Merge pull request #347 from Baroshem/chore/1.1.0

Chore/1.1.0
Baroshem · Feb 1, 2024 · 11dc2d5 · 11dc2d5
2 parents ef27a76 + e485692
commit 11dc2d5
Show file tree

Hide file tree

Showing 31 changed files with 335 additions and 71 deletions.
diff --git a/.stackblitz/package.json b/.stackblitz/package.json
@@ -11,6 +11,6 @@
     "nuxt": "3.9.3"
   },
   "dependencies": {
-    "nuxt-security": "^1.0.1"
+    "nuxt-security": "^1.1.0"
   }
 }
diff --git a/.stackblitz/yarn.lock b/.stackblitz/yarn.lock
@@ -1183,7 +1183,7 @@
   dependencies:
     "@rollup/pluginutils" "^5.0.2"
 
-"@rollup/pluginutils@^4.0.0", "@rollup/pluginutils@^4.2.1":
+"@rollup/pluginutils@^4.0.0":
   version "4.2.1"
   resolved "https://registry.yarnpkg.com/@rollup/pluginutils/-/pluginutils-4.2.1.tgz#e6c6c3aba0744edce3fb2074922d3776c0af2a6d"
   integrity sha512-iKnFXr7NkdZAIHiIWE+BX5ULi/ucVFYWD6TbAV+rZctiRTY2PL6tsIKhoIOaoskiWAkgu+VsbXgUVDNLHf+InQ==
@@ -3574,13 +3574,6 @@ magic-string-ast@^0.3.0:
   dependencies:
     magic-string "^0.30.2"
 
-magic-string@^0.26.3:
-  version "0.26.7"
-  resolved "https://registry.yarnpkg.com/magic-string/-/magic-string-0.26.7.tgz#caf7daf61b34e9982f8228c4527474dac8981d6f"
-  integrity sha512-hX9XH3ziStPoPhJxLq1syWuZMxbDvGNbVchfrdCtanC7D13888bMFow61x8axrx+GfHLtVeAx2kxL7tTGRl+Ow==
-  dependencies:
-    sourcemap-codec "^1.4.8"
-
 magic-string@^0.30.0, magic-string@^0.30.2, magic-string@^0.30.3, magic-string@^0.30.4, magic-string@^0.30.5:
   version "0.30.5"
   resolved "https://registry.yarnpkg.com/magic-string/-/magic-string-0.30.5.tgz#1994d980bd1c8835dc6e78db7cbd4ae4f24746f9"
@@ -4108,18 +4101,18 @@ nuxt-csurf@^1.3.1:
     defu "^6.1.1"
     uncsrf "^1.1.1"
 
-nuxt-security@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/nuxt-security/-/nuxt-security-1.0.1.tgz#a98a5b8636e46c6ff97bc7ec104d03b4c58aee0f"
-  integrity sha512-GT504TFIJn0sM6yhdiUIf5EXoakYir0zs/2KO4uLqcP6XyX7FDj/SW0D3r8EvK80peL2dPvcWRmYRaqo1vPU2g==
+nuxt-security@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/nuxt-security/-/nuxt-security-1.1.0.tgz#ccb5600cbb835a4523fe22f89b7fd23a6544a287"
+  integrity sha512-nsvdUQbHjpGPNRUYi+ZDB5yUGL7rjTIhTxpuZwqxJuOPwAbw19S2DlgE+HTxn9CmzTCv8231lEhpD5G/Y4uG7g==
   dependencies:
     "@nuxt/kit" "^3.8.0"
     basic-auth "^2.0.1"
     cheerio "^1.0.0-rc.12"
     defu "^6.1.1"
     nuxt-csurf "^1.3.1"
     pathe "^1.0.0"
-    unplugin-remove "^0.1.6"
+    unplugin-remove "^0.1.7"
     xss "^1.0.14"
 
 nuxt@3.9.3:
@@ -5101,11 +5094,6 @@ source-map@^0.7.4:
   resolved "https://registry.yarnpkg.com/source-map/-/source-map-0.7.4.tgz#a9bbe705c9d8846f4e08ff6765acf0f1b0898656"
   integrity sha512-l3BikUxvPOcn5E74dZiq5BGsTb5yEwhaTSzccU6t4sDOH8NWJCstKO5QT2CvtFoK6F0saL7p9xHAqHOlCPJygA==
 
-sourcemap-codec@^1.4.8:
-  version "1.4.8"
-  resolved "https://registry.yarnpkg.com/sourcemap-codec/-/sourcemap-codec-1.4.8.tgz#ea804bd94857402e6992d05a38ef1ae35a9ab4c4"
-  integrity sha512-9NykojV5Uih4lgo5So5dtw+f0JgJX30KCNI8gwhz2J9A15wD0Ml6tjHKwf6fTSa6fAdVBdZeNOs9eJ71qCk8vA==
-
 spdx-correct@^3.0.0:
   version "3.2.0"
   resolved "https://registry.yarnpkg.com/spdx-correct/-/spdx-correct-3.2.0.tgz#4f5ab0668f0059e34f9c00dce331784a12de4e9c"
@@ -5517,14 +5505,14 @@ universalify@^2.0.0:
   resolved "https://registry.yarnpkg.com/universalify/-/universalify-2.0.0.tgz#75a4984efedc4b08975c5aeb73f530d02df25717"
   integrity sha512-hAZsKq7Yy11Zu1DE0OzWjw7nnLZmJZYTDZZyEFHZdUhV8FkH5MCfoU1XMaxXovpyW5nq5scPqq0ZDP9Zyl04oQ==
 
-unplugin-remove@^0.1.6:
-  version "0.1.6"
-  resolved "https://registry.yarnpkg.com/unplugin-remove/-/unplugin-remove-0.1.6.tgz#0b3d0a77ef2061de8a85cc239a5ba7f5c64d535d"
-  integrity sha512-/jwD4+ZzeBGC32Rx7m59FOhqALmtLsTeabFwaYM8yQMVaVO8un8AQxZi3YFJirPzJgEW43e5/wQpze8z/WwOxA==
+unplugin-remove@^0.1.7:
+  version "0.1.7"
+  resolved "https://registry.yarnpkg.com/unplugin-remove/-/unplugin-remove-0.1.7.tgz#0ee1b14963a6c186f5f263224b7085bf260913a5"
+  integrity sha512-7BaEfgR/hMQRgaN++RAILeq9/wBrJPqCLRsQH+ow8979s2TE3TAFE4rQRmMUPcJ/w4ccsVSLepwGbimLMkQjyA==
   dependencies:
-    "@rollup/pluginutils" "^4.2.1"
-    magic-string "^0.26.3"
-    unplugin "^1.5.0"
+    "@rollup/pluginutils" "^5.1.0"
+    magic-string "^0.30.5"
+    unplugin "^1.5.1"
 
 unplugin-vue-router@^0.7.0:
   version "0.7.0"

diff --git a/docs/content/0.index.md b/docs/content/0.index.md
@@ -92,7 +92,7 @@ cta:
 Nuxt Security solves several security issues automatically by implementing Headers and Middleware accordingly to OWASP & OWASP Top 10 documents. For others, it provides optional middleware that will help you handle more advanced cases like Cross Site Request Forgery.
 
 #support
-:video-player{src="https://www.youtube.com/watch?v=8RDPrptc9uU"}
+:video-player{src="https://www.youtube.com/watch?v=sJVeU0KGmv4"}
 ::
 
 

diff --git a/docs/content/1.documentation/1.getting-started/2.configuration.md b/docs/content/1.documentation/1.getting-started/2.configuration.md
@@ -98,7 +98,6 @@ security: {
     preflight: {
       statusCode: 204
     },
-    throwError: true
   },
   allowedMethodsRestricter: {
     methods: '*',

diff --git a/docs/content/1.documentation/1.getting-started/3.usage.md b/docs/content/1.documentation/1.getting-started/3.usage.md
@@ -169,3 +169,37 @@ export default defineNuxtConfig({
   }
 })
 ```
+
+## Runtime configuration
+
+If you need to change the headers configuration at runtime, it is possible to do it through `nuxt-security:headers` hook.
+
+### Enabling the option
+
+This feature is optional, you can enable it with
+
+```ts
+export default defineNuxtConfig({
+    modules: ['nuxt-security'],
+    security: {
+        runtimeHooks: true
+    }
+})
+```
+
+### Usage
+
+Within your nitro plugin. You can override the previous configuration of a route with `nuxt-security:headers`.
+
+```ts
+export default defineNitroPlugin((nitroApp) => {
+    nitroApp.hooks.hook('nuxt-security:ready', () => {
+        nitroApp.hooks.callHook('nuxt-security:headers', '/**' ,{
+            contentSecurityPolicy: {
+                "script-src": ["'self'", "'unsafe-inline'"],
+            },
+            xFrameOptions: false
+        })
+    })
+})
+```
diff --git a/docs/content/1.documentation/2.headers/3.crossOriginEmbedderPolicy.md b/docs/content/1.documentation/2.headers/3.crossOriginEmbedderPolicy.md
@@ -60,11 +60,11 @@ crossOriginEmbedderPolicy: 'unsafe-none' | 'require-corp' | 'credentialless' | f
 
 ### `unsafe-none`
 
-This is the default value. Allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.
+Allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.
 
 ### `require-corp`
 
-A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. If a cross origin resource supports CORS, the crossorigin attribute or the Cross-Origin-Resource-Policy header must be used to load it without being blocked by COEP.
+This is the default value. A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. If a cross origin resource supports CORS, the crossorigin attribute or the Cross-Origin-Resource-Policy header must be used to load it without being blocked by COEP.
 
 ### `credentialless`
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "nuxt-security",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "license": "MIT",
   "type": "module",
   "homepage": "https://nuxt-security.vercel.app",
@@ -57,7 +57,7 @@
     "defu": "^6.1.1",
     "nuxt-csurf": "^1.3.1",
     "pathe": "^1.0.0",
-    "unplugin-remove": "^0.1.6",
+    "unplugin-remove": "^0.1.7",
     "xss": "^1.0.14"
   },
   "devDependencies": {

diff --git a/playground/nuxt.config.ts b/playground/nuxt.config.ts
@@ -23,6 +23,7 @@ export default defineNuxtConfig({
     rateLimiter: {
       tokensPerInterval: 10,
       interval: 10000
-    }
+    },
+    runtimeHooks: true
   }
 })
diff --git a/playground/public/favicon.ico b/playground/public/favicon.ico
diff --git a/playground/server/api/runtime-hooks.ts b/playground/server/api/runtime-hooks.ts
@@ -0,0 +1,7 @@
+import { defineEventHandler } from "#imports"
+
+export default defineEventHandler((event) => {
+    return {
+        csp: getResponseHeader(event, 'Content-Security-Policy')
+    }
+})
diff --git a/playground/server/plugins/headers.ts b/playground/server/plugins/headers.ts
@@ -0,0 +1,14 @@
+
+export default defineNitroPlugin((nitroApp) => {
+    nitroApp.hooks.hook('nuxt-security:ready', () => {
+        nitroApp.hooks.callHook('nuxt-security:headers',
+        { 
+            route: '/api/runtime-hooks',
+            headers: {
+                contentSecurityPolicy: {
+                    "script-src": ["'self'", "'unsafe-inline'"],
+                }
+            }
+        })
+    })
+})
diff --git a/src/module.ts b/src/module.ts
@@ -1,6 +1,6 @@
 import { fileURLToPath } from 'node:url'
 import { resolve, normalize } from 'pathe'
-import { defineNuxtModule, addServerHandler, installModule, addVitePlugin } from '@nuxt/kit'
+import { defineNuxtModule, addServerHandler, installModule, addVitePlugin, addServerPlugin } from '@nuxt/kit'
 import { defu } from 'defu'
 import type { Nuxt } from '@nuxt/schema'
 import viteRemove from 'unplugin-remove/vite'
@@ -126,6 +126,15 @@ export default defineNuxtModule<ModuleOptions>({
     }
 
 
+    if(nuxt.options.security.runtimeHooks) {
+      addServerPlugin(resolve(runtimeDir, 'nitro/plugins/00-context'))
+      addServerHandler({
+        handler: normalize(
+          resolve(runtimeDir, 'server/middleware/headers')
+        )
+      })
+    }
+
     const allowedMethodsRestricterConfig = nuxt.options.security
     .allowedMethodsRestricter
     if (
@@ -293,6 +302,15 @@ function registerSecurityNitroPlugins(nuxt: Nuxt, securityOptions: ModuleOptions
       )
     )
 
+    // Pre-process HTML into DOM tree
+    config.plugins.push(
+      normalize(
+        fileURLToPath(
+          new URL('./runtime/nitro/plugins/02a-preprocessHtml', import.meta.url)
+        )
+      )
+    )
+
     // Register nitro plugin to enable Subresource Integrity
     config.plugins.push(
       normalize(
@@ -331,6 +349,16 @@ function registerSecurityNitroPlugins(nuxt: Nuxt, securityOptions: ModuleOptions
         )
       )
     )
+
+
+    // Recombine HTML from DOM tree
+    config.plugins.push(
+      normalize(
+        fileURLToPath(
+          new URL('./runtime/nitro/plugins/99b-recombineHtml', import.meta.url)
+        )
+      )
+    )
   })
 
   // Make sure our nitro plugins will be applied last

diff --git a/src/runtime/nitro/plugins/00-context.ts b/src/runtime/nitro/plugins/00-context.ts
@@ -0,0 +1,33 @@
+import { getNameFromKey, headerStringFromObject} from "../../utils/headers"
+import { createRouter} from "radix3"
+import { defineNitroPlugin } from '#imports'
+import { OptionKey } from "~/src/module"
+
+export default defineNitroPlugin((nitroApp) => {
+    const router = createRouter()
+
+    nitroApp.hooks.hook('nuxt-security:headers', ({route, headers: headersConfig}) => {
+        const headers: Record<string, string |false > = {}
+
+        for (const [header, headerOptions] of Object.entries(headersConfig)) {
+            const headerName = getNameFromKey(header as OptionKey) 
+            if(headerName) {
+                const value = headerStringFromObject(header as OptionKey, headerOptions)
+                if(value) {
+                    headers[headerName] = value
+                } else {
+                    delete headers[headerName]
+                }
+            }
+        }
+
+        router.insert(route, headers)
+    })
+
+    nitroApp.hooks.hook('request', (event) => {
+        event.context.security = event.context.security || {}
+        event.context.security.headers = router.lookup(event.path)
+    })
+
+    nitroApp.hooks.callHook('nuxt-security:ready')
+})
diff --git a/src/runtime/nitro/plugins/02a-preprocessHtml.ts b/src/runtime/nitro/plugins/02a-preprocessHtml.ts
@@ -0,0 +1,29 @@
+import { defineNitroPlugin, getRouteRules } from '#imports'
+import * as cheerio from 'cheerio/lib/slim'
+
+
+export default defineNitroPlugin((nitroApp) => {
+  nitroApp.hooks.hook('render:html', async (html, { event }) => {
+
+    // Exit if no need to parse HTML for this route
+    const { security } = getRouteRules(event)
+    if (!security?.sri && (!security?.headers || !security?.headers.contentSecurityPolicy)) {
+      return
+    }
+
+    type Section = 'body' | 'bodyAppend' | 'bodyPrepend' | 'head'
+    const sections = ['body', 'bodyAppend', 'bodyPrepend', 'head'] as Section[]
+    const cheerios = {} as Record<Section, ReturnType<typeof cheerio.load>[]>
+    for (const section of sections) {
+      cheerios[section] = html[section].map(element => {
+        return cheerio.load(element, {
+          xml: {
+            // Disable `xmlMode` to parse HTML with htmlparser2.
+            xmlMode: false,
+          },
+        }, false)
+      })
+    }
+    event.context.cheerios = cheerios
+  })
+})
diff --git a/src/runtime/nitro/plugins/03-subresourceIntegrity.ts b/src/runtime/nitro/plugins/03-subresourceIntegrity.ts
@@ -1,10 +1,10 @@
 import { useStorage, defineNitroPlugin, getRouteRules } from '#imports'
-import * as cheerio from 'cheerio'
 import { isPrerendering } from '../utils'
+import { type CheerioAPI } from 'cheerio'
+
 
 export default defineNitroPlugin((nitroApp) => {
   nitroApp.hooks.hook('render:html', async (html, { event }) => {
-
     // Exit if SRI not enabled for this route
     const { security } = getRouteRules(event)
     if (!security?.sri) {
@@ -29,10 +29,9 @@ export default defineNitroPlugin((nitroApp) => {
     // However the SRI standard provides that other elements may be added to that list in the future
     type Section = 'body' | 'bodyAppend' | 'bodyPrepend' | 'head'
     const sections = ['body', 'bodyAppend', 'bodyPrepend', 'head'] as Section[]
+    const cheerios = event.context.cheerios as Record<Section, CheerioAPI[]>
     for (const section of sections) {
-      html[section] = html[section].map(element => {
-
-        const $ = cheerio.load(element, null, false)
+      cheerios[section].forEach($ => {
         // Add integrity to all relevant script tags
         $('script').each((i, script) => {
           const scriptAttrs = $(script).attr()
@@ -68,7 +67,6 @@ export default defineNitroPlugin((nitroApp) => {
             }
           }
         })
-        return $.html()
       })
     }
   })

diff --git a/src/runtime/nitro/plugins/04-cspSsgHashes.ts b/src/runtime/nitro/plugins/04-cspSsgHashes.ts
@@ -22,18 +22,17 @@ export default defineNitroPlugin((nitroApp) => {
     const scriptHashes: Set<string> = new Set()
     const styleHashes: Set<string> = new Set()
     const hashAlgorithm = 'sha256'
+    type Section = 'body' | 'bodyAppend' | 'bodyPrepend' | 'head'
+    const cheerios = event.context.cheerios as Record<Section, ReturnType<typeof cheerio.load>[]>
 
     // Parse HTML if SSG is enabled for this route
     if (security.ssg) {
       const { hashScripts, hashStyles } = security.ssg
 
       // Scan all relevant sections of the NuxtRenderHtmlContext
-      type Section = 'body' | 'bodyAppend' | 'bodyPrepend' | 'head'
       const sections = ['body', 'bodyAppend', 'bodyPrepend', 'head'] as Section[]
       for (const section of sections) {
-        html[section].forEach(element => {
-          const $ = cheerio.load(element, null, false)
-
+        cheerios[section].forEach($ => {
           // Parse all script tags
           if (hashScripts) {
             $('script').each((i, script) => {
@@ -103,10 +102,9 @@ export default defineNitroPlugin((nitroApp) => {
     const csp = security.headers.contentSecurityPolicy
     const headerValue = generateCspRules(csp, scriptHashes, styleHashes)
     // Insert CSP in the http meta tag
-    html.head.push(`<meta http-equiv="Content-Security-Policy" content="${headerValue}">`)
+    cheerios.head.push(cheerio.load(`<meta http-equiv="Content-Security-Policy" content="${headerValue}">`))
     // Update rules in HTTP header
     setResponseHeader(event, 'Content-Security-Policy', headerValue)
-
   })
 
   // Insert hashes in the CSP meta tag for both the script-src and the style-src policies