From 1a7edaca3c3e7235c29f164b7e59aea9a910dd3a Mon Sep 17 00:00:00 2001
From: Rohan Sircar
Date: Fri, 29 May 2020 15:20:27 +0530
Subject: [PATCH] Browserified chat web worker
This was done because previously, the worker used importscript to load deps from a CDN, which was vulnerable to attacks like XSS because it does not support SRI. The web worker also cannot access deps from the global head.
---
 chatto/.gitignore | 1 +
 chatto/src/main/javascript/Gruntfile.js | 20 +++++-
 chatto/src/main/javascript/package.json | 1 -
 .../workers/encryption-worker/main.ts | 9 +++
 .../workers/encryption-worker/tsconfig.json | 66 +++++++++++++++++++
 chatto/src/main/resources/static/js/worker.js | 10 ---
 6 files changed, 93 insertions(+), 14 deletions(-)
 create mode 100644 chatto/src/main/javascript/workers/encryption-worker/main.ts
 create mode 100644 chatto/src/main/javascript/workers/encryption-worker/tsconfig.json
 delete mode 100644 chatto/src/main/resources/static/js/worker.js
diff --git a/chatto/.gitignore b/chatto/.gitignore
index a1c42da..b49e130 100644
--- a/chatto/.gitignore
+++ b/chatto/.gitignore
@@ -35,6 +35,7 @@ node_modules
 config
 bundle.js
 bundle.min.js
+worker.js
 src/main/javascript/node/
 dist
 out
diff --git a/chatto/src/main/javascript/Gruntfile.js b/chatto/src/main/javascript/Gruntfile.js
index f8416e1..a386c26 100644
--- a/chatto/src/main/javascript/Gruntfile.js
+++ b/chatto/src/main/javascript/Gruntfile.js
@@ -12,8 +12,21 @@ module.exports = function(grunt) {
 src: '../resources/static/js/bundle.js',
 dest: '../resources/static/js/bundle.min.js'
 },
+ chat_worker: {
+ src: '../resources/static/js/worker.js',
+ dest: '../resources/static/js/worker.js'
+ },
 },
 browserify: {
+ chat_worker_dev: {
+ src: 'workers/encryption-worker/main.ts',
+ dest: '../resources/static/js/worker.js',
+ options: {
+ browserifyOptions: {
+ debug: true
+ },
+ }
+ },
 dev: {
 src: 'ts/src/main.ts',
 dest: '../resources/static/js/bundle.js',
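Review bot: The production build reuses the `chat_worker_dev` target, so the worker bundle that `prod` ships is built with `browserifyOptions.debug: true` and therefore carries the inline source map (with embedded TypeScript source) that browserify emits in debug mode; the `prod` task list is in the third Gruntfile hunk, `grunt.registerTask('prod', ["browserify:prod", 'browserify:chat_worker_dev', "terser"])`. Unless the in-place `chat_worker` terser step is configured to strip that comment, the decryption worker's source ends up in the served `worker.js`. A separate `chat_worker_prod` target without `debug`, used by `prod` instead, keeps dev-only source maps out of the deployed artifact, matching the `dev`/`prod` split the main bundle already has. The `terser.chat_worker` target also writes its output back over its own source, which works for a single pass but deserves a comment such as `// minified in place; browserify:chat_worker_* regenerates it`.
```javascript
      chat_worker_dev: {
        // … unchanged: debug build of the worker …
      },
      // production worker bundle: no source map, so no TypeScript source in the served file
      chat_worker_prod: {
        src: 'workers/encryption-worker/main.ts',
        dest: '../resources/static/js/worker.js',
      },
```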
@@ -35,7 +48,7 @@ module.exports = function(grunt) {
 },
 options: {
 plugin: [
- ['tsify', { target: 'ES6', noImplicitAny: true }], // register plugin by name
+ ['tsify', { target: 'ES6', noImplicitAny: true, esModuleInterop: true, allowSyntheticDefaultImports: true }], // register plugin by name
 ],
@@ -51,10 +64,11 @@ module.exports = function(grunt) {
 // grunt.registerTask('default', ['uglify']);
 grunt.loadNpmTasks('grunt-browserify')
+ grunt.loadNpmTasks('grunt-banner');
- grunt.registerTask('default', ['browserify:dev'])
- grunt.registerTask('prod', ["browserify:prod", "terser"])
+ grunt.registerTask('default', ['browserify:dev','browserify:chat_worker_dev'])
+ grunt.registerTask('prod', ["browserify:prod", 'browserify:chat_worker_dev', "terser"])
 };
\ No newline at end of file
diff --git a/chatto/src/main/javascript/package.json b/chatto/src/main/javascript/package.json
index d3222bc..39dfdef 100644
--- a/chatto/src/main/javascript/package.json
+++ b/chatto/src/main/javascript/package.json
@@ -44,7 +44,6 @@
 "handlebars": "global:Handlebars",
 "dompurify": "global:DOMPurify",
 "fuse.js": "global:Fuse",
- "sjcl": "global:sjcl",
 "sprintf-js": "global:sprintf",
 "alertifyjs": "global:alertify",
 "bootbox": {
diff --git a/chatto/src/main/javascript/workers/encryption-worker/main.ts b/chatto/src/main/javascript/workers/encryption-worker/main.ts
new file mode 100644
index 0000000..c5cd2c8
--- /dev/null
+++ b/chatto/src/main/javascript/workers/encryption-worker/main.ts
@@ -0,0 +1,9 @@
+import registerPromiseWorker from 'promise-worker/register';
+import * as sjcl from 'sjcl'
+
+
+registerPromiseWorker((payload) => {
+ // console.log(payload)
+ // console.log('decrypted = ' + sjcl.decrypt(payload.passphrase, JSON.stringify(payload.cipher)));
+ return sjcl.decrypt(payload.passphrase, JSON.stringify(payload.cipher))
+});
\ No newline at end of file
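Review bot: `grunt.loadNpmTasks('grunt-banner');` in the third Gruntfile hunk loads a plugin that nothing in this commit configures or adds to `default`/`prod`, and the package.json hunk does not add it as a dependency, so unless it is wired up outside these hunks the line is dead and grunt will warn about a missing local module when the package is not installed. Either drop the line or register the task that uses it. The rewritten `registerTask` lines also mix quote styles and omit the semicolon the new `loadNpmTasks` line has; `grunt.registerTask('default', ['browserify:dev', 'browserify:chat_worker_dev']);` keeps the file consistent.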
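Review bot: Removing the `"sjcl": "global:sjcl"` shim entry affects every browserify entry, not only the worker: the main bundle built from `ts/src/main.ts` will now inline sjcl from node_modules too, if it imports it. If the page still loads sjcl from a CDN `<script>` for the main bundle's sake, that tag and its global become redundant and dropping it completes the move away from CDN-loaded crypto that the commit message describes. Worth confirming that sjcl is a pinned entry in the package's dependencies, which this hunk does not show, so both bundles resolve the same version.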
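Review bot: The two commented-out `console.log` lines inside the handler should be deleted rather than kept: the first would print the whole `payload`, including `passphrase`, and the second the decrypted plaintext, so a careless re-enable puts both in the worker console. `payload` is also untyped (it takes the `any` from promise-worker's callback signature), so nothing documents that `passphrase` and `cipher` are expected; a small request interface makes the contract explicit without changing behaviour, and a bad passphrase or malformed ciphertext still surfaces as a thrown sjcl error that promise-worker should forward as a rejection. `JSON.stringify(payload.cipher)` assumes the caller posts `cipher` as the parsed sjcl object rather than an already-serialised string, which deserves a comment on that line. The handler is complete within the hunk.
```typescript
import registerPromiseWorker from 'promise-worker/register';
import * as sjcl from 'sjcl';

/** Message posted to the worker: the sjcl ciphertext object and the passphrase that unlocks it. */
interface DecryptRequest {
  passphrase: string;
  cipher: object; // parsed sjcl ciphertext, re-serialised below because sjcl.decrypt takes a JSON string
}

// Runs off the main thread; errors thrown by sjcl propagate to the caller as a rejected promise.
registerPromiseWorker((payload: DecryptRequest) =>
  sjcl.decrypt(payload.passphrase, JSON.stringify(payload.cipher)),
);
```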
diff --git a/chatto/src/main/javascript/workers/encryption-worker/tsconfig.json b/chatto/src/main/javascript/workers/encryption-worker/tsconfig.json
new file mode 100644
index 0000000..9fa07a6
--- /dev/null
+++ b/chatto/src/main/javascript/workers/encryption-worker/tsconfig.json
@@ -0,0 +1,66 @@ +{ + "compilerOptions": { + /* Basic Options */ + // "incremental": true, /* Enable incremental compilation */ + "target": "es6", /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */ + "module": "commonjs", /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */ + // "lib": [], /* Specify library files to be included in the compilation. */ + // "allowJs": true, /* Allow javascript files to be compiled. */ + // "checkJs": true, /* Report errors in .js files. */ + // "jsx": "preserve", /* Specify JSX code generation: 'preserve', 'react-native', or 'react'. */ + // "declaration": true, /* Generates corresponding '.d.ts' file. */ + // "declarationMap": true, /* Generates a sourcemap for each corresponding '.d.ts' file. */ + // "sourceMap": true, /* Generates corresponding '.map' file. */ + // "outFile": "./", /* Concatenate and emit output to single file. */ + // "outDir": "./", /* Redirect output structure to the directory. */ + // "rootDir": "./", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */ + // "composite": true, /* Enable project compilation */ + // "tsBuildInfoFile": "./", /* Specify file to store incremental compilation information */ + // "removeComments": true, /* Do not emit comments to output. */ + // "noEmit": true, /* Do not emit outputs. */ + // "importHelpers": true, /* Import emit helpers from 'tslib'. */ + // "downlevelIteration": true, /* Provide full support for iterables in 'for-of', spread, and destructuring when targeting 'ES5' or 'ES3'. */ + // "isolatedModules": true, /* Transpile each file as a separate module (similar to 'ts.transpileModule'). */ + + /* Strict Type-Checking Options */ + "strict": true, /* Enable all strict type-checking options. 
*/ + // "noImplicitAny": true, /* Raise error on expressions and declarations with an implied 'any' type. */ + // "strictNullChecks": true, /* Enable strict null checks. */ + // "strictFunctionTypes": true, /* Enable strict checking of function types. */ + // "strictBindCallApply": true, /* Enable strict 'bind', 'call', and 'apply' methods on functions. */ + // "strictPropertyInitialization": true, /* Enable strict checking of property initialization in classes. */ + // "noImplicitThis": true, /* Raise error on 'this' expressions with an implied 'any' type. */ + // "alwaysStrict": true, /* Parse in strict mode and emit "use strict" for each source file. */ + + /* Additional Checks */ + // "noUnusedLocals": true, /* Report errors on unused locals. */ + // "noUnusedParameters": true, /* Report errors on unused parameters. */ + // "noImplicitReturns": true, /* Report error when not all code paths in function return a value. */ + // "noFallthroughCasesInSwitch": true, /* Report errors for fallthrough cases in switch statement. */ + + /* Module Resolution Options */ + // "moduleResolution": "node", /* Specify module resolution strategy: 'node' (Node.js) or 'classic' (TypeScript pre-1.6). */ + // "baseUrl": "./", /* Base directory to resolve non-absolute module names. */ + // "paths": {}, /* A series of entries which re-map imports to lookup locations relative to the 'baseUrl'. */ + // "rootDirs": [], /* List of root folders whose combined content represents the structure of the project at runtime. */ + // "typeRoots": [], /* List of folders to include type definitions from. */ + // "types": [], /* Type declaration files to be included in compilation. */ + "allowSyntheticDefaultImports": true, /* Allow default imports from modules with no default export. This does not affect code emit, just typechecking. */ + "esModuleInterop": true, /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. 
Implies 'allowSyntheticDefaultImports'. */
+ // "preserveSymlinks": true, /* Do not resolve the real path of symlinks. */
+ // "allowUmdGlobalAccess": true, /* Allow accessing UMD globals from modules. */
+
+ /* Source Map Options */
+ // "sourceRoot": "", /* Specify the location where debugger should locate TypeScript files instead of source locations. */
+ // "mapRoot": "", /* Specify the location where debugger should locate map files instead of generated locations. */
+ // "inlineSourceMap": true, /* Emit a single file with source maps instead of having a separate file. */
+ // "inlineSources": true, /* Emit the source alongside the sourcemaps within a single file; requires '--inlineSourceMap' or '--sourceMap' to be set. */
+
+ /* Experimental Options */
+ // "experimentalDecorators": true, /* Enables experimental support for ES7 decorators. */
+ // "emitDecoratorMetadata": true, /* Enables experimental support for emitting type metadata for decorators. */
+
+ /* Advanced Options */
+ "forceConsistentCasingInFileNames": true /* Disallow inconsistently-cased references to the same file. */
+ }
+}
diff --git a/chatto/src/main/resources/static/js/worker.js b/chatto/src/main/resources/static/js/worker.js
deleted file mode 100644
index 0088fc7..0000000
--- a/chatto/src/main/resources/static/js/worker.js
+++ /dev/null
@@ -1,10 +0,0 @@
-// worker.js
-importScripts('https://unpkg.com/promise-worker/dist/promise-worker.register.js');
-// importScripts('https://unpkg.com/promise-worker@2.0.1/dist/promise-worker.register.js')
-importScripts('https://cdnjs.cloudflare.com/ajax/libs/sjcl/1.0.8/sjcl.min.js');
-
-registerPromiseWorker((payload) => {
- // console.log(payload)
- // console.log('decrypted = ' + sjcl.decrypt(payload.passphrase, JSON.stringify(payload.cipher)));
- return sjcl.decrypt(payload.passphrase, JSON.stringify(payload.cipher))
-});
\ No newline at end of file
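Review bot: It is not clear from the Gruntfile hunks that this tsconfig.json is ever consulted: tsify is registered there with inline compiler options (`['tsify', { target: 'ES6', noImplicitAny: true, esModuleInterop: true, allowSyntheticDefaultImports: true }]`), and as far as I know tsify looks for a tsconfig relative to the working directory unless given a `project` option, so the `strict: true` set here may never apply to the worker build. Either point the `chat_worker_dev` target at this directory through tsify's `project` option, or drop the file and keep the options in one place so the two do not drift. If the file stays, a header comment such as `// Used by the browserify:chat_worker_* targets via tsify; keep in sync with Gruntfile.js` makes the intent explicit (tsconfig.json accepts comments, as the file itself shows).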