ssri 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: fc077f8e97a9f458076702ce2057aa7dd4403894f6dd2d38f3bf1a4e922ede72
+  data.tar.gz: 060dd31549dad3c51dd6f25d4a710e702dfcbd907258fe7bb1ac9587702ac269
+SHA512:
+  metadata.gz: 1f17f2f6f2ffd8a5c87eed3ab2ef9e07cbc4e79c885cc21a7ee452bcb5a02d9df387602f42a011430cffccc282d5942d888f387369230c178874b9e4fe1a8fca
+  data.tar.gz: dcc7876db22ec5d304136103c0d37d2c7c2d8ffc3fc5da2b624e2a2544fd16ee36df24c7d6066b8940e9eb28306bfb310f635020f80a7f545a6a03e0f4cc335d

data/lib/ssri/constants.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module SSRI
+  SPEC_ALGORITHMS    = %w[sha512 sha384 sha256].freeze
+  DEFAULT_ALGORITHMS = %w[sha512].freeze
+
+  NODE_HASHES = OpenSSL::Digest.constants
+                               .map { |c|
+                                 c.to_s.downcase.tr('_',
+                                                    '')
+  }
+                               .select { |c|
+                                 begin;
+                                   OpenSSL::Digest.new(c); true; rescue StandardError; false;
+                                 end
+  }
+                                                                                                                .uniq.freeze
+
+  BASE64_REGEX     = /\A[a-z0-9+\/]+={0,2}\z/i
+  SRI_REGEX        = /\A([a-z0-9]+)-([^?]+)(\?[?\S]*)?\z/
+  STRICT_SRI_REGEX = /\A([a-z0-9]+)-([A-Za-z0-9+\/=]{44,88})(\?[\x21-\x7E]*)?\z/
+  VCHAR_REGEX      = /\A[\x21-\x7E]+\z/
+
+  DEFAULT_PRIORITY = %w[
+    md5 whirlpool sha1 sha224 sha256 sha384 sha512
+    sha3 sha3-256 sha3-384 sha3-512
+  ].select { |algo| begin; OpenSSL::Digest.new(algo); true; rescue StandardError; false; end }.freeze
+
+  def self.get_opt_string(options)
+    options&.any? ? "?#{options.join('?')}" : ''
+  end
+end

data/lib/ssri/errors.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module SSRI
+  class IntegrityError < StandardError
+    attr_reader :code, :found, :expected, :algorithm, :sri
+
+    def initialize(msg, found: nil, expected: nil, algorithm: nil, sri: nil)
+      super(msg)
+      @code      = 'EINTEGRITY'
+      @found     = found
+      @expected  = expected
+      @algorithm = algorithm
+      @sri       = sri
+    end
+  end
+
+  class SizeMismatchError < StandardError
+    attr_reader :code, :found, :expected, :sri
+
+    def initialize(msg, found: nil, expected: nil, sri: nil)
+      super(msg)
+      @code     = 'EBADSIZE'
+      @found    = found
+      @expected = expected
+      @sri      = sri
+    end
+  end
+end

data/lib/ssri/functions.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'base64'
+require_relative 'constants'
+
+module SSRI
+  def self.parse(sri, opts = {})
+    return nil if sri.nil?
+
+    if sri.is_a?(String)
+      _parse(sri, opts)
+    elsif sri.respond_to?(:algorithm) && sri.respond_to?(:digest)
+      full = Integrity.new
+      full[sri.algorithm] = [sri]
+      _parse(stringify(full, opts), opts)
+    else
+      _parse(stringify(sri, opts), opts)
+    end
+  end
+
+  def self._parse(integrity, opts = {})
+    if opts[:single]
+      return Hash.new(integrity, opts)
+    end
+
+    result = integrity.strip.split(/\s+/).each_with_object(Integrity.new) do |str, acc|
+      h = Hash.new(str, opts)
+      next if h.algorithm.empty? || h.digest.empty?
+
+      acc[h.algorithm] ||= []
+      acc[h.algorithm] << h
+    end
+    result.empty? ? nil : result
+  end
+
+  def self.stringify(obj, opts = {})
+    if obj.respond_to?(:algorithm) && obj.respond_to?(:digest)
+      Hash.instance_method(:to_s).bind(obj).call(opts)
+    elsif obj.is_a?(String)
+      stringify(parse(obj, opts), opts)
+    else
+      Integrity.instance_method(:to_s).bind(obj).call(opts)
+    end
+  end
+
+  def self.from_hex(hex_digest, algorithm, opts = {})
+    opt_string = get_opt_string(opts[:options])
+    b64 = Base64.strict_encode64([hex_digest].pack('H*'))
+    parse("#{algorithm}-#{b64}#{opt_string}", opts)
+  end
+
+  def self.from_data(data, opts = {})
+    algorithms = opts[:algorithms] || SSRI::DEFAULT_ALGORITHMS.dup
+    opt_string = SSRI.get_opt_string(opts[:options])
+
+    algorithms.each_with_object(Integrity.new) do |algo, acc|
+      digest = Base64.strict_encode64(OpenSSL::Digest.new(algo).digest(data))
+      h = Hash.new("#{algo}-#{digest}#{opt_string}", opts)
+      next if h.algorithm.empty? || h.digest.empty?
+
+      acc[h.algorithm] ||= []
+      acc[h.algorithm] << h
+    end
+  end
+
+  def self.check_data(data, sri, opts = {})
+    sri = parse(sri, opts)
+    if sri.nil? || sri.empty?
+      raise IntegrityError.new('No valid integrity hashes to check against') if opts[:error]
+
+      return false
+    end
+
+    algorithm = sri.pick_algorithm(opts)
+    digest    = Base64.strict_encode64(OpenSSL::Digest.new(algorithm).digest(data))
+    new_sri   = begin
+      tmp = Integrity.new
+      tmp[algorithm] = [Hash.new("#{algorithm}-#{digest}", opts)]
+      tmp
+    end
+    match = new_sri.match(sri, opts)
+
+    return match if match || !opts[:error]
+
+    if opts[:size].is_a?(Integer) && data.bytesize != opts[:size]
+      raise SizeMismatchError.new(
+        "data size mismatch when checking #{sri}.\n  Wanted: #{opts[:size]}\n  Found: #{data.bytesize}",
+        found: data.bytesize, expected: opts[:size], sri: sri
+      )
+    else
+      raise IntegrityError.new(
+        "Integrity checksum failed when using #{algorithm}: Wanted #{sri}, but got #{new_sri}.",
+        found: new_sri, expected: sri, algorithm: algorithm, sri: sri
+      )
+    end
+  end
+
+  def self.create(opts = {})
+    algorithms = opts[:algorithms] || SSRI::DEFAULT_ALGORITHMS.dup
+    opt_string = SSRI.get_opt_string(opts[:options])
+    hashes     = algorithms.map { |a| [a, OpenSSL::Digest.new(a)] }
+
+    obj = Object.new
+    obj.define_singleton_method(:update) do |chunk|
+      hashes.each { |_, h| h.update(chunk) }
+      obj
+    end
+    obj.define_singleton_method(:digest) do
+      hashes.each_with_object(Integrity.new) do |(algo, h), acc|
+        b64  = Base64.strict_encode64(h.digest)
+        hash = SSRI::Hash.new("#{algo}-#{b64}#{opt_string}", opts)
+        acc[hash.algorithm] ||= []
+        acc[hash.algorithm] << hash
+      end
+    end
+    obj
+  end
+end

data/lib/ssri/hash.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module SSRI
+  class Hash
+    attr_accessor :source, :digest, :algorithm, :options
+
+    def initialize(hash, opts = {})
+      @source    = hash.strip
+      @digest    = ''
+      @algorithm = ''
+      @options   = []
+
+      strict = opts[:strict]
+      match  = @source.match(strict ? STRICT_SRI_REGEX : SRI_REGEX)
+      return unless match
+      return if strict && !SPEC_ALGORITHMS.include?(match[1])
+      return unless NODE_HASHES.include?(match[1])
+
+      @algorithm = match[1]
+      @digest    = match[2]
+      raw_opts   = match[3]
+      @options   = raw_opts ? raw_opts[1..].split('?') : []
+    end
+
+    def is_hash?; true; end
+    def is_integrity?; false; end
+
+    def hex_digest
+      return nil if @digest.empty?
+
+      Base64.strict_decode64(@digest).unpack1('H*')
+    end
+
+    def to_json(*); to_s; end
+
+    def match(integrity, opts = {})
+      other = SSRI.parse(integrity, opts)
+      return false unless other
+
+      if other.is_integrity?
+        algo = other.pick_algorithm(opts, [@algorithm])
+        return false unless algo
+
+        found = other[algo]&.find { |h| h.digest == @digest }
+        return found || false
+      end
+
+      other.digest == @digest ? other : false
+    end
+
+    def to_s(opts = {})
+      if opts[:strict]
+        return '' unless SPEC_ALGORITHMS.include?(@algorithm) &&
+                         @digest.match?(BASE64_REGEX) &&
+                         @options.all? { |o| o.match?(VCHAR_REGEX) }
+      end
+      "#{@algorithm}-#{@digest}#{SSRI.get_opt_string(@options)}"
+    end
+  end
+end

data/lib/ssri/integrity.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+module SSRI
+  class Integrity
+    def initialize
+      @hashes = {}
+    end
+
+    def is_hash?; false; end
+    def is_integrity?; true; end
+    def empty?; @hashes.empty?; end
+    def [](algo); @hashes[algo]; end
+    def []=(algo, v); @hashes[algo] = v; end
+    def keys; @hashes.keys; end
+    def to_json(*); to_s; end
+
+    def to_s(opts = {})
+      sep   = opts[:sep] || ' '
+      sep   = sep.gsub(/\S+/, ' ') if opts[:strict]
+      parts = []
+      list  = opts[:strict] ? SPEC_ALGORITHMS.select { |a| @hashes[a] } : @hashes.keys
+      list.each do |algo|
+        @hashes[algo]&.each do |h|
+          s = h.to_s(opts)
+          parts << s unless s.empty?
+        end
+      end
+      parts.join(sep)
+    end
+
+    def concat(integrity, opts = {})
+      other = integrity.is_a?(String) ? integrity : SSRI.stringify(integrity, opts)
+      SSRI.parse("#{to_s(opts)} #{other}", opts)
+    end
+
+    def hex_digest
+      SSRI.parse(self, single: true).hex_digest
+    end
+
+    def merge(integrity, opts = {})
+      other = SSRI.parse(integrity, opts)
+      other.keys.each do |algo|
+        if @hashes[algo]
+          unless @hashes[algo].any? { |h| other[algo].any? { |oh| h.digest == oh.digest } }
+            raise "hashes do not match, cannot update integrity"
+          end
+        else
+          @hashes[algo] = other[algo]
+        end
+      end
+    end
+
+    def match(integrity, opts = {})
+      other = SSRI.parse(integrity, opts)
+      return false unless other
+
+      algo = other.pick_algorithm(opts, @hashes.keys)
+      return false unless algo
+
+      @hashes[algo]&.find do |h|
+        other[algo]&.find { |oh| h.digest == oh.digest }
+      end || false
+    end
+
+    def pick_algorithm(opts = {}, hashes = nil)
+      pick_fn = opts[:pick_algorithm] || method(:prioritized_hash)
+      keys    = @hashes.keys
+      keys    = keys.select { |k| hashes.include?(k) } if hashes&.any?
+      return nil if keys.empty?
+
+      keys.reduce { |acc, algo| pick_fn.call(acc, algo) || acc }
+    end
+
+    private
+
+    def prioritized_hash(algo1, algo2)
+      i1 = DEFAULT_PRIORITY.index(algo1.downcase) || -1
+      i2 = DEFAULT_PRIORITY.index(algo2.downcase) || -1
+      i1 >= i2 ? algo1 : algo2
+    end
+  end
+end

data/lib/ssri.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require_relative 'ssri/constants'
+require_relative 'ssri/errors'
+require_relative 'ssri/hash'
+require_relative 'ssri/integrity'
+require_relative 'ssri/functions'

metadata

@@ -0,0 +1,49 @@
+--- !ruby/object:Gem::Specification
+name: ssri
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- ssanoop
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-02-24 00:00:00.000000000 Z
+dependencies: []
+description: A Ruby port of the Node.js ssri library for parsing, generating and verifying
+  Subresource Integrity hashes.
+email: samsanoop@outlook.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/ssri.rb
+- lib/ssri/constants.rb
+- lib/ssri/errors.rb
+- lib/ssri/functions.rb
+- lib/ssri/hash.rb
+- lib/ssri/integrity.rb
+homepage:
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.3
+signing_key:
+specification_version: 4
+summary: Standard Subresource Integrity for Ruby
+test_files: []