@localnerve/csp-hashes 0.1.3

package/.eslintignore

@@ -0,0 +1,5 @@
+__tests__/lib
+coverage
+dist
+private
+tmp

package/.eslintrc.json

@@ -0,0 +1,22 @@
+{
+  "root": true,
+  "env": {
+    "node": true,
+    "es2020": true
+  },
+  "parserOptions": {
+    "sourceType": "module",
+    "ecmaVersion": 2020
+  },
+  "extends": [
+    "eslint:recommended"
+  ],
+  "rules": {
+    "indent": [2, 2, {
+      "SwitchCase": 1,
+      "MemberExpression": 1
+    }],
+    "quotes": [2, "single"],
+    "dot-notation": [2, {"allowKeywords": true}]
+  }
+}

package/.github/workflows/verify.yml

@@ -0,0 +1,32 @@
+name: Verify
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  verify:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [14.x, 16.x]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v3.0.0
+      with:
+        node-version: ${{ matrix.node-version }}
+    - run: npm ci
+    - name: Run Lint and Test
+      run: npm run lint && npm test
+    - name: Coverage Upload
+      if: ${{ success() }}
+      uses: coverallsapp/github-action@master
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        path-to-lcov: ./coverage/lcov.info

package/.vscode/launch.json

@@ -0,0 +1,14 @@
+{
+  // Use IntelliSense to learn about possible attributes.
+  // Hover to view descriptions of existing attributes.
+  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "type": "node",
+      "request": "attach",
+      "name": "Attach to Tests",
+      "port": 9229
+    }
+  ]
+}

package/__tests__/fixtures/multiple-scripts-attr.html

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script>
+    console.log("foo");
+
+
+  </script>
+</head>
+<body>
+  <script>"hello world"</script>
+  <div class="decoy"></div>
+  <button onclick="alert(0);"></button>
+  <a href="javascript:void(0)">link</a>
+  <div data-attr="decoy"></div>
+</body>
+</html>

package/__tests__/fixtures/multiple-scripts-attr.sha256

@@ -0,0 +1,7 @@
+# element hashes
+sha256-rExzpKR08DmzriumM64x74bd6TG79uFw0RlSMdXFzO4=
+sha256-nd7+RDWyHZAUOeVG1UoUoXWjSTuf2PvzjZ6m08v3CCY=
+# attribute hashes
+sha256-d3ii1Pel57UO62xosCMNgTaZJhJa87Gd/X6e7UdlEU8=
+sha256-97l24HYIWEdSIQ8PoMHzpxiGCZuyBDXtN19RPKFsOgk=
+#

package/__tests__/fixtures/multiple-scripts-attr.sha384

@@ -0,0 +1,7 @@
+# element hashes
+sha384-O60SQD+smnMjcJ8RHL7sAbSOyPUWgRHBovbIAphGqPN98/Iu8mtniAogp4wIsOhW
+sha384-WmpTK6zbDiu5hx1ojbwG5VsNrqhW+OahJWEgoWt05o63pvZvCdwNIanHJLoyr3SD
+# attribute hashes
+sha384-bukTLq2o+W5IQrLDTC6PHPqfJ4hmAZxNVytFjb4OuGCjwVgz4fWKrwLEuGwMGN3+
+sha384-Hs4TMINoOqtUudRVK7cWbO9tOQB1sxVWZcY9wrHsnyMIvr0urtjvW2Tl48Td9XHX
+#

package/__tests__/fixtures/multiple-scripts-attr.sha512

@@ -0,0 +1,7 @@
+# element hashes
+sha512-MqQ+zvBvxknlz+ZyHsCJfMSsAwYLwpr4REOSr7Q6QhvkqbJFvjlbN6mHacwH7sS6GkbgoC5j+DWFzWh6coeP0g==
+sha512-qAJOafTHO8uHcv2M4vRRoaHnkd7h/xuiv+DkboPHj8WwHNcevfKTc4Wt0OqnaGuRpeKnxLXBv4VByLKSvuGZqQ==
+# attribute hashes
+sha512-d9VZk4RVMuB9zbaCdtPmoi0jg3Q/ENmcbczKvg9eF1Km6v4jO658wc17JPo2V9eP59CGLG1Qtnj9KBA3pvFFdw==
+sha512-95nit2a0nErfKAcXliTb4gREVstYj5n71nrjGBiyu9LTOQ0tLgNNIAYImzWBYUP5H7MjJz//7XfNfirAJKoyuA==
+#

package/__tests__/fixtures/multiple-scripts-styles-script.sha256

@@ -0,0 +1,7 @@
+# element hashes
+sha256-rExzpKR08DmzriumM64x74bd6TG79uFw0RlSMdXFzO4=
+sha256-nd7+RDWyHZAUOeVG1UoUoXWjSTuf2PvzjZ6m08v3CCY=
+# attribute hashes
+sha256-d3ii1Pel57UO62xosCMNgTaZJhJa87Gd/X6e7UdlEU8=
+sha256-97l24HYIWEdSIQ8PoMHzpxiGCZuyBDXtN19RPKFsOgk=
+#

package/__tests__/fixtures/multiple-scripts-styles-script.sha384

@@ -0,0 +1,7 @@
+# element hashes
+sha384-O60SQD+smnMjcJ8RHL7sAbSOyPUWgRHBovbIAphGqPN98/Iu8mtniAogp4wIsOhW
+sha384-WmpTK6zbDiu5hx1ojbwG5VsNrqhW+OahJWEgoWt05o63pvZvCdwNIanHJLoyr3SD
+# attribute hashes
+sha384-bukTLq2o+W5IQrLDTC6PHPqfJ4hmAZxNVytFjb4OuGCjwVgz4fWKrwLEuGwMGN3+
+sha384-Hs4TMINoOqtUudRVK7cWbO9tOQB1sxVWZcY9wrHsnyMIvr0urtjvW2Tl48Td9XHX
+#

package/__tests__/fixtures/multiple-scripts-styles-script.sha512

@@ -0,0 +1,7 @@
+# element hashes
+sha512-MqQ+zvBvxknlz+ZyHsCJfMSsAwYLwpr4REOSr7Q6QhvkqbJFvjlbN6mHacwH7sS6GkbgoC5j+DWFzWh6coeP0g==
+sha512-qAJOafTHO8uHcv2M4vRRoaHnkd7h/xuiv+DkboPHj8WwHNcevfKTc4Wt0OqnaGuRpeKnxLXBv4VByLKSvuGZqQ==
+# attribute hashes
+sha512-d9VZk4RVMuB9zbaCdtPmoi0jg3Q/ENmcbczKvg9eF1Km6v4jO658wc17JPo2V9eP59CGLG1Qtnj9KBA3pvFFdw==
+sha512-95nit2a0nErfKAcXliTb4gREVstYj5n71nrjGBiyu9LTOQ0tLgNNIAYImzWBYUP5H7MjJz//7XfNfirAJKoyuA==
+#

package/__tests__/fixtures/multiple-scripts-styles-style.sha256

@@ -0,0 +1,6 @@
+# element hashes
+sha256-ZRXDQAaaiAOOtUbmDL5Ty2JR8Zf1AonXn6DCmchNhvk=
+sha256-n5JetA0VmZdQj4zgyixeiOgx9wfnK2oa9/zb8+xvZks=
+# attribute hashes
+sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=
+#

package/__tests__/fixtures/multiple-scripts-styles-style.sha384

@@ -0,0 +1,6 @@
+# element hashes
+sha384-fR76DAgrmWR4v7rpv4JBvCihgpwA2GRb4b6e4o+ThYYMJ4FQLX3l+EwzySAPxzbN
+sha384-vSmTBkQfDGIq3/4cHWOHpAwAHxMhwPY/5vxKe4XCcKVmQaAN0BYDoZeZu5n0qHjS
+# attribute hashes
+sha384-YHRSKUJbAwb1DUQ5EcSZ+IOjmjTr9Bcrv8E2oHbMS45tF1M/tNHACnjgCr6L+GXc
+#

package/__tests__/fixtures/multiple-scripts-styles-style.sha512

@@ -0,0 +1,6 @@
+# element hashes
+sha512-dtOFpumNJPKES8S72UuTAXS6daEMYQKpRpCzlFAto/DHdx7fH0KK8sO9LjLpOjVWrDXE4G+MtisGdWa19wieSg==
+sha512-mZQHDGDpL2tkHm3IWxwlZQUEwzH27l1bGvq4qo/9T/Ef52z0J2TGEEeOgp8INb/fGFHk4NjteTNwDTeuqb9rrw==
+# attribute hashes
+sha512-aOZs3PhtrZbzR6+CPKnKpStcJBq1Y4lw/+SwV5pKL52hpcq5pj+tTLv7x2uegYLFIqZ89KnfhRsrVSrQ3V3XDw==
+#

package/__tests__/fixtures/multiple-scripts-styles.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script>
+    console.log("foo");
+
+
+  </script>
+  <style>* { display: none; }</style>
+</head>
+<body>
+  <style>div { background: red; }</style>
+  <script>"hello world"</script>
+  <div class="decoy"></div>
+  <button onclick="alert(0);"></button>
+  <a href="javascript:void(0)">link</a>
+  <div data-attr="decoy"></div>
+  <div style="position:relative;"></div>
+</body>
+</html>

package/__tests__/fixtures/multiple-scripts.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script>
+    console.log("foo");
+
+
+  </script>
+</head>
+<body>
+  <script>"hello world"</script>
+</body>
+</html>

package/__tests__/fixtures/multiple-scripts.sha256

@@ -0,0 +1,5 @@
+# element hashes
+sha256-rExzpKR08DmzriumM64x74bd6TG79uFw0RlSMdXFzO4=
+sha256-nd7+RDWyHZAUOeVG1UoUoXWjSTuf2PvzjZ6m08v3CCY=
+# attribute hashes
+#

package/__tests__/fixtures/multiple-scripts.sha384

@@ -0,0 +1,5 @@
+# element hashes
+sha384-O60SQD+smnMjcJ8RHL7sAbSOyPUWgRHBovbIAphGqPN98/Iu8mtniAogp4wIsOhW
+sha384-WmpTK6zbDiu5hx1ojbwG5VsNrqhW+OahJWEgoWt05o63pvZvCdwNIanHJLoyr3SD
+# attribute hashes
+#

package/__tests__/fixtures/multiple-scripts.sha512

@@ -0,0 +1,5 @@
+# element hashes
+sha512-MqQ+zvBvxknlz+ZyHsCJfMSsAwYLwpr4REOSr7Q6QhvkqbJFvjlbN6mHacwH7sS6GkbgoC5j+DWFzWh6coeP0g==
+sha512-qAJOafTHO8uHcv2M4vRRoaHnkd7h/xuiv+DkboPHj8WwHNcevfKTc4Wt0OqnaGuRpeKnxLXBv4VByLKSvuGZqQ==
+# attribute hashes
+#

package/__tests__/fixtures/multiple-style-attr.html

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>* { display: none; }</style>
+</head>
+<body>
+  <style>div { background: red; }</style>
+  <div class="decoy"></div>
+  <div style="position:relative;"></div>
+  <div data-attr="decoy"></div>
+</body>
+</html>

package/__tests__/fixtures/multiple-style-attr.sha256

@@ -0,0 +1,6 @@
+# element hashes
+sha256-ZRXDQAaaiAOOtUbmDL5Ty2JR8Zf1AonXn6DCmchNhvk=
+sha256-n5JetA0VmZdQj4zgyixeiOgx9wfnK2oa9/zb8+xvZks=
+# attribute hashes
+sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=
+#

package/__tests__/fixtures/multiple-style-attr.sha384

@@ -0,0 +1,6 @@
+# element hashes
+sha384-fR76DAgrmWR4v7rpv4JBvCihgpwA2GRb4b6e4o+ThYYMJ4FQLX3l+EwzySAPxzbN
+sha384-vSmTBkQfDGIq3/4cHWOHpAwAHxMhwPY/5vxKe4XCcKVmQaAN0BYDoZeZu5n0qHjS
+# attribute hashes
+sha384-YHRSKUJbAwb1DUQ5EcSZ+IOjmjTr9Bcrv8E2oHbMS45tF1M/tNHACnjgCr6L+GXc
+#

package/__tests__/fixtures/multiple-style-attr.sha512

@@ -0,0 +1,6 @@
+# element hashes
+sha512-dtOFpumNJPKES8S72UuTAXS6daEMYQKpRpCzlFAto/DHdx7fH0KK8sO9LjLpOjVWrDXE4G+MtisGdWa19wieSg==
+sha512-mZQHDGDpL2tkHm3IWxwlZQUEwzH27l1bGvq4qo/9T/Ef52z0J2TGEEeOgp8INb/fGFHk4NjteTNwDTeuqb9rrw==
+# attribute hashes
+sha512-aOZs3PhtrZbzR6+CPKnKpStcJBq1Y4lw/+SwV5pKL52hpcq5pj+tTLv7x2uegYLFIqZ89KnfhRsrVSrQ3V3XDw==
+#

package/__tests__/fixtures/multiple-style.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>* { display: none; }</style>
+</head>
+<body>
+  <style>div { background: red; }</style>
+</body>
+</html>

package/__tests__/fixtures/multiple-style.sha256

@@ -0,0 +1,5 @@
+# element hashes
+sha256-ZRXDQAaaiAOOtUbmDL5Ty2JR8Zf1AonXn6DCmchNhvk=
+sha256-n5JetA0VmZdQj4zgyixeiOgx9wfnK2oa9/zb8+xvZks=
+# attribute hashes
+#

package/__tests__/fixtures/multiple-style.sha384

@@ -0,0 +1,5 @@
+# element hashes
+sha384-fR76DAgrmWR4v7rpv4JBvCihgpwA2GRb4b6e4o+ThYYMJ4FQLX3l+EwzySAPxzbN
+sha384-vSmTBkQfDGIq3/4cHWOHpAwAHxMhwPY/5vxKe4XCcKVmQaAN0BYDoZeZu5n0qHjS
+# attribute hashes
+#

package/__tests__/fixtures/multiple-style.sha512

@@ -0,0 +1,5 @@
+# element hashes
+sha512-dtOFpumNJPKES8S72UuTAXS6daEMYQKpRpCzlFAto/DHdx7fH0KK8sO9LjLpOjVWrDXE4G+MtisGdWa19wieSg==
+sha512-mZQHDGDpL2tkHm3IWxwlZQUEwzH27l1bGvq4qo/9T/Ef52z0J2TGEEeOgp8INb/fGFHk4NjteTNwDTeuqb9rrw==
+# attribute hashes
+#

package/__tests__/fixtures/script-src.html

@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<head></head>
+<body>
+  <script src="test.js"></script>
+</body>
+</html>

package/__tests__/fixtures/single-script.html

@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<head></head>
+<body>
+  <script>"hello world"</script>
+</body>
+</html>

package/__tests__/fixtures/single-script.sha256

@@ -0,0 +1,4 @@
+# element hashes
+sha256-nd7+RDWyHZAUOeVG1UoUoXWjSTuf2PvzjZ6m08v3CCY=
+# attribute hashes
+#

package/__tests__/fixtures/single-script.sha384

@@ -0,0 +1,4 @@
+# element hashes
+sha384-WmpTK6zbDiu5hx1ojbwG5VsNrqhW+OahJWEgoWt05o63pvZvCdwNIanHJLoyr3SD
+# attribute hashes
+#

package/__tests__/fixtures/single-script.sha512

@@ -0,0 +1,4 @@
+# element hashes
+sha512-qAJOafTHO8uHcv2M4vRRoaHnkd7h/xuiv+DkboPHj8WwHNcevfKTc4Wt0OqnaGuRpeKnxLXBv4VByLKSvuGZqQ==
+# attribute hashes
+#

package/__tests__/fixtures/single-style.html

@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>* { display: none; }</style>
+</head>
+<body>
+</body>
+</html>

package/__tests__/fixtures/single-style.sha256

@@ -0,0 +1,4 @@
+# element hashes
+sha256-ZRXDQAaaiAOOtUbmDL5Ty2JR8Zf1AonXn6DCmchNhvk=
+# attribute hashes
+#

package/__tests__/fixtures/single-style.sha384

@@ -0,0 +1,4 @@
+# element hashes
+sha384-fR76DAgrmWR4v7rpv4JBvCihgpwA2GRb4b6e4o+ThYYMJ4FQLX3l+EwzySAPxzbN
+# attribute hashes
+#

package/__tests__/fixtures/single-style.sha512

@@ -0,0 +1,4 @@
+# element hashes
+sha512-dtOFpumNJPKES8S72UuTAXS6daEMYQKpRpCzlFAto/DHdx7fH0KK8sO9LjLpOjVWrDXE4G+MtisGdWa19wieSg==
+# attribute hashes
+#

package/__tests__/index.test.js

@@ -0,0 +1,195 @@
+/**
+ * Test entry
+ */
+/* eslint-env jest */
+const path = require('path');
+const fs = require('fs');
+const hashstream = require('./lib').default;
+const Vinyl = require('vinyl');
+
+require('@babel/register');
+
+function fixtures (glob) {
+  return path.join(__dirname, 'fixtures', glob);
+}
+
+function parseHashFixture (fixtureFilename) {
+  const result = {
+    elements: [],
+    attributes: [],
+    get all () {
+      return this.elements.concat(this.attributes);
+    }
+  };
+
+  try {
+    const re = /#\s*element hashes\s*(?<elements>[^#]+)#\s*attribute hashes\s*(?<attributes>[^#]+)\s*/im;
+    const m = fs.readFileSync(fixtureFilename, { encoding: 'utf8' }).match(re);
+    const elements = m?.groups?.elements;
+    const attributes = m?.groups?.attributes;
+    if (elements) {
+      result.elements.push(...elements.replace(/\s+/g, ' ').split(/\s+/).filter(h => h.length > 0));
+    }
+    if (attributes) {
+      result.attributes.push(...attributes.replace(/\s+/g, ' ').split(/\s+/).filter(h => h.length > 0));
+    }
+  }
+  catch (e) { /* ignore */ }
+
+  return result;
+}
+
+function onStreamError (err) {
+  throw new Error(err.message);
+}
+
+function onStreamFinish (expectedHashes, actualHashes, done) {
+  Object.keys(expectedHashes).forEach(what => {
+    expect(actualHashes[what].all.join(' ')).toEqual(expectedHashes[what].all.join(' '));
+    Object.keys(expectedHashes[what]).forEach(which => {
+      expect(actualHashes[what][which].length).toEqual(expectedHashes[what][which].length);
+      for (let i = 0; i < expectedHashes[what][which].length; ++i) {
+        expect(actualHashes[what][which][i]).toEqual(expectedHashes[what][which][i]);
+      }
+    });
+  });
+  done();
+}
+
+function run (name, algo, replace, {
+  hashFixtureScript = 'none',
+  hashFixtureStyle = 'none'
+} = {}, done) {
+  const srcFile = new Vinyl({
+    path: fixtures(`${name}.html`),
+    cwd: 'test/',
+    base: fixtures(''),
+    contents: fs.readFileSync(fixtures(`${name}.html`))
+  });
+
+  const scriptFixture = fixtures(`${hashFixtureScript}.${algo}`);
+  const styleFixture = fixtures(`${hashFixtureStyle}.${algo}`);
+  const expectedHashes = {
+    script: parseHashFixture(scriptFixture),
+    style: parseHashFixture(styleFixture)
+  };
+  const actualHashes = {
+    script: {
+      elements: [],
+      attributes: []
+    },
+    style: {
+      elements: [],
+      attributes: []
+    }
+  };
+  
+  const stream = hashstream({
+    algo,
+    replace,
+    callback: (path, hashes, contents) => {
+      expect(path).toEqual(fixtures(`${name}.html`));
+      if (replace) {
+        expect(contents).toEqual(srcFile.contents.toString());
+      }
+
+      Object.keys(hashes).forEach(what => {
+        Object.defineProperty(actualHashes[what], 'all', {
+          get: Object.getOwnPropertyDescriptor(hashes[what], 'all').get
+        });
+        Object.keys(hashes[what]).forEach(which => {
+          actualHashes[what][which].push(...hashes[what][which].map(x => x.replace(/'/g, '')));
+        });
+      });
+
+      return contents;
+    }
+  });
+
+  stream.on('error', onStreamError);
+  stream.on('finish', onStreamFinish.bind(null, expectedHashes, actualHashes, done));
+
+  stream.write(srcFile);
+  stream.end();
+}
+
+describe('should hash scripts correctly', () => {
+  const name = 'single-script';
+  const hashFixtureScript = name;
+  it('#sha256', done => { run(name, 'sha256', false, { hashFixtureScript }, done); });
+  it('#sha384', done => { run(name, 'sha384', false, { hashFixtureScript }, done); });
+  it('#sha512', done => { run(name, 'sha512', false, { hashFixtureScript }, done); });
+});
+
+describe('should hash styles correctly', () => {
+  const name = 'single-style';
+  const hashFixtureStyle = name;
+  it('#sha256', done => { run(name, 'sha256', false, { hashFixtureStyle }, done); });
+  it('#sha384', done => { run(name, 'sha384', false, { hashFixtureStyle }, done); });
+  it('#sha512', done => { run(name, 'sha512', false, { hashFixtureStyle }, done); });
+});
+
+describe('should hash multiple script tags', () => {
+  const name = 'multiple-scripts';
+  const hashFixtureScript = name;
+  it('#sha256', done => { run(name, 'sha256', false, { hashFixtureScript }, done); });
+  it('#sha384', done => { run(name, 'sha384', false, { hashFixtureScript }, done); });
+  it('#sha512', done => { run(name, 'sha512', false, { hashFixtureScript }, done); });
+});
+
+describe('should hash multiple style tags', () => {
+  const name = 'multiple-style';
+  const hashFixtureStyle = name;
+  it('#sha256', done => { run(name, 'sha256', false, { hashFixtureStyle }, done); });
+  it('#sha384', done => { run(name, 'sha384', false, { hashFixtureStyle }, done); });
+  it('#sha512', done => { run(name, 'sha512', false, { hashFixtureStyle }, done); });
+});
+
+describe('should ignore scripts with src attribute', () => {
+  const name = 'script-src';
+  const hashFixtureScript = name;
+  it('#sha256', done => { run(name, 'sha256', false, { hashFixtureScript }, done); });
+  it('#sha384', done => { run(name, 'sha384', false, { hashFixtureScript }, done); });
+  it('#sha512', done => { run(name, 'sha512', false, { hashFixtureScript }, done); });
+});
+
+it('should throw an exception on invalid algo', () => {
+  expect(() => hashstream({ algo: 'invalid' })).toThrow();
+});
+
+it('should throw an exception on invalid callbacks', () => {
+  expect(() => hashstream({})).toThrow();
+});
+
+describe('should hash multiple script tags and attributes', () => {
+  const name = 'multiple-scripts-attr';
+  const hashFixtureScript = name;
+  it('#sha256', done => { run(name, 'sha256', false, { hashFixtureScript }, done); });
+  it('#sha384', done => { run(name, 'sha384', false, { hashFixtureScript }, done); });
+  it('#sha512', done => { run(name, 'sha512', false, { hashFixtureScript }, done); });
+});
+
+describe('should hash multiple style tags and attributes', () => {
+  const name = 'multiple-style-attr';
+  const hashFixtureStyle = name;
+  it('#sha256', done => { run(name, 'sha256', false, { hashFixtureStyle }, done); });
+  it('#sha384', done => { run(name, 'sha384', false, { hashFixtureStyle }, done); });
+  it('#sha512', done => { run(name, 'sha512', false, { hashFixtureStyle }, done); });
+});
+
+describe('should hash multiple style tags and attributes (REPLACE OPTION)', () => {
+  const name = 'multiple-style-attr';
+  const hashFixtureStyle = name;
+  it('#sha256', done => { run(name, 'sha256', true, { hashFixtureStyle }, done); });
+  it('#sha384', done => { run(name, 'sha384', true, { hashFixtureStyle }, done); });
+  it('#sha512', done => { run(name, 'sha512', true, { hashFixtureStyle }, done); });
+});
+
+describe('should hash multiple scripts and styles, elements and attributes', () => {
+  const name = 'multiple-scripts-styles';
+  const hashFixtureScript = `${name}-script`;
+  const hashFixtureStyle = `${name}-style`;
+  it('#sha256', done => { run (name, 'sha256', false, { hashFixtureScript, hashFixtureStyle }, done); });
+  it('#sha384', done => { run (name, 'sha384', false, { hashFixtureScript, hashFixtureStyle }, done); });
+  it('#sha512', done => { run (name, 'sha512', false, { hashFixtureScript, hashFixtureStyle }, done); });
+});

package/babel.config.js

@@ -0,0 +1,11 @@
+module.exports = {
+  presets: [
+    [
+      '@babel/preset-env', {
+        targets: {
+          node: '16'
+        }
+      }
+    ]
+  ]
+};

package/dist/index.js

@@ -0,0 +1,15 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+Object.defineProperty(exports, "default", {
+  enumerable: true,
+  get: function () {
+    return _index.default;
+  }
+});
+
+var _index = _interopRequireDefault(require("./lib/index"));
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }

package/dist/lib/index.js

@@ -0,0 +1,119 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.default = hashstream;
+
+var _cheerio = _interopRequireDefault(require("cheerio"));
+
+var _through = _interopRequireDefault(require("through2"));
+
+var _crypto = _interopRequireDefault(require("crypto"));
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
+/**
+ * CSP Hashes.
+ * 
+ * Return a Vinyl transform object stream to process html files for
+ * generating the required CSP hashes for inline and attribute scripts, styles.
+ * 
+ * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
+ * Licensed under the MIT license.
+ */
+
+/**
+ * Collect all CSP Hashes and fill the given `hashes` structure.
+ *
+ * @param {Function} hashFn - Creates and formats a csp hash
+ * @param {Buffer} html - The html content
+ * @param {Object} hashes - The hash structure to fill
+ */
+function collectHashes(hashFn, html, hashes) {
+  const $ = _cheerio.default.load(html);
+
+  Object.keys(hashes).forEach(what => {
+    hashes[what].elements = $(`${what}:not([src])`).map((i, el) => hashFn($(el).html())).toArray();
+  });
+  hashes.style.attributes.push(...$('[style]').map((i, el) => hashFn($(el).attr('style'))).toArray());
+  const eventHandlerRe = /^on/i;
+  const jsUrlRe = /^javascript:/i;
+  $('*').each(function (i, el) {
+    for (const attrName in el.attribs) {
+      if (eventHandlerRe.test(attrName)) {
+        hashes.script.attributes.push(hashFn(el.attribs[attrName]));
+      }
+
+      if (jsUrlRe.test(el.attribs[attrName])) {
+        hashes.script.attributes.push(hashFn(el.attribs[attrName].split(jsUrlRe)[1]));
+      }
+    }
+  });
+}
+/**
+ * hashstream
+ * Accepts the processing options and returns the Vinyl transform object stream.
+ *
+ * @param {Object} options
+ * @param {Function} options.callback - Function to call to process the csp hashes.
+ * @param {String} [options.algo] - hash algorithm, default sha256. Can be sha384, sha512.
+ * @param {Boolean} [options.replace] - True if callback is used for meta html replacements, defaults to false.
+ * @returns Transform object stream to process Vinyl objects.
+ */
+
+
+function hashstream({
+  algo = 'sha256',
+  replace = false,
+  callback = null
+} = {}) {
+  if (!/^sha(256|384|512)$/.test(algo)) {
+    throw new Error('algo option must be one of "sha256", "sha384", or "sha512" only.');
+  }
+
+  if (typeof callback !== 'function') {
+    throw new Error('callback option must be a valid function.');
+  }
+
+  const createHash = r => _crypto.default.createHash(algo).update(r).digest('base64');
+
+  const formatHash = h => `'${algo}-${h}'`;
+
+  const makeCSPHash = s => formatHash(createHash(s));
+
+  return _through.default.obj((vinyl, enc, done) => {
+    const path = vinyl.path;
+    const content = vinyl.contents;
+    const hashes = {
+      script: {
+        elements: [],
+        attributes: [],
+
+        get all() {
+          return this.elements.concat(this.attributes);
+        }
+
+      },
+      style: {
+        elements: [],
+        attributes: [],
+
+        get all() {
+          return this.elements.concat(this.attributes);
+        }
+
+      }
+    };
+    collectHashes(makeCSPHash, content, hashes);
+
+    if (replace) {
+      const s = callback(path, hashes, content.toString());
+      vinyl.contents = Buffer.from(s, enc);
+    } else {
+      callback(path, hashes);
+    }
+
+    done(null, vinyl);
+  });
+}

package/index.js

@@ -0,0 +1,11 @@
+/**
+ * CSP Hashes.
+ * 
+ * Return a Vinyl transform object stream to process html files for
+ * generating the required CSP hashes for inline and attribute scripts, styles.
+ * 
+ * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
+ * Licensed under the MIT license.
+ */
+/* eslint-env node */
+export { default } from './lib/index';

package/jest.config.js

@@ -0,0 +1,10 @@
+module.exports = {
+  collectCoverage: true,
+  coverageDirectory: 'coverage',
+  verbose: true,
+  testEnvironment: 'node',
+  testPathIgnorePatterns: [
+    '/node_modules/',
+    '/tmp'
+  ]
+};

package/lib/index.js

@@ -0,0 +1,113 @@
+/**
+ * CSP Hashes.
+ * 
+ * Return a Vinyl transform object stream to process html files for
+ * generating the required CSP hashes for inline and attribute scripts, styles.
+ * 
+ * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
+ * Licensed under the MIT license.
+ */
+import cheerio from 'cheerio';
+import through2 from 'through2';
+import crypto from 'crypto';
+
+/**
+ * Collect all CSP Hashes and fill the given `hashes` structure.
+ *
+ * @param {Function} hashFn - Creates and formats a csp hash
+ * @param {Buffer} html - The html content
+ * @param {Object} hashes - The hash structure to fill
+ */
+function collectHashes (hashFn, html, hashes) {
+  const $ = cheerio.load(html);
+
+  Object.keys(hashes).forEach(what => {
+    hashes[what].elements = $(`${what}:not([src])`).map(
+      (i, el) => hashFn($(el).html())
+    ).toArray();
+  });
+
+  hashes.style.attributes.push(
+    ...$('[style]').map((i, el) => hashFn($(el).attr('style'))).toArray()
+  );
+
+  const eventHandlerRe = /^on/i;
+  const jsUrlRe = /^javascript:/i;
+
+  $('*').each(function (i, el) {
+    for (const attrName in el.attribs) {
+      if (eventHandlerRe.test(attrName)) {
+        hashes.script.attributes.push(
+          hashFn(el.attribs[attrName])
+        );
+      }
+      if (jsUrlRe.test(el.attribs[attrName])) {
+        hashes.script.attributes.push(
+          hashFn(el.attribs[attrName].split(jsUrlRe)[1])
+        );
+      }
+    }
+  });
+}
+
+/**
+ * hashstream
+ * Accepts the processing options and returns the Vinyl transform object stream.
+ *
+ * @param {Object} options
+ * @param {Function} options.callback - Function to call to process the csp hashes.
+ * @param {String} [options.algo] - hash algorithm, default sha256. Can be sha384, sha512.
+ * @param {Boolean} [options.replace] - True if callback is used for meta html replacements, defaults to false.
+ * @returns Transform object stream to process Vinyl objects.
+ */
+export default function hashstream ({
+  algo = 'sha256',
+  replace = false,
+  callback = null
+} = {}) {
+
+  if (!/^sha(256|384|512)$/.test(algo)) {
+    throw new Error('algo option must be one of "sha256", "sha384", or "sha512" only.');
+  }
+
+  if (typeof callback !== 'function') {
+    throw new Error('callback option must be a valid function.');
+  }
+
+  const createHash = r => crypto.createHash(algo).update(r).digest('base64');
+  const formatHash = h => `'${algo}-${h}'`;
+  const makeCSPHash = s => formatHash(createHash(s));
+
+  return through2.obj((vinyl, enc, done) => {
+    const path = vinyl.path;
+    const content = vinyl.contents;
+
+    const hashes = {
+      script: {
+        elements: [],
+        attributes: [],
+        get all () {
+          return this.elements.concat(this.attributes);
+        }
+      },
+      style: {
+        elements: [],
+        attributes: [],
+        get all () {
+          return this.elements.concat(this.attributes);
+        }
+      }
+    };
+
+    collectHashes(makeCSPHash, content, hashes);
+
+    if (replace) {
+      const s = callback(path, hashes, content.toString());
+      vinyl.contents = Buffer.from(s, enc);
+    } else {
+      callback(path, hashes);
+    }
+
+    done(null, vinyl);
+  });
+}

package/license.md

@@ -0,0 +1,8 @@
+Copyright 2022, Alex Grant, LocalNerve, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "@localnerve/csp-hashes",
+  "version": "0.1.3",
+  "description": "Flexible library to handle CSP hashes at build time",
+  "main": "dist/index.js",
+  "scripts": {
+    "lint": "eslint .",
+    "transpile": "rimraf ./dist && babel --out-dir ./dist index.js && babel --out-dir ./dist/lib ./lib",
+    "prepublishOnly": "npm run transpile",
+    "pretest": "node -e 'try{require(\"fs\").symlinkSync(\"../lib\", \"./__tests__/lib\");}catch(e){}'",
+    "test": "jest",
+    "test:debug": "node --inspect-brk ./node_modules/.bin/jest"
+  },
+  "devDependencies": {
+    "@babel/cli": "^7.17.6",
+    "@babel/preset-env": "^7.16.11",
+    "@babel/register": "^7.17.7",
+    "coveralls": "^3.1.1",
+    "eslint": "^8.11.0",
+    "jest": "^27.5.1",
+    "rimraf": "^3.0.2",
+    "vinyl": "^2.2.1"
+  },
+  "dependencies": {
+    "cheerio": "^1.0.0-rc.3",
+    "through2": "^4.0.2"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/localnerve/csp-hashes.git"
+  },
+  "keywords": [
+    "CSP",
+    "hashes",
+    "gulp"
+  ],
+  "author": "Alex Grant <alex@localnerve.com>",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/localnerve/csp-hashes/issues"
+  },
+  "homepage": "https://github.com/localnerve/csp-hashes#readme",
+  "engines": {
+    "node": "14 - 16"
+  }
+}

package/readme.md

@@ -0,0 +1,129 @@
+# csp-hashes
+
+> Flexible build library to generate script and style hashes for CSP headers or meta tags
+
+[![npm version](https://badge.fury.io/js/%40localnerve%2Fcsp-hashes.svg)](https://badge.fury.io/js/%40localnerve%2Fcsp-hashes)
+![Verify](https://github.com/localnerve/csp-hashes/workflows/Verify/badge.svg)
+[![Coverage Status](https://coveralls.io/repos/github/localnerve/csp-hashes/badge.svg?branch=main)](https://coveralls.io/github/localnerve/csp-hashes?branch=main)
+
+## Contents
++ [Overview](#overview)
++ [API](#API)
+  + [Options](#options)
+    + [Callback Function](#callback-function)
+    + [Callback Hashes Object](#callback-hashes-object)
++ [Example Usage](#example-usage)
+  + [CSP Headers](#build-step-to-maintain-csp-headers)
+  + [Meta Tag](#build-step-to-maintain-csp-meta-tags)
++ [MIT License](#license)
+
+## Overview
+This library generates script and style inline element and attribute hashes. It is for use in the generation of HTTP content security policy (CSP) headers or to replace/update Meta tags as a website build step.
+
+## API
+This library exports a single function that takes options and returns a transform stream in object mode that operates on [Vinyl](https://github.com/gulpjs/vinyl) objects in [Gulp](https://github.com/gulpjs/gulp). The only required option is a [`callback`](#callback-function) function.
+
+```
+Stream hashstream ({
+  callback,
+  replace = false,
+  algo = 'sha256'
+})
+```
+
+### Options
+
++ {Function} **callback** - Required - A [function](#callback-function) to process the hashes. Receives file contents and must return new file contents if `replace` option is true.
++ {Boolean} **\[replace\]** - Optional - Defaults to `false`, set to true to indicate your `callback` function returns new file contents to replace the original.
++ {String} **\[algo\]** - Optional - Defaults to `'sha256'`, can be one of 'sha256', 'sha384' or 'sha512'.
+
+
+#### Callback Function
+A callback function is required to process the CSP hashes collected by this library for your build.
+
+```
+callback(path, hashes[, contents])
+```
+
++ {String} **path** - The local filesystem path to the original file. Use to create your own rules and/or a path to the web resource for writing header rules.
++ {Object} **hashes** - The script and style inline element and attribute hashes for the current file. See object [format](callback-hashes-object) for details.
++ {String} **\[contents\]** - The original file contents. Only sent if the `replace` option is true, in which case you **must** return new file contents.
+
+##### Callback Hashes Object
+The callback hashes object contains all of the inline element and attribute hashes for scripts and styles in the current file being processed. The object has the following format:
+
+```javascript
+// `hashes` object:
+{
+  script: {
+    elements: [],
+    attributes: [],
+    get all () {
+      return this.elements.concat(this.attributes);
+    }
+  },
+  style: {
+    elements: [],
+    attributes: [],
+    get all () {
+      return this.elements.concat(this.attributes);
+    }
+  }
+}
+```
+The object structure allows you to direct the hashes to any CSP header directive layout you might use. You can use `script-src` or `style-src` alone and concatenate the element and attribute hashes together into one list using the `all` getter property, or you can use `script-src-attr` and `style-src-attr` separately, whatever is a more secure/optimal policy for your situation.  
+**NOTE**  
+The `hashes` object structure is always the same. If there are no elements or attributes of script or style in the current file, the arrays are just empty (not null).
+
+## Example Usage
+
+### Build Step to Maintain CSP Headers
+In this example, a build step gets the hashes for every html file under the `dist` directory, then for each html file, updates the header rules for the host service being deployed to.
+
+```javascript
+import gulp from 'gulp';
+import hashstream from '@localnerve/csp-hashes';
+import { cspHeaderRules } from './host-header-rules';
+
+export function cspHeaders (settings) {
+  const { dist } = settings;
+
+  return gulp.src(`${dist}/**/*.html`)
+    .pipe(hashstream({
+      callback: (path, hashes) => {
+        const webPath = path.replace(dist, '');
+        cspHeaderRules.updateHashes(webPath, 'script-src', hashes.script.elements.join(' '));
+        cspHeaderRules.updateHashes(webPath, 'script-src-attr', hashes.script.attributes.join(' '));
+        cspHeaderRules.updateHashes(webPath, 'style-src', hashes.style.elements.join(' '));
+        cspHeaderRules.updateHashes(webPath, 'style-src-attr', hashes.style.attributes.join(' '));
+      }
+    }))
+}
+```
+
+### Build Step to Maintain CSP Meta Tags
+In this example, a build step gets the hashes for every html file under the `dist` directory, then updates each html file's meta tags to include the hashes after 'self', preserving any other rules before it. This example uses the `all` property to get the combined element and attribute hashes together.
+
+```javascript
+import gulp from 'gulp';
+import hashstream from '@localnerve/csp-hashes';
+
+export function cspMetaTags (settings) {
+  const { dist } = settings;
+
+  return gulp.src(`${dist}/**/*.html`)
+    .pipe(hashstream({
+      replace: true,
+      callback: (p /* not used */, hashes, contents) => {
+        return contents
+          .replace(/script-src (.+) 'self'/, `script-src $1 'self' ${hashes.script.all.join(' ')}`)
+          .replace(/style-src (.+) 'self'/, `style-src $1 'self' ${hashes.style.all.join(' ')}`);
+      }
+    }))
+    .pipe(gulp.dest(dist));
+}
+```
+
+## LICENSE
+
+* [MIT, Alex Grant, LocalNerve, LLC](license.md)