Ssri
Standard Subresource Integrity library for Node.js
Install / Use
/learn @zkat/SsriREADME
ssri 
ssri, short for Standard Subresource
Integrity, is a Node.js utility for parsing, manipulating, serializing,
generating, and verifying Subresource
Integrity hashes.
Install
$ npm install --save ssri
Table of Contents
- Example
- Features
- Contributing
- API
- Parsing & Serializing
- Integrity Generation
- Integrity Verification
Example
const ssri = require('ssri')
const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'
// Parsing and serializing
const parsed = ssri.parse(integrity)
ssri.stringify(parsed) // === integrity (works on non-Integrity objects)
parsed.toString() // === integrity
// Async stream functions
ssri.checkStream(fs.createReadStream('./my-file'), integrity).then(...)
ssri.fromStream(fs.createReadStream('./my-file')).then(sri => {
sri.toString() === integrity
})
fs.createReadStream('./my-file').pipe(ssri.createCheckerStream(sri))
// Sync data functions
ssri.fromData(fs.readFileSync('./my-file')) // === parsed
ssri.checkData(fs.readFileSync('./my-file'), integrity) // => 'sha512'
Features
- Parses and stringifies SRI strings.
- Generates SRI strings from raw data or Streams.
- Strict standard compliance.
?foometadata option support.- Multiple entries for the same algorithm.
- Object-based integrity hash manipulation.
- Small footprint: no dependencies, concise implementation.
- Full test coverage.
- Customizable algorithm picker.
Contributing
The ssri team enthusiastically welcomes contributions and project participation! There's a bunch of things you can do if you want to contribute! The Contributor Guide has all the information you need for everything from reporting bugs to contributing entire new features. Please don't hesitate to jump in if you'd like to, or even ask us questions if something isn't clear.
API
<a name="parse"></a> > ssri.parse(sri, [opts]) -> Integrity
Parses sri into an Integrity data structure. sri can be an integrity
string, an Hash-like with digest and algorithm fields and an optional
options field, or an Integrity-like object. The resulting object will be an
Integrity instance that has this shape:
{
'sha1': [{algorithm: 'sha1', digest: 'deadbeef', options: []}],
'sha512': [
{algorithm: 'sha512', digest: 'c0ffee', options: []},
{algorithm: 'sha512', digest: 'bad1dea', options: ['foo']}
],
}
If opts.single is truthy, a single Hash object will be returned. That is, a
single object that looks like {algorithm, digest, options}, as opposed to a
larger object with multiple of these.
If opts.strict is truthy, the resulting object will be filtered such that
it strictly follows the Subresource Integrity spec, throwing away any entries
with any invalid components. This also means a restricted set of algorithms
will be used -- the spec limits them to sha256, sha384, and sha512.
Strict mode is recommended if the integrity strings are intended for use in browsers, or in other situations where strict adherence to the spec is needed.
Example
ssri.parse('sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo') // -> Integrity object
<a name="stringify"></a> > ssri.stringify(sri, [opts]) -> String
This function is identical to Integrity#toString(),
except it can be used on any object that parse can handle -- that
is, a string, an Hash-like, or an Integrity-like.
The opts.sep option defines the string to use when joining multiple entries
together. To be spec-compliant, this must be whitespace. The default is a
single space (' ').
If opts.strict is true, the integrity string will be created using strict
parsing rules. See ssri.parse.
Example
// Useful for cleaning up input SRI strings:
ssri.stringify('\n\rsha512-foo\n\t\tsha384-bar')
// -> 'sha512-foo sha384-bar'
// Hash-like: only a single entry.
ssri.stringify({
algorithm: 'sha512',
digest:'9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==',
options: ['foo']
})
// ->
// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'
// Integrity-like: full multi-entry syntax. Similar to output of `ssri.parse`
ssri.stringify({
'sha512': [
{
algorithm: 'sha512',
digest:'9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==',
options: ['foo']
}
]
})
// ->
// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'
<a name="integrity-concat"></a> > Integrity#concat(otherIntegrity, [opts]) -> Integrity
Concatenates an Integrity object with another IntegrityLike, or an integrity
string.
This is functionally equivalent to concatenating the string format of both
integrity arguments, and calling ssri.parse on the new string.
If opts.strict is true, the new Integrity will be created using strict
parsing rules. See ssri.parse.
Example
// This will combine the integrity checks for two different versions of
// your index.js file so you can use a single integrity string and serve
// either of these to clients, from a single `<script>` tag.
const desktopIntegrity = ssri.fromData(fs.readFileSync('./index.desktop.js'))
const mobileIntegrity = ssri.fromData(fs.readFileSync('./index.mobile.js'))
// Note that browsers (and ssri) will succeed as long as ONE of the entries
// for the *prioritized* algorithm succeeds. That is, in order for this fallback
// to work, both desktop and mobile *must* use the same `algorithm` values.
desktopIntegrity.concat(mobileIntegrity)
<a name="integrity-to-string"></a> > Integrity#toString([opts]) -> String
Returns the string representation of an Integrity object. All hash entries
will be concatenated in the string by opts.sep, which defaults to ' '.
If you want to serialize an object that didn't come from an ssri function,
use ssri.stringify().
If opts.strict is true, the integrity string will be created using strict
parsing rules. See ssri.parse.
Example
const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'
ssri.parse(integrity).toString() === integrity
<a name="integrity-to-json"></a> > Integrity#toJSON() -> String
Returns the string representation of an Integrity object. All hash entries
will be concatenated in the string by ' '.
This is a convenience method so you can pass an Integrity object directly to JSON.stringify.
For more info check out toJSON() behavior on mdn.
Example
const integrity = '"sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo"'
JSON.stringify(ssri.parse(integrity)) === integrity
<a name="integrity-match"></a> > Integrity#match(sri, [opts]) -> Hash | false
Returns the matching (truthy) hash if Integrity matches the argument passed as
sri, which can be anything that parse will accept. opts will be
passed through to parse and pickAlgorithm().
Example
const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A=='
ssri.parse(integrity).match(integrity)
// Hash {
// digest: '9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A=='
// algorithm: 'sha512'
// }
ssri.parse(integrity).match('sha1-deadbeef')
// false
<a name="integrity-pick-algorithm"></a> > Integrity#pickAlgorithm([opts]) -> String
Returns the "best" algorithm from those available in the integrity object.
If opts.pickAlgorithm is provided, it will be passed two algorithms as
arguments. ssri will prioritize whichever of the two algorithms is returned by
this function. Note that the function may be called multiple times, and it
must return one of the two algorithms provided. By default, ssri will make
a best-effort to pick the strongest/most reliable of the given algorithms. It
may intentionally deprioritize algorithms with known vulnerabilities.
Example
ssri.parse('sha1-WEakDigEST sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1').pickAlgorithm() // sha512
