From 5b9cd41f60fba0c9a1b3e234a89b672d75a05b32 Mon Sep 17 00:00:00 2001
From: edukisto <52005215+edukisto@users.noreply.github.com>
Date: Tue, 1 Dec 2020 07:54:48 +0300
Subject: [PATCH 1/2] Add CSP and UISecurity directives and keywords
---
 components/prism-csp.js | 8 ++++----
 components/prism-csp.min.js | 2 +-
 ...rective_with_source_expression_feature.test | 18 ++++++++++++++++--
 tests/languages/csp/safe_feature.test | 3 ++-
 tests/languages/csp/unsafe_feature.test | 10 ++++++++--
 5 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/components/prism-csp.js b/components/prism-csp.js
index c8facbc30f..32c6a793f9 100644
--- a/components/prism-csp.js
+++ b/components/prism-csp.js
@@ -10,17 +10,17 @@
 */
 Prism.languages.csp = {
- 'directive': {
- pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,
+ 'directive': {
+ pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|prefetch|script|style|worker)-src|disown-opener|form-action|frame-(?:ancestors|options)|input-protection(?:-(?:clip|selectors))?|navigate-to|plugin-types|policy-uri|referrer|reflected-xss|report-(?:to|uri)|require-sri-for|sandbox|(?:script|style)-src-(?:attr|elem)|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,
 lookbehind: true,
 alias: 'keyword'
 },
 'safe': {
- pattern: /'(?:self|none|strict-dynamic|(?:nonce-|sha(?:256|384|512)-)[a-zA-Z\d+=/]+)'/,
+ pattern: /'(?:deny|none|report-sample|self|strict-dynamic|top-only|(?:nonce|sha(?:256|384|512))-[-+/\d=_a-z]+)'/i,
 alias: 'selector'
 },
 'unsafe': {
- pattern: /(?:'unsafe-inline'|'unsafe-eval'|'unsafe-hashed-attributes'|\*)/,
+ pattern: /(?:'unsafe-(?:allow-redirects|dynamic|eval|hash-attributes|hashed-attributes|hashes|inline)'|\*)/i,
 alias: 'function'
 }
 };
\ No newline at end of file
diff --git a/components/prism-csp.min.js b/components/prism-csp.min.js
index 6da48ba61d..3749b8c10e 100644
--- a/components/prism-csp.min.js
+++ b/components/prism-csp.min.js
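Review bot: The new `directive` alternation gives no hint which of its names are live CSP Level 3 directives and which are historical or draft ones, so the token list reads as an authoritative set; `policy-uri`, `referrer`, `reflected-xss`, `disown-opener`, `plugin-types` and `require-sri-for` are, as far as I recall, dropped or never-shipped directives, while `frame-options` and the `input-protection*` family come from the UI Security draft the commit title mentions. Browsers ignore directive names they do not recognise, so a policy that leans on one of the superseded names gets no protection from it, which is worth stating next to the pattern rather than leaving a reader to infer support from the highlighter. A comment such as `// Names from CSP Level 3 plus superseded (CSP 1.1/2) and draft (UI Security) directives; browsers ignore unknown names, so a match here does not imply support.` above the `pattern:` line would close that gap. The same applies in `unsafe`, where `'unsafe-dynamic'` sits without a note that it is, I believe, the earlier draft spelling of the `'strict-dynamic'` listed under `safe`.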
@@ -1 +1 @@ -Prism.languages.csp={directive:{pattern:/(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,lookbehind:!0,alias:"keyword"},safe:{pattern:/'(?:self|none|strict-dynamic|(?:nonce-|sha(?:256|384|512)-)[a-zA-Z\d+=/]+)'/,alias:"selector"},unsafe:{pattern:/(?:'unsafe-inline'|'unsafe-eval'|'unsafe-hashed-attributes'|\*)/,alias:"function"}}; \ No newline at end of file +Prism.languages.csp={directive:{pattern:/(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|prefetch|script|style|worker)-src|disown-opener|form-action|frame-(?:ancestors|options)|input-protection(?:-(?:clip|selectors))?|navigate-to|plugin-types|policy-uri|referrer|reflected-xss|report-(?:to|uri)|require-sri-for|sandbox|(?:script|style)-src-(?:attr|elem)|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,lookbehind:!0,alias:"keyword"},safe:{pattern:/'(?:deny|none|report-sample|self|strict-dynamic|top-only|(?:nonce|sha(?:256|384|512))-[-+/\d=_a-z]+)'/i,alias:"selector"},unsafe:{pattern:/(?:'unsafe-(?:allow-redirects|dynamic|eval|hash-attributes|hashed-attributes|hashes|inline)'|\*)/i,alias:"function"}}; \ No newline at end of file diff --git a/tests/languages/csp/directive_with_source_expression_feature.test b/tests/languages/csp/directive_with_source_expression_feature.test index a4db6cd64f..f618d290ad 100644 --- a/tests/languages/csp/directive_with_source_expression_feature.test +++ b/tests/languages/csp/directive_with_source_expression_feature.test 
@@ -1,10 +1,24 @@
-script-src example.com;
+input-protection tolerance=50; input-protection-clip before=60; input-protection-selectors div; policy-uri https://example.com; script-src example.com; script-src-attr 'none'; style-src-elem 'none';

 ----------------------------------------------------

 [
+ ["directive", "input-protection"],
+ " tolerance=50; ",
+ ["directive", "input-protection-clip"],
+ " before=60; ",
+ ["directive", "input-protection-selectors"],
+ " div; ",
+ ["directive", "policy-uri"],
+ " https://example.com; ",
 ["directive", "script-src"],
- " example.com;"
+ " example.com; ",
+ ["directive", "script-src-attr"],
+ ["safe", "'none'"],
+ "; ",
+ ["directive", "style-src-elem"],
+ ["safe", "'none'"],
+ ";"
 ]

 ----------------------------------------------------
diff --git a/tests/languages/csp/safe_feature.test b/tests/languages/csp/safe_feature.test
index 13c9d837b7..f61cc32fdd 100644
--- a/tests/languages/csp/safe_feature.test
+++ b/tests/languages/csp/safe_feature.test
@@ -1,10 +1,11 @@
-default-src 'none'; style-src 'self' 'strict-dynamic' 'nonce-yeah' 'sha256-EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4=';
+default-src 'none' 'report-sample'; style-src 'self' 'strict-dynamic' 'nonce-yeah' 'sha256-EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4=';

 ----------------------------------------------------

 [
 ["directive", "default-src"],
 ["safe", "'none'"],
+ ["safe", "'report-sample'"],
 "; ",
 ["directive", "style-src"],
 ["safe", "'self'"],
diff --git a/tests/languages/csp/unsafe_feature.test b/tests/languages/csp/unsafe_feature.test
index e1cf98aa13..758ab58fc0 100644
--- a/tests/languages/csp/unsafe_feature.test
+++ b/tests/languages/csp/unsafe_feature.test
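Review bot: The safe_feature hunk still exercises only a plain-base64 `sha256-` value and `'nonce-yeah'`, so the widened character class `[-+/\d=_a-z]` (base64url `-` and `_`) and the new `/i` flag on the `safe` pattern, which are the substantive regex changes in this commit, are not covered by any fixture here. Adding one base64url nonce and one mixed-case keyword to the first line of the fixture, for example `'nonce-Yt-9_a=' 'SELF'`, with the matching expectations `["safe", "'nonce-Yt-9_a='"]` and `["safe", "'SELF'"]`, would pin the behaviour the change relies on. A negative case would also be useful: because the pattern requires the closing quote immediately after the class, a value containing a character outside it, such as `'sha256-abc.def'`, is not tokenised as `safe`, and nothing in the tests currently guards that property.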
@@ -1,12 +1,18 @@
-script-src 'unsafe-inline' 'unsafe-eval' 'unsafe-hashed-attributes';
+navigate-to 'unsafe-allow-redirects'; script-src 'unsafe-dynamic' 'unsafe-eval' 'unsafe-hash-attributes' 'unsafe-hashed-attributes' 'unsafe-hashes' 'unsafe-inline';

 ----------------------------------------------------

 [
+ ["directive", "navigate-to"],
+ ["unsafe", "'unsafe-allow-redirects'"],
+ "; ",
 ["directive", "script-src"],
- ["unsafe", "'unsafe-inline'"],
+ ["unsafe", "'unsafe-dynamic'"],
 ["unsafe", "'unsafe-eval'"],
+ ["unsafe", "'unsafe-hash-attributes'"],
 ["unsafe", "'unsafe-hashed-attributes'"],
+ ["unsafe", "'unsafe-hashes'"],
+ ["unsafe", "'unsafe-inline'"],
 ";"
 ]

From 7c28827e87a44791f4910554e4c45a439807a84e Mon Sep 17 00:00:00 2001
From: edukisto <52005215+edukisto@users.noreply.github.com>
Date: Tue, 1 Dec 2020 23:06:59 +0300
Subject: [PATCH 2/2] Comment the CSP hash pattern
---
 components/prism-csp.js | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/components/prism-csp.js b/components/prism-csp.js
index 32c6a793f9..72910bc65c 100644
--- a/components/prism-csp.js
+++ b/components/prism-csp.js
@@ -16,6 +16,9 @@ Prism.languages.csp = {
 alias: 'keyword'
 },
 'safe': {
+ // CSP2 hashes and nonces are base64 values. CSP3 accepts both base64 and base64url values.
+ // See https://tools.ietf.org/html/rfc4648#section-4
+ // See https://tools.ietf.org/html/rfc4648#section-5
 pattern: /'(?:deny|none|report-sample|self|strict-dynamic|top-only|(?:nonce|sha(?:256|384|512))-[-+/\d=_a-z]+)'/i,
 alias: 'selector'
 },
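Review bot: The comment added above the `safe` pattern in the second patch explains the base64 and base64url alphabets but not that `[-+/\d=_a-z]` only covers the upper-case half of both alphabets through the `/i` flag on the literal; the previous pattern spelled out `A-Z` and carried no flag, so someone later dropping the flag (say, to make keyword matching case-sensitive) would silently stop highlighting most hashes and nonces, with no test in this series catching it. One more comment line would close that gap: `// Upper-case letters of both alphabets are matched via the /i flag; keep it if this class stays as is.` The enclosing `Prism.languages.csp` object starts before this hunk.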