diff --git a/dist/add-item.js b/dist/add-item.js index 466582c..093e33a 100644 --- a/dist/add-item.js +++ b/dist/add-item.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/dist/archive-item.js b/dist/archive-item.js index e0fc95d..3120bb5 100644 --- a/dist/archive-item.js +++ b/dist/archive-item.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/dist/close-project.js b/dist/close-project.js index 659d0a7..af2d6a9 100644 --- a/dist/close-project.js +++ b/dist/close-project.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/dist/completed-by.js b/dist/completed-by.js index 9238143..703ac91 100644 --- a/dist/completed-by.js +++ b/dist/completed-by.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/dist/copy-project.js b/dist/copy-project.js index c54a34c..857efd9 100644 --- a/dist/copy-project.js +++ b/dist/copy-project.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/dist/delete-item.js b/dist/delete-item.js index e8546d5..8292edb 100644 --- a/dist/delete-item.js +++ b/dist/delete-item.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/dist/delete-project.js b/dist/delete-project.js index 652c0fb..90e90c4 100644 --- a/dist/delete-project.js +++ b/dist/delete-project.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/dist/edit-item.js b/dist/edit-item.js index 3d2e670..5728d52 100644 --- a/dist/edit-item.js +++ b/dist/edit-item.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/dist/edit-project.js b/dist/edit-project.js index 924ca08..81d8a38 100644 --- a/dist/edit-project.js +++ b/dist/edit-project.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/dist/find-project.js b/dist/find-project.js index 4692063..fbb3ce5 100644 --- a/dist/find-project.js +++ b/dist/find-project.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/dist/get-item.js b/dist/get-item.js index 210e010..b82ac0e 100644 --- a/dist/get-item.js +++ b/dist/get-item.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/dist/get-project.js b/dist/get-project.js index eef8bd8..a2e7738 100644 --- a/dist/get-project.js +++ b/dist/get-project.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/dist/github-script/index.js b/dist/github-script/index.js index eb8066d..0a598d4 100644 --- a/dist/github-script/index.js +++ b/dist/github-script/index.js @@ -20827,6 +20827,132 @@ function onConnectTimeout (socket) { module.exports = buildConnector +/***/ }), + +/***/ 4462: +/***/ ((module) => { + +"use strict"; + + +/** @type {Record} */ +const headerNameLowerCasedRecord = {} + +// https://developer.mozilla.org/docs/Web/HTTP/Headers +const wellknownHeaderNames = [ + 'Accept', + 'Accept-Encoding', + 'Accept-Language', + 'Accept-Ranges', + 'Access-Control-Allow-Credentials', + 'Access-Control-Allow-Headers', + 'Access-Control-Allow-Methods', + 'Access-Control-Allow-Origin', + 'Access-Control-Expose-Headers', + 'Access-Control-Max-Age', + 'Access-Control-Request-Headers', + 'Access-Control-Request-Method', + 'Age', + 'Allow', + 'Alt-Svc', + 'Alt-Used', + 'Authorization', + 'Cache-Control', + 'Clear-Site-Data', + 'Connection', + 'Content-Disposition', + 'Content-Encoding', + 'Content-Language', + 'Content-Length', + 'Content-Location', + 'Content-Range', + 'Content-Security-Policy', + 'Content-Security-Policy-Report-Only', + 'Content-Type', + 'Cookie', + 'Cross-Origin-Embedder-Policy', + 'Cross-Origin-Opener-Policy', + 'Cross-Origin-Resource-Policy', + 'Date', + 'Device-Memory', + 'Downlink', + 'ECT', + 'ETag', + 'Expect', + 'Expect-CT', + 'Expires', + 'Forwarded', + 'From', + 'Host', + 'If-Match', + 'If-Modified-Since', + 'If-None-Match', + 'If-Range', + 'If-Unmodified-Since', + 'Keep-Alive', + 'Last-Modified', + 'Link', + 'Location', + 'Max-Forwards', + 'Origin', + 'Permissions-Policy', + 'Pragma', + 'Proxy-Authenticate', + 'Proxy-Authorization', + 'RTT', + 'Range', + 'Referer', + 'Referrer-Policy', + 'Refresh', + 'Retry-After', + 'Sec-WebSocket-Accept', + 'Sec-WebSocket-Extensions', + 'Sec-WebSocket-Key', + 'Sec-WebSocket-Protocol', + 'Sec-WebSocket-Version', + 'Server', + 'Server-Timing', + 'Service-Worker-Allowed', + 'Service-Worker-Navigation-Preload', + 'Set-Cookie', + 'SourceMap', + 'Strict-Transport-Security', + 'Supports-Loading-Mode', + 'TE', + 'Timing-Allow-Origin', + 'Trailer', + 'Transfer-Encoding', + 'Upgrade', + 'Upgrade-Insecure-Requests', + 'User-Agent', + 'Vary', + 'Via', + 'WWW-Authenticate', + 'X-Content-Type-Options', + 'X-DNS-Prefetch-Control', + 'X-Frame-Options', + 'X-Permitted-Cross-Domain-Policies', + 'X-Powered-By', + 'X-Requested-With', + 'X-XSS-Protection' +] + +for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i] + const lowerCasedKey = key.toLowerCase() + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = + lowerCasedKey +} + +// Note: object prototypes should not be able to be referenced. e.g. `Object#hasOwnProperty`. +Object.setPrototypeOf(headerNameLowerCasedRecord, null) + +module.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord +} + + /***/ }), /***/ 8045: @@ -21659,6 +21785,7 @@ const { InvalidArgumentError } = __nccwpck_require__(8045) const { Blob } = __nccwpck_require__(4300) const nodeUtil = __nccwpck_require__(3837) const { stringify } = __nccwpck_require__(3477) +const { headerNameLowerCasedRecord } = __nccwpck_require__(4462) const [nodeMajor, nodeMinor] = process.versions.node.split('.').map(v => Number(v)) @@ -21868,6 +21995,15 @@ function parseKeepAliveTimeout (val) { return m ? parseInt(m[1], 10) * 1000 : null } +/** + * Retrieves a header name and returns its lowercase value. + * @param {string | Buffer} value Header name + * @returns {string} + */ +function headerNameToString (value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase() +} + function parseHeaders (headers, obj = {}) { // For H2 support if (!Array.isArray(headers)) return headers @@ -22139,6 +22275,7 @@ module.exports = { isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -26275,6 +26412,9 @@ function httpRedirectFetch (fetchParams, response) { // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name request.headersList.delete('authorization') + // https://fetch.spec.whatwg.org/#authentication-entries + request.headersList.delete('proxy-authorization', true) + // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. request.headersList.delete('cookie') request.headersList.delete('host') @@ -28783,14 +28923,18 @@ const { isBlobLike, toUSVString, ReadableStreamFrom } = __nccwpck_require__(3983 const assert = __nccwpck_require__(9491) const { isUint8Array } = __nccwpck_require__(9830) +let supportedHashes = [] + // https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable /** @type {import('crypto')|undefined} */ let crypto try { crypto = __nccwpck_require__(6113) + const possibleRelevantHashes = ['sha256', 'sha384', 'sha512'] + supportedHashes = crypto.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)) +/* c8 ignore next 3 */ } catch { - } function responseURL (response) { @@ -29318,66 +29462,56 @@ function bytesMatch (bytes, metadataList) { return true } - // 3. If parsedMetadata is the empty set, return true. + // 3. If response is not eligible for integrity validation, return false. + // TODO + + // 4. If parsedMetadata is the empty set, return true. if (parsedMetadata.length === 0) { return true } - // 4. Let metadata be the result of getting the strongest + // 5. Let metadata be the result of getting the strongest // metadata from parsedMetadata. - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)) - // get the strongest algorithm - const strongest = list[0].algo - // get all entries that use the strongest algorithm; ignore weaker - const metadata = list.filter((item) => item.algo === strongest) + const strongest = getStrongestMetadata(parsedMetadata) + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest) - // 5. For each item in metadata: + // 6. For each item in metadata: for (const item of metadata) { // 1. Let algorithm be the alg component of item. const algorithm = item.algo // 2. Let expectedValue be the val component of item. - let expectedValue = item.hash + const expectedValue = item.hash // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e // "be liberal with padding". This is annoying, and it's not even in the spec. - if (expectedValue.endsWith('==')) { - expectedValue = expectedValue.slice(0, -2) - } - // 3. Let actualValue be the result of applying algorithm to bytes. let actualValue = crypto.createHash(algorithm).update(bytes).digest('base64') - if (actualValue.endsWith('==')) { - actualValue = actualValue.slice(0, -2) + if (actualValue[actualValue.length - 1] === '=') { + if (actualValue[actualValue.length - 2] === '=') { + actualValue = actualValue.slice(0, -2) + } else { + actualValue = actualValue.slice(0, -1) + } } // 4. If actualValue is a case-sensitive match for expectedValue, // return true. - if (actualValue === expectedValue) { - return true - } - - let actualBase64URL = crypto.createHash(algorithm).update(bytes).digest('base64url') - - if (actualBase64URL.endsWith('==')) { - actualBase64URL = actualBase64URL.slice(0, -2) - } - - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true } } - // 6. Return false. + // 7. Return false. return false } // https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options // https://www.w3.org/TR/CSP2/#source-list-syntax // https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1 -const parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i +const parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i /** * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata @@ -29391,8 +29525,6 @@ function parseMetadata (metadata) { // 2. Let empty be equal to true. let empty = true - const supportedHashes = crypto.getHashes() - // 3. For each token returned by splitting metadata on spaces: for (const token of metadata.split(' ')) { // 1. Set empty to false. @@ -29402,7 +29534,11 @@ function parseMetadata (metadata) { const parsedToken = parseHashWithOptions.exec(token) // 3. If token does not parse, continue to the next token. - if (parsedToken === null || parsedToken.groups === undefined) { + if ( + parsedToken === null || + parsedToken.groups === undefined || + parsedToken.groups.algo === undefined + ) { // Note: Chromium blocks the request at this point, but Firefox // gives a warning that an invalid integrity was given. The // correct behavior is to ignore these, and subsequently not @@ -29411,11 +29547,11 @@ function parseMetadata (metadata) { } // 4. Let algorithm be the hash-algo component of token. - const algorithm = parsedToken.groups.algo + const algorithm = parsedToken.groups.algo.toLowerCase() // 5. If algorithm is a hash function recognized by the user // agent, add the parsed token to result. - if (supportedHashes.includes(algorithm.toLowerCase())) { + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups) } } @@ -29428,6 +29564,82 @@ function parseMetadata (metadata) { return result } +/** + * @param {{ algo: 'sha256' | 'sha384' | 'sha512' }[]} metadataList + */ +function getStrongestMetadata (metadataList) { + // Let algorithm be the algo component of the first item in metadataList. + // Can be sha256 + let algorithm = metadataList[0].algo + // If the algorithm is sha512, then it is the strongest + // and we can return immediately + if (algorithm[3] === '5') { + return algorithm + } + + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i] + // If the algorithm is sha512, then it is the strongest + // and we can break the loop immediately + if (metadata.algo[3] === '5') { + algorithm = 'sha512' + break + // If the algorithm is sha384, then a potential sha256 or sha384 is ignored + } else if (algorithm[3] === '3') { + continue + // algorithm is sha256, check if algorithm is sha384 and if so, set it as + // the strongest + } else if (metadata.algo[3] === '3') { + algorithm = 'sha384' + } + } + return algorithm +} + +function filterMetadataListByAlgorithm (metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList + } + + let pos = 0 + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i] + } + } + + metadataList.length = pos + + return metadataList +} + +/** + * Compares two base64 strings, allowing for base64url + * in the second string. + * +* @param {string} actualValue always base64 + * @param {string} expectedValue base64 or base64url + * @returns {boolean} + */ +function compareBase64Mixed (actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if ( + (actualValue[i] === '+' && expectedValue[i] === '-') || + (actualValue[i] === '/' && expectedValue[i] === '_') + ) { + continue + } + return false + } + } + + return true +} + // https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request function tryUpgradeRequestToAPotentiallyTrustworthyURL (request) { // TODO @@ -29843,7 +30055,8 @@ module.exports = { urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata } @@ -31930,12 +32143,17 @@ function parseLocation (statusCode, headers) { // https://tools.ietf.org/html/rfc7231#section-6.4.4 function shouldRemoveHeader (header, removeContent, unknownOrigin) { - return ( - (header.length === 4 && header.toString().toLowerCase() === 'host') || - (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) || - (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') || - (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie') - ) + if (header.length === 4) { + return util.headerNameToString(header) === 'host' + } + if (removeContent && util.headerNameToString(header).startsWith('content-')) { + return true + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header) + return name === 'authorization' || name === 'cookie' || name === 'proxy-authorization' + } + return false } // https://tools.ietf.org/html/rfc7231#section-6.4 diff --git a/dist/link-project.js b/dist/link-project.js index 0128756..1b1fe33 100644 --- a/dist/link-project.js +++ b/dist/link-project.js @@ -1141,6 +1141,121 @@ var require_errors = __commonJS({ } }); +// node_modules/undici/lib/core/constants.js +var require_constants = __commonJS({ + "node_modules/undici/lib/core/constants.js"(exports2, module2) { + "use strict"; + var headerNameLowerCasedRecord = {}; + var wellknownHeaderNames = [ + "Accept", + "Accept-Encoding", + "Accept-Language", + "Accept-Ranges", + "Access-Control-Allow-Credentials", + "Access-Control-Allow-Headers", + "Access-Control-Allow-Methods", + "Access-Control-Allow-Origin", + "Access-Control-Expose-Headers", + "Access-Control-Max-Age", + "Access-Control-Request-Headers", + "Access-Control-Request-Method", + "Age", + "Allow", + "Alt-Svc", + "Alt-Used", + "Authorization", + "Cache-Control", + "Clear-Site-Data", + "Connection", + "Content-Disposition", + "Content-Encoding", + "Content-Language", + "Content-Length", + "Content-Location", + "Content-Range", + "Content-Security-Policy", + "Content-Security-Policy-Report-Only", + "Content-Type", + "Cookie", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Date", + "Device-Memory", + "Downlink", + "ECT", + "ETag", + "Expect", + "Expect-CT", + "Expires", + "Forwarded", + "From", + "Host", + "If-Match", + "If-Modified-Since", + "If-None-Match", + "If-Range", + "If-Unmodified-Since", + "Keep-Alive", + "Last-Modified", + "Link", + "Location", + "Max-Forwards", + "Origin", + "Permissions-Policy", + "Pragma", + "Proxy-Authenticate", + "Proxy-Authorization", + "RTT", + "Range", + "Referer", + "Referrer-Policy", + "Refresh", + "Retry-After", + "Sec-WebSocket-Accept", + "Sec-WebSocket-Extensions", + "Sec-WebSocket-Key", + "Sec-WebSocket-Protocol", + "Sec-WebSocket-Version", + "Server", + "Server-Timing", + "Service-Worker-Allowed", + "Service-Worker-Navigation-Preload", + "Set-Cookie", + "SourceMap", + "Strict-Transport-Security", + "Supports-Loading-Mode", + "TE", + "Timing-Allow-Origin", + "Trailer", + "Transfer-Encoding", + "Upgrade", + "Upgrade-Insecure-Requests", + "User-Agent", + "Vary", + "Via", + "WWW-Authenticate", + "X-Content-Type-Options", + "X-DNS-Prefetch-Control", + "X-Frame-Options", + "X-Permitted-Cross-Domain-Policies", + "X-Powered-By", + "X-Requested-With", + "X-XSS-Protection" + ]; + for (let i = 0; i < wellknownHeaderNames.length; ++i) { + const key = wellknownHeaderNames[i]; + const lowerCasedKey = key.toLowerCase(); + headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] = lowerCasedKey; + } + Object.setPrototypeOf(headerNameLowerCasedRecord, null); + module2.exports = { + wellknownHeaderNames, + headerNameLowerCasedRecord + }; + } +}); + // node_modules/undici/lib/core/util.js var require_util = __commonJS({ "node_modules/undici/lib/core/util.js"(exports2, module2) { @@ -1154,6 +1269,7 @@ var require_util = __commonJS({ var { Blob: Blob2 } = require("buffer"); var nodeUtil = require("util"); var { stringify: stringify2 } = require("querystring"); + var { headerNameLowerCasedRecord } = require_constants(); var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v)); function nop() { } @@ -1297,6 +1413,9 @@ var require_util = __commonJS({ const m = val.toString().match(KEEPALIVE_TIMEOUT_EXPR); return m ? parseInt(m[1], 10) * 1e3 : null; } + function headerNameToString(value) { + return headerNameLowerCasedRecord[value] || value.toLowerCase(); + } function parseHeaders(headers, obj = {}) { if (!Array.isArray(headers)) return headers; @@ -1500,6 +1619,7 @@ var require_util = __commonJS({ isIterable, isAsyncIterable, isDestroyed, + headerNameToString, parseRawHeaders, parseHeaders, parseKeepAliveTimeout, @@ -3595,7 +3715,7 @@ var require_main = __commonJS({ }); // node_modules/undici/lib/fetch/constants.js -var require_constants = __commonJS({ +var require_constants2 = __commonJS({ "node_modules/undici/lib/fetch/constants.js"(exports2, module2) { "use strict"; var { MessageChannel, receiveMessageOnPort } = require("worker_threads"); @@ -3833,15 +3953,18 @@ var require_global = __commonJS({ var require_util2 = __commonJS({ "node_modules/undici/lib/fetch/util.js"(exports2, module2) { "use strict"; - var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants(); + var { redirectStatusSet, referrerPolicySet: referrerPolicyTokens, badPortsSet } = require_constants2(); var { getGlobalOrigin } = require_global(); var { performance: performance2 } = require("perf_hooks"); var { isBlobLike, toUSVString, ReadableStreamFrom } = require_util(); var assert = require("assert"); var { isUint8Array } = require("util/types"); + var supportedHashes = []; var crypto4; try { crypto4 = require("crypto"); + const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; + supportedHashes = crypto4.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4117,45 +4240,37 @@ var require_util2 = __commonJS({ if (parsedMetadata.length === 0) { return true; } - const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo)); - const strongest = list[0].algo; - const metadata = list.filter((item) => item.algo === strongest); + const strongest = getStrongestMetadata(parsedMetadata); + const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest); for (const item of metadata) { const algorithm = item.algo; - let expectedValue = item.hash; - if (expectedValue.endsWith("==")) { - expectedValue = expectedValue.slice(0, -2); - } + const expectedValue = item.hash; let actualValue = crypto4.createHash(algorithm).update(bytes).digest("base64"); - if (actualValue.endsWith("==")) { - actualValue = actualValue.slice(0, -2); - } - if (actualValue === expectedValue) { - return true; - } - let actualBase64URL = crypto4.createHash(algorithm).update(bytes).digest("base64url"); - if (actualBase64URL.endsWith("==")) { - actualBase64URL = actualBase64URL.slice(0, -2); + if (actualValue[actualValue.length - 1] === "=") { + if (actualValue[actualValue.length - 2] === "=") { + actualValue = actualValue.slice(0, -2); + } else { + actualValue = actualValue.slice(0, -1); + } } - if (actualBase64URL === expectedValue) { + if (compareBase64Mixed(actualValue, expectedValue)) { return true; } } return false; } - var parseHashWithOptions = /((?sha256|sha384|sha512)-(?[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i; + var parseHashWithOptions = /(?sha256|sha384|sha512)-((?[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i; function parseMetadata(metadata) { const result = []; let empty = true; - const supportedHashes = crypto4.getHashes(); for (const token of metadata.split(" ")) { empty = false; const parsedToken = parseHashWithOptions.exec(token); - if (parsedToken === null || parsedToken.groups === void 0) { + if (parsedToken === null || parsedToken.groups === void 0 || parsedToken.groups.algo === void 0) { continue; } - const algorithm = parsedToken.groups.algo; - if (supportedHashes.includes(algorithm.toLowerCase())) { + const algorithm = parsedToken.groups.algo.toLowerCase(); + if (supportedHashes.includes(algorithm)) { result.push(parsedToken.groups); } } @@ -4164,6 +4279,51 @@ var require_util2 = __commonJS({ } return result; } + function getStrongestMetadata(metadataList) { + let algorithm = metadataList[0].algo; + if (algorithm[3] === "5") { + return algorithm; + } + for (let i = 1; i < metadataList.length; ++i) { + const metadata = metadataList[i]; + if (metadata.algo[3] === "5") { + algorithm = "sha512"; + break; + } else if (algorithm[3] === "3") { + continue; + } else if (metadata.algo[3] === "3") { + algorithm = "sha384"; + } + } + return algorithm; + } + function filterMetadataListByAlgorithm(metadataList, algorithm) { + if (metadataList.length === 1) { + return metadataList; + } + let pos = 0; + for (let i = 0; i < metadataList.length; ++i) { + if (metadataList[i].algo === algorithm) { + metadataList[pos++] = metadataList[i]; + } + } + metadataList.length = pos; + return metadataList; + } + function compareBase64Mixed(actualValue, expectedValue) { + if (actualValue.length !== expectedValue.length) { + return false; + } + for (let i = 0; i < actualValue.length; ++i) { + if (actualValue[i] !== expectedValue[i]) { + if (actualValue[i] === "+" && expectedValue[i] === "-" || actualValue[i] === "/" && expectedValue[i] === "_") { + continue; + } + return false; + } + } + return true; + } function tryUpgradeRequestToAPotentiallyTrustworthyURL(request) { } function sameOrigin(A, B) { @@ -4387,7 +4547,8 @@ var require_util2 = __commonJS({ urlHasHttpsScheme, urlIsHttpHttpsScheme, readAllBytes, - normalizeMethodRecord + normalizeMethodRecord, + parseMetadata }; } }); @@ -5424,7 +5585,7 @@ var require_body = __commonJS({ var { FormData } = require_formdata(); var { kState } = require_symbols2(); var { webidl } = require_webidl(); - var { DOMException: DOMException2, structuredClone } = require_constants(); + var { DOMException: DOMException2, structuredClone } = require_constants2(); var { Blob: Blob2, File: NativeFile } = require("buffer"); var { kBodyUsed } = require_symbols(); var assert = require("assert"); @@ -6520,7 +6681,7 @@ var require_utils2 = __commonJS({ }); // node_modules/undici/lib/llhttp/constants.js -var require_constants2 = __commonJS({ +var require_constants3 = __commonJS({ "node_modules/undici/lib/llhttp/constants.js"(exports2) { "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); @@ -6955,7 +7116,17 @@ var require_RedirectHandler = __commonJS({ } } function shouldRemoveHeader(header, removeContent, unknownOrigin) { - return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie"; + if (header.length === 4) { + return util.headerNameToString(header) === "host"; + } + if (removeContent && util.headerNameToString(header).startsWith("content-")) { + return true; + } + if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) { + const name = util.headerNameToString(header); + return name === "authorization" || name === "cookie" || name === "proxy-authorization"; + } + return false; } function cleanRequestHeaders(headers, removeContent, unknownOrigin) { const ret = []; @@ -7400,7 +7571,7 @@ var require_client = __commonJS({ ); resume(client); } - var constants = require_constants2(); + var constants = require_constants3(); var createRedirectInterceptor = require_redirectInterceptor(); var EMPTY_BUF = Buffer.alloc(0); async function lazyllhttp() { @@ -12104,7 +12275,7 @@ var require_response = __commonJS({ redirectStatusSet, nullBodyStatus, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kState, kHeaders, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); var { FormData } = require_formdata(); @@ -12486,7 +12657,7 @@ var require_request2 = __commonJS({ requestCredentials, requestCache, requestDuplex - } = require_constants(); + } = require_constants2(); var { kEnumerableProperty } = util; var { kHeaders, kSignal, kState, kGuard, kRealm } = require_symbols2(); var { webidl } = require_webidl(); @@ -13155,7 +13326,7 @@ var require_fetch = __commonJS({ requestBodyHeader, subresourceSet, DOMException: DOMException2 - } = require_constants(); + } = require_constants2(); var { kHeadersList } = require_symbols(); var EE = require("events"); var { Readable, pipeline } = require("stream"); @@ -13692,6 +13863,7 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); request.headersList.delete("cookie"); request.headersList.delete("host"); } @@ -14518,7 +14690,7 @@ var require_util4 = __commonJS({ } = require_symbols3(); var { ProgressEvent } = require_progressevent(); var { getEncoding } = require_encoding(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { serializeAMimeType, parseMIMEType } = require_dataURL(); var { types } = require("util"); var { StringDecoder } = require("string_decoder"); @@ -15634,7 +15806,7 @@ var require_cachestorage = __commonJS({ }); // node_modules/undici/lib/cookies/constants.js -var require_constants3 = __commonJS({ +var require_constants4 = __commonJS({ "node_modules/undici/lib/cookies/constants.js"(exports2, module2) { "use strict"; var maxAttributeValueSize = 1024; @@ -15809,7 +15981,7 @@ var require_util6 = __commonJS({ var require_parse = __commonJS({ "node_modules/undici/lib/cookies/parse.js"(exports2, module2) { "use strict"; - var { maxNameValuePairSize, maxAttributeValueSize } = require_constants3(); + var { maxNameValuePairSize, maxAttributeValueSize } = require_constants4(); var { isCTLExcludingHtab } = require_util6(); var { collectASequenceOfCodePointsFast } = require_dataURL(); var assert = require("assert"); @@ -16074,7 +16246,7 @@ var require_cookies = __commonJS({ }); // node_modules/undici/lib/websocket/constants.js -var require_constants4 = __commonJS({ +var require_constants5 = __commonJS({ "node_modules/undici/lib/websocket/constants.js"(exports2, module2) { "use strict"; var uid = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"; @@ -16382,7 +16554,7 @@ var require_util7 = __commonJS({ "node_modules/undici/lib/websocket/util.js"(exports2, module2) { "use strict"; var { kReadyState, kController, kResponse, kBinaryType, kWebSocketURL } = require_symbols5(); - var { states, opcodes } = require_constants4(); + var { states, opcodes } = require_constants5(); var { MessageEvent, ErrorEvent } = require_events(); function isEstablished(ws) { return ws[kReadyState] === states.OPEN; @@ -16472,7 +16644,7 @@ var require_connection = __commonJS({ "node_modules/undici/lib/websocket/connection.js"(exports2, module2) { "use strict"; var diagnosticsChannel = require("diagnostics_channel"); - var { uid, states } = require_constants4(); + var { uid, states } = require_constants5(); var { kReadyState, kSentClose, @@ -16619,7 +16791,7 @@ var require_connection = __commonJS({ var require_frame = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; - var { maxUnsigned16Bit } = require_constants4(); + var { maxUnsigned16Bit } = require_constants5(); var crypto4; try { crypto4 = require("crypto"); @@ -16678,7 +16850,7 @@ var require_receiver = __commonJS({ "use strict"; var { Writable } = require("stream"); var diagnosticsChannel = require("diagnostics_channel"); - var { parserStates, opcodes, states, emptyBuffer } = require_constants4(); + var { parserStates, opcodes, states, emptyBuffer } = require_constants5(); var { kReadyState, kSentClose, kResponse, kReceivedClose } = require_symbols5(); var { isValidStatusCode, failWebsocketConnection, websocketMessageReceived } = require_util7(); var { WebsocketFrameSend } = require_frame(); @@ -16913,10 +17085,10 @@ var require_websocket = __commonJS({ "node_modules/undici/lib/websocket/websocket.js"(exports2, module2) { "use strict"; var { webidl } = require_webidl(); - var { DOMException: DOMException2 } = require_constants(); + var { DOMException: DOMException2 } = require_constants2(); var { URLSerializer } = require_dataURL(); var { getGlobalOrigin } = require_global(); - var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants4(); + var { staticPropertyDescriptors, states, opcodes, emptyBuffer } = require_constants5(); var { kWebSocketURL, kReadyState, diff --git a/package-lock.json b/package-lock.json index 0467d37..893d267 100644 --- a/package-lock.json +++ b/package-lock.json @@ -6101,9 +6101,9 @@ } }, "node_modules/undici": { - "version": "5.28.2", - "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.2.tgz", - "integrity": "sha512-wh1pHJHnUeQV5Xa8/kyQhO7WFa8M34l026L5P/+2TYiakvGy5Rdc8jWZVyG7ieht/0WgJLEd3kcU5gKx+6GC8w==", + "version": "5.28.4", + "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.4.tgz", + "integrity": "sha512-72RFADWFqKmUb2hmmvNODKL3p9hcB6Gt2DOQMis1SEBaV6a4MH8soBvzg+95CYhCKPFedut2JY9bMfrDl9D23g==", "dependencies": { "@fastify/busboy": "^2.0.0" },