Internal change

PiperOrigin-RevId: 399287771
google · ddworken · Sep 28, 2021 · Sep 27, 2021 · Sep 28, 2021 · Sep 28, 2021
commit e039f1d687d9dfdb57c1ffe26b14c4a939bce462
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 dest/
+*.js
diff --git a/.npmignore b/.npmignore
@@ -0,0 +1 @@
+# Purposefully blank so NPM doesn't use the .gitignore file
diff --git a/README.md b/README.md
@@ -38,7 +38,15 @@ npm install csp_evaluator
 To build, run:
 
 ```bash
-tsc --build
+npm install && tsc --build
+```
+
+## Testing
+
+To run unit tests, run:
+
+```bash
+npm install && npm test
 ```
 
 ## Example Usage

diff --git a/checks/parser_checks.ts b/checks/parser_checks.ts
@@ -135,7 +135,7 @@ export function checkInvalidKeyword(parsedCsp: Csp): Finding[] {
         }
       } else if (directive === csp.Directive.TRUSTED_TYPES) {
         // Continue, if it's an allowed Trusted Types keyword.
-        if (value === '\'allow-duplicates\'') {
+        if (value === '\'allow-duplicates\'' || value === '\'none\'') {
           continue;
         }
       } else {

diff --git a/checks/parser_checks_test.ts b/checks/parser_checks_test.ts
@@ -0,0 +1,94 @@
+/**
+ * @license
+ * Copyright 2016 Google Inc. All rights reserved.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * @fileoverview Tests for CSP Parser checks.
+ * @author lwe@google.com (Lukas Weichselbaum)
+ */
+
+import 'jasmine';
+
+import {Finding, Severity} from '../finding';
+import {CspParser} from '../parser';
+
+import {CheckerFunction} from './checker';
+import * as parserChecks from './parser_checks';
+
+/**
+ * Runs a check on a CSP string.
+ *
+ * @param test CSP string.
+ * @param checkFunction check.
+ */
+function checkCsp(test: string, checkFunction: CheckerFunction): Finding[] {
+  const parsedCsp = (new CspParser(test)).csp;
+  return checkFunction(parsedCsp);
+}
+
+
+describe('Test parser checks', () => {
+  /** Tests for csp.parserChecks.checkUnknownDirective */
+  it('CheckUnknownDirective', () => {
+    const test = 'foobar-src http:';
+
+    const violations = checkCsp(test, parserChecks.checkUnknownDirective);
+    expect(violations.length).toBe(1);
+    expect(violations[0].severity).toBe(Severity.SYNTAX);
+    expect(violations[0].directive).toBe('foobar-src');
+  });
+
+  /** Tests for csp.parserChecks.checkMissingSemicolon */
+  it('CheckMissingSemicolon', () => {
+    const test = 'default-src foo.bar script-src \'none\'';
+
+    const violations = checkCsp(test, parserChecks.checkMissingSemicolon);
+    expect(violations.length).toBe(1);
+    expect(violations[0].severity).toBe(Severity.SYNTAX);
+    expect(violations[0].value).toBe('script-src');
+  });
+
+  /** Tests for csp.parserChecks.checkInvalidKeyword */
+  it('CheckInvalidKeywordForgottenSingleTicks', () => {
+    const test = 'script-src strict-dynamic nonce-test sha256-asdf';
+
+    const violations = checkCsp(test, parserChecks.checkInvalidKeyword);
+    expect(violations.length).toBe(3);
+    expect(violations.every((v) => v.severity === Severity.SYNTAX)).toBeTrue();
+    expect(violations.every((v) => v.description.includes('single-ticks')))
+        .toBeTrue();
+  });
+
+  it('CheckInvalidKeywordUnknownKeyword', () => {
+    const test = 'script-src \'foo-bar\'';
+
+    const violations = checkCsp(test, parserChecks.checkInvalidKeyword);
+    expect(violations.length).toBe(1);
+    expect(violations[0].severity).toBe(Severity.SYNTAX);
+    expect(violations[0].value).toBe('\'foo-bar\'');
+  });
+
+  it('CheckInvalidKeywordAllowsRequireTrustedTypesForScript', () => {
+    const test = 'require-trusted-types-for \'script\'';
+
+    const violations = checkCsp(test, parserChecks.checkInvalidKeyword);
+    expect(violations.length).toBe(0);
+  });
+
+  it('CheckInvalidKeywordAllowsTrustedTypesAllowDuplicateKeyword', () => {
+    const test = 'trusted-types \'allow-duplicates\' policy1';
+
+    const violations = checkCsp(test, parserChecks.checkInvalidKeyword);
+    expect(violations.length).toBe(0);
+  });
+});
diff --git a/checks/security_checks.ts b/checks/security_checks.ts
@@ -169,8 +169,7 @@ export function checkMissingObjectSrcDirective(parsedCsp: Csp): Finding[] {
   } else if (Directive.DEFAULT_SRC in parsedCsp.directives) {
     objectRestrictions = parsedCsp.directives[Directive.DEFAULT_SRC];
   }
-  if (objectRestrictions !== undefined && objectRestrictions.length === 1 &&
-      objectRestrictions[0] === Keyword.NONE) {
+  if (objectRestrictions !== undefined && objectRestrictions.length >= 1) {
     return [];
   }
   return [new Finding(
@@ -267,7 +266,7 @@ export function checkScriptAllowlistBypass(parsedCsp: Csp): Finding[] {
     if (value === Keyword.SELF) {
       violations.push(new Finding(
           Type.SCRIPT_ALLOWLIST_BYPASS,
-          `'self' can be problematic if you host JSONP, Angular or user ` +
+          `'self' can be problematic if you host JSONP, AngularJS or user ` +
               'uploaded files.',
           Severity.MEDIUM_MAYBE, effectiveScriptSrcDirective, value));
       continue;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		# Purposefully blank so NPM doesn't use the .gitignore file