OrchardCMS
Check SubResource Integrity
@agriffard @deanmarcussen what I notice that many files in my local don't have the same SRI, for example ~/OrchardCore.Resources/Scripts/js.cookie.js so when I download that file from CDN I got the same exact SRI
Could you please let me know if there's something I can do? That's why the Test fails in both my end and GitHub
The following are the file that have the exact same SRI:
-
~/OrchardCore.Resources/Scripts/jquery-ui-i18n.min.js -
~/OrchardCore.Resources/Scripts/vue-multiselect.min.js -
~/OrchardCore.Resources/Scripts/vue-multiselect.min.js
I would suggest picking a specific file that doesn't match, and using the online https://www.srihash.org/ that I suspect @agriffard is using to test why one is not working, perhaps they are using different hashing methods.
@agriffard are using SHA384 when you generate the hash in SRI? Or are you using another one?
@agriffard are using
SHA384when you generate the hash in SRI? Or are you using another one?
Yes, I do. I always use https://www.srihash.org/ and the default encryption is SHA-384.
@agriffard how can I ensure that all the resources in my side are up to date, so I can validate the SRI for them
@agriffard could you let me know what should I do here to make a successful restore for npm packages. I need to finalize this PR
@agriffard could you let me know what should I do here to make a successful restore for npm packages. I need to finalize this PR
npm install
I already updated Node JS, I need to check again, coz it success with UI Testing project .. I will have a try
Once you installed the new node.js and npm try and do a cleanup of the node_modules folder. Then redo npm install.
@Skrypt is package-lock.json play an important role, what I notice is when I download the exact file from the CDN the SRI validated successfully. This make me think that some of my local assest are not updated
I tried npm run rebuild with no luck :(
Sometimes I do a git clean -xdf to clean also the package-lock.json files and retrieve those from the repository. It can be a node_modules cache on your computer too. There are so many things that can go wrong in node.js dependency hell...
@agriffard this PR is ready, I know the build will fail because I discover there are many invalid SRI, so I will create another PR to fix them. Once you merge the other PR we could rebase on main then the build will pass
I cancelled the workflows, the build was running without progress for 1h40.
Is this something you'd like to revisit any time soon @hishamco? Would be quite useful.
Seems the old issue in the testing has been resolved https://github.com/OrchardCMS/OrchardCore/pull/9947#issuecomment-1568750419
@Piedone I think we're ready to merge this now
Please request review when you're done, because I just noticed this randomly.
Use the new static instances instead of creating new ones: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.sha384.hashdata?view=net-8.0
I am right that these will run also locally? If so would you want to create an XUnit attribute to add on the methods which would skip the test if the "CI" environment variable is defined?
public class CiOnlyFactAttribute : FactAttribute
{
public override string Skip
{
get
{
// "CI" is defined by GitHub actions
// "BUILD_BUILDID" is defined by Azure DevOps
if (Environment.GetEnvironmentVariable("BUILD_BUILDID") != null ||
Environment.GetEnvironmentVariable("CI") != null)
{
return $"nameof(CiOnlyFactAttribute) tests are not run locally. To run them locally create a \"CI\" environment variable.";
}
return null!;
}
}
}
We could do that, but I'm not sure do we still need Azure DevOps, while we're using GitHub actions?