feat: support SRI verification of script tags

falsandtru · Jonathan Ginsburg · commit 6a54b1c2a1df · 2022-06-13T17:31:53.000-07:00
diff --git a/lib/config.js b/lib/config.js
@@ -32,7 +32,7 @@ try {
 } catch {}
 
 class Pattern {
-  constructor (pattern, served, included, watched, nocache, type, isBinary) {
+  constructor (pattern, served, included, watched, nocache, type, isBinary, integrity) {
     this.pattern = pattern
     this.served = helper.isDefined(served) ? served : true
     this.included = helper.isDefined(included) ? included : true
@@ -41,6 +41,7 @@ class Pattern {
     this.weight = helper.mmPatternWeight(pattern)
     this.type = type
     this.isBinary = isBinary
+    this.integrity = integrity
   }
 
   compare (other) {
@@ -49,8 +50,8 @@ class Pattern {
 }
 
 class UrlPattern extends Pattern {
-  constructor (url, type) {
-    super(url, false, true, false, false, type)
+  constructor (url, type, integrity) {
+    super(url, false, true, false, false, type, undefined, integrity)
   }
 }
 
diff --git a/lib/file-list.js b/lib/file-list.js
@@ -62,9 +62,9 @@ class FileList {
 
     let lastCompletedRefresh = this._refreshing
     lastCompletedRefresh = Promise.all(
-      this._patterns.map(async ({ pattern, type, nocache, isBinary }) => {
+      this._patterns.map(async ({ pattern, type, nocache, isBinary, integrity }) => {
         if (helper.isUrlAbsolute(pattern)) {
-          this.buckets.set(pattern, [new Url(pattern, type)])
+          this.buckets.set(pattern, [new Url(pattern, type, integrity)])
           return
         }
 
diff --git a/lib/file.js b/lib/file.js
@@ -6,7 +6,7 @@ const path = require('path')
  * File object used for tracking files in `file-list.js`.
  */
 class File {
-  constructor (path, mtime, doNotCache, type, isBinary) {
+  constructor (path, mtime, doNotCache, type, isBinary, integrity) {
     // used for serving (processed path, eg some/file.coffee -> some/file.coffee.js)
     this.path = path
 
@@ -29,6 +29,8 @@ class File {
 
     // Tri state: null means probe file for binary.
     this.isBinary = isBinary === undefined ? null : isBinary
+
+    this.integrity = integrity
   }
 
   /**
diff --git a/lib/middleware/karma.js b/lib/middleware/karma.js
@@ -190,11 +190,12 @@ function createKarmaMiddleware (
               scriptTags.push(`<link href="${filePath}" rel="import">`)
             } else {
               const scriptType = (SCRIPT_TYPE[fileType] || 'text/javascript')
-              const crossOriginAttribute = includeCrossOriginAttribute ? 'crossorigin="anonymous"' : ''
+              const crossOriginAttribute = includeCrossOriginAttribute ? ' crossorigin="anonymous"' : ''
+              const integrityAttribute = file.integrity ? ` integrity="${file.integrity}"` : ''
               if (fileType === 'module') {
-                scriptTags.push(`<script onerror="throw 'Error loading ${filePath}'" type="${scriptType}" src="${filePath}" ${crossOriginAttribute}></script>`)
+                scriptTags.push(`<script onerror="throw 'Error loading ${filePath}'" type="${scriptType}" src="${filePath}"${integrityAttribute}${crossOriginAttribute}></script>`)
               } else {
-                scriptTags.push(`<script type="${scriptType}" src="${filePath}" ${crossOriginAttribute}></script>`)
+                scriptTags.push(`<script type="${scriptType}" src="${filePath}"${integrityAttribute}${crossOriginAttribute}></script>`)
               }
             }
           }
diff --git a/lib/url.js b/lib/url.js
@@ -7,10 +7,11 @@ const { URL } = require('url')
  * Url object used for tracking files in `file-list.js`.
  */
 class Url {
-  constructor (path, type) {
+  constructor (path, type, integrity) {
     this.path = path
     this.originalPath = path
     this.type = type
+    this.integrity = integrity
     this.isUrl = true
   }
 
diff --git a/test/unit/middleware/karma.spec.js b/test/unit/middleware/karma.spec.js
@@ -17,8 +17,8 @@ describe('middleware.karma', () => {
   let response
 
   class MockFile extends File {
-    constructor (path, sha, type, content) {
-      super(path, undefined, undefined, type)
+    constructor (path, sha, type, content, integrity) {
+      super(path, undefined, undefined, type, undefined, integrity)
       this.sha = sha || 'sha-default'
       this.content = content
     }
@@ -230,6 +230,21 @@ describe('middleware.karma', () => {
     callHandlerWith('/__karma__/context.html')
   })
 
+  it('should serve context.html with script tags with integrity checking', (done) => {
+    includedFiles([
+      new MockFile('/first.js', 'sha123'),
+      new MockFile('/second.js', 'sha456', undefined, undefined, 'sha256-XXX')
+    ])
+
+    response.once('end', () => {
+      expect(nextSpy).not.to.have.been.called
+      expect(response).to.beServedAs(200, 'CONTEXT\n<script type="text/javascript" src="/__proxy__/__karma__/absolute/first.js?sha123" crossorigin="anonymous"></script>\n<script type="text/javascript" src="/__proxy__/__karma__/absolute/second.js?sha456" integrity="sha256-XXX" crossorigin="anonymous"></script>')
+      done()
+    })
+
+    callHandlerWith('/__karma__/context.html')
+  })
+
   it('should serve context.html with replaced link tags', (done) => {
     includedFiles([
       new MockFile('/first.css', 'sha007'),

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ try {`
`32`	`32`	`} catch {}`
`33`	`33`
`34`	`34`	`class Pattern {`
`35`		`- constructor (pattern, served, included, watched, nocache, type, isBinary) {`
	`35`	`+ constructor (pattern, served, included, watched, nocache, type, isBinary, integrity) {`
`36`	`36`	`this.pattern = pattern`
`37`	`37`	`this.served = helper.isDefined(served) ? served : true`
`38`	`38`	`this.included = helper.isDefined(included) ? included : true`
`@@ -41,6 +41,7 @@ class Pattern {`
`41`	`41`	`this.weight = helper.mmPatternWeight(pattern)`
`42`	`42`	`this.type = type`
`43`	`43`	`this.isBinary = isBinary`
	`44`	`+ this.integrity = integrity`
`44`	`45`	`}`
`45`	`46`
`46`	`47`	`compare (other) {`
`@@ -49,8 +50,8 @@ class Pattern {`
`49`	`50`	`}`
`50`	`51`
`51`	`52`	`class UrlPattern extends Pattern {`
`52`		`- constructor (url, type) {`
`53`		`- super(url, false, true, false, false, type)`
	`53`	`+ constructor (url, type, integrity) {`
	`54`	`+ super(url, false, true, false, false, type, undefined, integrity)`
`54`	`55`	`}`
`55`	`56`	`}`
`56`	`57`
Original file line number	Diff line number	Diff line change
`@@ -190,11 +190,12 @@ function createKarmaMiddleware (`
`190`	`190`	scriptTags.push(`<link href="${filePath}" rel="import">`)
`191`	`191`	`} else {`
`192`	`192`	`const scriptType = (SCRIPT_TYPE[fileType] \|\| 'text/javascript')`
`193`		`- const crossOriginAttribute = includeCrossOriginAttribute ? 'crossorigin="anonymous"' : ''`
	`193`	`+ const crossOriginAttribute = includeCrossOriginAttribute ? ' crossorigin="anonymous"' : ''`
	`194`	+ const integrityAttribute = file.integrity ? ` integrity="${file.integrity}"` : ''
`194`	`195`	`if (fileType === 'module') {`
`195`		- scriptTags.push(`<script onerror="throw 'Error loading ${filePath}'" type="${scriptType}" src="${filePath}" ${crossOriginAttribute}></script>`)
	`196`	+ scriptTags.push(`<script onerror="throw 'Error loading ${filePath}'" type="${scriptType}" src="${filePath}"${integrityAttribute}${crossOriginAttribute}></script>`)
`196`	`197`	`} else {`
`197`		- scriptTags.push(`<script type="${scriptType}" src="${filePath}" ${crossOriginAttribute}></script>`)
	`198`	+ scriptTags.push(`<script type="${scriptType}" src="${filePath}"${integrityAttribute}${crossOriginAttribute}></script>`)
`198`	`199`	`}`
`199`	`200`	`}`
`200`	`201`	`}`