diff --git a/lib/fetch/util.js b/lib/fetch/util.js index 27adea72085..ae20a05d815 100644 --- a/lib/fetch/util.js +++ b/lib/fetch/util.js @@ -5,6 +5,7 @@ const { performance } = require('perf_hooks') const { isBlobLike, toUSVString, ReadableStreamFrom } = require('../core/util') const assert = require('assert') const { isUint8Array } = require('util/types') +const { createHash } = require('crypto') let File @@ -341,7 +342,8 @@ function determineRequestsReferrer (request) { } function matchRequestIntegrity (request, bytes) { - return false + const [algo, expectedHashValue] = request.integrity.split('-', 2) + return createHash(algo).update(bytes).digest('hex') === expectedHashValue } // https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request diff --git a/test/fetch/client-fetch.js b/test/fetch/client-fetch.js index 935abe9f0d0..4ec4545d544 100644 --- a/test/fetch/client-fetch.js +++ b/test/fetch/client-fetch.js @@ -536,28 +536,3 @@ test('Receiving non-Latin1 headers', async (t) => { t.same(lengths, [30, 34, 94, 104, 90]) t.end() }) - -// https://github.com/nodejs/undici/issues/1594 -// TODO(@KhafraDev): this test fails because of an integrity-mismatch check -// that hasn't been implemented when this comment was written. Enable this -// check once a resource's integrity is checked. -// test('with RequestInit.integrity set', async (t) => { -// const body = 'Hello world' -// const hash = require('crypto').createHash('sha256').update(body).digest('hex') -// -// const server = createServer((req, res) => { -// res.write(body) -// res.end() -// }).listen(0) -// -// t.teardown(server.close.bind(server)) -// await once(server, 'listening') -// -// const response = await fetch(`http://localhost:${server.address().port}`, { -// integrity: `sha256-${hash}` -// }) -// -// const ab = await response.arrayBuffer() -// -// t.same(new Uint8Array(ab), new TextEncoder().encode(body)) -// }) diff --git a/test/fetch/integrity.js b/test/fetch/integrity.js new file mode 100644 index 00000000000..bd464218d55 --- /dev/null +++ b/test/fetch/integrity.js @@ -0,0 +1,74 @@ +'use strict' + +const { test } = require('tap') +const { createServer } = require('http') +const { createHash } = require('crypto') +const { gzipSync } = require('zlib') +const { fetch, setGlobalDispatcher, Agent } = require('../..') + +setGlobalDispatcher(new Agent({ + keepAliveTimeout: 1, + keepAliveMaxTimeout: 1 +})) + +test('request with correct integrity checksum', (t) => { + const body = 'Hello world!' + const hash = createHash('sha256').update(body).digest('hex') + + const server = createServer((req, res) => { + res.end(body) + }) + + t.teardown(server.close.bind(server)) + + server.listen(0, async () => { + const response = await fetch(`http://localhost:${server.address().port}`, { + integrity: `sha256-${hash}` + }) + t.strictSame(body, await response.text()) + t.end() + }) +}) + +test('request with wrong integrity checksum', (t) => { + const body = 'Hello world!' + const hash = 'c0535e4be2b79ffd93291305436bf889314e4a3faec05ecffcbb7df31ad9e51b' + + const server = createServer((req, res) => { + res.end(body) + }) + + t.teardown(server.close.bind(server)) + + server.listen(0, () => { + fetch(`http://localhost:${server.address().port}`, { + integrity: `sha256-${hash}` + }).then(response => { + t.fail('fetch did not fail') + }).catch((err) => { + t.equal(err.cause.message, 'integrity mismatch') + }).finally(() => { + t.end() + }) + }) +}) + +test('request with integrity checksum on encoded body', (t) => { + const body = 'Hello world!' + const hash = createHash('sha256').update(body).digest('hex') + + const server = createServer((req, res) => { + res.setHeader('content-encoding', 'gzip') + res.end(gzipSync(body)) + }) + + t.teardown(server.close.bind(server)) + + server.listen(0, async () => { + const response = await fetch(`http://localhost:${server.address().port}`, { + integrity: `sha256-${hash}` + }) + t.strictSame(body, await response.text()) + t.end() + }) +})