
feat: Check script tags for inline JS #48

Merged: 34 commits from check-script-tags into main, Apr 9, 2024

Conversation

d3xter666 (Contributor):

JIRA: CPOUI5FOUNDATION-826

@d3xter666 d3xter666 marked this pull request as draft March 25, 2024 13:04
@matz3 matz3 mentioned this pull request Mar 25, 2024 (27 tasks)
Review thread (outdated): src/linter/html/linter.ts
@d3xter666 d3xter666 marked this pull request as ready for review March 27, 2024 09:44
@d3xter666 d3xter666 requested a review from a team March 27, 2024 09:44
Review threads (outdated): tsconfig.base.json, src/detectors/transpilers/html/parser.ts, src/detectors/typeChecker/index.ts, src/linter/html/HtmlReporter.ts (2), src/linter/html/linter.ts, tsconfig.base.json
@d3xter666 d3xter666 requested a review from RandomByte April 3, 2024 13:53
Review threads: src/detectors/typeChecker/index.ts (resolved), src/detectors/typeChecker/index.ts (outdated), src/linter/html/linter.ts (outdated)
@matz3 matz3 requested a review from a team April 5, 2024 12:49
RandomByte (Member) previously approved these changes Apr 8, 2024

@RandomByte left a comment:

LGTM

// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script/type#attribute_is_not_set_default_an_empty_string_or_a_javascript_mime_type
return attr.name.value !== "type" ||
(attr.name.value === "type" &&
(attr.value.value === "" || attr.value.value === "text/javascript"));
codeworrior (Member) commented on the lines above:

In the scope of SAPUI5, I find ~180 occurrences of the legacy MIME type application/javascript. Maybe we should include that one as well? The other legacy types, I didn't find.

According to https://mimesniff.spec.whatwg.org/#javascript-mime-type-essence-match, the MIME types are case insensitive. I don't expect the SAX parser to normalize attribute values, so the check maybe should be case insensitive.

Last but not least: we most likely won't process scripts of type module any time soon, but the check for inline scripts could complain about them already (if they're inline).

d3xter666 (Contributor, Author):

Thanks, @codeworrior !

I have added the case insensitive checks and also the application/javascript type.

Regarding the module type, currently it's being ignored as we check only for missing type property or against a list of hardcoded, case insensitive (already, thanks!) types.

I have added type="module" to the test cases.

Member comment:

@codeworrior's comment wasn't fully addressed, right? I also agree that the check should complain about type="module", as it is also relevant for CSP unsafe-inline.

In addition, a <script> tag with a "src" attribute and a comment (or even code) as content is falsely reported as finding. Browsers (tested with Chrome only) ignore the script tag content in case a "src" attribute is provided (even without a value).

<script src="foo.js"> // should not be reported as it is not a CSP violation
</script>
<script src> // should also not be reported as it is not a CSP violation
console.log("this code won't run");
</script>
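The rules raised in the two review comments above (case-insensitive MIME-type matching, the legacy application/javascript type, type="module", and a src attribute that makes the element's content inert), pulled together as an added example. This is not code from the ui5-linter project or from this PR: parseScriptElement is a hypothetical stand-in for the attribute list a SAX parser would deliver, the MIME list is the JavaScript MIME type essence list from the mimesniff spec, and the sample elements are constructed (the two with src are taken from the comment above).

```javascript
// Added example, not code from the ui5-linter project or this PR. Given one
// <script> element as a string, decide whether it is an inline script that a
// CSP without 'unsafe-inline' (and without a matching nonce or hash) would
// refuse to execute. Anything the browser never runs is not a finding.

// JavaScript MIME type essences from
// https://mimesniff.spec.whatwg.org/#javascript-mime-type . Matching is
// ASCII case-insensitive, so everything is compared in lower case.
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Hypothetical helper standing in for what a SAX parser delivers: a minimal
// attribute scanner for a <script ...> start tag (it does not cover every
// HTML quirk). Attribute names are lower-cased, values are kept verbatim, and
// a valueless attribute such as a bare `src` yields an empty string, which is
// exactly what the browser sees.
function parseScriptElement(html) {
  const m = /^\s*<script\b([^>]*)>([\s\S]*?)<\/script\s*>\s*$/i.exec(html);
  if (!m) throw new Error("not a single <script> element");
  const attrs = new Map();
  const attrRe = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const a of m[1].matchAll(attrRe)) {
    attrs.set(a[1].toLowerCase(), a[2] ?? a[3] ?? a[4] ?? "");
  }
  return {attrs, content: m[2]};
}

// Returns null when the element is not an inline script, otherwise a short
// reason string describing why it counts as one.
function inlineScriptFinding(html) {
  const {attrs, content} = parseScriptElement(html);
  // A src attribute, even one without a value, makes the browser ignore the
  // element's content, so nothing inline executes and nothing is reported.
  if (attrs.has("src")) return null;
  // Nothing to execute.
  if (content.trim() === "") return null;
  // The type attribute is compared after stripping surrounding whitespace and
  // ignoring ASCII case; a missing or empty type means classic JavaScript.
  const type = (attrs.get("type") ?? "").trim().toLowerCase();
  if (type === "" || JS_MIME_TYPES.has(type)) return "inline classic script";
  // type="module" is executed as well and is equally governed by script-src.
  if (type === "module") return "inline module script";
  // Anything else (application/json, text/x-template, ...) is a data block
  // that the browser never executes.
  return null;
}

// Constructed sample elements with the expected classification.
const SAMPLES = [
  ['<script>console.log("hi");</script>', "inline classic script"],
  ['<script type="Text/JavaScript">x();</script>', "inline classic script"],
  ['<script type="application/javascript">x();</script>', "inline classic script"],
  ['<script type="module">import "./a.js";</script>', "inline module script"],
  ['<script src="foo.js"> // should not be reported\n</script>', null],
  ['<script src>\nconsole.log("this code won\'t run");\n</script>', null],
  ['<script type="application/json">{"a": 1}</script>', null],
  ['<script></script>', null],
];

// Classifies every sample and reports whether it matched the expectation.
function runSamples() {
  return SAMPLES.map(([html, expected]) => {
    const got = inlineScriptFinding(html);
    return {html, got, ok: got === expected};
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) {
    console.log(r.ok ? "ok  " : "FAIL", JSON.stringify(r.html), "->", r.got);
  }
}
```

Running the file prints one line per sample. Because inlineScriptFinding returns null for every element the browser would not execute, a linter built on it reports only what the unsafe-inline source expression actually governs, which avoids the false positive for `<script src>` elements that carry a comment or dead code.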

d3xter666 (Contributor, Author):

I misunderstood it. However, I have addressed the changes in the following PR: #70

@d3xter666 d3xter666 force-pushed the check-script-tags branch from a7c520b to 93495c6 April 9, 2024 13:21
@d3xter666 d3xter666 merged commit 70b719a into main Apr 9, 2024
17 checks passed
@d3xter666 d3xter666 deleted the check-script-tags branch April 9, 2024 17:33
@openui5bot openui5bot mentioned this pull request Apr 9, 2024
d3xter666 added a commit that referenced this pull request Apr 12, 2024
…r checks (#70)

This change addresses the following comments:
#48 (comment)
5 participants