From 3b6f5353fd2fdc4ada595bcf6d9776006bbecb99 Mon Sep 17 00:00:00 2001
From: Miguel Sales Pereira
Date: Mon, 8 Mar 2021 18:51:51 +0100
Subject: [PATCH] Add SRI integrity hash to assets (#3256)

* Added default setting to enable/disable assets SRI
* Added system options to enable/disable assets SRI
* Added integrityHash function to create asset SRI
* Output SRI integrity hash on CSS assets
* Output SRI integrity hash for JS assets
* Updated integrityHash visibility (protected => public)
* Add SRI integrity hash to CSS and JS pipelines
* Made integrityHash static
---
 system/blueprints/config/system.yaml | 11 +++++++++
 system/config/system.yaml | 1 +
 system/src/Grav/Common/Assets/BaseAsset.php | 26 +++++++++++++++++++++
 system/src/Grav/Common/Assets/Css.php | 2 +-
 system/src/Grav/Common/Assets/Js.php | 2 +-
 system/src/Grav/Common/Assets/Pipeline.php | 5 ++--
 6 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/system/blueprints/config/system.yaml b/system/blueprints/config/system.yaml
index 538fd08f5..8d5ca4e91 100644
--- a/system/blueprints/config/system.yaml
+++ b/system/blueprints/config/system.yaml
@@ -1005,6 +1005,17 @@ form:
 0: PLUGIN_ADMIN.NO
 validate:
 type: bool
+
+ assets.enable_asset_sri:
+ type: toggle
+ label: PLUGIN_ADMIN.ENABLED_SRI_ON_ASSETS
+ help: PLUGIN_ADMIN.ENABLED_SRI_ON_ASSETS_HELP
+ highlight: 0
+ options:
+ 1: PLUGIN_ADMIN.YES
+ 0: PLUGIN_ADMIN.NO
+ validate:
+ type: bool
 assets.collections:
 type: multilevel
diff --git a/system/config/system.yaml b/system/config/system.yaml
index 5c29a7869..764c04886 100644
--- a/system/config/system.yaml
+++ b/system/config/system.yaml
@@ -127,6 +127,7 @@ assets: # Configuration for Assets Mana
 js_pipeline_before_excludes: true # Render the pipeline before any excluded files
 js_minify: true # Minify the JS during pipelining
 enable_asset_timestamp: false # Enable asset timestamps
+ enable_asset_sri: false # Enable asset SRI
 collections:
 jquery: system://assets/jquery/jquery-2.x.min.js 
diff --git a/system/src/Grav/Common/Assets/BaseAsset.php b/system/src/Grav/Common/Assets/BaseAsset.php
index 579b1f943..423c84236 100644
--- a/system/src/Grav/Common/Assets/BaseAsset.php
+++ b/system/src/Grav/Common/Assets/BaseAsset.php
@@ -10,6 +10,7 @@ namespace Grav\Common\Assets;
 use Grav\Common\Assets\Traits\AssetUtilsTrait;
+use Grav\Common\Config\Config;
 use Grav\Common\Grav;
 use Grav\Common\Uri;
 use Grav\Common\Utils;
@@ -171,6 +172,31 @@ abstract class BaseAsset extends PropertyObject
 return $this;
 }
+
+ /**
+ * Receive asset location and return the SRI integrity hash
+ *
+ * @param $input
+ *
+ * @return string
+ */
+ public static function integrityHash( $input )
+ {
+ $grav = Grav::instance();
+
+ $assetsConfig = $grav['config']->get('system.assets');
+
+ if ( !empty($assetsConfig['enable_asset_sri']) && $assetsConfig['enable_asset_sri'] )
+ {
+ $dataToHash = file_get_contents( GRAV_ROOT . $input);
+
+ $hash = hash('sha256', $dataToHash, true);
+ $hash_base64 = base64_encode($hash);
+ return ' integrity="sha256-' . $hash_base64 . '"';
+ }
+
+ return '';
+ }
 /**
diff --git a/system/src/Grav/Common/Assets/Css.php b/system/src/Grav/Common/Assets/Css.php
index b1f0a488b..4c6a9c9b0 100644
--- a/system/src/Grav/Common/Assets/Css.php
+++ b/system/src/Grav/Common/Assets/Css.php
@@ -47,6 +47,6 @@ class Css extends BaseAsset
 return "\n";
 }
- return 'renderAttributes() . ">\n";
+ return 'renderAttributes() . $this->integrityHash($this->asset) . ">\n";
 }
 }
diff --git a/system/src/Grav/Common/Assets/Js.php b/system/src/Grav/Common/Assets/Js.php
index 9946bd8b4..fc2a472fd 100644
--- a/system/src/Grav/Common/Assets/Js.php
+++ b/system/src/Grav/Common/Assets/Js.php
@@ -43,6 +43,6 @@ class Js extends BaseAsset
 return 'renderAttributes() . ">\n" . trim($buffer) . "\n\n";
 }
- return '\n";
+ return '\n";
 }
 }
diff --git a/system/src/Grav/Common/Assets/Pipeline.php b/system/src/Grav/Common/Assets/Pipeline.php
index 9b44fd840..7aef0e145 100644 
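Review bot: In `integrityHash` the result of `file_get_contents(GRAV_ROOT . $input)` is never checked; when the path is missing, unreadable, or not a plain local file it returns false with a warning, and the method still emits `integrity="sha256-…"` for the hash of an empty string, so the browser will refuse to load the asset instead of falling back to an un-pinned load. Replace the read-then-hash with `$path = GRAV_ROOT . $input;` / `$hash = is_file($path) ? hash_file('sha256', $path, true) : false;` / `if ($hash === false) { return ''; }` and build the attribute from `base64_encode($hash)`. The guard `!empty($assetsConfig['enable_asset_sri']) && $assetsConfig['enable_asset_sri']` repeats itself, since `!empty(...)` already establishes truthiness. The signature should be typed (`string $input` and `: string`) with `@param string $input` in the docblock, and the `use Grav\Common\Config\Config;` added in the first hunk is not referenced by the new code.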
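Review bot: `$this->integrityHash($this->asset)` in the Css.php hunk invokes the now-static helper through `$this`; PHP allows it, but `self::integrityHash($this->asset)` makes the static call explicit and matches the `BaseAsset::integrityHash(...)` form used in Pipeline.php. The same applies to the Js.php hunk below. The hunk does not show what `$this->asset` can hold; if it may be a remote URL or carry a query string, the `GRAV_ROOT . $input` read inside `integrityHash` will not find a file for it, so the call site (or the helper) should only hash root-relative local paths. The render method starts outside the hunk.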
--- a/system/src/Grav/Common/Assets/Pipeline.php
+++ b/system/src/Grav/Common/Assets/Pipeline.php
@@ -9,6 +9,7 @@ namespace Grav\Common\Assets;
+use Grav\Common\Assets\BaseAsset;
 use Grav\Common\Assets\Traits\AssetUtilsTrait;
 use Grav\Common\Config\Config;
 use Grav\Common\Grav;
@@ -148,7 +149,7 @@ class Pipeline extends PropertyObject
 $output = "\n";
 } else {
 $this->asset = $relative_path;
- $output = 'renderAttributes() . ">\n";
+ $output = 'renderAttributes() . BaseAsset::integrityHash($this->asset) . ">\n";
 }
 return $output;
@@ -211,7 +212,7 @@ class Pipeline extends PropertyObject
 $output = 'renderAttributes(). ">\n" . $buffer . "\n\n";
 } else {
 $this->asset = $relative_path;
- $output = '\n";
+ $output = '\n";
 }
 return $output;
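Review bot: The added `use Grav\Common\Assets\BaseAsset;` is redundant — the surrounding context shows Pipeline.php is itself in `namespace Grav\Common\Assets;`, so `BaseAsset` already resolves there without an import; drop the `use` line and keep the `BaseAsset::integrityHash($this->asset)` calls as they are. Both render hunks hash whatever sits at `GRAV_ROOT . $relative_path` at render time, which presumably is the pipelined file written earlier in the same method (not visible here); a short comment such as `// SRI hash is read from the pipelined file, so it must already exist on disk here` would make that ordering dependency explicit. The enclosing methods start and end outside the hunks.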