Comparing version 10.0.2 to 10.0.3
@@ -32,6 +32,11 @@ 'use strict' | ||
// options used for calculating stream. can't be changed. | ||
const algorithms = opts?.algorithms || DEFAULT_ALGORITHMS | ||
this.algorithms = Array.from( | ||
new Set(algorithms.concat(this.algorithm ? [this.algorithm] : [])) | ||
) | ||
if (opts?.algorithms) { | ||
this.algorithms = [...opts.algorithms] | ||
} else { | ||
this.algorithms = [...DEFAULT_ALGORITHMS] | ||
} | ||
if (this.algorithm !== null && !this.algorithms.includes(this.algorithm)) { | ||
this.algorithms.push(this.algorithm) | ||
} | ||
this.hashes = this.algorithms.map(crypto.createHash) | ||
@@ -44,4 +49,13 @@ } | ||
this.expectedSize = this.opts?.size | ||
this.goodSri = this.sri ? !!Object.keys(this.sri).length : false | ||
this.algorithm = this.goodSri ? this.sri.pickAlgorithm(this.opts) : null | ||
if (!this.sri) { | ||
this.algorithm = null | ||
} else if (this.sri.isHash) { | ||
this.goodSri = true | ||
this.algorithm = this.sri.algorithm | ||
} else { | ||
this.goodSri = !this.sri.isEmpty() | ||
this.algorithm = this.sri.pickAlgorithm(this.opts) | ||
} | ||
this.digests = this.goodSri ? this.sri[this.algorithm] : null | ||
@@ -164,2 +178,25 @@ this.optString = getOptString(this.opts?.options) | ||
match (integrity, opts) { | ||
const other = parse(integrity, opts) | ||
if (!other) { | ||
return false | ||
} | ||
if (other.isIntegrity) { | ||
const algo = other.pickAlgorithm(opts, [this.algorithm]) | ||
if (!algo) { | ||
return false | ||
} | ||
const foundHash = other[algo].find(hash => hash.digest === this.digest) | ||
if (foundHash) { | ||
return foundHash | ||
} | ||
return false | ||
} | ||
return other.digest === this.digest ? other : false | ||
} | ||
toString (opts) { | ||
@@ -291,4 +328,5 @@ if (opts?.strict) { | ||
} | ||
const algo = other.pickAlgorithm(opts) | ||
const algo = other.pickAlgorithm(opts, Object.keys(this)) | ||
return ( | ||
!!algo && | ||
this[algo] && | ||
@@ -304,8 +342,18 @@ other[algo] && | ||
pickAlgorithm (opts) { | ||
// Pick the highest priority algorithm present, optionally also limited to a | ||
// set of hashes found in another integrity. When limiting it may return | ||
// nothing. | ||
pickAlgorithm (opts, hashes) { | ||
const pickAlgorithm = opts?.pickAlgorithm || getPrioritizedHash | ||
const keys = Object.keys(this) | ||
return keys.reduce((acc, algo) => { | ||
return pickAlgorithm(acc, algo) || acc | ||
const keys = Object.keys(this).filter(k => { | ||
if (hashes?.length) { | ||
return hashes.includes(k) | ||
} | ||
return true | ||
}) | ||
if (keys.length) { | ||
return keys.reduce((acc, algo) => pickAlgorithm(acc, algo) || acc) | ||
} | ||
// no intersection between this and hashes, | ||
return null | ||
} | ||
@@ -373,3 +421,3 @@ } | ||
function fromData (data, opts) { | ||
const algorithms = opts?.algorithms || DEFAULT_ALGORITHMS | ||
const algorithms = opts?.algorithms || [...DEFAULT_ALGORITHMS] | ||
const optString = getOptString(opts?.options) | ||
@@ -408,3 +456,3 @@ return algorithms.reduce((acc, algo) => { | ||
istream.on('end', () => resolve(sri)) | ||
istream.on('data', () => {}) | ||
istream.resume() | ||
}) | ||
@@ -476,3 +524,3 @@ } | ||
checker.on('end', () => resolve(verified)) | ||
checker.on('data', () => {}) | ||
checker.resume() | ||
}) | ||
@@ -488,3 +536,3 @@ } | ||
function createIntegrity (opts) { | ||
const algorithms = opts?.algorithms || DEFAULT_ALGORITHMS | ||
const algorithms = opts?.algorithms || [...DEFAULT_ALGORITHMS] | ||
const optString = getOptString(opts?.options) | ||
@@ -524,3 +572,3 @@ | ||
const NODE_HASHES = new Set(crypto.getHashes()) | ||
const NODE_HASHES = crypto.getHashes() | ||
@@ -535,3 +583,3 @@ // This is a Best Effort™ at a reasonable priority for hash algos | ||
'sha3_256', 'sha3_384', 'sha3_512', | ||
].filter(algo => NODE_HASHES.has(algo)) | ||
].filter(algo => NODE_HASHES.includes(algo)) | ||
@@ -538,0 +586,0 @@ function getPrioritizedHash (algo1, algo2) { |
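Review bot: In pickAlgorithm the `hashes?.length` guard makes an empty `hashes` array mean "no restriction" rather than "nothing allowed", so Integrity.match calling `other.pickAlgorithm(opts, Object.keys(this))` on an empty integrity gets other's best algorithm back and only fails later at `this[algo] &&`; the new comment above the method should say so, e.g. `// An absent or empty hashes list means no restriction; a non-empty list limits the pick to its intersection with this integrity's algorithms, and may yield null.` The restriction also changes what a match means: the old `other.pickAlgorithm(opts)` picked other's strongest algorithm and the comparison failed when `this` lacked it, whereas the new code picks the strongest algorithm both sides share, so two integrities that overlap only on a weaker hash now match on that hash. That is presumably the intent, but it belongs in the docs of both match methods so callers know the effective strength of a match is bounded by the weaker side. Hash.match and pickAlgorithm are complete within their hunks; the Integrity.match hunk shows only part of that method.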
{ | ||
"name": "ssri", | ||
"version": "10.0.2", | ||
"version": "10.0.3", | ||
"description": "Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.", | ||
@@ -5,0 +5,0 @@ "main": "lib/index.js", |
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but they do indicate a change to the security surface area of a package.
Found 1 instance in 1 package