From f8dedf60638bffde3f92116db3f418d2e6260e80 Mon Sep 17 00:00:00 2001
From: Wojtek Kosior <koszko@koszko.org>
Date: Wed, 1 Jun 2022 18:14:09 +0200
Subject: allow eval() in injected scripts

---
 common/entities.js   | 22 ++++++++++++++++++++++
 common/jsonschema.js | 12 ++----------
 common/policy.js     | 43 ++++++++++++++++++++++++++++++++++++-------
 3 files changed, 60 insertions(+), 17 deletions(-)

(limited to 'common')

diff --git a/common/entities.js b/common/entities.js
index 74cad20..41d6e3b 100644
--- a/common/entities.js
+++ b/common/entities.js
@@ -116,6 +116,28 @@ function* get_used_files(item)
 }
 #EXPORT get_used_files AS get_files
 
+/*
+ * Regex to parse URIs like:
+ *     https://hydrilla.koszko.org/schemas/api_mapping_description-2.schema.json
+ */
+const name_base_re    = "(?<name_base>[^/]*)";
+const major_number_re = "(?<major>[1-9][0-9]*)";
+const minor_number_re = "(?:[1-9][0-9]*|0)";
+const numbers_rest_re = `(?:\\.${minor_number_re})*`;
+const version_re      = `(?<ver>${major_number_re}${numbers_rest_re})`;
+const schema_name_re  = `${name_base_re}-${version_re}\\.schema\\.json`;
+
+const haketilo_schema_name_regex = new RegExp(schema_name_re);
+#EXPORT haketilo_schema_name_regex
+
+/* Extract the number that indicates entity's compatibility mode. */
+function get_schema_major_version(instance) {
+    const match = haketilo_schema_name_regex.exec(instance.$schema);
+
+    return parseInt(match.groups.major);
+}
+#EXPORT get_schema_major_version
+
 #IF NEVER
 
 /*
diff --git a/common/jsonschema.js b/common/jsonschema.js
index 3e99cd6..9c4a70c 100644
--- a/common/jsonschema.js
+++ b/common/jsonschema.js
@@ -57,6 +57,8 @@
 
 #FROM common/jsonschema/scan.js IMPORT SchemaScanResult, scan
 
+#FROM common/entities.js IMPORT haketilo_schema_name_regex
+
 #EXPORT scan
 #EXPORT SchemaScanResult
 
@@ -86,15 +88,6 @@ const haketilo_schemas = [
 #INCLUDE schemas/2.x/common_definitions-2.schema.json
 ].reduce((ac, s) => Object.assign(ac, {[s.$id]: s}), {});
 
-const name_base_re    = "(?<name_base>[^/]*)";
-const major_number_re = "(?<major>[1-9][0-9]*)";
-const minor_number_re = "(?:[1-9][0-9]*|0)";
-const numbers_rest_re = `(?:\\.${minor_number_re})*`;
-const version_re      = `(?<ver>${major_number_re}${numbers_rest_re})`;
-const schema_name_re  = `${name_base_re}-${version_re}\\.schema\\.json`;
-
-const haketilo_schema_name_regex = new RegExp(schema_name_re);
-
 for (const [$id, schema] of [...Object.entries(haketilo_schemas)]) {
     const match = haketilo_schema_name_regex.exec($id);
     const schema_name =
@@ -103,7 +96,6 @@ for (const [$id, schema] of [...Object.entries(haketilo_schemas)]) {
 }
 
 #EXPORT haketilo_schemas
-#EXPORT haketilo_schema_name_regex
 
 const haketilo_validator = new Validator();
 Object.values(haketilo_schemas)
diff --git a/common/policy.js b/common/policy.js
index e14d8cd..6bcb54b 100644
--- a/common/policy.js
+++ b/common/policy.js
@@ -49,16 +49,15 @@
  * CSP rule that either blocks all scripts or only allows scripts with specified
  * nonce attached.
  */
-function make_csp(nonce)
-{
-    const rule = nonce ? `nonce-${nonce}` : "none";
+function make_csp(nonce) {
+    const rule = nonce ? `'nonce-${nonce}'` : "'none'";
     const csp_list = [
-	["prefetch-src",    "none"],
-	["script-src-attr", "none"],
-	["script-src",      rule],
+	["prefetch-src",    "'none'"],
+	["script-src-attr", "'none'"],
+	["script-src",      rule, "'unsafe-eval'"],
 	["script-src-elem", rule]
     ];
-    return csp_list.map(([a, b]) => `${a} '${b}';`).join(" ");
+    return csp_list.map(words => `${words.join(" ")};`).join(" ");
 }
 
 function decide_policy(patterns_tree, url, default_allow, secret)
@@ -113,3 +112,33 @@ function decide_policy(patterns_tree, url, default_allow, secret)
 #EXPORT decide_policy
 
 #EXPORT  () => ({allow: false, csp: make_csp()})  AS fallback_policy
+
+#IF NEVER
+
+/*
+ * Note: the functions below were overeagerly written and are not used now but
+ * might prove useful to once we add more functionalities and are hence kept...
+ */
+
+function relaxed_csp_eval(csp) {
+    const new_csp_list = [];
+
+    for (const directive of csp.split(";")) {
+	const directive_words = directive.trim().split(" ");
+	if (directive_words[0] === "script-src")
+	    directive_words.push("'unsafe-eval'");
+
+	new_csp_list.push(directive_words);
+    }
+
+    new_policy.csp = new_csp_list.map(d => `${d.join(" ")}';`).join(" ");
+}
+
+function relax_policy_eval(policy) {
+    const new_policy = Object.assign({}, policy);
+
+    return Object.assign(new_policy, {csp: relaxed_csp_eval(policy.csp)});
+}
+#EXPORT relax_policy_eval
+
+#ENDIF
-- 
cgit v1.2.3