Adding nonce attrs to external scripts where their host hasnt been defined in the CSP already (#27)

* Adding nonce attrs to external scripts where their host hasnt been defined in the CSP already

* Making sure that nonces are included when strict-dynamic is set, even if the domain has been whitelisted. Also validating static sources

Author: AnujRNair

package.json

@@ -7,7 +7,7 @@
     "eslint": "eslint .",
     "eslint:fix": "eslint . --fix",
     "jest": "jest --config=./jest.config.js plugin.jest.js",
-    "jest:watch": "jest --watch --config=./jest.config.js plugin.jest.js",
+    "jest:watch": "jest --watch --verbose=false --config=./jest.config.js plugin.jest.js",
     "jest:coverage:generate": "jest --coverage --config=./jest.config.js plugin.jest.js",
     "jest:coverage:clean": "rm -rf ./coverage",
     "jest:coverage:upload": "npx codecov --token=252086ef-c14d-4f29-ab36-720265249fa2",

plugin.jest.js

@@ -1,4 +1,5 @@
 const path = require('path');
+const crypto = require('crypto');
 const HtmlWebpackPlugin = require('html-webpack-plugin');
 const {
   WEBPACK_OUTPUT_DIR,
@@ -8,6 +9,21 @@ const {
 const CspHtmlWebpackPlugin = require('./plugin');
 
 describe('CspHtmlWebpackPlugin', () => {
+  beforeEach(() => {
+    jest
+      .spyOn(crypto, 'randomBytes')
+      .mockImplementationOnce(() => 'mockedbase64string-1')
+      .mockImplementationOnce(() => 'mockedbase64string-2')
+      .mockImplementationOnce(() => 'mockedbase64string-3')
+      .mockImplementation(
+        () => new Error('Need to add more crypto.randomBytes mocks')
+      );
+  });
+
+  afterEach(() => {
+    crypto.randomBytes.mockReset();
+  });
+
   describe('Error checking', () => {
     it('throws an error if an invalid hashing method is used', () => {
       expect(() => {
@@ -20,10 +36,85 @@ describe('CspHtmlWebpackPlugin', () => {
         );
       }).toThrow(new Error(`'invalid' is not a valid hashing method`));
     });
+
+    describe('validatePolicy', () => {
+      [
+        'self',
+        'unsafe-inline',
+        'unsafe-eval',
+        'none',
+        'strict-dynamic',
+        'report-sample'
+      ].forEach(source => {
+        it(`throws an error if '${source}' is not wrapped in apostrophes in an array defined policy`, done => {
+          const config = createWebpackConfig([
+            new HtmlWebpackPlugin({
+              filename: path.join(WEBPACK_OUTPUT_DIR, 'index.html'),
+              template: path.join(
+                __dirname,
+                'test-utils',
+                'fixtures',
+                'with-nothing.html'
+              )
+            }),
+            new CspHtmlWebpackPlugin({
+              'script-src': [source]
+            })
+          ]);
+
+          webpackCompile(
+            config,
+            (_1, _2, _3, errors) => {
+              expect(errors[0]).toEqual(
+                new Error(
+                  `CSP: policy for script-src contains ${source} which should be wrapped in apostrophes`
+                )
+              );
+              done();
+            },
+            {
+              expectError: true
+            }
+          );
+        });
+
+        it(`throws an error if '${source}' is not wrapped in apostrophes in a string defined policy`, done => {
+          const config = createWebpackConfig([
+            new HtmlWebpackPlugin({
+              filename: path.join(WEBPACK_OUTPUT_DIR, 'index.html'),
+              template: path.join(
+                __dirname,
+                'test-utils',
+                'fixtures',
+                'with-nothing.html'
+              )
+            }),
+            new CspHtmlWebpackPlugin({
+              'script-src': source
+            })
+          ]);
+
+          webpackCompile(
+            config,
+            (_1, _2, _3, errors) => {
+              expect(errors[0]).toEqual(
+                new Error(
+                  `CSP: policy for script-src contains ${source} which should be wrapped in apostrophes`
+                )
+              );
+              done();
+            },
+            {
+              expectError: true
+            }
+          );
+        });
+      });
+    });
   });
 
-  describe('Adding sha checksums', () => {
-    it('inserts the default policy, including sha-256 hashes of other inline scripts and styles found', done => {
+  describe('Adding sha and nonce checksums', () => {
+    it('inserts the default policy, including sha-256 hashes of other inline scripts and styles found, and nonce hashes of external scripts found', done => {
       const config = createWebpackConfig([
         new HtmlWebpackPlugin({
           filename: path.join(WEBPACK_OUTPUT_DIR, 'index.html'),
@@ -41,8 +132,8 @@ describe('CspHtmlWebpackPlugin', () => {
         const expected =
           "base-uri 'self';" +
           " object-src 'none';" +
-          " script-src 'unsafe-inline' 'self' 'unsafe-eval' 'sha256-ixjZMYNfWQWawUHioWOx2jBsTmfxucX7IlwsMt2jWvc=';" +
-          " style-src 'unsafe-inline' 'self' 'unsafe-eval' 'sha256-MqG77yUiqBo4MMVZAl09WSafnQY4Uu3cSdZPKxaf9sQ='";
+          " script-src 'unsafe-inline' 'self' 'unsafe-eval' 'sha256-ixjZMYNfWQWawUHioWOx2jBsTmfxucX7IlwsMt2jWvc=' 'nonce-mockedbase64string-1' 'nonce-mockedbase64string-2';" +
+          " style-src 'unsafe-inline' 'self' 'unsafe-eval' 'sha256-MqG77yUiqBo4MMVZAl09WSafnQY4Uu3cSdZPKxaf9sQ=' 'nonce-mockedbase64string-3'";
 
         expect(csps['index.html']).toEqual(expected);
         done();
@@ -73,7 +164,7 @@ describe('CspHtmlWebpackPlugin', () => {
         const expected =
           "base-uri 'self' https://slack.com;" +
           " object-src 'none';" +
-          " script-src 'self';" +
+          " script-src 'self' 'nonce-mockedbase64string-1';" +
           " style-src 'self';" +
           " font-src 'self' 'https://a-slack-edge.com';" +
           " connect-src 'self'";
@@ -83,7 +174,7 @@ describe('CspHtmlWebpackPlugin', () => {
       });
     });
 
-    it('handles string values for policies where the hash is appended', done => {
+    it('handles string values for policies where hashes and nonces are appended', done => {
       const config = createWebpackConfig([
         new HtmlWebpackPlugin({
           filename: path.join(WEBPACK_OUTPUT_DIR, 'index.html'),
@@ -104,14 +195,116 @@ describe('CspHtmlWebpackPlugin', () => {
         const expected =
           "base-uri 'self';" +
           " object-src 'none';" +
-          " script-src 'self' 'sha256-ixjZMYNfWQWawUHioWOx2jBsTmfxucX7IlwsMt2jWvc=';" +
-          " style-src 'self' 'sha256-MqG77yUiqBo4MMVZAl09WSafnQY4Uu3cSdZPKxaf9sQ='";
+          " script-src 'self' 'sha256-ixjZMYNfWQWawUHioWOx2jBsTmfxucX7IlwsMt2jWvc=' 'nonce-mockedbase64string-1' 'nonce-mockedbase64string-2';" +
+          " style-src 'self' 'sha256-MqG77yUiqBo4MMVZAl09WSafnQY4Uu3cSdZPKxaf9sQ=' 'nonce-mockedbase64string-3'";
 
         expect(csps['index.html']).toEqual(expected);
         done();
       });
     });
 
+    it("doesn't add nonces for scripts / styles generated where their host has already been defined in the CSP, and 'strict-dynamic' doesn't exist in the policy", done => {
+      const config = createWebpackConfig(
+        [
+          new HtmlWebpackPlugin({
+            filename: path.join(WEBPACK_OUTPUT_DIR, 'index.html'),
+            template: path.join(
+              __dirname,
+              'test-utils',
+              'fixtures',
+              'with-script-and-style.html'
+            )
+          }),
+          new CspHtmlWebpackPlugin({
+            'script-src': ["'self'", 'https://my.cdn.com'],
+            'style-src': ["'self'"]
+          })
+        ],
+        'https://my.cdn.com/'
+      );
+
+      webpackCompile(config, (csps, selectors) => {
+        const $ = selectors['index.html'];
+        const expected =
+          "base-uri 'self';" +
+          " object-src 'none';" +
+          " script-src 'self' https://my.cdn.com 'sha256-ixjZMYNfWQWawUHioWOx2jBsTmfxucX7IlwsMt2jWvc=' 'nonce-mockedbase64string-1';" +
+          " style-src 'self' 'sha256-MqG77yUiqBo4MMVZAl09WSafnQY4Uu3cSdZPKxaf9sQ=' 'nonce-mockedbase64string-2'";
+
+        // csp should be defined properly
+        expect(csps['index.html']).toEqual(expected);
+
+        // script with host not defined should have nonce defined, and correct
+        expect($('script')[0].attribs.src).toEqual(
+          'https://example.com/example.js'
+        );
+        expect($('script')[0].attribs.nonce).toEqual('mockedbase64string-1');
+
+        // inline script, so no nonce
+        expect($('script')[1].attribs).toEqual({});
+
+        // script with host defined should not have a nonce
+        expect($('script')[2].attribs.src).toEqual(
+          'https://my.cdn.com/index.bundle.js'
+        );
+        expect(Object.keys($('script')[2].attribs)).not.toContain('nonce');
+
+        done();
+      });
+    });
+
+    it("continues to add nonces to scripts / styles even if the host has already been whitelisted due to 'strict-dynamic' existing in the policy", done => {
+      const config = createWebpackConfig(
+        [
+          new HtmlWebpackPlugin({
+            filename: path.join(WEBPACK_OUTPUT_DIR, 'index.html'),
+            template: path.join(
+              __dirname,
+              'test-utils',
+              'fixtures',
+              'with-script-and-style.html'
+            )
+          }),
+          new CspHtmlWebpackPlugin({
+            'script-src': ["'self'", "'strict-dynamic'", 'https://my.cdn.com'],
+            'style-src': ["'self'"]
+          })
+        ],
+        'https://my.cdn.com/'
+      );
+
+      webpackCompile(config, (csps, selectors) => {
+        const $ = selectors['index.html'];
+
+        // 'strict-dynamic' should be at the end of the script-src here
+        const expected =
+          "base-uri 'self';" +
+          " object-src 'none';" +
+          " script-src 'self' https://my.cdn.com 'sha256-ixjZMYNfWQWawUHioWOx2jBsTmfxucX7IlwsMt2jWvc=' 'nonce-mockedbase64string-1' 'nonce-mockedbase64string-2' 'strict-dynamic';" +
+          " style-src 'self' 'sha256-MqG77yUiqBo4MMVZAl09WSafnQY4Uu3cSdZPKxaf9sQ=' 'nonce-mockedbase64string-3'";
+
+        // csp should be defined properly
+        expect(csps['index.html']).toEqual(expected);
+
+        // script with host not defined should have nonce defined, and correct
+        expect($('script')[0].attribs.src).toEqual(
+          'https://example.com/example.js'
+        );
+        expect($('script')[0].attribs.nonce).toEqual('mockedbase64string-1');
+
+        // inline script, so no nonce
+        expect($('script')[1].attribs).toEqual({});
+
+        // script with host defined should also have a nonce
+        expect($('script')[2].attribs.src).toEqual(
+          'https://my.cdn.com/index.bundle.js'
+        );
+        expect($('script')[2].attribs.nonce).toEqual('mockedbase64string-2');
+
+        done();
+      });
+    });
+
     describe('HtmlWebpackPlugin defined policy', () => {
       it('inserts a custom policy from a specific HtmlWebpackPlugin instance, if one is defined', done => {
         const config = createWebpackConfig([
@@ -140,7 +333,7 @@ describe('CspHtmlWebpackPlugin', () => {
           const expected =
             "base-uri 'self' https://slack.com;" +
             " object-src 'none';" +
-            " script-src 'self';" +
+            " script-src 'self' 'nonce-mockedbase64string-1';" +
             " style-src 'self';" +
             " font-src 'self' 'https://a-slack-edge.com';" +
             " connect-src 'self'";
@@ -179,7 +372,7 @@ describe('CspHtmlWebpackPlugin', () => {
           const expected =
             "base-uri 'self' https://slack.com;" + // this should be included as it's not defined in the HtmlWebpackPlugin instance
             " object-src 'none';" + // this comes from the default policy
-            " script-src 'unsafe-inline' 'self' 'unsafe-eval';" + // this comes from the default policy
+            " script-src 'unsafe-inline' 'self' 'unsafe-eval' 'nonce-mockedbase64string-1';" + // this comes from the default policy
             " style-src 'unsafe-inline' 'self' 'unsafe-eval';" + // this comes from the default policy
             " font-src 'https://a-slack-edge.com' 'https://b-slack-edge.com'"; // this should only include the HtmlWebpackPlugin instance policy
 
@@ -221,13 +414,13 @@ describe('CspHtmlWebpackPlugin', () => {
           const expectedCustom =
             "base-uri 'self';" +
             " object-src 'none';" +
-            " script-src 'https://a-slack-edge.com';" +
+            " script-src 'https://a-slack-edge.com' 'nonce-mockedbase64string-1';" +
             " style-src 'https://b-slack-edge.com'";
 
           const expectedDefault =
             "base-uri 'self';" +
             " object-src 'none';" +
-            " script-src 'unsafe-inline' 'self' 'unsafe-eval';" +
+            " script-src 'unsafe-inline' 'self' 'unsafe-eval' 'nonce-mockedbase64string-2';" +
             " style-src 'unsafe-inline' 'self' 'unsafe-eval'";
 
           expect(csps['index-csp.html']).toEqual(expectedCustom);
@@ -238,7 +431,7 @@ describe('CspHtmlWebpackPlugin', () => {
     });
 
     describe('unsafe-inline / unsafe-eval', () => {
-      it('skips the hashing of the scripts and styles it finds if devAllowUnsafe is true', done => {
+      it('skips the hashing / nonceing of the scripts and styles it finds if devAllowUnsafe is true', done => {
         const config = createWebpackConfig([
           new HtmlWebpackPlugin({
             filename: path.join(WEBPACK_OUTPUT_DIR, 'index.html'),
@@ -275,7 +468,7 @@ describe('CspHtmlWebpackPlugin', () => {
         });
       });
 
-      it('continues hashing scripts and styles if unsafe-inline/unsafe-eval is included, but devAllowUnsafe is false', done => {
+      it('continues hashing / nonceing scripts and styles if unsafe-inline/unsafe-eval is included, but devAllowUnsafe is false', done => {
         const config = createWebpackConfig([
           new HtmlWebpackPlugin({
             filename: path.join(WEBPACK_OUTPUT_DIR, 'index.html'),
@@ -303,8 +496,8 @@ describe('CspHtmlWebpackPlugin', () => {
           const expected =
             "base-uri 'self' https://slack.com;" +
             " object-src 'none';" +
-            " script-src 'self' 'unsafe-inline' 'sha256-ixjZMYNfWQWawUHioWOx2jBsTmfxucX7IlwsMt2jWvc=';" +
-            " style-src 'self' 'unsafe-eval' 'sha256-MqG77yUiqBo4MMVZAl09WSafnQY4Uu3cSdZPKxaf9sQ=';" +
+            " script-src 'self' 'unsafe-inline' 'sha256-ixjZMYNfWQWawUHioWOx2jBsTmfxucX7IlwsMt2jWvc=' 'nonce-mockedbase64string-1' 'nonce-mockedbase64string-2';" +
+            " style-src 'self' 'unsafe-eval' 'sha256-MqG77yUiqBo4MMVZAl09WSafnQY4Uu3cSdZPKxaf9sQ=' 'nonce-mockedbase64string-3';" +
             " font-src 'self' 'https://a-slack-edge.com'";
 
           expect(csps['index.html']).toEqual(expected);
@@ -446,7 +639,7 @@ describe('CspHtmlWebpackPlugin', () => {
         const expected =
           "base-uri 'self';" +
           " object-src 'none';" +
-          " script-src 'unsafe-inline' 'self' 'unsafe-eval';" +
+          " script-src 'unsafe-inline' 'self' 'unsafe-eval' 'nonce-mockedbase64string-1';" +
           " style-src 'unsafe-inline' 'self' 'unsafe-eval'";
 
         expect(csps['index.html']).toEqual(expected);
@@ -472,7 +665,7 @@ describe('CspHtmlWebpackPlugin', () => {
         const expected =
           "base-uri 'self';" +
           " object-src 'none';" +
-          " script-src 'unsafe-inline' 'self' 'unsafe-eval';" +
+          " script-src 'unsafe-inline' 'self' 'unsafe-eval' 'nonce-mockedbase64string-1';" +
           " style-src 'unsafe-inline' 'self' 'unsafe-eval'";
 
         expect(csps['index.html']).toEqual(expected);
@@ -492,7 +685,7 @@ describe('CspHtmlWebpackPlugin', () => {
         const expected =
           "base-uri 'self';" +
           " object-src 'none';" +
-          " script-src 'unsafe-inline' 'self' 'unsafe-eval';" +
+          " script-src 'unsafe-inline' 'self' 'unsafe-eval' 'nonce-mockedbase64string-1';" +
           " style-src 'unsafe-inline' 'self' 'unsafe-eval'";
 
         expect(csps['index.html']).toEqual(expected);