Add support for highlighting CSP, HSTS, and HPKP (#1275)

* Add CSP support.

* Add HPKP support.

* Add HSTS support.

* Updates based on feedback.

* Updates based on feedback.

* Updates based on feedback.

* Updates based on feedback.

* Updates based on feedback.

* Updates based on feedback.

* Updates based on Feedback.

* Fix parentheses.

* List csp, hpkp, and hsts in components.js

* Add missing base64 chars to 'nonce-...' and 'sha-...' source expressions

* Add support for 'sha384-...' and 'sha512-...' source expressions

* Add tests and examples for csp

* Add tests and examples for hsts

* Add tests and examples for hpkp

* hpkp: Include the sha256 hash in the directive itself

Prevent the numbers in the base64 string from being classified
as "safe" or "unsafe".

* Rebuild the minified csp and hpkp components

* Rebuild the "Show Language" plugin as well

* Fix copy/paste error in test description

Author: papandreou

components.js

@@ -161,6 +161,10 @@ var components = {
 			"require": "ruby",
 			"owner": "MakeNowJust"
 		},
+		"csp": {
+			"title": "Content-Security-Policy",
+			"owner": "ScottHelme"
+		},
 		"css-extras": {
 			"title": "CSS Extras",
 			"require": "css",
@@ -269,6 +273,14 @@ var components = {
 			"title": "HTTP",
 			"owner": "danielgtaylor"
 		},
+		"hpkp": {
+			"title": "HTTP Public-Key-Pins",
+			"owner": "ScottHelme"
+		},
+		"hsts": {
+			"title": "HTTP Strict-Transport-Security",
+			"owner": "ScottHelme"
+		},
 		"ichigojam": {
 			"title": "IchigoJam",
 			"owner": "BlueCocoa"

components/prism-csp.js

@@ -0,0 +1,25 @@
+/**
+ * Original by Scott Helme.
+ *
+ * Reference: https://scotthelme.co.uk/csp-cheat-sheet/
+ *
+ * Supports the following:
+ *  - CSP Level 1
+ *  - CSP Level 2
+ *  - CSP Level 3
+ */
+
+Prism.languages.csp = {
+	'directive':  {
+             pattern: /\b(?:(?:base-uri|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox) |(?:block-all-mixed-content|disown-opener|upgrade-insecure-requests)(?: |;)|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src )/i,
+             alias: 'keyword'
+        },
+	'safe': {
+            pattern: /'(?:self|none|strict-dynamic|(?:nonce-|sha(?:256|384|512)-)[a-zA-Z0-9+=/]+)'/,
+            alias: 'selector'
+        },
+	'unsafe': {
+            pattern: /(?:'unsafe-inline'|'unsafe-eval'|'unsafe-hashed-attributes'|\*)/,
+            alias: 'function'
+        }
+};

components/prism-csp.min.js

@@ -0,0 +1,20 @@
+/**
+ * Original by Scott Helme.
+ *
+ * Reference: https://scotthelme.co.uk/hpkp-cheat-sheet/
+ */
+
+Prism.languages.hpkp = {
+	'directive':  {
+             pattern: /\b(?:(?:includeSubDomains|preload|strict)(?: |;)|pin-sha256="[a-zA-Z0-9+=/]+"|(?:max-age|report-uri)=|report-to )/,
+             alias: 'keyword'
+        },
+	'safe': {
+            pattern: /[0-9]{7,}/,
+            alias: 'selector'
+        },
+	'unsafe': {
+            pattern: /[0-9]{0,6}/,
+            alias: 'function'
+        }
+};

components/prism-hpkp.js

@@ -0,0 +1,20 @@
+/**
+ * Original by Scott Helme.
+ *
+ * Reference: https://scotthelme.co.uk/hsts-cheat-sheet/
+ */
+
+Prism.languages.hsts = {
+	'directive':  {
+             pattern: /\b(?:max-age=|includeSubDomains|preload)/,
+             alias: 'keyword'
+        },
+	'safe': {
+            pattern: /[0-9]{8,}/,
+            alias: 'selector'
+        },
+	'unsafe': {
+            pattern: /[0-9]{0,7}/,
+            alias: 'function'
+        }
+};

components/prism-hpkp.min.js

@@ -0,0 +1,16 @@
+<h1>HTTP Content-Security-Policy header value</h1>
+<p>To use this language, use the class "language-csp".</p>
+
+<h2>A complete policy</h2>
+<pre><code>default-src 'none';
+script-src my.cdn.com;
+img-src 'self' data:;
+child-src 'self' data: ms-appx-web:;
+block-all-mixed-content;
+report-uri https://my-reports.com/submit;
+</code></pre>
+
+<h2>An policy with unsafe source expressions</h2>
+<pre><code>script-src 'self' 'unsafe-eval' 'unsafe-inline';
+style-src 'unsafe-inline' 'unsafe-hashed-attributes' 'self';
+</code></pre>

components/prism-hsts.js

@@ -0,0 +1,14 @@
+<h1>HTTP Public-Key-Pins header value</h1>
+<p>To use this language, use the class "language-hpkp".</p>
+
+<h2>Pin for one year with report-uri</h2>
+<pre><code>pin-sha256="EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4=";
+max-age=31536000;
+includeSubDomains;
+report-uri="https://my-reports.com/submit"
+</code></pre>
+
+<h2>Pin for a short time (considered unsafe)</h2>
+<pre><code>pin-sha256="EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4=";
+max-age=123
+</code></pre>

components/prism-hsts.min.js

@@ -0,0 +1,11 @@
+<h1>HTTP Strict-Transport-Security header value</h1>
+<p>To use this language, use the class "language-hsts".</p>
+
+<h2>Policy with far-future max-age</h2>
+<pre><code>max-age=31536000</code></pre>
+
+<h2>Policy with near-future max-age, considered unsafe</h2>
+<pre><code>max-age=123</code></pre>
+
+<h2>Policy with extra directives</h2>
+<pre><code>max-age=31536000; includeSubdomains; preload</code></pre>

examples/prism-csp.html

@@ -11,7 +11,7 @@ if (!Prism.plugins.toolbar) {
 }
 
 // The languages map is built automatically with gulp
-var Languages = /*languages_placeholder[*/{"html":"HTML","xml":"XML","svg":"SVG","mathml":"MathML","css":"CSS","clike":"C-like","javascript":"JavaScript","abap":"ABAP","actionscript":"ActionScript","apacheconf":"Apache Configuration","apl":"APL","applescript":"AppleScript","asciidoc":"AsciiDoc","asm6502":"6502 Assembly","aspnet":"ASP.NET (C#)","autohotkey":"AutoHotkey","autoit":"AutoIt","basic":"BASIC","csharp":"C#","cpp":"C++","coffeescript":"CoffeeScript","css-extras":"CSS Extras","django":"Django/Jinja2","fsharp":"F#","glsl":"GLSL","graphql":"GraphQL","http":"HTTP","ichigojam":"IchigoJam","inform7":"Inform 7","json":"JSON","latex":"LaTeX","livescript":"LiveScript","lolcode":"LOLCODE","matlab":"MATLAB","mel":"MEL","n4js":"N4JS","nasm":"NASM","nginx":"nginx","nsis":"NSIS","objectivec":"Objective-C","ocaml":"OCaml","opencl":"OpenCL","parigp":"PARI/GP","php":"PHP","php-extras":"PHP Extras","powershell":"PowerShell","properties":".properties","protobuf":"Protocol Buffers","jsx":"React JSX","renpy":"Ren'py","rest":"reST (reStructuredText)","sas":"SAS","sass":"Sass (Sass)","scss":"Sass (Scss)","sql":"SQL","typescript":"TypeScript","vbnet":"VB.Net","vhdl":"VHDL","vim":"vim","wiki":"Wiki markup","xojo":"Xojo (REALbasic)","yaml":"YAML"}/*]*/;
+var Languages = /*languages_placeholder[*/{"html":"HTML","xml":"XML","svg":"SVG","mathml":"MathML","css":"CSS","clike":"C-like","javascript":"JavaScript","abap":"ABAP","actionscript":"ActionScript","apacheconf":"Apache Configuration","apl":"APL","applescript":"AppleScript","asciidoc":"AsciiDoc","asm6502":"6502 Assembly","aspnet":"ASP.NET (C#)","autohotkey":"AutoHotkey","autoit":"AutoIt","basic":"BASIC","csharp":"C#","cpp":"C++","coffeescript":"CoffeeScript","csp":"Content-Security-Policy","css-extras":"CSS Extras","django":"Django/Jinja2","fsharp":"F#","glsl":"GLSL","graphql":"GraphQL","http":"HTTP","hpkp":"HTTP Public-Key-Pins","hsts":"HTTP Strict-Transport-Security","ichigojam":"IchigoJam","inform7":"Inform 7","json":"JSON","latex":"LaTeX","livescript":"LiveScript","lolcode":"LOLCODE","matlab":"MATLAB","mel":"MEL","n4js":"N4JS","nasm":"NASM","nginx":"nginx","nsis":"NSIS","objectivec":"Objective-C","ocaml":"OCaml","opencl":"OpenCL","parigp":"PARI/GP","php":"PHP","php-extras":"PHP Extras","powershell":"PowerShell","properties":".properties","protobuf":"Protocol Buffers","jsx":"React JSX","renpy":"Ren'py","rest":"reST (reStructuredText)","sas":"SAS","sass":"Sass (Sass)","scss":"Sass (Scss)","sql":"SQL","typescript":"TypeScript","vbnet":"VB.Net","vhdl":"VHDL","vim":"vim","wiki":"Wiki markup","xojo":"Xojo (REALbasic)","yaml":"YAML"}/*]*/;
 Prism.plugins.toolbar.registerButton('show-language', function(env) {
 	var pre = env.element.parentNode;
 	if (!pre || !/pre/i.test(pre.nodeName)) {

examples/prism-hpkp.html

@@ -0,0 +1,11 @@
+upgrade-insecure-requests;
+
+----------------------------------------------------
+
+[
+	["directive", "upgrade-insecure-requests;"]
+]
+
+----------------------------------------------------
+
+Checks for a "void" CSP directive followed by semicolon.

examples/prism-hsts.html

@@ -0,0 +1,12 @@
+script-src example.com;
+
+----------------------------------------------------
+
+[
+	["directive", "script-src "],
+	"example.com;"
+]
+
+----------------------------------------------------
+
+Checks for CSP directive followed by a source expression.

plugins/show-language/prism-show-language.js

@@ -0,0 +1,19 @@
+default-src 'none'; style-src 'self' 'strict-dynamic' 'nonce-yeah' 'sha256-EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4=';
+
+----------------------------------------------------
+
+[
+	["directive", "default-src "],
+	["safe", "'none'"],
+	"; ",
+	["directive", "style-src "],
+	["safe", "'self'"],
+	["safe", "'strict-dynamic'"],
+	["safe", "'nonce-yeah'"],
+	["safe", "'sha256-EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4='"],
+	";"
+]
+
+----------------------------------------------------
+
+Checks for source expressions classified as safe.

plugins/show-language/prism-show-language.min.js

@@ -0,0 +1,15 @@
+script-src 'unsafe-inline' 'unsafe-eval' 'unsafe-hashed-attributes';
+
+----------------------------------------------------
+
+[
+	["directive", "script-src "],
+	["unsafe", "'unsafe-inline'"],
+	["unsafe", "'unsafe-eval'"],
+	["unsafe", "'unsafe-hashed-attributes'"],
+	";"
+]
+
+----------------------------------------------------
+
+Checks for source expressions classified as unsafe.

tests/languages/csp/directive_no_value_feature.test

@@ -0,0 +1,12 @@
+max-age=31536000
+
+----------------------------------------------------
+
+[
+	["directive", "max-age="],
+	["safe", "31536000"]
+]
+
+----------------------------------------------------
+
+Checks for HPKP with a "safe" max-age.

tests/languages/csp/directive_with_source_expression_feature.test

@@ -0,0 +1,11 @@
+pin-sha256="EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4="
+
+----------------------------------------------------
+
+[
+	["directive", "pin-sha256=\"EpOpN/ahUF6jhWShDUdy+NvvtaGcu5F7qM6+x2mfkh4=\""]
+]
+
+----------------------------------------------------
+
+Checks for HPKP with a sha256 pin.

tests/languages/csp/safe_feature.test

@@ -0,0 +1,12 @@
+max-age=123
+
+----------------------------------------------------
+
+[
+	["directive", "max-age="],
+	["unsafe", "123"]
+]
+
+----------------------------------------------------
+
+Checks for HPKP with an "unsafe" max-age.

tests/languages/csp/unsafe_feature.test

@@ -0,0 +1,11 @@
+includeSubDomains
+
+----------------------------------------------------
+
+[
+	["directive", "includeSubDomains"]
+]
+
+----------------------------------------------------
+
+Checks for HSTS with the includeSubDomains directive.

tests/languages/hpkp/safe_maxage_feature.test

@@ -0,0 +1,11 @@
+preload
+
+----------------------------------------------------
+
+[
+	["directive", "preload"]
+]
+
+----------------------------------------------------
+
+Checks for HSTS with the preload directive.

tests/languages/hpkp/sha256_pin_feature.test

@@ -0,0 +1,12 @@
+max-age=31536000
+
+----------------------------------------------------
+
+[
+	["directive", "max-age="],
+	["safe", "31536000"]
+]
+
+----------------------------------------------------
+
+Checks for HSTS with a "safe" max-age.

tests/languages/hpkp/unsafe_maxage_feature.test

@@ -0,0 +1,12 @@
+max-age=123
+
+----------------------------------------------------
+
+[
+	["directive", "max-age="],
+	["unsafe", "123"]
+]
+
+----------------------------------------------------
+
+Checks for HSTS with an "unsafe" max-age.