
Commit 7eb5ff2

committed
feat: warn about non-HTTPS remote resource references
This commit introduces a new check `RSC-031` (warning) that is reported when a reference to a remote resource (font, audio, video) is not using HTTPS. Fix #1337
1 parent f3e5f67 commit 7eb5ff2


30 files changed

+123
-50
lines changed


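--- a/src/main/java/com/adobe/epubcheck/messages/DefaultSeverities.java
+++ b/src/main/java/com/adobe/epubcheck/messages/DefaultSeverities.java
@@ -347,6 +347,7 @@ private void initialize()
 severities.put(MessageId.RSC_028, Severity.ERROR);
 severities.put(MessageId.RSC_029, Severity.ERROR);
 severities.put(MessageId.RSC_030, Severity.ERROR);
+severities.put(MessageId.RSC_031, Severity.WARNING);
 
 // Scripting
 severities.put(MessageId.SCP_001, Severity.SUPPRESSED); // checking scripts is out of scope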

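--- a/src/main/java/com/adobe/epubcheck/messages/MessageId.java
+++ b/src/main/java/com/adobe/epubcheck/messages/MessageId.java
@@ -341,6 +341,7 @@ public enum MessageId implements Comparable<MessageId>
 RSC_028("RSC-028"),
 RSC_029("RSC-029"),
 RSC_030("RSC-030"),
+RSC_031("RSC-031"),
 
 // Messages relating to scripting
 SCP_001("SCP-001"),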

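--- a/src/main/java/com/adobe/epubcheck/opf/XRefChecker.java
+++ b/src/main/java/com/adobe/epubcheck/opf/XRefChecker.java
@@ -286,7 +286,7 @@ public Optional<OPFItem> getResource(URL url)
 * Returns set (possibly multiple) types of references to the given resource
 *
 * @param path
-* the path to a publication resource
+* the path to a publication resource
 * @return an immutable {@link EnumSet} containing the types of references to
 * {@code path}.
 */
@@ -428,24 +428,38 @@ private void checkReference(URLReference reference)
 URLFragment fragment = URLFragment.parse(reference.url, targetMimetype);
 
 // Check remote resources
-if (container.isRemote(reference.url)
-// remote links and hyperlinks are not Publication Resources
-&& !EnumSet.of(Type.LINK, Type.HYPERLINK).contains(reference.type)
-// spine items are checked in OPFChecker30
-&& !(version == EPUBVersion.VERSION_3 && targetResource != null
-&& targetResource.isInSpine())
-// audio, video, and fonts can be remote resources in EPUB 3
-&& !(version == EPUBVersion.VERSION_3 && (targetResource != null
-// if the item is declared, check its mime type
-&& (OPFChecker30.isAudioType(targetResource.getMimeType())
-|| OPFChecker30.isVideoType(targetResource.getMimeType())
-|| OPFChecker30.isFontType(targetResource.getMimeType()))
-// else, check if the reference is a type allowing remote resources
-|| reference.type == Type.FONT || reference.type == Type.AUDIO
-|| reference.type == Type.VIDEO)))
+if (container.isRemote(reference.url))
 {
-report.message(MessageId.RSC_006, reference.location.context(reference.targetDoc.toString()));
-return;
+// Check if the remote reference is allowed
+if (// remote links and hyperlinks are not Publication Resources
+!EnumSet.of(Type.LINK, Type.HYPERLINK).contains(reference.type)
+// spine items are checked in OPFChecker30
+&& !(version == EPUBVersion.VERSION_3 && targetResource != null
+&& targetResource.isInSpine())
+// audio, video, and fonts can be remote resources in EPUB 3
+&& !(version == EPUBVersion.VERSION_3 && (targetResource != null
+// if the item is declared, check its mime type
+&& (OPFChecker30.isAudioType(targetResource.getMimeType())
+|| OPFChecker30.isVideoType(targetResource.getMimeType())
+|| OPFChecker30.isFontType(targetResource.getMimeType()))
+// else, check if the reference is a type allowing remote
+// resources
+|| reference.type == Type.FONT || reference.type == Type.AUDIO
+|| reference.type == Type.VIDEO)))
+{
+report.message(MessageId.RSC_006,
+reference.location.context(reference.targetDoc.toString()));
+return;
+}
+// Check if the remote resource is using HTTPS
+else if (version == EPUBVersion.VERSION_3
+&& !EnumSet.of(Type.LINK, Type.HYPERLINK).contains(reference.type)
+&& !"https".equals(reference.url.scheme())
+// file URLs are disallowed and reported elsewhere
+&& !"file".equals(reference.url.scheme()))
+{
+report.message(MessageId.RSC_031, reference.location, reference.url);
+}
 }
 
 // Check undeclared resources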
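Review bot: The new RSC-031 branch (new lines 455–459) rebuilds the `EnumSet.of(Type.LINK, Type.HYPERLINK)` that new line 435 already constructed, and both sets are allocated on every call of checkReference; hoisting the pair into a `private static final Set<Type> LINK_TYPES = EnumSet.of(Type.LINK, Type.HYPERLINK);` field (outside this hunk) and testing `!LINK_TYPES.contains(reference.type)` in both places removes the duplication. The `version == EPUBVersion.VERSION_3` test on new line 455 appears redundant, because for any other version the preceding branch has already reported RSC_006 and returned for every non-link remote reference; if it is kept as a deliberate guard, a short comment saying so would help the next reader. The `"https".equals(reference.url.scheme())` comparison is only exact if `scheme()` returns a normalized lowercase value — worth confirming against the URL class used here, since a scheme written as `HTTPS` would otherwise be flagged. A why-comment on the new check, such as `// remote resources fetched over plain HTTP can be intercepted or altered in transit`, would tie the warning to the risk it addresses. checkReference continues past the end of this hunk.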

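--- a/src/main/resources/com/adobe/epubcheck/messages/MessageBundle.properties
+++ b/src/main/resources/com/adobe/epubcheck/messages/MessageBundle.properties
@@ -356,6 +356,7 @@ RSC_027=XML document is encoded in UTF-16. It should be encoded in UTF-8 instead
 RSC_028=XML documents must be encoded in UTF-8, but %1%s was detected.
 RSC_029=Data URL is not allowed in this context.
 RSC_030=File URLs are not allowed in EPUB, but found "%1$s".
+RSC_031=Remote resource references should use HTTPS, but found "%1$s".
 
 #Scripting
 SCP_001=Use of Javascript eval() function in EPUB scripts is a security risk.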

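--- a/src/test/resources/epub3/03-resources/files/resources-remote-audio-sources-foreign-valid/EPUB/content_001.xhtml
+++ b/src/test/resources/epub3/03-resources/files/resources-remote-audio-sources-foreign-valid/EPUB/content_001.xhtml
@@ -7,8 +7,8 @@
 <body>
 <!-- remote audio sources, one in a foreign type -->
 <audio>
-<source src="http://example.org/remote.foo" />
-<source src="http://example.org/remote.mp4" />
+<source src="https://example.org/remote.foo" />
+<source src="https://example.org/remote.mp4" />
 </audio>
 </body>
 </html>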

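--- a/src/test/resources/epub3/03-resources/files/resources-remote-audio-sources-foreign-valid/EPUB/package.opf
+++ b/src/test/resources/epub3/03-resources/files/resources-remote-audio-sources-foreign-valid/EPUB/package.opf
@@ -9,8 +9,8 @@
 <manifest>
 <item id="content_001" href="content_001.xhtml" media-type="application/xhtml+xml" properties="remote-resources"/>
 <item id="nav" href="nav.xhtml" media-type="application/xhtml+xml" properties="nav"/>
-<item id="audio" href="http://example.org/remote.foo" media-type="audio/foo"/>
-<item id="audio-fallback" href="http://example.org/remote.mp4" media-type="audio/mp4" /></manifest>
+<item id="audio" href="https://example.org/remote.foo" media-type="audio/foo"/>
+<item id="audio-fallback" href="https://example.org/remote.mp4" media-type="audio/mp4" /></manifest>
 <spine>
 <itemref idref="content_001" />
 </spine>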

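--- a/src/test/resources/epub3/03-resources/files/resources-remote-audio-sources-valid/EPUB/content_001.xhtml
+++ b/src/test/resources/epub3/03-resources/files/resources-remote-audio-sources-valid/EPUB/content_001.xhtml
@@ -6,8 +6,8 @@
 </head>
 <body>
 <audio controls="controls">
-<source src="http://example.com/audio/src-1.mp4" type="audio/mp4"/>
-<source src="http://example.com/audio/src-2.mp4" type="audio/mp4"/>
+<source src="https://example.com/audio/src-1.mp4" type="audio/mp4"/>
+<source src="https://example.com/audio/src-2.mp4" type="audio/mp4"/>
 </audio>
 </body>
 </html>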

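--- a/src/test/resources/epub3/03-resources/files/resources-remote-audio-sources-valid/EPUB/package.opf
+++ b/src/test/resources/epub3/03-resources/files/resources-remote-audio-sources-valid/EPUB/package.opf
@@ -9,8 +9,8 @@
 <manifest>
 <item id="content_001" href="content_001.xhtml" media-type="application/xhtml+xml" properties="remote-resources"/>
 <item id="nav" href="nav.xhtml" media-type="application/xhtml+xml" properties="nav"/>
-<item id="audio1" href="http://example.com/audio/src-1.mp4" media-type="audio/mp4" />
-<item id="audio2" href="http://example.com/audio/src-2.mp4" media-type="audio/mp4" />
+<item id="audio1" href="https://example.com/audio/src-1.mp4" media-type="audio/mp4" />
+<item id="audio2" href="https://example.com/audio/src-2.mp4" media-type="audio/mp4" />
 </manifest>
 <spine>
 <itemref idref="content_001" />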

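--- a/src/test/resources/epub3/03-resources/files/resources-remote-audio-valid/EPUB/content_001.xhtml
+++ b/src/test/resources/epub3/03-resources/files/resources-remote-audio-valid/EPUB/content_001.xhtml
@@ -5,11 +5,9 @@
 <title>Minimal EPUB</title>
 </head>
 <body>
-<!-- remote http URL -->
-<audio src="http://example.org/remote.mp4" />
 <!-- remote https URL -->
 <audio src="https://example.org/remote.mp4" />
 <!-- remote URL with query -->
-<audio src="http://example.org/remote.mp4?test" />
+<audio src="https://example.org/remote.mp4?test" />
 </body>
 </html>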

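--- a/src/test/resources/epub3/03-resources/files/resources-remote-audio-valid/EPUB/package.opf
+++ b/src/test/resources/epub3/03-resources/files/resources-remote-audio-valid/EPUB/package.opf
@@ -9,9 +9,8 @@
 <manifest>
 <item id="content_001" href="content_001.xhtml" media-type="application/xhtml+xml" properties="remote-resources"/>
 <item id="nav" href="nav.xhtml" media-type="application/xhtml+xml" properties="nav"/>
-<item id="audio-1" href="http://example.org/remote.mp4" media-type="audio/mp4" />
-<item id="audio-2" href="https://example.org/remote.mp4" media-type="audio/mp4" />
-<item id="audio-3" href="http://example.org/remote.mp4?test" media-type="audio/mp4" />
+<item id="audio-1" href="https://example.org/remote.mp4" media-type="audio/mp4" />
+<item id="audio-2" href="https://example.org/remote.mp4?test" media-type="audio/mp4" />
 </manifest>
 <spine>
 <itemref idref="content_001" />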
