@forge/csp 0.0.0-experimental-d18f8dd

package/CHANGELOG.md

@@ -0,0 +1,247 @@
+# @forge/csp
+
+## 0.0.0-experimental-d18f8dd
+
+### Patch Changes
+
+- d18f8dd: Force bump
+
+## 1.7.1
+
+### Patch Changes
+
+- 4b41a80: Added egress messaging to install prompts
+
+## 1.7.1-next.0
+
+### Patch Changes
+
+- 4b41a80: Added egress messaging to install prompts
+
+## 1.7.0
+
+### Minor Changes
+
+- ef00257: Add \*.jira.com to allowed host site list
+
+### Patch Changes
+
+- d7a1fe3: Update dependencies to remove any transitive dependencies on request
+
+## 1.7.0-next.1
+
+### Patch Changes
+
+- d7a1fe3: Update dependencies to remove any transitive dependencies on request
+
+## 1.7.0-next.0
+
+### Minor Changes
+
+- ef00257: Add \*.jira.com to allowed host site list
+
+## 1.6.0
+
+### Minor Changes
+
+- 8714f5a: Add support for fonts and frames as part of Egress Permissions for Custom UI apps
+
+### Patch Changes
+
+- f8ae8a2: Add support for Bitbucket origin in Custom UI
+
+## 1.6.0-next.1
+
+### Patch Changes
+
+- f8ae8a2: Add support for Bitbucket origin in Custom UI
+
+## 1.6.0-next.0
+
+### Minor Changes
+
+- 8714f5a: Add support for fonts and frames as part of Egress Permissions for Custom UI apps
+
+## 1.5.0
+
+### Minor Changes
+
+- 638194f: Fix logic to detect missing fetch egress permission
+
+## 1.5.0-next.0
+
+### Minor Changes
+
+- 638194f: Fix logic to detect missing fetch egress permission
+
+## 1.4.0
+
+### Minor Changes
+
+- 05f608f: Added external fetch linting
+
+### Patch Changes
+
+- bd9194a: Added error protection to egress filtering for URLs with no protocol
+
+## 1.4.0-next.1
+
+### Patch Changes
+
+- bd9194a: Added error protection to egress filtering for URLs with no protocol
+
+## 1.4.0-next.0
+
+### Minor Changes
+
+- 05f608f: Added external fetch linting
+
+## 1.3.0
+
+### Minor Changes
+
+- 9ec2911: Allow style-src as part of Egress Permissions for Custom UI apps
+
+### Patch Changes
+
+- 2ddcdb2: Update frame-ancestors for dev
+- 2b3c55d: Fix to restrict frame ancestors of Custom UI apps
+
+## 1.3.0-next.2
+
+### Patch Changes
+
+- 2ddcdb2: Update frame-ancestors for dev
+
+## 1.3.0-next.1
+
+### Minor Changes
+
+- 9ec2911: Allow style-src as part of Egress Permissions for Custom UI apps
+
+## 1.2.1-next.0
+
+### Patch Changes
+
+- 2b3c55d: Fix to restrict frame ancestors of Custom UI apps
+
+## 1.2.0
+
+### Minor Changes
+
+- 6c482ef: Add `allow-downloads allow-modals` to sandbox
+
+## 1.2.0-next.0
+
+### Minor Changes
+
+- 6c482ef: Add `allow-downloads allow-modals` to sandbox
+
+## 1.1.0
+
+### Minor Changes
+
+- f478087: Added logic handle external egress permissions
+- c3ee9e7: Convert permissions.external to CSP options for Custom UI
+
+### Patch Changes
+
+- 74a0279: Allowlist images from Atlassian API inside Custom UI apps
+- f8bb329: Adding on user defined CSP from the manifest
+
+## 1.1.0-next.3
+
+### Minor Changes
+
+- c3ee9e7: Convert permissions.external to CSP options for Custom UI
+
+## 1.1.0-next.2
+
+### Minor Changes
+
+- f478087: Added logic handle external egress permissions
+
+## 1.0.2-next.1
+
+### Patch Changes
+
+- f8bb329: Adding on user defined CSP from the manifest
+
+## 1.0.2-next.0
+
+### Patch Changes
+
+- 8ad9442: Allowlist images from Atlassian API inside Custom UI apps
+
+## 1.0.1
+
+### Patch Changes
+
+- 4ef25ff: change occurrences of Csp to CSP for consistency
+
+## 1.0.1-next.0
+
+### Patch Changes
+
+- 4ef25ff: change occurrences of Csp to CSP for consistency
+
+## 1.0.0
+
+### Major Changes
+
+- 1daf2c5: Forge packages to 1.0.0 for upcoming platform GA 🎉
+
+### Patch Changes
+
+- ca7a9e1: Add local tunnel Custom UI CSP reported server
+
+## 1.0.0-next.1
+
+### Major Changes
+
+- 1daf2c5: Forge is now generally available 🎉
+
+## 0.1.2-next.0
+
+### Patch Changes
+
+- 1b3bfe1: Add local tunnel Custom UI CSP reported server
+
+## 0.1.1
+
+### Patch Changes
+
+- 69064a4: Add secure.gravatar.com to img-src
+
+## 0.1.1-next.0
+
+### Patch Changes
+
+- 69064a4: Add secure.gravatar.com to img-src
+
+## 0.1.0
+
+### Minor Changes
+
+- 41dcd69: Moved CSP logic to its own package and bridge script to cli-shared
+
+### Patch Changes
+
+- a7f8517: Move cli-shared out of the main deps of the CDN
+
+## 0.1.0-next.1
+
+### Patch Changes
+
+- a7f8517: Move cli-shared out of the main deps of the CDN
+
+## 0.1.0-next.0
+
+### Minor Changes
+
+- 41dcd69: Moved CSP logic to its own package and bridge script to cli-shared
+
+### Patch Changes
+
+- Updated dependencies [41dcd69]
+  - @forge/cli-shared@0.13.0-next.5

package/out/csp/csp-injection-service.d.ts

@@ -0,0 +1,10 @@
+import type { LambdaEnvironment } from '@forge/cli-shared';
+import { CSPDetails } from '../types';
+export declare class CSPInjectionService {
+    private getCSPReportUri;
+    private getForgeGlobalCSP;
+    private getExistingCSPDetails;
+    private getFrameAncestors;
+    getInjectableCSP: (existingCSPDetails: CSPDetails, env: LambdaEnvironment, tunnelCSPReporterUri?: string | undefined) => string[];
+}
+//# sourceMappingURL=csp-injection-service.d.ts.map

package/out/csp/csp-injection-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp-injection-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-injection-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,UAAU,EAAmB,MAAM,UAAU,CAAC;AAUvD,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;IAIzB,OAAO,CAAC,qBAAqB;IAI7B,OAAO,CAAC,iBAAiB;IAYlB,gBAAgB,uBACD,UAAU,OACzB,iBAAiB,gDAErB,MAAM,EAAE,CA4CT;CACH"}

package/out/csp/csp-injection-service.js

@@ -0,0 +1,82 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CSPInjectionService = void 0;
+const types_1 = require("../types");
+const atlassianImageHosts = {
+    dev: ['https://avatar-management--avatars.us-west-2.staging.public.atl-paas.net', 'https://api.dev.atlassian.com'],
+    stg: ['https://avatar-management--avatars.us-west-2.staging.public.atl-paas.net', 'https://api.stg.atlassian.com'],
+    prod: ['https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net', 'https://api.atlassian.com']
+};
+const gravatarUrl = 'https://secure.gravatar.com';
+class CSPInjectionService {
+    constructor() {
+        this.getInjectableCSP = (existingCSPDetails, env, tunnelCSPReporterUri) => {
+            const reportUri = tunnelCSPReporterUri || this.getCSPReportUri(env);
+            const defaultSrc = `'self'`;
+            const frameAncestors = ["'self'", ...this.getFrameAncestors(env)].join(' ');
+            const frameSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.FRAME_SRC, existingCSPDetails)].join(' ');
+            const fontSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.FONT_SRC, existingCSPDetails)].join(' ');
+            const imgSrc = [
+                "'self'",
+                'data:',
+                'blob:',
+                gravatarUrl,
+                ...atlassianImageHosts[env],
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.IMG_SRC, existingCSPDetails)
+            ].join(' ');
+            const mediaSrc = [
+                "'self'",
+                'data:',
+                'blob:',
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.MEDIA_SRC, existingCSPDetails)
+            ].join(' ');
+            const connectSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.CONNECT_SRC, existingCSPDetails)].join(' ');
+            const scriptSrc = [
+                "'self'",
+                this.getForgeGlobalCSP(env),
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.SCRIPT_SRC, existingCSPDetails)
+            ].join(' ');
+            const styleSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.STYLE_SRC, existingCSPDetails)].join(' ');
+            return [
+                `default-src ${defaultSrc}`,
+                `frame-ancestors ${frameAncestors}`,
+                `frame-src ${frameSrc}`,
+                `font-src ${fontSrc}`,
+                `img-src ${imgSrc}`,
+                `media-src ${mediaSrc}`,
+                `connect-src ${connectSrc}`,
+                `script-src ${scriptSrc}`,
+                `style-src ${styleSrc}`,
+                `form-action 'self'`,
+                `sandbox allow-downloads allow-forms allow-modals allow-same-origin allow-scripts`,
+                `report-uri ${reportUri}`
+            ];
+        };
+    }
+    getCSPReportUri(env, tunnelCSPReporterUri) {
+        if (tunnelCSPReporterUri)
+            return tunnelCSPReporterUri;
+        if (env === 'prod')
+            return 'https://web-security-reports.services.atlassian.com/csp-report/forge-cdn';
+        return 'https://web-security-reports.stg.services.atlassian.com/csp-report/forge-cdn';
+    }
+    getForgeGlobalCSP(env) {
+        return `https://forge.cdn.${env}.atlassian-dev.net`;
+    }
+    getExistingCSPDetails(cspType, cspDetails) {
+        var _a;
+        return (_a = cspDetails[cspType]) !== null && _a !== void 0 ? _a : [];
+    }
+    getFrameAncestors(env) {
+        if (env === 'prod')
+            return ['*.atlassian.net', 'bitbucket.org', '*.jira.com'];
+        return [
+            '*.jira-dev.com',
+            'http://localhost:*',
+            '*.devbucket.org',
+            'https://staging.bb-inf.net',
+            'https://integration.bb-inf.net'
+        ];
+    }
+}
+exports.CSPInjectionService = CSPInjectionService;

package/out/csp/csp-processing-service.d.ts

@@ -0,0 +1,21 @@
+import type { Logger } from '@forge/cli-shared';
+import type { Permissions } from '@forge/manifest';
+import { ContentPermissions, CSPDetails, DocumentBody } from '../types';
+export declare class CSPProcessingService {
+    private readonly logger;
+    constructor(logger: Pick<Logger, 'info'>);
+    getCspDetails(body: DocumentBody, permissions: Permissions): CSPDetails;
+    getInvalidCspPermissions(contentPermissions: ContentPermissions): string[];
+    private mapExternalPermissionsToCsp;
+    private getStyleSrc;
+    private getScriptSrc;
+    private extractUniqueHashes;
+    private getInlineScriptHashes;
+    private hashScript;
+    private isValidUserScriptSrc;
+    private isValidUserStyleSrc;
+    private isSafeCsp;
+    private isValidHash;
+    private getDeprecatedUserCsp;
+}
+//# sourceMappingURL=csp-processing-service.d.ts.map

package/out/csp/csp-processing-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp-processing-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-processing-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAKnD,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,YAAY,EAAuB,MAAM,UAAU,CAAC;AAiB7F,qBAAa,oBAAoB;IACnB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;IAElD,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,GAAG,UAAU;IAkBvE,wBAAwB,CAAC,kBAAkB,EAAE,kBAAkB,GAAG,MAAM,EAAE;IASjF,OAAO,CAAC,2BAA2B;IAcnC,OAAO,CAAC,WAAW;IASnB,OAAO,CAAC,YAAY;IAWpB,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,qBAAqB;IAW7B,OAAO,CAAC,UAAU;IAKlB,OAAO,CAAC,oBAAoB;IAM5B,OAAO,CAAC,mBAAmB;IAW3B,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,oBAAoB;CAa7B"}

package/out/csp/csp-processing-service.js

@@ -0,0 +1,117 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CSPProcessingService = void 0;
+const tslib_1 = require("tslib");
+const cheerio_1 = tslib_1.__importDefault(require("cheerio"));
+const content_security_policy_parser_1 = tslib_1.__importDefault(require("content-security-policy-parser"));
+const crypto_1 = tslib_1.__importDefault(require("crypto"));
+const STYLE_SRC_ALLOWLIST = [`'unsafe-inline'`];
+const SCRIPT_SRC_ALLOWLIST = [`'unsafe-inline'`, `'unsafe-eval'`, `'unsafe-hashes'`];
+const BASE_64_HASH_PATTERNS = [
+    /^'sha256-[a-zA-Z0-9=+/]{44}'$/,
+    /^'sha384-[a-zA-Z0-9=+/]{64}'$/,
+    /^'sha512-[a-zA-Z0-9=+/]{88}'$/
+];
+class CSPProcessingService {
+    constructor(logger) {
+        this.logger = logger;
+    }
+    getCspDetails(body, permissions) {
+        var _a, _b;
+        const { scripts, styles } = (_a = permissions === null || permissions === void 0 ? void 0 : permissions.content) !== null && _a !== void 0 ? _a : { scripts: [], styles: [] };
+        const external = (_b = permissions === null || permissions === void 0 ? void 0 : permissions.external) !== null && _b !== void 0 ? _b : {};
+        const $ = cheerio_1.default.load(body);
+        const _c = this.mapExternalPermissionsToCsp(external), { 'script-src': scriptSrc, 'style-src': styleSrc } = _c, mappedExternalCsp = tslib_1.__rest(_c, ['script-src', 'style-src']);
+        return Object.assign({ 'style-src': [...this.getStyleSrc($, styles), ...styleSrc], 'script-src': [...this.getScriptSrc($, scripts), ...scriptSrc] }, mappedExternalCsp);
+    }
+    getInvalidCspPermissions(contentPermissions) {
+        var _a, _b;
+        const { styles, scripts } = contentPermissions;
+        const invalidStyles = (_a = styles === null || styles === void 0 ? void 0 : styles.filter((styleSrc) => !this.isValidUserStyleSrc(`'${styleSrc}'`))) !== null && _a !== void 0 ? _a : [];
+        const invalidScripts = (_b = scripts === null || scripts === void 0 ? void 0 : scripts.filter((scriptSrc) => !this.isValidUserScriptSrc(`'${scriptSrc}'`))) !== null && _b !== void 0 ? _b : [];
+        return [...invalidStyles, ...invalidScripts];
+    }
+    mapExternalPermissionsToCsp(externalPermissions) {
+        var _a;
+        const { images, media, scripts, fetch, styles, fonts, frames } = externalPermissions;
+        return {
+            'img-src': images !== null && images !== void 0 ? images : [],
+            'media-src': media !== null && media !== void 0 ? media : [],
+            'script-src': scripts !== null && scripts !== void 0 ? scripts : [],
+            'style-src': styles !== null && styles !== void 0 ? styles : [],
+            'connect-src': (_a = fetch === null || fetch === void 0 ? void 0 : fetch.client) !== null && _a !== void 0 ? _a : [],
+            'font-src': fonts !== null && fonts !== void 0 ? fonts : [],
+            'frame-src': frames !== null && frames !== void 0 ? frames : []
+        };
+    }
+    getStyleSrc($, userStyleSrc) {
+        var _a, _b;
+        const quotedUserStyleSrc = (_a = userStyleSrc === null || userStyleSrc === void 0 ? void 0 : userStyleSrc.map((x) => `'${x}'`)) !== null && _a !== void 0 ? _a : [];
+        const deprecatedUserScriptSrc = (_b = this.getDeprecatedUserCsp($)['style-src']) !== null && _b !== void 0 ? _b : [];
+        const uniqueStyleSrc = [...new Set([...deprecatedUserScriptSrc, ...quotedUserStyleSrc])];
+        return uniqueStyleSrc.filter((x) => this.isValidUserStyleSrc(x));
+    }
+    getScriptSrc($, userScriptSrc) {
+        var _a;
+        const generatedScriptHashes = this.getInlineScriptHashes($);
+        const quotedUserScriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.map((x) => `'${x}'`)) !== null && _a !== void 0 ? _a : [];
+        const validUserScriptSrc = quotedUserScriptSrc.filter((x) => this.isValidUserScriptSrc(x));
+        const { scriptSrc, userScriptHashes } = this.extractUniqueHashes(validUserScriptSrc, generatedScriptHashes);
+        return [...scriptSrc, ...generatedScriptHashes, ...userScriptHashes];
+    }
+    extractUniqueHashes(userScriptSrc, existingScriptHashes) {
+        var _a;
+        const userScriptHashes = [];
+        const scriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.filter((scriptSrc) => {
+            const isValidHash = this.isValidHash(scriptSrc);
+            if (isValidHash && !existingScriptHashes.includes(scriptSrc)) {
+                userScriptHashes.push(scriptSrc);
+            }
+            return !isValidHash;
+        })) !== null && _a !== void 0 ? _a : [];
+        return { scriptSrc, userScriptHashes };
+    }
+    getInlineScriptHashes($) {
+        const scriptHashes = $('script:not([src])')
+            .map((_index, script) => {
+            const html = $(script).html();
+            return html && `'sha256-${this.hashScript(html)}'`;
+        })
+            .get();
+        return scriptHashes;
+    }
+    hashScript(content) {
+        const sha256 = crypto_1.default.createHash('sha256');
+        return sha256.update(content).digest('base64');
+    }
+    isValidUserScriptSrc(scriptSrc) {
+        if (!this.isSafeCsp(scriptSrc))
+            return false;
+        return this.isValidHash(scriptSrc) || SCRIPT_SRC_ALLOWLIST.includes(scriptSrc);
+    }
+    isValidUserStyleSrc(styleSrc) {
+        if (!this.isSafeCsp(styleSrc)) {
+            this.logger.info('discarding potentially-malicious CSP');
+            return false;
+        }
+        return STYLE_SRC_ALLOWLIST.includes(styleSrc);
+    }
+    isSafeCsp(cspString) {
+        return /^[a-zA-Z0-9='"+\/ -]*$/.test(cspString);
+    }
+    isValidHash(cspString) {
+        return BASE_64_HASH_PATTERNS.some((pattern) => pattern.test(cspString));
+    }
+    getDeprecatedUserCsp($) {
+        const cspContent = $('meta[http-equiv="Content-Security-Policy"]').attr('content');
+        if (!cspContent) {
+            return {};
+        }
+        if (!this.isSafeCsp(cspContent)) {
+            this.logger.info('discarding potentially-malicious CSP');
+            return {};
+        }
+        return content_security_policy_parser_1.default(cspContent);
+    }
+}
+exports.CSPProcessingService = CSPProcessingService;

package/out/csp/index.d.ts

@@ -0,0 +1,3 @@
+export * from './csp-injection-service';
+export * from './csp-processing-service';
+//# sourceMappingURL=index.d.ts.map

package/out/csp/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/csp/index.ts"],"names":[],"mappings":"AAEA,cAAc,yBAAyB,CAAC;AACxC,cAAc,0BAA0B,CAAC"}

package/out/csp/index.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+tslib_1.__exportStar(require("./csp-injection-service"), exports);
+tslib_1.__exportStar(require("./csp-processing-service"), exports);

package/out/egress/egress-filtering-service.d.ts

@@ -0,0 +1,11 @@
+export declare class EgressFilteringService {
+    private readonly URLs;
+    private readonly wildcardDomains;
+    private readonly allowsEverything;
+    constructor(allowList: string[]);
+    private safeURL;
+    isValidUrl(url: string): boolean;
+    private domainCheck;
+    private domainIsAllowed;
+}
+//# sourceMappingURL=egress-filtering-service.d.ts.map

package/out/egress/egress-filtering-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"egress-filtering-service.d.ts","sourceRoot":"","sources":["../../src/egress/egress-filtering-service.ts"],"names":[],"mappings":"AAGA,qBAAa,sBAAsB;IACjC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAQ;IAC7B,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAQ;IACxC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAU;gBAE/B,SAAS,EAAE,MAAM,EAAE;IAY/B,OAAO,CAAC,OAAO;IAOR,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAQvC,OAAO,CAAC,WAAW;IAWnB,OAAO,CAAC,eAAe;CAWxB"}

package/out/egress/egress-filtering-service.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EgressFilteringService = void 0;
+const tslib_1 = require("tslib");
+const micromatch_1 = tslib_1.__importDefault(require("micromatch"));
+const url_1 = require("url");
+class EgressFilteringService {
+    constructor(allowList) {
+        this.URLs = allowList
+            .filter((domainOrURL) => !domainOrURL.startsWith('*'))
+            .map((url) => this.safeURL(url));
+        this.wildcardDomains = allowList
+            .filter((domainOrURL) => domainOrURL !== '*')
+            .map((url) => this.safeURL(url))
+            .filter((url) => url.hostname.startsWith('*'));
+        this.allowsEverything = allowList.includes('*');
+    }
+    safeURL(url, defaultProtocol = 'https://') {
+        const protocolRegex = /^(.*:\/\/)/;
+        return new url_1.URL(protocolRegex.test(url) ? url : `${defaultProtocol}${url}`);
+    }
+    isValidUrl(url) {
+        if (this.allowsEverything) {
+            return true;
+        }
+        return this.domainIsAllowed(this.safeURL(url));
+    }
+    domainCheck(domain, allowList) {
+        const hostnameMatchedProtocol = allowList
+            .filter((allowed) => allowed.protocol === domain.protocol)
+            .map((url) => url.hostname);
+        return (micromatch_1.default([domain.hostname], hostnameMatchedProtocol, {
+            dot: true
+        }).length > 0);
+    }
+    domainIsAllowed(domain) {
+        if (this.domainCheck(domain, this.URLs)) {
+            return true;
+        }
+        if (this.domainCheck(domain, this.wildcardDomains)) {
+            return true;
+        }
+        return false;
+    }
+}
+exports.EgressFilteringService = EgressFilteringService;

package/out/egress/index.d.ts

@@ -0,0 +1,3 @@
+export * from './egress-filtering-service';
+export * from './utils';
+//# sourceMappingURL=index.d.ts.map

package/out/egress/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/egress/index.ts"],"names":[],"mappings":"AAEA,cAAc,4BAA4B,CAAC;AAC3C,cAAc,SAAS,CAAC"}

package/out/egress/index.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+tslib_1.__exportStar(require("./egress-filtering-service"), exports);
+tslib_1.__exportStar(require("./utils"), exports);

package/out/egress/utils.d.ts

@@ -0,0 +1,3 @@
+declare const sortAndGroupEgressPermissionsByDomain: (egressAddresses: string[]) => Array<string>;
+export { sortAndGroupEgressPermissionsByDomain };
+//# sourceMappingURL=utils.d.ts.map

package/out/egress/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/egress/utils.ts"],"names":[],"mappings":"AAGA,QAAA,MAAM,qCAAqC,oBAAqB,MAAM,EAAE,KAAG,KAAK,CAAC,MAAM,CA2BtF,CAAC;AAEF,OAAO,EAAE,qCAAqC,EAAE,CAAC"}

package/out/egress/utils.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sortAndGroupEgressPermissionsByDomain = void 0;
+const tslib_1 = require("tslib");
+const micromatch_1 = tslib_1.__importDefault(require("micromatch"));
+const url_1 = require("url");
+const sortAndGroupEgressPermissionsByDomain = (egressAddresses) => {
+    const protocolRegex = /^(.*?:\/\/)/;
+    const domainSet = new Set();
+    const groupSet = new Set();
+    const removeSet = new Set();
+    if ((egressAddresses === null || egressAddresses === void 0 ? void 0 : egressAddresses.length) === 0) {
+        return [];
+    }
+    egressAddresses.forEach((item) => {
+        const itemWithProtocol = protocolRegex.test(item) ? item : `https://${item}`;
+        const url = new url_1.URL(itemWithProtocol);
+        if (url.hostname.startsWith('*')) {
+            groupSet.add(url.hostname.substring(2));
+            removeSet.add('!' + url.hostname);
+        }
+        else {
+            domainSet.add(url.hostname);
+        }
+    });
+    if (removeSet.size === 0) {
+        return [...domainSet];
+    }
+    return [...new Set(micromatch_1.default([...domainSet], [...removeSet]).concat([...groupSet]))].sort();
+};
+exports.sortAndGroupEgressPermissionsByDomain = sortAndGroupEgressPermissionsByDomain;

package/out/index.d.ts

@@ -0,0 +1,4 @@
+export * from './csp';
+export * from './egress';
+export * from './types';
+//# sourceMappingURL=index.d.ts.map

package/out/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,cAAc,OAAO,CAAC;AACtB,cAAc,UAAU,CAAC;AACzB,cAAc,SAAS,CAAC"}

package/out/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+tslib_1.__exportStar(require("./csp"), exports);
+tslib_1.__exportStar(require("./egress"), exports);
+tslib_1.__exportStar(require("./types"), exports);

package/out/types.d.ts

@@ -0,0 +1,16 @@
+/// <reference types="node" />
+import type { Permissions } from '@forge/manifest';
+export declare type DocumentBody = string | Buffer;
+export declare type ContentPermissions = NonNullable<Permissions['content']>;
+export declare type ExternalPermissions = NonNullable<Permissions['external']>;
+export declare enum ExternalCspType {
+    IMG_SRC = "img-src",
+    MEDIA_SRC = "media-src",
+    SCRIPT_SRC = "script-src",
+    STYLE_SRC = "style-src",
+    CONNECT_SRC = "connect-src",
+    FONT_SRC = "font-src",
+    FRAME_SRC = "frame-src"
+}
+export declare type CSPDetails = Record<ExternalCspType, string[]>;
+//# sourceMappingURL=types.d.ts.map

package/out/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":";AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAEnD,oBAAY,YAAY,GAAG,MAAM,GAAG,MAAM,CAAC;AAE3C,oBAAY,kBAAkB,GAAG,WAAW,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC;AACrE,oBAAY,mBAAmB,GAAG,WAAW,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC;AACvE,oBAAY,eAAe;IACzB,OAAO,YAAY;IACnB,SAAS,cAAc;IACvB,UAAU,eAAe;IACzB,SAAS,cAAc;IACvB,WAAW,gBAAgB;IAC3B,QAAQ,aAAa;IACrB,SAAS,cAAc;CACxB;AACD,oBAAY,UAAU,GAAG,MAAM,CAAC,eAAe,EAAE,MAAM,EAAE,CAAC,CAAC"}

package/out/types.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ExternalCspType = void 0;
+var ExternalCspType;
+(function (ExternalCspType) {
+    ExternalCspType["IMG_SRC"] = "img-src";
+    ExternalCspType["MEDIA_SRC"] = "media-src";
+    ExternalCspType["SCRIPT_SRC"] = "script-src";
+    ExternalCspType["STYLE_SRC"] = "style-src";
+    ExternalCspType["CONNECT_SRC"] = "connect-src";
+    ExternalCspType["FONT_SRC"] = "font-src";
+    ExternalCspType["FRAME_SRC"] = "frame-src";
+})(ExternalCspType = exports.ExternalCspType || (exports.ExternalCspType = {}));

package/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "@forge/csp",
+  "version": "0.0.0-experimental-d18f8dd",
+  "description": "Contains the CSP configuration for Custom UI resources in Forge",
+  "main": "out/index.js",
+  "author": "Atlassian",
+  "license": "UNLICENSED",
+  "scripts": {
+    "build": "yarn run clean && yarn run compile",
+    "compile": "tsc -b -v",
+    "clean": "rm -rf ./out && rm -f tsconfig.tsbuildinfo"
+  },
+  "devDependencies": {
+    "@forge/cli-shared": "^0.0.0-experimental-d18f8dd",
+    "@forge/manifest": "^0.0.0-experimental-d18f8dd",
+    "@types/jest": "^26.0.0"
+  },
+  "dependencies": {
+    "cheerio": "^0.22.0",
+    "content-security-policy-parser": "^0.3.0",
+    "micromatch": "^4.0.2"
+  }
+}