Support 'report-sample' keyword-source #184

Merged
merged 1 commit into from
Aug 11, 2017
6 changes: 5 additions & 1 deletion src/main/java/com/shapesecurity/salvation/Parser.java
Expand Up @@ -52,7 +52,7 @@ public class Parser {
private static final String unsafeInlineWarningMessage = "The \"'unsafe-inline'\" keyword-source has no effect in source lists that contain hash-source or nonce-source in CSP2 and later. " + explanation;
private static final String strictDynamicWarningMessage = "The host-source and scheme-source expressions, as well as the \"'unsafe-inline'\" and \"'self'\" keyword-sources have no effect in source lists that contain \"'strict-dynamic'\" in CSP3 and later. " + explanation;
private static final String unsafeHashedWithoutHashWarningMessage = "The \"'unsafe-hashed-attributes'\" keyword-source has no effect in source lists that do not contain hash-source in CSP3 and later.";
private enum SeenStates {SEEN_HASH, SEEN_HOST_OR_SCHEME_SOURCE, SEEN_NONE, SEEN_NONCE, SEEN_SELF, SEEN_STRICT_DYNAMIC, SEEN_UNSAFE_EVAL, SEEN_UNSAFE_INLINE, SEEN_UNSAFE_HASHED_ATTR};
private enum SeenStates {SEEN_HASH, SEEN_HOST_OR_SCHEME_SOURCE, SEEN_NONE, SEEN_NONCE, SEEN_SELF, SEEN_STRICT_DYNAMIC, SEEN_UNSAFE_EVAL, SEEN_UNSAFE_INLINE, SEEN_UNSAFE_HASHED_ATTR, SEEN_REPORT_SAMPLE};
@Nonnull protected final Token[] tokens;
@Nonnull private final Origin origin;
protected int index = 0;
Expand Down Expand Up @@ -391,6 +391,8 @@ private void enforceMissingDirectiveValue(@Nonnull Token directiveNameToken) thr
seenStates.add(SeenStates.SEEN_HOST_OR_SCHEME_SOURCE);
} else if (se == KeywordSource.UnsafeHashedAttributes) {
seenStates.add(SeenStates.SEEN_UNSAFE_HASHED_ATTR);
} else if (se == KeywordSource.ReportSample) {
seenStates.add(SeenStates.SEEN_REPORT_SAMPLE);
It seems silly to add this if it's not going to be read, but whatever.

}
sourceExpressions.add(se);
} catch (DirectiveValueParseException e) {
Expand Down Expand Up @@ -441,6 +443,8 @@ private void enforceMissingDirectiveValue(@Nonnull Token directiveNameToken) thr
return KeywordSource.UnsafeRedirect;
case "'unsafe-hashed-attributes'":
return KeywordSource.UnsafeHashedAttributes;
case "'report-sample'":
return KeywordSource.ReportSample;
default:
checkForUnquotedKeyword(token);
if (token.value.startsWith("'nonce-")) {
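Review bot: The new `case "'report-sample'":` in the second hunk recognises only the quoted form, and the `default:` branch right below it delegates the unquoted case to `checkForUnquotedKeyword(token)`, whose body is outside this diff; if that helper compares against a fixed list of keyword names, `report-sample` needs to be added there as well, otherwise a policy written as `script-src report-sample` would be accepted silently as a host-source for a host literally named `report-sample`. Separately, the test file in this PR accepts `img-src 'report-sample'` with zero notices; if the keyword is intended for script and style directives only (as the CSP3 draft describes it), a no-effect notice modelled on `unsafeHashedWithoutHashWarningMessage` for other directives would match the existing warning pattern. The enclosing method of both hunks starts and ends outside the diff.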
@@ -1,20 +1,21 @@
package com.shapesecurity.salvation.directiveValues;


import javax.annotation.Nonnull;

import com.shapesecurity.salvation.data.GUID;
import com.shapesecurity.salvation.data.Origin;
import com.shapesecurity.salvation.data.URI;
import com.shapesecurity.salvation.interfaces.MatchesSource;

import javax.annotation.Nonnull;

public class KeywordSource implements SourceExpression, AncestorSource, MatchesSource {
@Nonnull public static final KeywordSource Self = new KeywordSource("self");
@Nonnull public static final KeywordSource UnsafeInline = new KeywordSource("unsafe-inline");
@Nonnull public static final KeywordSource UnsafeEval = new KeywordSource("unsafe-eval");
@Nonnull public static final KeywordSource UnsafeRedirect = new KeywordSource("unsafe-redirect");
@Nonnull public static final KeywordSource StrictDynamic = new KeywordSource("strict-dynamic");
@Nonnull public static final KeywordSource UnsafeHashedAttributes = new KeywordSource("unsafe-hashed-attributes");
@Nonnull public static final KeywordSource ReportSample = new KeywordSource("report-sample");
@Nonnull private final String value;

private KeywordSource(@Nonnull String value) {
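Review bot: The new public constant `ReportSample` is undocumented while every caller outside the package will see it as API; a one-line Javadoc such as `/** The {@code 'report-sample'} keyword-source (CSP3): requests that violation reports include a sample of the blocked inline script or style. */` placed above the `@Nonnull public static final KeywordSource ReportSample` line would make its purpose clear. The spec wording should be checked against the current draft before committing the comment.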
24 changes: 24 additions & 0 deletions src/test/java/com/shapesecurity/salvation/ParserTest.java
Expand Up @@ -1050,4 +1050,28 @@ public class ParserTest extends CSPTest {
assertEquals(1, p.getDirectives().size());
assertEquals(0, notices.size());
}

@Test public void testReportSample() {
Policy p;
ArrayList<Notice> notices = new ArrayList<>();
p = parseWithNotices("default-src 'report-sample'", notices);
assertEquals(1, p.getDirectives().size());
assertEquals(0, notices.size());

notices.clear();
p = parseWithNotices("script-src 'report-sample' 'report-sample'", notices);
assertEquals(1, p.getDirectives().size());
assertEquals("script-src 'report-sample'", p.getDirectiveByType(ScriptSrcDirective.class).show());
assertEquals(0, notices.size());
Two report-samples, but no notices?

Will be addressed in #185


notices.clear();
p = parseWithNotices("default-src 'strict-dynamic' 'report-sample'", notices);
assertEquals(1, p.getDirectives().size());
assertEquals(0, notices.size());

notices.clear();
p = parseWithNotices("img-src 'report-sample'", notices);
assertEquals(1, p.getDirectives().size());
assertEquals(0, notices.size());
}
}
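Review bot: `testReportSample` only exercises inputs that are expected to parse without notices, so the parser's rejection path for the unquoted spelling stays untested; a case such as `p = parseWithNotices("script-src report-sample", notices);` followed by an assertion that `notices` is non-empty would pin that behaviour, with the exact count depending on `checkForUnquotedKeyword`, which is not part of this diff. As a point of style, `Policy p;` declared empty and assigned in the following statement can be collapsed to `Policy p = parseWithNotices("default-src 'report-sample'", notices);`, matching the pattern of assigning at declaration. The class `ParserTest` begins outside the hunk.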