-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check SubResource Integrity #9947
Conversation
@agriffard @deanmarcussen what I notice that many files in my local don't have the same SRI, for example Could you please let me know if there's something I can do? That's why the Test fails in both my end and GitHub |
The following are the file that have the exact same SRI:
|
I would suggest picking a specific file that doesn't match, and using the online https://www.srihash.org/ that I suspect @agriffard is using to test why one is not working, perhaps they are using different hashing methods. |
@agriffard are using |
Yes, I do. I always use https://www.srihash.org/ and the default encryption is |
@agriffard how can I ensure that all the resources in my side are up to date, so I can validate the SRI for them |
FYI I tried |
@agriffard could you let me know what should I do here to make a successful restore for npm packages. I need to finalize this PR |
|
@hishamco Update your node.js and/or npm to latest LTS version. |
I already updated Node JS, I need to check again, coz it success with UI Testing project .. I will have a try |
Once you installed the new node.js and npm try and do a cleanup of the node_modules folder. Then redo npm install. |
@Skrypt is I tried |
Sometimes I do a |
@agriffard this PR is ready, I know the build will fail because I discover there are many invalid SRI, so I will create another PR to fix them. Once you merge the other PR we could rebase on main then the build will pass |
I cancelled the workflows, the build was running without progress for 1h40. |
That's why I didn't the build failed, I might need to check the logs |
Seems the resources take time to validate the SRI, which is weird!! |
Is this something you'd like to revisit any time soon @hishamco? Would be quite useful. |
Sure, there are many PRs on my list :) |
Let me know if you'd like a review here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See #9947 (comment)
@Piedone time to merge :) |
@@ -6,6 +6,8 @@ namespace OrchardCore.Tests.Modules.OrchardCore.Resources; | |||
|
|||
public class SubResourceIntegrityTests | |||
{ | |||
private static readonly HttpClient _httpClient = new(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You also need to dispose this. It doesn't actually need to be static, you can just add a using var
into the test method.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You also need to dispose this
Agree
It doesn't actually need to be static
The GetSubResourceIntegrityAsync()
is static
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And you can change that, because you have the infinite power of Visual Studio at your hand :). However, I'm not arguing for that. You can just pass HttpClient
into the method. The latest implementation of disposing a static field from an instance method is a wrong approach to this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And you can change that, because you have the infinite power of Visual Studio at your hand
Sure :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I committed what I think is simpler, please check.
Please request review when you're done, because I just noticed this randomly. |
// Assert | ||
var resourceManifest = resourceManagementOptions.ResourceManifests.First(); | ||
|
||
using var httpClient = new HttpClient(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Piedone If you remember you told me to use the same instance of HttpClient
which you insisted a lot before, now I see you are a new instance :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is still one instance during the lifetime of the test, but we don't go the roundabout way of passing a field to a local function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No problem, I think we are fine now for merge this, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you're OK with it then yes.
Use the new static instances instead of creating new ones: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.sha384.hashdata?view=net-8.0 |
I am right that these will run also locally?
|
We could do that, but I'm not sure do we still need Azure DevOps, while we're using GitHub actions? |
Why would we skip these in CI? |
The opposite, skip these locally but not in CI. My wording was wrong, the code is correct ;) |
I thought what the Seb meant at the first glance 😂, I will submit a PR |
Seb seems the code is wrong, because the fact should be |
Co-authored-by: Zoltán Lehóczky <zoltan.lehoczky@lombiq.com>
Fixes #9941
Fixes #11915