From 4062735d1281941fd32ac4320b9f9965fcec278b Mon Sep 17 00:00:00 2001
From: isaacs
Date: Mon, 17 Feb 2020 17:21:38 -0800
Subject: [PATCH] fix: harden SRI parsing against ../ funny business

The actual security fix this relates to is already fixed in cacache, but defense in depth is a good and valuable thing.

BREAKING CHANGE: SRI values with `../` in the algorithm name now throw as invalid (which they always probably should have!)
---
 index.js | 6 ++++--
 test/parse.js | 10 ++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/index.js b/index.js
index fb03e36..950548c 100644
--- a/index.js
+++ b/index.js
@@ -5,9 +5,11 @@ const MiniPass = require('minipass')
 const SPEC_ALGORITHMS = ['sha256', 'sha384', 'sha512']
+// TODO: this should really be a hardcoded list of algorithms we support,
+// rather than [a-z0-9].
 const BASE64_REGEX = /^[a-z0-9+/]+(?:=?=?)$/i
-const SRI_REGEX = /^([^-]+)-([^?]+)([?\S*]*)$/
-const STRICT_SRI_REGEX = /^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/
+const SRI_REGEX = /^([a-z0-9]+)-([^?]+)([?\S*]*)$/
+const STRICT_SRI_REGEX = /^([a-z0-9]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/
 const VCHAR_REGEX = /^[\x21-\x7E]+$/
 const defaultOpts = {
diff --git a/test/parse.js b/test/parse.js
index 7a8164e..1f49c76 100644
--- a/test/parse.js
+++ b/test/parse.js
@@ -226,3 +226,13 @@ test('supports strict spec parsing', t => {
 }).toString(), valid, 'entries that fail strict check rejected')
 t.done()
 })
+
+test('does not allow weird stuff in sri', t => { const badInt = 'mdc2\u0000/../../../hello_what_am_I_doing_here-Juwtg9UFssfrRfwsXu+n/Q==' const bad = ssri.parse(badInt) const badStrict = ssri.parse(badInt, { strict: true }) const expect = ssri.parse('') t.strictSame(bad, expect) t.strictSame(badStrict, expect) t.end() })
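Review bot: The new non-strict `SRI_REGEX` still captures the digest with `([^?]+)`, so a `../` sequence in the digest position parses exactly as before even though the algorithm group is now `[a-z0-9]+`; only the algorithm half of the `../` hardening is done here. If nothing relies on non-base64 digests outside strict mode, the character class the strict regex already uses would close that gap in one line: `const SRI_REGEX = /^([a-z0-9]+)-([A-Za-z0-9+/=]+)([?\S*]*)$/`. Note also that `[a-z0-9]+` has no `/i` flag (unlike `BASE64_REGEX` two lines above), so an uppercase name such as `SHA256-…` that `[^-]+` used to accept is now rejected in both modes — probably intended, but it is a wider break than the `../` case the BREAKING CHANGE note describes and deserves a mention there. The TODO added above the regexes is the right direction; `SPEC_ALGORITHMS` is already in scope and is the natural source for that allowlist.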
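Review bot: The new test pins a silently empty result — `ssri.parse(badInt)` is compared against `ssri.parse('')` with `t.strictSame` — while the BREAKING CHANGE line says such values "now throw as invalid"; one of the two should change, either `t.throws(() => ssri.parse(badInt, { strict: true }))` if a throw is the intended contract, or the message reworded to "are now rejected". The only hostile fixture has `../` in the algorithm name; a second fixture with `../` in the digest position, and one with an uppercase algorithm such as `SHA256-…`, would document which inputs the new `[a-z0-9]+` group is and is not meant to reject. A control assertion that a known-good integrity string (the fixtures used earlier in this file, presumably) still parses would guard against the regex being tightened too far later. Minor: this test ends with `t.end()` while the test just above uses `t.done()`; pick one for the file.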