Add allowedDomains check for RemoteAsset theme checker

Enhances developer experience by validating the remote assets (scripts, stylesheets) are loaded not only from Shopify CDNs but now approved domains. This prevents potential performance risks and incorrect errors from loading resources from untrusted sources, forcing developers to go and enable a source if it's _required_ The implementation includes: - Schema property for configuring allowedDomains - Domain validation against configured allow list - Test coverage for both allowed and non-allowed domains
Shopify · Jan 16, 2025 · 861e8c6 · 861e8c6
1 parent 4a429e1
commit 861e8c6
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 3 deletions.
diff --git a/.changeset/grumpy-countries-jog.md b/.changeset/grumpy-countries-jog.md
@@ -0,0 +1,5 @@
+---
+'@shopify/theme-check-common': minor
+---
+
+Updated RemoteAsset to take an array of allowed domains
diff --git a/packages/theme-check-common/src/checks/remote-asset/index.spec.ts b/packages/theme-check-common/src/checks/remote-asset/index.spec.ts
@@ -1,5 +1,5 @@
 import { describe, it, expect } from 'vitest';
-import { runLiquidCheck, highlightedOffenses } from '../../test';
+import { runLiquidCheck, highlightedOffenses, check, MockTheme } from '../../test';
 import { RemoteAsset } from './index';
 
 describe('Module: RemoteAsset', () => {
@@ -209,4 +209,57 @@ describe('Module: RemoteAsset', () => {
     const highlights = highlightedOffenses({ 'file.liquid': sourceCode }, offenses);
     expect(highlights).to.be.empty;
   });
+
+  it('should report an offense if url is not listed in allowedDomains', async () => {
+    const themeFiles: MockTheme = {
+      'layout/theme.liquid': `
+        <script src="https://domain.com" defer></script>
+      `,
+    };
+
+    const offenses = await check(
+      themeFiles,
+      [RemoteAsset],
+      {},
+      {
+        RemoteAsset: {
+          enabled: true,
+          allowedDomains: [
+            'someotherdomain.com',
+          ],
+        },
+      },
+    );
+
+    expect(offenses).to.have.length(1);
+  });
+
+  it('should not report an offense if url is listed in allowedDomains', async () => {
+    const themeFiles: MockTheme = {
+      'layout/theme.liquid': `
+        <script src="https://domain.com" defer></script>
+      `,
+    };
+
+    const offenses = await check(
+      themeFiles,
+      [RemoteAsset],
+      {},
+      {
+        RemoteAsset: {
+          enabled: true,
+          allowedDomains: [
+            'domain.com',
+            'https://domain.com',
+            'http://domain.com',
+            'https://www.domain.com',
+            'www.domain.com',
+          ],
+        },
+      },
+    );
+
+    expect(offenses).to.be.empty;
+  });
+
 });
diff --git a/packages/theme-check-common/src/checks/remote-asset/index.ts b/packages/theme-check-common/src/checks/remote-asset/index.ts
@@ -12,6 +12,7 @@ import {
   SourceCodeType,
   LiquidCheckDefinition,
   LiquidHtmlNode,
+  SchemaProp,
 } from '../../types';
 import { isAttr, isValuedHtmlAttribute, isNodeOfType, ValuedHtmlAttribute } from '../utils';
 import { last } from '../../utils';
@@ -96,7 +97,11 @@ function valueIsShopifyHosted(attr: ValuedHtmlAttribute): boolean {
   });
 }
 
-export const RemoteAsset: LiquidCheckDefinition = {
+const schema = {
+  allowedDomains: SchemaProp.array(SchemaProp.string()),
+};
+
+export const RemoteAsset: LiquidCheckDefinition<typeof schema> = {
   meta: {
     code: 'RemoteAsset',
     aliases: ['AssetUrlFilters'],
@@ -108,11 +113,18 @@ export const RemoteAsset: LiquidCheckDefinition = {
     },
     type: SourceCodeType.LiquidHtml,
     severity: Severity.WARNING,
-    schema: {},
+    schema,
     targets: [],
   },
 
   create(context) {
+    /* Push the allowed list of domains to our allowed domains */
+    if (context.settings.allowedDomains) {
+      for (const domain of context.settings.allowedDomains) {
+        SHOPIFY_CDN_DOMAINS.push(domain);
+      }
+    }
+
     function checkHtmlNode(node: HtmlVoidElement | HtmlRawNode) {
       if (!RESOURCE_TAGS.includes(node.name)) return;
 
@@ -168,6 +180,10 @@ export const RemoteAsset: LiquidCheckDefinition = {
 
       const urlNode = parentNode.expression;
       if (urlNode.type === NodeTypes.String && !isUrlHostedbyShopify(urlNode.value)) {
+        if (context.settings.allowedDomains && Array.isArray(context.settings.allowedDomains)) {
+          // const url = new URL(urlNode.value);
+        }
+
         context.report({
           message: 'Asset should be served by the Shopify CDN for better performance.',
           startIndex: urlNode.position.start,