@angular-helpers/security 21.6.2 → 22.1.0

package/fesm2022/angular-helpers-security.mjs

@@ -4,6 +4,7 @@ import { injectPlatform, injectWorkerPool } from '@angular-helpers/core';
 import { isPlatformBrowser, DOCUMENT } from '@angular/common';
 import { Observable, Subject, fromEvent, merge } from 'rxjs';
 import { throttleTime } from 'rxjs/operators';
+import { Meta } from '@angular/platform-browser';
 
 /**
  * Builder pattern to construct safe regular expressions
@@ -974,7 +975,9 @@ class InputSanitizerService {
     }
     /**
      * Parses and sanitizes an HTML string, keeping only allowed tags and attributes.
-     * Script execution is prevented — parsing is done via DOMParser, not innerHTML assignment.
+     * Leverages the native browser Sanitizer API (e.g. Element.prototype.setHTML) if available
+     * for high-performance execution, falling back to a custom DOMParser implementation on
+     * unsupported environments (such as older browsers or SSR).
      *
      * @throws {Error} When called in a non-browser environment.
      */
@@ -982,6 +985,43 @@ class InputSanitizerService {
         if (!this.isSupported()) {
             throw new Error('sanitizeHtml requires a browser environment (DOMParser unavailable)');
         }
+        // 1. Try native Element.prototype.setHTML (modern standard in Firefox 148+, etc.)
+        if (typeof Element !== 'undefined' && 'setHTML' in Element.prototype) {
+            try {
+                const tempDiv = document.createElement('div');
+                const config = {
+                    allowElements: this.allowedTags,
+                    allowAttributes: this.allowedAttributes,
+                };
+                try {
+                    tempDiv.setHTML(input, { sanitizer: config });
+                }
+                catch {
+                    tempDiv.setHTML(input);
+                }
+                return tempDiv.innerHTML;
+            }
+            catch {
+                // Fallback on error
+            }
+        }
+        // 2. Try older Sanitizer API spec draft (implemented in some Chrome versions)
+        if (typeof window.Sanitizer !== 'undefined') {
+            try {
+                const tempDiv = document.createElement('div');
+                const config = {
+                    allowElements: this.allowedTags,
+                    allowAttributes: this.allowedAttributes,
+                };
+                const sanitizer = new window.Sanitizer(config);
+                tempDiv.innerHTML = sanitizer.sanitizeToString(input);
+                return tempDiv.innerHTML;
+            }
+            catch {
+                // Fallback on error
+            }
+        }
+        // 3. Fallback to DOMParser-based allowlist sanitizer
         return sanitizeHtmlString(input, {
             allowedTags: this.allowedTags,
             allowedAttributes: this.allowedAttributes,
@@ -2064,8 +2104,277 @@ function provideSecureMessage() {
     return makeEnvironmentProviders([WebCryptoService, SecureMessageService]);
 }
 
+/**
+ * Serializes a CspDirectives object into a standard CSP policy string.
+ */
+function serializeCsp(directives) {
+    const parts = [];
+    for (const [key, val] of Object.entries(directives)) {
+        if (val === undefined || val === null) {
+            continue;
+        }
+        if (typeof val === 'boolean') {
+            if (val) {
+                parts.push(key);
+            }
+        }
+        else if (Array.isArray(val)) {
+            if (val.length > 0) {
+                parts.push(`${key} ${val.join(' ')}`);
+            }
+            else {
+                parts.push(key);
+            }
+        }
+        else if (typeof val === 'string') {
+            parts.push(`${key} ${val}`);
+        }
+    }
+    return parts.join('; ');
+}
+/**
+ * Parses a CSP policy string into a CspDirectives object.
+ */
+function parseCsp(policy) {
+    const directives = {};
+    const tokens = policy
+        .split(';')
+        .map((t) => t.trim())
+        .filter(Boolean);
+    for (const token of tokens) {
+        const spaceIndex = token.indexOf(' ');
+        if (spaceIndex === -1) {
+            const key = token;
+            if (key === 'upgrade-insecure-requests' || key === 'block-all-mixed-content') {
+                directives[key] = true;
+            }
+            else {
+                directives[key] = [];
+            }
+        }
+        else {
+            const key = token.substring(0, spaceIndex);
+            const val = token
+                .substring(spaceIndex + 1)
+                .split(/\s+/)
+                .filter(Boolean);
+            directives[key] = val;
+        }
+    }
+    return directives;
+}
+/**
+ * Fluent builder for creating Content Security Policy (CSP) directives.
+ */
+class CspPolicyBuilder {
+    directives = {};
+    defaultSrc(values) {
+        this.directives['default-src'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    scriptSrc(values) {
+        this.directives['script-src'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    styleSrc(values) {
+        this.directives['style-src'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    imgSrc(values) {
+        this.directives['img-src'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    connectSrc(values) {
+        this.directives['connect-src'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    fontSrc(values) {
+        this.directives['font-src'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    frameSrc(values) {
+        this.directives['frame-src'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    objectSrc(values) {
+        this.directives['object-src'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    mediaSrc(values) {
+        this.directives['media-src'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    childSrc(values) {
+        this.directives['child-src'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    workerSrc(values) {
+        this.directives['worker-src'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    manifestSrc(values) {
+        this.directives['manifest-src'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    baseUri(values) {
+        this.directives['base-uri'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    formAction(values) {
+        this.directives['form-action'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    frameAncestors(values) {
+        this.directives['frame-ancestors'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    reportUri(values) {
+        this.directives['report-uri'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    reportTo(values) {
+        this.directives['report-to'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    sandbox(values) {
+        this.directives['sandbox'] = Array.isArray(values) ? values : [values];
+        return this;
+    }
+    upgradeInsecureRequests(value = true) {
+        this.directives['upgrade-insecure-requests'] = value;
+        return this;
+    }
+    blockAllMixedContent(value = true) {
+        this.directives['block-all-mixed-content'] = value;
+        return this;
+    }
+    set(directive, values) {
+        if (typeof values === 'boolean') {
+            this.directives[directive] = values;
+        }
+        else {
+            this.directives[directive] = Array.isArray(values) ? values : [values];
+        }
+        return this;
+    }
+    build() {
+        return { ...this.directives };
+    }
+    toString() {
+        return serializeCsp(this.directives);
+    }
+}
+/**
+ * Service for dynamically applying and auditing Content Security Policies (CSP).
+ */
+class CspService {
+    meta = inject(Meta);
+    /**
+     * Applies the CSP policy dynamically by adding or updating a <meta http-equiv="Content-Security-Policy"> tag.
+     */
+    applyPolicy(policy) {
+        const content = typeof policy === 'string' ? policy : serializeCsp(policy);
+        this.meta.updateTag({
+            'http-equiv': 'Content-Security-Policy',
+            content,
+        });
+    }
+    /**
+     * Performs static analysis on a CSP policy and reports potential vulnerabilities or errors.
+     */
+    auditPolicy(policy) {
+        const directives = typeof policy === 'string' ? parseCsp(policy) : policy;
+        const issues = [];
+        // 1. Missing default-src
+        const defaultSrc = directives['default-src'];
+        if (!defaultSrc || defaultSrc.length === 0) {
+            issues.push({
+                severity: 'error',
+                directive: 'default-src',
+                message: "CSP policy is missing 'default-src' directive. It is recommended to set 'default-src \\'none\\'' and selectively override.",
+            });
+        }
+        // 2. Wildcards in sensitive directives
+        const sensitiveDirectives = [
+            'default-src',
+            'script-src',
+            'style-src',
+            'connect-src',
+            'img-src',
+            'font-src',
+            'object-src',
+            'frame-src',
+        ];
+        for (const dir of sensitiveDirectives) {
+            const val = directives[dir];
+            if (Array.isArray(val) && val.includes('*')) {
+                if (['default-src', 'script-src', 'connect-src'].includes(dir)) {
+                    issues.push({
+                        severity: 'error',
+                        directive: dir,
+                        message: `Directive '${dir}' contains the wildcard '*'. This allows loading or executing resources from any external origin.`,
+                    });
+                }
+                else {
+                    issues.push({
+                        severity: 'warning',
+                        directive: dir,
+                        message: `Directive '${dir}' contains the wildcard '*'. Consider restricting this to trusted origins.`,
+                    });
+                }
+            }
+        }
+        // 3. 'unsafe-inline' without safety fallback (nonces or hashes or strict-dynamic)
+        const inlineSensitiveDirectives = ['default-src', 'script-src', 'style-src'];
+        for (const dir of inlineSensitiveDirectives) {
+            const val = directives[dir];
+            if (Array.isArray(val) && val.includes("'unsafe-inline'")) {
+                const hasNonce = val.some((v) => v.startsWith("'nonce-"));
+                const hasHash = val.some((v) => v.startsWith("'sha256-") || v.startsWith("'sha384-") || v.startsWith("'sha512-"));
+                const hasStrictDynamic = dir === 'script-src' && val.includes("'strict-dynamic'");
+                if (!hasNonce && !hasHash && !hasStrictDynamic) {
+                    issues.push({
+                        severity: 'error',
+                        directive: dir,
+                        message: `Directive '${dir}' allows 'unsafe-inline' without nonces, hashes, or 'strict-dynamic'. This renders your application vulnerable to Cross-Site Scripting (XSS).`,
+                    });
+                }
+            }
+        }
+        // 4. Directives not supported in meta tags
+        const unsupportedMetaDirectives = ['frame-ancestors', 'sandbox', 'report-uri', 'report-to'];
+        for (const dir of unsupportedMetaDirectives) {
+            if (directives[dir] !== undefined) {
+                issues.push({
+                    severity: 'warning',
+                    directive: dir,
+                    message: `Directive '${dir}' is defined in the policy, but it is not supported or ignored when delivered via HTML <meta> tags.`,
+                });
+            }
+        }
+        // 5. Always add the general dynamic meta warning/info
+        issues.push({
+            severity: 'info',
+            message: 'Policies applied dynamically via <meta http-equiv="Content-Security-Policy"> only affect resources loaded after the tag is inserted.',
+        });
+        const isValid = !issues.some((issue) => issue.severity === 'error');
+        return {
+            isValid,
+            issues,
+        };
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "22.0.0", ngImport: i0, type: CspService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "22.0.0", ngImport: i0, type: CspService, providedIn: 'root' });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "22.0.0", ngImport: i0, type: CspService, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root',
+                }]
+        }] });
+
 /**
  * Generated bundle index. Do not edit.
  */
 
-export { CSRF_CONFIG, ClipboardUnsupportedError, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexAnalyzerService, RegexSecurityBuilder, RegexSecurityService, RegexWorkerPoolService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureMessageService, SecureStorageService, SensitiveClipboardService, SessionIdleService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureMessage, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideSessionIdle, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, withCsrfHeader };
+export { CSRF_CONFIG, ClipboardUnsupportedError, CspPolicyBuilder, CspService, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexAnalyzerService, RegexSecurityBuilder, RegexSecurityService, RegexWorkerPoolService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureMessageService, SecureStorageService, SensitiveClipboardService, SessionIdleService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, parseCsp, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureMessage, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideSessionIdle, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, serializeCsp, withCsrfHeader };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@angular-helpers/security",
-  "version": "21.6.2",
+  "version": "22.1.0",
   "description": "Angular security helpers for preventing ReDoS and other security vulnerabilities",
   "keywords": [
     "angular",

package/types/angular-helpers-security.d.ts

@@ -276,7 +276,9 @@ declare class InputSanitizerService {
     isSupported(): boolean;
     /**
      * Parses and sanitizes an HTML string, keeping only allowed tags and attributes.
-     * Script execution is prevented — parsing is done via DOMParser, not innerHTML assignment.
+     * Leverages the native browser Sanitizer API (e.g. Element.prototype.setHTML) if available
+     * for high-performance execution, falling back to a custom DOMParser implementation on
+     * unsupported environments (such as older browsers or SSR).
      *
      * @throws {Error} When called in a non-browser environment.
      */
@@ -876,5 +878,91 @@ declare class RegexWorkerPoolService implements OnDestroy {
     static ɵprov: i0.ɵɵInjectableDeclaration<RegexWorkerPoolService>;
 }
 
-export { CSRF_CONFIG, ClipboardUnsupportedError, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexAnalyzerService, RegexSecurityBuilder, RegexSecurityService, RegexWorkerPoolService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureMessageService, SecureStorageService, SensitiveClipboardService, SessionIdleService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureMessage, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideSessionIdle, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, withCsrfHeader };
-export type { AesEncryptResult, AesKeyLength, CopyStatus, CsrfConfig, CsrfHeaderOptions, CsrfStorageTarget, HashAlgorithm, HibpConfig, HibpResult, HmacAlgorithm, HtmlSanitizerOptions, HttpMethod, JwtStandardClaims, PasswordAssessment, PasswordLabel, PasswordScore, PasswordStrengthResult, RateLimitPolicy, RateLimiterConfig, RegexBuilderOptions, RegexSecurityConfig, RegexSecurityResult, RegexTestResult, SanitizerConfig, SecureMessage, SecureMessageConfig, SecureStorageConfig, SecurityConfig, SensitiveCopyOptions, SessionIdleConfig, StorageTarget };
+interface CspDirectives {
+    'default-src'?: string[];
+    'script-src'?: string[];
+    'style-src'?: string[];
+    'img-src'?: string[];
+    'connect-src'?: string[];
+    'font-src'?: string[];
+    'frame-src'?: string[];
+    'object-src'?: string[];
+    'media-src'?: string[];
+    'child-src'?: string[];
+    'worker-src'?: string[];
+    'manifest-src'?: string[];
+    'base-uri'?: string[];
+    'form-action'?: string[];
+    'frame-ancestors'?: string[];
+    'report-uri'?: string[];
+    'report-to'?: string[];
+    sandbox?: string[];
+    'upgrade-insecure-requests'?: boolean | string[];
+    'block-all-mixed-content'?: boolean | string[];
+    [key: string]: string[] | boolean | undefined;
+}
+interface CspAuditIssue {
+    severity: 'error' | 'warning' | 'info';
+    directive?: string;
+    message: string;
+}
+interface CspAuditReport {
+    isValid: boolean;
+    issues: CspAuditIssue[];
+}
+/**
+ * Serializes a CspDirectives object into a standard CSP policy string.
+ */
+declare function serializeCsp(directives: CspDirectives): string;
+/**
+ * Parses a CSP policy string into a CspDirectives object.
+ */
+declare function parseCsp(policy: string): CspDirectives;
+/**
+ * Fluent builder for creating Content Security Policy (CSP) directives.
+ */
+declare class CspPolicyBuilder {
+    private directives;
+    defaultSrc(values: string[] | string): this;
+    scriptSrc(values: string[] | string): this;
+    styleSrc(values: string[] | string): this;
+    imgSrc(values: string[] | string): this;
+    connectSrc(values: string[] | string): this;
+    fontSrc(values: string[] | string): this;
+    frameSrc(values: string[] | string): this;
+    objectSrc(values: string[] | string): this;
+    mediaSrc(values: string[] | string): this;
+    childSrc(values: string[] | string): this;
+    workerSrc(values: string[] | string): this;
+    manifestSrc(values: string[] | string): this;
+    baseUri(values: string[] | string): this;
+    formAction(values: string[] | string): this;
+    frameAncestors(values: string[] | string): this;
+    reportUri(values: string[] | string): this;
+    reportTo(values: string[] | string): this;
+    sandbox(values: string[] | string): this;
+    upgradeInsecureRequests(value?: boolean): this;
+    blockAllMixedContent(value?: boolean): this;
+    set(directive: string, values: string[] | string | boolean): this;
+    build(): CspDirectives;
+    toString(): string;
+}
+/**
+ * Service for dynamically applying and auditing Content Security Policies (CSP).
+ */
+declare class CspService {
+    private readonly meta;
+    /**
+     * Applies the CSP policy dynamically by adding or updating a <meta http-equiv="Content-Security-Policy"> tag.
+     */
+    applyPolicy(policy: string | CspDirectives): void;
+    /**
+     * Performs static analysis on a CSP policy and reports potential vulnerabilities or errors.
+     */
+    auditPolicy(policy: string | CspDirectives): CspAuditReport;
+    static ɵfac: i0.ɵɵFactoryDeclaration<CspService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<CspService>;
+}
+
+export { CSRF_CONFIG, ClipboardUnsupportedError, CspPolicyBuilder, CspService, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexAnalyzerService, RegexSecurityBuilder, RegexSecurityService, RegexWorkerPoolService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureMessageService, SecureStorageService, SensitiveClipboardService, SessionIdleService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, parseCsp, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureMessage, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideSessionIdle, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, serializeCsp, withCsrfHeader };
+export type { AesEncryptResult, AesKeyLength, CopyStatus, CspAuditIssue, CspAuditReport, CspDirectives, CsrfConfig, CsrfHeaderOptions, CsrfStorageTarget, HashAlgorithm, HibpConfig, HibpResult, HmacAlgorithm, HtmlSanitizerOptions, HttpMethod, JwtStandardClaims, PasswordAssessment, PasswordLabel, PasswordScore, PasswordStrengthResult, RateLimitPolicy, RateLimiterConfig, RegexBuilderOptions, RegexSecurityConfig, RegexSecurityResult, RegexTestResult, SanitizerConfig, SecureMessage, SecureMessageConfig, SecureStorageConfig, SecurityConfig, SensitiveCopyOptions, SessionIdleConfig, StorageTarget };