ACP2E-3854: Bundled/Merged JS not part of SRI Hashes

aplapana · aplapana · commit 4bf6e1c1b03f · 2025-05-06T16:02:39.000+03:00
diff --git a/app/code/Magento/Csp/Plugin/GenerateBundleAssetIntegrity.php b/app/code/Magento/Csp/Plugin/GenerateBundleAssetIntegrity.php
@@ -0,0 +1,101 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Plugin;
+
+use Magento\Csp\Model\SubresourceIntegrity\HashGenerator;
+use Magento\Csp\Model\SubresourceIntegrityCollector;
+use Magento\Csp\Model\SubresourceIntegrityFactory;
+use Magento\Deploy\Service\Bundle;
+use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\App\Utility\Files;
+use Magento\Framework\Exception\FileSystemException;
+use Magento\Framework\Filesystem;
+
+class GenerateBundleAssetIntegrity
+{
+    /**
+     * @var HashGenerator
+     */
+    private HashGenerator $hashGenerator;
+
+    /**
+     * @var SubresourceIntegrityFactory
+     */
+    private SubresourceIntegrityFactory $integrityFactory;
+
+    /**
+     * @var SubresourceIntegrityCollector
+     */
+    private SubresourceIntegrityCollector $integrityCollector;
+
+    /**
+     * @var Filesystem
+     */
+    private Filesystem $filesystem;
+
+    /**
+     * @var Files
+     */
+    private Files $utilityFiles;
+
+    /**
+     * @param HashGenerator $hashGenerator
+     * @param SubresourceIntegrityFactory $integrityFactory
+     * @param SubresourceIntegrityCollector $integrityCollector
+     * @param Filesystem $filesystem
+     * @param Files $utilityFiles
+     */
+    public function __construct(
+        HashGenerator $hashGenerator,
+        SubresourceIntegrityFactory $integrityFactory,
+        SubresourceIntegrityCollector $integrityCollector,
+        Filesystem $filesystem,
+        Files $utilityFiles
+    ) {
+        $this->hashGenerator = $hashGenerator;
+        $this->integrityFactory = $integrityFactory;
+        $this->integrityCollector = $integrityCollector;
+        $this->filesystem = $filesystem;
+        $this->utilityFiles = $utilityFiles;
+    }
+
+    /**
+     * @param Bundle $subject
+     * @param string|null $result
+     * @param string $area
+     * @param string $theme
+     * @param string $locale
+     * @return void
+     * @throws FileSystemException
+     */
+    public function afterDeploy(Bundle $subject, ?string $result, string $area, string $theme, string $locale)
+    {
+        if (PHP_SAPI == 'cli') {
+            $pubStaticDir = $this->filesystem->getDirectoryWrite(DirectoryList::STATIC_VIEW);
+            $bundleDir = $pubStaticDir->getAbsolutePath($area . '/' . $theme . '/' . $locale) .
+                "/". Bundle::BUNDLE_JS_DIR;
+            $files = $this->utilityFiles->getFiles([$bundleDir], '*.js');
+
+            foreach ($files as $file) {
+                $integrity = $this->integrityFactory->create(
+                    [
+                        "data" => [
+                            'hash' => $this->hashGenerator->generate(
+                                file_get_contents($file)
+                            ),
+                            'path' => $area . '/' . $theme . '/' . $locale .
+                                "/" . Bundle::BUNDLE_JS_DIR . '/' . basename($file)
+                        ]
+                    ]
+                );
+
+                $this->integrityCollector->collect($integrity);
+            }
+        }
+    }
+}
diff --git a/app/code/Magento/Csp/Plugin/GenerateMergedAssetIntegrity.php b/app/code/Magento/Csp/Plugin/GenerateMergedAssetIntegrity.php
@@ -0,0 +1,88 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Csp\Plugin;
+
+use Magento\Csp\Model\SubresourceIntegrityRepositoryPool;
+use Magento\Csp\Model\SubresourceIntegrityRepository;
+use Magento\Csp\Model\SubresourceIntegrity\HashGenerator;
+use Magento\Csp\Model\SubresourceIntegrityFactory;
+use Magento\Framework\App\Area;
+use Magento\Framework\App\Filesystem\DirectoryList;
+use Magento\Framework\Filesystem;
+use Magento\Framework\View\Asset\LocalInterface;
+use Magento\Framework\View\Asset\MergeStrategy\FileExists;
+
+class GenerateMergedAssetIntegrity
+{
+    /**
+     * @var SubresourceIntegrityRepository
+     */
+    private SubresourceIntegrityRepository $sourceIntegrityRepository;
+
+    /**
+     * @var HashGenerator
+     */
+    private HashGenerator $hashGenerator;
+
+    /**
+     * @var SubresourceIntegrityFactory
+     */
+    private SubresourceIntegrityFactory $integrityFactory;
+
+    /**
+     * @var Filesystem
+     */
+    private Filesystem $filesystem;
+
+    /**
+     * @param SubresourceIntegrityRepositoryPool $sourceIntegrityRepositoryPool
+     * @param HashGenerator $hashGenerator
+     * @param SubresourceIntegrityFactory $integrityFactory
+     * @param Filesystem $filesystem
+     */
+    public function __construct(
+        SubresourceIntegrityRepositoryPool $sourceIntegrityRepositoryPool,
+        HashGenerator                      $hashGenerator,
+        SubresourceIntegrityFactory        $integrityFactory,
+        Filesystem                         $filesystem
+    ) {
+        $this->sourceIntegrityRepository = $sourceIntegrityRepositoryPool->get(Area::AREA_FRONTEND);
+        $this->hashGenerator = $hashGenerator;
+        $this->integrityFactory = $integrityFactory;
+        $this->filesystem = $filesystem;
+    }
+
+    /**
+     * @param FileExists $subject
+     * @param string|null $result
+     * @param array $assetsToMerge
+     * @param LocalInterface $resultAsset
+     * @return string|null
+     * @throws \Magento\Framework\Exception\FileSystemException
+     */
+    public function afterMerge(FileExists $subject, ?string $result, array $assetsToMerge, LocalInterface $resultAsset)
+    {
+        if ($resultAsset->getContentType() !== 'js') {
+            return $result;
+        }
+        $pubStaticDir = $this->filesystem->getDirectoryWrite(DirectoryList::STATIC_VIEW);
+        $absolutePath = $pubStaticDir->getAbsolutePath() . $resultAsset->getRelativeSourceFilePath();
+        $integrity = $this->integrityFactory->create(
+            [
+                "data" => [
+                    'hash' => $this->hashGenerator->generate(file_get_contents($absolutePath)),
+                    'path' => $resultAsset->getRelativeSourceFilePath()
+                ]
+            ]
+        );
+
+        $this->sourceIntegrityRepository->save($integrity);
+
+        return $result;
+    }
+}
diff --git a/app/code/Magento/Csp/etc/di.xml b/app/code/Magento/Csp/etc/di.xml
@@ -128,6 +128,12 @@
     <type name="Magento\RequireJs\Model\FileManager">
         <plugin name="addResourceIntegrityAfterAssetCreate" type="Magento\Csp\Plugin\GenerateAssetIntegrity"/>
     </type>
+    <type name="Magento\Deploy\Service\Bundle">
+        <plugin name="addResourceIntegrityAfterBundleDeploy" type="Magento\Csp\Plugin\GenerateBundleAssetIntegrity" />
+    </type>
+    <type name="Magento\Framework\View\Asset\MergeStrategy\FileExists">
+        <plugin name="addResourceIntegrityAfterMergeFile" type="Magento\Csp\Plugin\GenerateMergedAssetIntegrity" />
+    </type>
     <preference for="Magento\Deploy\Package\Processor\PostProcessor\Map" type="Magento\Csp\Model\Deploy\Package\Processor\PostProcessor\Map" />
     <type name="Magento\Csp\Model\Deploy\Package\Processor\PostProcessor\Map">
         <arguments>
