Add SRI integrity hash to assets (#3256)

* Added default setting to enable/disable assets SRI

* Added system options to enable/disable assets SRI

* Added integrityHash function to create asset SRI

* Output SRI integrity hash on CSS assets

* Output SRI integrity hash for JS assets

* Updated integrityHash visibility (protected => public)

* Add SRI integrity hash to CSS and JS pipelines

* Made integrityHash static
Miguel Sales Pereira
2021-03-08 18:51:51 +01:00
committed by GitHub
parent 47bc6b0411
commit 3b6f5353fd
6 changed files with 43 additions and 4 deletions


@@ -1005,6 +1005,17 @@ form:
0: PLUGIN_ADMIN.NO
validate:
type: bool
assets.enable_asset_sri:
type: toggle
label: PLUGIN_ADMIN.ENABLED_SRI_ON_ASSETS
help: PLUGIN_ADMIN.ENABLED_SRI_ON_ASSETS_HELP
highlight: 0
options:
1: PLUGIN_ADMIN.YES
0: PLUGIN_ADMIN.NO
validate:
type: bool
assets.collections:
type: multilevel


@@ -127,6 +127,7 @@ assets: # Configuration for Assets Mana
js_pipeline_before_excludes: true # Render the pipeline before any excluded files
js_minify: true # Minify the JS during pipelining
enable_asset_timestamp: false # Enable asset timestamps
enable_asset_sri: false # Enable asset SRI
collections:
jquery: system://assets/jquery/jquery-2.x.min.js


@@ -10,6 +10,7 @@
namespace Grav\Common\Assets;
use Grav\Common\Assets\Traits\AssetUtilsTrait;
use Grav\Common\Config\Config;
use Grav\Common\Grav;
use Grav\Common\Uri;
use Grav\Common\Utils;
@@ -171,6 +172,31 @@ abstract class BaseAsset extends PropertyObject
return $this;
}
/**
* Receive asset location and return the SRI integrity hash
*
* @param $input
*
* @return string
*/
public static function integrityHash( $input )
{
$grav = Grav::instance();
$assetsConfig = $grav['config']->get('system.assets');
if ( !empty($assetsConfig['enable_asset_sri']) && $assetsConfig['enable_asset_sri'] )
{
$dataToHash = file_get_contents( GRAV_ROOT . $input);
$hash = hash('sha256', $dataToHash, true);
$hash_base64 = base64_encode($hash);
return ' integrity="sha256-' . $hash_base64 . '"';
}
return '';
}
/**
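Review bot: integrityHash() never checks that `file_get_contents(GRAV_ROOT . $input)` succeeded, so when `$input` is not a readable local path (a remote URL such as a CDN asset, or a path the web root does not map one-to-one — the callers pass `$this->asset` unchanged) the call returns `false` with a warning, `hash('sha256', false, true)` digests the empty string, and the tag is emitted with an `integrity` value that can never match, which makes the browser refuse to load that asset. The guard should fall back to an empty string whenever the file cannot be read, and the condition on the line `if ( !empty($assetsConfig['enable_asset_sri']) && $assetsConfig['enable_asset_sri'] )` is redundant — `!empty()` already covers the second operand. The parameter and return could also be typed (`string $input`, `: string`) since every caller passes a string. A rewrite of the body along those lines:
```php
public static function integrityHash($input)
{
    $grav = Grav::instance();
    $assetsConfig = $grav['config']->get('system.assets');

    if (empty($assetsConfig['enable_asset_sri'])) {
        return '';
    }

    // Only a readable local file can be hashed; for anything else (remote URL,
    // missing file) emit no attribute rather than a digest of '' that the
    // browser would reject.
    $path = GRAV_ROOT . $input;
    if (!is_file($path)) {
        return '';
    }
    $dataToHash = file_get_contents($path);
    if ($dataToHash === false) {
        return '';
    }

    return ' integrity="sha256-' . base64_encode(hash('sha256', $dataToHash, true)) . '"';
}
```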


@@ -47,6 +47,6 @@ class Css extends BaseAsset
return "<style>\n" . trim($buffer) . "\n</style>\n";
}
return '<link href="' . trim($this->asset) . $this->renderQueryString() . '"' . $this->renderAttributes() . ">\n";
return '<link href="' . trim($this->asset) . $this->renderQueryString() . '"' . $this->renderAttributes() . $this->integrityHash($this->asset) . ">\n";
}
}
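Review bot: `$this->integrityHash($this->asset)` on the new `<link>` line calls the static method introduced on BaseAsset through the instance; `static::integrityHash($this->asset)` (or `self::`) states the intent and matches the `BaseAsset::integrityHash(...)` form the Pipeline change uses. The same applies to the Js render line in this commit. If `$this->asset` can hold a cross-origin URL (render's earlier branches are outside the hunk, so I cannot confirm), note that browsers only honour `integrity` on a cross-origin `<link>`/`<script>` when the response is CORS-enabled and the tag carries `crossorigin`; otherwise the resource is discarded, so remote assets should either get no `integrity` attribute or be emitted with `crossorigin="anonymous"` alongside it.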


@@ -43,6 +43,6 @@ class Js extends BaseAsset
return '<script' . $this->renderAttributes() . ">\n" . trim($buffer) . "\n</script>\n";
}
return '<script src="' . trim($this->asset) . $this->renderQueryString() . '"' . $this->renderAttributes() . "></script>\n";
return '<script src="' . trim($this->asset) . $this->renderQueryString() . '"' . $this->renderAttributes() . $this->integrityHash($this->asset) . "></script>\n";
}
}


@@ -9,6 +9,7 @@
namespace Grav\Common\Assets;
use Grav\Common\Assets\BaseAsset;
use Grav\Common\Assets\Traits\AssetUtilsTrait;
use Grav\Common\Config\Config;
use Grav\Common\Grav;
@@ -148,7 +149,7 @@ class Pipeline extends PropertyObject
$output = "<style>\n" . $buffer . "\n</style>\n";
} else {
$this->asset = $relative_path;
$output = '<link href="' . $relative_path . $this->renderQueryString() . '"' . $this->renderAttributes() . ">\n";
$output = '<link href="' . $relative_path . $this->renderQueryString() . '"' . $this->renderAttributes() . BaseAsset::integrityHash($this->asset) . ">\n";
}
return $output;
@@ -211,7 +212,7 @@ class Pipeline extends PropertyObject
$output = '<script' . $this->renderAttributes(). ">\n" . $buffer . "\n</script>\n";
} else {
$this->asset = $relative_path;
$output = '<script src="' . $relative_path . $this->renderQueryString() . '"' . $this->renderAttributes() . "></script>\n";
$output = '<script src="' . $relative_path . $this->renderQueryString() . '"' . $this->renderAttributes() . BaseAsset::integrityHash($this->asset) . "></script>\n";
}
return $output;
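Review bot: `BaseAsset::integrityHash($this->asset)` on both new `$output = ...` lines reads the pipelined file back from disk and hashes it on every render, which for a large combined bundle is a second full read per request. If the combined content written to `$relative_path` is still in scope here (the write happens before this hunk, so this is inferred), hashing that in-memory buffer — or storing the digest next to the pipelined file when it is generated — gives the same `integrity` value without the re-read. Both enclosing methods start outside the hunk.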