Warn about asterisk being used in media type.

fixes #181
shapesecurity · May 28, 2017 · c0fff67 · c0fff67
1 parent d26e1cf
commit c0fff67
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 1 deletion.
diff --git a/src/main/java/com/shapesecurity/salvation/Constants.java b/src/main/java/com/shapesecurity/salvation/Constants.java
@@ -14,7 +14,8 @@
             + "|scripts|top-navigation)$");
     public static final Pattern requireSriForEnumeratedTokenPattern = Pattern
             .compile("^(?:script|style)$", Pattern.CASE_INSENSITIVE);
-    public static final Pattern mediaTypePattern = Pattern.compile("^(?<type>[^/]+)/(?<subtype>[^/]+)$");
+    public static final Pattern mediaTypePattern = Pattern.compile("^(?<type>[a-zA-Z0-9!#$%^&*\\-_+{}|'.`~]+)/(?<subtype>[a-zA-Z0-9!#$%^&*\\-_+{}|'.`~]+)$");
+    // public static final Pattern mediaTypePattern = Pattern.compile("[a-zA-Z0-9!#$%^&\\*-_\\+{}\\|'.`~]+/[a-zA-Z0-9!#$%^&\\*-_\\+{}\\|'.`~]+");
     public static final Pattern unquotedKeywordPattern = Pattern.compile("^(?:self|unsafe-inline|unsafe-eval|unsafe-redirect|none|strict-dynamic)$");
     // port-part constants
     public static final int WILDCARD_PORT = -200;

diff --git a/src/main/java/com/shapesecurity/salvation/Parser.java b/src/main/java/com/shapesecurity/salvation/Parser.java
@@ -252,6 +252,8 @@ private boolean eat(@Nonnull Class<? extends Token> c) {
                     if (mediaTypes.isEmpty()) {
                         this.error(token, "The media-type-list must contain at least one media-type.");
                         throw INVALID_MEDIA_TYPE_LIST;
+                    } else if (mediaTypes.stream().anyMatch(x -> x.matchesTypeOrSubType("*"))) {
+                        this.warn(token,"`*` is allowed character in media type which will be literally matched. Make sure it not an attempt to match any.");
                     }
                     result = new PluginTypesDirective(mediaTypes);
                     break;

diff --git a/src/main/java/com/shapesecurity/salvation/directiveValues/MediaType.java b/src/main/java/com/shapesecurity/salvation/directiveValues/MediaType.java
@@ -25,6 +25,10 @@ public boolean matchesMediaType(@Nonnull MediaType mediaType) {
         return this.type.equalsIgnoreCase(mediaType.type) && this.subtype.equalsIgnoreCase(mediaType.subtype);
     }
 
+    public boolean matchesTypeOrSubType(@Nonnull String str) {
+        return this.type.equalsIgnoreCase(str) || this.subtype.equalsIgnoreCase(str);
+    }
+
     @Override public int hashCode() {
         return (this.type.toLowerCase().hashCode() ^ 0x887E088E) ^ (this.subtype.toLowerCase().hashCode() ^ 0x33E42712);
     }

diff --git a/src/test/java/com/shapesecurity/salvation/ParserTest.java b/src/test/java/com/shapesecurity/salvation/ParserTest.java
@@ -315,6 +315,11 @@ public class ParserTest extends CSPTest {
         assertEquals(1, notices.size());
         assertEquals("The media-type-list must contain at least one media-type.", notices.get(0).message);
 
+        notices.clear();
+        parseWithNotices("plugin-types */* a/a", notices);
+        assertEquals(1, notices.size());
+        assertEquals("`*` is allowed character in media type which will be literally matched. Make sure it not an attempt to match any.", notices.get(0).message);
+
         notices.clear();
         // XXX: technically allowed via ietf-token if an RFC introduces a type/subtype that is empty
         parseWithNotices("plugin-types /", notices);