npm package diff

Package: @forge/csp

Versions: 4.2.0-experimental-959d7b9 - 4.2.0-experimental-a6c1d53

File: package/out/csp/csp-processing-service.js

Index: package/out/csp/csp-processing-service.js
===================================================================
--- package/out/csp/csp-processing-service.js
+++ package/out/csp/csp-processing-service.js
@@ -11,24 +11,24 @@
     }
 }
 exports.InvalidConnectSrc = InvalidConnectSrc;
 class CSPProcessingService {
-    logger;
-    STYLE_SRC_ALLOWLIST = [`'unsafe-inline'`];
-    QUOTED_SCRIPT_SRC_ALLOWLIST = ['unsafe-inline', 'unsafe-eval', 'unsafe-hashes'];
-    UNQUOTED_SCRIPT_SRC_ALLOWLIST = ['blob:'];
-    SCRIPT_SRC_ALLOWLIST = [...this.QUOTED_SCRIPT_SRC_ALLOWLIST, ...this.UNQUOTED_SCRIPT_SRC_ALLOWLIST];
-    BASE_64_HASH_PATTERNS = [
-        /^sha256-[a-zA-Z0-9=+/]{44}$/,
-        /^sha384-[a-zA-Z0-9=+/]{64}$/,
-        /^sha512-[a-zA-Z0-9=+/]{88}$/
-    ];
     constructor(logger) {
         this.logger = logger;
+        this.STYLE_SRC_ALLOWLIST = [`'unsafe-inline'`];
+        this.QUOTED_SCRIPT_SRC_ALLOWLIST = ['unsafe-inline', 'unsafe-eval', 'unsafe-hashes'];
+        this.UNQUOTED_SCRIPT_SRC_ALLOWLIST = ['blob:'];
+        this.SCRIPT_SRC_ALLOWLIST = [...this.QUOTED_SCRIPT_SRC_ALLOWLIST, ...this.UNQUOTED_SCRIPT_SRC_ALLOWLIST];
+        this.BASE_64_HASH_PATTERNS = [
+            /^sha256-[a-zA-Z0-9=+/]{44}$/,
+            /^sha384-[a-zA-Z0-9=+/]{64}$/,
+            /^sha512-[a-zA-Z0-9=+/]{88}$/
+        ];
     }
     getCspDetails(body, permissions) {
-        const { scripts, styles } = permissions?.content ?? { scripts: [], styles: [] };
-        const external = permissions?.external ?? {};
+        var _a, _b;
+        const { scripts, styles } = (_a = permissions === null || permissions === void 0 ? void 0 : permissions.content) !== null && _a !== void 0 ? _a : { scripts: [], styles: [] };
+        const external = (_b = permissions === null || permissions === void 0 ? void 0 : permissions.external) !== null && _b !== void 0 ? _b : {};
         const $ = (0, cheerio_1.load)(body, { xml: { xmlMode: false } });
         const { 'script-src': scriptSrc, 'style-src': styleSrc, ...mappedExternalCsp } = this.mapExternalPermissionsToCsp(external);
         return {
             'style-src': [...this.getStyleSrc($, styles), ...styleSrc],
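Review bot: The three `BASE_64_HASH_PATTERNS` now assigned in the constructor allow `=` at any position, so a string such as `sha256-` followed by 44 `=` characters counts as a valid hash even though it is not base64. The risk is low, because the character class still excludes quotes, whitespace and `;` and a malformed hash can never match a script, but the malformed value is kept in the policy and the manifest author gets no feedback. Pinning the padding to the digest length would fix this: `/^sha256-[A-Za-z0-9+/]{43}=$/`, `/^sha384-[A-Za-z0-9+/]{64}$/`, `/^sha512-[A-Za-z0-9+/]{86}==$/`. This file looks like compiler output, so the change presumably belongs in the TypeScript source.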
@@ -36,59 +36,64 @@
             ...mappedExternalCsp
         };
     }
     getInvalidCspPermissions(contentPermissions) {
+        var _a, _b;
         const { styles, scripts } = contentPermissions;
-        const invalidStyles = styles?.filter((styleSrc) => !this.isValidUserStyleSrc(`'${styleSrc}'`)) ?? [];
-        const invalidScripts = scripts?.filter((scriptSrc) => !this.isValidUserScriptSrc(scriptSrc)) ?? [];
+        const invalidStyles = (_a = styles === null || styles === void 0 ? void 0 : styles.filter((styleSrc) => !this.isValidUserStyleSrc(`'${styleSrc}'`))) !== null && _a !== void 0 ? _a : [];
+        const invalidScripts = (_b = scripts === null || scripts === void 0 ? void 0 : scripts.filter((scriptSrc) => !this.isValidUserScriptSrc(scriptSrc))) !== null && _b !== void 0 ? _b : [];
         return [...invalidStyles, ...invalidScripts];
     }
     assertValidFetchClient(fetch) {
-        if (fetch?.client) {
-            for (const client of fetch?.client) {
+        if (fetch === null || fetch === void 0 ? void 0 : fetch.client) {
+            for (const client of fetch === null || fetch === void 0 ? void 0 : fetch.client) {
                 if (typeof client !== 'string') {
                     throw new InvalidConnectSrc();
                 }
             }
         }
     }
     egressesToStringMap(externalPermissions) {
-        return externalPermissions?.map((egress) => (typeof egress === 'object' ? egress.address : egress));
+        return externalPermissions === null || externalPermissions === void 0 ? void 0 : externalPermissions.map((egress) => (typeof egress === 'object' ? egress.address : egress));
     }
     mapExternalPermissionsToCsp(externalPermissions) {
+        var _a, _b, _c, _d, _e, _f, _g;
         const { images, media, scripts, fetch, styles, fonts, frames } = externalPermissions;
         this.assertValidFetchClient(fetch);
         return {
-            'img-src': this.egressesToStringMap(images) ?? [],
-            'media-src': this.egressesToStringMap(media) ?? [],
-            'script-src': this.egressesToStringMap(scripts) ?? [],
-            'style-src': this.egressesToStringMap(styles) ?? [],
-            'connect-src': fetch?.client ?? [],
-            'font-src': this.egressesToStringMap(fonts) ?? [],
-            'frame-src': this.egressesToStringMap(frames) ?? []
+            'img-src': (_a = this.egressesToStringMap(images)) !== null && _a !== void 0 ? _a : [],
+            'media-src': (_b = this.egressesToStringMap(media)) !== null && _b !== void 0 ? _b : [],
+            'script-src': (_c = this.egressesToStringMap(scripts)) !== null && _c !== void 0 ? _c : [],
+            'style-src': (_d = this.egressesToStringMap(styles)) !== null && _d !== void 0 ? _d : [],
+            'connect-src': (_e = fetch === null || fetch === void 0 ? void 0 : fetch.client) !== null && _e !== void 0 ? _e : [],
+            'font-src': (_f = this.egressesToStringMap(fonts)) !== null && _f !== void 0 ? _f : [],
+            'frame-src': (_g = this.egressesToStringMap(frames)) !== null && _g !== void 0 ? _g : []
         };
     }
     getStyleSrc($, userStyleSrc) {
-        const quotedUserStyleSrc = userStyleSrc?.map((x) => `'${x}'`) ?? [];
-        const deprecatedUserStyleSrc = this.getDeprecatedUserCsp($)['style-src'] ?? [];
+        var _a, _b;
+        const quotedUserStyleSrc = (_a = userStyleSrc === null || userStyleSrc === void 0 ? void 0 : userStyleSrc.map((x) => `'${x}'`)) !== null && _a !== void 0 ? _a : [];
+        const deprecatedUserStyleSrc = (_b = this.getDeprecatedUserCsp($)['style-src']) !== null && _b !== void 0 ? _b : [];
         const uniqueStyleSrc = [...new Set([...deprecatedUserStyleSrc, ...quotedUserStyleSrc])];
         return uniqueStyleSrc.filter((x) => this.isValidUserStyleSrc(x));
     }
     getScriptSrc($, userScriptSrc) {
-        const validUserScriptSrc = userScriptSrc?.filter((x) => this.isValidUserScriptSrc(x)) ?? [];
+        var _a;
+        const validUserScriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.filter((x) => this.isValidUserScriptSrc(x))) !== null && _a !== void 0 ? _a : [];
         const generatedScriptHashes = validUserScriptSrc.includes('unsafe-inline') ? [] : this.getInlineScriptHashes($);
         const { scriptSrc, userScriptHashes } = this.extractUniqueHashes(validUserScriptSrc, generatedScriptHashes);
         return [...scriptSrc, ...generatedScriptHashes, ...userScriptHashes].map((x) => this.formatScriptSrc(x));
     }
     extractUniqueHashes(userScriptSrc, existingScriptHashes) {
+        var _a;
         const userScriptHashes = [];
-        const scriptSrc = userScriptSrc?.filter((scriptSrc) => {
+        const scriptSrc = (_a = userScriptSrc === null || userScriptSrc === void 0 ? void 0 : userScriptSrc.filter((scriptSrc) => {
             const isValidHash = this.isValidHash(scriptSrc);
             if (isValidHash && !existingScriptHashes.includes(scriptSrc)) {
                 userScriptHashes.push(scriptSrc);
             }
             return !isValidHash;
-        }) ?? [];
+        })) !== null && _a !== void 0 ? _a : [];
         return { scriptSrc, userScriptHashes };
     }
     getInlineScriptHashes($) {
         return $('script:not([src])')
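Review bot: `assertValidFetchClient` only checks `typeof client !== 'string'` and `egressesToStringMap` checks nothing, yet both feed the directive lists returned by `mapExternalPermissionsToCsp`. A `null` entry in `images`, `scripts`, etc. throws a bare TypeError at `egress.address` because `typeof null === 'object'`, and an object without `address` puts `undefined` into the list. If these arrays are later joined into a header value (the serialisation is not visible here), an entry containing whitespace or `;` would add extra sources or directives. I would reject such entries up front, e.g. `if (typeof client !== 'string' || /[\s;,]/.test(client)) throw new InvalidConnectSrc();`, and run the same check over the addresses produced by `egressesToStringMap`.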