#!/usr/bin/env node
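const url = require('url');
const argv = require('optimist')
  .usage('Usage: $0')
  .describe('test', 'Enables testing mode')
  .describe('example', 'Writes example config to given file instead of reading it and exits')
  .argv;

if (argv.example) {
  // `--example path.json` writes the example config to that path, matching
  // the usage text; a bare `--example` (optimist yields `true`) keeps the
  // previous default file name. dropExample's return value is not needed.
  const examplePath = typeof argv.example === 'string' ? argv.example : 'example.json';
  require('./lib/config').dropExample(examplePath);
  // NOTE(review): if dropExample writes asynchronously, exiting here could
  // truncate the file — confirm against lib/config.
  process.exit(0);
}

const config = require('./lib/config').loadFromEnv();
const server = require('./lib/server').init(config);

if (argv.test) {
  console.log('Testing page enabled');
  require('./lib/test')(server);
}

const store = require('./lib/store').init(config);

// Rollbar is opt-in: it is only wired up when an access token is present in
// the environment. `rollbar` is declared at module scope because
// reportToRollbar (defined later in this file) reads it.
const isRollbarEnabled = process.env.ROLLBAR_ACCESS_TOKEN !== undefined;
let rollbar;
if (isRollbarEnabled) {
  const Rollbar = require('rollbar');
  rollbar = new Rollbar({
    accessToken: process.env.ROLLBAR_ACCESS_TOKEN,
    captureUncaught: true,
    captureUnhandledRejections: true,
  });
}

// Every incoming report is persisted; only the ones that pass the noise
// filter are additionally forwarded to Rollbar.
server.listen(config.port, (reportObject, req) => {
  store.save(reportObject);
  if (isRollbarEnabled && shouldReportToRollbar(reportObject)) {
    console.log('Sent to Rollbar.');
    reportToRollbar(reportObject, req);
  }
});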
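/**
 * Noise filter for CSP reports that are about to be forwarded to Rollbar.
 *
 * Every report is written to the database by the caller regardless; this
 * only decides whether it is also worth an alert. All fields consulted here
 * are client-supplied, so this is a noise filter, not a trust boundary.
 *
 * Filtered out (returns false):
 *  - blocked-uri "chrome-extension" or "about": resources injected by browser
 *    extensions, which our CSP deliberately disallows.
 *  - the Firefox container signature: an inline script-src violation at
 *    line 1, column 1 reported by a Firefox user agent.
 *
 * @param {{data: object}} reportObject - parsed report as handed to server.listen's callback
 * @returns {boolean} true when the report should be sent to Rollbar
 */
function shouldReportToRollbar(reportObject) {
  const data = reportObject.data;
  const blockedURI = data.blockedURI;

  // See https://stackoverflow.com/questions/32336860/why-would-i-get-a-csp-violation-for-the-blocked-uri-about#35559407
  if (blockedURI === 'chrome-extension' || blockedURI === 'about') return false;

  // The report body comes straight from the browser: a missing or
  // non-string userAgent must not crash the request handler, it simply
  // cannot match the Firefox signature below.
  const userAgent = typeof data.userAgent === 'string' ? data.userAgent : '';
  const looksLikeFirefox =
    userAgent.includes('Mozilla/5.0') &&
    userAgent.includes('Gecko') &&
    userAgent.includes('Firefox');
  const isMaybeFirefoxContainer =
    looksLikeFirefox &&
    data.violatedDirective === 'script-src' &&
    blockedURI === 'inline' &&
    data.lineNumber === 1 &&
    data.columnNumber === 1;

  return !isMaybeFirefoxContainer;
}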
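/**
 * Forward one CSP report to Rollbar as a warning.
 *
 * The message is keyed by the reporting page's host so Rollbar groups
 * violations per site. documentURI is client-supplied, so it is parsed with
 * the WHATWG URL parser instead of the legacy url.parse(); a missing or
 * unparseable value yields a null host rather than an exception inside the
 * request handler.
 *
 * Reads the module-level `rollbar` instance, which only exists when
 * ROLLBAR_ACCESS_TOKEN is set — the caller checks isRollbarEnabled first.
 *
 * @param {{data: object}} reportObject - parsed CSP report
 * @param {object} req - incoming request; unused here, kept for the caller's signature
 */
function reportToRollbar(reportObject, req) {
  const data = reportObject.data;
  const reportingDomain = reportingHostOf(data.documentURI);
  rollbar.warning(`CSP violation from ${reportingDomain}`, {
    reportingDomain,
    deploymentKey: 'csp-logger',
    districtKey: 'csp-logger',
    violatedDirective: data.violatedDirective,
    blockedURI: data.blockedURI,
    documentURI: data.documentURI,
    scriptSample: data.scriptSample,
    userAgent: data.userAgent,
  });
}

// Host (including any port) of a URL string, or null when the value is not
// an absolute URL or has no host (e.g. blob:/data:/about: URIs), mirroring
// what url.parse().host used to return for those inputs.
function reportingHostOf(value) {
  try {
    const host = new URL(value).host;
    return host === '' ? null : host;
  } catch (err) {
    return null;
  }
}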