@hmcts/rpx-xui-node-lib 2.30.7-2541-v2 → 2.30.7-final-new-csp
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/common/util/contentSecurityPolicy.d.ts.map +1 -1
- package/dist/common/util/contentSecurityPolicy.js +0 -3
- package/dist/common/util/contentSecurityPolicy.js.map +1 -1
- package/dist/common/util/csp.d.ts +10 -0
- package/dist/common/util/csp.d.ts.map +1 -0
- package/dist/common/util/csp.js +43 -0
- package/dist/common/util/csp.js.map +1 -0
- package/dist/common/util/index.d.ts +2 -0
- package/dist/common/util/index.d.ts.map +1 -1
- package/dist/common/util/index.js +7 -3
- package/dist/common/util/index.js.map +1 -1
- package/package.json +5 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contentSecurityPolicy.d.ts","sourceRoot":"","sources":["../../../src/common/util/contentSecurityPolicy.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"contentSecurityPolicy.d.ts","sourceRoot":"","sources":["../../../src/common/util/contentSecurityPolicy.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe;;;;;;;;;;;;;CAmD3B,CAAA;AAED,eAAO,MAAM,wBAAwB,GAAI,QAAQ,GAAG,QAEnD,CAAA"}
|
|
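--- a/package/dist/common/util/contentSecurityPolicy.js
+++ b/package/dist/common/util/contentSecurityPolicy.js
@@ -41,15 +41,12 @@ exports.SECURITY_POLICY = {
 mediaSrc: ["'self'"],
 scriptSrc: [
 "'self'",
-"'unsafe-inline'",
-"'unsafe-eval'",
 'https://*.google-analytics.com',
 'https://*.googletagmanager.com',
 'az416426.vo.msecnd.net',
 ],
 styleSrc: [
 "'self'",
-"'unsafe-inline'",
 'https://fonts.googleapis.com',
 'https://fonts.gstatic.com',
 'https://www.googletagmanager.com',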
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contentSecurityPolicy.js","sourceRoot":"","sources":["../../../src/common/util/contentSecurityPolicy.ts"],"names":[],"mappings":";;;AAAa,QAAA,eAAe,GAAG;IAC3B,UAAU,EAAE;QACR,UAAU,EAAE;YACR,oBAAoB;YACpB,UAAU;YACV,8BAA8B;YAC9B,oBAAoB;YACpB,gCAAgC;YAChC,gCAAgC;YAChC,gCAAgC;YAChC,aAAa;YACb,6BAA6B;YAC7B,+CAA+C;YAC/C,gDAAgD;YAChD,oDAAoD;YACpD,gDAAgD;YAChD,gDAAgD;YAChD,2CAA2C;YAC3C,4CAA4C;YAC5C,6BAA6B;SAChC;QACD,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,OAAO,EAAE,CAAC,QAAQ,EAAE,2BAA2B,EAAE,OAAO,CAAC;QACzD,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,cAAc,EAAE,CAAC,QAAQ,CAAC;QAC1B,QAAQ,EAAE,CAAC,QAAQ,CAAC;QACpB,MAAM,EAAE;YACJ,QAAQ;YACR,OAAO;YACP,gCAAgC;YAChC,gCAAgC;YAChC,0CAA0C;YAC1C,kCAAkC;YAClC,0BAA0B;YAC1B,0BAA0B;YAC1B,2BAA2B;SAC9B;QACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;QACpB,SAAS,EAAE;YACP,QAAQ;YACR,
|
|
1
|
+
{"version":3,"file":"contentSecurityPolicy.js","sourceRoot":"","sources":["../../../src/common/util/contentSecurityPolicy.ts"],"names":[],"mappings":";;;AAAa,QAAA,eAAe,GAAG;IAC3B,UAAU,EAAE;QACR,UAAU,EAAE;YACR,oBAAoB;YACpB,UAAU;YACV,8BAA8B;YAC9B,oBAAoB;YACpB,gCAAgC;YAChC,gCAAgC;YAChC,gCAAgC;YAChC,aAAa;YACb,6BAA6B;YAC7B,+CAA+C;YAC/C,gDAAgD;YAChD,oDAAoD;YACpD,gDAAgD;YAChD,gDAAgD;YAChD,2CAA2C;YAC3C,4CAA4C;YAC5C,6BAA6B;SAChC;QACD,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,OAAO,EAAE,CAAC,QAAQ,EAAE,2BAA2B,EAAE,OAAO,CAAC;QACzD,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,cAAc,EAAE,CAAC,QAAQ,CAAC;QAC1B,QAAQ,EAAE,CAAC,QAAQ,CAAC;QACpB,MAAM,EAAE;YACJ,QAAQ;YACR,OAAO;YACP,gCAAgC;YAChC,gCAAgC;YAChC,0CAA0C;YAC1C,kCAAkC;YAClC,0BAA0B;YAC1B,0BAA0B;YAC1B,2BAA2B;SAC9B;QACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;QACpB,SAAS,EAAE;YACP,QAAQ;YACR,gCAAgC;YAChC,gCAAgC;YAChC,wBAAwB;SAC3B;QACD,QAAQ,EAAE;YACN,QAAQ;YACR,8BAA8B;YAC9B,2BAA2B;YAC3B,kCAAkC;SACrC;KACJ;CACJ,CAAA;AAEM,MAAM,wBAAwB,GAAG,CAAC,MAAW,EAAE,EAAE;IACpD,OAAO,MAAM,CAAC,qBAAqB,CAAC,uBAAe,CAAC,CAAA;AACxD,CAAC,CAAA;AAFY,QAAA,wBAAwB,4BAEpC"}
|
|
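--- /dev/null
+++ b/package/dist/common/util/csp.d.ts
@@ -0,0 +1,10 @@
+import { Request, Response, NextFunction } from 'express';
+export declare function csp({ extraScript, extraStyle, extraConnect, extraFont, extraImg, defaultCsp }?: {
+extraScript?: string[] | undefined;
+extraStyle?: string[] | undefined;
+extraConnect?: string[] | undefined;
+extraFont?: string[] | undefined;
+extraImg?: string[] | undefined;
+defaultCsp?: {} | undefined;
+}): (req: Request, res: Response, next: NextFunction) => void;
+//# sourceMappingURL=csp.d.ts.map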
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csp.d.ts","sourceRoot":"","sources":["../../../src/common/util/csp.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAK1D,wBAAgB,GAAG,CAAC,EAClB,WAA6E,EAC7E,UAA2E,EAC3E,YAA+E,EAC/E,SAAyE,EACzE,QAAuE,EACvE,UAAe,EAChB;;;;;;;CAAK,IACI,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,UAoCxD"}
|
|
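--- /dev/null
+++ b/package/dist/common/util/csp.js
@@ -0,0 +1,43 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.csp = csp;
+const helmet_1 = __importDefault(require("helmet"));
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const deepmerge_1 = __importDefault(require("deepmerge"));
+function csp(_a) {
+var _b, _c, _d, _e, _f;
+var { extraScript = ((_b = process.env.CSP_SCRIPT_EXTRA) !== null && _b !== void 0 ? _b : '').split(',').filter(Boolean), extraStyle = ((_c = process.env.CSP_STYLE_EXTRA) !== null && _c !== void 0 ? _c : '').split(',').filter(Boolean), extraConnect = ((_d = process.env.CSP_CONNECT_EXTRA) !== null && _d !== void 0 ? _d : '').split(',').filter(Boolean), extraFont = ((_e = process.env.CSP_FONT_EXTRA) !== null && _e !== void 0 ? _e : '').split(',').filter(Boolean), extraImg = ((_f = process.env.CSP_IMG_EXTRA) !== null && _f !== void 0 ? _f : '').split(',').filter(Boolean), defaultCsp = {} } = _a === void 0 ? {} : _a;
+return (req, res, next) => {
+const nonce = node_crypto_1.default.randomBytes(16).toString('base64');
+res.locals.cspNonce = nonce;
+const newCsp = {
+useDefaults: true,
+directives: {
+// dashed form is fine too, but keep the SAME spelling everywhere
+defaultSrc: ["'self'"],
+scriptSrc: ["'self'", `'nonce-${nonce}'`, ...extraScript],
+styleSrc: ["'self'", `'nonce-${nonce}'`, ...extraStyle],
+/* THIS authorises inline *attribute* styles */
+styleSrcAttr: ["'unsafe-inline'"],
+/* THIS authorises inline scripts such as javascript:void(0) */
+/* TODO: this should be removed in future via replacing such lines in common-lib and toolkit */
+scriptSrcAttr: ["'unsafe-inline'"],
+connectSrc: ["'self'", "blob:", "data:", ...extraConnect],
+imgSrc: ["'self'", "data:", ...extraImg],
+fontSrc: ["'self'", "data:", "https://fonts.gstatic.com", ...extraFont],
+objectSrc: ["'none'"],
+frameSrc: ["'self'"],
+frameAncestors: ["'self'"],
+formAction: ["'none'"]
+},
+reportOnly: process.env.CSP_REPORT_ONLY === 'true'
+};
+// deep‑merge so we don’t lose anything from SECURITY_POLICY
+const finalCsp = (0, deepmerge_1.default)(defaultCsp, newCsp);
+helmet_1.default.contentSecurityPolicy(finalCsp)(req, res, next);
+};
+}
+//# sourceMappingURL=csp.js.map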
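Review bot: `scriptSrcAttr: ["'unsafe-inline'"]` re-enables inline event-handler attributes (`onclick=`, `onerror=`, …) on every response, which hands attribute-injection XSS a route around the per-request nonce on `scriptSrc`; the TODO acknowledges this but leaves an app that has already cleaned up its templates no way to switch it off. The comment above it is also misleading: as far as I can tell from CSP3, script-src-attr only governs event-handler attributes, while `javascript:` URLs are checked against script-src-elem / script-src, so this line does not keep `href="javascript:void(0)"` working — those links are already blocked (or reported) by the nonce-only `scriptSrc`. I would make it opt-out now so each app can tighten independently of common-lib, `scriptSrcAttr: process.env.CSP_ALLOW_SCRIPT_ATTR === 'false' ? ["'none'"] : ["'unsafe-inline'"],` and document the flag beside the other `CSP_*` variables. Separately, `deepmerge` concatenates arrays, so a `defaultCsp` that already lists `objectSrc` or `formAction` sources will be merged with the `'none'` here into a list mixing `'none'` with real hosts, which browsers do not treat as "deny"; a unit test that merges the real SECURITY_POLICY and asserts the emitted header would catch that.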
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csp.js","sourceRoot":"","sources":["../../../src/common/util/csp.ts"],"names":[],"mappings":";;;;;AAKA,kBA4CC;AAhDD,oDAA4B;AAC5B,8DAAiC;AACjC,0DAA8B;AAE9B,SAAgB,GAAG,CAAC,EAOd;;QAPc,EAClB,WAAW,GAAG,CAAC,MAAA,OAAO,CAAC,GAAG,CAAC,gBAAgB,mCAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EAC7E,UAAU,GAAG,CAAC,MAAA,OAAO,CAAC,GAAG,CAAC,eAAe,mCAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EAC3E,YAAY,GAAG,CAAC,MAAA,OAAO,CAAC,GAAG,CAAC,iBAAiB,mCAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EAC/E,SAAS,GAAG,CAAC,MAAA,OAAO,CAAC,GAAG,CAAC,cAAc,mCAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EACzE,QAAQ,GAAG,CAAC,MAAA,OAAO,CAAC,GAAG,CAAC,aAAa,mCAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EACvE,UAAU,GAAG,EAAE,EAChB,mBAAG,EAAE;IACJ,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QACzD,MAAM,KAAK,GAAG,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACxD,GAAG,CAAC,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;QAE5B,MAAM,MAAM,GAAG;YACb,WAAW,EAAE,IAAI;YACjB,UAAU,EAAE;gBACV,iEAAiE;gBACjE,UAAU,EAAE,CAAC,QAAQ,CAAC;gBACtB,SAAS,EAAE,CAAC,QAAQ,EAAE,UAAU,KAAK,GAAG,EAAE,GAAG,WAAW,CAAC;gBACzD,QAAQ,EAAE,CAAC,QAAQ,EAAE,UAAU,KAAK,GAAG,EAAE,GAAG,UAAU,CAAC;gBAEvD,+CAA+C;gBAC/C,YAAY,EAAE,CAAC,iBAAiB,CAAC;gBAEjC,+DAA+D;gBAC/D,+FAA+F;gBAC/F,aAAa,EAAE,CAAC,iBAAiB,CAAC;gBAElC,UAAU,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;gBACzD,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,QAAQ,CAAC;gBACxC,OAAO,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,2BAA2B,EAAE,GAAG,SAAS,CAAC;gBAEvE,SAAS,EAAE,CAAC,QAAQ,CAAC;gBACrB,QAAQ,EAAE,CAAC,QAAQ,CAAC;gBACpB,cAAc,EAAE,CAAC,QAAQ,CAAC;gBAC1B,UAAU,EAAE,CAAC,QAAQ,CAAC;aACvB;YACD,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,MAAM;SACnD,CAAC;QAEF,4DAA4D;QAC5D,MAAM,QAAQ,GAAG,IAAA,mBAAK,EAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAE3C,gBAAM,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IACzD,CAAC,CAAC;AACJ,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/common/util/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAA;AACrD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAA;AAClE,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AACvC,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAA;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AACvD,OAAO,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/common/util/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,GAAG,EAAE,MAAM,OAAO,CAAA;AAC3B,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAA;AACrD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAA;AAClE,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AACvC,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAA;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AACvD,OAAO,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAA"}
|
|
@@ -1,12 +1,16 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.getUserSessionTimeout = exports.arrayPatternMatch = exports.isStringPatternMatch = exports.sortArray = exports.getContentSecurityPolicy = exports.getLogger = exports.hasKey = void 0;
|
|
3
|
+
exports.getUserSessionTimeout = exports.arrayPatternMatch = exports.isStringPatternMatch = exports.sortArray = exports.getContentSecurityPolicy = exports.getLogger = exports.hasKey = exports.csp = exports.SECURITY_POLICY = void 0;
|
|
4
|
+
var contentSecurityPolicy_1 = require("./contentSecurityPolicy");
|
|
5
|
+
Object.defineProperty(exports, "SECURITY_POLICY", { enumerable: true, get: function () { return contentSecurityPolicy_1.SECURITY_POLICY; } });
|
|
6
|
+
var csp_1 = require("./csp");
|
|
7
|
+
Object.defineProperty(exports, "csp", { enumerable: true, get: function () { return csp_1.csp; } });
|
|
4
8
|
var hasKey_1 = require("./hasKey");
|
|
5
9
|
Object.defineProperty(exports, "hasKey", { enumerable: true, get: function () { return hasKey_1.hasKey; } });
|
|
6
10
|
var debug_logger_1 = require("./debug.logger");
|
|
7
11
|
Object.defineProperty(exports, "getLogger", { enumerable: true, get: function () { return debug_logger_1.getLogger; } });
|
|
8
|
-
var
|
|
9
|
-
Object.defineProperty(exports, "getContentSecurityPolicy", { enumerable: true, get: function () { return
|
|
12
|
+
var contentSecurityPolicy_2 = require("./contentSecurityPolicy");
|
|
13
|
+
Object.defineProperty(exports, "getContentSecurityPolicy", { enumerable: true, get: function () { return contentSecurityPolicy_2.getContentSecurityPolicy; } });
|
|
10
14
|
var sortArray_1 = require("./sortArray");
|
|
11
15
|
Object.defineProperty(exports, "sortArray", { enumerable: true, get: function () { return sortArray_1.sortArray; } });
|
|
12
16
|
var stringPatternMatch_1 = require("./stringPatternMatch");
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/common/util/index.ts"],"names":[],"mappings":";;;AAAA,mCAAiC;AAAxB,gGAAA,MAAM,OAAA;AACf,+CAAqD;AAA5C,yGAAA,SAAS,OAAA;AAClB,iEAAkE;AAAzD,iIAAA,wBAAwB,OAAA;AACjC,yCAAuC;AAA9B,sGAAA,SAAS,OAAA;AAClB,2DAA2D;AAAlD,0HAAA,oBAAoB,OAAA;AAC7B,yDAAuD;AAA9C,sHAAA,iBAAiB,OAAA;AAC1B,6CAA8E;AAArE,oHAAA,qBAAqB,OAAA"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/common/util/index.ts"],"names":[],"mappings":";;;AAAA,iEAA0D;AAAjD,wHAAA,eAAe,OAAA;AACxB,6BAA2B;AAAlB,0FAAA,GAAG,OAAA;AACZ,mCAAiC;AAAxB,gGAAA,MAAM,OAAA;AACf,+CAAqD;AAA5C,yGAAA,SAAS,OAAA;AAClB,iEAAkE;AAAzD,iIAAA,wBAAwB,OAAA;AACjC,yCAAuC;AAA9B,sGAAA,SAAS,OAAA;AAClB,2DAA2D;AAAlD,0HAAA,oBAAoB,OAAA;AAC7B,yDAAuD;AAA9C,sHAAA,iBAAiB,OAAA;AAC1B,6CAA8E;AAArE,oHAAA,qBAAqB,OAAA"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@hmcts/rpx-xui-node-lib",
|
|
3
|
-
"version": "2.30.7-
|
|
3
|
+
"version": "2.30.7-final-new-csp",
|
|
4
4
|
"description": "Common nodejs library components for XUI",
|
|
5
5
|
"main": "dist/index",
|
|
6
6
|
"types": "dist/index.d.ts",
|
|
@@ -40,6 +40,9 @@
|
|
|
40
40
|
"files": [
|
|
41
41
|
"dist/**/*"
|
|
42
42
|
],
|
|
43
|
+
"peerDependencies": {
|
|
44
|
+
"helmet": "^7.0.0"
|
|
45
|
+
},
|
|
43
46
|
"devDependencies": {
|
|
44
47
|
"@commitlint/cli": "^17.8.1",
|
|
45
48
|
"@commitlint/config-conventional": "^8.2.0",
|
|
@@ -64,6 +67,7 @@
|
|
|
64
67
|
"commitlint-config-cz": "^0.13.1",
|
|
65
68
|
"cz-conventional-changelog": "^3.3.0",
|
|
66
69
|
"eslint": "^9.25.1",
|
|
70
|
+
"helmet": "^7.0.0",
|
|
67
71
|
"husky": "^8.0.0",
|
|
68
72
|
"jest": "^29.7.0",
|
|
69
73
|
"jest-config": "29.5.0",
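Review bot: The new `dist/common/util/csp.js` calls `require("deepmerge")` at module load, yet the dependency changes in this section add only `helmet` (a `peerDependencies` entry plus a `devDependencies` copy for the build). If `deepmerge` is not already listed under `dependencies` earlier in the file — which is outside these hunks — every consumer that imports `@hmcts/rpx-xui-node-lib` will fail at startup with MODULE_NOT_FOUND as soon as `dist/common/util/index.js` pulls in `./csp`; please confirm, and move it out of `devDependencies` if that is where it lives. Declaring `helmet` as a peer rather than a direct dependency is the right call since the consuming app owns its helmet version, but the `^7.0.0` range should be checked against what the XUI apps actually pin so the peer warning does not become a hard conflict.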
|