diff --git a/src/UI/Areas/Identity/Pages/_Layout.cshtml b/src/UI/Areas/Identity/Pages/_Layout.cshtml index 95b76376..a145bd6e 100644 --- a/src/UI/Areas/Identity/Pages/_Layout.cshtml +++ b/src/UI/Areas/Identity/Pages/_Layout.cshtml @@ -67,7 +67,7 @@ asp-fallback-src="~/Identity/lib/jquery/dist/jquery.min.js" asp-fallback-test="window.jQuery" crossorigin="anonymous" - integrity="sha384-K+ctZQ+LL8q6tP7I94W+qzQsfRV2a+AfHIi9k8z8l9ggpc8X+Ytst4yBo/hH+8Fk"> + integrity="sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT"> diff --git a/test/Identity.Test/CdnScriptTaghelperTests.cs b/test/Identity.Test/CdnScriptTaghelperTests.cs new file mode 100644 index 00000000..b9a65a32 --- /dev/null +++ b/test/Identity.Test/CdnScriptTaghelperTests.cs @@ -0,0 +1,111 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.IO; +using System.Net.Http; +using System.Security.Cryptography; +using System.Text.RegularExpressions; +using System.Threading.Tasks; +using Xunit; +using Xunit.Abstractions; + +namespace Microsoft.AspNetCore.Identity.Test +{ + public class CdnScriptTagTests + { + private readonly ITestOutputHelper _output; + + public CdnScriptTagTests(ITestOutputHelper output) + { + _output = output; + } + + [Fact] + public async Task IdentityUI_ScriptTags_SubresourceIntegrityCheck() + { + var slnDir = GetSolutionDir(); + var sourceDir = Path.Combine(slnDir, "src", "UI"); + var cshtmlFiles = Directory.GetFiles(sourceDir, "*.cshtml", SearchOption.AllDirectories); + + var scriptTags = new List(); + foreach (var cshtmlFile in cshtmlFiles) + { + scriptTags.AddRange(GetScriptTags(cshtmlFile)); + } + + Assert.NotEmpty(scriptTags); + + var shasum = new Dictionary(StringComparer.OrdinalIgnoreCase); + using (var client = new HttpClient()) + { + foreach (var script in scriptTags) + { + if (shasum.ContainsKey(script.Src)) + { + continue; + } + + using (var resp = await client.GetStreamAsync(script.Src)) + using (var alg = SHA384.Create()) + { + var hash = alg.ComputeHash(resp); + shasum.Add(script.Src, "sha384-" + Convert.ToBase64String(hash)); + } + } + } + + Assert.All(scriptTags, t => + { + Assert.True(shasum[t.Src] == t.Integrity, userMessage: $"Expected integrity on script tag to be {shasum[t.Src]} but it was {t.Integrity}. {t.FileName}"); + }); + } + + private struct ScriptTag + { + public string Src; + public string Integrity; + public string FileName; + } + + private static readonly Regex _scriptRegex = new Regex(@"]*src=""(?'src'http[^""]+)""[^>]*integrity=""(?'integrity'[^""]+)""([^>]*)>", RegexOptions.Multiline); + + private IEnumerable GetScriptTags(string cshtmlFile) + { + string contents; + using (var reader = new StreamReader(File.OpenRead(cshtmlFile))) + { + contents = reader.ReadToEnd(); + } + + var match = _scriptRegex.Match(contents); + while (match != null && match != Match.Empty) + { + var tag = new ScriptTag + { + Src = match.Groups["src"].Value, + Integrity = match.Groups["integrity"].Value, + FileName = Path.GetFileName(cshtmlFile) + }; + yield return tag; + _output.WriteLine($"Found script tag in '{tag.FileName}', src='{tag.Src}' integrity='{tag.Integrity}'"); + match = match.NextMatch(); + } + } + + private static string GetSolutionDir() + { + var dir = new DirectoryInfo(AppContext.BaseDirectory); + while (dir != null) + { + if (File.Exists(Path.Combine(dir.FullName, "Identity.sln"))) + { + break; + } + dir = dir.Parent; + } + return dir.FullName; + } + } +} \ No newline at end of file