UNPKG

csp_evaluator

Version:

Evaluate Content Security Policies for a wide range of bypasses and weaknesses

csp-evaluator.withgoogle.com

google/csp-evaluator

144 lines (131 loc) 4.75 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
/** * @fileoverview CSP checks as used by Lighthouse. These checks tend to be a * stricter subset of the other checks defined in this project. */ import {CheckerFunction} from '../checks/checker'; import {checkInvalidKeyword, checkMissingSemicolon, checkUnknownDirective} from '../checks/parser_checks'; import {checkDeprecatedDirective, checkMissingObjectSrcDirective, checkMissingScriptSrcDirective, checkMultipleMissingBaseUriDirective, checkNonceLength, checkPlainUrlSchemes, checkScriptUnsafeInline, checkWildcards} from '../checks/security_checks'; import {checkAllowlistFallback, checkStrictDynamic, checkUnsafeInlineFallback} from '../checks/strictcsp_checks'; import {Csp, Directive, Version} from '../csp'; import {Finding} from '../finding'; interface Equalable { equals(a: unknown): boolean; } function arrayContains<T extends Equalable>(arr: T[], elem: T) { return arr.some(e => e.equals(elem)); } /** * Computes the intersection of all of the given sets using the `equals(...)` * method to compare items. */ function setIntersection<T extends Equalable>(sets: T[][]): T[] { const intersection: T[] = []; if (sets.length === 0) { return intersection; } const firstSet = sets[0]; for (const elem of firstSet) { if (sets.every(set => arrayContains(set, elem))) { intersection.push(elem); } } return intersection; } /** * Computes the union of all of the given sets using the `equals(...)` method to * compare items. */ function setUnion<T extends Equalable>(sets: T[][]): T[] { const union: T[] = []; for (const set of sets) { for (const elem of set) { if (!arrayContains(union, elem)) { union.push(elem); } } } return union; } /** * Checks if *any* of the given policies pass the given checker. If at least one * passes, returns no findings. Otherwise, returns the list of findings from the * first one that had any findings. */ function atLeastOnePasses( parsedCsps: Csp[], checker: CheckerFunction): Finding[] { const findings: Finding[][] = []; for (const parsedCsp of parsedCsps) { findings.push(checker(parsedCsp)); } return setIntersection(findings); } /** * Checks if *any* of the given policies fail the given checker. Returns the * list of findings from the one that had the most findings. */ function atLeastOneFails( parsedCsps: Csp[], checker: CheckerFunction): Finding[] { const findings: Finding[][] = []; for (const parsedCsp of parsedCsps) { findings.push(checker(parsedCsp)); } return setUnion(findings); } /** * Evaluate the given list of CSPs for checks that should cause Lighthouse to * mark the CSP as failing. Returns only the first set of failures. */ export function evaluateForFailure(parsedCsps: Csp[]): Finding[] { // Check #1 const targetsXssFindings = [ ...atLeastOnePasses(parsedCsps, checkMissingScriptSrcDirective), ...atLeastOnePasses(parsedCsps, checkMissingObjectSrcDirective), ...checkMultipleMissingBaseUriDirective(parsedCsps), ]; // Check #2 const effectiveCsps = parsedCsps.map(csp => csp.getEffectiveCsp(Version.CSP3)); const effectiveCspsWithScript = effectiveCsps.filter(csp => { const directiveName = csp.getEffectiveDirective(Directive.SCRIPT_SRC); return csp.directives[directiveName]; }); const robust = [ ...atLeastOnePasses(effectiveCspsWithScript, checkStrictDynamic), ...atLeastOnePasses(effectiveCspsWithScript, checkScriptUnsafeInline), ...atLeastOnePasses(effectiveCsps, checkWildcards), ...atLeastOnePasses(effectiveCsps, checkPlainUrlSchemes), ]; return [...targetsXssFindings, ...robust]; } /** * Evaluate the given list of CSPs for checks that should cause Lighthouse to * mark the CSP as OK, but present a warning. Returns only the first set of * failures. */ export function evaluateForWarnings(parsedCsps: Csp[]): Finding[] { // Check #1 is implemented by Lighthouse directly // Check #2 is no longer used in Lighthouse. // Check #3 return [ ...atLeastOneFails(parsedCsps, checkUnsafeInlineFallback), ...atLeastOneFails(parsedCsps, checkAllowlistFallback) ]; } /** * Evaluate the given list of CSPs for syntax errors. Returns a list of the same * length as parsedCsps where each item in the list is the findings for the * matching Csp. */ export function evaluateForSyntaxErrors(parsedCsps: Csp[]): Finding[][] { // Check #4 const allFindings: Finding[][] = []; for (const csp of parsedCsps) { const findings = [ ...checkNonceLength(csp), ...checkUnknownDirective(csp), ...checkDeprecatedDirective(csp), ...checkMissingSemicolon(csp), ...checkInvalidKeyword(csp) ]; allFindings.push(findings); } return allFindings; }