npm - @posiwise/common-services - Versions diffs - 0.1.94 → 0.1.98 - Mend

@posiwise/common-services 0.1.94 → 0.1.98

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/fesm2022/posiwise-common-services.mjs +69 -2
package/fesm2022/posiwise-common-services.mjs.map +1 -1
package/lib/permission.service.d.ts +2 -0
package/lib/script-loader.service.d.ts +1 -0
package/package.json +1 -1

package/fesm2022/posiwise-common-services.mjs CHANGED Viewed

@@ -36,6 +36,16 @@ class ScriptLoaderService {
         this.document = document;
         this._scripts = {};
     }
+    getCspNonce() {
+        // Prefer explicit global set by server-side renderer
+        const w = globalThis;
+        if (w?.__cspNonce)
+            return w.__cspNonce;
+        // Fallback: try to read nonce from any existing script tag
+        const anyScript = this.document.querySelector('script[nonce]');
+        const n = anyScript?.nonce || anyScript?.getAttribute('nonce') || undefined;
+        return n || undefined;
+    }
     load(tag, ...scripts) {
         scripts.forEach((src) => {
             if (!this._scripts[src]) {
@@ -73,6 +83,9 @@ class ScriptLoaderService {
                 const scriptTag = document.createElement('script');
                 scriptTag.type = 'text/javascript';
                 scriptTag.src = this._scripts[src].src;
+                const nonce = this.getCspNonce();
+                if (nonce)
+                    scriptTag.nonce = nonce;
                 scriptTag.onload = () => {
                     this._scripts[src].loaded = true;
                     resolve({ src, loaded: true });
@@ -1464,13 +1477,64 @@ class PermissionService {
         }
         expr = this.handleNonBooleanPermissions(permission, expr, productKey, permission_key, productSlug);
         // Now expr is made of true/false values with &&, ||, ()
-        // eslint-disable-next-line no-eval
-        return eval(expr); // NOSONAR
+        // Safe parser: no eval() - CSP 'unsafe-eval' not required
+        return this.evaluateBooleanExpression(expr);
+    }
+    /** Safe boolean expression parser - replaces eval() for CSP compliance. */
+    evaluateBooleanExpression(expr) {
+        expr = expr.replace(/\s+/g, ' ').trim();
+        if (!expr)
+            return false;
+        if (expr === 'true')
+            return true;
+        if (expr === 'false')
+            return false;
+        let depth = 0;
+        for (let i = 0; i < expr.length - 1; i++) {
+            const c = expr[i];
+            if (c === '(')
+                depth++;
+            else if (c === ')')
+                depth--;
+            else if (depth === 0 && expr.substring(i, i + 2) === '||') {
+                const left = expr.substring(0, i).trim();
+                const right = expr.substring(i + 2).trim();
+                return (this.evaluateBooleanExpression(left) || this.evaluateBooleanExpression(right));
+            }
+        }
+        depth = 0;
+        for (let i = 0; i < expr.length - 1; i++) {
+            const c = expr[i];
+            if (c === '(')
+                depth++;
+            else if (c === ')')
+                depth--;
+            else if (depth === 0 && expr.substring(i, i + 2) === '&&') {
+                const left = expr.substring(0, i).trim();
+                const right = expr.substring(i + 2).trim();
+                return (this.evaluateBooleanExpression(left) && this.evaluateBooleanExpression(right));
+            }
+        }
+        if (expr.startsWith('(') && expr.endsWith(')')) {
+            let d = 0;
+            for (let j = 1; j < expr.length - 1; j++) {
+                if (expr[j] === '(')
+                    d++;
+                if (expr[j] === ')')
+                    d--;
+                if (d < 0)
+                    return false;
+            }
+            return this.evaluateBooleanExpression(expr.substring(1, expr.length - 1));
+        }
+        return false;
     }
     handleNonBooleanPermissions(permission, expr, productKey, permission_key, productSlug) {
         if (typeof permission !== 'boolean') {
             permission.split(' ').forEach(x => {
                 const raw = x.trim();
+                if (!raw)
+                    return; // Skip empty tokens (e.g. from double spaces) - avoids malformed expr
                 if (['||', '&&', '(', ')'].includes(raw)) {
                     expr += ` ${raw} `;
                 }
@@ -2838,6 +2902,9 @@ class SentryErrorHandler {
                 : 'production';
             const config = {
                 dsn: null,
+                // Disable Session Replay (uses eval internally) for CSP 'unsafe-eval' compliance
+                replaysSessionSampleRate: 0,
+                replaysOnErrorSampleRate: 0,
                 // NOTE: We intentionally do not enable Performance Tracing here.
                 // The previous integration (`BrowserTracing` + `routingInstrumentation`) was part of
                 // the legacy `@sentry/angular-ivy` API and isn't available in `@sentry/angular` v10.