Skip to content

Commit

Permalink
Add source-file and associated column-number and line-number.
Browse files Browse the repository at this point in the history
Fix build command in README and change `-` to `_` for consistency with Dockerfile.

Fixes #94.
  • Loading branch information
chennin committed Jan 14, 2024
1 parent 667e023 commit d7428ee
Show file tree
Hide file tree
Showing 3 changed files with 44 additions and 4 deletions.
8 changes: 4 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,8 @@ Alternatively, you can download the binaries from the [release page][2].
### Running

```sh
$ go build main.go -p csp-collector
$ ./csp-collector
$ go build -o csp_collector main.go
$ ./csp_collector
```

### Endpoints
Expand All @@ -34,7 +34,7 @@ You will either need to build within a docker container for the purpose, or use
to make the build compatible with alpine linux in a docker container.

```sh
$ CGO_ENABLED=0 go build main.go -p csp-collector
$ CGO_ENABLED=0 go build -o csp_collector main.go
```

### Command Line Options
Expand Down Expand Up @@ -89,7 +89,7 @@ If you'd rather have these violations end up in a file, I suggest just
redirecting the output into a file like so:

```sh
$ ./csp-collector 2>> /path/to/violations.log
$ ./csp_collector 2>> /path/to/violations.log
```

### Visualisation
Expand Down
7 changes: 7 additions & 0 deletions internal/handler/csp.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,9 @@ type CSPReportBody struct {
Disposition string `json:"disposition"`
ScriptSample string `json:"script-sample"`
StatusCode interface{} `json:"status-code"`
SourceFile string `json:"source-file"`
LineNumber uint32 `json:"line-number"`
ColumnNumber uint32 `json:"column-number"`
}

type CSPViolationReportHandler struct {
Expand Down Expand Up @@ -94,6 +97,9 @@ func (vrh *CSPViolationReportHandler) ServeHTTP(w http.ResponseWriter, r *http.R
"disposition": report.Body.Disposition,
"script_sample": report.Body.ScriptSample,
"status_code": report.Body.StatusCode,
"source_file": report.Body.SourceFile,
"line_number": report.Body.LineNumber,
"column_number": report.Body.ColumnNumber,
"metadata": metadata,
"path": r.URL.Path,
}
Expand All @@ -102,6 +108,7 @@ func (vrh *CSPViolationReportHandler) ServeHTTP(w http.ResponseWriter, r *http.R
lf["document_uri"] = utils.TruncateQueryStringFragment(report.Body.DocumentURI)
lf["referrer"] = utils.TruncateQueryStringFragment(report.Body.Referrer)
lf["blocked_uri"] = utils.TruncateQueryStringFragment(report.Body.BlockedURI)
lf["source_file"] = utils.TruncateQueryStringFragment(report.Body.SourceFile)
}

if vrh.LogClientIP {
Expand Down
33 changes: 33 additions & 0 deletions internal/handler/csp_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -227,3 +227,36 @@ func TestHandleViolationReportMultipleTypeStatusCode(t *testing.T) {
})
}
}

func TestValidateViolationWithSourceFile(t *testing.T) {
rawReport := []byte(`{
"csp-report": {
"document-uri": "https://example.com",
"blocked-uri": "https://google.com/example.css",
"column-number": 70774,
"line-number": 2,
"source-file": "https://example.com/example.js"
}
}`)

var report CSPReport
jsonErr := json.Unmarshal(rawReport, &report)
if jsonErr != nil {
t.Errorf("error: %s", jsonErr)
}

cspViolationHandler := &CSPViolationReportHandler{BlockedURIs: invalidBlockedURIs}
validateErr := cspViolationHandler.validateViolation(report)
if validateErr != nil {
t.Errorf("Unexpected error raised")
}
if report.Body.SourceFile == "" {
t.Errorf("Violation 'source-file' not found")
}
if report.Body.LineNumber == 0 {
t.Errorf("Violation 'line-number' not found")
}
if report.Body.ColumnNumber == 0 {
t.Errorf("Violation 'column-number' not found")
}
}

0 comments on commit d7428ee

Please sign in to comment.