@forge/csp 1.8.0-next.0 → 1.8.0-next.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"csp-processing-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-processing-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"csp-processing-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-processing-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAKnD,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,YAAY,EAAuB,MAAM,UAAU,CAAC;AAiB7F,qBAAa,oBAAoB;IACnB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;IAElD,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,GAAG,UAAU;IAkBvE,wBAAwB,CAAC,kBAAkB,EAAE,kBAAkB,GAAG,MAAM,EAAE;IASjF,OAAO,CAAC,2BAA2B;IAcnC,OAAO,CAAC,WAAW;IASnB,OAAO,CAAC,YAAY;IAWpB,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,qBAAqB;IAW7B,OAAO,CAAC,UAAU;IAKlB,OAAO,CAAC,oBAAoB;IAM5B,OAAO,CAAC,mBAAmB;IAW3B,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,oBAAoB;CAa7B"}
|
|
@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.CSPProcessingService = void 0;
|
|
4
4
|
const tslib_1 = require("tslib");
|
|
5
5
|
const cheerio_1 = tslib_1.__importDefault(require("cheerio"));
|
|
6
|
+
const content_security_policy_parser_1 = tslib_1.__importDefault(require("content-security-policy-parser"));
|
|
6
7
|
const crypto_1 = tslib_1.__importDefault(require("crypto"));
|
|
7
8
|
const STYLE_SRC_ALLOWLIST = [`'unsafe-inline'`];
|
|
8
9
|
const SCRIPT_SRC_ALLOWLIST = [`'unsafe-inline'`, `'unsafe-eval'`, `'unsafe-hashes'`];
|
|
@@ -44,9 +45,10 @@ class CSPProcessingService {
|
|
|
44
45
|
};
|
|
45
46
|
}
|
|
46
47
|
getStyleSrc($, userStyleSrc) {
|
|
47
|
-
var _a;
|
|
48
|
+
var _a, _b;
|
|
48
49
|
const quotedUserStyleSrc = (_a = userStyleSrc === null || userStyleSrc === void 0 ? void 0 : userStyleSrc.map((x) => `'${x}'`)) !== null && _a !== void 0 ? _a : [];
|
|
49
|
-
const
|
|
50
|
+
const deprecatedUserScriptSrc = (_b = this.getDeprecatedUserCsp($)['style-src']) !== null && _b !== void 0 ? _b : [];
|
|
51
|
+
const uniqueStyleSrc = [...new Set([...deprecatedUserScriptSrc, ...quotedUserStyleSrc])];
|
|
50
52
|
return uniqueStyleSrc.filter((x) => this.isValidUserStyleSrc(x));
|
|
51
53
|
}
|
|
52
54
|
getScriptSrc($, userScriptSrc) {
|
|
@@ -100,5 +102,16 @@ class CSPProcessingService {
|
|
|
100
102
|
isValidHash(cspString) {
|
|
101
103
|
return BASE_64_HASH_PATTERNS.some((pattern) => pattern.test(cspString));
|
|
102
104
|
}
|
|
105
|
+
getDeprecatedUserCsp($) {
|
|
106
|
+
const cspContent = $('meta[http-equiv="Content-Security-Policy"]').attr('content');
|
|
107
|
+
if (!cspContent) {
|
|
108
|
+
return {};
|
|
109
|
+
}
|
|
110
|
+
if (!this.isSafeCsp(cspContent)) {
|
|
111
|
+
this.logger.info('discarding potentially-malicious CSP');
|
|
112
|
+
return {};
|
|
113
|
+
}
|
|
114
|
+
return content_security_policy_parser_1.default(cspContent);
|
|
115
|
+
}
|
|
103
116
|
}
|
|
104
117
|
exports.CSPProcessingService = CSPProcessingService;
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@forge/csp",
|
|
3
|
-
"version": "1.8.0-next.
|
|
3
|
+
"version": "1.8.0-next.1",
|
|
4
4
|
"description": "Contains the CSP configuration for Custom UI resources in Forge",
|
|
5
5
|
"main": "out/index.js",
|
|
6
6
|
"author": "Atlassian",
|
|
@@ -17,6 +17,7 @@
|
|
|
17
17
|
},
|
|
18
18
|
"dependencies": {
|
|
19
19
|
"cheerio": "^0.22.0",
|
|
20
|
+
"content-security-policy-parser": "^0.3.0",
|
|
20
21
|
"micromatch": "^4.0.2"
|
|
21
22
|
}
|
|
22
23
|
}
|