@elliemae/pui-cli 8.41.2 → 8.41.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/cjs/server/csp.js +0 -6
  2. package/dist/cjs/webpack/interceptor-middleware.js +127 -0
  3. package/dist/cjs/webpack/webpack.dev.babel.js +1 -1
  4. package/dist/esm/server/csp.js +0 -6
  5. package/dist/esm/webpack/interceptor-middleware.js +107 -0
  6. package/dist/esm/webpack/webpack.dev.babel.js +1 -1
  7. package/dist/types/lib/webpack/interceptor-middleware.d.ts +10 -0
  8. package/dist/types/tsconfig.tsbuildinfo +1 -1
  9. package/package.json +1 -1
package/dist/cjs/server/csp.js CHANGED
@@ -69,11 +69,6 @@ const getScriptSrc = () => {
69
69
  const scriptSrc = [source, "'strict-dynamic'"];
70
70
  return true ? scriptSrc.concat(["'unsafe-eval'"]) : scriptSrc;
71
71
  };
72
- const getStyleSrc = () => {
73
- const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
74
- const scriptSrc = [source, "'strict-dynamic'"];
75
- return true ? scriptSrc.concat(["'unsafe-inline'"]) : scriptSrc;
76
- };
77
72
  const csp = (app) => {
78
73
  app.use((req, res, next) => {
79
74
  res.locals.cspNonce = import_crypto.default.randomBytes(32).toString("base64");
@@ -89,7 +84,6 @@ const csp = (app) => {
89
84
  frameAncestors: sources,
90
85
  objectSrc: ["'none'"],
91
86
  scriptSrc: getScriptSrc(),
92
- styleSrc: getStyleSrc(),
93
87
  upgradeInsecureRequests: [],
94
88
  reportTo: CSP_REPORT_URI
95
89
  },
package/dist/cjs/webpack/interceptor-middleware.js ADDED
@@ -0,0 +1,127 @@
1
+ "use strict";
2
+ var __defProp = Object.defineProperty;
3
+ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
4
+ var __getOwnPropNames = Object.getOwnPropertyNames;
5
+ var __hasOwnProp = Object.prototype.hasOwnProperty;
6
+ var __export = (target, all) => {
7
+ for (var name in all)
8
+ __defProp(target, name, { get: all[name], enumerable: true });
9
+ };
10
+ var __copyProps = (to, from, except, desc) => {
11
+ if (from && typeof from === "object" || typeof from === "function") {
12
+ for (let key of __getOwnPropNames(from))
13
+ if (!__hasOwnProp.call(to, key) && key !== except)
14
+ __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
15
+ }
16
+ return to;
17
+ };
18
+ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
19
+ var interceptor_middleware_exports = {};
20
+ __export(interceptor_middleware_exports, {
21
+ addCSPNonceMiddleware: () => addCSPNonceMiddleware,
22
+ interceptorMiddleware: () => interceptorMiddleware
23
+ });
24
+ module.exports = __toCommonJS(interceptor_middleware_exports);
25
+ const VALID_PARAMS = ["isInterceptable", "intercept", "afterSend"];
26
+ const validateParams = (methods) => {
27
+ Object.keys(methods).forEach((k) => {
28
+ if (VALID_PARAMS.indexOf(k) < 0) {
29
+ throw new Error(`${k} isn't a valid param (${VALID_PARAMS.join(", ")})`);
30
+ }
31
+ });
32
+ if (!("isInterceptable" in methods)) {
33
+ throw new Error("isInterceptable is a required param (function)");
34
+ }
35
+ };
36
+ const interceptorMiddleware = (fn) => (req, res, next) => {
37
+ const methods = fn(req, res);
38
+ validateParams(methods);
39
+ const originalEnd = res.end;
40
+ const originalWrite = res.write;
41
+ const chunks = [];
42
+ let isIntercepting;
43
+ let isFirstWrite = true;
44
+ function intercept(rawChunk, encoding) {
45
+ if (isFirstWrite) {
46
+ isFirstWrite = false;
47
+ isIntercepting = methods.isInterceptable();
48
+ }
49
+ if (isIntercepting) {
50
+ if (rawChunk) {
51
+ let tempChunk = rawChunk;
52
+ if (rawChunk !== null && !Buffer.isBuffer(tempChunk)) {
53
+ if (!encoding) {
54
+ tempChunk = Buffer.from(rawChunk);
55
+ } else {
56
+ tempChunk = Buffer.from(
57
+ rawChunk,
58
+ encoding
59
+ );
60
+ }
61
+ }
62
+ chunks.push(tempChunk);
63
+ }
64
+ }
65
+ return isIntercepting;
66
+ }
67
+ const newResWrite = (...args) => {
68
+ if (!intercept(args[0], args[1])) {
69
+ return originalWrite.apply(res, args);
70
+ }
71
+ return true;
72
+ };
73
+ res.write = newResWrite;
74
+ const afterSend = (oldBody, newBody) => {
75
+ if (typeof methods.afterSend === "function") {
76
+ process.nextTick(() => {
77
+ methods.afterSend?.(oldBody, newBody);
78
+ });
79
+ }
80
+ };
81
+ const newResEnd = (...args) => {
82
+ if (intercept(args[0], args[1])) {
83
+ isIntercepting = false;
84
+ const oldBody = Buffer.concat(args[0]).toString(
85
+ "utf-8"
86
+ );
87
+ if (methods.intercept) {
88
+ if (typeof methods.intercept !== "function") {
89
+ throw new Error(
90
+ "`send` must be a function with the body to be sent as the only param"
91
+ );
92
+ }
93
+ res.removeHeader("Content-Length");
94
+ methods.intercept(oldBody, (newBody) => {
95
+ args[0] = newBody;
96
+ originalEnd.apply(res, args);
97
+ afterSend(oldBody, newBody);
98
+ });
99
+ } else {
100
+ afterSend(oldBody, oldBody);
101
+ originalEnd.apply(res, args);
102
+ }
103
+ } else {
104
+ originalEnd.apply(res, args);
105
+ }
106
+ };
107
+ res.end = newResEnd;
108
+ next();
109
+ };
110
+ const addCSPNonceMiddleware = (middlewares) => {
111
+ const index = middlewares.findIndex(
112
+ (middleware) => middleware.name === "webpack-dev-middleware"
113
+ );
114
+ middlewares.splice(index, 0, {
115
+ name: "csp-nonce-middleware",
116
+ middleware: interceptorMiddleware((req, res) => ({
117
+ // Only HTML responses will be intercepted
118
+ isInterceptable() {
119
+ return /text\/html/.test(res.get("Content-Type") ?? "");
120
+ },
121
+ // Appends a paragraph at the end of the response body
122
+ intercept(body, send) {
123
+ send(body.replace(/__CSP_NONCE__/g, res.locals.cspNonce));
124
+ }
125
+ }))
126
+ });
127
+ };
package/dist/cjs/webpack/webpack.dev.babel.js CHANGED
@@ -100,7 +100,7 @@ const devConfig = {
100
100
  // Add development plugins
101
101
  plugins: [
102
102
  new import_html_webpack_plugin.default({
103
- inject: !(0, import_helpers.isAppLoaderEnabled)(),
103
+ inject: !(0, import_helpers.isAppLoaderEnabled)() && process.env.CSP !== "true",
104
104
  // Inject all files that are generated by webpack, e.g. bundle.js
105
105
  template: !(0, import_helpers.isAppLoaderEnabled)() ? "app/index.html" : "app/index-app-loader.html",
106
106
  emui: {
package/dist/esm/server/csp.js CHANGED
@@ -35,11 +35,6 @@ const getScriptSrc = () => {
35
35
  const scriptSrc = [source, "'strict-dynamic'"];
36
36
  return true ? scriptSrc.concat(["'unsafe-eval'"]) : scriptSrc;
37
37
  };
38
- const getStyleSrc = () => {
39
- const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
40
- const scriptSrc = [source, "'strict-dynamic'"];
41
- return true ? scriptSrc.concat(["'unsafe-inline'"]) : scriptSrc;
42
- };
43
38
  const csp = (app) => {
44
39
  app.use((req, res, next) => {
45
40
  res.locals.cspNonce = crypto.randomBytes(32).toString("base64");
@@ -55,7 +50,6 @@ const csp = (app) => {
55
50
  frameAncestors: sources,
56
51
  objectSrc: ["'none'"],
57
52
  scriptSrc: getScriptSrc(),
58
- styleSrc: getStyleSrc(),
59
53
  upgradeInsecureRequests: [],
60
54
  reportTo: CSP_REPORT_URI
61
55
  },
package/dist/esm/webpack/interceptor-middleware.js ADDED
@@ -0,0 +1,107 @@
1
+ const VALID_PARAMS = ["isInterceptable", "intercept", "afterSend"];
2
+ const validateParams = (methods) => {
3
+ Object.keys(methods).forEach((k) => {
4
+ if (VALID_PARAMS.indexOf(k) < 0) {
5
+ throw new Error(`${k} isn't a valid param (${VALID_PARAMS.join(", ")})`);
6
+ }
7
+ });
8
+ if (!("isInterceptable" in methods)) {
9
+ throw new Error("isInterceptable is a required param (function)");
10
+ }
11
+ };
12
+ const interceptorMiddleware = (fn) => (req, res, next) => {
13
+ const methods = fn(req, res);
14
+ validateParams(methods);
15
+ const originalEnd = res.end;
16
+ const originalWrite = res.write;
17
+ const chunks = [];
18
+ let isIntercepting;
19
+ let isFirstWrite = true;
20
+ function intercept(rawChunk, encoding) {
21
+ if (isFirstWrite) {
22
+ isFirstWrite = false;
23
+ isIntercepting = methods.isInterceptable();
24
+ }
25
+ if (isIntercepting) {
26
+ if (rawChunk) {
27
+ let tempChunk = rawChunk;
28
+ if (rawChunk !== null && !Buffer.isBuffer(tempChunk)) {
29
+ if (!encoding) {
30
+ tempChunk = Buffer.from(rawChunk);
31
+ } else {
32
+ tempChunk = Buffer.from(
33
+ rawChunk,
34
+ encoding
35
+ );
36
+ }
37
+ }
38
+ chunks.push(tempChunk);
39
+ }
40
+ }
41
+ return isIntercepting;
42
+ }
43
+ const newResWrite = (...args) => {
44
+ if (!intercept(args[0], args[1])) {
45
+ return originalWrite.apply(res, args);
46
+ }
47
+ return true;
48
+ };
49
+ res.write = newResWrite;
50
+ const afterSend = (oldBody, newBody) => {
51
+ if (typeof methods.afterSend === "function") {
52
+ process.nextTick(() => {
53
+ methods.afterSend?.(oldBody, newBody);
54
+ });
55
+ }
56
+ };
57
+ const newResEnd = (...args) => {
58
+ if (intercept(args[0], args[1])) {
59
+ isIntercepting = false;
60
+ const oldBody = Buffer.concat(args[0]).toString(
61
+ "utf-8"
62
+ );
63
+ if (methods.intercept) {
64
+ if (typeof methods.intercept !== "function") {
65
+ throw new Error(
66
+ "`send` must be a function with the body to be sent as the only param"
67
+ );
68
+ }
69
+ res.removeHeader("Content-Length");
70
+ methods.intercept(oldBody, (newBody) => {
71
+ args[0] = newBody;
72
+ originalEnd.apply(res, args);
73
+ afterSend(oldBody, newBody);
74
+ });
75
+ } else {
76
+ afterSend(oldBody, oldBody);
77
+ originalEnd.apply(res, args);
78
+ }
79
+ } else {
80
+ originalEnd.apply(res, args);
81
+ }
82
+ };
83
+ res.end = newResEnd;
84
+ next();
85
+ };
86
+ const addCSPNonceMiddleware = (middlewares) => {
87
+ const index = middlewares.findIndex(
88
+ (middleware) => middleware.name === "webpack-dev-middleware"
89
+ );
90
+ middlewares.splice(index, 0, {
91
+ name: "csp-nonce-middleware",
92
+ middleware: interceptorMiddleware((req, res) => ({
93
+ // Only HTML responses will be intercepted
94
+ isInterceptable() {
95
+ return /text\/html/.test(res.get("Content-Type") ?? "");
96
+ },
97
+ // Appends a paragraph at the end of the response body
98
+ intercept(body, send) {
99
+ send(body.replace(/__CSP_NONCE__/g, res.locals.cspNonce));
100
+ }
101
+ }))
102
+ });
103
+ };
104
+ export {
105
+ addCSPNonceMiddleware,
106
+ interceptorMiddleware
107
+ };
package/dist/esm/webpack/webpack.dev.babel.js CHANGED
@@ -70,7 +70,7 @@ const devConfig = {
70
70
  // Add development plugins
71
71
  plugins: [
72
72
  new HtmlWebpackPlugin({
73
- inject: !isAppLoaderEnabled(),
73
+ inject: !isAppLoaderEnabled() && process.env.CSP !== "true",
74
74
  // Inject all files that are generated by webpack, e.g. bundle.js
75
75
  template: !isAppLoaderEnabled() ? "app/index.html" : "app/index-app-loader.html",
76
76
  emui: {
package/dist/types/lib/webpack/interceptor-middleware.d.ts ADDED
@@ -0,0 +1,10 @@
1
+ import { Request, Response } from 'express';
2
+ import { Middleware } from 'webpack-dev-server';
3
+ type ReplacerFunction = (req: Request, res: Response) => {
4
+ isInterceptable: () => boolean;
5
+ intercept: (body: string, send: (body: string) => void) => void;
6
+ afterSend?: (oldBody: string, newBody: string) => void;
7
+ };
8
+ export declare const interceptorMiddleware: (fn: ReplacerFunction) => (req: Request, res: Response, next: () => void) => void;
9
+ export declare const addCSPNonceMiddleware: (middlewares: Middleware[]) => void;
10
+ export {};