From f154134221a291d8db022422a1921e5cb95fbc1d Mon Sep 17 00:00:00 2001
From: edukisto <52005215+edukisto@users.noreply.github.com>
Date: Tue, 1 Dec 2020 23:10:29 +0300
Subject: [PATCH] CSP: Added missing directives and keywords (#2664)

This adds missing CSP and UISecurity directives and keywords.
---
 components/prism-csp.js | 11 +++++++----
 components/prism-csp.min.js | 2 +-
 ...rective_with_source_expression_feature.test | 18 ++++++++++++++++--
 tests/languages/csp/safe_feature.test | 3 ++-
 tests/languages/csp/unsafe_feature.test | 10 ++++++++--
 5 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/components/prism-csp.js b/components/prism-csp.js
index c8facbc30f..72910bc65c 100644
--- a/components/prism-csp.js
+++ b/components/prism-csp.js
@@ -10,17 +10,20 @@
 */
 Prism.languages.csp = {
- 'directive': {
- pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,
+ 'directive': {
+ pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|prefetch|script|style|worker)-src|disown-opener|form-action|frame-(?:ancestors|options)|input-protection(?:-(?:clip|selectors))?|navigate-to|plugin-types|policy-uri|referrer|reflected-xss|report-(?:to|uri)|require-sri-for|sandbox|(?:script|style)-src-(?:attr|elem)|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,
 lookbehind: true,
 alias: 'keyword'
 },
 'safe': {
- pattern: /'(?:self|none|strict-dynamic|(?:nonce-|sha(?:256|384|512)-)[a-zA-Z\d+=/]+)'/,
+ // CSP2 hashes and nonces are base64 values. CSP3 accepts both base64 and base64url values.
+ // See https://tools.ietf.org/html/rfc4648#section-4
+ // See https://tools.ietf.org/html/rfc4648#section-5
+ pattern: /'(?:deny|none|report-sample|self|strict-dynamic|top-only|(?:nonce|sha(?:256|384|512))-[-+/\d=_a-z]+)'/i,
 alias: 'selector'
 },
 'unsafe': {
- pattern: /(?:'unsafe-inline'|'unsafe-eval'|'unsafe-hashed-attributes'|\*)/,
+ pattern: /(?:'unsafe-(?:allow-redirects|dynamic|eval|hash-attributes|hashed-attributes|hashes|inline)'|\*)/i,
 alias: 'function'
 }
 };
\ No newline at end of file
diff --git a/components/prism-csp.min.js b/components/prism-csp.min.js
index 6da48ba61d..3749b8c10e 100644
--- a/components/prism-csp.min.js
+++ b/components/prism-csp.min.js
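Review bot: The extended `directive` alternation on the `+ pattern:` line still omits the Trusted Types directives `trusted-types` and `require-trusted-types-for`, and the `safe` alternation omits their keywords `'script'` and `'allow-duplicates'`, so a header such as `require-trusted-types-for 'script'` highlights neither token while `input-protection-selectors` now does. Adding `require-trusted-types-for|trusted-types` to the directive group and `allow-duplicates|script` to the quoted-keyword group would keep the two lists in step; this is a highlighter, so the omission is cosmetic rather than a policy bug. Several of the names kept or added here (`disown-opener`, `frame-options`, `input-protection*`, `policy-uri`, `referrer`, `reflected-xss`, `'unsafe-hash-attributes'`, `'unsafe-hashed-attributes'`) are draft or withdrawn spellings, and the hunk documents only the base64url change, so a comment above the directive pattern such as `// Includes obsolete draft directives/keywords so legacy policies still highlight; presence here does not imply browser support` would stop readers treating the regex as a list of what to deploy. Finally, the `\*` alternative in `unsafe` still matches the asterisk inside a bounded host-source like `https://*.example.com`, so the `function` styling cannot distinguish a bare wildcard from a scoped one — worth recording as a known limitation in the same comment.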
@@ -1 +1 @@ -Prism.languages.csp={directive:{pattern:/(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,lookbehind:!0,alias:"keyword"},safe:{pattern:/'(?:self|none|strict-dynamic|(?:nonce-|sha(?:256|384|512)-)[a-zA-Z\d+=/]+)'/,alias:"selector"},unsafe:{pattern:/(?:'unsafe-inline'|'unsafe-eval'|'unsafe-hashed-attributes'|\*)/,alias:"function"}}; \ No newline at end of file +Prism.languages.csp={directive:{pattern:/(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|prefetch|script|style|worker)-src|disown-opener|form-action|frame-(?:ancestors|options)|input-protection(?:-(?:clip|selectors))?|navigate-to|plugin-types|policy-uri|referrer|reflected-xss|report-(?:to|uri)|require-sri-for|sandbox|(?:script|style)-src-(?:attr|elem)|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,lookbehind:!0,alias:"keyword"},safe:{pattern:/'(?:deny|none|report-sample|self|strict-dynamic|top-only|(?:nonce|sha(?:256|384|512))-[-+/\d=_a-z]+)'/i,alias:"selector"},unsafe:{pattern:/(?:'unsafe-(?:allow-redirects|dynamic|eval|hash-attributes|hashed-attributes|hashes|inline)'|\*)/i,alias:"function"}}; \ No newline at end of file diff --git a/tests/languages/csp/directive_with_source_expression_feature.test b/tests/languages/csp/directive_with_source_expression_feature.test index a4db6cd64f..f618d290ad 100644 --- a/tests/languages/csp/directive_with_source_expression_feature.test +++ b/tests/languages/csp/directive_with_source_expression_feature.test 
@@ -1,10 +1,24 @@
-script-src example.com;
+input-protection tolerance=50; input-protection-clip before=60; input-protection-selectors div; policy-uri https://example.com; script-src example.com; script-src-attr 'none'; style-src-elem 'none';
 ----------------------------------------------------
 [
+ ["directive", "input-protection"],
+ " tolerance=50; ",
+ ["directive", "input-protection-clip"],
+ " before=60; ",
+ ["directive", "input-protection-selectors"],
+ " div; ",
+ ["directive", "policy-uri"],
+ " https://example.com; ",
 ["directive", "script-src"],
- " example.com;"
+ " example.com; ",
+ ["directive", "script-src-attr"],
+ ["safe", "'none'"],
+ "; ",
+ ["directive", "style-src-elem"],
+ ["safe", "'none'"],
+ ";"
 ]
 ----------------------------------------------------
diff --git a/tests/languages/csp/safe_feature.test b/tests/languages/csp/safe_feature.test
index 13c9d837b7..f61cc32fdd 100644
--- a/tests/languages/csp/safe_feature.test
+++ b/tests/languages/csp/safe_feature.test
@@ -1,10 +1,11 @@
-default-src 'none'; style-src 'self' 'strict-dynamic' 'nonce-yeah' 'sha256-EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4=';
+default-src 'none' 'report-sample'; style-src 'self' 'strict-dynamic' 'nonce-yeah' 'sha256-EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4=';
 ----------------------------------------------------
 [
 ["directive", "default-src"],
 ["safe", "'none'"],
+ ["safe", "'report-sample'"],
 "; ",
 ["directive", "style-src"],
 ["safe", "'self'"],
diff --git a/tests/languages/csp/unsafe_feature.test b/tests/languages/csp/unsafe_feature.test
index e1cf98aa13..758ab58fc0 100644
--- a/tests/languages/csp/unsafe_feature.test
+++ b/tests/languages/csp/unsafe_feature.test
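Review bot: The safe_feature fixture on the `+default-src 'none' 'report-sample';` line only adds the new keyword; it does not exercise what the regex change in components/prism-csp.js actually relaxed, namely base64url characters (`-` and `_`) in hash and nonce values and the new case-insensitive matching, since the only hash kept is the existing base64 `sha256-` value. A second source such as a `sha384-` value whose digest contains `-` and `_`, plus an upper-cased keyword like `'SELF'` (constructed examples), would pin the new character class and the `/i` flag so a later tightening of `[-+/\d=_a-z]` is caught by this test rather than in the wild. The unsafe_feature fixture below has the same gap for the bare `*` alternative, which is still never exercised.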
@@ -1,12 +1,18 @@
-script-src 'unsafe-inline' 'unsafe-eval' 'unsafe-hashed-attributes';
+navigate-to 'unsafe-allow-redirects'; script-src 'unsafe-dynamic' 'unsafe-eval' 'unsafe-hash-attributes' 'unsafe-hashed-attributes' 'unsafe-hashes' 'unsafe-inline';
 ----------------------------------------------------
 [
+ ["directive", "navigate-to"],
+ ["unsafe", "'unsafe-allow-redirects'"],
+ "; ",
 ["directive", "script-src"],
- ["unsafe", "'unsafe-inline'"],
+ ["unsafe", "'unsafe-dynamic'"],
 ["unsafe", "'unsafe-eval'"],
+ ["unsafe", "'unsafe-hash-attributes'"],
 ["unsafe", "'unsafe-hashed-attributes'"],
+ ["unsafe", "'unsafe-hashes'"],
+ ["unsafe", "'unsafe-inline'"],
 ";"
 ]