diff options
Diffstat (limited to 'sandbox/testAppNevena/Front/node_modules/ssri')
5 files changed, 1421 insertions, 0 deletions
diff --git a/sandbox/testAppNevena/Front/node_modules/ssri/CHANGELOG.md b/sandbox/testAppNevena/Front/node_modules/ssri/CHANGELOG.md new file mode 100644 index 00000000..3fea458e --- /dev/null +++ b/sandbox/testAppNevena/Front/node_modules/ssri/CHANGELOG.md @@ -0,0 +1,355 @@ +# Changelog + +All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. + +### [8.0.1](https://github.com/npm/ssri/compare/v8.0.0...v8.0.1) (2021-01-27) + + +### Bug Fixes + +* simplify regex for strict mode, add tests ([76e2233](https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2)) + +## [8.0.0](https://github.com/npm/ssri/compare/v7.1.0...v8.0.0) (2020-02-18) + + +### ⚠ BREAKING CHANGES + +* SRI values with `../` in the algorithm name now throw +as invalid (which they always probably should have!) +* adds a new error that will be thrown. Empty SRIs are +no longer considered valid for checking, only when using integrityStream +to calculate the SRI value. + +PR-URL: https://github.com/npm/ssri/pull/12 +Credit: @claudiahdz + +### Features + +* remove figgy-pudding ([0e78fd7](https://github.com/npm/ssri/commit/0e78fd7b754e2d098875eb4c57238709d96d7c27)) + + +### Bug Fixes + +* harden SRI parsing against ../ funny business ([4062735](https://github.com/npm/ssri/commit/4062735d1281941fd32ac4320b9f9965fcec278b)) +* IntegrityStream responds to mutating opts object mid-stream ([4a963e5](https://github.com/npm/ssri/commit/4a963e5982478c6b07f86848cdb72d142c765195)) +* throw null when sri is empty or bad ([a6811cb](https://github.com/npm/ssri/commit/a6811cba71e20ea1fdefa6e50c9ea3c67efc2500)), closes [#12](https://github.com/npm/ssri/issues/12) + +## [7.1.0](https://github.com/npm/ssri/compare/v7.0.1...v7.1.0) (2019-10-24) + + +### Bug Fixes + +* Do not blow up if the opts object is mutated ([806e8c8](https://github.com/npm/ssri/commit/806e8c8)) + + +### Features + +* Add Integrity#merge method ([0572c1d](https://github.com/npm/ssri/commit/0572c1d)), closes [#4](https://github.com/npm/ssri/issues/4) + +### [7.0.1](https://github.com/npm/ssri/compare/v7.0.0...v7.0.1) (2019-09-30) + +## [7.0.0](https://github.com/npm/ssri/compare/v6.0.1...v7.0.0) (2019-09-18) + + +### ⚠ BREAKING CHANGES + +* ssri no longer accepts a Promise option, and does not +use, return, or rely on Bluebird promises. +* drop support for Node.js v6. + +We knew this was coming, and the Stream changes are breaking anyway. +May as well do this now. +* **streams:** this replaces the Node.js stream with a Minipass +stream. See http://npm.im/minipass for documentation. + +### Bug Fixes + +* return super.write() return value ([55b055d](https://github.com/npm/ssri/commit/55b055d)) + + +* Use native promises only ([6d13165](https://github.com/npm/ssri/commit/6d13165)) +* update tap, standard, standard-version, travis ([2e54956](https://github.com/npm/ssri/commit/2e54956)) +* **streams:** replace transform streams with minipass ([363995e](https://github.com/npm/ssri/commit/363995e)) + +<a name="6.0.1"></a> +## [6.0.1](https://github.com/npm/ssri/compare/v6.0.0...v6.0.1) (2018-08-27) + + +### Bug Fixes + +* **opts:** use figgy-pudding to specify consumed opts ([cf86553](https://github.com/npm/ssri/commit/cf86553)) + + + +<a name="6.0.0"></a> +# [6.0.0](https://github.com/npm/ssri/compare/v5.3.0...v6.0.0) (2018-04-09) + + +### Bug Fixes + +* **docs:** minor typo ([b71ef17](https://github.com/npm/ssri/commit/b71ef17)) + + +### meta + +* drop support for node@4 ([d9bf359](https://github.com/npm/ssri/commit/d9bf359)) + + +### BREAKING CHANGES + +* node@4 is no longer supported + + + +<a name="5.3.0"></a> +# [5.3.0](https://github.com/npm/ssri/compare/v5.2.4...v5.3.0) (2018-03-13) + + +### Features + +* **checkData:** optionally throw when checkData fails ([bf26b84](https://github.com/npm/ssri/commit/bf26b84)) + + + +<a name="5.2.4"></a> +## [5.2.4](https://github.com/npm/ssri/compare/v5.2.3...v5.2.4) (2018-02-16) + + + +<a name="5.2.3"></a> +## [5.2.3](https://github.com/npm/ssri/compare/v5.2.2...v5.2.3) (2018-02-16) + + +### Bug Fixes + +* **hashes:** filter hash priority list by available hashes ([2fa30b8](https://github.com/npm/ssri/commit/2fa30b8)) +* **integrityStream:** dedupe algorithms to generate ([d56c654](https://github.com/npm/ssri/commit/d56c654)) + + + +<a name="5.2.2"></a> +## [5.2.2](https://github.com/npm/ssri/compare/v5.2.1...v5.2.2) (2018-02-14) + + +### Bug Fixes + +* **security:** tweak strict SRI regex ([#10](https://github.com/npm/ssri/issues/10)) ([d0ebcdc](https://github.com/npm/ssri/commit/d0ebcdc)) + + + +<a name="5.2.1"></a> +## [5.2.1](https://github.com/npm/ssri/compare/v5.2.0...v5.2.1) (2018-02-06) + + + +<a name="5.2.0"></a> +# [5.2.0](https://github.com/npm/ssri/compare/v5.1.0...v5.2.0) (2018-02-06) + + +### Features + +* **match:** add integrity.match() ([3c49cc4](https://github.com/npm/ssri/commit/3c49cc4)) + + + +<a name="5.1.0"></a> +# [5.1.0](https://github.com/npm/ssri/compare/v5.0.0...v5.1.0) (2018-01-18) + + +### Bug Fixes + +* **checkStream:** integrityStream now takes opts.integrity algos into account ([d262910](https://github.com/npm/ssri/commit/d262910)) + + +### Features + +* **sha3:** do some guesswork about upcoming sha3 ([7fdd9df](https://github.com/npm/ssri/commit/7fdd9df)) + + + +<a name="5.0.0"></a> +# [5.0.0](https://github.com/npm/ssri/compare/v4.1.6...v5.0.0) (2017-10-23) + + +### Features + +* **license:** relicense to ISC (#9) ([c82983a](https://github.com/npm/ssri/commit/c82983a)) + + +### BREAKING CHANGES + +* **license:** the license has been changed from CC0-1.0 to ISC. + + + +<a name="4.1.6"></a> +## [4.1.6](https://github.com/npm/ssri/compare/v4.1.5...v4.1.6) (2017-06-07) + + +### Bug Fixes + +* **checkStream:** make sure to pass all opts through ([0b1bcbe](https://github.com/npm/ssri/commit/0b1bcbe)) + + + +<a name="4.1.5"></a> +## [4.1.5](https://github.com/npm/ssri/compare/v4.1.4...v4.1.5) (2017-06-05) + + +### Bug Fixes + +* **integrityStream:** stop crashing if opts.algorithms and opts.integrity have an algo mismatch ([fb1293e](https://github.com/npm/ssri/commit/fb1293e)) + + + +<a name="4.1.4"></a> +## [4.1.4](https://github.com/npm/ssri/compare/v4.1.3...v4.1.4) (2017-05-31) + + +### Bug Fixes + +* **node:** older versions of node[@4](https://github.com/4) do not support base64buffer string parsing ([513df4e](https://github.com/npm/ssri/commit/513df4e)) + + + +<a name="4.1.3"></a> +## [4.1.3](https://github.com/npm/ssri/compare/v4.1.2...v4.1.3) (2017-05-24) + + +### Bug Fixes + +* **check:** handle various bad hash corner cases better ([c2c262b](https://github.com/npm/ssri/commit/c2c262b)) + + + +<a name="4.1.2"></a> +## [4.1.2](https://github.com/npm/ssri/compare/v4.1.1...v4.1.2) (2017-04-18) + + +### Bug Fixes + +* **stream:** _flush can be called multiple times. use on("end") ([b1c4805](https://github.com/npm/ssri/commit/b1c4805)) + + + +<a name="4.1.1"></a> +## [4.1.1](https://github.com/npm/ssri/compare/v4.1.0...v4.1.1) (2017-04-12) + + +### Bug Fixes + +* **pickAlgorithm:** error if pickAlgorithm() is used in an empty Integrity ([fab470e](https://github.com/npm/ssri/commit/fab470e)) + + + +<a name="4.1.0"></a> +# [4.1.0](https://github.com/npm/ssri/compare/v4.0.0...v4.1.0) (2017-04-07) + + +### Features + +* adding ssri.create for a crypto style interface (#2) ([96f52ad](https://github.com/npm/ssri/commit/96f52ad)) + + + +<a name="4.0.0"></a> +# [4.0.0](https://github.com/npm/ssri/compare/v3.0.2...v4.0.0) (2017-04-03) + + +### Bug Fixes + +* **integrity:** should have changed the error code before. oops ([8381afa](https://github.com/npm/ssri/commit/8381afa)) + + +### BREAKING CHANGES + +* **integrity:** EBADCHECKSUM -> EINTEGRITY for verification errors + + + +<a name="3.0.2"></a> +## [3.0.2](https://github.com/npm/ssri/compare/v3.0.1...v3.0.2) (2017-04-03) + + + +<a name="3.0.1"></a> +## [3.0.1](https://github.com/npm/ssri/compare/v3.0.0...v3.0.1) (2017-04-03) + + +### Bug Fixes + +* **package.json:** really should have these in the keywords because search ([a6ac6d0](https://github.com/npm/ssri/commit/a6ac6d0)) + + + +<a name="3.0.0"></a> +# [3.0.0](https://github.com/npm/ssri/compare/v2.0.0...v3.0.0) (2017-04-03) + + +### Bug Fixes + +* **hashes:** IntegrityMetadata -> Hash ([d04aa1f](https://github.com/npm/ssri/commit/d04aa1f)) + + +### Features + +* **check:** return IntegrityMetadata on check success ([2301e74](https://github.com/npm/ssri/commit/2301e74)) +* **fromHex:** ssri.fromHex to make it easier to generate them from hex valus ([049b89e](https://github.com/npm/ssri/commit/049b89e)) +* **hex:** utility function for getting hex version of digest ([a9f021c](https://github.com/npm/ssri/commit/a9f021c)) +* **hexDigest:** added hexDigest method to Integrity objects too ([85208ba](https://github.com/npm/ssri/commit/85208ba)) +* **integrity:** add .isIntegrity and .isIntegrityMetadata ([1b29e6f](https://github.com/npm/ssri/commit/1b29e6f)) +* **integrityStream:** new stream that can both generate and check streamed data ([fd23e1b](https://github.com/npm/ssri/commit/fd23e1b)) +* **parse:** allow parsing straight into a single IntegrityMetadata object ([c8ddf48](https://github.com/npm/ssri/commit/c8ddf48)) +* **pickAlgorithm:** Intergrity#pickAlgorithm() added ([b97a796](https://github.com/npm/ssri/commit/b97a796)) +* **size:** calculate and update stream sizes ([02ed1ad](https://github.com/npm/ssri/commit/02ed1ad)) + + +### BREAKING CHANGES + +* **hashes:** `.isIntegrityMetadata` is now `.isHash`. Also, any references to `IntegrityMetadata` now refer to `Hash`. +* **integrityStream:** createCheckerStream has been removed and replaced with a general-purpose integrityStream. + +To convert existing createCheckerStream code, move the `sri` argument into `opts.integrity` in integrityStream. All other options should be the same. +* **check:** `checkData`, `checkStream`, and `createCheckerStream` now yield a whole IntegrityMetadata instance representing the first successful hash match. + + + +<a name="2.0.0"></a> +# [2.0.0](https://github.com/npm/ssri/compare/v1.0.0...v2.0.0) (2017-03-24) + + +### Bug Fixes + +* **strict-mode:** make regexes more rigid ([122a32c](https://github.com/npm/ssri/commit/122a32c)) + + +### Features + +* **api:** added serialize alias for unparse ([999b421](https://github.com/npm/ssri/commit/999b421)) +* **concat:** add Integrity#concat() ([cae12c7](https://github.com/npm/ssri/commit/cae12c7)) +* **pickAlgo:** pick the strongest algorithm provided, by default ([58c18f7](https://github.com/npm/ssri/commit/58c18f7)) +* **strict-mode:** strict SRI support ([3f0b64c](https://github.com/npm/ssri/commit/3f0b64c)) +* **stringify:** replaced unparse/serialize with stringify ([4acad30](https://github.com/npm/ssri/commit/4acad30)) +* **verification:** add opts.pickAlgorithm ([f72e658](https://github.com/npm/ssri/commit/f72e658)) + + +### BREAKING CHANGES + +* **pickAlgo:** ssri will prioritize specific hashes now +* **stringify:** serialize and unparse have been removed. Use ssri.stringify instead. +* **strict-mode:** functions that accepted an optional `sep` argument now expect `opts.sep`. + + + +<a name="1.0.0"></a> +# 1.0.0 (2017-03-23) + + +### Features + +* **api:** implemented initial api ([4fbb16b](https://github.com/npm/ssri/commit/4fbb16b)) + + +### BREAKING CHANGES + +* **api:** Initial API established. diff --git a/sandbox/testAppNevena/Front/node_modules/ssri/LICENSE.md b/sandbox/testAppNevena/Front/node_modules/ssri/LICENSE.md new file mode 100644 index 00000000..8d28acf8 --- /dev/null +++ b/sandbox/testAppNevena/Front/node_modules/ssri/LICENSE.md @@ -0,0 +1,16 @@ +ISC License + +Copyright (c) npm, Inc. + +Permission to use, copy, modify, and/or distribute this software for +any purpose with or without fee is hereby granted, provided that the +above copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE COPYRIGHT HOLDER DISCLAIMS +ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE +COPYRIGHT HOLDER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR +CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS +OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE +USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/sandbox/testAppNevena/Front/node_modules/ssri/README.md b/sandbox/testAppNevena/Front/node_modules/ssri/README.md new file mode 100644 index 00000000..0cd41be8 --- /dev/null +++ b/sandbox/testAppNevena/Front/node_modules/ssri/README.md @@ -0,0 +1,528 @@ +# ssri [](https://npm.im/ssri) [](https://npm.im/ssri) [](https://travis-ci.org/npm/ssri) [](https://ci.appveyor.com/project/npm/ssri) [](https://coveralls.io/github/npm/ssri?branch=latest) + +[`ssri`](https://github.com/npm/ssri), short for Standard Subresource +Integrity, is a Node.js utility for parsing, manipulating, serializing, +generating, and verifying [Subresource +Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) hashes. + +## Install + +`$ npm install --save ssri` + +## Table of Contents + +* [Example](#example) +* [Features](#features) +* [Contributing](#contributing) +* [API](#api) + * Parsing & Serializing + * [`parse`](#parse) + * [`stringify`](#stringify) + * [`Integrity#concat`](#integrity-concat) + * [`Integrity#merge`](#integrity-merge) + * [`Integrity#toString`](#integrity-to-string) + * [`Integrity#toJSON`](#integrity-to-json) + * [`Integrity#match`](#integrity-match) + * [`Integrity#pickAlgorithm`](#integrity-pick-algorithm) + * [`Integrity#hexDigest`](#integrity-hex-digest) + * Integrity Generation + * [`fromHex`](#from-hex) + * [`fromData`](#from-data) + * [`fromStream`](#from-stream) + * [`create`](#create) + * Integrity Verification + * [`checkData`](#check-data) + * [`checkStream`](#check-stream) + * [`integrityStream`](#integrity-stream) + +### Example + +```javascript +const ssri = require('ssri') + +const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo' + +// Parsing and serializing +const parsed = ssri.parse(integrity) +ssri.stringify(parsed) // === integrity (works on non-Integrity objects) +parsed.toString() // === integrity + +// Async stream functions +ssri.checkStream(fs.createReadStream('./my-file'), integrity).then(...) +ssri.fromStream(fs.createReadStream('./my-file')).then(sri => { + sri.toString() === integrity +}) +fs.createReadStream('./my-file').pipe(ssri.createCheckerStream(sri)) + +// Sync data functions +ssri.fromData(fs.readFileSync('./my-file')) // === parsed +ssri.checkData(fs.readFileSync('./my-file'), integrity) // => 'sha512' +``` + +### Features + +* Parses and stringifies SRI strings. +* Generates SRI strings from raw data or Streams. +* Strict standard compliance. +* `?foo` metadata option support. +* Multiple entries for the same algorithm. +* Object-based integrity hash manipulation. +* Small footprint: no dependencies, concise implementation. +* Full test coverage. +* Customizable algorithm picker. + +### Contributing + +The ssri team enthusiastically welcomes contributions and project participation! +There's a bunch of things you can do if you want to contribute! The [Contributor +Guide](CONTRIBUTING.md) has all the information you need for everything from +reporting bugs to contributing entire new features. Please don't hesitate to +jump in if you'd like to, or even ask us questions if something isn't clear. + +### API + +#### <a name="parse"></a> `> ssri.parse(sri, [opts]) -> Integrity` + +Parses `sri` into an `Integrity` data structure. `sri` can be an integrity +string, an `Hash`-like with `digest` and `algorithm` fields and an optional +`options` field, or an `Integrity`-like object. The resulting object will be an +`Integrity` instance that has this shape: + +```javascript +{ + 'sha1': [{algorithm: 'sha1', digest: 'deadbeef', options: []}], + 'sha512': [ + {algorithm: 'sha512', digest: 'c0ffee', options: []}, + {algorithm: 'sha512', digest: 'bad1dea', options: ['foo']} + ], +} +``` + +If `opts.single` is truthy, a single `Hash` object will be returned. That is, a +single object that looks like `{algorithm, digest, options}`, as opposed to a +larger object with multiple of these. + +If `opts.strict` is truthy, the resulting object will be filtered such that +it strictly follows the Subresource Integrity spec, throwing away any entries +with any invalid components. This also means a restricted set of algorithms +will be used -- the spec limits them to `sha256`, `sha384`, and `sha512`. + +Strict mode is recommended if the integrity strings are intended for use in +browsers, or in other situations where strict adherence to the spec is needed. + +##### Example + +```javascript +ssri.parse('sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo') // -> Integrity object +``` + +#### <a name="stringify"></a> `> ssri.stringify(sri, [opts]) -> String` + +This function is identical to [`Integrity#toString()`](#integrity-to-string), +except it can be used on _any_ object that [`parse`](#parse) can handle -- that +is, a string, an `Hash`-like, or an `Integrity`-like. + +The `opts.sep` option defines the string to use when joining multiple entries +together. To be spec-compliant, this _must_ be whitespace. The default is a +single space (`' '`). + +If `opts.strict` is true, the integrity string will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +##### Example + +```javascript +// Useful for cleaning up input SRI strings: +ssri.stringify('\n\rsha512-foo\n\t\tsha384-bar') +// -> 'sha512-foo sha384-bar' + +// Hash-like: only a single entry. +ssri.stringify({ + algorithm: 'sha512', + digest:'9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==', + options: ['foo'] +}) +// -> +// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo' + +// Integrity-like: full multi-entry syntax. Similar to output of `ssri.parse` +ssri.stringify({ + 'sha512': [ + { + algorithm: 'sha512', + digest:'9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==', + options: ['foo'] + } + ] +}) +// -> +// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo' +``` + +#### <a name="integrity-concat"></a> `> Integrity#concat(otherIntegrity, [opts]) -> Integrity` + +Concatenates an `Integrity` object with another IntegrityLike, or an integrity +string. + +This is functionally equivalent to concatenating the string format of both +integrity arguments, and calling [`ssri.parse`](#ssri-parse) on the new string. + +If `opts.strict` is true, the new `Integrity` will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +##### Example + +```javascript +// This will combine the integrity checks for two different versions of +// your index.js file so you can use a single integrity string and serve +// either of these to clients, from a single `<script>` tag. +const desktopIntegrity = ssri.fromData(fs.readFileSync('./index.desktop.js')) +const mobileIntegrity = ssri.fromData(fs.readFileSync('./index.mobile.js')) + +// Note that browsers (and ssri) will succeed as long as ONE of the entries +// for the *prioritized* algorithm succeeds. That is, in order for this fallback +// to work, both desktop and mobile *must* use the same `algorithm` values. +desktopIntegrity.concat(mobileIntegrity) +``` + +#### <a name="integrity-merge"></a> `> Integrity#merge(otherIntegrity, [opts])` + +Safely merges another IntegrityLike or integrity string into an `Integrity` +object. + +If the other integrity value has any algorithms in common with the current +object, then the hash digests must match, or an error is thrown. + +Any new hashes will be added to the current object's set. + +This is useful when an integrity value may be upgraded with a stronger +algorithm, you wish to prevent accidentally supressing integrity errors by +overwriting the expected integrity value. + +##### Example + +```javascript +const data = fs.readFileSync('data.txt') + +// integrity.txt contains 'sha1-X1UT+IIv2+UUWvM7ZNjZcNz5XG4=' +// because we were young, and didn't realize sha1 would not last +const expectedIntegrity = ssri.parse(fs.readFileSync('integrity.txt', 'utf8')) +const match = ssri.checkData(data, expectedIntegrity, { + algorithms: ['sha512', 'sha1'] +}) +if (!match) { + throw new Error('data corrupted or something!') +} + +// get a stronger algo! +if (match && match.algorithm !== 'sha512') { + const updatedIntegrity = ssri.fromData(data, { algorithms: ['sha512'] }) + expectedIntegrity.merge(updatedIntegrity) + fs.writeFileSync('integrity.txt', expectedIntegrity.toString()) + // file now contains + // 'sha1-X1UT+IIv2+UUWvM7ZNjZcNz5XG4= sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1+9vBnypkYWg==' +} +``` + +#### <a name="integrity-to-string"></a> `> Integrity#toString([opts]) -> String` + +Returns the string representation of an `Integrity` object. All hash entries +will be concatenated in the string by `opts.sep`, which defaults to `' '`. + +If you want to serialize an object that didn't come from an `ssri` function, +use [`ssri.stringify()`](#stringify). + +If `opts.strict` is true, the integrity string will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +##### Example + +```javascript +const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo' + +ssri.parse(integrity).toString() === integrity +``` + +#### <a name="integrity-to-json"></a> `> Integrity#toJSON() -> String` + +Returns the string representation of an `Integrity` object. All hash entries +will be concatenated in the string by `' '`. + +This is a convenience method so you can pass an `Integrity` object directly to `JSON.stringify`. +For more info check out [toJSON() behavior on mdn](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify#toJSON%28%29_behavior). + +##### Example + +```javascript +const integrity = '"sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo"' + +JSON.stringify(ssri.parse(integrity)) === integrity +``` + +#### <a name="integrity-match"></a> `> Integrity#match(sri, [opts]) -> Hash | false` + +Returns the matching (truthy) hash if `Integrity` matches the argument passed as +`sri`, which can be anything that [`parse`](#parse) will accept. `opts` will be +passed through to `parse` and [`pickAlgorithm()`](#integrity-pick-algorithm). + +##### Example + +```javascript +const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==' + +ssri.parse(integrity).match(integrity) +// Hash { +// digest: '9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==' +// algorithm: 'sha512' +// } + +ssri.parse(integrity).match('sha1-deadbeef') +// false +``` + +#### <a name="integrity-pick-algorithm"></a> `> Integrity#pickAlgorithm([opts]) -> String` + +Returns the "best" algorithm from those available in the integrity object. + +If `opts.pickAlgorithm` is provided, it will be passed two algorithms as +arguments. ssri will prioritize whichever of the two algorithms is returned by +this function. Note that the function may be called multiple times, and it +**must** return one of the two algorithms provided. By default, ssri will make +a best-effort to pick the strongest/most reliable of the given algorithms. It +may intentionally deprioritize algorithms with known vulnerabilities. + +##### Example + +```javascript +ssri.parse('sha1-WEakDigEST sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1').pickAlgorithm() // sha512 +``` + +#### <a name="integrity-hex-digest"></a> `> Integrity#hexDigest() -> String` + +`Integrity` is assumed to be either a single-hash `Integrity` instance, or a +`Hash` instance. Returns its `digest`, converted to a hex representation of the +base64 data. + +##### Example + +```javascript +ssri.parse('sha1-deadbeef').hexDigest() // '75e69d6de79f' +``` + +#### <a name="from-hex"></a> `> ssri.fromHex(hexDigest, algorithm, [opts]) -> Integrity` + +Creates an `Integrity` object with a single entry, based on a hex-formatted +hash. This is a utility function to help convert existing shasums to the +Integrity format, and is roughly equivalent to something like: + +```javascript +algorithm + '-' + Buffer.from(hexDigest, 'hex').toString('base64') +``` + +`opts.options` may optionally be passed in: it must be an array of option +strings that will be added to all generated integrity hashes generated by +`fromData`. This is a loosely-specified feature of SRIs, and currently has no +specified semantics besides being `?`-separated. Use at your own risk, and +probably avoid if your integrity strings are meant to be used with browsers. + +If `opts.strict` is true, the integrity object will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +If `opts.single` is true, a single `Hash` object will be returned. + +##### Example + +```javascript +ssri.fromHex('75e69d6de79f', 'sha1').toString() // 'sha1-deadbeef' +``` + +#### <a name="from-data"></a> `> ssri.fromData(data, [opts]) -> Integrity` + +Creates an `Integrity` object from either string or `Buffer` data, calculating +all the requested hashes and adding any specified options to the object. + +`opts.algorithms` determines which algorithms to generate hashes for. All +results will be included in a single `Integrity` object. The default value for +`opts.algorithms` is `['sha512']`. All algorithm strings must be hashes listed +in `crypto.getHashes()` for the host Node.js platform. + +`opts.options` may optionally be passed in: it must be an array of option +strings that will be added to all generated integrity hashes generated by +`fromData`. This is a loosely-specified feature of SRIs, and currently has no +specified semantics besides being `?`-separated. Use at your own risk, and +probably avoid if your integrity strings are meant to be used with browsers. + +If `opts.strict` is true, the integrity object will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +##### Example + +```javascript +const integrityObj = ssri.fromData('foobarbaz', { + algorithms: ['sha256', 'sha384', 'sha512'] +}) +integrity.toString('\n') +// -> +// sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0= +// sha384-irnCxQ0CfQhYGlVAUdwTPC9bF3+YWLxlaDGM4xbYminxpbXEq+D+2GCEBTxcjES9 +// sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1+9vBnypkYWg== +``` + +#### <a name="from-stream"></a> `> ssri.fromStream(stream, [opts]) -> Promise<Integrity>` + +Returns a Promise of an Integrity object calculated by reading data from +a given `stream`. + +It accepts both `opts.algorithms` and `opts.options`, which are documented as +part of [`ssri.fromData`](#from-data). + +Additionally, `opts.Promise` may be passed in to inject a Promise library of +choice. By default, ssri will use Node's built-in Promises. + +If `opts.strict` is true, the integrity object will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +##### Example + +```javascript +ssri.fromStream(fs.createReadStream('index.js'), { + algorithms: ['sha1', 'sha512'] +}).then(integrity => { + return ssri.checkStream(fs.createReadStream('index.js'), integrity) +}) // succeeds +``` + +#### <a name="create"></a> `> ssri.create([opts]) -> <Hash>` + +Returns a Hash object with `update(<Buffer or string>[,enc])` and `digest()` methods. + + +The Hash object provides the same methods as [crypto class Hash](https://nodejs.org/dist/latest-v6.x/docs/api/crypto.html#crypto_class_hash). +`digest()` accepts no arguments and returns an Integrity object calculated by reading data from +calls to update. + +It accepts both `opts.algorithms` and `opts.options`, which are documented as +part of [`ssri.fromData`](#from-data). + +If `opts.strict` is true, the integrity object will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +##### Example + +```javascript +const integrity = ssri.create().update('foobarbaz').digest() +integrity.toString() +// -> +// sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1+9vBnypkYWg== +``` + +#### <a name="check-data"></a> `> ssri.checkData(data, sri, [opts]) -> Hash|false` + +Verifies `data` integrity against an `sri` argument. `data` may be either a +`String` or a `Buffer`, and `sri` can be any subresource integrity +representation that [`ssri.parse`](#parse) can handle. + +If verification succeeds, `checkData` will return the name of the algorithm that +was used for verification (a truthy value). Otherwise, it will return `false`. + +If `opts.pickAlgorithm` is provided, it will be used by +[`Integrity#pickAlgorithm`](#integrity-pick-algorithm) when deciding which of +the available digests to match against. + +If `opts.error` is true, and verification fails, `checkData` will throw either +an `EBADSIZE` or an `EINTEGRITY` error, instead of just returning false. + +##### Example + +```javascript +const data = fs.readFileSync('index.js') +ssri.checkData(data, ssri.fromData(data)) // -> 'sha512' +ssri.checkData(data, 'sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0') +ssri.checkData(data, 'sha1-BaDDigEST') // -> false +ssri.checkData(data, 'sha1-BaDDigEST', {error: true}) // -> Error! EINTEGRITY +``` + +#### <a name="check-stream"></a> `> ssri.checkStream(stream, sri, [opts]) -> Promise<Hash>` + +Verifies the contents of `stream` against an `sri` argument. `stream` will be +consumed in its entirety by this process. `sri` can be any subresource integrity +representation that [`ssri.parse`](#parse) can handle. + +`checkStream` will return a Promise that either resolves to the +`Hash` that succeeded verification, or, if the verification fails +or an error happens with `stream`, the Promise will be rejected. + +If the Promise is rejected because verification failed, the returned error will +have `err.code` as `EINTEGRITY`. + +If `opts.size` is given, it will be matched against the stream size. An error +with `err.code` `EBADSIZE` will be returned by a rejection if the expected size +and actual size fail to match. + +If `opts.pickAlgorithm` is provided, it will be used by +[`Integrity#pickAlgorithm`](#integrity-pick-algorithm) when deciding which of +the available digests to match against. + +##### Example + +```javascript +const integrity = ssri.fromData(fs.readFileSync('index.js')) + +ssri.checkStream( + fs.createReadStream('index.js'), + integrity +) +// -> +// Promise<{ +// algorithm: 'sha512', +// digest: 'sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1' +// }> + +ssri.checkStream( + fs.createReadStream('index.js'), + 'sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0' +) // -> Promise<Hash> + +ssri.checkStream( + fs.createReadStream('index.js'), + 'sha1-BaDDigEST' +) // -> Promise<Error<{code: 'EINTEGRITY'}>> +``` + +#### <a name="integrity-stream"></a> `> integrityStream([opts]) -> IntegrityStream` + +Returns a `Transform` stream that data can be piped through in order to generate +and optionally check data integrity for piped data. When the stream completes +successfully, it emits `size` and `integrity` events, containing the total +number of bytes processed and a calculated `Integrity` instance based on stream +data, respectively. + +If `opts.algorithms` is passed in, the listed algorithms will be calculated when +generating the final `Integrity` instance. The default is `['sha512']`. + +If `opts.single` is passed in, a single `Hash` instance will be returned. + +If `opts.integrity` is passed in, it should be an `integrity` value understood +by [`parse`](#parse) that the stream will check the data against. If +verification succeeds, the integrity stream will emit a `verified` event whose +value is a single `Hash` object that is the one that succeeded verification. If +verification fails, the stream will error with an `EINTEGRITY` error code. + +If `opts.size` is given, it will be matched against the stream size. An error +with `err.code` `EBADSIZE` will be emitted by the stream if the expected size +and actual size fail to match. + +If `opts.pickAlgorithm` is provided, it will be passed two algorithms as +arguments. ssri will prioritize whichever of the two algorithms is returned by +this function. Note that the function may be called multiple times, and it +**must** return one of the two algorithms provided. By default, ssri will make +a best-effort to pick the strongest/most reliable of the given algorithms. It +may intentionally deprioritize algorithms with known vulnerabilities. + +##### Example + +```javascript +const integrity = ssri.fromData(fs.readFileSync('index.js')) +fs.createReadStream('index.js') +.pipe(ssri.integrityStream({integrity})) +``` diff --git a/sandbox/testAppNevena/Front/node_modules/ssri/index.js b/sandbox/testAppNevena/Front/node_modules/ssri/index.js new file mode 100644 index 00000000..2b309849 --- /dev/null +++ b/sandbox/testAppNevena/Front/node_modules/ssri/index.js @@ -0,0 +1,470 @@ +'use strict' + +const crypto = require('crypto') +const MiniPass = require('minipass') + +const SPEC_ALGORITHMS = ['sha256', 'sha384', 'sha512'] + +// TODO: this should really be a hardcoded list of algorithms we support, +// rather than [a-z0-9]. +const BASE64_REGEX = /^[a-z0-9+/]+(?:=?=?)$/i +const SRI_REGEX = /^([a-z0-9]+)-([^?]+)([?\S*]*)$/ +const STRICT_SRI_REGEX = /^([a-z0-9]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)?$/ +const VCHAR_REGEX = /^[\x21-\x7E]+$/ + +const defaultOpts = { + algorithms: ['sha512'], + error: false, + options: [], + pickAlgorithm: getPrioritizedHash, + sep: ' ', + single: false, + strict: false +} + +const ssriOpts = (opts = {}) => ({ ...defaultOpts, ...opts }) + +const getOptString = options => !options || !options.length + ? '' + : `?${options.join('?')}` + +const _onEnd = Symbol('_onEnd') +const _getOptions = Symbol('_getOptions') +class IntegrityStream extends MiniPass { + constructor (opts) { + super() + this.size = 0 + this.opts = opts + + // may be overridden later, but set now for class consistency + this[_getOptions]() + + // options used for calculating stream. can't be changed. + const { algorithms = defaultOpts.algorithms } = opts + this.algorithms = Array.from( + new Set(algorithms.concat(this.algorithm ? [this.algorithm] : [])) + ) + this.hashes = this.algorithms.map(crypto.createHash) + } + + [_getOptions] () { + const { + integrity, + size, + options + } = { ...defaultOpts, ...this.opts } + + // For verification + this.sri = integrity ? parse(integrity, this.opts) : null + this.expectedSize = size + this.goodSri = this.sri ? !!Object.keys(this.sri).length : false + this.algorithm = this.goodSri ? this.sri.pickAlgorithm(this.opts) : null + this.digests = this.goodSri ? this.sri[this.algorithm] : null + this.optString = getOptString(options) + } + + emit (ev, data) { + if (ev === 'end') this[_onEnd]() + return super.emit(ev, data) + } + + write (data) { + this.size += data.length + this.hashes.forEach(h => h.update(data)) + return super.write(data) + } + + [_onEnd] () { + if (!this.goodSri) { + this[_getOptions]() + } + const newSri = parse(this.hashes.map((h, i) => { + return `${this.algorithms[i]}-${h.digest('base64')}${this.optString}` + }).join(' '), this.opts) + // Integrity verification mode + const match = this.goodSri && newSri.match(this.sri, this.opts) + if (typeof this.expectedSize === 'number' && this.size !== this.expectedSize) { + const err = new Error(`stream size mismatch when checking ${this.sri}.\n Wanted: ${this.expectedSize}\n Found: ${this.size}`) + err.code = 'EBADSIZE' + err.found = this.size + err.expected = this.expectedSize + err.sri = this.sri + this.emit('error', err) + } else if (this.sri && !match) { + const err = new Error(`${this.sri} integrity checksum failed when using ${this.algorithm}: wanted ${this.digests} but got ${newSri}. (${this.size} bytes)`) + err.code = 'EINTEGRITY' + err.found = newSri + err.expected = this.digests + err.algorithm = this.algorithm + err.sri = this.sri + this.emit('error', err) + } else { + this.emit('size', this.size) + this.emit('integrity', newSri) + match && this.emit('verified', match) + } + } +} + +class Hash { + get isHash () { return true } + constructor (hash, opts) { + opts = ssriOpts(opts) + const strict = !!opts.strict + this.source = hash.trim() + + // set default values so that we make V8 happy to + // always see a familiar object template. + this.digest = '' + this.algorithm = '' + this.options = [] + + // 3.1. Integrity metadata (called "Hash" by ssri) + // https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata-description + const match = this.source.match( + strict + ? STRICT_SRI_REGEX + : SRI_REGEX + ) + if (!match) { return } + if (strict && !SPEC_ALGORITHMS.some(a => a === match[1])) { return } + this.algorithm = match[1] + this.digest = match[2] + + const rawOpts = match[3] + if (rawOpts) { + this.options = rawOpts.slice(1).split('?') + } + } + + hexDigest () { + return this.digest && Buffer.from(this.digest, 'base64').toString('hex') + } + + toJSON () { + return this.toString() + } + + toString (opts) { + opts = ssriOpts(opts) + if (opts.strict) { + // Strict mode enforces the standard as close to the foot of the + // letter as it can. + if (!( + // The spec has very restricted productions for algorithms. + // https://www.w3.org/TR/CSP2/#source-list-syntax + SPEC_ALGORITHMS.some(x => x === this.algorithm) && + // Usually, if someone insists on using a "different" base64, we + // leave it as-is, since there's multiple standards, and the + // specified is not a URL-safe variant. + // https://www.w3.org/TR/CSP2/#base64_value + this.digest.match(BASE64_REGEX) && + // Option syntax is strictly visual chars. + // https://w3c.github.io/webappsec-subresource-integrity/#grammardef-option-expression + // https://tools.ietf.org/html/rfc5234#appendix-B.1 + this.options.every(opt => opt.match(VCHAR_REGEX)) + )) { + return '' + } + } + const options = this.options && this.options.length + ? `?${this.options.join('?')}` + : '' + return `${this.algorithm}-${this.digest}${options}` + } +} + +class Integrity { + get isIntegrity () { return true } + toJSON () { + return this.toString() + } + + isEmpty () { + return Object.keys(this).length === 0 + } + + toString (opts) { + opts = ssriOpts(opts) + let sep = opts.sep || ' ' + if (opts.strict) { + // Entries must be separated by whitespace, according to spec. + sep = sep.replace(/\S+/g, ' ') + } + return Object.keys(this).map(k => { + return this[k].map(hash => { + return Hash.prototype.toString.call(hash, opts) + }).filter(x => x.length).join(sep) + }).filter(x => x.length).join(sep) + } + + concat (integrity, opts) { + opts = ssriOpts(opts) + const other = typeof integrity === 'string' + ? integrity + : stringify(integrity, opts) + return parse(`${this.toString(opts)} ${other}`, opts) + } + + hexDigest () { + return parse(this, { single: true }).hexDigest() + } + + // add additional hashes to an integrity value, but prevent + // *changing* an existing integrity hash. + merge (integrity, opts) { + opts = ssriOpts(opts) + const other = parse(integrity, opts) + for (const algo in other) { + if (this[algo]) { + if (!this[algo].find(hash => + other[algo].find(otherhash => + hash.digest === otherhash.digest))) { + throw new Error('hashes do not match, cannot update integrity') + } + } else { + this[algo] = other[algo] + } + } + } + + match (integrity, opts) { + opts = ssriOpts(opts) + const other = parse(integrity, opts) + const algo = other.pickAlgorithm(opts) + return ( + this[algo] && + other[algo] && + this[algo].find(hash => + other[algo].find(otherhash => + hash.digest === otherhash.digest + ) + ) + ) || false + } + + pickAlgorithm (opts) { + opts = ssriOpts(opts) + const pickAlgorithm = opts.pickAlgorithm + const keys = Object.keys(this) + return keys.reduce((acc, algo) => { + return pickAlgorithm(acc, algo) || acc + }) + } +} + +module.exports.parse = parse +function parse (sri, opts) { + if (!sri) return null + opts = ssriOpts(opts) + if (typeof sri === 'string') { + return _parse(sri, opts) + } else if (sri.algorithm && sri.digest) { + const fullSri = new Integrity() + fullSri[sri.algorithm] = [sri] + return _parse(stringify(fullSri, opts), opts) + } else { + return _parse(stringify(sri, opts), opts) + } +} + +function _parse (integrity, opts) { + // 3.4.3. Parse metadata + // https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata + if (opts.single) { + return new Hash(integrity, opts) + } + const hashes = integrity.trim().split(/\s+/).reduce((acc, string) => { + const hash = new Hash(string, opts) + if (hash.algorithm && hash.digest) { + const algo = hash.algorithm + if (!acc[algo]) { acc[algo] = [] } + acc[algo].push(hash) + } + return acc + }, new Integrity()) + return hashes.isEmpty() ? null : hashes +} + +module.exports.stringify = stringify +function stringify (obj, opts) { + opts = ssriOpts(opts) + if (obj.algorithm && obj.digest) { + return Hash.prototype.toString.call(obj, opts) + } else if (typeof obj === 'string') { + return stringify(parse(obj, opts), opts) + } else { + return Integrity.prototype.toString.call(obj, opts) + } +} + +module.exports.fromHex = fromHex +function fromHex (hexDigest, algorithm, opts) { + opts = ssriOpts(opts) + const optString = getOptString(opts.options) + return parse( + `${algorithm}-${ + Buffer.from(hexDigest, 'hex').toString('base64') + }${optString}`, opts + ) +} + +module.exports.fromData = fromData +function fromData (data, opts) { + opts = ssriOpts(opts) + const algorithms = opts.algorithms + const optString = getOptString(opts.options) + return algorithms.reduce((acc, algo) => { + const digest = crypto.createHash(algo).update(data).digest('base64') + const hash = new Hash( + `${algo}-${digest}${optString}`, + opts + ) + /* istanbul ignore else - it would be VERY strange if the string we + * just calculated with an algo did not have an algo or digest. + */ + if (hash.algorithm && hash.digest) { + const algo = hash.algorithm + if (!acc[algo]) { acc[algo] = [] } + acc[algo].push(hash) + } + return acc + }, new Integrity()) +} + +module.exports.fromStream = fromStream +function fromStream (stream, opts) { + opts = ssriOpts(opts) + const istream = integrityStream(opts) + return new Promise((resolve, reject) => { + stream.pipe(istream) + stream.on('error', reject) + istream.on('error', reject) + let sri + istream.on('integrity', s => { sri = s }) + istream.on('end', () => resolve(sri)) + istream.on('data', () => {}) + }) +} + +module.exports.checkData = checkData +function checkData (data, sri, opts) { + opts = ssriOpts(opts) + sri = parse(sri, opts) + if (!sri || !Object.keys(sri).length) { + if (opts.error) { + throw Object.assign( + new Error('No valid integrity hashes to check against'), { + code: 'EINTEGRITY' + } + ) + } else { + return false + } + } + const algorithm = sri.pickAlgorithm(opts) + const digest = crypto.createHash(algorithm).update(data).digest('base64') + const newSri = parse({ algorithm, digest }) + const match = newSri.match(sri, opts) + if (match || !opts.error) { + return match + } else if (typeof opts.size === 'number' && (data.length !== opts.size)) { + const err = new Error(`data size mismatch when checking ${sri}.\n Wanted: ${opts.size}\n Found: ${data.length}`) + err.code = 'EBADSIZE' + err.found = data.length + err.expected = opts.size + err.sri = sri + throw err + } else { + const err = new Error(`Integrity checksum failed when using ${algorithm}: Wanted ${sri}, but got ${newSri}. (${data.length} bytes)`) + err.code = 'EINTEGRITY' + err.found = newSri + err.expected = sri + err.algorithm = algorithm + err.sri = sri + throw err + } +} + +module.exports.checkStream = checkStream +function checkStream (stream, sri, opts) { + opts = ssriOpts(opts) + opts.integrity = sri + sri = parse(sri, opts) + if (!sri || !Object.keys(sri).length) { + return Promise.reject(Object.assign( + new Error('No valid integrity hashes to check against'), { + code: 'EINTEGRITY' + } + )) + } + const checker = integrityStream(opts) + return new Promise((resolve, reject) => { + stream.pipe(checker) + stream.on('error', reject) + checker.on('error', reject) + let sri + checker.on('verified', s => { sri = s }) + checker.on('end', () => resolve(sri)) + checker.on('data', () => {}) + }) +} + +module.exports.integrityStream = integrityStream +function integrityStream (opts = {}) { + return new IntegrityStream(opts) +} + +module.exports.create = createIntegrity +function createIntegrity (opts) { + opts = ssriOpts(opts) + const algorithms = opts.algorithms + const optString = getOptString(opts.options) + + const hashes = algorithms.map(crypto.createHash) + + return { + update: function (chunk, enc) { + hashes.forEach(h => h.update(chunk, enc)) + return this + }, + digest: function (enc) { + const integrity = algorithms.reduce((acc, algo) => { + const digest = hashes.shift().digest('base64') + const hash = new Hash( + `${algo}-${digest}${optString}`, + opts + ) + /* istanbul ignore else - it would be VERY strange if the hash we + * just calculated with an algo did not have an algo or digest. + */ + if (hash.algorithm && hash.digest) { + const algo = hash.algorithm + if (!acc[algo]) { acc[algo] = [] } + acc[algo].push(hash) + } + return acc + }, new Integrity()) + + return integrity + } + } +} + +const NODE_HASHES = new Set(crypto.getHashes()) + +// This is a Best Effort™ at a reasonable priority for hash algos +const DEFAULT_PRIORITY = [ + 'md5', 'whirlpool', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', + // TODO - it's unclear _which_ of these Node will actually use as its name + // for the algorithm, so we guesswork it based on the OpenSSL names. + 'sha3', + 'sha3-256', 'sha3-384', 'sha3-512', + 'sha3_256', 'sha3_384', 'sha3_512' +].filter(algo => NODE_HASHES.has(algo)) + +function getPrioritizedHash (algo1, algo2) { + return DEFAULT_PRIORITY.indexOf(algo1.toLowerCase()) >= DEFAULT_PRIORITY.indexOf(algo2.toLowerCase()) + ? algo1 + : algo2 +} diff --git a/sandbox/testAppNevena/Front/node_modules/ssri/package.json b/sandbox/testAppNevena/Front/node_modules/ssri/package.json new file mode 100644 index 00000000..4af1a3c4 --- /dev/null +++ b/sandbox/testAppNevena/Front/node_modules/ssri/package.json @@ -0,0 +1,52 @@ +{ + "name": "ssri", + "version": "8.0.1", + "description": "Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.", + "main": "index.js", + "files": [], + "scripts": { + "prerelease": "npm t", + "postrelease": "npm publish", + "prepublishOnly": "git push --follow-tags", + "posttest": "npm run lint", + "release": "standard-version -s", + "test": "tap", + "coverage": "tap", + "lint": "standard" + }, + "tap": { + "check-coverage": true + }, + "repository": "https://github.com/npm/ssri", + "keywords": [ + "w3c", + "web", + "security", + "integrity", + "checksum", + "hashing", + "subresource integrity", + "sri", + "sri hash", + "sri string", + "sri generator", + "html" + ], + "author": { + "name": "Kat Marchán", + "email": "kzm@sykosomatic.org", + "twitter": "maybekatz" + }, + "license": "ISC", + "dependencies": { + "minipass": "^3.1.1" + }, + "devDependencies": { + "standard": "^16.0.3", + "standard-version": "^9.1.0", + "tap": "^14.10.6" + }, + "engines": { + "node": ">= 8" + } +} |