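#!/bin/bash
# Validates that every inline <script> in the built index.html has a matching
# CSP hash configured in staticwebapp.config.json.
#
# Flow:
#   1. Extract each inline script body from $indexFile with awk and compute its
#      SHA-256, base64-encoded and prefixed with "sha256-" (CSP hash-source form).
#   2. Collect every "sha256-..." token present in $configFile.
#   3. Exit 1 if any extracted hash is absent from the config, 0 otherwise.
#
# NOTE(review): script bodies are consumed one line at a time by `read`, which
# also trims leading/trailing whitespace, so a multi-line or whitespace-padded
# inline script is not hashed over the exact bytes a browser would hash. This
# matches the original behaviour; confirm the build emits single-line, unpadded
# inline scripts before relying on this check.
set -eu -o pipefail

indexFile="build/index.html"
configFile="static/staticwebapp.config.json"

# Scratch files come from mktemp (no predictable names in the working directory)
# and are removed on every exit path, including an early exit under `set -e`.
expectedHashes=$(mktemp)
generatedHashes=$(mktemp)
cleanup() { rm -f -- "$expectedHashes" "$generatedHashes"; }
trap cleanup EXIT

echo "Extracting and hashing inline scripts from $indexFile"

# awk: one record per "...</script>"; field 2 is everything after "<script ...>".
# Records without an opening tag (e.g. the tail of the file) have NF==1 and are skipped.
awk 'BEGIN { RS="</script>"; FS="<script[^>]*>" }
  NF>1 { print $2 }' "$indexFile" |
  while read -r scriptContent; do
    [[ -n "$scriptContent" ]] || continue
    # printf emits no trailing newline, so the digest covers exactly the line
    # content (the original `echo | tr -d '\n'` achieved the same result).
    printf '%s' "$scriptContent" \
      | openssl dgst -sha256 -binary \
      | openssl base64 \
      | sed 's/^/sha256-/' >> "$generatedHashes"
  done

echo "Extracted Hashes:"
cat "$generatedHashes"
# A validator that finds nothing to validate passes trivially; make that visible.
if [[ ! -s "$generatedHashes" ]]; then
  printf 'warning: no inline scripts were extracted from %s; nothing to validate\n' "$indexFile" >&2
fi

echo "Reading configured hashes from $configFile"
# CSP hash token: "sha256-" followed by base64 of 32 bytes (43 chars plus "=" padding).
# grep exits 1 when the config holds no hashes; that is a legitimate (empty) result,
# so only status 1 is tolerated — any other failure (e.g. missing file) still aborts.
{ grep -oE "sha256-[A-Za-z0-9+/=]{43,45}" "$configFile" || [[ $? -eq 1 ]]; } \
  | sort -u > "$expectedHashes"
cat "$expectedHashes"

echo "Validating..."
fail=0
while read -r actualHash; do
  # -F: match the hash literally rather than as a regex pattern;
  # -x: match the whole line, so only an identical token counts as a hit.
  if grep -Fxq -- "$actualHash" "$expectedHashes"; then
    echo "Hash matched: $actualHash"
  else
    echo "Missing hash in config: $actualHash" >&2
    fail=1
  fi
done < "$generatedHashes"

if (( fail != 0 )); then
  echo "Inline script hashes do not match configured values. Override the hashes in $configFile with the extracted hashes." >&2
  exit 1
fi
echo "All inline script hashes are valid."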