diff --git a/.travis.yml b/.travis.yml
index f77cd9a..7723689 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,7 @@
language: node_js
sudo: false
node_js:
- - "7"
+ - "9"
+ - "8"
- "6"
- "4"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 177c176..fab4a95 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,16 @@
All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+
+## [5.2.2](https://github.com/zkat/ssri/compare/v5.2.1...v5.2.2) (2018-02-14)
+
+
+### Bug Fixes
+
+* **security:** tweak strict SRI regex ([#10](https://github.com/zkat/ssri/issues/10)) ([d0ebcdc](https://github.com/zkat/ssri/commit/d0ebcdc))
+
+
+
## [5.2.1](https://github.com/zkat/ssri/compare/v5.2.0...v5.2.1) (2018-02-06)
diff --git a/appveyor.yml b/appveyor.yml
index 71afe26..592631c 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -1,6 +1,7 @@
environment:
matrix:
- - nodejs_version: "7"
+ - nodejs_version: "9"
+ - nodejs_version: "8"
- nodejs_version: "6"
- nodejs_version: "4"
diff --git a/index.js b/index.js
index ba1bb6d..43c1507 100644
--- a/index.js
+++ b/index.js
@@ -9,7 +9,7 @@ const SPEC_ALGORITHMS = ['sha256', 'sha384', 'sha512']
const BASE64_REGEX = /^[a-z0-9+/]+(?:=?=?)$/i
const SRI_REGEX = /^([^-]+)-([^?]+)([?\S*]*)$/
-const STRICT_SRI_REGEX = /^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/
+const STRICT_SRI_REGEX = /^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/
const VCHAR_REGEX = /^[\x21-\x7E]+$/
class Hash {
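Review bot: The new option group `(\?[\x21-\x7E]*)*$` on the `+` line nests a quantifier around a character class that itself contains `?`, so an input with a long run of `?` after the digest and a character outside the class before the end can be split across iterations in exponentially many ways and the engine backtracks through all of them before failing — a denial-of-service risk for anything that parses untrusted integrity strings in strict mode. Because `[\x21-\x7E]` already covers `?`, a single optional group accepts exactly the same strings without the ambiguity: `const STRICT_SRI_REGEX = /^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)?$/`. Separately, `[A-Za-z0-9+/=]{44,88}` accepts `=` at any position and does not tie the digest length to the named algorithm (a 44-character digest is still accepted for `sha512`); unless the strict path checks decoded length per algorithm elsewhere, which this hunk does not show, consider restricting `=` to trailing padding and validating length against the algorithm. The `Hash` class that consumes this regex begins on the hunk's last line and its body is outside the hunk.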
diff --git a/package-lock.json b/package-lock.json
index cb93465..79b96be 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
{
"name": "ssri",
- "version": "5.2.1",
+ "version": "5.2.2",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
diff --git a/package.json b/package.json
index 8b0836d..c82e3d4 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "ssri",
- "version": "5.2.1",
+ "version": "5.2.2",
"description": "Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.",
"main": "index.js",
"files": [
diff --git a/test/integrity.js b/test/integrity.js
index 3a697fb..a35f725 100644
--- a/test/integrity.js
+++ b/test/integrity.js
@@ -7,20 +7,20 @@ const test = require('tap').test
const ssri = require('..')
test('toString()', t => {
- const sri = ssri.parse('sha512-foo sha256-bar!')
+ const sri = ssri.parse('sha1-eUN/Xt2hP5wGabl43XqQZt0gWfE= sha256-Qhx213Vjr6GRSEawEL0WTzlb00whAuXpngy5zxc8HYc=')
t.equal(
sri.toString(),
- 'sha512-foo sha256-bar!',
+ 'sha1-eUN/Xt2hP5wGabl43XqQZt0gWfE= sha256-Qhx213Vjr6GRSEawEL0WTzlb00whAuXpngy5zxc8HYc=',
'integrity objects from ssri.parse() can use toString()'
)
t.equal(
sri.toString({strict: true}),
- 'sha512-foo',
+ 'sha256-Qhx213Vjr6GRSEawEL0WTzlb00whAuXpngy5zxc8HYc=',
'accepts strict mode option'
)
t.equal(
sri.toString({sep: '\n'}),
- 'sha512-foo\nsha256-bar!',
+ 'sha1-eUN/Xt2hP5wGabl43XqQZt0gWfE=\nsha256-Qhx213Vjr6GRSEawEL0WTzlb00whAuXpngy5zxc8HYc=',
'accepts separator option'
)
t.done()
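Review bot: The replaced assertions in `toString()` only exercise strict filtering by algorithm (the `sha1-` entry is dropped while the `sha256-` one survives), so the regression the regex change in index.js targets — a VCHAR-only digest such as `foo` that is not 44–88 base64 characters, or trailing options that do not begin with `?` — has no negative assertion here; the same gap applies to the `concat()` hunk below and to the `test/stringify.js` hunk. One added check in the form already used in this hunk, e.g. `t.equal(ssri.parse('sha512-foo sha256-bar!').toString({strict: true}), '', 'malformed digests are dropped in strict mode')`, would pin the fix, assuming an integrity object with no surviving entries stringifies to an empty string. The test callback's closing line is outside the hunk.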
@@ -72,9 +72,12 @@ test('concat()', t => {
'sha512-foo sha512-quux sha1-bar sha1-baz',
'preserves relative order for algorithms between different concatenations'
)
+ const strictSri = ssri.parse('sha512-WrLorGiX4iEWOOOaJSiCrmDIamA47exH+Bz7tVwIPb4sCU8w4iNqGCqYuspMMeU5pgz/sU7koP5u8W3RCUojGw==')
t.equal(
- sri.concat('sha1-bar!', {strict: true}).toString(),
- 'sha512-foo',
+ strictSri.concat('sha1-eUN/Xt2hP5wGabl43XqQZt0gWfE=', {
+ strict: true
+ }).toString(),
+ 'sha512-WrLorGiX4iEWOOOaJSiCrmDIamA47exH+Bz7tVwIPb4sCU8w4iNqGCqYuspMMeU5pgz/sU7koP5u8W3RCUojGw==',
'accepts strict mode option'
)
t.done()
diff --git a/test/stringify.js b/test/stringify.js
index 727efbd..53200cb 100644
--- a/test/stringify.js
+++ b/test/stringify.js
@@ -108,8 +108,8 @@ test('support strict serialization', t => {
'entries that do not conform to strict spec interpretation removed'
)
t.equal(
- ssri.stringify('sha512-foo sha256-bar', {sep: ' \r|\n\t', strict: true}),
- 'sha512-foo \r \n\tsha256-bar',
+ ssri.stringify('sha512-WrLorGiX4iEWOOOaJSiCrmDIamA47exH+Bz7tVwIPb4sCU8w4iNqGCqYuspMMeU5pgz/sU7koP5u8W3RCUojGw== sha256-Qhx213Vjr6GRSEawEL0WTzlb00whAuXpngy5zxc8HYc=', {sep: ' \r|\n\t', strict: true}),
+ 'sha512-WrLorGiX4iEWOOOaJSiCrmDIamA47exH+Bz7tVwIPb4sCU8w4iNqGCqYuspMMeU5pgz/sU7koP5u8W3RCUojGw== \r \n\tsha256-Qhx213Vjr6GRSEawEL0WTzlb00whAuXpngy5zxc8HYc=',
'strict mode replaces non-whitespace characters in separator with space'
)
t.done()