Tags are injected with integrity="undefined" on v1.5.0 #131
Comments
|
It's also being discussed here. |
|
@jahed thanks for reporting this. A fix for this issue is published in v1.5.1 and a security advisory created. |
|
This one shouldn't have slipped through 💩 It's a Sunday night where I am but I'll expand a bit more about the contributing factors here soon. |
|
|
|
@LP1994 I haven't checked 1.5.1 myself yet but what you're experiencing is probably a browser caching bug as it's computing a SHA256 when it should be comparing a SHA512. You might need to cache bump your files (e.g. add a number to the end of the output files like If it's not that it may be this: https://bugs.chromium.org/p/chromium/issues/detail?id=881365 |
Moreover, the error Sri value is different from the Sri value on the page!!! And I have cleared the cache, there should be no cache. |
However, 1.5.0 is still OK, but the Sri of dynamically imported files cannot be generated correctly. Now, however, none of the Sri values work. |
|
@LP1994 The value in the console log is the SHA256 hash, while yours is a SHA512, so it will be different. Either Chrome is using a cached integrity (which a cache bump can fix) or it's reporting the wrong integrity (see the Chromium issue I linked). The integrity cache is not stored in regular browser caches so it can't be cleared through the interface. You'll have to either change the script URL (cache bump), nuke your browser profile, or find the specific cache file and delete it on the file system. The easiest is to change the script URL. I have bumped my build to 1.5.1 and it's all working correctly on my end. 👍🏽 |
thank you!!!I'll try again. |
|
Ok, I've spent some time reflecting on what went wrong here, and the bottom line is:
I'm planning to take the following steps to reduce the likelihood of something like this happening again:
In addition, time permitting, I'm thinking of starting work on a version 2.0.0 that would be a rewrite in Typescript, and drop compatibility with Webpack < 5 (and probably also html-webpack-plugin < 5) which would further help to improve code quality by reducing footprint. We're also going to establish a security policy, including a communications channel that can be used for reporting security issues privately. |
|
If you need a test, I'm ready to help you. |
|
@jscheid that sounds awesome :) I talked to the webpack core team and they told me that they will probably provide us with additional stages so that we can built the html at time where the css & js files have been optimized and you can generate the correct hashes.. I'll keep you posted :) |
GHSA-4fc4-chg7-h8gh low severity Vulnerable versions: < 1.5.1 Patched version: 1.5.1 Impact All dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected. Patches This issue is patched in version 1.5.1. Workarounds N/A References waysact/webpack-subresource-integrity#131 For more information If you have any questions or comments about this advisory: Comment on webpack-subresource-integrity issue #131 Or email us at security@waysact.com
|
Sorry to resurrect this, but some clarification is needed. Does this effect only v1.5.0, or all versions before v1.5.1. |
|
@jpmckearin 1.5.0 only. It was a bug introduced in 1.5.0 and fixed in 1.5.1. |
I'm on Webpack 4.44.2 and noticed after upgrading to this plugin's v1.5.0 release that injected tags have an
undefinedintegrity. Tags inserted via html-webpack-plugin have the correct integrity, but dynamically injected tags useundefinedand the integrity check is bypassed.Here's what Firefox prints:
There are no errors or warnings printed during Webpack's build.
Downgrading to 1.4.1 fixes this issue so I'm assuming it's related to the changes that added Webpack 5 support in 1.5.0.
The text was updated successfully, but these errors were encountered: