||||
|
||||
// reality check: if no wrapped plugin configured, complain
|
||||
if (config.uses.length != 1) {
|
||||
throw new Error(`Expected exactly one plugin to wrap, but ${config.uses.length} configured.`)
|
||||
}
|
||||
|
||||
/**
|
||||
* helper function, converting binary to base64
|
||||
* this need not be extremely fast, since it will only be used on digests
|
||||
*
|
||||
* binary_data - data to convert to base64
|
||||
*/
|
||||
let binToBase64 = (binary_data) => {
|
||||
return btoa(
|
||||
(new Uint8Array(binary_data))
|
||||
.reduce((bin, byte)=>{
|
||||
return bin += String.fromCharCode(byte)
|
||||
}, '')
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* helper function, getting the digest algo
|
||||
* from algorithm part of an integrity string
|
||||
*
|
||||
* integrity_algo - the algorithm part of an integrity string
|
||||
*/
|
||||
let getAlgo = (integrity_algo) => {
|
||||
switch (integrity_algo.toLowerCase()) {
|
||||
case 'sha256':
|
||||
return 'SHA-256'; break;
|
||||
case 'sha384':
|
||||
return 'SHA-384'; break;
|
||||
case 'sha512':
|
||||
return 'SHA-512'; break;
|
||||
default:
|
||||
throw new Error(`Unsupported integrity digest algorithm: ${nextIntegrityHash[0]}`)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* getting content using regular HTTP(S) fetch()
|
||||
*
|
||||
* url - the url to fetch
|
||||
* init - Request() init data
|
||||
*
|
||||
* NOTICE: we have no way of knowing if the wrapped plugin performs any actual integrity check
|
||||
* NOTICE: if the wrapped plugin does check integrity, this will lead to checking it twice,
|
||||
* NOTICE: wasting resources
|
||||
*/
|
||||
let fetchAndVerifyContent = (url, init={}) => {
|
||||
|
||||
// integrity data
|
||||
var integrity = []
|
||||
|
||||
// do we have integrity data in init?
|
||||
if ('integrity' in init && init.integrity != "") {
|
||||
// we need an array
|
||||
integrity = init.integrity.split(' ')
|
||||
LR.log(pluginName, `integrity for: ${url}\n- ${integrity}`)
|
||||
|
||||
// no integrity data available, are we even allowed to proceed?
|
||||
} else if (config.requireIntegrity) {
|
||||
|
||||
// bail if integrity data is not available
|
||||
throw new Error(`Integrity data required but not provided for: ${url}`)
|
||||
}
|
||||
|
||||
// fetch data using the configured wrapped plugin
|
||||
responsePromise = config.uses[0].fetch(url, init)
|
||||
|
||||
// if we have no integrity data, we really do not have anything to do
|
||||
// apart from returning the response
|
||||
if (integrity.length == 0) {
|
||||
LR.log(pluginName, `no integrity data provided for: ${url}`)
|
||||
return responsePromise;
|
||||
}
|
||||
|
||||
LR.log(pluginName, `preparing to check integrity of: ${url}`)
|
||||
|
||||
// down the Promise slide we go
|
||||
//
|
||||
// TODO: what if responsePromise got rejected?
|
||||
// TODO: how to handle split()-related artifacts (empty strings etc)?
|
||||
return responsePromise
|
||||
// get the blob from a cloned response
|
||||
.then(response=>response.clone().blob())
|
||||
.then(blob=>blob.arrayBuffer())
|
||||
.then((ab)=>{
|
||||
// go sequentially, find the first match
|
||||
return integrity
|
||||
// c.f. https://css-tricks.com/why-using-reduce-to-sequentially-resolve-promises-works/
|
||||
.reduce(
|
||||
(previousPromise, nextIntegrityHash)=>{
|
||||
return previousPromise
|
||||
.catch((err)=>{
|
||||
// it's a string, we need an array
|
||||
nextIntegrityHash = nextIntegrityHash.split('-')
|
||||
// make sure the algo name is compatible with SubtleCrypto digest algo names
|
||||
nextIntegrityHash[0] = getAlgo(nextIntegrityHash[0])
|
||||
LR.log(pluginName, `verifying integrity for: ${url}\n- algo: ${nextIntegrityHash[0]}\n- hash: ${nextIntegrityHash[1]}`)
|
||||
return crypto
|
||||
.subtle
|
||||
.digest(nextIntegrityHash[0], ab)
|
||||
})
|
||||
.then((digest)=>{
|
||||
let b64digest = binToBase64(digest)
|
||||
LR.log(pluginName, `actual digest for: ${url}\n- algo: ${nextIntegrityHash[0]}\n- hash: ${b64digest}`)
|
||||
if (b64digest == nextIntegrityHash[1]) {
|
||||
LR.log(pluginName, `successfully verified integrity for: ${url}\n- algo: ${nextIntegrityHash[0]}\n- hash: ${nextIntegrityHash[1]}`)
|
||||
return responsePromise
|
||||
} else {
|
||||
return Promise.reject('Digest does not match.')
|
||||
}
|
||||
})
|
||||
},
|
||||
// we need to start with a rejected promise, since we're doing a catch()-slide
|
||||
Promise.reject())
|
||||
})
|
||||
.catch((err)=>{
|
||||
return Promise.reject(`No digest matched for: ${url}`)
|
||||
})
|
||||
}
|
||||
|
||||
// and add ourselves to it
|
||||
// with some additional metadata
|
||||
return {
|
||||
name: pluginName,
|
||||
description: `performing subresource integrity checks for resources fetched by other plugins`,
|
||||
version: 'COMMIT_UNKNOWN',
|
||||
fetch: fetchAndVerifyContent,
|
||||
uses: config.uses
|
||||
}
|
||||
|
||||
})
|
||||
// done with not polluting the global namespace
|
||||
})(LibResilientPluginConstructors)
|
Ładowanie…
Reference in New Issue