|
18 | 'use strict';
|
19 |
|
20 | require('module-keys/cjs').polyfill(module, require, 'web-contract-types');
|
21 |
|
22 | const { Mintable } = require('node-sec-patterns');
|
23 | const { TypedString } = require('template-tag-common');
|
24 |
|
// Builtins this module relies on, captured once at load time.  Each binding
// below holds the function object as it was when this file was evaluated, so
// a later reassignment of the corresponding property on Object, Reflect,
// RegExp.prototype, String.prototype, JSON or the global object does not
// change what the code in this module calls.
const defineProperties = Object.defineProperties;
const freeze = Object.freeze;
const apply = Reflect.apply;
const reExec = RegExp.prototype.exec;
const reTest = RegExp.prototype.test;
const replace = String.prototype.replace;

const JSONstringify = JSON.stringify;
// Shadows the global binding with a captured copy of the same function.
const encodeURIComponent = global.encodeURIComponent;
|
32 |
|
33 |
|
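// Characters rewritten by htmlEscapeString.  Besides the five characters that
// matter in HTML text and quoted-attribute contexts, the set also covers '+',
// '=', '@', '`' and '{' as defense in depth for contexts (unquoted
// attributes, template syntax, legacy encodings) where they carry meaning.
// Must stay in sync with the keys of HTML_ESCS: a matched character with no
// table entry would be replaced by the text "undefined".
const HTML_SPECIAL = /[\x00<>&"'+=@`{]/g;
// Replacement text for each character matched by HTML_SPECIAL.  Every entry
// must be a character reference (or empty); an entry that maps a character to
// itself turns htmlEscapeString into a no-op for that character.  Numeric
// references are used so the output is valid in both text and attribute
// contexts.  Null prototype so that a lookup can never hit an inherited
// Object.prototype property.
const HTML_ESCS = {
  __proto__: null,
  // NUL is dropped rather than escaped.
  '\x00': '',
  '<': '&lt;',
  '>': '&gt;',
  '&': '&amp;',
  '"': '&#34;',
  '\'': '&#39;',
  '+': '&#43;',
  '=': '&#61;',
  '@': '&#64;',
  '`': '&#96;',
  '{': '&#123;',
};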
|
/**
 * Looks up the replacement for one character matched by HTML_SPECIAL.
 *
 * @param {string} chr - a single character that HTML_SPECIAL matched.
 * @returns {string|undefined} the HTML_ESCS entry for `chr`.  For a character
 *   with no entry this is undefined, which String#replace would insert as the
 *   text "undefined" — HTML_SPECIAL and HTML_ESCS must therefore agree.
 */
function escapeHtmlMetaCharacter(chr) {
  const { [chr]: replacement } = HTML_ESCS;
  return replacement;
}
|
56 |
|
/**
 * Coerces `str` to a string and rewrites every character in HTML_SPECIAL
 * using HTML_ESCS.
 *
 * The replacement runs through the String.prototype.replace captured at
 * module load, not through a `replace` method the value itself may carry.
 *
 * @param {*} str - value to escape; coerced with a template literal, so a
 *   Symbol throws a TypeError and objects use their toString.
 * @returns {string} text in which no character of HTML_SPECIAL remains.
 */
function htmlEscapeString(str) {
  const text = `${ str }`;
  const escaped = apply(replace, text, [ HTML_SPECIAL, escapeHtmlMetaCharacter ]);
  return escaped;
}
|
60 |
|
// Sequences that must not appear in inline script content: "</script" would
// end the element early and "]]>" would end the CDATA wrapper that
// TrustedHTML.fromScript puts around the content.  Case-insensitive, and
// deliberately not global, so RegExp#test carries no lastIndex state.
const SCRIPT_OR_CDATA_END = /(?:<\/script|\]\]>)/i;
|
62 |
|
63 |
|
/**
 * Common base of the four contract types below.  Instances are TypedStrings
 * (template-tag-common) whose `content` is the wrapped text; this class adds
 * no state of its own.
 */
class TrustedType extends TypedString {}
// Only `value` is supplied, so toJSON is installed non-writable,
// non-enumerable and non-configurable.
defineProperties(TrustedType.prototype, {
  toJSON: {
    // JSON.stringify serializes a contract value as its bare content string:
    // the type marker does not survive a JSON round trip, and whatever parses
    // the JSON back gets a plain string.
    value: function toJSON() {
      return this.content;
    },
  },
});
|
|
/**
 * Contract type for HTML markup.  Within this module instances come only from
 * the statics installed below (escape, concat, fromScript, empty); check a
 * value with TrustedHTML.is.  `content` holds the markup text.
 */
class TrustedHTML extends TrustedType {}
|
|
/**
 * Contract type for a URL that may be loaded as code (TrustedHTML.fromScript
 * accepts it as a script src).  Within this module instances come only from
 * TrustedResourceURL.fromScript; check a value with TrustedResourceURL.is.
 */
class TrustedResourceURL extends TrustedType {}
|
|
/**
 * Contract type for JavaScript source text.  Within this module instances
 * come only from TrustedScript.expressionFromJSON and innocuousScript; check
 * a value with TrustedScript.is.
 */
class TrustedScript extends TrustedType {}
|
|
/**
 * Contract type for a navigation/link URL whose scheme has been checked
 * against SAFE_SCHEME_WHITELIST (or that has no scheme).  Within this module
 * instances come only from TrustedURL.sanitize and the innocuous URLs; check
 * a value with TrustedURL.is.
 */
class TrustedURL extends TrustedType {}
|
162 |
|
163 |
|
// contractKey names each type to node-sec-patterns.
// NOTE(review): presumably the key Mintable uses to look up which modules are
// granted minting rights for the type (see the warning text in minterFor) —
// confirm against node-sec-patterns.  Installed enumerable but non-writable
// and non-configurable, in the same order as the original declarations.
for (const [ ContractType, key ] of [
  [ TrustedHTML, 'web-contract-types/TrustedHTML' ],
  [ TrustedResourceURL, 'web-contract-types/TrustedResourceURL' ],
  [ TrustedScript, 'web-contract-types/TrustedScript' ],
  [ TrustedURL, 'web-contract-types/TrustedURL' ],
]) {
  defineProperties(ContractType, {
    contractKey: { enumerable: true, value: key },
  });
}
|
188 |
|
189 |
|
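/**
 * Obtains the function that creates instances of `TrustedTypeT`.
 *
 * Mintable.minterFor hands back a boxed minter; `require.keys.unbox`
 * (attached to `require` by the module-keys polyfill at the top of this
 * file) opens it for this module.  The second argument, `() => true`, accepts
 * the box whatever its origin — NOTE(review): presumably module-keys'
 * "ifFrom" predicate; confirm.  When unboxing is refused (this module has not
 * been granted minting rights in the node-sec-patterns configuration) the
 * fallback is returned instead.
 *
 * @param {Function} TrustedTypeT - one of the TrustedType subclasses; its
 *   `.name` appears in the warning text.
 * @returns {Function} the minter, or a fallback that coerces its argument to
 *   a plain string.  A fallback result is not an instance of TrustedTypeT, so
 *   the matching `is*` verifier presumably rejects it downstream — the
 *   deployment degrades loudly rather than minting unverified values.
 */
function minterFor(TrustedTypeT) {
  let warned = false;
  // Warns once per type so a misconfigured deployment is visible in the logs
  // without flooding them, then degrades to plain strings.
  function singleWarningFallback(x) {
    if (!warned) {
      warned = true;
      // console.warn, not console.warning: the latter is not a console
      // method, and calling it would throw on the first fallback instead of
      // logging.
      // eslint-disable-next-line no-console
      console.warn(
        `web-contract-types not authorized to create ${ TrustedTypeT.name
        }. Maybe check your mintable grants used to initialize node-sec-patterns.`);
    }
    return `${ x }`;
  }

  return require.keys.unbox(
    Mintable.minterFor(TrustedTypeT),
    () => true,
    singleWarningFallback);
}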
|
208 |
|
209 |
|
// One (minter, verifier) pair per contract type.  The minters stay private to
// this module — module.exports below exposes only the classes — so the public
// ways to obtain instances are the static helpers installed further down.
// NOTE(review): Mintable.verifierFor is assumed to return a predicate that is
// true only for instances produced through the type's minter; confirm
// against node-sec-patterns.
const mintTrustedHTML = minterFor(TrustedHTML);
const isTrustedHTML = Mintable.verifierFor(TrustedHTML);

const mintTrustedResourceURL = minterFor(TrustedResourceURL);
const isTrustedResourceURL = Mintable.verifierFor(TrustedResourceURL);

const mintTrustedScript = minterFor(TrustedScript);
const isTrustedScript = Mintable.verifierFor(TrustedScript);

const mintTrustedURL = minterFor(TrustedURL);
const isTrustedURL = Mintable.verifierFor(TrustedURL);
|
221 |
|
222 |
|
// Static API of TrustedHTML, installed with defineProperties so that each
// entry is enumerable but neither writable nor configurable.
defineProperties(TrustedHTML, {
  concat: {
    enumerable: true,
    /**
     * Joins TrustedHTML values into a single TrustedHTML.
     *
     * @param {...TrustedHTML} els - values to join, in order.
     * @returns {TrustedHTML} the concatenated content; TrustedHTML of '' when
     *   called with no arguments.
     * @throws {TypeError} at the first argument TrustedHTML.is rejects.
     */
    value: function concat(...els) {
      const joined = els.reduce((acc, element) => {
        if (!isTrustedHTML(element)) {
          throw new TypeError(`Expected TrustedHTML not ${ element }`);
        }
        return acc + element.content;
      }, '');
      return mintTrustedHTML(joined);
    },
  },
  empty: {
    enumerable: true,
    value: freeze(mintTrustedHTML('')),
  },
  escape: {
    enumerable: true,
    /**
     * Returns TrustedHTML unchanged; anything else is coerced to a string,
     * escaped with htmlEscapeString and wrapped.
     *
     * @param {*} val - value to escape or pass through.
     * @returns {TrustedHTML}
     */
    value: function escape(val) {
      if (isTrustedHTML(val)) {
        return val;
      }
      return mintTrustedHTML(htmlEscapeString(val));
    },
  },
  fromScript: {
    enumerable: true,
    /**
     * Builds a <script> element as TrustedHTML.
     *
     * `nonce` and `type` are HTML-escaped before being placed in
     * double-quoted attribute values (htmlEscapeString rewrites '"', so the
     * value cannot end the attribute); `async` and `defer` are truthiness
     * flags that emit fixed attributes.  `src` is either a TrustedResourceURL
     * (emitted, escaped, as the src attribute) or a TrustedScript (emitted
     * inline inside a `//<![CDATA[` … `//]]>` wrapper).  Inline content is
     * rejected when SCRIPT_OR_CDATA_END matches it, i.e. it contains
     * "</script" (would close the element early) or "]]>" (would end the
     * CDATA section), case-insensitively.
     *
     * NOTE(review): the purpose of the leading `<!-- -->` is not documented
     * here.  NOTE(review): "<!--" followed by "<script" inside script content
     * moves an HTML parser into its double-escaped script-data state, which
     * the check above does not cover; consider whether inline content
     * containing "<!--" should also be rejected.
     *
     * @param {TrustedResourceURL|TrustedScript} src
     * @param {{nonce?: *, type?: *, async?: *, defer?: *}} [options]
     * @returns {TrustedHTML}
     * @throws {TypeError} when src is neither accepted type.
     * @throws {Error} when inline script content is not embeddable.
     */
    value: function fromScript(src, { nonce, type, async, defer } = {}) {
      const attrs = [];
      if (nonce) {
        attrs.push(` nonce="${ htmlEscapeString(nonce) }"`);
      }
      if (type) {
        attrs.push(` type="${ htmlEscapeString(type) }"`);
      }
      if (async) {
        attrs.push(' async="async"');
      }
      if (defer) {
        attrs.push(' defer="defer"');
      }
      let tail;
      if (isTrustedResourceURL(src)) {
        tail = ` src="${ htmlEscapeString(src.content) }">`;
      } else if (isTrustedScript(src)) {
        const { content } = src;
        if (apply(reTest, SCRIPT_OR_CDATA_END, [ content ])) {
          throw new Error(`TrustedScript is not embeddable in HTML ${ content }`);
        }
        tail = `>//<![CDATA[\n${ content }\n//]]>`;
      } else {
        throw new TypeError('Expected either a TrustedResourceURL or a TrustedScript for src');
      }
      return mintTrustedHTML(`<!-- --><script${ attrs.join('') }${ tail }</script>`);
    },
  },
  is: {
    enumerable: true,
    value: isTrustedHTML,
  },
});
|
290 |
|
// Placeholder exposed as TrustedResourceURL.innocuousURL.  It is minted as a
// TrustedURL, not a TrustedResourceURL, so TrustedResourceURL.is presumably
// rejects it and TrustedHTML.fromScript will not take it as a src.
// NOTE(review): confirm that is intended.
const innocuousResourceURL = freeze(mintTrustedURL('about:invalid#TrustedResourceURL'));

// Static API of TrustedResourceURL (enumerable, non-writable,
// non-configurable properties).
defineProperties(TrustedResourceURL, {
  fromScript: {
    enumerable: true,
    /**
     * Turns a TrustedScript into a data: URL carrying it.
     *
     * encodeURIComponent percent-encodes every character outside
     * A–Z a–z 0–9 - _ . ! ~ * ' ( ), so the encoded body contains no raw
     * '#', '?' or '%'.  NOTE(review): the trailing '#' presumably ensures
     * that anything appended to the URL later lands in the fragment rather
     * than in the script body — confirm.
     *
     * @param {TrustedScript} script
     * @returns {TrustedResourceURL}
     * @throws {TypeError} when script is not a TrustedScript.
     */
    value: function fromScript(script) {
      if (!isTrustedScript(script)) {
        throw new TypeError('Expected TrustedScript');
      }
      const encoded = encodeURIComponent(script.content);
      return mintTrustedResourceURL(`data:text/javascript;charset=UTF-8,${ encoded }#`);
    },
  },
  innocuousURL: {
    enumerable: true,
    value: innocuousResourceURL,
  },
  is: {
    enumerable: true,
    value: isTrustedResourceURL,
  },
});
|
318 |
|
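// JSON.stringify leaves U+2028 and U+2029 raw; before ES2019 they were not
// allowed unescaped inside JavaScript string literals, so they are rewritten
// as \u escapes.
const LS_GLOBAL = /\u2028/g;
const PS_GLOBAL = /\u2029/g;
// JSON.stringify only emits '<' and '>' inside string literals (or in a
// caller-supplied indent string), where the \u escapes denote the same
// characters.  Rewriting them keeps the value identical but guarantees the
// expression can never contain "</script" or "]]>", the two sequences
// TrustedHTML.fromScript rejects — so any JSON-derived expression can be
// embedded inline.
const LT_GLOBAL = /</g;
const GT_GLOBAL = />/g;

// Static API of TrustedScript (enumerable, non-writable, non-configurable
// properties).
defineProperties(TrustedScript, {
  expressionFromJSON: {
    enumerable: true,
    /**
     * Serializes a value with JSON.stringify and wraps the result as a
     * JavaScript expression.
     *
     * @param {...*} args - forwarded verbatim to JSON.stringify
     *   (value, replacer, space).
     * @returns {TrustedScript} "(<json>)" — parenthesized so that an object
     *   literal parses as an expression rather than a block.
     * @throws {TypeError} when JSON.stringify yields no output, i.e. the
     *   value is undefined, a function or a Symbol.
     */
    value: function expressionFromJSON(...args) {
      const json = JSONstringify(...args);
      if (json === undefined) {
        throw new TypeError('expressionFromJSON: value has no JSON representation');
      }
      let javascript = apply(replace, json, [ LS_GLOBAL, '\\u2028' ]);
      javascript = apply(replace, javascript, [ PS_GLOBAL, '\\u2029' ]);
      javascript = apply(replace, javascript, [ LT_GLOBAL, '\\u003c' ]);
      javascript = apply(replace, javascript, [ GT_GLOBAL, '\\u003e' ]);
      return mintTrustedScript(`(${ javascript })`);
    },
  },
  innocuousScript: {
    enumerable: true,
    // Evaluates to null and has no side effects.
    value: freeze(mintTrustedScript('[null][0]/*TrustedScript*/')),
  },
  is: {
    enumerable: true,
    value: isTrustedScript,
  },
});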
|
345 |
|
346 |
|
// Splits a URL into an optional scheme (capture 1, including the trailing
// ':') and everything after it (capture 2).  Leading and trailing runs of
// tab, LF, FF, CR and space are dropped — deliberately those five characters
// rather than \s, so other Unicode whitespace is kept and ends up in the
// scheme or the rest, where a whitelist lookup will not match it.  Every
// part is optional, so the pattern matches any string and exec never returns
// null.  The scheme run `[^/:?#]+` stops at the first '/', ':', '?' or '#',
// so "//host/path" and "?q" have no scheme.
const SCHEME_AND_REST = /^[\t\n\f\r ]*([^/:?#]+:)?([\s\S]*?)[\t\n\f\r ]*$/;

// Schemes TrustedURL.sanitize accepts, lowercase and including the ':'
// (sanitize lowercases before looking up).  Anything not listed —
// javascript:, data:, blob:, file:, … — makes sanitize return its fallback.
// Null prototype so that a lookup cannot match an inherited
// Object.prototype property.
const SAFE_SCHEME_WHITELIST = {
  __proto__: null,
  'http:': true,
  'https:': true,
  'mailto:': true,
  'tel:': true,
};
|
359 |
|
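// Default fallback for sanitize: a URL that navigates nowhere.
const innocuousURL = freeze(mintTrustedURL('about:invalid#TrustedURL'));

// Static API of TrustedURL (enumerable, non-writable, non-configurable
// properties).
defineProperties(TrustedURL, {
  innocuousURL: {
    enumerable: true,
    value: innocuousURL,
  },
  sanitize: {
    enumerable: true,
    /**
     * Returns a TrustedURL for `val` when its scheme is in
     * SAFE_SCHEME_WHITELIST (or it has no scheme), else `fallback`.
     *
     * A TrustedURL is returned as is; a TrustedResourceURL is re-wrapped as a
     * TrustedURL.  Anything else is coerced to a string and split with
     * SCHEME_AND_REST, which also trims surrounding ASCII whitespace.  Without
     * a scheme the remainder — a relative URL, including protocol-relative
     * "//host/…" — is wrapped unchanged.  With a scheme, it is lowercased and
     * looked up; the output carries the lowercased scheme.
     *
     * @param {*} val - value to sanitize.
     * @param {*} [fallback=innocuousURL] - returned verbatim for rejected
     *   schemes.  It is NOT verified: a caller that passes something other
     *   than a TrustedURL gets that value back unwrapped, so callers that
     *   rely on the return type being TrustedURL should pass a TrustedURL or
     *   check the result with TrustedURL.is.
     * @returns {TrustedURL|*} a TrustedURL, or `fallback` as given.
     */
    value: function sanitize(val, fallback = innocuousURL) {
      if (isTrustedURL(val)) {
        return val;
      }
      if (isTrustedResourceURL(val)) {
        // Wrap the resource URL's text, as every other call site in this
        // module does (src.content, script.content), rather than the
        // TrustedResourceURL object itself.
        return mintTrustedURL(val.content);
      }
      const str = `${ val }`;
      // SCHEME_AND_REST matches every string, so the result is never null.
      const [ , scheme, schemeSpecificPart ] = apply(reExec, SCHEME_AND_REST, [ str ]);
      if (!scheme) {
        return mintTrustedURL(schemeSpecificPart);
      }
      const canonScheme = scheme.toLowerCase();
      if (SAFE_SCHEME_WHITELIST[canonScheme]) {
        return mintTrustedURL(`${ canonScheme }${ schemeSpecificPart }`);
      }
      return fallback;
    },
  },
  is: {
    enumerable: true,
    value: isTrustedURL,
  },
});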
|
396 |
|
397 |
|
// Public surface: only the four contract classes, in a frozen object.  The
// minters and verifiers bound above are not exported, so callers obtain
// instances through the static helpers (escape, concat, fromScript,
// expressionFromJSON, sanitize) or through node-sec-patterns grants of their
// own (see minterFor), and check values with each class's `is`.
module.exports = freeze({
  TrustedHTML,
  TrustedResourceURL,
  TrustedScript,
  TrustedURL,
});
|