@forge/csp 0.0.0-experimental-d18f8dd → 0.0.0-experimental-c3d0263

package/CHANGELOG.md

@@ -1,10 +1,64 @@
 # @forge/csp
 
-## 0.0.0-experimental-d18f8dd
+## 0.0.0-experimental-c3d0263
+
+### Minor Changes
+
+- e95919f: Added blob csp support for script content permissions with manifest validation
+- 56164fe: Add allow-pointer-lock to iframe sandbox
+
+## 1.10.0-next.1
+
+### Minor Changes
+
+- e95919f: Added blob csp support for script content permissions with manifest validation
+
+## 1.10.0-next.0
+
+### Minor Changes
+
+- 56164fe: Add allow-pointer-lock to iframe sandbox
+
+## 1.9.0
+
+### Minor Changes
+
+- 1c196ff: Add support for external fetch client to reference remote
 
 ### Patch Changes
 
-- d18f8dd: Force bump
+- 1dba082: Enabling new frame ancestors '_.atl-paas.net' and '_.atlassian.com'
+
+## 1.9.0-next.1
+
+### Minor Changes
+
+- 1c196ff: Add support for external fetch client to reference remote
+
+## 1.8.1-next.0
+
+### Patch Changes
+
+- 04e4152: Enabling new frame ancestors '_.atl-paas.net' and '_.atlassian.com'
+
+## 1.8.0
+
+### Minor Changes
+
+- d5f3fac: Remove deprecated method for handling CSP user config
+- f002362: Revert change for deprecated CSP
+
+## 1.8.0-next.1
+
+### Minor Changes
+
+- f002362: Revert change for deprecated CSP
+
+## 1.8.0-next.0
+
+### Minor Changes
+
+- d5f3fac: Remove deprecated method for handling CSP user config
 
 ## 1.7.1
 

package/out/csp/csp-injection-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"csp-injection-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-injection-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,UAAU,EAAmB,MAAM,UAAU,CAAC;AAUvD,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;IAIzB,OAAO,CAAC,qBAAqB;IAI7B,OAAO,CAAC,iBAAiB;IAYlB,gBAAgB,uBACD,UAAU,OACzB,iBAAiB,gDAErB,MAAM,EAAE,CA4CT;CACH"}
+{"version":3,"file":"csp-injection-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-injection-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,UAAU,EAAmB,MAAM,UAAU,CAAC;AAUvD,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;IAIzB,OAAO,CAAC,qBAAqB;IAI7B,OAAO,CAAC,iBAAiB;IAalB,gBAAgB,uBACD,UAAU,OACzB,iBAAiB,gDAErB,MAAM,EAAE,CA4CT;CACH"}

package/out/csp/csp-injection-service.js

@@ -48,7 +48,7 @@ class CSPInjectionService {
                 `script-src ${scriptSrc}`,
                 `style-src ${styleSrc}`,
                 `form-action 'self'`,
-                `sandbox allow-downloads allow-forms allow-modals allow-same-origin allow-scripts`,
+                `sandbox allow-downloads allow-forms allow-modals allow-pointer-lock allow-same-origin allow-scripts`,
                 `report-uri ${reportUri}`
             ];
         };
@@ -69,13 +69,14 @@ class CSPInjectionService {
     }
     getFrameAncestors(env) {
         if (env === 'prod')
-            return ['*.atlassian.net', 'bitbucket.org', '*.jira.com'];
+            return ['*.atlassian.net', 'bitbucket.org', '*.jira.com', '*.atlassian.com'];
         return [
             '*.jira-dev.com',
             'http://localhost:*',
             '*.devbucket.org',
             'https://staging.bb-inf.net',
-            'https://integration.bb-inf.net'
+            'https://integration.bb-inf.net',
+            '*.atl-paas.net'
         ];
     }
 }

package/out/csp/csp-processing-service.d.ts

@@ -1,17 +1,27 @@
 import type { Logger } from '@forge/cli-shared';
 import type { Permissions } from '@forge/manifest';
 import { ContentPermissions, CSPDetails, DocumentBody } from '../types';
+export declare class InvalidConnectSrc extends Error {
+    constructor();
+}
 export declare class CSPProcessingService {
     private readonly logger;
+    private STYLE_SRC_ALLOWLIST;
+    private QUOTED_SCRIPT_SRC_ALLOWLIST;
+    private UNQUOTED_SCRIPT_SRC_ALLOWLIST;
+    private SCRIPT_SRC_ALLOWLIST;
+    private BASE_64_HASH_PATTERNS;
     constructor(logger: Pick<Logger, 'info'>);
     getCspDetails(body: DocumentBody, permissions: Permissions): CSPDetails;
     getInvalidCspPermissions(contentPermissions: ContentPermissions): string[];
+    private assertValidFetchClient;
     private mapExternalPermissionsToCsp;
     private getStyleSrc;
     private getScriptSrc;
     private extractUniqueHashes;
     private getInlineScriptHashes;
     private hashScript;
+    private formatScriptSrc;
     private isValidUserScriptSrc;
     private isValidUserStyleSrc;
     private isSafeCsp;

package/out/csp/csp-processing-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"csp-processing-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-processing-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAKnD,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,YAAY,EAAuB,MAAM,UAAU,CAAC;AAiB7F,qBAAa,oBAAoB;IACnB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;IAElD,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,GAAG,UAAU;IAkBvE,wBAAwB,CAAC,kBAAkB,EAAE,kBAAkB,GAAG,MAAM,EAAE;IASjF,OAAO,CAAC,2BAA2B;IAcnC,OAAO,CAAC,WAAW;IASnB,OAAO,CAAC,YAAY;IAWpB,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,qBAAqB;IAW7B,OAAO,CAAC,UAAU;IAKlB,OAAO,CAAC,oBAAoB;IAM5B,OAAO,CAAC,mBAAmB;IAW3B,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,oBAAoB;CAa7B"}
+{"version":3,"file":"csp-processing-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-processing-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,WAAW,EAAS,MAAM,iBAAiB,CAAC;AAK1D,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,YAAY,EAAuB,MAAM,UAAU,CAAC;AAE7F,qBAAa,iBAAkB,SAAQ,KAAK;;CAI3C;AAMD,qBAAa,oBAAoB;IAanB,OAAO,CAAC,QAAQ,CAAC,MAAM;IAXnC,OAAO,CAAC,mBAAmB,CAAuB;IAElD,OAAO,CAAC,2BAA2B,CAAqD;IACxF,OAAO,CAAC,6BAA6B,CAAa;IAClD,OAAO,CAAC,oBAAoB,CAAgF;IAE5G,OAAO,CAAC,qBAAqB,CAI3B;gBAC2B,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;IAElD,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,GAAG,UAAU;IAkBvE,wBAAwB,CAAC,kBAAkB,EAAE,kBAAkB,GAAG,MAAM,EAAE;IASjF,OAAO,CAAC,sBAAsB;IAW9B,OAAO,CAAC,2BAA2B;IAgBnC,OAAO,CAAC,WAAW;IASnB,OAAO,CAAC,YAAY;IASpB,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,qBAAqB;IAS7B,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,oBAAoB;IAM5B,OAAO,CAAC,mBAAmB;IAW3B,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,oBAAoB;CAa7B"}

package/out/csp/csp-processing-service.js

@@ -1,20 +1,28 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CSPProcessingService = void 0;
+exports.CSPProcessingService = exports.InvalidConnectSrc = void 0;
 const tslib_1 = require("tslib");
 const cheerio_1 = tslib_1.__importDefault(require("cheerio"));
 const content_security_policy_parser_1 = tslib_1.__importDefault(require("content-security-policy-parser"));
 const crypto_1 = tslib_1.__importDefault(require("crypto"));
-const STYLE_SRC_ALLOWLIST = [`'unsafe-inline'`];
-const SCRIPT_SRC_ALLOWLIST = [`'unsafe-inline'`, `'unsafe-eval'`, `'unsafe-hashes'`];
-const BASE_64_HASH_PATTERNS = [
-    /^'sha256-[a-zA-Z0-9=+/]{44}'$/,
-    /^'sha384-[a-zA-Z0-9=+/]{64}'$/,
-    /^'sha512-[a-zA-Z0-9=+/]{88}'$/
-];
+class InvalidConnectSrc extends Error {
+    constructor() {
+        super('fetch.client should be an array of strings');
+    }
+}
+exports.InvalidConnectSrc = InvalidConnectSrc;
 class CSPProcessingService {
     constructor(logger) {
         this.logger = logger;
+        this.STYLE_SRC_ALLOWLIST = [`'unsafe-inline'`];
+        this.QUOTED_SCRIPT_SRC_ALLOWLIST = ['unsafe-inline', 'unsafe-eval', 'unsafe-hashes'];
+        this.UNQUOTED_SCRIPT_SRC_ALLOWLIST = ['blob:'];
+        this.SCRIPT_SRC_ALLOWLIST = [...this.QUOTED_SCRIPT_SRC_ALLOWLIST, ...this.UNQUOTED_SCRIPT_SRC_ALLOWLIST];
+        this.BASE_64_HASH_PATTERNS = [
+            /^sha256-[a-zA-Z0-9=+/]{44}$/,
+            /^sha384-[a-zA-Z0-9=+/]{64}$/,
+            /^sha512-[a-zA-Z0-9=+/]{88}$/
+        ];
     }
     getCspDetails(body, permissions) {
         var _a, _b;
@@ -28,12 +36,22 @@ class CSPProcessingService {
         var _a, _b;
         const { styles, scripts } = contentPermissions;
         const invalidStyles = (_a = styles === null || styles === void 0 ? void 0 : styles.filter((styleSrc) => !this.isValidUserStyleSrc(`'${styleSrc}'`))) !== null && _a !== void 0 ? _a : [];
-        const invalidScripts = (_b = scripts === null || scripts === void 0 ? void 0 : scripts.filter((scriptSrc) => !this.isValidUserScriptSrc(`'${scriptSrc}'`))) !== null && _b !== void 0 ? _b : [];
+        const invalidScripts = (_b = scripts === null || scripts === void 0 ? void 0 : scripts.filter((scriptSrc) => !this.isValidUserScriptSrc(scriptSrc))) !== null && _b !== void 0 ? _b : [];
         return [...invalidStyles, ...invalidScripts];
     }
+    assertValidFetchClient(fetch) {
+        if (fetch === null || fetch === void 0 ? void 0 : fetch.client) {
+            for (const client of fetch === null || fetch === void 0 ? void 0 : fetch.client) {
+                if (typeof client !== 'string') {
+                    throw new InvalidConnectSrc();
+                }
+            }
+        }
+    }
     mapExternalPermissionsToCsp(externalPermissions) {
         var _a;
         const { images, media, scripts, fetch, styles, fonts, frames } = externalPermissions;
+        this.assertValidFetchClient(fetch);
         return {
             'img-src': images !== null && images !== void 0 ? images : [],
             'media-src': media !== null && media !== void 0 ? media : [],
@@ -47,17 +65,16 @@ class CSPProcessingService {
     getStyleSrc($, userStyleSrc) {
         var _a, _b;
         const quotedUserStyleSrc = (_a = userStyleSrc === null || userStyleSrc === void 0 ? void 0 : userStyleSrc.map((x) => `'${x}'`)) !== null && _a !== void 0 ? _a : [];
-        const deprecatedUserScriptSrc = (_b = this.getDeprecatedUserCsp($)['style-src']) !== null && _b !== void 0 ? _b : [];
-        const uniqueStyleSrc = [...new Set([...deprecatedUserScriptSrc, ...quotedUserStyleSrc])];
+        const deprecatedUserStyleSrc = (_b = this.getDeprecatedUserCsp($)['style-src']) !== null && _b !== void 0 ? _b : [];
+        const uniqueStyleSrc = [...new Set([...deprecatedUserStyleSrc, ...quotedUserStyleSrc])];
         return uniqueStyleSrc.filter((x) => this.isValidUserStyleSrc(x));
     }
     getScriptSrc($, userScriptSrc) {
         var _a;
         const generatedScriptHashes = this.getInlineScriptHashes($);
-        const quotedUserScriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.map((x) => `'${x}'`)) !== null && _a !== void 0 ? _a : [];
-        const validUserScriptSrc = quotedUserScriptSrc.filter((x) => this.isValidUserScriptSrc(x));
+        const validUserScriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.filter((x) => this.isValidUserScriptSrc(x))) !== null && _a !== void 0 ? _a : [];
         const { scriptSrc, userScriptHashes } = this.extractUniqueHashes(validUserScriptSrc, generatedScriptHashes);
-        return [...scriptSrc, ...generatedScriptHashes, ...userScriptHashes];
+        return [...scriptSrc, ...generatedScriptHashes, ...userScriptHashes].map((x) => this.formatScriptSrc(x));
     }
     extractUniqueHashes(userScriptSrc, existingScriptHashes) {
         var _a;
@@ -72,35 +89,40 @@ class CSPProcessingService {
         return { scriptSrc, userScriptHashes };
     }
     getInlineScriptHashes($) {
-        const scriptHashes = $('script:not([src])')
+        return $('script:not([src])')
             .map((_index, script) => {
             const html = $(script).html();
-            return html && `'sha256-${this.hashScript(html)}'`;
+            return html && `sha256-${this.hashScript(html)}`;
         })
             .get();
-        return scriptHashes;
     }
     hashScript(content) {
         const sha256 = crypto_1.default.createHash('sha256');
         return sha256.update(content).digest('base64');
     }
+    formatScriptSrc(scriptSrc) {
+        if (this.UNQUOTED_SCRIPT_SRC_ALLOWLIST.includes(scriptSrc)) {
+            return scriptSrc;
+        }
+        return `'${scriptSrc}'`;
+    }
     isValidUserScriptSrc(scriptSrc) {
         if (!this.isSafeCsp(scriptSrc))
             return false;
-        return this.isValidHash(scriptSrc) || SCRIPT_SRC_ALLOWLIST.includes(scriptSrc);
+        return this.isValidHash(scriptSrc) || this.SCRIPT_SRC_ALLOWLIST.includes(scriptSrc);
     }
     isValidUserStyleSrc(styleSrc) {
         if (!this.isSafeCsp(styleSrc)) {
             this.logger.info('discarding potentially-malicious CSP');
             return false;
         }
-        return STYLE_SRC_ALLOWLIST.includes(styleSrc);
+        return this.STYLE_SRC_ALLOWLIST.includes(styleSrc);
     }
     isSafeCsp(cspString) {
-        return /^[a-zA-Z0-9='"+\/ -]*$/.test(cspString);
+        return /^([a-zA-Z0-9='"+\/ -]|blob:)*$/.test(cspString);
     }
     isValidHash(cspString) {
-        return BASE_64_HASH_PATTERNS.some((pattern) => pattern.test(cspString));
+        return this.BASE_64_HASH_PATTERNS.some((pattern) => pattern.test(cspString));
     }
     getDeprecatedUserCsp($) {
         const cspContent = $('meta[http-equiv="Content-Security-Policy"]').attr('content');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forge/csp",
-  "version": "0.0.0-experimental-d18f8dd",
+  "version": "0.0.0-experimental-c3d0263",
   "description": "Contains the CSP configuration for Custom UI resources in Forge",
   "main": "out/index.js",
   "author": "Atlassian",
@@ -11,8 +11,8 @@
     "clean": "rm -rf ./out && rm -f tsconfig.tsbuildinfo"
   },
   "devDependencies": {
-    "@forge/cli-shared": "^0.0.0-experimental-d18f8dd",
-    "@forge/manifest": "^0.0.0-experimental-d18f8dd",
+    "@forge/cli-shared": "^0.0.0-experimental-c3d0263",
+    "@forge/manifest": "^0.0.0-experimental-c3d0263",
     "@types/jest": "^26.0.0"
   },
   "dependencies": {