dwindown/formipay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
622c9f8eb7d5808bbc8da8d5e2af286736137854
formipay/node_modules/csp_evaluator/checks/parser_checks.ts
dwindown e8fbfb14c1 fix: prevent asset conflicts between React and Grid.js versions 
Add coexistence checks to all enqueue methods to prevent loading
both React and Grid.js assets simultaneously.

Changes:
- ReactAdmin.php: Only enqueue React assets when ?react=1
- Init.php: Skip Grid.js when React active on admin pages
- Form.php, Coupon.php, Access.php: Restore classic assets when ?react=0
- Customer.php, Product.php, License.php: Add coexistence checks

Now the toggle between Classic and React versions works correctly.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 17:02:14 +07:00

157 lines
4.6 KiB
TypeScript
Raw Blame History

/**
* @fileoverview Collection of CSP parser checks which can be used to find
* common syntax mistakes like missing semicolons, invalid directives or
* invalid keywords.
* @author lwe@google.com (Lukas Weichselbaum)
*
* @license
* Copyright 2016 Google Inc. All rights reserved.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import * as csp from '../csp';
import {Csp, Keyword} from '../csp';
import {Finding, Severity, Type} from '../finding';
/**
* Checks if the csp contains invalid directives.
*
* Example policy where this check would trigger:
* foobar-src foo.bar
*
* @param parsedCsp A parsed csp.
*/
export function checkUnknownDirective(parsedCsp: Csp): Finding[] {
const findings: Finding[] = [];
for (const directive of Object.keys(parsedCsp.directives)) {
if (csp.isDirective(directive)) {
// Directive is known.
continue;
}
if (directive.endsWith(':')) {
findings.push(new Finding(
Type.UNKNOWN_DIRECTIVE, 'CSP directives don\'t end with a colon.',
Severity.SYNTAX, directive));
} else {
findings.push(new Finding(
Type.UNKNOWN_DIRECTIVE,
'Directive "' + directive + '" is not a known CSP directive.',
Severity.SYNTAX, directive));
}
}
return findings;
}
/**
* Checks if semicolons are missing in the csp.
*
* Example policy where this check would trigger (missing semicolon before
* start of object-src):
* script-src foo.bar object-src 'none'
*
* @param parsedCsp A parsed csp.
*/
export function checkMissingSemicolon(parsedCsp: Csp): Finding[] {
const findings: Finding[] = [];
for (const [directive, directiveValues] of Object.entries(
parsedCsp.directives)) {
if (directiveValues === undefined) {
continue;
}
for (const value of directiveValues) {
// If we find a known directive inside a directive value, it is very
// likely that a semicolon was forgoten.
if (csp.isDirective(value)) {
findings.push(new Finding(
Type.MISSING_SEMICOLON,
'Did you forget the semicolon? ' +
'"' + value + '" seems to be a directive, not a value.',
Severity.SYNTAX, directive, value));
}
}
}
return findings;
}
/**
* Checks if csp contains invalid keywords.
*
* Example policy where this check would trigger:
* script-src 'notAkeyword'
*
* @param parsedCsp A parsed csp.
*/
export function checkInvalidKeyword(parsedCsp: Csp): Finding[] {
const findings: Finding[] = [];
const keywordsNoTicks =
Object.values(Keyword).map((k) => k.replace(/'/g, ''));
for (const [directive, directiveValues] of Object.entries(
parsedCsp.directives)) {
if (directiveValues === undefined) {
continue;
}
for (const value of directiveValues) {
// Check if single ticks have been forgotten.
if (keywordsNoTicks.some((k) => k === value) ||
value.startsWith('nonce-') ||
value.match(/^(sha256|sha384|sha512)-/)) {
findings.push(new Finding(
Type.INVALID_KEYWORD,
'Did you forget to surround "' + value + '" with single-ticks?',
Severity.SYNTAX, directive, value));
continue;
}
// Continue, if the value doesn't start with single tick.
// All CSP keywords start with a single tick.
if (!value.startsWith('\'')) {
continue;
}
if (directive === csp.Directive.REQUIRE_TRUSTED_TYPES_FOR) {
// Continue, if it's an allowed Trusted Types sink.
if (value === csp.TrustedTypesSink.SCRIPT) {
continue;
}
} else if (directive === csp.Directive.TRUSTED_TYPES) {
// Continue, if it's an allowed Trusted Types keyword.
if (value === '\'allow-duplicates\'' || value === '\'none\'') {
continue;
}
} else {
// Continue, if it's a valid keyword.
if (csp.isKeyword(value) || csp.isHash(value) || csp.isNonce(value)) {
continue;
}
}
findings.push(new Finding(
Type.INVALID_KEYWORD, value + ' seems to be an invalid CSP keyword.',
Severity.SYNTAX, directive, value));
}
}
return findings;
}
Reference in New Issue View Git Blame Copy Permalink