pax_global_header comment=3eec7a375a8c7664d4e33c212058313c6fb43c57
ssri-8.0.1/.github/CODEOWNERS
* @npm/cli-team
ssri-8.0.1/.github/settings.yml
---
_extends: 'open-source-project-boilerplate'
ssri-8.0.1/.github/workflows/ci.yml
---
################################################################################
# Template - Node CI
#
# Description:
# This contains the basic information to: install dependencies, run tests,
# get coverage, and run linting on a nodejs project. This template will run
# over the MxN matrix of all operating systems, and all current LTS versions
# of NodeJS.
#
# Dependencies:
# This template assumes that your project is using the `tap` module for
# testing. If you're not using this module, then the step that runs your
# coverage will need to be adjusted.
#
################################################################################
name: Node CI
on: [push, pull_request]
jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        node-version: [10.x, 12.x, 13.x]
        os: [ubuntu-latest, windows-latest, macOS-latest]
    runs-on: ${{ matrix.os }}
    steps:
      # Checkout the repository
      - uses: actions/checkout@v2
      # Installs the specific version of Node.js
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      ################################################################################
      # Install Dependencies
      #
      # ASSUMPTIONS:
      # - The project has a package-lock.json file
      #
      # Install the project's dependencies exactly as pinned in the lockfile.
      ################################################################################
      - name: Install dependencies
        run: npm ci
      ################################################################################
      # Run Testing
      #
      # ASSUMPTIONS:
      # - The project has `tap` as a devDependency
      # - There is a script called "test" in the package.json
      #
      # Simply run the tests for the project.
      ################################################################################
      - name: Run tests
        run: npm test
      ################################################################################
      # Run coverage check
      #
      # ASSUMPTIONS:
      # - The project has `tap` as a devDependency
      # - There is a script called "coverage" in the package.json
      #
      # Coverage should only be posted once, so we choose the latest LTS of
      # node, and ubuntu, as the matrix point to post coverage from. We limit
      # to the 'push' event so that coverage isn't posted twice from the
      # pull-request event and the push event (see the `on:` line above).
      ################################################################################
      - name: Run coverage report
        if: github.event_name == 'push' && matrix.node-version == '12.x' && matrix.os == 'ubuntu-latest'
        run: npm run coverage
        env:
          # The environment variable name is leveraged by `tap`
          COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
      ################################################################################
      # Run linting
      #
      # ASSUMPTIONS:
      # - There is a script called "lint" in the package.json
      #
      # We run linting AFTER we run testing and coverage checks, because if a step
      # fails in a GitHub Action, all other steps are not run. We don't want to
      # fail to run tests or coverage because of linting. It should be the lowest
      # priority of all the steps.
      ################################################################################
      - name: Run linter
        run: npm run lint
ssri-8.0.1/.gitignore
/node_modules
/.nyc_output
/coverage
ssri-8.0.1/CHANGELOG.md
# Changelog
All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
### [8.0.1](https://github.com/npm/ssri/compare/v8.0.0...v8.0.1) (2021-01-27)
### Bug Fixes
* simplify regex for strict mode, add tests ([76e2233](https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2))
## [8.0.0](https://github.com/npm/ssri/compare/v7.1.0...v8.0.0) (2020-02-18)
### ⚠ BREAKING CHANGES
* SRI values with `../` in the algorithm name now throw
as invalid (which they always probably should have!)
* adds a new error that will be thrown. Empty SRIs are
no longer considered valid for checking, only when using integrityStream
to calculate the SRI value.
PR-URL: https://github.com/npm/ssri/pull/12
Credit: @claudiahdz
### Features
* remove figgy-pudding ([0e78fd7](https://github.com/npm/ssri/commit/0e78fd7b754e2d098875eb4c57238709d96d7c27))
### Bug Fixes
* harden SRI parsing against ../ funny business ([4062735](https://github.com/npm/ssri/commit/4062735d1281941fd32ac4320b9f9965fcec278b))
* IntegrityStream responds to mutating opts object mid-stream ([4a963e5](https://github.com/npm/ssri/commit/4a963e5982478c6b07f86848cdb72d142c765195))
* throw null when sri is empty or bad ([a6811cb](https://github.com/npm/ssri/commit/a6811cba71e20ea1fdefa6e50c9ea3c67efc2500)), closes [#12](https://github.com/npm/ssri/issues/12)
## [7.1.0](https://github.com/npm/ssri/compare/v7.0.1...v7.1.0) (2019-10-24)
### Bug Fixes
* Do not blow up if the opts object is mutated ([806e8c8](https://github.com/npm/ssri/commit/806e8c8))
### Features
* Add Integrity#merge method ([0572c1d](https://github.com/npm/ssri/commit/0572c1d)), closes [#4](https://github.com/npm/ssri/issues/4)
### [7.0.1](https://github.com/npm/ssri/compare/v7.0.0...v7.0.1) (2019-09-30)
## [7.0.0](https://github.com/npm/ssri/compare/v6.0.1...v7.0.0) (2019-09-18)
### ⚠ BREAKING CHANGES
* ssri no longer accepts a Promise option, and does not
use, return, or rely on Bluebird promises.
* drop support for Node.js v6.
We knew this was coming, and the Stream changes are breaking anyway.
May as well do this now.
* **streams:** this replaces the Node.js stream with a Minipass
stream. See http://npm.im/minipass for documentation.
### Bug Fixes
* return super.write() return value ([55b055d](https://github.com/npm/ssri/commit/55b055d))
* Use native promises only ([6d13165](https://github.com/npm/ssri/commit/6d13165))
* update tap, standard, standard-version, travis ([2e54956](https://github.com/npm/ssri/commit/2e54956))
* **streams:** replace transform streams with minipass ([363995e](https://github.com/npm/ssri/commit/363995e))
## [6.0.1](https://github.com/npm/ssri/compare/v6.0.0...v6.0.1) (2018-08-27)
### Bug Fixes
* **opts:** use figgy-pudding to specify consumed opts ([cf86553](https://github.com/npm/ssri/commit/cf86553))
# [6.0.0](https://github.com/npm/ssri/compare/v5.3.0...v6.0.0) (2018-04-09)
### Bug Fixes
* **docs:** minor typo ([b71ef17](https://github.com/npm/ssri/commit/b71ef17))
### meta
* drop support for node@4 ([d9bf359](https://github.com/npm/ssri/commit/d9bf359))
### BREAKING CHANGES
* node@4 is no longer supported
# [5.3.0](https://github.com/npm/ssri/compare/v5.2.4...v5.3.0) (2018-03-13)
### Features
* **checkData:** optionally throw when checkData fails ([bf26b84](https://github.com/npm/ssri/commit/bf26b84))
## [5.2.4](https://github.com/npm/ssri/compare/v5.2.3...v5.2.4) (2018-02-16)
## [5.2.3](https://github.com/npm/ssri/compare/v5.2.2...v5.2.3) (2018-02-16)
### Bug Fixes
* **hashes:** filter hash priority list by available hashes ([2fa30b8](https://github.com/npm/ssri/commit/2fa30b8))
* **integrityStream:** dedupe algorithms to generate ([d56c654](https://github.com/npm/ssri/commit/d56c654))
## [5.2.2](https://github.com/npm/ssri/compare/v5.2.1...v5.2.2) (2018-02-14)
### Bug Fixes
* **security:** tweak strict SRI regex ([#10](https://github.com/npm/ssri/issues/10)) ([d0ebcdc](https://github.com/npm/ssri/commit/d0ebcdc))
## [5.2.1](https://github.com/npm/ssri/compare/v5.2.0...v5.2.1) (2018-02-06)
# [5.2.0](https://github.com/npm/ssri/compare/v5.1.0...v5.2.0) (2018-02-06)
### Features
* **match:** add integrity.match() ([3c49cc4](https://github.com/npm/ssri/commit/3c49cc4))
# [5.1.0](https://github.com/npm/ssri/compare/v5.0.0...v5.1.0) (2018-01-18)
### Bug Fixes
* **checkStream:** integrityStream now takes opts.integrity algos into account ([d262910](https://github.com/npm/ssri/commit/d262910))
### Features
* **sha3:** do some guesswork about upcoming sha3 ([7fdd9df](https://github.com/npm/ssri/commit/7fdd9df))
# [5.0.0](https://github.com/npm/ssri/compare/v4.1.6...v5.0.0) (2017-10-23)
### Features
* **license:** relicense to ISC (#9) ([c82983a](https://github.com/npm/ssri/commit/c82983a))
### BREAKING CHANGES
* **license:** the license has been changed from CC0-1.0 to ISC.
## [4.1.6](https://github.com/npm/ssri/compare/v4.1.5...v4.1.6) (2017-06-07)
### Bug Fixes
* **checkStream:** make sure to pass all opts through ([0b1bcbe](https://github.com/npm/ssri/commit/0b1bcbe))
## [4.1.5](https://github.com/npm/ssri/compare/v4.1.4...v4.1.5) (2017-06-05)
### Bug Fixes
* **integrityStream:** stop crashing if opts.algorithms and opts.integrity have an algo mismatch ([fb1293e](https://github.com/npm/ssri/commit/fb1293e))
## [4.1.4](https://github.com/npm/ssri/compare/v4.1.3...v4.1.4) (2017-05-31)
### Bug Fixes
* **node:** older versions of node@4 do not support base64buffer string parsing ([513df4e](https://github.com/npm/ssri/commit/513df4e))
## [4.1.3](https://github.com/npm/ssri/compare/v4.1.2...v4.1.3) (2017-05-24)
### Bug Fixes
* **check:** handle various bad hash corner cases better ([c2c262b](https://github.com/npm/ssri/commit/c2c262b))
## [4.1.2](https://github.com/npm/ssri/compare/v4.1.1...v4.1.2) (2017-04-18)
### Bug Fixes
* **stream:** _flush can be called multiple times. use on("end") ([b1c4805](https://github.com/npm/ssri/commit/b1c4805))
## [4.1.1](https://github.com/npm/ssri/compare/v4.1.0...v4.1.1) (2017-04-12)
### Bug Fixes
* **pickAlgorithm:** error if pickAlgorithm() is used in an empty Integrity ([fab470e](https://github.com/npm/ssri/commit/fab470e))
# [4.1.0](https://github.com/npm/ssri/compare/v4.0.0...v4.1.0) (2017-04-07)
### Features
* adding ssri.create for a crypto style interface (#2) ([96f52ad](https://github.com/npm/ssri/commit/96f52ad))
# [4.0.0](https://github.com/npm/ssri/compare/v3.0.2...v4.0.0) (2017-04-03)
### Bug Fixes
* **integrity:** should have changed the error code before. oops ([8381afa](https://github.com/npm/ssri/commit/8381afa))
### BREAKING CHANGES
* **integrity:** EBADCHECKSUM -> EINTEGRITY for verification errors
## [3.0.2](https://github.com/npm/ssri/compare/v3.0.1...v3.0.2) (2017-04-03)
## [3.0.1](https://github.com/npm/ssri/compare/v3.0.0...v3.0.1) (2017-04-03)
### Bug Fixes
* **package.json:** really should have these in the keywords because search ([a6ac6d0](https://github.com/npm/ssri/commit/a6ac6d0))
# [3.0.0](https://github.com/npm/ssri/compare/v2.0.0...v3.0.0) (2017-04-03)
### Bug Fixes
* **hashes:** IntegrityMetadata -> Hash ([d04aa1f](https://github.com/npm/ssri/commit/d04aa1f))
### Features
* **check:** return IntegrityMetadata on check success ([2301e74](https://github.com/npm/ssri/commit/2301e74))
* **fromHex:** ssri.fromHex to make it easier to generate them from hex values ([049b89e](https://github.com/npm/ssri/commit/049b89e))
* **hex:** utility function for getting hex version of digest ([a9f021c](https://github.com/npm/ssri/commit/a9f021c))
* **hexDigest:** added hexDigest method to Integrity objects too ([85208ba](https://github.com/npm/ssri/commit/85208ba))
* **integrity:** add .isIntegrity and .isIntegrityMetadata ([1b29e6f](https://github.com/npm/ssri/commit/1b29e6f))
* **integrityStream:** new stream that can both generate and check streamed data ([fd23e1b](https://github.com/npm/ssri/commit/fd23e1b))
* **parse:** allow parsing straight into a single IntegrityMetadata object ([c8ddf48](https://github.com/npm/ssri/commit/c8ddf48))
* **pickAlgorithm:** Integrity#pickAlgorithm() added ([b97a796](https://github.com/npm/ssri/commit/b97a796))
* **size:** calculate and update stream sizes ([02ed1ad](https://github.com/npm/ssri/commit/02ed1ad))
### BREAKING CHANGES
* **hashes:** `.isIntegrityMetadata` is now `.isHash`. Also, any references to `IntegrityMetadata` now refer to `Hash`.
* **integrityStream:** createCheckerStream has been removed and replaced with a general-purpose integrityStream.
To convert existing createCheckerStream code, move the `sri` argument into `opts.integrity` in integrityStream. All other options should be the same.
* **check:** `checkData`, `checkStream`, and `createCheckerStream` now yield a whole IntegrityMetadata instance representing the first successful hash match.
# [2.0.0](https://github.com/npm/ssri/compare/v1.0.0...v2.0.0) (2017-03-24)
### Bug Fixes
* **strict-mode:** make regexes more rigid ([122a32c](https://github.com/npm/ssri/commit/122a32c))
### Features
* **api:** added serialize alias for unparse ([999b421](https://github.com/npm/ssri/commit/999b421))
* **concat:** add Integrity#concat() ([cae12c7](https://github.com/npm/ssri/commit/cae12c7))
* **pickAlgo:** pick the strongest algorithm provided, by default ([58c18f7](https://github.com/npm/ssri/commit/58c18f7))
* **strict-mode:** strict SRI support ([3f0b64c](https://github.com/npm/ssri/commit/3f0b64c))
* **stringify:** replaced unparse/serialize with stringify ([4acad30](https://github.com/npm/ssri/commit/4acad30))
* **verification:** add opts.pickAlgorithm ([f72e658](https://github.com/npm/ssri/commit/f72e658))
### BREAKING CHANGES
* **pickAlgo:** ssri will prioritize specific hashes now
* **stringify:** serialize and unparse have been removed. Use ssri.stringify instead.
* **strict-mode:** functions that accepted an optional `sep` argument now expect `opts.sep`.
# 1.0.0 (2017-03-23)
### Features
* **api:** implemented initial api ([4fbb16b](https://github.com/npm/ssri/commit/4fbb16b))
### BREAKING CHANGES
* **api:** Initial API established.
ssri-8.0.1/LICENSE.md
ISC License
Copyright (c) npm, Inc.
Permission to use, copy, modify, and/or distribute this software for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE COPYRIGHT HOLDER DISCLAIMS
ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
COPYRIGHT HOLDER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
USE OR PERFORMANCE OF THIS SOFTWARE.
ssri-8.0.1/README.md
# ssri
[`ssri`](https://github.com/npm/ssri), short for Standard Subresource
Integrity, is a Node.js utility for parsing, manipulating, serializing,
generating, and verifying [Subresource
Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) hashes.
## Install
`$ npm install --save ssri`
## Table of Contents
* [Example](#example)
* [Features](#features)
* [Contributing](#contributing)
* [API](#api)
  * Parsing & Serializing
    * [`parse`](#parse)
    * [`stringify`](#stringify)
    * [`Integrity#concat`](#integrity-concat)
    * [`Integrity#merge`](#integrity-merge)
    * [`Integrity#toString`](#integrity-to-string)
    * [`Integrity#toJSON`](#integrity-to-json)
    * [`Integrity#match`](#integrity-match)
    * [`Integrity#pickAlgorithm`](#integrity-pick-algorithm)
    * [`Integrity#hexDigest`](#integrity-hex-digest)
  * Integrity Generation
    * [`fromHex`](#from-hex)
    * [`fromData`](#from-data)
    * [`fromStream`](#from-stream)
    * [`create`](#create)
  * Integrity Verification
    * [`checkData`](#check-data)
    * [`checkStream`](#check-stream)
    * [`integrityStream`](#integrity-stream)
### Example
```javascript
const fs = require('fs')
const ssri = require('ssri')
const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'
// Parsing and serializing
const parsed = ssri.parse(integrity)
ssri.stringify(parsed) // === integrity (works on non-Integrity objects)
parsed.toString() // === integrity
// Async stream functions
ssri.checkStream(fs.createReadStream('./my-file'), integrity).then(hash => { /* hash: the matching Hash entry */ })
ssri.fromStream(fs.createReadStream('./my-file')).then(sri => {
  sri.toString() === integrity
})
// Verify while piping; integrityStream({ integrity }) replaced createCheckerStream (see CHANGELOG 3.0.0)
fs.createReadStream('./my-file').pipe(ssri.integrityStream({ integrity }))
// Sync data functions
ssri.fromData(fs.readFileSync('./my-file')) // === parsed
ssri.checkData(fs.readFileSync('./my-file'), integrity) // => Hash entry for the matching sha512 digest
```
### Features
* Parses and stringifies SRI strings.
* Generates SRI strings from raw data or Streams.
* Strict standard compliance.
* `?foo` metadata option support.
* Multiple entries for the same algorithm.
* Object-based integrity hash manipulation.
* Small footprint: no dependencies, concise implementation.
* Full test coverage.
* Customizable algorithm picker.
### Contributing
The ssri team enthusiastically welcomes contributions and project participation!
There's a bunch of things you can do if you want to contribute! The [Contributor
Guide](CONTRIBUTING.md) has all the information you need for everything from
reporting bugs to contributing entire new features. Please don't hesitate to
jump in if you'd like to, or even ask us questions if something isn't clear.
### API
#### `> ssri.parse(sri, [opts]) -> Integrity`
Parses `sri` into an `Integrity` data structure. `sri` can be an integrity
string, a `Hash`-like object with `digest` and `algorithm` fields and an optional
`options` field, or an `Integrity`-like object. The resulting object will be an
`Integrity` instance that has this shape:
```javascript
{
  'sha1': [{algorithm: 'sha1', digest: 'deadbeef', options: []}],
  'sha512': [
    {algorithm: 'sha512', digest: 'c0ffee', options: []},
    {algorithm: 'sha512', digest: 'bad1dea', options: ['foo']}
  ],
}
```
If `opts.single` is truthy, a single `Hash` object will be returned. That is, a
single object that looks like `{algorithm, digest, options}`, as opposed to a
larger object with multiple of these.
If `opts.strict` is truthy, the resulting object will be filtered such that
it strictly follows the Subresource Integrity spec, throwing away any entries
with any invalid components. This also means a restricted set of algorithms
will be used -- the spec limits them to `sha256`, `sha384`, and `sha512`.
Strict mode is recommended if the integrity strings are intended for use in
browsers, or in other situations where strict adherence to the spec is needed.
##### Example
```javascript
ssri.parse('sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo') // -> Integrity object
```
#### `> ssri.stringify(sri, [opts]) -> String`
This function is identical to [`Integrity#toString()`](#integrity-to-string),
except it can be used on _any_ object that [`parse`](#parse) can handle -- that
is, a string, a `Hash`-like, or an `Integrity`-like.
The `opts.sep` option defines the string to use when joining multiple entries
together. To be spec-compliant, this _must_ be whitespace. The default is a
single space (`' '`).
If `opts.strict` is true, the integrity string will be created using strict
parsing rules. See [`ssri.parse`](#parse).
##### Example
```javascript
// Useful for cleaning up input SRI strings:
ssri.stringify('\n\rsha512-foo\n\t\tsha384-bar')
// -> 'sha512-foo sha384-bar'
// Hash-like: only a single entry.
ssri.stringify({
  algorithm: 'sha512',
  digest: '9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==',
  options: ['foo']
})
// ->
// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'
// Integrity-like: full multi-entry syntax. Similar to output of `ssri.parse`
ssri.stringify({
  'sha512': [
    {
      algorithm: 'sha512',
      digest: '9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==',
      options: ['foo']
    }
  ]
})
// ->
// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'
```
#### `> Integrity#concat(otherIntegrity, [opts]) -> Integrity`
Concatenates an `Integrity` object with another `Integrity`-like object, or an
integrity string.
This is functionally equivalent to concatenating the string format of both
integrity arguments, and calling [`ssri.parse`](#parse) on the new string.
If `opts.strict` is true, the new `Integrity` will be created using strict
parsing rules. See [`ssri.parse`](#parse).
##### Example
```javascript
// This will combine the integrity checks for two different versions of
// your index.js file so you can use a single integrity string and serve
// either of these to clients, from a single `