1 | <img align="right" src="https://cdn.rawgit.com/mikesamuel/template-tag-common/7f0159bda72d616af30645d49c3c9203c963c0a6/images/logo.png" alt="Sisyphus Logo">
|
2 |
|
3 | # Web Contract Types
|
4 |
|
5 | [![Build Status](https://travis-ci.org/mikesamuel/web-contract-types.svg?branch=master)](https://travis-ci.org/mikesamuel/web-contract-types)
|
6 | [![Dependencies Status](https://david-dm.org/mikesamuel/web-contract-types/status.svg)](https://david-dm.org/mikesamuel/web-contract-types)
|
7 | [![npm](https://img.shields.io/npm/v/web-contract-types.svg)](https://www.npmjs.com/package/web-contract-types)
|
8 | [![Coverage Status](https://coveralls.io/repos/github/mikesamuel/web-contract-types/badge.svg?branch=master)](https://coveralls.io/github/mikesamuel/web-contract-types?branch=master)
|
9 | [![Install Size](https://packagephobia.now.sh/badge?p=web-contract-types)](https://packagephobia.now.sh/result?p=web-contract-types)
|
10 | [![Known Vulnerabilities](https://snyk.io/test/github/mikesamuel/web-contract-types/badge.svg?targetFile=package.json)](https://snyk.io/test/github/mikesamuel/web-contract-types?targetFile=package.json)
|
11 |
|
12 | Security contract types for common web application languages: HTML, JavaScript, URLs.
|
13 |
|
14 |
|
15 |
|
16 |
|
17 |
|
18 | * [Installation](#hdr-installation)
|
19 | * [Configuration](#hdr-configuration)
|
20 | * [For applications](#hdr-for-applications)
|
21 | * [For library authors](#hdr-for-library-authors)
|
22 | * [Contracts](#hdr-contracts)
|
23 | * [TrustedHTML](#hdr-trustedhtml)
|
24 | * [TrustedResourceURL](#hdr-trustedresourceurl)
|
25 | * [TrustedScript](#hdr-trustedscript)
|
26 | * [TrustedURL](#hdr-trustedurl)
|
27 | * [Creating Trusted values](#hdr-creating-trusted-values)
|
28 | * [Verifying Trusted values](#hdr-verifying-trusted-values)
|
29 | * [API](#hdr-api)
|
30 | * [class TrustedHTML](#hdr-class-trustedhtml)
|
31 | * [TrustedHTML.concat](#hdr-trustedhtml-concat)
|
32 | * [TrustedHTML.empty](#hdr-trustedhtml-empty)
|
33 | * [TrustedHTML.escape](#hdr-trustedhtml-escape)
|
34 | * [TrustedHTML.fromScript](#hdr-trustedhtml-fromscript)
|
35 | * [class TrustedResourceURL](#hdr-class-trustedresourceurl)
|
36 | * [TrustedResourceURL.fromScript](#hdr-trustedresourceurl-fromscript)
|
37 | * [class TrustedScript](#hdr-class-trustedscript)
|
38 | * [TrustedScript.expressionFromJSON](#hdr-trustedscript-expressionfromjson)
|
39 | * [class TrustedURL](#hdr-class-trustedurl)
|
40 | * [TrustedURL.innocuousURL](#hdr-trustedurl-innocuousurl)
|
41 | * [TrustedURL.sanitize](#hdr-trustedurl-sanitize)
|
42 |
|
43 |
|
44 |
|
45 | ## Installation <a name="hdr-installation"></a>
|
46 |
|
47 | ```bash
|
48 | $ npm install web-contract-types
|
49 | ```
|
50 |
|
51 | ## Configuration <a name="hdr-configuration"></a>
|
52 |
|
53 | ### For applications <a name="hdr-for-applications"></a>
|
54 |
|
55 | These types are [Mintable][] so the application's main module should do some
|
56 | setup to guard which modules can create values that meet a contract.
|
57 |
|
58 | This helps an application team, in conjunction with security specialists,
|
59 | keep a bound on how much code needs review to check that contracts hold.
|
60 |
|
61 | The applications main file should do, as early as possible, something like:
|
62 |
|
63 | ```js
|
64 | // In application main file.
|
65 | require('node-sec-patterns').authorize(require('./package.json'));
|
66 | ```
|
67 |
|
68 | which opts into access checks for mintable type constructors, and
|
69 | tells it to use the "mintable" property of `./package.json` to
|
70 | determine which modules may create which contract types.
|
71 |
|
72 | The APIs below require access to the module's own minters, so the
|
73 | minimal additions to package.json are
|
74 |
|
75 | ```json
|
76 | {
|
77 | ...
|
78 | "mintable": {
|
79 | "grants": {
|
80 | "web-contract-types/TrustedHTML": [ "web-contract-types" ],
|
81 | "web-contract-types/TrustedResourceURL": [ "web-contract-types" ],
|
82 | "web-contract-types/TrustedScript": [ "web-contract-types" ],
|
83 | "web-contract-types/TrustedURL": [ "web-contract-types" ]
|
84 | }
|
85 | }
|
86 | }
|
87 | ```
|
88 |
|
89 | This says "this application trusts module web-contract-types to mint values
|
90 | that meet the contracts "web-contract-types/TrustedHTML", etc. This relies
|
91 | on the fact that `class TrustedHTML` has a static `contractKey` property with
|
92 | the value `"web-contract-types/TrustedHTML"`.
|
93 |
|
94 | This can be a bit verbose, so if you trust the web-contract-types project and
|
95 | its development practices, you can second any grants that it self-nominates for:
|
96 |
|
97 | ```json
|
98 | {
|
99 | ...
|
100 | "mintable": {
|
101 | "grants": {},
|
102 | "second": [
|
103 | "web-contract-types"
|
104 | ]
|
105 | }
|
106 | }
|
107 | ```
|
108 |
|
109 | This says "for each item in
|
110 | `require('web-contract-types/package.json').mintable.selfNominate` add
|
111 | `"web-contract-types"` to that contract keys grant list".
|
112 | If the seconded name ends in `.json` then `/package.json` is not implicitly
|
113 | added to the end, so module authors might provide self-nominates for differing
|
114 | levels of trust.
|
115 |
|
116 | To see what this grants you can do the below, but keep in mind that a
|
117 | package might change its self nominations in future versions so by
|
118 | seconding self-nominated grants you are expressing confidence in
|
119 | future development practices:
|
120 |
|
121 | ```sh
|
122 | $ node -e 'console.log(JSON.stringify(require("web-contract-types/package.json").mintable.selfNominate, null, 2))'
|
123 | ```
|
124 |
|
125 | See [Mintable][] for more details.
|
126 |
|
127 | ### For library authors <a name="hdr-for-library-authors"></a>
|
128 |
|
129 | Library code should *not* call `authorize` as in the example code for
|
130 | application maintainers above.
|
131 |
|
132 | Library code may self nominate by including a list of contract keys
|
133 | that the package needs to mint values for. In package.json
|
134 |
|
135 | ```js
|
136 | {
|
137 | ...
|
138 | "mintable": {
|
139 | "selfNominate": [
|
140 | "contractKey0",
|
141 | "contractKey1"
|
142 | ]
|
143 | }
|
144 | }
|
145 | ```
|
146 |
|
147 | Library authors are responsible for guaranteeing that they only mint
|
148 | values that meet the type's contract even when passed untrusted
|
149 | inputs.
|
150 |
|
151 | Library authors may assume that any inputs that pass a mintable types
|
152 | verifier pass that type's contract, and are not responsible for
|
153 | failure to preserve a contract given a verified input that does not
|
154 | meet its type contract.
|
155 |
|
156 | See [Mintable][] for more details.
|
157 |
|
158 | ## Contracts <a name="hdr-contracts"></a>
|
159 |
|
160 | ### TrustedHTML <a name="hdr-trustedhtml"></a>
|
161 |
|
162 | A string that is safe to use in HTML context in DOM APIs and HTML documents.
|
163 |
|
164 | A TrustedHTML is a string-like object that carries the security type contract
|
165 | that its value as a string will not cause untrusted script execution when
|
166 | evaluated as HTML in a browser.
|
167 |
|
168 | Values of this type are guaranteed to be safe to use in HTML contexts,
|
169 | such as, assignment to the innerHTML DOM property, or interpolation into
|
170 | a HTML template in HTML PC_DATA context, in the sense that the use will not
|
171 | result in a Cross-Site-Scripting vulnerability.
|
172 |
|
173 | Instances must be created by `Mintable.minterFor(TrustedHTML)`.
|
174 |
|
175 | When checking types, use `Mintable.verifierFor(TrustedHTML)` and do not rely on
|
176 | `instanceof`.
|
177 |
|
178 |
|
179 | ### TrustedResourceURL <a name="hdr-trustedresourceurl"></a>
|
180 |
|
181 | A URL which is under application control and from which script, CSS, and
|
182 | other resources that represent executable code, can be fetched.
|
183 |
|
184 | Given that the URL can only be constructed from strings under application
|
185 | control and is used to load resources, bugs resulting in a malformed URL
|
186 | should not have a security impact and are likely to be easily detectable
|
187 | during testing. Given the wide number of non-RFC compliant URLs in use,
|
188 | stricter validation could prevent some applications from being able to use
|
189 | this type.
|
190 |
|
191 | Instances must be created by `Mintable.minterFor(TrustedResourceURL)`.
|
192 |
|
193 | When checking types, use `Mintable.verifierFor(TrustedResourceURL)` and do
|
194 | not rely on `instanceof`.
|
195 |
|
196 | ### TrustedScript <a name="hdr-trustedscript"></a>
|
197 |
|
198 | A string-like object which represents JavaScript code and that carries the
|
199 | security type contract that its value, as a string, will not cause execution
|
200 | of unconstrained attacker controlled code (XSS) when evaluated as JavaScript
|
201 | in a browser.
|
202 |
|
203 | A TrustedScript's string representation can safely be interpolated as the
|
204 | content of a script element within HTML. The TrustedScript string should not be
|
205 | escaped before interpolation.
|
206 |
|
207 | Note that the TrustedScript might contain text that is attacker-controlled but
|
208 | that text should have been interpolated with appropriate escaping,
|
209 | sanitization and/or validation into the right location in the script, such
|
210 | that it is highly constrained in its effect (for example, it had to match a
|
211 | set of whitelisted words).
|
212 |
|
213 | Instances must be created by `Mintable.minterFor(TrustedScript)`.
|
214 |
|
215 | When checking types, use `Mintable.verifierFor(TrustedScript)` and do
|
216 | not rely on `instanceof`.
|
217 |
|
218 | ### TrustedURL <a name="hdr-trustedurl"></a>
|
219 |
|
220 | A string that is safe to use in URL context in DOM APIs and HTML documents.
|
221 |
|
222 | A TrustedURL is a string-like object that carries the security type contract
|
223 | that its value as a string will not cause untrusted script execution
|
224 | when evaluated as a hyperlink URL in a browser.
|
225 |
|
226 | Values of this type are guaranteed to be safe to use in URL/hyperlink
|
227 | contexts, such as assignment to URL-valued DOM properties, in the sense that
|
228 | the use will not result in a Cross-Site-Scripting vulnerability. Similarly,
|
229 | TrustedURLs can be interpolated into the URL context of an HTML template (e.g.,
|
230 | inside a href attribute). However, appropriate HTML-escaping must still be
|
231 | applied.
|
232 |
|
233 | Instances must be created by `Mintable.minterFor(TrustedURL)`.
|
234 |
|
235 | When checking types, use `Mintable.verifierFor(TrustedURL)` and do not rely on
|
236 | `instanceof`.
|
237 |
|
238 |
|
239 | ## Creating Trusted values <a name="hdr-creating-trusted-values"></a>
|
240 |
|
241 | ```js
|
242 | require('module-keys/cjs').polyfill(module, require, module.id);
|
243 |
|
244 | const { Mintable } = require('node-sec-patterns');
|
245 | const { TrustedHTML } = require('web-contract-types');
|
246 |
|
247 | const makeTrustedHTML = require.keys.unbox(
|
248 | Mintable.minterFor(TrustedHTML),
|
249 | () => true,
|
250 | String);
|
251 | ```
|
252 |
|
253 | This boilerplate can be tiresome, but this should only happen in an applications
|
254 | secure kernel.
|
255 |
|
256 | Do not grant access to `makeTrustedHTML` widely. That defeats the purpose of
|
257 | guarding constructors to minimize the amount of code that could result in a
|
258 | security vulnerability.
|
259 |
|
260 | See [Mintable][] for more details.
|
261 |
|
262 | ## Verifying Trusted values <a name="hdr-verifying-trusted-values"></a>
|
263 |
|
264 | Any JavaScript code that can access a class can create an object that
|
265 | is an `instanceof` that class.
|
266 |
|
267 | To prevent accepting a contract forged by code outside your secure kernel,
|
268 | check types thus:
|
269 |
|
270 | ```js
|
271 | const { TrustedHTML } = require('web-contract-types');
|
272 |
|
273 | if (TrustedHTML.is(x)) {
|
274 | // x is not a forgery
|
275 | // May assume x meets its type contract.
|
276 | } else {
|
277 | // Do not assume x meets the TrustedHTML type contract.
|
278 | }
|
279 | ```
|
280 |
|
281 |
|
282 | ## API <a name="hdr-api"></a>
|
283 |
|
284 | ### class TrustedHTML <a name="hdr-class-trustedhtml"></a>
|
285 |
|
286 | The contract type for TrustedHTML. See [contract](#hdr-trustedhtml) above.
|
287 |
|
288 | ### TrustedHTML.concat <a name="hdr-trustedhtml-concat"></a>
|
289 |
|
290 | ```js
|
291 | const { TrustedHTML } = require('web-contract-types');
|
292 | TrustedHTML.concat(x, y, z);
|
293 | ```
|
294 |
|
295 | Takes any number of *TrustedHTML* inputs and returns a *TrustedHTML* output
|
296 | whose content is the concatenation of the inputs' content.
|
297 |
|
298 | Throws a *TypeError* if any input does not verify as *TrustedHTML*
|
299 |
|
300 | ### TrustedHTML.empty <a name="hdr-trustedhtml-empty"></a>
|
301 |
|
302 | A *TrustedHTML* instance that represents the empty document fragment.
|
303 |
|
304 | ```js
|
305 | const { TrustedHTML } = require('web-contract-types');
|
306 | TrustedHTML.empty;
|
307 | ```
|
308 |
|
309 | ### TrustedHTML.escape <a name="hdr-trustedhtml-escape"></a>
|
310 |
|
311 | Given a string, returns a *TrustedHTML* instance that represents a text
|
312 | node with that textContent.
|
313 |
|
314 | Given a TrustedHTML instance, returns it unchanged.
|
315 |
|
316 | The content is equivalent to the input but with `'<'` replaced with `'<'`,
|
317 | and other HTML metacharacters replaced with similar character references.
|
318 |
|
319 | ```js
|
320 | const { TrustedHTML } = require('web-contract-types');
|
321 | TrustedHTML.escape('Hello, <World!>').content === 'Hello, <World!>';
|
322 | ```
|
323 |
|
324 | ### TrustedHTML.fromScript <a name="hdr-trustedhtml-fromscript"></a>
|
325 |
|
326 | ```js
|
327 | const { TrustedHTML } = require('web-contract-types');
|
328 | TrustedHTML.fromScript(myTrustedResourceURL)
|
329 | ```
|
330 |
|
331 | Given a *TrustedResourceURL*, returns a `TrustedHTML` instance like `<script src=...></script>`.
|
332 |
|
333 | Given a *TrustedScript*, returns a `TrustedHTML` instance like `<script>...</script>`.
|
334 |
|
335 | May also take a second options argument that allows specifying:
|
336 |
|
337 | * `type`: May be "module" to specify that the src is an ES6 module not a script
|
338 | * `defer`: If truthy, the output script element has the defer attribute.
|
339 | * `async`: If truthy, the output script element has the async attribute.
|
340 | * `nonce`: Unescaped text of a Conent-Security-Policy nonce.
|
341 |
|
342 | ### class TrustedResourceURL <a name="hdr-class-trustedresourceurl"></a>
|
343 |
|
344 | The contract type for TrustedResourceURL. See [contract](#hdr-trustedresourceurl) above.
|
345 |
|
346 | ### TrustedResourceURL.fromScript <a name="hdr-trustedresourceurl-fromscript"></a>
|
347 |
|
348 | ```js
|
349 | const { TrustedResourceURL } = require('web-contract-types');
|
350 |
|
351 | TrustedResourceURL.fromScript(myTrustedScript)
|
352 | // ~ data:text/javascript,...
|
353 | ```
|
354 |
|
355 | If the input is a *TrustedScript* returns a *TrustedResourceUrl* with scheme `data:`,
|
356 | content type text/javascript, and a data segment that is the script's content.
|
357 |
|
358 | If the input is not a *TrustedScript*, throws a *TypeError*.
|
359 |
|
360 | ### class TrustedScript <a name="hdr-class-trustedscript"></a>
|
361 |
|
362 | The contract type for TrustedScript. See [contract](#hdr-trustedscript) above.
|
363 |
|
364 | ### TrustedScript.expressionFromJSON <a name="hdr-trustedscript-expressionfromjson"></a>
|
365 |
|
366 | ```js
|
367 | const { TrustedScript } = require('web-contract-types');
|
368 |
|
369 | const dataObject = { "foo": [ "bar" ] };
|
370 |
|
371 | TrustedScript.expressionFromJSON(dataObject)
|
372 | // ~ ({ "foo", [ "bar" ] })
|
373 | ```
|
374 |
|
375 | Forwards its arguments to `JSON.stringify` and returns a *TrustedScript*
|
376 | whose content is a parenthesized JavaScript expression that produces
|
377 | similar data.
|
378 |
|
379 | It forwards all arguments, so accepts the same [optional arguments][JSON args]
|
380 | as `JSON.stringify`.
|
381 |
|
382 | * value
|
383 | * replacer
|
384 | * space
|
385 |
|
386 | It throws an exception when `JSON.stringify` does -- for example, reference cycles.
|
387 |
|
388 | ### class TrustedURL <a name="hdr-class-trustedurl"></a>
|
389 |
|
390 | The contract type for TrustedURL. See [contract](#hdr-trustedurl) above.
|
391 |
|
392 | ### TrustedURL.innocuousURL <a name="hdr-trustedurl-innocuousurl"></a>
|
393 |
|
394 | ```js
|
395 | const { TrustedURL } = require('web-contract-types');
|
396 | TrustedURL.innocuousURL
|
397 | ```
|
398 |
|
399 | A URL that will have no effect when loaded. May be used as a placeholder.
|
400 |
|
401 | ### TrustedURL.sanitize <a name="hdr-trustedurl-sanitize"></a>
|
402 |
|
403 | ```js
|
404 | const { TrustedURL } = require('web-contract-types');
|
405 | TrustedURL.sanitize('http://example.com/').content === 'http://example.com';
|
406 | ```
|
407 |
|
408 | Given a string, returns a *TrustedURL* with that string's content if the
|
409 | string is a relative URL or has a scheme in
|
410 |
|
411 | * http
|
412 | * https
|
413 | * mailto
|
414 | * tel
|
415 |
|
416 | Given a *TrustedURL* returns its input unchanged.
|
417 |
|
418 | If the input does not pass one of the given conditions, returns its second
|
419 | argument unchanged, or if that argument is falsey, returns `TrustedURL.innocuousURL`.
|
420 |
|
421 |
|
422 | [Mintable]: https://npmjs.com/package/node-sec-patterns
|
423 | [JSON args]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify#Parameters
|