@forge/csp 4.2.0 → 4.2.1-experimental-b695d2e

package/CHANGELOG.md

@@ -1,5 +1,29 @@
 # @forge/csp
 
+## 4.2.1-experimental-b695d2e
+
+### Major Changes
+
+- bc8e0c5: Setup cheerio as optional peer dependency to allow frontend consumption
+
+## 4.2.1
+
+### Patch Changes
+
+- aebd633: Patch @forge/csp IC frame ancestors csp bug
+- abf0bb1: Add support for custom getICDomain option in CSPInjectionService
+- e33aba7: Bumped a large number of vulnerable dependencies within forge templates via automatic upgrade
+- 8191ad1: Use cheerio/slim to reduce client bundle size and improve performance
+
+## 4.2.1-next.0
+
+### Patch Changes
+
+- aebd633: Patch @forge/csp IC frame ancestors csp bug
+- abf0bb1: Add support for custom getICDomain option in CSPInjectionService
+- e33aba7: Bumped a large number of vulnerable dependencies within forge templates via automatic upgrade
+- 8191ad1: Use cheerio/slim to reduce client bundle size and improve performance
+
 ## 4.2.0
 
 ### Minor Changes

package/out/csp/csp-injection-service.d.ts

@@ -1,13 +1,17 @@
 import type { LambdaEnvironment } from '@forge/cli-shared';
 import { CSPDetails } from '../types';
-declare type IcOptions = {
+declare type StandardIcOptions = {
     icLabel: string;
     serviceName: string;
 };
+declare type GetICDomainIcOptions = {
+    serviceName?: string;
+    getICDomain: () => string;
+};
+declare type IcOptions = StandardIcOptions | GetICDomainIcOptions;
 export declare const getAtlassianImageHost: (microsEnv: LambdaEnvironment, icOptions?: IcOptions) => string[];
 export declare const EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS: string[];
 export declare class CSPInjectionService {
-    private isIsolatedContext;
     private getCSPReportUri;
     private getForgeGlobalCSP;
     private getMetalClientCSP;

package/out/csp/csp-injection-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"csp-injection-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-injection-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,UAAU,EAAmB,MAAM,UAAU,CAAC;AAEvD,aAAK,SAAS,GAAG;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AA6FF,eAAO,MAAM,qBAAqB,cAAe,iBAAiB,cAAc,SAAS,KAAG,MAAM,EAUjG,CAAC;AAMF,eAAO,MAAM,kCAAkC,UAAiE,CAAC;AAEjH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,iBAAiB;IAIzB,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;IAWzB,OAAO,CAAC,iBAAiB;IAWzB,OAAO,CAAC,qBAAqB;IAI7B,OAAO,CAAC,aAAa;IAqBrB,OAAO,CAAC,iBAAiB;IAiDlB,gBAAgB;4BAQD,UAAU;mBACnB,iBAAiB;;;;;UAK1B,MAAM,EAAE,CA8DV;CACH"}
+{"version":3,"file":"csp-injection-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-injection-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,UAAU,EAAmB,MAAM,UAAU,CAAC;AAEvD,aAAK,iBAAiB,GAAG;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAIF,aAAK,oBAAoB,GAAG;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,MAAM,CAAC;CAC3B,CAAC;AAEF,aAAK,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC;AAyG1D,eAAO,MAAM,qBAAqB,cAAe,iBAAiB,cAAc,SAAS,KAAG,MAAM,EAUjG,CAAC;AAMF,eAAO,MAAM,kCAAkC,UAAiE,CAAC;AAEjH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,eAAe;IAQvB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,qBAAqB;IAI7B,OAAO,CAAC,aAAa;IAqBrB,OAAO,CAAC,iBAAiB;IAiDlB,gBAAgB;4BAQD,UAAU;mBACnB,iBAAiB;;;;;UAK1B,MAAM,EAAE,CA8DV;CACH"}

package/out/csp/csp-injection-service.js

@@ -2,6 +2,20 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CSPInjectionService = exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS = exports.getAtlassianImageHost = void 0;
 const types_1 = require("../types");
+const isICEnvKey = (env) => env === 'ic-prod' || env === 'ic-stg';
+const makeICDomain = (env, icLabel) => `${icLabel}.${env === 'ic-prod' ? 'atlassian-isolated.net' : 'oasis-stg.com'}`;
+const getICDomain = (env, icOptions) => {
+    if ('getICDomain' in icOptions) {
+        return icOptions.getICDomain();
+    }
+    return makeICDomain(env, icOptions.icLabel);
+};
+const makeICHosts = (targetHostFunction) => {
+    return {
+        'ic-stg': (icOptions) => targetHostFunction('ic-stg', icOptions),
+        'ic-prod': (icOptions) => targetHostFunction('ic-prod', icOptions)
+    };
+};
 const ATLASSIAN_HOST = {
     ATLASSIAN_API_GATEWAY_HOST: {
         dev: 'https://api.dev.atlassian.com',
@@ -9,8 +23,7 @@ const ATLASSIAN_HOST = {
         prod: 'https://api.atlassian.com',
         'fedramp-stg': 'https://api.stg.atlassian-us-gov-mod.com',
         'fedramp-prod': 'https://api.atlassian-us-gov-mod.com',
-        'ic-stg': (_icOptions) => 'https://api.pear.oasis-stg.com',
-        'ic-prod': ({ icLabel }) => `https://api.${icLabel}.atlassian-isolated.net`
+        ...makeICHosts((env, icOptions) => `https://api.${getICDomain(env, icOptions)}`)
     },
     ATLASSIAN_MEDIA_GATEWAY_HOST: {
         dev: 'https://media.dev.atl-paas.net',
@@ -18,8 +31,7 @@ const ATLASSIAN_HOST = {
         prod: 'https://api.media.atlassian.com',
         'fedramp-stg': 'https://api-media.stg.atlassian-us-gov-mod.com',
         'fedramp-prod': 'https://api-media.atlassian-us-gov-mod.com',
-        'ic-stg': (_icOptions) => 'https://media-api.pear.oasis-stg.com',
-        'ic-prod': ({ icLabel }) => `https://media-api.${icLabel}.atlassian-isolated.net`
+        ...makeICHosts((env, icOptions) => `https://media-api.${getICDomain(env, icOptions)}`)
     },
     ATLASSIAN_AVATAR_HOST: {
         dev: 'avatar-management--avatars.us-west-2.staging.public.atl-paas.net',
@@ -28,7 +40,7 @@ const ATLASSIAN_HOST = {
         'fedramp-stg': 'avatar-management--avatars.us-east-1.staging.cdn.atlassian-us-gov-mod.com',
         'fedramp-prod': 'avatar-management--avatars.us-east-1.prod.cdn.atlassian-us-gov-mod.com',
         'ic-stg': (_icOptions) => 'avatar-management--avatars.us-west-2.staging.public.atl-paas.net',
-        'ic-prod': ({ icLabel }) => 'avatar-management--avatars.us-west-2.prod.public.atl-paas.net'
+        'ic-prod': (_icOptions) => 'avatar-management--avatars.us-west-2.prod.public.atl-paas.net'
     },
     ATLASSIAN_TEAM_HEADER_HOST: {
         dev: 'https://ptc-directory-sited-static.us-east-1.staging.public.atl-paas.net/gradients/',
@@ -36,8 +48,7 @@ const ATLASSIAN_HOST = {
         prod: 'https://ptc-directory-sited-static.us-east-1.prod.public.atl-paas.net/gradients/',
         'fedramp-stg': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
         'fedramp-prod': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
-        'ic-stg': (_icOptions) => 'https://teams-directory-frontend.services.pear.oasis-stg.com/bfa/',
-        'ic-prod': ({ icLabel }) => `https://teams-directory-frontend.services.${icLabel}.atlassian-isolated.net/bfa/`
+        ...makeICHosts((env, icOptions) => `https://teams-directory-frontend.services.${getICDomain(env, icOptions)}/bfa/`)
     },
     ATLASSIAN_TEAM_AVATAR_HOST: {
         dev: 'https://teams-directory-frontend.stg-east.frontend.public.atl-paas.net/assets/',
@@ -45,8 +56,7 @@ const ATLASSIAN_HOST = {
         prod: 'https://teams-directory-frontend.prod-east.frontend.public.atl-paas.net/assets/',
         'fedramp-stg': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
         'fedramp-prod': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
-        'ic-stg': (_icOptions) => 'https://teams-directory-frontend.services.pear.oasis-stg.com/bfa/',
-        'ic-prod': ({ icLabel }) => `https://teams-directory-frontend.services.${icLabel}.atlassian-isolated.net/bfa/`
+        ...makeICHosts((env, icOptions) => `https://teams-directory-frontend.services.${getICDomain(env, icOptions)}/bfa/`)
     },
     ATLASSIAN_EMOJIS_HOST: {
         dev: 'https://pf-emoji-service--cdn.ap-southeast-2.dev.public.atl-paas.net',
@@ -54,13 +64,12 @@ const ATLASSIAN_HOST = {
         prod: 'https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net',
         'fedramp-stg': 'https://pf-emoji-service--cdn.us-east-1.staging.cdn.atlassian-us-gov-mod.com',
         'fedramp-prod': 'https://pf-emoji-service--cdn.us-east-1.prod.cdn.atlassian-us-gov-mod.com',
-        'ic-stg': (_icOptions) => 'https://pf-emoji-service.pear.oasis-stg.com',
-        'ic-prod': ({ icLabel }) => `https://pf-emoji-service.${icLabel}.atlassian-isolated.net`
+        ...makeICHosts((env, icOptions) => `https://pf-emoji-service.${getICDomain(env, icOptions)}`)
     }
 };
 const getAtlassianHost = (hostType, microsEnv, icOptions) => {
     const hostMap = ATLASSIAN_HOST[hostType];
-    if (microsEnv === 'ic-prod' || microsEnv === 'ic-stg') {
+    if (isICEnvKey(microsEnv)) {
         if (!icOptions) {
             throw new Error('Missing IC label');
         }
@@ -82,35 +91,90 @@ const getAtlassianImageHost = (microsEnv, icOptions) => {
 exports.getAtlassianImageHost = getAtlassianImageHost;
 exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS = ['https://secure.gravatar.com', 'https://images.unsplash.com'];
 class CSPInjectionService {
-    isIsolatedContext(microsEnv, icOptions) {
-        return microsEnv.startsWith('ic') && !!icOptions;
+    constructor() {
+        this.getInjectableCSP = ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP, icOptions }) => {
+            const reportUri = tunnelCSPReporterUri || this.getCSPReportUri(microsEnv, icOptions);
+            const defaultSrc = `'self'`;
+            const frameAncestors = ["'self'", ...this.getFrameAncestors(microsEnv, hostname, icOptions)].join(' ');
+            const frameSrc = ["'self'", hostname, ...this.getExistingCSPDetails(types_1.ExternalCspType.FRAME_SRC, existingCSPDetails)]
+                .filter((a) => a)
+                .join(' ');
+            const fontSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.FONT_SRC, existingCSPDetails)].join(' ');
+            const imgSrc = [
+                "'self'",
+                'data:',
+                'blob:',
+                hostname,
+                ...exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS,
+                ...(0, exports.getAtlassianImageHost)(microsEnv, icOptions),
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.IMG_SRC, existingCSPDetails)
+            ]
+                .filter((a) => a)
+                .join(' ');
+            const mediaSrc = [
+                "'self'",
+                'data:',
+                'blob:',
+                hostname,
+                getAtlassianHost('ATLASSIAN_MEDIA_GATEWAY_HOST', microsEnv, icOptions),
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.MEDIA_SRC, existingCSPDetails)
+            ]
+                .filter((a) => a)
+                .join(' ');
+            const connectSrc = [
+                "'self'",
+                ...this.getConnectSrc(microsEnv, !!tunnelCSPReporterUri, icOptions),
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.CONNECT_SRC, existingCSPDetails)
+            ].join(' ');
+            const scriptSrc = [
+                "'self'",
+                this.getForgeGlobalCSP(microsEnv, isFedRAMP, icOptions),
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.SCRIPT_SRC, existingCSPDetails)
+            ].join(' ');
+            const styleSrc = [
+                "'self'",
+                this.getForgeGlobalCSP(microsEnv, isFedRAMP, icOptions),
+                ...this.getExistingCSPDetails(types_1.ExternalCspType.STYLE_SRC, existingCSPDetails)
+            ].join(' ');
+            return [
+                `default-src ${defaultSrc}`,
+                `frame-ancestors ${frameAncestors}`,
+                `frame-src ${frameSrc}`,
+                `font-src ${fontSrc}`,
+                `img-src ${imgSrc}`,
+                `media-src ${mediaSrc}`,
+                `connect-src ${connectSrc}`,
+                `script-src ${scriptSrc}`,
+                `style-src ${styleSrc}`,
+                `form-action 'self'`,
+                `sandbox allow-downloads allow-forms allow-modals allow-pointer-lock allow-same-origin allow-scripts`,
+                `report-uri ${reportUri}`
+            ];
+        };
     }
     getCSPReportUri(microsEnv, icOptions) {
-        const serviceName = this.isIsolatedContext(microsEnv, icOptions) ? icOptions.serviceName : 'forge-cdn';
+        const serviceName = isICEnvKey(microsEnv) && icOptions ? icOptions.serviceName : 'forge-cdn';
         if (microsEnv === 'dev' || microsEnv === 'stg')
             return `https://web-security-reports.stg.services.atlassian.com/csp-report/${serviceName}`;
         return `https://web-security-reports.services.atlassian.com/csp-report/${serviceName}`;
     }
     getForgeGlobalCSP(microsEnv, isFedRAMP = false, icOptions) {
-        if (this.isIsolatedContext(microsEnv, icOptions)) {
-            return microsEnv === 'ic-stg'
-                ? 'https://forge.forge-cdn.pear.oasis-stg.com'
-                : `https://forge.forge-cdn.${icOptions.icLabel}.atlassian-isolated.net`;
+        if (isICEnvKey(microsEnv) && icOptions) {
+            return `https://forge.forge-cdn.${getICDomain(microsEnv, icOptions)}`;
         }
         return isFedRAMP
             ? `https://forge.cdn.${microsEnv.split('-')[1]}.atlassian-dev-us-gov-mod.net`
             : `https://forge.cdn.${microsEnv}.atlassian-dev.net`;
     }
     getMetalClientCSP(microsEnv, icOptions) {
-        if (this.isIsolatedContext(microsEnv, icOptions)) {
-            return microsEnv === 'ic-stg'
-                ? 'https://api.pear.oasis-stg/metal/ingest'
-                : `https://api.${icOptions.icLabel}.atlassian-isolated.net/metal/ingest`;
+        if (isICEnvKey(microsEnv) && icOptions) {
+            return `https://api.${getICDomain(microsEnv, icOptions)}/metal/ingest`;
         }
         return `https://api.${microsEnv === 'prod' ? '' : 'stg.'}atlassian.com/metal/ingest`;
     }
     getExistingCSPDetails(cspType, cspDetails) {
-        return cspDetails[cspType] ?? [];
+        var _a;
+        return (_a = cspDetails[cspType]) !== null && _a !== void 0 ? _a : [];
     }
     getConnectSrc(microsEnv, isTunnelling, icOptions) {
         const allowed = [];
@@ -123,7 +187,7 @@ class CSPInjectionService {
         allowed.push(getAtlassianHost('ATLASSIAN_MEDIA_GATEWAY_HOST', microsEnv, icOptions));
         return allowed;
     }
-    getFrameAncestors(microsEnv, hostname) {
+    getFrameAncestors(microsEnv, hostname, icOptions) {
         let frameAncestors = [];
         switch (microsEnv) {
             case 'dev':
@@ -144,10 +208,10 @@ class CSPInjectionService {
                 frameAncestors = ['*.atlassian-us-gov-mod.net'];
                 break;
             case 'ic-stg':
-                frameAncestors = ['*.oasis-stg.com'];
-                break;
             case 'ic-prod':
-                frameAncestors = ['*.atlassian-isolated.net'];
+                if (icOptions) {
+                    frameAncestors = [`*.${getICDomain(microsEnv, icOptions)}`];
+                }
                 break;
             case 'prod':
             default:
@@ -165,64 +229,5 @@ class CSPInjectionService {
         }
         return frameAncestors;
     }
-    getInjectableCSP = ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP, icOptions }) => {
-        const reportUri = tunnelCSPReporterUri || this.getCSPReportUri(microsEnv, icOptions);
-        const defaultSrc = `'self'`;
-        const frameAncestors = ["'self'", ...this.getFrameAncestors(microsEnv, hostname)].join(' ');
-        const frameSrc = ["'self'", hostname, ...this.getExistingCSPDetails(types_1.ExternalCspType.FRAME_SRC, existingCSPDetails)]
-            .filter((a) => a)
-            .join(' ');
-        const fontSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.FONT_SRC, existingCSPDetails)].join(' ');
-        const imgSrc = [
-            "'self'",
-            'data:',
-            'blob:',
-            hostname,
-            ...exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS,
-            ...(0, exports.getAtlassianImageHost)(microsEnv, icOptions),
-            ...this.getExistingCSPDetails(types_1.ExternalCspType.IMG_SRC, existingCSPDetails)
-        ]
-            .filter((a) => a)
-            .join(' ');
-        const mediaSrc = [
-            "'self'",
-            'data:',
-            'blob:',
-            hostname,
-            getAtlassianHost('ATLASSIAN_MEDIA_GATEWAY_HOST', microsEnv, icOptions),
-            ...this.getExistingCSPDetails(types_1.ExternalCspType.MEDIA_SRC, existingCSPDetails)
-        ]
-            .filter((a) => a)
-            .join(' ');
-        const connectSrc = [
-            "'self'",
-            ...this.getConnectSrc(microsEnv, !!tunnelCSPReporterUri, icOptions),
-            ...this.getExistingCSPDetails(types_1.ExternalCspType.CONNECT_SRC, existingCSPDetails)
-        ].join(' ');
-        const scriptSrc = [
-            "'self'",
-            this.getForgeGlobalCSP(microsEnv, isFedRAMP, icOptions),
-            ...this.getExistingCSPDetails(types_1.ExternalCspType.SCRIPT_SRC, existingCSPDetails)
-        ].join(' ');
-        const styleSrc = [
-            "'self'",
-            this.getForgeGlobalCSP(microsEnv, isFedRAMP, icOptions),
-            ...this.getExistingCSPDetails(types_1.ExternalCspType.STYLE_SRC, existingCSPDetails)
-        ].join(' ');
-        return [
-            `default-src ${defaultSrc}`,
-            `frame-ancestors ${frameAncestors}`,
-            `frame-src ${frameSrc}`,
-            `font-src ${fontSrc}`,
-            `img-src ${imgSrc}`,
-            `media-src ${mediaSrc}`,
-            `connect-src ${connectSrc}`,
-            `script-src ${scriptSrc}`,
-            `style-src ${styleSrc}`,
-            `form-action 'self'`,
-            `sandbox allow-downloads allow-forms allow-modals allow-pointer-lock allow-same-origin allow-scripts`,
-            `report-uri ${reportUri}`
-        ];
-    };
 }
 exports.CSPInjectionService = CSPInjectionService;

package/out/csp/csp-processing-service.d.ts

@@ -1,17 +1,20 @@
 import type { Logger } from '@forge/cli-shared';
 import type { Permissions } from '@forge/manifest';
+import type { CheerioAPI, CheerioOptions } from 'cheerio/slim';
 import { ContentPermissions, CSPDetails, DocumentBody } from '../types';
+declare type CheerioLoader = (document: DocumentBody, options?: CheerioOptions) => CheerioAPI;
 export declare class InvalidConnectSrc extends Error {
     constructor();
 }
 export declare class CSPProcessingService {
     private readonly logger;
+    private readonly cheerioLoader;
     private STYLE_SRC_ALLOWLIST;
     private QUOTED_SCRIPT_SRC_ALLOWLIST;
     private UNQUOTED_SCRIPT_SRC_ALLOWLIST;
     private SCRIPT_SRC_ALLOWLIST;
     private BASE_64_HASH_PATTERNS;
-    constructor(logger: Pick<Logger, 'info'>);
+    constructor(logger: Pick<Logger, 'info'>, cheerioLoader: CheerioLoader);
     getCspDetails(body: DocumentBody, permissions: Permissions): CSPDetails;
     getInvalidCspPermissions(contentPermissions: ContentPermissions): string[];
     private assertValidFetchClient;
@@ -29,4 +32,5 @@ export declare class CSPProcessingService {
     private isValidHash;
     private getDeprecatedUserCsp;
 }
+export {};
 //# sourceMappingURL=csp-processing-service.d.ts.map

package/out/csp/csp-processing-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"csp-processing-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-processing-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,WAAW,EAAS,MAAM,iBAAiB,CAAC;AAK1D,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,YAAY,EAAuB,MAAM,UAAU,CAAC;AAE7F,qBAAa,iBAAkB,SAAQ,KAAK;;CAI3C;AAMD,qBAAa,oBAAoB;IAanB,OAAO,CAAC,QAAQ,CAAC,MAAM;IAXnC,OAAO,CAAC,mBAAmB,CAAuB;IAElD,OAAO,CAAC,2BAA2B,CAAqD;IACxF,OAAO,CAAC,6BAA6B,CAAa;IAClD,OAAO,CAAC,oBAAoB,CAAgF;IAE5G,OAAO,CAAC,qBAAqB,CAI3B;gBAC2B,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;IAElD,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,GAAG,UAAU;IAoBvE,wBAAwB,CAAC,kBAAkB,EAAE,kBAAkB,GAAG,MAAM,EAAE;IASjF,OAAO,CAAC,sBAAsB;IAW9B,OAAO,CAAC,mBAAmB;IAI3B,OAAO,CAAC,2BAA2B;IAgBnC,OAAO,CAAC,WAAW;IASnB,OAAO,CAAC,YAAY;IAQpB,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,qBAAqB;IAS7B,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,oBAAoB;IAM5B,OAAO,CAAC,mBAAmB;IAW3B,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,oBAAoB;CAa7B"}
+{"version":3,"file":"csp-processing-service.d.ts","sourceRoot":"","sources":["../../src/csp/csp-processing-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,WAAW,EAAS,MAAM,iBAAiB,CAAC;AAC1D,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAI/D,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,YAAY,EAAuB,MAAM,UAAU,CAAC;AAE7F,aAAK,aAAa,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,CAAC,EAAE,cAAc,KAAK,UAAU,CAAC;AAEtF,qBAAa,iBAAkB,SAAQ,KAAK;;CAI3C;AAMD,qBAAa,oBAAoB;IAc7B,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAbhC,OAAO,CAAC,mBAAmB,CAAuB;IAElD,OAAO,CAAC,2BAA2B,CAAqD;IACxF,OAAO,CAAC,6BAA6B,CAAa;IAClD,OAAO,CAAC,oBAAoB,CAAgF;IAE5G,OAAO,CAAC,qBAAqB,CAI3B;gBAEiB,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,aAAa,EAAE,aAAa;IAGxC,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,WAAW,GAAG,UAAU;IAoBvE,wBAAwB,CAAC,kBAAkB,EAAE,kBAAkB,GAAG,MAAM,EAAE;IASjF,OAAO,CAAC,sBAAsB;IAW9B,OAAO,CAAC,mBAAmB;IAI3B,OAAO,CAAC,2BAA2B;IAgBnC,OAAO,CAAC,WAAW;IASnB,OAAO,CAAC,YAAY;IAQpB,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,qBAAqB;IAS7B,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,oBAAoB;IAM5B,OAAO,CAAC,mBAAmB;IAW3B,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,oBAAoB;CAa7B"}

package/out/csp/csp-processing-service.js

@@ -2,7 +2,6 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CSPProcessingService = exports.InvalidConnectSrc = void 0;
 const tslib_1 = require("tslib");
-const cheerio_1 = require("cheerio");
 const content_security_policy_parser_1 = tslib_1.__importDefault(require("content-security-policy-parser"));
 const crypto_1 = tslib_1.__importDefault(require("crypto"));
 class InvalidConnectSrc extends Error {
@@ -12,23 +11,24 @@ class InvalidConnectSrc extends Error {
 }
 exports.InvalidConnectSrc = InvalidConnectSrc;
 class CSPProcessingService {
-    logger;
-    STYLE_SRC_ALLOWLIST = [`'unsafe-inline'`];
-    QUOTED_SCRIPT_SRC_ALLOWLIST = ['unsafe-inline', 'unsafe-eval', 'unsafe-hashes'];
-    UNQUOTED_SCRIPT_SRC_ALLOWLIST = ['blob:'];
-    SCRIPT_SRC_ALLOWLIST = [...this.QUOTED_SCRIPT_SRC_ALLOWLIST, ...this.UNQUOTED_SCRIPT_SRC_ALLOWLIST];
-    BASE_64_HASH_PATTERNS = [
-        /^sha256-[a-zA-Z0-9=+/]{44}$/,
-        /^sha384-[a-zA-Z0-9=+/]{64}$/,
-        /^sha512-[a-zA-Z0-9=+/]{88}$/
-    ];
-    constructor(logger) {
+    constructor(logger, cheerioLoader) {
         this.logger = logger;
+        this.cheerioLoader = cheerioLoader;
+        this.STYLE_SRC_ALLOWLIST = [`'unsafe-inline'`];
+        this.QUOTED_SCRIPT_SRC_ALLOWLIST = ['unsafe-inline', 'unsafe-eval', 'unsafe-hashes'];
+        this.UNQUOTED_SCRIPT_SRC_ALLOWLIST = ['blob:'];
+        this.SCRIPT_SRC_ALLOWLIST = [...this.QUOTED_SCRIPT_SRC_ALLOWLIST, ...this.UNQUOTED_SCRIPT_SRC_ALLOWLIST];
+        this.BASE_64_HASH_PATTERNS = [
+            /^sha256-[a-zA-Z0-9=+/]{44}$/,
+            /^sha384-[a-zA-Z0-9=+/]{64}$/,
+            /^sha512-[a-zA-Z0-9=+/]{88}$/
+        ];
     }
     getCspDetails(body, permissions) {
-        const { scripts, styles } = permissions?.content ?? { scripts: [], styles: [] };
-        const external = permissions?.external ?? {};
-        const $ = (0, cheerio_1.load)(body, { xml: { xmlMode: false } });
+        var _a, _b;
+        const { scripts, styles } = (_a = permissions === null || permissions === void 0 ? void 0 : permissions.content) !== null && _a !== void 0 ? _a : { scripts: [], styles: [] };
+        const external = (_b = permissions === null || permissions === void 0 ? void 0 : permissions.external) !== null && _b !== void 0 ? _b : {};
+        const $ = this.cheerioLoader(body, { xml: { xmlMode: false } });
         const { 'script-src': scriptSrc, 'style-src': styleSrc, ...mappedExternalCsp } = this.mapExternalPermissionsToCsp(external);
         return {
             'style-src': [...this.getStyleSrc($, styles), ...styleSrc],
@@ -37,14 +37,15 @@ class CSPProcessingService {
         };
     }
     getInvalidCspPermissions(contentPermissions) {
+        var _a, _b;
         const { styles, scripts } = contentPermissions;
-        const invalidStyles = styles?.filter((styleSrc) => !this.isValidUserStyleSrc(`'${styleSrc}'`)) ?? [];
-        const invalidScripts = scripts?.filter((scriptSrc) => !this.isValidUserScriptSrc(scriptSrc)) ?? [];
+        const invalidStyles = (_a = styles === null || styles === void 0 ? void 0 : styles.filter((styleSrc) => !this.isValidUserStyleSrc(`'${styleSrc}'`))) !== null && _a !== void 0 ? _a : [];
+        const invalidScripts = (_b = scripts === null || scripts === void 0 ? void 0 : scripts.filter((scriptSrc) => !this.isValidUserScriptSrc(scriptSrc))) !== null && _b !== void 0 ? _b : [];
         return [...invalidStyles, ...invalidScripts];
     }
     assertValidFetchClient(fetch) {
-        if (fetch?.client) {
-            for (const client of fetch?.client) {
+        if (fetch === null || fetch === void 0 ? void 0 : fetch.client) {
+            for (const client of fetch === null || fetch === void 0 ? void 0 : fetch.client) {
                 if (typeof client !== 'string') {
                     throw new InvalidConnectSrc();
                 }
@@ -52,42 +53,46 @@ class CSPProcessingService {
         }
     }
     egressesToStringMap(externalPermissions) {
-        return externalPermissions?.map((egress) => (typeof egress === 'object' ? egress.address : egress));
+        return externalPermissions === null || externalPermissions === void 0 ? void 0 : externalPermissions.map((egress) => (typeof egress === 'object' ? egress.address : egress));
     }
     mapExternalPermissionsToCsp(externalPermissions) {
+        var _a, _b, _c, _d, _e, _f, _g;
         const { images, media, scripts, fetch, styles, fonts, frames } = externalPermissions;
         this.assertValidFetchClient(fetch);
         return {
-            'img-src': this.egressesToStringMap(images) ?? [],
-            'media-src': this.egressesToStringMap(media) ?? [],
-            'script-src': this.egressesToStringMap(scripts) ?? [],
-            'style-src': this.egressesToStringMap(styles) ?? [],
-            'connect-src': fetch?.client ?? [],
-            'font-src': this.egressesToStringMap(fonts) ?? [],
-            'frame-src': this.egressesToStringMap(frames) ?? []
+            'img-src': (_a = this.egressesToStringMap(images)) !== null && _a !== void 0 ? _a : [],
+            'media-src': (_b = this.egressesToStringMap(media)) !== null && _b !== void 0 ? _b : [],
+            'script-src': (_c = this.egressesToStringMap(scripts)) !== null && _c !== void 0 ? _c : [],
+            'style-src': (_d = this.egressesToStringMap(styles)) !== null && _d !== void 0 ? _d : [],
+            'connect-src': (_e = fetch === null || fetch === void 0 ? void 0 : fetch.client) !== null && _e !== void 0 ? _e : [],
+            'font-src': (_f = this.egressesToStringMap(fonts)) !== null && _f !== void 0 ? _f : [],
+            'frame-src': (_g = this.egressesToStringMap(frames)) !== null && _g !== void 0 ? _g : []
         };
     }
     getStyleSrc($, userStyleSrc) {
-        const quotedUserStyleSrc = userStyleSrc?.map((x) => `'${x}'`) ?? [];
-        const deprecatedUserStyleSrc = this.getDeprecatedUserCsp($)['style-src'] ?? [];
+        var _a, _b;
+        const quotedUserStyleSrc = (_a = userStyleSrc === null || userStyleSrc === void 0 ? void 0 : userStyleSrc.map((x) => `'${x}'`)) !== null && _a !== void 0 ? _a : [];
+        const deprecatedUserStyleSrc = (_b = this.getDeprecatedUserCsp($)['style-src']) !== null && _b !== void 0 ? _b : [];
         const uniqueStyleSrc = [...new Set([...deprecatedUserStyleSrc, ...quotedUserStyleSrc])];
         return uniqueStyleSrc.filter((x) => this.isValidUserStyleSrc(x));
     }
     getScriptSrc($, userScriptSrc) {
-        const validUserScriptSrc = userScriptSrc?.filter((x) => this.isValidUserScriptSrc(x)) ?? [];
+        var _a;
+        const validUserScriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.filter((x) => this.isValidUserScriptSrc(x))) !== null && _a !== void 0 ? _a : [];
         const generatedScriptHashes = validUserScriptSrc.includes('unsafe-inline') ? [] : this.getInlineScriptHashes($);
         const { scriptSrc, userScriptHashes } = this.extractUniqueHashes(validUserScriptSrc, generatedScriptHashes);
         return [...scriptSrc, ...generatedScriptHashes, ...userScriptHashes].map((x) => this.formatScriptSrc(x));
     }
     extractUniqueHashes(userScriptSrc, existingScriptHashes) {
+        var _a;
         const userScriptHashes = [];
-        const scriptSrc = userScriptSrc?.filter((scriptSrc) => {
+        const scriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.filter((scriptSrc) => {
             const isValidHash = this.isValidHash(scriptSrc);
             if (isValidHash && !existingScriptHashes.includes(scriptSrc)) {
                 userScriptHashes.push(scriptSrc);
             }
             return !isValidHash;
-        }) ?? [];
+        })) !== null && _a !== void 0 ? _a : [];
         return { scriptSrc, userScriptHashes };
     }
     getInlineScriptHashes($) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forge/csp",
-  "version": "4.2.0",
+  "version": "4.2.1-experimental-b695d2e",
   "description": "Contains the CSP configuration for Custom UI resources in Forge",
   "main": "out/index.js",
   "author": "Atlassian",
@@ -11,15 +11,23 @@
     "clean": "rm -rf ./out && rm -f tsconfig.tsbuildinfo"
   },
   "devDependencies": {
-    "@forge/cli-shared": "8.2.0",
-    "@forge/manifest": "10.2.0",
+    "@forge/cli-shared": "8.3.1-next.1-experimental-b695d2e",
+    "@forge/manifest": "10.2.2-next.1-experimental-b695d2e",
     "@types/jest": "^29.5.14",
-    "@types/node": "20.19.1"
+    "@types/node": "20.19.1",
+    "cheerio": "^1.1.0"
   },
   "dependencies": {
-    "cheerio": "^1.1.0",
     "content-security-policy-parser": "^0.4.1"
   },
+  "peerDependencies": {
+    "cheerio": "^1.1.0"
+  },
+  "peerDependenciesMeta": {
+    "cheerio": {
+      "optional": true
+    }
+  },
   "publishConfig": {
     "registry": "https://packages.atlassian.com/api/npm/npm-public/"
   }