
csp_evaluator


Evaluate Content Security Policies for a wide range of bypasses and weaknesses

/**
 * @license
 * Copyright 2016 Google Inc. All rights reserved.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * @author lwe@google.com (Lukas Weichselbaum)
 */

/**
 * A single result produced by a CSP check.
 *
 * A finding points either at a whole directive or at one value inside a
 * directive; when it points at a value, that value is carried in `value`.
 * @unrestricted
 */
export class Finding {
  /**
   * @param type Category of the finding (see {@link Type}).
   * @param description Human-readable explanation of the finding.
   * @param severity How serious the finding is (see {@link Severity}).
   * @param directive Name of the CSP directive the finding belongs to.
   * @param value The offending directive value, when the finding is about
   *     one value rather than the whole directive.
   */
  constructor(
      public type: Type,
      public description: string,
      public severity: Severity,
      public directive: string,
      public value?: string) {}

  /**
   * Picks the most severe entry out of a list of findings.
   *
   * Severity values are ordered so that a smaller number is more severe
   * (HIGH = 10 … NONE = 100), so the most severe finding is the numeric
   * minimum. An empty list yields `Severity.NONE`.
   * @param findings List of findings.
   * @return The highest (most serious) severity among `findings`.
   */
  static getHighestSeverity(findings: Finding[]): Severity {
    let mostSevere = Severity.NONE;
    for (const {severity} of findings) {
      if (severity < mostSevere) {
        mostSevere = severity;
      }
    }
    return mostSevere;
  }

  /**
   * Field-wise equality against another object.
   * @param obj Candidate to compare with; anything that is not a `Finding`
   *     compares unequal.
   * @return True when `obj` is a `Finding` whose type, description, severity,
   *     directive and value all strictly equal this one's.
   */
  equals(obj: unknown): boolean {
    if (!(obj instanceof Finding)) {
      return false;
    }
    const other: Finding = obj;
    const fields = ['type', 'description', 'severity', 'directive', 'value'] as const;
    return fields.every((field) => other[field] === this[field]);
  }
}

/**
 * Finding severities. Lower numeric values are more severe; the numbers
 * leave gaps so new levels can be slotted in between existing ones.
 */
export enum Severity {
  HIGH = 10,
  SYNTAX = 20,
  MEDIUM = 30,
  HIGH_MAYBE = 40,
  STRICT_CSP = 45,
  MEDIUM_MAYBE = 50,
  INFO = 60,
  NONE = 100
}

/**
 * Finding types for evaluator checks. Each group of checks owns a numeric
 * range (100s parser, 300s security, 400s strict-dynamic, 500s Trusted
 * Types, 600s Lighthouse); members without an explicit value continue the
 * sequence from the previous member.
 */
export enum Type {
  // Parser checks
  MISSING_SEMICOLON = 100,
  UNKNOWN_DIRECTIVE,
  INVALID_KEYWORD,
  NONCE_CHARSET = 106,

  // Security checks
  MISSING_DIRECTIVES = 300,
  SCRIPT_UNSAFE_INLINE,
  SCRIPT_UNSAFE_EVAL,
  PLAIN_URL_SCHEMES,
  PLAIN_WILDCARD,
  SCRIPT_ALLOWLIST_BYPASS,
  OBJECT_ALLOWLIST_BYPASS,
  NONCE_LENGTH,
  IP_SOURCE,
  DEPRECATED_DIRECTIVE,
  SRC_HTTP,
  SRC_NO_PROTOCOL,
  EXPERIMENTAL,
  WILDCARD_URL,
  X_FRAME_OPTIONS_OBSOLETED,
  STYLE_UNSAFE_INLINE,
  STATIC_NONCE,
  SCRIPT_UNSAFE_HASHES,

  // Strict dynamic and backward compatibility checks
  STRICT_DYNAMIC = 400,
  STRICT_DYNAMIC_NOT_STANDALONE,
  NONCE_HASH,
  UNSAFE_INLINE_FALLBACK,
  ALLOWLIST_FALLBACK,
  IGNORED,

  // Trusted Types checks
  REQUIRE_TRUSTED_TYPES_FOR_SCRIPTS = 500,

  // Lighthouse checks
  REPORTING_DESTINATION_MISSING = 600,
  REPORT_TO_ONLY,
}