Added support for Subresource Integrity

thejoeejoee · thejoeejoee · commit 238bba2599d4 · 2022-02-16T22:53:11.000+01:00
diff --git a/tests/app/templates/single.html b/tests/app/templates/single.html
@@ -0,0 +1,14 @@
+{% load render_bundle webpack_static from webpack_loader %}
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8">
+    <title>Example</title>
+    {% render_bundle 'main' 'css' %}
+  </head>
+
+  <body>
+    <div id="react-app"></div>
+    {% render_bundle 'main' 'js' %}
+  </body>
+</html>
diff --git a/tests/app/tests/test_webpack.py b/tests/app/tests/test_webpack.py
@@ -210,6 +210,25 @@ def test_preload(self):
             '<script src="/static/django_webpack_loader_bundles/main.js" >'
             '</script>'), result.rendered_content)
 
+    def test_integrity(self):
+        self.compile_bundles('webpack.config.integrity.js')
+
+        loader = get_loader(DEFAULT_CONFIG)
+        with patch.dict(loader.config, {'INTEGRITY': True}):
+            view = TemplateView.as_view(template_name='single.html')
+            request = self.factory.get('/')
+            result = view(request)
+
+            self.assertIn((
+                '<script src="/static/django_webpack_loader_bundles/main.js" '
+                'integrity="sha256-1wgFMxcDlOWYV727qRvWNoPHdnOGFNVMLuKd25cjR+o=">'
+                '</script>'), result.rendered_content)
+            self.assertIn((
+                '<link href="/static/django_webpack_loader_bundles/main.css" rel="stylesheet" '
+                'integrity="sha256-cYWwRvS04/VsttQYx4BalKYrBDuw5t8vKFhWB/LKX30="/>'),
+                result.rendered_content
+            )
+
     def test_append_extensions(self):
         self.compile_bundles('webpack.config.gzipTest.js')
         view = TemplateView.as_view(template_name='append_extensions.html')
diff --git a/tests/webpack.config.integrity.js b/tests/webpack.config.integrity.js
@@ -0,0 +1,41 @@
+var path = require("path");
+var webpack = require('webpack');
+var BundleTracker = require('webpack-bundle-tracker');
+var MiniCssExtractPlugin = require('mini-css-extract-plugin');
+
+
+module.exports = {
+  context: __dirname,
+  entry: './assets/js/index',
+  output: {
+      path: path.resolve('./assets/django_webpack_loader_bundles/'),
+      filename: "[name].js"
+  },
+
+  plugins: [
+    new MiniCssExtractPlugin(),
+    new BundleTracker({path: __dirname, filename: './webpack-stats.json', integrity: true}),
+  ],
+
+  module: {
+    rules: [
+      // we pass the output from babel loader to react-hot loader
+      {
+        test: /\.jsx?$/,
+        exclude: /node_modules/,
+        use: {
+          loader: 'babel-loader',
+          options: {
+            presets: ['@babel/preset-react']
+          }
+        }
+      },
+      { test: /\.css$/, use: [MiniCssExtractPlugin.loader, 'css-loader'], }
+    ],
+  },
+
+  resolve: {
+    modules: ['node_modules'],
+    extensions: ['.js', '.jsx']
+  },
+}
diff --git a/webpack_loader/config.py b/webpack_loader/config.py
@@ -15,6 +15,7 @@
         'TIMEOUT': None,
         'IGNORE': [r'.+\.hot-update.js', r'.+\.map'],
         'LOADER_CLASS': 'webpack_loader.loader.WebpackLoader',
+        'INTEGRITY': False,
     }
 }
 
diff --git a/webpack_loader/loader.py b/webpack_loader/loader.py
@@ -38,6 +38,18 @@ def get_assets(self):
             return self._assets[self.name]
         return self.load_assets()
 
+    def get_integrity_attr(self, chunk):
+        if not self.config['INTEGRITY']:
+            return ''
+
+        integrity = chunk.get('integrity')
+        if not integrity:
+            raise WebpackLoaderBadStatsError(
+                "The stats file does not contain valid data: INTEGRITY is set to True, "
+                "but chunk does not contain \"integrity\" key.")
+
+        return 'integrity="{}"'.format(integrity.partition(' ')[0])
+
     def filter_chunks(self, chunks):
         filtered_chunks = []
 
@@ -53,9 +65,15 @@ def map_chunk_files_to_url(self, chunks):
         assets = self.get_assets()
         files = assets['assets']
 
+        add_integrity = self.config['INTEGRITY']
+
         for chunk in chunks:
             url = self.get_chunk_url(files[chunk])
-            yield { 'name': chunk, 'url': url }
+
+            if add_integrity:
+                yield {'name': chunk, 'url': url, 'integrity': files[chunk].get('integrity')}
+            else:
+                yield {'name': chunk, 'url': url}
 
     def get_chunk_url(self, chunk_file):
         public_path = chunk_file.get('publicPath')
diff --git a/webpack_loader/utils.py b/webpack_loader/utils.py
@@ -60,6 +60,9 @@ def get_as_tags(bundle_name, extension=None, config='DEFAULT', suffix='', attrs=
 
     bundle = _get_bundle(bundle_name, extension, config)
     tags = []
+
+    loader = get_loader(config)
+
     for chunk in bundle:
         if chunk['name'].endswith(('.js', '.js.gz')):
             if is_preload:
@@ -68,12 +71,21 @@ def get_as_tags(bundle_name, extension=None, config='DEFAULT', suffix='', attrs=
                 ).format(''.join([chunk['url'], suffix]), attrs))
             else:
                 tags.append((
-                    '<script src="{0}" {1}></script>'
-                ).format(''.join([chunk['url'], suffix]), attrs))
+                    '<script src="{0}" {1}{2}></script>'
+                ).format(
+                    ''.join([chunk['url'], suffix]),
+                    attrs,
+                    loader.get_integrity_attr(chunk),
+                ))
         elif chunk['name'].endswith(('.css', '.css.gz')):
             tags.append((
-                '<link href="{0}" rel={2} {1}/>'
-            ).format(''.join([chunk['url'], suffix]), attrs, '"stylesheet"' if not is_preload else '"preload" as="style"'))
+                '<link href="{0}" rel={2} {1}{3}/>'
+            ).format(
+                ''.join([chunk['url'], suffix]),
+                attrs,
+                '"stylesheet"' if not is_preload else '"preload" as="style"',
+                loader.get_integrity_attr(chunk),
+            ))
     return tags
 
 

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@`
`15`	`15`	`'TIMEOUT': None,`
`16`	`16`	`'IGNORE': [r'.+\.hot-update.js', r'.+\.map'],`
`17`	`17`	`'LOADER_CLASS': 'webpack_loader.loader.WebpackLoader',`
	`18`	`+ 'INTEGRITY': False,`
`18`	`19`	`}`
`19`	`20`	`}`
`20`	`21`