require-resource-integrity-hook.js

/** @license
Copyright 2018 Google, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

/**
 * @fileoverview
 * A factory for hooks that prevent require of files not on a production whitelist
 * such as that generated by scripts/gen-import-graph.js
 */

'use strict'

exports.makeGuardHook = makeGuardHook

const crypto = require('crypto')
const fs = require('fs')
const path = require('path')

const { hasOwnProperty } = Object
const { apply } = Reflect

// Don't hash modules more than once.
// Assumes that modules don't change on disk.
const hashCache = new Map()

function hashFor (file) {
  if (hashCache.has(file)) {
    return hashCache.get(file)
  }

  let key = null
  let data = null
  try {
    data = fs.readFileSync(file)
  } catch (err) {
    console.error(`${module.id}: ${err.message}`)
  }
  if (data !== null) {
    key = crypto.createHash('sha256').update(data).digest('hex')
  }

  hashCache.set(file, key)
  return key
}

function makeGuardHook (hashesToSourceLists, reportOnly) {
  return function requireGraphHook (
    importingFile, importingId, requiredId,
    resolveFilename, isBuiltin) {
    if (isBuiltin) {
      return requiredId
    }
    const key = hashFor(resolveFilename(requiredId))
    if (key && apply(hasOwnProperty, hashesToSourceLists, [ key ])) {
      return requiredId
    }

    console.warn(`${module.id}: Blocking require(${JSON.stringify(requiredId)}) by ${importingId}`)
    if (reportOnly) {
      return requiredId
    }
    return path.join(__dirname, 'innocuous')
  }
}