UNPKG

csp_evaluator

Version:

Evaluate Content Security Policies for a wide range of bypasses and weaknesses

csp-evaluator.withgoogle.com

google/csp-evaluator

95 lines (77 loc) 3.29 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
/** * @license * Copyright 2016 Google Inc. All rights reserved. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * * @fileoverview Tests for CSP Parser checks. * @author lwe@google.com (Lukas Weichselbaum) */ import 'jasmine'; import {Finding, Severity} from '../finding'; import {CspParser} from '../parser'; import {CheckerFunction} from './checker'; import * as parserChecks from './parser_checks'; /** * Runs a check on a CSP string. * * @param test CSP string. * @param checkFunction check. */ function checkCsp(test: string, checkFunction: CheckerFunction): Finding[] { const parsedCsp = (new CspParser(test)).csp; return checkFunction(parsedCsp); } describe('Test parser checks', () => { /** Tests for csp.parserChecks.checkUnknownDirective */ it('CheckUnknownDirective', () => { const test = 'foobar-src http:'; const violations = checkCsp(test, parserChecks.checkUnknownDirective); expect(violations.length).toBe(1); expect(violations[0].severity).toBe(Severity.SYNTAX); expect(violations[0].directive).toBe('foobar-src'); }); /** Tests for csp.parserChecks.checkMissingSemicolon */ it('CheckMissingSemicolon', () => { const test = 'default-src foo.bar script-src \'none\''; const violations = checkCsp(test, parserChecks.checkMissingSemicolon); expect(violations.length).toBe(1); expect(violations[0].severity).toBe(Severity.SYNTAX); expect(violations[0].value).toBe('script-src'); }); /** Tests for csp.parserChecks.checkInvalidKeyword */ it('CheckInvalidKeywordForgottenSingleTicks', () => { const test = 'script-src strict-dynamic nonce-test sha256-asdf'; const violations = checkCsp(test, parserChecks.checkInvalidKeyword); expect(violations.length).toBe(3); expect(violations.every((v) => v.severity === Severity.SYNTAX)).toBeTrue(); expect(violations.every((v) => v.description.includes('single-ticks'))) .toBeTrue(); }); it('CheckInvalidKeywordUnknownKeyword', () => { const test = 'script-src \'foo-bar\''; const violations = checkCsp(test, parserChecks.checkInvalidKeyword); expect(violations.length).toBe(1); expect(violations[0].severity).toBe(Severity.SYNTAX); expect(violations[0].value).toBe('\'foo-bar\''); }); it('CheckInvalidKeywordAllowsRequireTrustedTypesForScript', () => { const test = 'require-trusted-types-for \'script\''; const violations = checkCsp(test, parserChecks.checkInvalidKeyword); expect(violations.length).toBe(0); }); it('CheckInvalidKeywordAllowsTrustedTypesAllowDuplicateKeyword', () => { const test = 'trusted-types \'allow-duplicates\' policy1'; const violations = checkCsp(test, parserChecks.checkInvalidKeyword); expect(violations.length).toBe(0); }); });