csp_evaluator
Advanced tools
csp_evaluator - npm Package Compare versions
Comparing version 1.1.0 to 1.1.1
@@ -87,3 +87,2 @@ {"needsEval": | ||
| "//widgets.pinterest.com/v3/pidgets/boards/ciciwin/hedgehog-squirrel-crafts/pins/", | ||
| "//appcenter.intuit.com/Account/LogoutJSONP", | ||
| "//www.linkedin.com/countserv/count/share", | ||
@@ -90,0 +89,0 @@ "//se.wikipedia.org/w/api.php", |
@@ -120,3 +120,2 @@ /** | ||
| '//widgets.pinterest.com/v3/pidgets/boards/ciciwin/hedgehog-squirrel-crafts/pins/', | ||
| '//appcenter.intuit.com/Account/LogoutJSONP', | ||
| '//www.linkedin.com/countserv/count/share', | ||
@@ -123,0 +122,0 @@ '//se.wikipedia.org/w/api.php', |
@@ -269,3 +269,3 @@ /** | ||
| Type.SCRIPT_ALLOWLIST_BYPASS, | ||
| `'self' can be problematic if you host JSONP, Angular or user ` + | ||
| `'self' can be problematic if you host JSONP, AngularJS or user ` + | ||
| 'uploaded files.', | ||
@@ -272,0 +272,0 @@ Severity.MEDIUM_MAYBE, effectiveScriptSrcDirective, value)); |
@@ -216,3 +216,5 @@ /** | ||
| UNSAFE_HASHES = '\'unsafe-hashes\'', | ||
| REPORT_SAMPLE = '\'report-sample\'' | ||
| REPORT_SAMPLE = '\'report-sample\'', | ||
| BLOCK = '\'block\'', | ||
| ALLOW = '\'allow\'', | ||
| } | ||
@@ -266,2 +268,3 @@ | ||
| FRAME_ANCESTORS = 'frame-ancestors', | ||
| NAVIGATE_TO = 'navigate-to', | ||
@@ -280,3 +283,4 @@ // Reporting directives | ||
| // https://github.com/WICG/trusted-types | ||
| REQUIRE_TRUSTED_TYPES_FOR = 'require-trusted-types-for' | ||
| REQUIRE_TRUSTED_TYPES_FOR = 'require-trusted-types-for', | ||
| WEBRTC = 'webrtc', | ||
| } | ||
@@ -283,0 +287,0 @@ |
@@ -84,3 +84,2 @@ "use strict"; | ||
| '//widgets.pinterest.com/v3/pidgets/boards/ciciwin/hedgehog-squirrel-crafts/pins/', | ||
| '//appcenter.intuit.com/Account/LogoutJSONP', | ||
| '//www.linkedin.com/countserv/count/share', | ||
@@ -87,0 +86,0 @@ '//se.wikipedia.org/w/api.php', |
@@ -140,3 +140,3 @@ "use strict"; | ||
| if (value === csp_1.Keyword.SELF) { | ||
| violations.push(new finding_1.Finding(finding_1.Type.SCRIPT_ALLOWLIST_BYPASS, `'self' can be problematic if you host JSONP, Angular or user ` + | ||
| violations.push(new finding_1.Finding(finding_1.Type.SCRIPT_ALLOWLIST_BYPASS, `'self' can be problematic if you host JSONP, AngularJS or user ` + | ||
| 'uploaded files.', finding_1.Severity.MEDIUM_MAYBE, effectiveScriptSrcDirective, value)); | ||
@@ -143,0 +143,0 @@ continue; |
@@ -23,3 +23,5 @@ import { Finding } from './finding'; | ||
| UNSAFE_HASHES = "'unsafe-hashes'", | ||
| REPORT_SAMPLE = "'report-sample'" | ||
| REPORT_SAMPLE = "'report-sample'", | ||
| BLOCK = "'block'", | ||
| ALLOW = "'allow'" | ||
| } | ||
@@ -53,2 +55,3 @@ export declare enum TrustedTypesSink { | ||
| FRAME_ANCESTORS = "frame-ancestors", | ||
| NAVIGATE_TO = "navigate-to", | ||
| REPORT_TO = "report-to", | ||
@@ -62,3 +65,4 @@ REPORT_URI = "report-uri", | ||
| TRUSTED_TYPES = "trusted-types", | ||
| REQUIRE_TRUSTED_TYPES_FOR = "require-trusted-types-for" | ||
| REQUIRE_TRUSTED_TYPES_FOR = "require-trusted-types-for", | ||
| WEBRTC = "webrtc" | ||
| } | ||
@@ -65,0 +69,0 @@ export declare const FETCH_DIRECTIVES: Directive[]; |
@@ -119,2 +119,4 @@ "use strict"; | ||
| Keyword["REPORT_SAMPLE"] = "'report-sample'"; | ||
| Keyword["BLOCK"] = "'block'"; | ||
| Keyword["ALLOW"] = "'allow'"; | ||
| })(Keyword = exports.Keyword || (exports.Keyword = {})); | ||
@@ -150,2 +152,3 @@ var TrustedTypesSink; | ||
| Directive["FRAME_ANCESTORS"] = "frame-ancestors"; | ||
| Directive["NAVIGATE_TO"] = "navigate-to"; | ||
| Directive["REPORT_TO"] = "report-to"; | ||
@@ -160,2 +163,3 @@ Directive["REPORT_URI"] = "report-uri"; | ||
| Directive["REQUIRE_TRUSTED_TYPES_FOR"] = "require-trusted-types-for"; | ||
| Directive["WEBRTC"] = "webrtc"; | ||
| })(Directive = exports.Directive || (exports.Directive = {})); | ||
@@ -162,0 +166,0 @@ exports.FETCH_DIRECTIVES = [ |
@@ -59,2 +59,8 @@ "use strict"; | ||
| }); | ||
| it('GetHostnamePort', () => { | ||
| expect(utils_1.getHostname('https://www.google.com:8080')).toBe('www.google.com'); | ||
| }); | ||
| it('GetHostnameWildcardPort', () => { | ||
| expect(utils_1.getHostname('https://www.google.com:*')).toBe('www.google.com'); | ||
| }); | ||
| it('GetHostnameNoProtocol', () => { | ||
@@ -61,0 +67,0 @@ expect(utils_1.getHostname('www.google.com')).toBe('www.google.com'); |
@@ -12,3 +12,5 @@ "use strict"; | ||
| const hostname = new URL('https://' + | ||
| getSchemeFreeUrl(url).replace('*', 'wildcard_placeholder')) | ||
| getSchemeFreeUrl(url) | ||
| .replace(':*', '') | ||
| .replace('*', 'wildcard_placeholder')) | ||
| .hostname.replace('wildcard_placeholder', '*'); | ||
@@ -29,3 +31,5 @@ const ipv6Regex = /^\[[\d:]+\]/; | ||
| function matchWildcardUrls(cspUrlString, listOfUrlStrings) { | ||
| const cspUrl = new URL(setScheme(cspUrlString.replace('*', 'wildcard_placeholder'))); | ||
| const cspUrl = new URL(setScheme(cspUrlString | ||
| .replace(':*', '') | ||
| .replace('*', 'wildcard_placeholder'))); | ||
| const listOfUrls = listOfUrlStrings.map(u => new URL(setScheme(u))); | ||
@@ -32,0 +36,0 @@ const host = cspUrl.hostname.toLowerCase(); |
| { | ||
| "name": "csp_evaluator", | ||
| "version": "1.1.0", | ||
| "version": "1.1.1", | ||
| "description": "Evaluate Content Security Policies for a wide range of bypasses and weaknesses", | ||
@@ -5,0 +5,0 @@ "main": "dist/evaluator.js", |
@@ -88,2 +88,10 @@ /** | ||
| it('GetHostnamePort', () => { | ||
| expect(getHostname('https://www.google.com:8080')).toBe('www.google.com'); | ||
| }); | ||
| it('GetHostnameWildcardPort', () => { | ||
| expect(getHostname('https://www.google.com:*')).toBe('www.google.com'); | ||
| }); | ||
| it('GetHostnameNoProtocol', () => { | ||
@@ -90,0 +98,0 @@ expect(getHostname('www.google.com')).toBe('www.google.com'); |
@@ -45,3 +45,5 @@ /** | ||
| 'https://' + | ||
| getSchemeFreeUrl(url).replace('*', 'wildcard_placeholder')) | ||
| getSchemeFreeUrl(url) | ||
| .replace(':*', '') // Remove wildcard port | ||
| .replace('*', 'wildcard_placeholder')) | ||
| .hostname.replace('wildcard_placeholder', '*'); | ||
@@ -82,3 +84,5 @@ | ||
| const cspUrl = | ||
| new URL(setScheme(cspUrlString.replace('*', 'wildcard_placeholder'))); | ||
| new URL(setScheme(cspUrlString | ||
| .replace(':*', '') // Remove wildcard port | ||
| .replace('*', 'wildcard_placeholder'))); | ||
| const listOfUrls = listOfUrlStrings.map(u => new URL(setScheme(u))); | ||
@@ -85,0 +89,0 @@ const host = cspUrl.hostname.toLowerCase(); |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by0.34%
404552
- Lines of code
- increased by0.45%
6430