'use strict' const { redirectStatus } = require('./constants') const { performance } = require('perf_hooks') const { isBlobLike, toUSVString, ReadableStreamFrom } = require('../core/util') const assert = require('assert') const { isUint8Array } = require('util/types') // https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable /** @type {import('crypto')|undefined} */ let crypto try { crypto = require('crypto') } catch { } // https://fetch.spec.whatwg.org/#block-bad-port const badPorts = [ '1', '7', '9', '11', '13', '15', '17', '19', '20', '21', '22', '23', '25', '37', '42', '43', '53', '69', '77', '79', '87', '95', '101', '102', '103', '104', '109', '110', '111', '113', '115', '117', '119', '123', '135', '137', '139', '143', '161', '179', '389', '427', '465', '512', '513', '514', '515', '526', '530', '531', '532', '540', '548', '554', '556', '563', '587', '601', '636', '989', '990', '993', '995', '1719', '1720', '1723', '2049', '3659', '4045', '5060', '5061', '6000', '6566', '6665', '6666', '6667', '6668', '6669', '6697', '10080' ] function responseURL (response) { // https://fetch.spec.whatwg.org/#responses // A response has an associated URL. It is a pointer to the last URL // in response’s URL list and null if response’s URL list is empty. const urlList = response.urlList const length = urlList.length return length === 0 ? null : urlList[length - 1].toString() } // https://fetch.spec.whatwg.org/#concept-response-location-url function responseLocationURL (response, requestFragment) { // 1. If response’s status is not a redirect status, then return null. if (!redirectStatus.includes(response.status)) { return null } // 2. Let location be the result of extracting header list values given // `Location` and response’s header list. let location = response.headersList.get('location') // 3. If location is a value, then set location to the result of parsing // location with response’s URL. location = location ? new URL(location, responseURL(response)) : null // 4. If location is a URL whose fragment is null, then set location’s // fragment to requestFragment. if (location && !location.hash) { location.hash = requestFragment } // 5. Return location. return location } /** @returns {URL} */ function requestCurrentURL (request) { return request.urlList[request.urlList.length - 1] } function requestBadPort (request) { // 1. Let url be request’s current URL. const url = requestCurrentURL(request) // 2. If url’s scheme is an HTTP(S) scheme and url’s port is a bad port, // then return blocked. if (/^https?:/.test(url.protocol) && badPorts.includes(url.port)) { return 'blocked' } // 3. Return allowed. return 'allowed' } function isErrorLike (object) { return object instanceof Error || ( object?.constructor?.name === 'Error' || object?.constructor?.name === 'DOMException' ) } // Check whether |statusText| is a ByteString and // matches the Reason-Phrase token production. // RFC 2616: https://tools.ietf.org/html/rfc2616 // RFC 7230: https://tools.ietf.org/html/rfc7230 // "reason-phrase = *( HTAB / SP / VCHAR / obs-text )" // https://github.com/chromium/chromium/blob/94.0.4604.1/third_party/blink/renderer/core/fetch/response.cc#L116 function isValidReasonPhrase (statusText) { for (let i = 0; i < statusText.length; ++i) { const c = statusText.charCodeAt(i) if ( !( ( c === 0x09 || // HTAB (c >= 0x20 && c <= 0x7e) || // SP / VCHAR (c >= 0x80 && c <= 0xff) ) // obs-text ) ) { return false } } return true } function isTokenChar (c) { return !( c >= 0x7f || c <= 0x20 || c === '(' || c === ')' || c === '<' || c === '>' || c === '@' || c === ',' || c === ';' || c === ':' || c === '\\' || c === '"' || c === '/' || c === '[' || c === ']' || c === '?' || c === '=' || c === '{' || c === '}' ) } // See RFC 7230, Section 3.2.6. // https://github.com/chromium/chromium/blob/d7da0240cae77824d1eda25745c4022757499131/third_party/blink/renderer/platform/network/http_parsers.cc#L321 function isValidHTTPToken (characters) { if (!characters || typeof characters !== 'string') { return false } for (let i = 0; i < characters.length; ++i) { const c = characters.charCodeAt(i) if (c > 0x7f || !isTokenChar(c)) { return false } } return true } // https://fetch.spec.whatwg.org/#header-name // https://github.com/chromium/chromium/blob/b3d37e6f94f87d59e44662d6078f6a12de845d17/net/http/http_util.cc#L342 function isValidHeaderName (potentialValue) { if (potentialValue.length === 0) { return false } for (const char of potentialValue) { if (!isValidHTTPToken(char)) { return false } } return true } /** * @see https://fetch.spec.whatwg.org/#header-value * @param {string} potentialValue */ function isValidHeaderValue (potentialValue) { // - Has no leading or trailing HTTP tab or space bytes. // - Contains no 0x00 (NUL) or HTTP newline bytes. if ( potentialValue.startsWith('\t') || potentialValue.startsWith(' ') || potentialValue.endsWith('\t') || potentialValue.endsWith(' ') ) { return false } if ( potentialValue.includes('\0') || potentialValue.includes('\r') || potentialValue.includes('\n') ) { return false } return true } // https://w3c.github.io/webappsec-referrer-policy/#set-requests-referrer-policy-on-redirect function setRequestReferrerPolicyOnRedirect (request, actualResponse) { // Given a request request and a response actualResponse, this algorithm // updates request’s referrer policy according to the Referrer-Policy // header (if any) in actualResponse. // 1. Let policy be the result of executing § 8.1 Parse a referrer policy // from a Referrer-Policy header on actualResponse. // TODO: https://w3c.github.io/webappsec-referrer-policy/#parse-referrer-policy-from-header const policy = '' // 2. If policy is not the empty string, then set request’s referrer policy to policy. if (policy !== '') { request.referrerPolicy = policy } } // https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check function crossOriginResourcePolicyCheck () { // TODO return 'allowed' } // https://fetch.spec.whatwg.org/#concept-cors-check function corsCheck () { // TODO return 'success' } // https://fetch.spec.whatwg.org/#concept-tao-check function TAOCheck () { // TODO return 'success' } function appendFetchMetadata (httpRequest) { // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-dest-header // TODO // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-mode-header // 1. Assert: r’s url is a potentially trustworthy URL. // TODO // 2. Let header be a Structured Header whose value is a token. let header = null // 3. Set header’s value to r’s mode. header = httpRequest.mode // 4. Set a structured field value `Sec-Fetch-Mode`/header in r’s header list. httpRequest.headersList.set('sec-fetch-mode', header) // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header // TODO // https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-user-header // TODO } // https://fetch.spec.whatwg.org/#append-a-request-origin-header function appendRequestOriginHeader (request) { // 1. Let serializedOrigin be the result of byte-serializing a request origin with request. let serializedOrigin = request.origin // 2. If request’s response tainting is "cors" or request’s mode is "websocket", then append (`Origin`, serializedOrigin) to request’s header list. if (request.responseTainting === 'cors' || request.mode === 'websocket') { if (serializedOrigin) { request.headersList.append('Origin', serializedOrigin) } // 3. Otherwise, if request’s method is neither `GET` nor `HEAD`, then: } else if (request.method !== 'GET' && request.method !== 'HEAD') { // 1. Switch on request’s referrer policy: switch (request.referrerPolicy) { case 'no-referrer': // Set serializedOrigin to `null`. serializedOrigin = null break case 'no-referrer-when-downgrade': case 'strict-origin': case 'strict-origin-when-cross-origin': // If request’s origin is a tuple origin, its scheme is "https", and request’s current URL’s scheme is not "https", then set serializedOrigin to `null`. if (/^https:/.test(request.origin) && !/^https:/.test(requestCurrentURL(request))) { serializedOrigin = null } break case 'same-origin': // If request’s origin is not same origin with request’s current URL’s origin, then set serializedOrigin to `null`. if (!sameOrigin(request, requestCurrentURL(request))) { serializedOrigin = null } break default: // Do nothing. } if (serializedOrigin) { // 2. Append (`Origin`, serializedOrigin) to request’s header list. request.headersList.append('Origin', serializedOrigin) } } } function coarsenedSharedCurrentTime (crossOriginIsolatedCapability) { // TODO return performance.now() } // https://fetch.spec.whatwg.org/#create-an-opaque-timing-info function createOpaqueTimingInfo (timingInfo) { return { startTime: timingInfo.startTime ?? 0, redirectStartTime: 0, redirectEndTime: 0, postRedirectStartTime: timingInfo.startTime ?? 0, finalServiceWorkerStartTime: 0, finalNetworkResponseStartTime: 0, finalNetworkRequestStartTime: 0, endTime: 0, encodedBodySize: 0, decodedBodySize: 0, finalConnectionTimingInfo: null } } // https://html.spec.whatwg.org/multipage/origin.html#policy-container function makePolicyContainer () { // TODO return {} } // https://html.spec.whatwg.org/multipage/origin.html#clone-a-policy-container function clonePolicyContainer () { // TODO return {} } // https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer function determineRequestsReferrer (request) { // 1. Let policy be request's referrer policy. const policy = request.referrerPolicy // Return no-referrer when empty or policy says so if (policy == null || policy === '' || policy === 'no-referrer') { return 'no-referrer' } // 2. Let environment be the request client const environment = request.client let referrerSource = null /** * 3, Switch on request’s referrer: "client" If environment’s global object is a Window object, then Let document be the associated Document of environment’s global object. If document’s origin is an opaque origin, return no referrer. While document is an iframe srcdoc document, let document be document’s browsing context’s browsing context container’s node document. Let referrerSource be document’s URL. Otherwise, let referrerSource be environment’s creation URL. a URL Let referrerSource be request’s referrer. */ if (request.referrer === 'client') { // Not defined in Node but part of the spec if (request.client?.globalObject?.constructor?.name === 'Window' ) { // eslint-disable-line const origin = environment.globalObject.self?.origin ?? environment.globalObject.location?.origin // If document’s origin is an opaque origin, return no referrer. if (origin == null || origin === 'null') return 'no-referrer' // Let referrerSource be document’s URL. referrerSource = new URL(environment.globalObject.location.href) } else { // 3(a)(II) If environment's global object is not Window, // Let referrerSource be environments creationURL if (environment?.globalObject?.location == null) { return 'no-referrer' } referrerSource = new URL(environment.globalObject.location.href) } } else if (request.referrer instanceof URL) { // 3(b) If requests's referrer is a URL instance, then make // referrerSource be requests's referrer. referrerSource = request.referrer } else { // If referrerSource neither client nor instance of URL // then return "no-referrer". return 'no-referrer' } const urlProtocol = referrerSource.protocol // If url's scheme is a local scheme (i.e. one of "about", "data", "javascript", "file") // then return "no-referrer". if ( urlProtocol === 'about:' || urlProtocol === 'data:' || urlProtocol === 'blob:' ) { return 'no-referrer' } let temp let referrerOrigin // 4. Let requests's referrerURL be the result of stripping referrer // source for use as referrer (using util function, without origin only) const referrerUrl = (temp = stripURLForReferrer(referrerSource)).length > 4096 // 5. Let referrerOrigin be the result of stripping referrer // source for use as referrer (using util function, with originOnly true) ? (referrerOrigin = stripURLForReferrer(referrerSource, true)) // 6. If result of seralizing referrerUrl is a string whose length is greater than // 4096, then set referrerURL to referrerOrigin : temp const areSameOrigin = sameOrigin(request, referrerUrl) const isNonPotentiallyTrustWorthy = isURLPotentiallyTrustworthy(referrerUrl) && !isURLPotentiallyTrustworthy(request.url) // NOTE: How to treat step 7? // 8. Execute the switch statements corresponding to the value of policy: switch (policy) { case 'origin': return referrerOrigin != null ? referrerOrigin : stripURLForReferrer(referrerSource, true) case 'unsafe-url': return referrerUrl case 'same-origin': return areSameOrigin ? referrerOrigin : 'no-referrer' case 'origin-when-cross-origin': return areSameOrigin ? referrerUrl : referrerOrigin case 'strict-origin-when-cross-origin': /** * 1. If the origin of referrerURL and the origin of request’s current URL are the same, * then return referrerURL. * 2. If referrerURL is a potentially trustworthy URL and request’s current URL is not a * potentially trustworthy URL, then return no referrer. * 3. Return referrerOrigin */ if (areSameOrigin) return referrerOrigin // else return isNonPotentiallyTrustWorthy ? 'no-referrer' : referrerOrigin case 'strict-origin': // eslint-disable-line /** * 1. If referrerURL is a potentially trustworthy URL and * request’s current URL is not a potentially trustworthy URL, * then return no referrer. * 2. Return referrerOrigin */ case 'no-referrer-when-downgrade': // eslint-disable-line /** * 1. If referrerURL is a potentially trustworthy URL and * request’s current URL is not a potentially trustworthy URL, * then return no referrer. * 2. Return referrerOrigin */ default: // eslint-disable-line return isNonPotentiallyTrustWorthy ? 'no-referrer' : referrerOrigin } function stripURLForReferrer (url, originOnly = false) { const urlObject = new URL(url.href) urlObject.username = '' urlObject.password = '' urlObject.hash = '' return originOnly ? urlObject.origin : urlObject.href } } function isURLPotentiallyTrustworthy (url) { if (!(url instanceof URL)) { return false } // If child of about, return true if (url.href === 'about:blank' || url.href === 'about:srcdoc') { return true } // If scheme is data, return true if (url.protocol === 'data:') return true // If file, return true if (url.protocol === 'file:') return true return isOriginPotentiallyTrustworthy(url.origin) function isOriginPotentiallyTrustworthy (origin) { // If origin is explicitly null, return false if (origin == null || origin === 'null') return false const originAsURL = new URL(origin) // If secure, return true if (originAsURL.protocol === 'https:' || originAsURL.protocol === 'wss:') { return true } // If localhost or variants, return true if (/^127(?:\.[0-9]+){0,2}\.[0-9]+$|^\[(?:0*:)*?:?0*1\]$/.test(originAsURL.hostname) || (originAsURL.hostname === 'localhost' || originAsURL.hostname.includes('localhost.')) || (originAsURL.hostname.endsWith('.localhost'))) { return true } // If any other, return false return false } } /** * @see https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist * @param {Uint8Array} bytes * @param {string} metadataList */ function bytesMatch (bytes, metadataList) { // If node is not built with OpenSSL support, we cannot check // a request's integrity, so allow it by default (the spec will // allow requests if an invalid hash is given, as precedence). /* istanbul ignore if: only if node is built with --without-ssl */ if (crypto === undefined) { return true } // 1. Let parsedMetadata be the result of parsing metadataList. const parsedMetadata = parseMetadata(metadataList) // 2. If parsedMetadata is no metadata, return true. if (parsedMetadata === 'no metadata') { return true } // 3. If parsedMetadata is the empty set, return true. if (parsedMetadata.length === 0) { return true } // 4. Let metadata be the result of getting the strongest // metadata from parsedMetadata. // Note: this will only work for SHA- algorithms and it's lazy *at best*. const metadata = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)) // 5. For each item in metadata: for (const item of metadata) { // 1. Let algorithm be the alg component of item. const algorithm = item.algo // 2. Let expectedValue be the val component of item. const expectedValue = item.hash // 3. Let actualValue be the result of applying algorithm to bytes. // Note: "applying algorithm to bytes" converts the result to base64 const actualValue = crypto.createHash(algorithm).update(bytes).digest('base64') // 4. If actualValue is a case-sensitive match for expectedValue, // return true. if (actualValue === expectedValue) { return true } } // 6. Return false. return false } // https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options // hash-algo is defined in Content Security Policy 2 Section 4.2 // base64-value is similary defined there // VCHAR is defined https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1 const parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={1,2}))( +[\x21-\x7e]?)?/i /** * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata * @param {string} metadata */ function parseMetadata (metadata) { // 1. Let result be the empty set. /** @type {{ algo: string, hash: string }[]} */ const result = [] // 2. Let empty be equal to true. let empty = true const supportedHashes = crypto.getHashes() // 3. For each token returned by splitting metadata on spaces: for (const token of metadata.split(' ')) { // 1. Set empty to false. empty = false // 2. Parse token as a hash-with-options. const parsedToken = parseHashWithOptions.exec(token) // 3. If token does not parse, continue to the next token. if (parsedToken === null || parsedToken.groups === undefined) { // Note: Chromium blocks the request at this point, but Firefox // gives a warning that an invalid integrity was given. The // correct behavior is to ignore these, and subsequently not // check the integrity of the resource. continue } // 4. Let algorithm be the hash-algo component of token. const algorithm = parsedToken.groups.algo // 5. If algorithm is a hash function recognized by the user // agent, add the parsed token to result. if (supportedHashes.includes(algorithm.toLowerCase())) { result.push(parsedToken.groups) } } // 4. Return no metadata if empty is true, otherwise return result. if (empty === true) { return 'no metadata' } return result } // https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request function tryUpgradeRequestToAPotentiallyTrustworthyURL (request) { // TODO } /** * @link {https://html.spec.whatwg.org/multipage/origin.html#same-origin} * @param {URL} A * @param {URL} B */ function sameOrigin (A, B) { // 1. If A and B are the same opaque origin, then return true. // "opaque origin" is an internal value we cannot access, ignore. // 2. If A and B are both tuple origins and their schemes, // hosts, and port are identical, then return true. if (A.protocol === B.protocol && A.hostname === B.hostname && A.port === B.port) { return true } // 3. Return false. return false } function createDeferredPromise () { let res let rej const promise = new Promise((resolve, reject) => { res = resolve rej = reject }) return { promise, resolve: res, reject: rej } } function isAborted (fetchParams) { return fetchParams.controller.state === 'aborted' } function isCancelled (fetchParams) { return fetchParams.controller.state === 'aborted' || fetchParams.controller.state === 'terminated' } // https://fetch.spec.whatwg.org/#concept-method-normalize function normalizeMethod (method) { return /^(DELETE|GET|HEAD|OPTIONS|POST|PUT)$/i.test(method) ? method.toUpperCase() : method } // https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-a-json-string function serializeJavascriptValueToJSONString (value) { // 1. Let result be ? Call(%JSON.stringify%, undefined, « value »). const result = JSON.stringify(value) // 2. If result is undefined, then throw a TypeError. if (result === undefined) { throw new TypeError('Value is not JSON serializable') } // 3. Assert: result is a string. assert(typeof result === 'string') // 4. Return result. return result } // https://tc39.es/ecma262/#sec-%25iteratorprototype%25-object const esIteratorPrototype = Object.getPrototypeOf(Object.getPrototypeOf([][Symbol.iterator]())) // https://webidl.spec.whatwg.org/#dfn-iterator-prototype-object function makeIterator (iterator, name) { const i = { next () { if (Object.getPrototypeOf(this) !== i) { throw new TypeError( `'next' called on an object that does not implement interface ${name} Iterator.` ) } return iterator.next() }, // The class string of an iterator prototype object for a given interface is the // result of concatenating the identifier of the interface and the string " Iterator". [Symbol.toStringTag]: `${name} Iterator` } // The [[Prototype]] internal slot of an iterator prototype object must be %IteratorPrototype%. Object.setPrototypeOf(i, esIteratorPrototype) // esIteratorPrototype needs to be the prototype of i // which is the prototype of an empty object. Yes, it's confusing. return Object.setPrototypeOf({}, i) } /** * @see https://fetch.spec.whatwg.org/#body-fully-read */ async function fullyReadBody (body, processBody, processBodyError) { // 1. If taskDestination is null, then set taskDestination to // the result of starting a new parallel queue. // 2. Let promise be the result of fully reading body as promise // given body. try { /** @type {Uint8Array[]} */ const chunks = [] let length = 0 const reader = body.stream.getReader() while (true) { const { done, value } = await reader.read() if (done === true) { break } // read-loop chunk steps assert(isUint8Array(value)) chunks.push(value) length += value.byteLength } // 3. Let fulfilledSteps given a byte sequence bytes be to queue // a fetch task to run processBody given bytes, with // taskDestination. const fulfilledSteps = (bytes) => queueMicrotask(() => { processBody(bytes) }) fulfilledSteps(Buffer.concat(chunks, length)) } catch (err) { // 4. Let rejectedSteps be to queue a fetch task to run // processBodyError, with taskDestination. queueMicrotask(() => processBodyError(err)) } // 5. React to promise with fulfilledSteps and rejectedSteps. } /** * Fetch supports node >= 16.8.0, but Object.hasOwn was added in v16.9.0. */ const hasOwn = Object.hasOwn || ((dict, key) => Object.prototype.hasOwnProperty.call(dict, key)) module.exports = { isAborted, isCancelled, createDeferredPromise, ReadableStreamFrom, toUSVString, tryUpgradeRequestToAPotentiallyTrustworthyURL, coarsenedSharedCurrentTime, determineRequestsReferrer, makePolicyContainer, clonePolicyContainer, appendFetchMetadata, appendRequestOriginHeader, TAOCheck, corsCheck, crossOriginResourcePolicyCheck, createOpaqueTimingInfo, setRequestReferrerPolicyOnRedirect, isValidHTTPToken, requestBadPort, requestCurrentURL, responseURL, responseLocationURL, isBlobLike, isURLPotentiallyTrustworthy, isValidReasonPhrase, sameOrigin, normalizeMethod, serializeJavascriptValueToJSONString, makeIterator, isValidHeaderName, isValidHeaderValue, hasOwn, isErrorLike, fullyReadBody, bytesMatch }