Don't fail in CSPGlobalCheck if CSP is invalid

doyensec · Jul 3, 2020 · ed1f2c6 · ed1f2c6
1 parent 321a061
commit ed1f2c6
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/src/finder/checks/GlobalChecks/CSPGlobalCheck.js b/src/finder/checks/GlobalChecks/CSPGlobalCheck.js
@@ -1,5 +1,6 @@
 import * as attributes from '../../attributes';
 import * as csp from '@doyensec/csp-evaluator';
+import logger from 'winston';
 
 export default class CSPGlobalCheck {
 
@@ -23,9 +24,16 @@ export default class CSPGlobalCheck {
       // There is a CSP set
       var confidence = 0; 
       for (var cspIssue of cspIssues) {
-        var parser = new csp.CspParser(cspIssue.properties.CSPstring);
-        var evaluator = new csp.CspEvaluator(parser.csp, csp.Version.CSP3);
-        var findings = evaluator.evaluate();
+        var findings;
+        try {
+          var parser = new csp.CspParser(cspIssue.properties.CSPstring);
+          var evaluator = new csp.CspEvaluator(parser.csp, csp.Version.CSP3);
+          findings = evaluator.evaluate();
+        }
+        catch (e) {
+          logger.warn(`Parsing the CSP '${cspIssue.properties.CSPstring}' failed: ${e.message}`);
+          continue;
+        }
         for (var finding of findings)
           if (finding.severity === csp.severities.HIGH || finding.severity === csp.severities.MEDIUM)
             confidence = 2;