npm - @eggjs/security - Versions diffs - 4.0.0 → 5.0.0-beta.15 - Mend

@eggjs/security 4.0.0 → 5.0.0-beta.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

package/README.md +47 -67
package/README.zh-CN.md +56 -68
package/dist/agent.d.ts +10 -0
package/dist/agent.js +15 -0
package/dist/app/extend/agent.d.ts +14 -0
package/dist/app/extend/agent.js +12 -0
package/dist/app/extend/application.d.ts +20 -0
package/dist/app/extend/application.js +32 -0
package/dist/app/extend/context.d.ts +74 -0
package/dist/app/extend/context.js +191 -0
package/dist/app/extend/helper.d.ts +24 -0
package/dist/app/extend/helper.js +7 -0
package/dist/app/extend/response.d.ts +45 -0
package/dist/app/extend/response.js +70 -0
package/dist/app/middleware/securities.d.ts +8 -0
package/dist/app/middleware/securities.js +39 -0
package/dist/app.d.ts +10 -0
package/dist/app.js +24 -0
package/dist/config/config.default.d.ts +874 -0
package/dist/config/config.default.js +170 -0
package/dist/config/config.local.d.ts +6 -0
package/dist/config/config.local.js +5 -0
package/dist/index.d.ts +1 -0
package/dist/index.js +3 -0
package/dist/lib/extend/safe_curl.d.ts +20 -0
package/dist/lib/extend/safe_curl.js +19 -0
package/dist/lib/helper/cliFilter.d.ts +7 -0
package/dist/lib/helper/cliFilter.js +18 -0
package/dist/lib/helper/escape.d.ts +2 -0
package/dist/lib/helper/escape.js +7 -0
package/dist/lib/helper/escapeShellArg.d.ts +4 -0
package/dist/lib/helper/escapeShellArg.js +7 -0
package/dist/lib/helper/escapeShellCmd.d.ts +4 -0
package/dist/lib/helper/escapeShellCmd.js +15 -0
package/dist/lib/helper/index.d.ts +24 -0
package/dist/lib/helper/index.js +25 -0
package/dist/lib/helper/shtml.d.ts +6 -0
package/dist/lib/helper/shtml.js +53 -0
package/dist/lib/helper/sjs.d.ts +7 -0
package/dist/lib/helper/sjs.js +36 -0
package/dist/lib/helper/sjson.d.ts +4 -0
package/dist/lib/helper/sjson.js +32 -0
package/dist/lib/helper/spath.d.ts +7 -0
package/dist/lib/helper/spath.js +16 -0
package/dist/lib/helper/surl.d.ts +6 -0
package/dist/lib/helper/surl.js +25 -0
package/dist/lib/middlewares/csp.d.ts +7 -0
package/dist/lib/middlewares/csp.js +46 -0
package/dist/lib/middlewares/csrf.d.ts +7 -0
package/dist/lib/middlewares/csrf.js +33 -0
package/dist/lib/middlewares/dta.d.ts +6 -0
package/dist/lib/middlewares/dta.js +13 -0
package/dist/lib/middlewares/hsts.d.ts +7 -0
package/dist/lib/middlewares/hsts.js +19 -0
package/dist/lib/middlewares/index.d.ts +18 -0
package/dist/lib/middlewares/index.js +27 -0
package/dist/lib/middlewares/methodnoallow.d.ts +6 -0
package/dist/lib/middlewares/methodnoallow.js +15 -0
package/dist/lib/middlewares/noopen.d.ts +7 -0
package/dist/lib/middlewares/noopen.js +17 -0
package/dist/lib/middlewares/nosniff.d.ts +7 -0
package/dist/lib/middlewares/nosniff.js +27 -0
package/dist/lib/middlewares/referrerPolicy.d.ts +7 -0
package/dist/lib/middlewares/referrerPolicy.js +31 -0
package/dist/lib/middlewares/xframe.d.ts +7 -0
package/dist/lib/middlewares/xframe.js +18 -0
package/dist/lib/middlewares/xssProtection.d.ts +7 -0
package/dist/lib/middlewares/xssProtection.js +17 -0
package/dist/lib/utils.d.ts +24 -0
package/dist/lib/utils.js +127 -0
package/dist/types.d.ts +12 -0
package/dist/types.js +5 -0
package/package.json +74 -70
package/dist/commonjs/agent.d.ts +0 -6
package/dist/commonjs/agent.js +0 -14
package/dist/commonjs/app/extend/agent.d.ts +0 -5
package/dist/commonjs/app/extend/agent.js +0 -11
package/dist/commonjs/app/extend/application.d.ts +0 -16
package/dist/commonjs/app/extend/application.js +0 -35
package/dist/commonjs/app/extend/context.d.ts +0 -68
package/dist/commonjs/app/extend/context.js +0 -283
package/dist/commonjs/app/extend/helper.d.ts +0 -12
package/dist/commonjs/app/extend/helper.js +0 -10
package/dist/commonjs/app/extend/response.d.ts +0 -41
package/dist/commonjs/app/extend/response.js +0 -85
package/dist/commonjs/app/middleware/securities.d.ts +0 -4
package/dist/commonjs/app/middleware/securities.js +0 -55
package/dist/commonjs/app.d.ts +0 -6
package/dist/commonjs/app.js +0 -29
package/dist/commonjs/config/config.default.d.ts +0 -871
package/dist/commonjs/config/config.default.js +0 -357
package/dist/commonjs/config/config.local.d.ts +0 -5
package/dist/commonjs/config/config.local.js +0 -10
package/dist/commonjs/index.d.ts +0 -1
package/dist/commonjs/index.js +0 -14
package/dist/commonjs/lib/extend/safe_curl.d.ts +0 -16
package/dist/commonjs/lib/extend/safe_curl.js +0 -28
package/dist/commonjs/lib/helper/cliFilter.d.ts +0 -4
package/dist/commonjs/lib/helper/cliFilter.js +0 -20
package/dist/commonjs/lib/helper/escape.d.ts +0 -2
package/dist/commonjs/lib/helper/escape.js +0 -8
package/dist/commonjs/lib/helper/escapeShellArg.d.ts +0 -1
package/dist/commonjs/lib/helper/escapeShellArg.js +0 -8
package/dist/commonjs/lib/helper/escapeShellCmd.d.ts +0 -1
package/dist/commonjs/lib/helper/escapeShellCmd.js +0 -17
package/dist/commonjs/lib/helper/index.d.ts +0 -21
package/dist/commonjs/lib/helper/index.js +0 -26
package/dist/commonjs/lib/helper/shtml.d.ts +0 -2
package/dist/commonjs/lib/helper/shtml.js +0 -76
package/dist/commonjs/lib/helper/sjs.d.ts +0 -4
package/dist/commonjs/lib/helper/sjs.js +0 -52
package/dist/commonjs/lib/helper/sjson.d.ts +0 -1
package/dist/commonjs/lib/helper/sjson.js +0 -45
package/dist/commonjs/lib/helper/spath.d.ts +0 -5
package/dist/commonjs/lib/helper/spath.js +0 -28
package/dist/commonjs/lib/helper/surl.d.ts +0 -2
package/dist/commonjs/lib/helper/surl.js +0 -33
package/dist/commonjs/lib/middlewares/csp.d.ts +0 -4
package/dist/commonjs/lib/middlewares/csp.js +0 -68
package/dist/commonjs/lib/middlewares/csrf.d.ts +0 -4
package/dist/commonjs/lib/middlewares/csrf.js +0 -42
package/dist/commonjs/lib/middlewares/dta.d.ts +0 -3
package/dist/commonjs/lib/middlewares/dta.js +0 -14
package/dist/commonjs/lib/middlewares/hsts.d.ts +0 -4
package/dist/commonjs/lib/middlewares/hsts.js +0 -23
package/dist/commonjs/lib/middlewares/index.d.ts +0 -13
package/dist/commonjs/lib/middlewares/index.js +0 -28
package/dist/commonjs/lib/middlewares/methodnoallow.d.ts +0 -3
package/dist/commonjs/lib/middlewares/methodnoallow.js +0 -22
package/dist/commonjs/lib/middlewares/noopen.d.ts +0 -4
package/dist/commonjs/lib/middlewares/noopen.js +0 -17
package/dist/commonjs/lib/middlewares/nosniff.d.ts +0 -4
package/dist/commonjs/lib/middlewares/nosniff.js +0 -30
package/dist/commonjs/lib/middlewares/referrerPolicy.d.ts +0 -4
package/dist/commonjs/lib/middlewares/referrerPolicy.js +0 -36
package/dist/commonjs/lib/middlewares/xframe.d.ts +0 -4
package/dist/commonjs/lib/middlewares/xframe.js +0 -19
package/dist/commonjs/lib/middlewares/xssProtection.d.ts +0 -4
package/dist/commonjs/lib/middlewares/xssProtection.js +0 -16
package/dist/commonjs/lib/utils.d.ts +0 -19
package/dist/commonjs/lib/utils.js +0 -206
package/dist/commonjs/package.json +0 -3
package/dist/commonjs/types.d.ts +0 -10
package/dist/commonjs/types.js +0 -5
package/dist/esm/agent.d.ts +0 -6
package/dist/esm/agent.js +0 -11
package/dist/esm/app/extend/agent.d.ts +0 -5
package/dist/esm/app/extend/agent.js +0 -8
package/dist/esm/app/extend/application.d.ts +0 -16
package/dist/esm/app/extend/application.js +0 -32
package/dist/esm/app/extend/context.d.ts +0 -68
package/dist/esm/app/extend/context.js +0 -244
package/dist/esm/app/extend/helper.d.ts +0 -12
package/dist/esm/app/extend/helper.js +0 -5
package/dist/esm/app/extend/response.d.ts +0 -41
package/dist/esm/app/extend/response.js +0 -82
package/dist/esm/app/middleware/securities.d.ts +0 -4
package/dist/esm/app/middleware/securities.js +0 -50
package/dist/esm/app.d.ts +0 -6
package/dist/esm/app.js +0 -26
package/dist/esm/config/config.default.d.ts +0 -871
package/dist/esm/config/config.default.js +0 -351
package/dist/esm/config/config.local.d.ts +0 -5
package/dist/esm/config/config.local.js +0 -8
package/dist/esm/index.d.ts +0 -1
package/dist/esm/index.js +0 -12
package/dist/esm/lib/extend/safe_curl.d.ts +0 -16
package/dist/esm/lib/extend/safe_curl.js +0 -25
package/dist/esm/lib/helper/cliFilter.d.ts +0 -4
package/dist/esm/lib/helper/cliFilter.js +0 -17
package/dist/esm/lib/helper/escape.d.ts +0 -2
package/dist/esm/lib/helper/escape.js +0 -3
package/dist/esm/lib/helper/escapeShellArg.d.ts +0 -1
package/dist/esm/lib/helper/escapeShellArg.js +0 -5
package/dist/esm/lib/helper/escapeShellCmd.d.ts +0 -1
package/dist/esm/lib/helper/escapeShellCmd.js +0 -14
package/dist/esm/lib/helper/index.d.ts +0 -21
package/dist/esm/lib/helper/index.js +0 -21
package/dist/esm/lib/helper/shtml.d.ts +0 -2
package/dist/esm/lib/helper/shtml.js +0 -70
package/dist/esm/lib/helper/sjs.d.ts +0 -4
package/dist/esm/lib/helper/sjs.js +0 -49
package/dist/esm/lib/helper/sjson.d.ts +0 -1
package/dist/esm/lib/helper/sjson.js +0 -39
package/dist/esm/lib/helper/spath.d.ts +0 -5
package/dist/esm/lib/helper/spath.js +0 -25
package/dist/esm/lib/helper/surl.d.ts +0 -2
package/dist/esm/lib/helper/surl.js +0 -30
package/dist/esm/lib/middlewares/csp.d.ts +0 -4
package/dist/esm/lib/middlewares/csp.js +0 -63
package/dist/esm/lib/middlewares/csrf.d.ts +0 -4
package/dist/esm/lib/middlewares/csrf.js +0 -37
package/dist/esm/lib/middlewares/dta.d.ts +0 -3
package/dist/esm/lib/middlewares/dta.js +0 -12
package/dist/esm/lib/middlewares/hsts.d.ts +0 -4
package/dist/esm/lib/middlewares/hsts.js +0 -21
package/dist/esm/lib/middlewares/index.d.ts +0 -13
package/dist/esm/lib/middlewares/index.js +0 -23
package/dist/esm/lib/middlewares/methodnoallow.d.ts +0 -3
package/dist/esm/lib/middlewares/methodnoallow.js +0 -20
package/dist/esm/lib/middlewares/noopen.d.ts +0 -4
package/dist/esm/lib/middlewares/noopen.js +0 -15
package/dist/esm/lib/middlewares/nosniff.d.ts +0 -4
package/dist/esm/lib/middlewares/nosniff.js +0 -28
package/dist/esm/lib/middlewares/referrerPolicy.d.ts +0 -4
package/dist/esm/lib/middlewares/referrerPolicy.js +0 -34
package/dist/esm/lib/middlewares/xframe.d.ts +0 -4
package/dist/esm/lib/middlewares/xframe.js +0 -17
package/dist/esm/lib/middlewares/xssProtection.d.ts +0 -4
package/dist/esm/lib/middlewares/xssProtection.js +0 -14
package/dist/esm/lib/utils.d.ts +0 -19
package/dist/esm/lib/utils.js +0 -194
package/dist/esm/package.json +0 -3
package/dist/esm/types.d.ts +0 -10
package/dist/esm/types.js +0 -3
package/dist/package.json +0 -4
package/src/agent.ts +0 -14
package/src/app/extend/agent.ts +0 -14
package/src/app/extend/application.ts +0 -51
package/src/app/extend/context.ts +0 -282
package/src/app/extend/helper.ts +0 -5
package/src/app/extend/response.ts +0 -95
package/src/app/middleware/securities.ts +0 -63
package/src/app.ts +0 -31
package/src/config/config.default.ts +0 -379
package/src/config/config.local.ts +0 -9
package/src/index.ts +0 -12
package/src/lib/extend/safe_curl.ts +0 -35
package/src/lib/helper/cliFilter.ts +0 -20
package/src/lib/helper/escape.ts +0 -3
package/src/lib/helper/escapeShellArg.ts +0 -4
package/src/lib/helper/escapeShellCmd.ts +0 -16
package/src/lib/helper/index.ts +0 -21
package/src/lib/helper/shtml.ts +0 -77
package/src/lib/helper/sjs.ts +0 -57
package/src/lib/helper/sjson.ts +0 -35
package/src/lib/helper/spath.ts +0 -27
package/src/lib/helper/surl.ts +0 -35
package/src/lib/middlewares/csp.ts +0 -70
package/src/lib/middlewares/csrf.ts +0 -44
package/src/lib/middlewares/dta.ts +0 -13
package/src/lib/middlewares/hsts.ts +0 -24
package/src/lib/middlewares/index.ts +0 -23
package/src/lib/middlewares/methodnoallow.ts +0 -23
package/src/lib/middlewares/noopen.ts +0 -18
package/src/lib/middlewares/nosniff.ts +0 -32
package/src/lib/middlewares/referrerPolicy.ts +0 -39
package/src/lib/middlewares/xframe.ts +0 -20
package/src/lib/middlewares/xssProtection.ts +0 -17
package/src/lib/utils.ts +0 -208
package/src/types.ts +0 -16
package/src/typings/index.d.ts +0 -4

package/src/lib/utils.ts DELETED Viewed

@@ -1,208 +0,0 @@
-import { normalize } from 'node:path';
-import matcher from 'matcher';
-import IP from '@eggjs/ip';
-import { Context } from '@eggjs/core';
-import type { PathMatchingFun } from 'egg-path-matching';
-import { SecurityConfig } from '../types.js';
-/**
- * Check whether a domain is in the safe domain white list or not.
- * @param {String} domain The inputted domain.
- * @param {Array<string>} whiteList The white list for domain.
- * @return {Boolean} If the `domain` is in the white list, return true; otherwise false.
- */
-export function isSafeDomain(domain: string, whiteList: string[]): boolean {
-  // domain must be string, otherwise return false
-  if (typeof domain !== 'string') return false;
-  // Ignore case sensitive first
-  domain = domain.toLowerCase();
-  // add prefix `.`, because all domains in white list start with `.`
-  const hostname = '.' + domain;
-  return whiteList.some(rule => {
-    // Check whether we've got '*' as a wild character symbol
-    if (rule.includes('*')) {
-      return matcher.isMatch(domain, rule);
-    }
-    // If domain is an absolute path such as `http://...`
-    // We can directly check whether it directly equals to `domain`
-    // And we don't need to cope with `endWith`.
-    if (domain === rule) return true;
-    // ensure wwweggjs.com not match eggjs.com
-    if (!/^\./.test(rule)) rule = `.${rule}`;
-    return hostname.endsWith(rule);
-  });
-}
-export function isSafePath(path: string, ctx: Context) {
-  path = '.' + path;
-  if (path.includes('%')) {
-    try {
-      path = decodeURIComponent(path);
-    } catch (e) {
-      if (ctx.app.config.env === 'local' || ctx.app.config.env === 'unittest') {
-        // not under production environment, output log
-        ctx.coreLogger.warn('[@eggjs/security: dta global block] : decode file path %j failed.', path);
-      }
-    }
-  }
-  const normalizePath = normalize(path);
-  return !(normalizePath.startsWith('../') || normalizePath.startsWith('..\\'));
-}
-export function checkIfIgnore(opts: { enable: boolean; matching?: PathMatchingFun; }, ctx: Context) {
-  // check opts.enable first
-  if (!opts.enable) return true;
-  return !opts.matching?.(ctx);
-}
-const IP_RE = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
-const topDomains: Record<string, number> = {};
-[
-  '.net.cn', '.gov.cn', '.org.cn', '.com.cn',
-].forEach(item => {
-  topDomains[item] = 2 - item.split('.').length;
-});
-export function getCookieDomain(hostname: string) {
-  // TODO(fengmk2): support ipv6
-  if (IP_RE.test(hostname)) {
-    return hostname;
-  }
-  // app.test.domain.com => .test.domain.com
-  // app.stable.domain.com => .domain.com
-  // app.domain.com => .domain.com
-  // domain=.domain.com;
-  const splits = hostname.split('.');
-  let index = -2;
-  // only when `*.test.*.com` set `.test.*.com`
-  if (splits.length >= 4 && splits[splits.length - 3] === 'test') {
-    index = -3;
-  }
-  let domain = getDomain(splits, index);
-  if (topDomains[domain]) {
-    // app.foo.org.cn => .foo.org.cn
-    domain = getDomain(splits, index + topDomains[domain]);
-  }
-  return domain;
-}
-function getDomain(splits: string[], index: number) {
-  return '.' + splits.slice(index).join('.');
-}
-export function merge(origin: Record<string, any>, opts?: Record<string, any>) {
-  if (!opts) {
-    return origin;
-  }
-  const res: Record<string, any> = {};
-  const originKeys = Object.keys(origin);
-  for (let i = 0; i < originKeys.length; i++) {
-    const key = originKeys[i];
-    res[key] = origin[key];
-  }
-  const keys = Object.keys(opts);
-  for (let i = 0; i < keys.length; i++) {
-    const key = keys[i];
-    res[key] = opts[key];
-  }
-  return res;
-}
-export function preprocessConfig(config: SecurityConfig) {
-  // transfer ssrf.ipBlackList to ssrf.checkAddress
-  // ssrf.ipExceptionList can easily pick out unwanted ips from ipBlackList
-  // checkAddress has higher priority than ipBlackList
-  const ssrf = config.ssrf;
-  if (ssrf && ssrf.ipBlackList && !ssrf.checkAddress) {
-    const blackList = ssrf.ipBlackList.map(getContains);
-    const exceptionList = (ssrf.ipExceptionList || []).map(getContains);
-    const hostnameExceptionList = ssrf.hostnameExceptionList;
-    ssrf.checkAddress = (ipAddresses, _family, hostname) => {
-      // Check white hostname first
-      if (hostname && hostnameExceptionList) {
-        if (hostnameExceptionList.includes(hostname)) {
-          return true;
-        }
-      }
-      // ipAddresses will be array address on Node.js >= 20
-      // [
-      //   { address: '220.181.125.241', family: 4 },
-      //   { address: '240e:964:ea02:b00:3::3ec', family: 6 }
-      // ]
-      if (!Array.isArray(ipAddresses)) {
-        ipAddresses = [ ipAddresses ];
-      }
-      for (const ipAddress of ipAddresses) {
-        let address: string;
-        if (typeof ipAddress === 'string') {
-          address = ipAddress;
-        } else {
-          // FIXME: should support ipv6
-          if (ipAddress.family === 6) {
-            continue;
-          }
-          address = ipAddress.address;
-        }
-        // check white list first
-        for (const exception of exceptionList) {
-          if (exception(address)) {
-            return true;
-          }
-        }
-        // check black list
-        for (const contains of blackList) {
-          if (contains(address)) {
-            return false;
-          }
-        }
-      }
-      // default allow
-      return true;
-    };
-  }
-  // Make sure that `whiteList` or `protocolWhiteList` is case insensitive
-  config.domainWhiteList = config.domainWhiteList || [];
-  config.domainWhiteList = config.domainWhiteList.map((domain: string) => domain.toLowerCase());
-  config.protocolWhiteList = config.protocolWhiteList || [];
-  config.protocolWhiteList = config.protocolWhiteList.map((protocol: string) => protocol.toLowerCase());
-  // Make sure refererWhiteList is case insensitive
-  if (config.csrf && config.csrf.refererWhiteList) {
-    config.csrf.refererWhiteList = config.csrf.refererWhiteList.map((ref: string) => ref.toLowerCase());
-  }
-  // Directly converted to Set collection by a private property (not documented),
-  // And we NO LONGER need to do conversion in `foreach` again and again in `lib/helper/surl.ts`.
-  const protocolWhiteListSet = new Set(config.protocolWhiteList);
-  protocolWhiteListSet.add('http');
-  protocolWhiteListSet.add('https');
-  protocolWhiteListSet.add('file');
-  protocolWhiteListSet.add('data');
-  Object.defineProperty(config, '__protocolWhiteListSet', {
-    value: protocolWhiteListSet,
-    enumerable: false,
-  });
-}
-export function getFromUrl(url: string, prop?: string): string | null {
-  try {
-    const parsed = new URL(url);
-    return prop ? Reflect.get(parsed, prop) : parsed;
-  } catch {
-    return null;
-  }
-}
-function getContains(ip: string) {
-  if (IP.isV4Format(ip) || IP.isV6Format(ip)) {
-    return (address: string) => address === ip;
-  }
-  return IP.cidrSubnet(ip).contains;
-}

package/src/types.ts DELETED Viewed

@@ -1,16 +0,0 @@
-import './app/extend/application.js';
-import './app/extend/context.js';
-import type {
-  SecurityConfig,
-  SecurityHelperConfig,
-} from './config/config.default.js';
-export type * from './config/config.default.js';
-declare module '@eggjs/core' {
-  // add EggAppConfig overrides types
-  interface EggAppConfig {
-    security: SecurityConfig;
-    helper: SecurityHelperConfig;
-  }
-}

package/src/typings/index.d.ts DELETED Viewed

@@ -1,4 +0,0 @@
-// make sure to import egg typings and let typescript know about it
-// @see https://github.com/whxaxes/blog/issues/11
-// and https://www.typescriptlang.org/docs/handbook/declaration-merging.html
-import 'egg';