No public description

PiperOrigin-RevId: 650314356

Author: CSP Evaluator Team

checks/security_checks.ts

@@ -70,6 +70,12 @@ export function checkScriptUnsafeInline(effectiveCsp: Csp): Finding[] {
               'and event handlers.',
           Severity.HIGH, directive, Keyword.UNSAFE_INLINE));
     }
+    if (values.includes(Keyword.UNSAFE_HASHES)) {
+      violations.push(new Finding(
+          Type.SCRIPT_UNSAFE_HASHES,
+          `'unsafe-hashes', while safer than 'unsafe-inline', allows the execution of unsafe in-page scripts and event handlers as long as their hashes appear in the CSP. Please refactor them to no longer use inline scripts if possible.`,
+          Severity.MEDIUM_MAYBE, directive, Keyword.UNSAFE_HASHES));
+    }
   }
 
   return violations;

checks/security_checks_test.ts

@@ -54,6 +54,15 @@ describe('Test security checks', () => {
     expect(violations.length).toBe(1);
   });
 
+  it('CheckScriptUnsafeHashesInScriptSrc', () => {
+    const test =
+        'script-src \'unsafe-hashes\' \'sha256-1DCfk1NYWuHMfoobarfoobar=\'';
+
+    const violations = checkCsp(test, securityChecks.checkScriptUnsafeInline);
+    expect(violations.length).toBe(1);
+    expect(violations[0].severity).toBe(Severity.MEDIUM_MAYBE);
+  });
+
   it('CheckScriptUnsafeInlineInDefaultSrcAndNotInScriptSrc', () => {
     const test =
         'default-src \'unsafe-inline\'; script-src https:; script-src-attr https:; script-src-elem https:';

finding.ts

@@ -86,7 +86,7 @@ export enum Type {
   INVALID_KEYWORD,
   NONCE_CHARSET = 106,
 
-  // Security cheks
+  // Security checks
   MISSING_DIRECTIVES = 300,
   SCRIPT_UNSAFE_INLINE,
   SCRIPT_UNSAFE_EVAL,
@@ -104,6 +104,7 @@ export enum Type {
   X_FRAME_OPTIONS_OBSOLETED,
   STYLE_UNSAFE_INLINE,
   STATIC_NONCE,
+  SCRIPT_UNSAFE_HASHES,
 
   // Strict dynamic and backward compatibility checks
   STRICT_DYNAMIC = 400,

parser_test.ts

@@ -26,8 +26,8 @@ describe('Test parser', () => {
   it('CspParser', () => {
     const validCsp =  // Test policy with different features from CSP2.
         'default-src \'none\';' +
-        'script-src \'nonce-unsafefoobar\' \'unsafe-eval\'   \'unsafe-inline\' \n' +
-        'https://example.com/foo.js foo.bar;      ' +
+        'script-src \'nonce-unsafefoobar\' \'unsafe-eval\' \'unsafe-hashes\'  \'unsafe-inline\' \n' +
+        'https://example.com/foo.js foo.bar     \'sha256-1DCfk1NYWuHMfoobarfoobar=\';' +
         'script-src-elem \'self\' \'unsafe-inline\' https://apis.google.com https://www.googletagmanager.com https://www.google-analytics.com https://wchat.freshchat.com;' +
         'object-src \'none\';' +
         'img-src \'self\' https: data: blob:;' +
@@ -57,8 +57,9 @@ describe('Test parser', () => {
             parsedCsp.directives['default-src'] as string[]));
 
     expect([
-      '\'nonce-unsafefoobar\'', '\'unsafe-eval\'', '\'unsafe-inline\'',
-      'https://example.com/foo.js', 'foo.bar'
+      '\'nonce-unsafefoobar\'', '\'unsafe-eval\'', '\'unsafe-hashes\'',
+      '\'unsafe-inline\'', 'https://example.com/foo.js', 'foo.bar',
+      '\'sha256-1DCfk1NYWuHMfoobarfoobar=\''
     ])
         .toEqual(jasmine.arrayWithExactContents(
             parsedCsp.directives['script-src'] as string[]));