@localnerve/csp-hashes 1.0.2 → 2.0.0

package/dist/cjs/index.js

@@ -0,0 +1,24 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+Object.defineProperty(exports, "default", {
+  enumerable: true,
+  get: function () {
+    return _index.hashstream;
+  }
+});
+Object.defineProperty(exports, "hashstream", {
+  enumerable: true,
+  get: function () {
+    return _index.hashstream;
+  }
+});
+Object.defineProperty(exports, "removeCspMeta", {
+  enumerable: true,
+  get: function () {
+    return _index.removeCspMeta;
+  }
+});
+var _index = require("./lib/index.js");

package/dist/cjs/lib/index.js

@@ -0,0 +1,111 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.default = exports.hashstream = hashstream;
+Object.defineProperty(exports, "removeCspMeta", {
+  enumerable: true,
+  get: function () {
+    return _removeCspMeta.removeCspMeta;
+  }
+});
+var _stream = require("stream");
+var _crypto = _interopRequireDefault(require("crypto"));
+var _cheerio = _interopRequireDefault(require("cheerio"));
+var _removeCspMeta = require("./removeCspMeta.js");
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+/**
+ * CSP Hashes.
+ * 
+ * Return a Vinyl transform object stream to process html files for
+ * generating the required CSP hashes for inline and attribute scripts, styles.
+ * 
+ * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
+ * Licensed under the MIT license.
+ */
+
+/**
+ * Collect all CSP Hashes and fill the given `hashes` structure.
+ *
+ * @param {Function} hashFn - Creates and formats a csp hash
+ * @param {Buffer} html - The html content
+ * @param {Object} hashes - The hash structure to fill
+ */
+function collectHashes(hashFn, html, hashes) {
+  const $ = _cheerio.default.load(html);
+  Object.keys(hashes).forEach(what => {
+    hashes[what].elements = $(`${what}:not([src])`).map((i, el) => hashFn($(el).html())).toArray();
+  });
+  hashes.style.attributes.push(...$('[style]').map((i, el) => hashFn($(el).attr('style'))).toArray());
+  const eventHandlerRe = /^on/i;
+  const jsUrlRe = /^javascript:/i;
+  $('*').each(function (i, el) {
+    for (const attrName in el.attribs) {
+      if (eventHandlerRe.test(attrName)) {
+        hashes.script.attributes.push(hashFn(el.attribs[attrName]));
+      }
+      if (jsUrlRe.test(el.attribs[attrName])) {
+        hashes.script.attributes.push(hashFn(el.attribs[attrName].split(jsUrlRe)[1]));
+      }
+    }
+  });
+}
+
+/**
+ * hashstream
+ * Accepts the processing options and returns the Vinyl transform object stream.
+ *
+ * @param {Object} options
+ * @param {Function} options.callback - Function to call to process the csp hashes.
+ * @param {String} [options.algo] - hash algorithm, default sha256. Can be sha384, sha512.
+ * @param {Boolean} [options.replace] - True if callback is used for meta html replacements, defaults to false.
+ * @returns Transform object stream to process Vinyl objects.
+ */
+function hashstream({
+  algo = 'sha256',
+  replace = false,
+  callback = null
+} = {}) {
+  if (!/^sha(256|384|512)$/.test(algo)) {
+    throw new Error('algo option must be one of "sha256", "sha384", or "sha512" only.');
+  }
+  if (typeof callback !== 'function') {
+    throw new Error('callback option must be a valid function.');
+  }
+  const createHash = r => _crypto.default.createHash(algo).update(r).digest('base64');
+  const formatHash = h => `'${algo}-${h}'`;
+  const makeCSPHash = s => formatHash(createHash(s));
+  const transformObjectStream = new _stream.Transform({
+    objectMode: true,
+    transform: (vinyl, enc, done) => {
+      const path = vinyl.path;
+      const content = vinyl.contents;
+      const hashes = {
+        script: {
+          elements: [],
+          attributes: [],
+          get all() {
+            return this.elements.concat(this.attributes);
+          }
+        },
+        style: {
+          elements: [],
+          attributes: [],
+          get all() {
+            return this.elements.concat(this.attributes);
+          }
+        }
+      };
+      collectHashes(makeCSPHash, content, hashes);
+      if (replace) {
+        const s = callback(path, hashes, content.toString());
+        vinyl.contents = Buffer.from(s, enc);
+      } else {
+        callback(path, hashes);
+      }
+      done(null, vinyl);
+    }
+  });
+  return transformObjectStream;
+}

package/dist/cjs/lib/removeCspMeta.js

@@ -0,0 +1,35 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.default = exports.removeCspMeta = removeCspMeta;
+var _stream = require("stream");
+/**
+ * removeCspMeta.js
+ * 
+ * A convenience method to remove the content of a Content-Security-Policy in a meta tag.
+ * Useful for development builds that need to ignore CSP meta tags.
+ * 
+ * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
+ * Licensed under the MIT license.
+ */
+
+function removeCspMeta() {
+  return new _stream.Transform({
+    objectMode: true,
+    transform: (vinyl, enc, done) => {
+      var _vinyl$contents;
+      let e = null;
+      const input = vinyl === null || vinyl === void 0 ? void 0 : (_vinyl$contents = vinyl.contents) === null || _vinyl$contents === void 0 ? void 0 : _vinyl$contents.toString();
+      if (input) {
+        const output = input.replace(/("?Content-Security-Policy"?)(\s+)(content=")([^"]+)"/i, '$1$2$3$2"');
+        vinyl.contents = Buffer.from(output, enc);
+      } else {
+        e = new Error('removeCspMeta could not get Vinyl object file contents');
+        e.errorCode = 'EBADINPUT';
+      }
+      done(e, vinyl);
+    }
+  });
+}

package/dist/index.js

@@ -1,18 +1,11 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-Object.defineProperty(exports, "default", {
-  enumerable: true,
-  get: function () {
-    return _index.hashstream;
-  }
-});
-Object.defineProperty(exports, "hashstream", {
-  enumerable: true,
-  get: function () {
-    return _index.hashstream;
-  }
-});
-var _index = require("./lib/index.js");
+/**
+ * CSP Hashes.
+ * 
+ * Return a Vinyl transform object stream to process html files for
+ * generating the required CSP hashes for inline and attribute scripts, styles.
+ * 
+ * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
+ * Licensed under the MIT license.
+ */
+/* eslint-env node */
+export { hashstream as default, hashstream, removeCspMeta } from './lib/index.js';

package/dist/lib/index.js

@@ -1,13 +1,3 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.default = exports.hashstream = hashstream;
-var _cheerio = _interopRequireDefault(require("cheerio"));
-var _through = _interopRequireDefault(require("through2"));
-var _crypto = _interopRequireDefault(require("crypto"));
-function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 /**
  * CSP Hashes.
  * 
@@ -17,6 +7,10 @@ function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { de
  * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
  * Licensed under the MIT license.
  */
+import { Transform } from 'stream';
+import crypto from 'crypto';
+import cheerio from 'cheerio';
+export { removeCspMeta } from './removeCspMeta.js';
 
 /**
  * Collect all CSP Hashes and fill the given `hashes` structure.
@@ -25,21 +19,33 @@ function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { de
  * @param {Buffer} html - The html content
  * @param {Object} hashes - The hash structure to fill
  */
-function collectHashes(hashFn, html, hashes) {
-  const $ = _cheerio.default.load(html);
+function collectHashes (hashFn, html, hashes) {
+  const $ = cheerio.load(html);
+
   Object.keys(hashes).forEach(what => {
-    hashes[what].elements = $(`${what}:not([src])`).map((i, el) => hashFn($(el).html())).toArray();
+    hashes[what].elements = $(`${what}:not([src])`).map(
+      (i, el) => hashFn($(el).html())
+    ).toArray();
   });
-  hashes.style.attributes.push(...$('[style]').map((i, el) => hashFn($(el).attr('style'))).toArray());
+
+  hashes.style.attributes.push(
+    ...$('[style]').map((i, el) => hashFn($(el).attr('style'))).toArray()
+  );
+
   const eventHandlerRe = /^on/i;
   const jsUrlRe = /^javascript:/i;
+
   $('*').each(function (i, el) {
     for (const attrName in el.attribs) {
       if (eventHandlerRe.test(attrName)) {
-        hashes.script.attributes.push(hashFn(el.attribs[attrName]));
+        hashes.script.attributes.push(
+          hashFn(el.attribs[attrName])
+        );
       }
       if (jsUrlRe.test(el.attribs[attrName])) {
-        hashes.script.attributes.push(hashFn(el.attribs[attrName].split(jsUrlRe)[1]));
+        hashes.script.attributes.push(
+          hashFn(el.attribs[attrName].split(jsUrlRe)[1])
+        );
       }
     }
   });
@@ -55,46 +61,61 @@ function collectHashes(hashFn, html, hashes) {
  * @param {Boolean} [options.replace] - True if callback is used for meta html replacements, defaults to false.
  * @returns Transform object stream to process Vinyl objects.
  */
-function hashstream({
+export function hashstream ({
   algo = 'sha256',
   replace = false,
   callback = null
 } = {}) {
+
   if (!/^sha(256|384|512)$/.test(algo)) {
     throw new Error('algo option must be one of "sha256", "sha384", or "sha512" only.');
   }
+
   if (typeof callback !== 'function') {
     throw new Error('callback option must be a valid function.');
   }
-  const createHash = r => _crypto.default.createHash(algo).update(r).digest('base64');
+
+  const createHash = r => crypto.createHash(algo).update(r).digest('base64');
   const formatHash = h => `'${algo}-${h}'`;
   const makeCSPHash = s => formatHash(createHash(s));
-  return _through.default.obj((vinyl, enc, done) => {
-    const path = vinyl.path;
-    const content = vinyl.contents;
-    const hashes = {
-      script: {
-        elements: [],
-        attributes: [],
-        get all() {
-          return this.elements.concat(this.attributes);
-        }
-      },
-      style: {
-        elements: [],
-        attributes: [],
-        get all() {
-          return this.elements.concat(this.attributes);
+
+  const transformObjectStream = new Transform({
+    objectMode: true,
+    transform: (vinyl, enc, done) => {
+      const path = vinyl.path;
+      const content = vinyl.contents;
+  
+      const hashes = {
+        script: {
+          elements: [],
+          attributes: [],
+          get all () {
+            return this.elements.concat(this.attributes);
+          }
+        },
+        style: {
+          elements: [],
+          attributes: [],
+          get all () {
+            return this.elements.concat(this.attributes);
+          }
         }
+      };
+  
+      collectHashes(makeCSPHash, content, hashes);
+  
+      if (replace) {
+        const s = callback(path, hashes, content.toString());
+        vinyl.contents = Buffer.from(s, enc);
+      } else {
+        callback(path, hashes);
       }
-    };
-    collectHashes(makeCSPHash, content, hashes);
-    if (replace) {
-      const s = callback(path, hashes, content.toString());
-      vinyl.contents = Buffer.from(s, enc);
-    } else {
-      callback(path, hashes);
+  
+      done(null, vinyl);
     }
-    done(null, vinyl);
   });
-}
+
+  return transformObjectStream;
+}
+
+export { hashstream as default }

package/dist/lib/removeCspMeta.js

@@ -0,0 +1,32 @@
+/**
+ * removeCspMeta.js
+ * 
+ * A convenience method to remove the content of a Content-Security-Policy in a meta tag.
+ * Useful for development builds that need to ignore CSP meta tags.
+ * 
+ * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
+ * Licensed under the MIT license.
+ */
+import { Transform } from 'stream';
+
+export function removeCspMeta () {
+  return new Transform({
+    objectMode: true,
+    transform: (vinyl, enc, done) => {
+      let e = null;
+      const input = vinyl?.contents?.toString();
+      if (input) {
+        const output = input.replace(
+          /("?Content-Security-Policy"?)(\s+)(content=")([^"]+)"/i, '$1$2$3$2"'
+        );
+        vinyl.contents = Buffer.from(output, enc);
+      } else {
+        e = new Error('removeCspMeta could not get Vinyl object file contents');
+        e.errorCode = 'EBADINPUT';
+      }
+      done(e, vinyl);
+    }
+  });
+}
+
+export { removeCspMeta as default }

package/{dist/index.mjs → index.js}

@@ -8,4 +8,4 @@
  * Licensed under the MIT license.
  */
 /* eslint-env node */
-export { hashstream as default, hashstream } from './lib/index.js';
+export { hashstream as default, hashstream, removeCspMeta } from './lib/index.js';

package/lib/index.js

@@ -0,0 +1,121 @@
+/**
+ * CSP Hashes.
+ * 
+ * Return a Vinyl transform object stream to process html files for
+ * generating the required CSP hashes for inline and attribute scripts, styles.
+ * 
+ * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
+ * Licensed under the MIT license.
+ */
+import { Transform } from 'stream';
+import crypto from 'crypto';
+import cheerio from 'cheerio';
+export { removeCspMeta } from './removeCspMeta.js';
+
+/**
+ * Collect all CSP Hashes and fill the given `hashes` structure.
+ *
+ * @param {Function} hashFn - Creates and formats a csp hash
+ * @param {Buffer} html - The html content
+ * @param {Object} hashes - The hash structure to fill
+ */
+function collectHashes (hashFn, html, hashes) {
+  const $ = cheerio.load(html);
+
+  Object.keys(hashes).forEach(what => {
+    hashes[what].elements = $(`${what}:not([src])`).map(
+      (i, el) => hashFn($(el).html())
+    ).toArray();
+  });
+
+  hashes.style.attributes.push(
+    ...$('[style]').map((i, el) => hashFn($(el).attr('style'))).toArray()
+  );
+
+  const eventHandlerRe = /^on/i;
+  const jsUrlRe = /^javascript:/i;
+
+  $('*').each(function (i, el) {
+    for (const attrName in el.attribs) {
+      if (eventHandlerRe.test(attrName)) {
+        hashes.script.attributes.push(
+          hashFn(el.attribs[attrName])
+        );
+      }
+      if (jsUrlRe.test(el.attribs[attrName])) {
+        hashes.script.attributes.push(
+          hashFn(el.attribs[attrName].split(jsUrlRe)[1])
+        );
+      }
+    }
+  });
+}
+
+/**
+ * hashstream
+ * Accepts the processing options and returns the Vinyl transform object stream.
+ *
+ * @param {Object} options
+ * @param {Function} options.callback - Function to call to process the csp hashes.
+ * @param {String} [options.algo] - hash algorithm, default sha256. Can be sha384, sha512.
+ * @param {Boolean} [options.replace] - True if callback is used for meta html replacements, defaults to false.
+ * @returns Transform object stream to process Vinyl objects.
+ */
+export function hashstream ({
+  algo = 'sha256',
+  replace = false,
+  callback = null
+} = {}) {
+
+  if (!/^sha(256|384|512)$/.test(algo)) {
+    throw new Error('algo option must be one of "sha256", "sha384", or "sha512" only.');
+  }
+
+  if (typeof callback !== 'function') {
+    throw new Error('callback option must be a valid function.');
+  }
+
+  const createHash = r => crypto.createHash(algo).update(r).digest('base64');
+  const formatHash = h => `'${algo}-${h}'`;
+  const makeCSPHash = s => formatHash(createHash(s));
+
+  const transformObjectStream = new Transform({
+    objectMode: true,
+    transform: (vinyl, enc, done) => {
+      const path = vinyl.path;
+      const content = vinyl.contents;
+  
+      const hashes = {
+        script: {
+          elements: [],
+          attributes: [],
+          get all () {
+            return this.elements.concat(this.attributes);
+          }
+        },
+        style: {
+          elements: [],
+          attributes: [],
+          get all () {
+            return this.elements.concat(this.attributes);
+          }
+        }
+      };
+  
+      collectHashes(makeCSPHash, content, hashes);
+  
+      if (replace) {
+        const s = callback(path, hashes, content.toString());
+        vinyl.contents = Buffer.from(s, enc);
+      } else {
+        callback(path, hashes);
+      }
+  
+      done(null, vinyl);
+    }
+  });
+
+  return transformObjectStream;
+}
+
+export { hashstream as default }

package/lib/removeCspMeta.js

@@ -0,0 +1,32 @@
+/**
+ * removeCspMeta.js
+ * 
+ * A convenience method to remove the content of a Content-Security-Policy in a meta tag.
+ * Useful for development builds that need to ignore CSP meta tags.
+ * 
+ * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
+ * Licensed under the MIT license.
+ */
+import { Transform } from 'stream';
+
+export function removeCspMeta () {
+  return new Transform({
+    objectMode: true,
+    transform: (vinyl, enc, done) => {
+      let e = null;
+      const input = vinyl?.contents?.toString();
+      if (input) {
+        const output = input.replace(
+          /("?Content-Security-Policy"?)(\s+)(content=")([^"]+)"/i, '$1$2$3$2"'
+        );
+        vinyl.contents = Buffer.from(output, enc);
+      } else {
+        e = new Error('removeCspMeta could not get Vinyl object file contents');
+        e.errorCode = 'EBADINPUT';
+      }
+      done(e, vinyl);
+    }
+  });
+}
+
+export { removeCspMeta as default }

package/package.json

@@ -1,34 +1,34 @@
 {
   "name": "@localnerve/csp-hashes",
-  "version": "1.0.2",
+  "version": "2.0.0",
   "description": "Flexible library to generate CSP hashes",
   "main": "dist/index.js",
+  "type": "module",
   "exports": {
-    "import": "./dist/index.mjs",
-    "require": "./dist/index.js",
+    "import": "./dist/index.js",
+    "require": "./dist/cjs/index.js",
     "default": "./dist/index.js"
   },
   "scripts": {
     "lint": "eslint .",
-    "transpile": "rimraf ./dist && babel --out-dir ./dist index.js && babel --out-dir ./dist/lib ./lib",
-    "prepublishBuild": "node -e 'try{require(\"fs\").copyFileSync(\"./index.js\", \"./dist/index.mjs\");}catch(e){}'",
-    "prepublishOnly": "npm run transpile && npm run prepublishBuild",
+    "transpile": "babel --out-dir ./dist/cjs index.js && babel --out-dir ./dist/cjs/lib ./lib",
+    "preprepublishOnly": "rimraf ./dist && npm run transpile",
+    "prepublishOnly": "node -e 'require(\"fs\").copyFileSync(\"./index.js\", \"./dist/index.js\");'",
+    "postprepublishOnly": "node -e 'require(\"fs\").cpSync(\"./lib\", \"./dist/lib\", {recursive: true});'",
     "pretest": "node -e 'try{require(\"fs\").symlinkSync(\"../lib\", \"./__tests__/lib\");}catch(e){}'",
     "test": "jest",
     "test:debug": "node --inspect-brk ./node_modules/.bin/jest"
   },
   "devDependencies": {
     "@babel/cli": "^7.19.3",
-    "@babel/preset-env": "^7.19.4",
-    "@babel/register": "^7.18.9",
-    "eslint": "^8.26.0",
-    "jest": "^29.2.2",
+    "@babel/preset-env": "^7.20.2",
+    "eslint": "^8.30.0",
+    "jest": "^29.3.1",
     "rimraf": "^3.0.2",
     "vinyl": "^2.2.1"
   },
   "dependencies": {
-    "cheerio": "^1.0.0-rc.12",
-    "through2": "^4.0.2"
+    "cheerio": "^1.0.0-rc.12"
   },
   "repository": {
     "type": "git",

package/readme.md

@@ -24,7 +24,9 @@ This Nodejs library generates script and style inline element and attribute hash
 + NodeJS 14+
 
 ## API
-This library exports a single function that takes options and returns a transform stream in object mode. The transform stream operates on [Vinyl](https://github.com/gulpjs/vinyl) objects or a compatible file object with `path` and `contents` properties. The only required option is a [`callback`](#callback-function) function.
+
+### hashstream (also the default export)
+This library exports a function that takes options and returns a transform stream in object mode. The transform stream operates on [Vinyl](https://github.com/gulpjs/vinyl) objects or a compatible file object with `path` and `contents` properties. The only required option is a [`callback`](#callback-function) function.
 
 ```
 Stream hashstream ({
@@ -34,7 +36,14 @@ Stream hashstream ({
 })
 ```
 
-### Options
+### removeCspMeta
+This library also exports a convenience helper method, `removeCspMeta` that is useful for some types of development builds. This method takes no options and returns a stream that operates on [Vinyl](https://github.com/gulpjs/vinyl) objects and removes any `Content-Security-Policy` content found in the files.
+
+```
+Stream removeCspMeta ()
+```
+
+### Hashstream Options
 
 + {Function} **callback** - Required - A [function](#callback-function) to process the hashes. Receives file contents and must return new file contents if `replace` option is true.
 + {Boolean} **\[replace\]** - Optional - Defaults to `false`, set to true to indicate your `callback` function returns new file contents to replace the original.
@@ -129,6 +138,22 @@ export function cspMetaTags (settings) {
 }
 ```
 
+### Build Step to Remove CSP Meta Tag Content
+In this example, a build step removes any content from a `Content-Security-Policy` in a development build that wishes to ignore it.
+
+```javascript
+import gulp from 'gulp';
+import { removeCspMeta } from '@localnerve/csp-hashes';
+
+export function stripCspMetaContents (settings) {
+  const { dist } = settings;
+
+  return gulp.src(`${dist}/**/*.html`)
+    .pipe(removeCspMeta())
+    .pipe(gulp.dest(dist));
+}
+```
+
 ## LICENSE
 
 * [MIT, Alex Grant, LocalNerve, LLC](license.md)