From 2ac964fae5af53e93538a345eabce4114f8f9186 Mon Sep 17 00:00:00 2001 From: Sunshine Date: Fri, 26 Jun 2020 18:14:46 -0400 Subject: [PATCH] include font-src into CSP --- src/html.rs | 9 +++++++- src/main.rs | 1 + src/tests/cli.rs | 30 +++++++++++++++++++++++- src/tests/html/csp.rs | 34 +++++++++++++++++++++++++++- src/tests/html/stringify_document.rs | 18 +++++++++++---- 5 files changed, 85 insertions(+), 7 deletions(-) diff --git a/src/html.rs b/src/html.rs index 7ed0797..3ae3e2d 100644 --- a/src/html.rs +++ b/src/html.rs @@ -1076,6 +1076,7 @@ fn get_child_node_by_name(handle: &Handle, node_name: &str) -> Handle { pub fn stringify_document( handle: &Handle, opt_no_css: bool, + opt_no_fonts: bool, opt_no_frames: bool, opt_no_js: bool, opt_no_images: bool, @@ -1088,7 +1089,7 @@ pub fn stringify_document( let mut result = String::from_utf8(buf).unwrap(); // Take care of CSP - if opt_isolate || opt_no_css || opt_no_frames || opt_no_js || opt_no_images { + if opt_isolate || opt_no_css || opt_no_fonts || opt_no_frames || opt_no_js || opt_no_images { let mut buf: Vec = Vec::new(); let mut dom = html_to_dom(&result); let doc = dom.get_document(); @@ -1097,6 +1098,7 @@ pub fn stringify_document( let csp_content: String = csp( opt_isolate, opt_no_css, + opt_no_fonts, opt_no_frames, opt_no_js, opt_no_images, @@ -1137,6 +1139,7 @@ pub fn stringify_document( pub fn csp( opt_isolate: bool, opt_no_css: bool, + opt_no_fonts: bool, opt_no_frames: bool, opt_no_js: bool, opt_no_images: bool, @@ -1151,6 +1154,10 @@ pub fn csp( string_list.push("style-src 'none';"); } + if opt_no_fonts { + string_list.push("font-src 'none';"); + } + if opt_no_frames { string_list.push("frame-src 'none';"); string_list.push("child-src 'none';"); diff --git a/src/main.rs b/src/main.rs index 131120e..5461e26 100644 --- a/src/main.rs +++ b/src/main.rs 
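Review bot: `opt_no_fonts` is inserted into the middle of a run of same-typed positional `bool` parameters in both `stringify_document` and `csp`, so a call that passes the flags in the wrong order still compiles and silently emits the wrong directive. The compiler catches only the arity change, and the two functions already order their flags differently: `csp` takes `opt_isolate` first, `stringify_document` does not. Because these flags decide which resource classes the saved page may load, a transposition here is a policy bug rather than a cosmetic one. I would group the flags in a struct with named fields, for example `pub struct CspOptions { pub isolate: bool, pub no_css: bool, pub no_fonts: bool, /* … */ }`, and pass that to both functions and to the call in `src/main.rs`. Both function bodies continue outside these hunks.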
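Review bot: The new `if opt_no_fonts` branch in `csp` has no comment on how `font-src 'none';` interacts with the isolate policy. The `all` test shows isolate emitting `default-src 'unsafe-inline' data:;`, which `font-src` would otherwise fall back to. I would add `// font-src overrides the default-src fallback, so data: fonts are blocked even when opt_isolate allows data:` above the `push`. The directive only stops a browser from loading fonts; whether `@font-face` rules and font bytes are also stripped from the output is not visible in this diff. If they are not, a doc comment on `csp` should say that the policy is a backstop rather than the removal itself.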
@@ -152,6 +152,7 @@ fn main() { let mut result: String = stringify_document( &dom.document, app_args.no_css, + app_args.no_fonts, app_args.no_frames, app_args.no_js, app_args.no_images, diff --git a/src/tests/cli.rs b/src/tests/cli.rs index d2824bf..b685cbb 100644 --- a/src/tests/cli.rs +++ b/src/tests/cli.rs @@ -128,13 +128,41 @@ mod passing { Ok(()) } + #[test] + fn remove_fonts_from_data_url() -> Result<(), Box> { + let mut cmd = Command::cargo_bin(env!("CARGO_PKG_NAME"))?; + let out = cmd + .arg("-M") + .arg("-F") + .arg("data:text/html,Hi") + .output() + .unwrap(); + + // STDOUT should contain HTML with no web fonts + assert_eq!( + std::str::from_utf8(&out.stdout).unwrap(), + "\ + \ + \ + Hi\n" + ); + + // STDERR should be empty + assert_eq!(std::str::from_utf8(&out.stderr).unwrap(), ""); + + // The exit code should be 0 + out.assert().code(0); + + Ok(()) + } + #[test] fn remove_frames_from_data_url() -> Result<(), Box> { let mut cmd = Command::cargo_bin(env!("CARGO_PKG_NAME"))?; let out = cmd .arg("-M") .arg("-f") - .arg("data:text/html,Hi") + .arg("data:text/html,Hi") .output() .unwrap(); diff --git a/src/tests/html/csp.rs b/src/tests/html/csp.rs index bc16124..6aa7c9d 100644 --- a/src/tests/html/csp.rs +++ b/src/tests/html/csp.rs @@ -13,12 +13,14 @@ mod passing { fn isolated() { let opt_isolate: bool = true; let opt_no_css: bool = false; + let opt_no_fonts: bool = false; let opt_no_frames: bool = false; let opt_no_js: bool = false; let opt_no_images: bool = false; let csp_content = html::csp( opt_isolate, opt_no_css, + opt_no_fonts, opt_no_frames, opt_no_js, opt_no_images, @@ -31,12 +33,14 @@ mod passing { fn no_css() { let opt_isolate: bool = false; let opt_no_css: bool = true; + let opt_no_fonts: bool = false; let opt_no_frames: bool = false; let opt_no_js: bool = false; let opt_no_images: bool = false; let csp_content = html::csp( opt_isolate, opt_no_css, + opt_no_fonts, opt_no_frames, opt_no_js, opt_no_images, 
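Review bot: In `remove_fonts_from_data_url` (src/tests/cli.rs) the new test returns `Result` and uses `?` on `Command::cargo_bin`, but then calls `.output().unwrap()` and `std::str::from_utf8(&out.stdout).unwrap()`. Mixing the two styles means some failures surface as panics and others as returned errors. Since the signature already allows it, `let out = cmd.arg("-M").arg("-F").arg(/* url */).output()?;` and `std::str::from_utf8(&out.stdout)?` would be consistent. The neighbouring `remove_frames_from_data_url` shows the same pattern, so this could be cleaned up for the whole module at once.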
@@ -45,16 +49,38 @@ mod passing { assert_eq!(csp_content, "style-src 'none';"); } + #[test] + fn no_fonts() { + let opt_isolate: bool = false; + let opt_no_css: bool = false; + let opt_no_fonts: bool = true; + let opt_no_frames: bool = false; + let opt_no_js: bool = false; + let opt_no_images: bool = false; + let csp_content = html::csp( + opt_isolate, + opt_no_css, + opt_no_fonts, + opt_no_frames, + opt_no_js, + opt_no_images, + ); + + assert_eq!(csp_content, "font-src 'none';"); + } + #[test] fn no_frames() { let opt_isolate: bool = false; let opt_no_css: bool = false; + let opt_no_fonts: bool = false; let opt_no_frames: bool = true; let opt_no_js: bool = false; let opt_no_images: bool = false; let csp_content = html::csp( opt_isolate, opt_no_css, + opt_no_fonts, opt_no_frames, opt_no_js, opt_no_images, @@ -67,12 +93,14 @@ mod passing { fn no_js() { let opt_isolate: bool = false; let opt_no_css: bool = false; + let opt_no_fonts: bool = false; let opt_no_frames: bool = false; let opt_no_js: bool = true; let opt_no_images: bool = false; let csp_content = html::csp( opt_isolate, opt_no_css, + opt_no_fonts, opt_no_frames, opt_no_js, opt_no_images, @@ -85,12 +113,14 @@ mod passing { fn no_image() { let opt_isolate: bool = false; let opt_no_css: bool = false; + let opt_no_fonts: bool = false; let opt_no_frames: bool = false; let opt_no_js: bool = false; let opt_no_images: bool = true; let csp_content = html::csp( opt_isolate, opt_no_css, + opt_no_fonts, opt_no_frames, opt_no_js, opt_no_images, 
@@ -103,17 +133,19 @@ mod passing { fn all() { let opt_isolate: bool = true; let opt_no_css: bool = true; + let opt_no_fonts: bool = true; let opt_no_frames: bool = true; let opt_no_js: bool = true; let opt_no_images: bool = true; let csp_content = html::csp( opt_isolate, opt_no_css, + opt_no_fonts, opt_no_frames, opt_no_js, opt_no_images, ); - assert_eq!(csp_content, "default-src 'unsafe-inline' data:; style-src 'none'; frame-src 'none'; child-src 'none'; script-src 'none'; img-src data:;"); + assert_eq!(csp_content, "default-src 'unsafe-inline' data:; style-src 'none'; font-src 'none'; frame-src 'none'; child-src 'none'; script-src 'none'; img-src data:;"); } } diff --git a/src/tests/html/stringify_document.rs b/src/tests/html/stringify_document.rs index 14d9318..8d13c8a 100644 --- a/src/tests/html/stringify_document.rs +++ b/src/tests/html/stringify_document.rs @@ -15,6 +15,7 @@ mod passing { let dom = html::html_to_dom(&html); let opt_no_css: bool = false; + let opt_no_fonts: bool = false; let opt_no_frames: bool = false; let opt_no_js: bool = false; let opt_no_images: bool = false; @@ -24,6 +25,7 @@ mod passing { html::stringify_document( &dom.document, opt_no_css, + opt_no_fonts, opt_no_frames, opt_no_js, opt_no_images, @@ -42,6 +44,7 @@ mod passing { let dom = html::html_to_dom(&html); let opt_no_css: bool = false; + let opt_no_fonts: bool = false; let opt_no_frames: bool = false; let opt_no_js: bool = false; let opt_no_images: bool = false; @@ -51,6 +54,7 @@ mod passing { html::stringify_document( &dom.document, opt_no_css, + opt_no_fonts, opt_no_frames, opt_no_js, opt_no_images, @@ -81,6 +85,7 @@ mod passing { let dom = html::html_to_dom(&html); let opt_no_css: bool = true; + let opt_no_fonts: bool = false; let opt_no_frames: bool = false; let opt_no_js: bool = false; let opt_no_images: bool = false; @@ -90,6 +95,7 @@ mod passing { html::stringify_document( &dom.document, opt_no_css, + opt_no_fonts, opt_no_frames, opt_no_js, opt_no_images, 
@@ -116,6 +122,7 @@ mod passing { let dom = html::html_to_dom(&html); let opt_no_css: bool = false; + let opt_no_fonts: bool = false; let opt_no_frames: bool = true; let opt_no_js: bool = false; let opt_no_images: bool = false; @@ -125,6 +132,7 @@ mod passing { html::stringify_document( &dom.document, opt_no_css, + opt_no_fonts, opt_no_frames, opt_no_js, opt_no_images, @@ -149,14 +157,15 @@ mod passing { \ \
\ - \ - \ - \ + \ + \ + \
"; let dom = html::html_to_dom(&html); let opt_isolate: bool = true; let opt_no_css: bool = true; + let opt_no_fonts: bool = true; let opt_no_frames: bool = true; let opt_no_js: bool = true; let opt_no_images: bool = true; @@ -165,6 +174,7 @@ mod passing { html::stringify_document( &dom.document, opt_no_css, + opt_no_fonts, opt_no_frames, opt_no_js, opt_no_images, @@ -173,7 +183,7 @@ mod passing { "\ \ \ - \ + \ no-frame no-css no-js no-image isolated document\ \ \