DEV: add validation on content_security_policy_script_src site setting (#27564)

* DEV: add validation on content_security_policy_script_src site setting
2025-05-23 22:51:06 +08:00 · 2024-06-21 17:00:22 +08:00
parent ca4af53be8
commit 60d5170587
5 changed files with 75 additions and 11 deletions
--- a/lib/validators/csp_script_src_validator.rb
+++ b/lib/validators/csp_script_src_validator.rb
@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class CspScriptSrcValidator
+  VALID_SOURCE_REGEX =
+    /
+        (?:\A'unsafe-eval'\z)|
+        (?:\A'wasm-unsafe-eval'\z)|
+        (?:\A'sha(?:256|384|512)-[A-Za-z0-9+\/\-_]+={0,2}'\z)
+      /x
+
+  def initialize(opts = {})
+    @opts = opts
+  end
+
+  def valid_value?(values)
+    values.split("|").all? { _1.match? VALID_SOURCE_REGEX }
+  end
+
+  def error_message
+    I18n.t("site_settings.errors.invalid_csp_script_src")
+  end
+end