@forge/csp 1.9.0 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/CHANGELOG.md +19 -0
  2. package/out/csp/csp-injection-service.js +1 -1
  3. package/out/csp/csp-processing-service.d.ts +6 -0
  4. package/out/csp/csp-processing-service.d.ts.map +1 -1
  5. package/out/csp/csp-processing-service.js +26 -20
  6. package/package.json +3 -3
package/CHANGELOG.md CHANGED
@@ -1,5 +1,24 @@
1
1
  # @forge/csp
2
2
 
3
+ ## 1.10.0
4
+
5
+ ### Minor Changes
6
+
7
+ - e95919f: Added blob csp support for script content permissions with manifest validation
8
+ - 56164fe: Add allow-pointer-lock to iframe sandbox
9
+
10
+ ## 1.10.0-next.1
11
+
12
+ ### Minor Changes
13
+
14
+ - e95919f: Added blob csp support for script content permissions with manifest validation
15
+
16
+ ## 1.10.0-next.0
17
+
18
+ ### Minor Changes
19
+
20
+ - 56164fe: Add allow-pointer-lock to iframe sandbox
21
+
3
22
  ## 1.9.0
4
23
 
5
24
  ### Minor Changes
package/out/csp/csp-injection-service.js CHANGED
@@ -48,7 +48,7 @@ class CSPInjectionService {
48
48
  `script-src ${scriptSrc}`,
49
49
  `style-src ${styleSrc}`,
50
50
  `form-action 'self'`,
51
- `sandbox allow-downloads allow-forms allow-modals allow-same-origin allow-scripts`,
51
+ `sandbox allow-downloads allow-forms allow-modals allow-pointer-lock allow-same-origin allow-scripts`,
52
52
  `report-uri ${reportUri}`
53
53
  ];
54
54
  };
package/out/csp/csp-processing-service.d.ts CHANGED
@@ -6,6 +6,11 @@ export declare class InvalidConnectSrc extends Error {
6
6
  }
7
7
  export declare class CSPProcessingService {
8
8
  private readonly logger;
9
+ private STYLE_SRC_ALLOWLIST;
10
+ private QUOTED_SCRIPT_SRC_ALLOWLIST;
11
+ private UNQUOTED_SCRIPT_SRC_ALLOWLIST;
12
+ private SCRIPT_SRC_ALLOWLIST;
13
+ private BASE_64_HASH_PATTERNS;
9
14
  constructor(logger: Pick<Logger, 'info'>);
10
15
  getCspDetails(body: DocumentBody, permissions: Permissions): CSPDetails;
11
16
  getInvalidCspPermissions(contentPermissions: ContentPermissions): string[];
@@ -16,6 +21,7 @@ export declare class CSPProcessingService {
16
21
  private extractUniqueHashes;
17
22
  private getInlineScriptHashes;
18
23
  private hashScript;
24
+ private formatScriptSrc;
19
25
  private isValidUserScriptSrc;
20
26
  private isValidUserStyleSrc;
21
27
  private isSafeCsp;
package/out/csp/csp-processing-service.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"csp-processing-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-processing-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,WAAW,EAAS,MAAM,iBAAiB,CAAC;AAK1D,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,YAAY,EAAuB,MAAM,UAAU,CAAC;AAa7F,qBAAa,iBAAkB,SAAQ,KAAK;;CAI3C;AAMD,qBAAa,oBAAoB;IACnB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;IAElD,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,GAAG,UAAU;IAkBvE,wBAAwB,CAAC,kBAAkB,EAAE,kBAAkB,GAAG,MAAM,EAAE;IASjF,OAAO,CAAC,sBAAsB;IAW9B,OAAO,CAAC,2BAA2B;IAgBnC,OAAO,CAAC,WAAW;IASnB,OAAO,CAAC,YAAY;IAWpB,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,qBAAqB;IAW7B,OAAO,CAAC,UAAU;IAKlB,OAAO,CAAC,oBAAoB;IAM5B,OAAO,CAAC,mBAAmB;IAW3B,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,oBAAoB;CAa7B"}
1
+ {"version":3,"file":"csp-processing-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-processing-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,WAAW,EAAS,MAAM,iBAAiB,CAAC;AAK1D,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,YAAY,EAAuB,MAAM,UAAU,CAAC;AAE7F,qBAAa,iBAAkB,SAAQ,KAAK;;CAI3C;AAMD,qBAAa,oBAAoB;IAanB,OAAO,CAAC,QAAQ,CAAC,MAAM;IAXnC,OAAO,CAAC,mBAAmB,CAAuB;IAElD,OAAO,CAAC,2BAA2B,CAAqD;IACxF,OAAO,CAAC,6BAA6B,CAAa;IAClD,OAAO,CAAC,oBAAoB,CAAgF;IAE5G,OAAO,CAAC,qBAAqB,CAI3B;gBAC2B,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;IAElD,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,GAAG,UAAU;IAkBvE,wBAAwB,CAAC,kBAAkB,EAAE,kBAAkB,GAAG,MAAM,EAAE;IASjF,OAAO,CAAC,sBAAsB;IAW9B,OAAO,CAAC,2BAA2B;IAgBnC,OAAO,CAAC,WAAW;IASnB,OAAO,CAAC,YAAY;IASpB,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,qBAAqB;IAS7B,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,oBAAoB;IAM5B,OAAO,CAAC,mBAAmB;IAW3B,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,oBAAoB;CAa7B"}
package/out/csp/csp-processing-service.js CHANGED
@@ -5,13 +5,6 @@ const tslib_1 = require("tslib");
5
5
  const cheerio_1 = tslib_1.__importDefault(require("cheerio"));
6
6
  const content_security_policy_parser_1 = tslib_1.__importDefault(require("content-security-policy-parser"));
7
7
  const crypto_1 = tslib_1.__importDefault(require("crypto"));
8
- const STYLE_SRC_ALLOWLIST = [`'unsafe-inline'`];
9
- const SCRIPT_SRC_ALLOWLIST = [`'unsafe-inline'`, `'unsafe-eval'`, `'unsafe-hashes'`];
10
- const BASE_64_HASH_PATTERNS = [
11
- /^'sha256-[a-zA-Z0-9=+/]{44}'$/,
12
- /^'sha384-[a-zA-Z0-9=+/]{64}'$/,
13
- /^'sha512-[a-zA-Z0-9=+/]{88}'$/
14
- ];
15
8
  class InvalidConnectSrc extends Error {
16
9
  constructor() {
17
10
  super('fetch.client should be an array of strings');
@@ -21,6 +14,15 @@ exports.InvalidConnectSrc = InvalidConnectSrc;
21
14
  class CSPProcessingService {
22
15
  constructor(logger) {
23
16
  this.logger = logger;
17
+ this.STYLE_SRC_ALLOWLIST = [`'unsafe-inline'`];
18
+ this.QUOTED_SCRIPT_SRC_ALLOWLIST = ['unsafe-inline', 'unsafe-eval', 'unsafe-hashes'];
19
+ this.UNQUOTED_SCRIPT_SRC_ALLOWLIST = ['blob:'];
20
+ this.SCRIPT_SRC_ALLOWLIST = [...this.QUOTED_SCRIPT_SRC_ALLOWLIST, ...this.UNQUOTED_SCRIPT_SRC_ALLOWLIST];
21
+ this.BASE_64_HASH_PATTERNS = [
22
+ /^sha256-[a-zA-Z0-9=+/]{44}$/,
23
+ /^sha384-[a-zA-Z0-9=+/]{64}$/,
24
+ /^sha512-[a-zA-Z0-9=+/]{88}$/
25
+ ];
24
26
  }
25
27
  getCspDetails(body, permissions) {
26
28
  var _a, _b;
@@ -34,7 +36,7 @@ class CSPProcessingService {
34
36
  var _a, _b;
35
37
  const { styles, scripts } = contentPermissions;
36
38
  const invalidStyles = (_a = styles === null || styles === void 0 ? void 0 : styles.filter((styleSrc) => !this.isValidUserStyleSrc(`'${styleSrc}'`))) !== null && _a !== void 0 ? _a : [];
37
- const invalidScripts = (_b = scripts === null || scripts === void 0 ? void 0 : scripts.filter((scriptSrc) => !this.isValidUserScriptSrc(`'${scriptSrc}'`))) !== null && _b !== void 0 ? _b : [];
39
+ const invalidScripts = (_b = scripts === null || scripts === void 0 ? void 0 : scripts.filter((scriptSrc) => !this.isValidUserScriptSrc(scriptSrc))) !== null && _b !== void 0 ? _b : [];
38
40
  return [...invalidStyles, ...invalidScripts];
39
41
  }
40
42
  assertValidFetchClient(fetch) {
@@ -63,17 +65,16 @@ class CSPProcessingService {
63
65
  getStyleSrc($, userStyleSrc) {
64
66
  var _a, _b;
65
67
  const quotedUserStyleSrc = (_a = userStyleSrc === null || userStyleSrc === void 0 ? void 0 : userStyleSrc.map((x) => `'${x}'`)) !== null && _a !== void 0 ? _a : [];
66
- const deprecatedUserScriptSrc = (_b = this.getDeprecatedUserCsp($)['style-src']) !== null && _b !== void 0 ? _b : [];
67
- const uniqueStyleSrc = [...new Set([...deprecatedUserScriptSrc, ...quotedUserStyleSrc])];
68
+ const deprecatedUserStyleSrc = (_b = this.getDeprecatedUserCsp($)['style-src']) !== null && _b !== void 0 ? _b : [];
69
+ const uniqueStyleSrc = [...new Set([...deprecatedUserStyleSrc, ...quotedUserStyleSrc])];
68
70
  return uniqueStyleSrc.filter((x) => this.isValidUserStyleSrc(x));
69
71
  }
70
72
  getScriptSrc($, userScriptSrc) {
71
73
  var _a;
72
74
  const generatedScriptHashes = this.getInlineScriptHashes($);
73
- const quotedUserScriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.map((x) => `'${x}'`)) !== null && _a !== void 0 ? _a : [];
74
- const validUserScriptSrc = quotedUserScriptSrc.filter((x) => this.isValidUserScriptSrc(x));
75
+ const validUserScriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.filter((x) => this.isValidUserScriptSrc(x))) !== null && _a !== void 0 ? _a : [];
75
76
  const { scriptSrc, userScriptHashes } = this.extractUniqueHashes(validUserScriptSrc, generatedScriptHashes);
76
- return [...scriptSrc, ...generatedScriptHashes, ...userScriptHashes];
77
+ return [...scriptSrc, ...generatedScriptHashes, ...userScriptHashes].map((x) => this.formatScriptSrc(x));
77
78
  }
78
79
  extractUniqueHashes(userScriptSrc, existingScriptHashes) {
79
80
  var _a;
@@ -88,35 +89,40 @@ class CSPProcessingService {
88
89
  return { scriptSrc, userScriptHashes };
89
90
  }
90
91
  getInlineScriptHashes($) {
91
- const scriptHashes = $('script:not([src])')
92
+ return $('script:not([src])')
92
93
  .map((_index, script) => {
93
94
  const html = $(script).html();
94
- return html && `'sha256-${this.hashScript(html)}'`;
95
+ return html && `sha256-${this.hashScript(html)}`;
95
96
  })
96
97
  .get();
97
- return scriptHashes;
98
98
  }
99
99
  hashScript(content) {
100
100
  const sha256 = crypto_1.default.createHash('sha256');
101
101
  return sha256.update(content).digest('base64');
102
102
  }
103
+ formatScriptSrc(scriptSrc) {
104
+ if (this.UNQUOTED_SCRIPT_SRC_ALLOWLIST.includes(scriptSrc)) {
105
+ return scriptSrc;
106
+ }
107
+ return `'${scriptSrc}'`;
108
+ }
103
109
  isValidUserScriptSrc(scriptSrc) {
104
110
  if (!this.isSafeCsp(scriptSrc))
105
111
  return false;
106
- return this.isValidHash(scriptSrc) || SCRIPT_SRC_ALLOWLIST.includes(scriptSrc);
112
+ return this.isValidHash(scriptSrc) || this.SCRIPT_SRC_ALLOWLIST.includes(scriptSrc);
107
113
  }
108
114
  isValidUserStyleSrc(styleSrc) {
109
115
  if (!this.isSafeCsp(styleSrc)) {
110
116
  this.logger.info('discarding potentially-malicious CSP');
111
117
  return false;
112
118
  }
113
- return STYLE_SRC_ALLOWLIST.includes(styleSrc);
119
+ return this.STYLE_SRC_ALLOWLIST.includes(styleSrc);
114
120
  }
115
121
  isSafeCsp(cspString) {
116
- return /^[a-zA-Z0-9='"+\/ -]*$/.test(cspString);
122
+ return /^([a-zA-Z0-9='"+\/ -]|blob:)*$/.test(cspString);
117
123
  }
118
124
  isValidHash(cspString) {
119
- return BASE_64_HASH_PATTERNS.some((pattern) => pattern.test(cspString));
125
+ return this.BASE_64_HASH_PATTERNS.some((pattern) => pattern.test(cspString));
120
126
  }
121
127
  getDeprecatedUserCsp($) {
122
128
  const cspContent = $('meta[http-equiv="Content-Security-Policy"]').attr('content');
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@forge/csp",
3
- "version": "1.9.0",
3
+ "version": "1.10.0",
4
4
  "description": "Contains the CSP configuration for Custom UI resources in Forge",
5
5
  "main": "out/index.js",
6
6
  "author": "Atlassian",
@@ -11,8 +11,8 @@
11
11
  "clean": "rm -rf ./out && rm -f tsconfig.tsbuildinfo"
12
12
  },
13
13
  "devDependencies": {
14
- "@forge/cli-shared": "^2.2.0",
15
- "@forge/manifest": "^3.0.0",
14
+ "@forge/cli-shared": "^2.3.0",
15
+ "@forge/manifest": "^3.3.0",
16
16
  "@types/jest": "^26.0.0"
17
17
  },
18
18
  "dependencies": {