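async (event, steps) => {
  // CSP reports are posted by browsers, so the request body is untrusted and
  // may be absent, unparsed, or malformed. Exit early instead of throwing a
  // TypeError on `undefined["csp-report"]`; the later steps read
  // event.body["csp-report"] without any guard of their own.
  if (!event.body || !event.body["csp-report"]) {
    $end("No CSP report present in body")
  }
}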
Enter the name of the table (e.g., my_table_name) to load the payload data into. Pipedream's SQL service automatically creates the table and adapts the schema to your data.
Enter a reference to the data (for example, event.body or steps.step_name.return_value) you'd like to insert into the table. Pipedream’s SQL service automatically converts the data to JSON and maps the table schema to its keys.
async params => {
  // Insert the configured payload into the configured SQL table. Per the step's
  // param descriptions, Pipedream's SQL service creates the table and adapts
  // its schema to the JSON keys of the payload.
  const { table, payload } = params
  $send.sql({ table, payload })
}
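async (event, steps) => {
  // The first step exits the workflow when no report is present, so this read
  // relies on that step running before this one.
  const cspReport = event.body["csp-report"]
  const effectiveDirective = cspReport["effective-directive"]
  const violatedDirective = cspReport["violated-directive"]
  const blockedURI = cspReport["blocked-uri"]

  // Directives whose violations should not be forwarded to Slack.
  // Matching is exact. Adapt this to a set of (directive, URI pattern) pairs
  // if you need to ignore a more specific set of violations.
  // Example: ["object-src", "font-src", "style-src-elem"]
  const ignoreDirectives = []

  // Blocked URIs whose violations should not be forwarded to Slack.
  // Matching is exact; extend this if you need pattern matching.
  // Example: ["chrome-extension"]
  const ignoreURIs = []

  // Array.prototype.includes replaces the lodash.includes dependency: the
  // semantics for array membership are the same, and the async/await used in
  // this workflow already requires a runtime that supports it.
  if (ignoreDirectives.includes(effectiveDirective) || ignoreDirectives.includes(violatedDirective)) {
    $end(`${effectiveDirective || violatedDirective} is on our list of ignored directives. Exiting.`)
  }
  if (ignoreURIs.includes(blockedURI)) {
    $end(`${blockedURI} is on our list of ignored blocked URIs. Exiting.`)
  }
}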
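async (event, steps, params, auths) => {
  // Format the CSP violation as a Slack message and post it to the configured channel.
  const { WebClient } = require('@slack/web-api')
  const useragent = require('useragent')

  const { channel } = params
  const cspReport = event.body['csp-report']

  // Every field of a CSP report is supplied by the reporting client, and
  // chat.postMessage interprets `text` as Slack markup. Apply Slack's documented
  // escaping for message text (`&`, `<`, `>`) so report values are displayed
  // literally instead of being rendered as links or special mentions.
  const escapeSlackText = (value) =>
    String(value).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')

  // Headline shows the document's hostname when document-uri is a full URL.
  // Some document-uris are not full URLs (or have no host), so fall back to the
  // raw value rather than printing "on undefined" as the previous
  // report_url.hostname did for non-URL strings.
  const documentUri = cspReport['document-uri']
  let site = documentUri
  try {
    site = new URL(documentUri).hostname || documentUri
  } catch (err) {
    // Not a parseable URL; keep the raw value
  }

  // Retrieve browser + version, since that can be
  // relevant for researching CSP violations
  const headers = event.headers || {}
  const ua = useragent.parse(headers['user-agent'])
  const browserString = `${ua.family} ${ua.major}.${ua.minor} on ${ua.os.family}`

  // Send a subset of the CSP violation fields to Slack
  const cspSlackPayload = {
    'document-uri': documentUri,
    browser: browserString,
    referrer: cspReport.referrer,
    'effective-directive': cspReport['effective-directive'],
    'violated-directive': cspReport['violated-directive'],
    'blocked-uri': cspReport['blocked-uri'],
    'source-file': cspReport['source-file'],
    'script-sample': cspReport['script-sample'],
  }

  const headline = `New CSP violation on ${escapeSlackText(site)} — ${escapeSlackText(cspReport['blocked-uri'])} violated directive ${escapeSlackText(cspReport['violated-directive'])}`
  const details = escapeSlackText(JSON.stringify(cspSlackPayload, null, 2))
  const text = `${headline}\n\`\`\`${details}\`\`\``

  const web = new WebClient(auths.slack.oauth_access_token)
  await web.chat.postMessage({
    channel,
    text,
  })
}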