@eggjs/security 4.0.0

package/dist/esm/config/config.default.js

@@ -0,0 +1,351 @@
+import z from 'zod';
+import { Context } from '@eggjs/core';
+const CSRFSupportRequestItem = z.object({
+    path: z.instanceof(RegExp),
+    methods: z.array(z.string()),
+});
+export const LookupAddress = z.object({
+    address: z.string(),
+    family: z.number(),
+});
+const LookupAddressAndStringArray = z.union([z.string(), LookupAddress]).array();
+const SSRFCheckAddressFunction = z.function()
+    .args(z.union([z.string(), LookupAddress, LookupAddressAndStringArray]), z.union([z.number(), z.string()]), z.string())
+    .returns(z.boolean());
+export const SecurityMiddlewareName = z.enum([
+    'csrf',
+    'hsts',
+    'methodnoallow',
+    'noopen',
+    'nosniff',
+    'csp',
+    'xssProtection',
+    'xframe',
+    'dta',
+]);
+/**
+ * (ctx) => boolean
+ */
+const IgnoreOrMatchHandler = z.function().args(z.instanceof(Context)).returns(z.boolean());
+const IgnoreOrMatch = z.union([
+    z.string(), z.instanceof(RegExp), IgnoreOrMatchHandler,
+]);
+const IgnoreOrMatchOption = z.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional();
+/**
+ * security options
+ * @member Config#security
+ */
+export const SecurityConfig = z.object({
+    /**
+     * domain white list
+     *
+     * Default to `[]`
+     */
+    domainWhiteList: z.array(z.string()).default([]),
+    /**
+     * protocol white list
+     *
+     * Default to `[]`
+     */
+    protocolWhiteList: z.array(z.string()).default([]),
+    /**
+     * default open security middleware
+     *
+     * Default to `'csrf,hsts,methodnoallow,noopen,nosniff,csp,xssProtection,xframe,dta'`
+     */
+    defaultMiddleware: z.union([z.string(), z.array(SecurityMiddlewareName)])
+        .default(SecurityMiddlewareName.options),
+    /**
+     * whether defend csrf attack
+     */
+    csrf: z.preprocess(val => {
+        // transform old config, `csrf: false` to `csrf: { enable: false }`
+        if (typeof val === 'boolean') {
+            return { enable: val };
+        }
+        return val;
+    }, z.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: z.boolean().default(true),
+        /**
+         * csrf token detect source type
+         *
+         * Default to `'ctoken'`
+         */
+        type: z.enum(['ctoken', 'referer', 'all', 'any']).default('ctoken'),
+        /**
+         * ignore json request
+         *
+         * Default to `false`
+         *
+         * @deprecated is not safe now, don't use it
+         */
+        ignoreJSON: z.boolean().default(false),
+        /**
+         * csrf token cookie name
+         *
+         * Default to `'csrfToken'`
+         */
+        cookieName: z.union([z.string(), z.array(z.string())]).default('csrfToken'),
+        /**
+         * csrf token session name
+         *
+         * Default to `'csrfToken'`
+         */
+        sessionName: z.string().default('csrfToken'),
+        /**
+         * csrf token request header name
+         *
+         * Default to `'x-csrf-token'`
+         */
+        headerName: z.string().default('x-csrf-token'),
+        /**
+         * csrf token request body field name
+         *
+         * Default to `'_csrf'`
+         */
+        bodyName: z.union([z.string(), z.array(z.string())]).default('_csrf'),
+        /**
+         * csrf token request query field name
+         *
+         * Default to `'_csrf'`
+         */
+        queryName: z.union([z.string(), z.array(z.string())]).default('_csrf'),
+        /**
+         * rotate csrf token when it is invalid
+         *
+         * Default to `false`
+         */
+        rotateWhenInvalid: z.boolean().default(false),
+        /**
+         * These config works when using `'ctoken'` type
+         *
+         * Default to `false`
+         */
+        useSession: z.boolean().default(false),
+        /**
+         * csrf token cookie domain setting,
+         * can be `(ctx) => string` or `string`
+         *
+         * Default to `undefined`, auto set the cookie domain in the safe way
+         */
+        cookieDomain: z.union([
+            z.string(),
+            z.function()
+                .args(z.instanceof(Context))
+                .returns(z.string()),
+        ]).optional(),
+        /**
+         * csrf token check requests config
+         */
+        supportedRequests: z.array(CSRFSupportRequestItem)
+            .default([
+            { path: /^\//, methods: ['POST', 'PATCH', 'DELETE', 'PUT', 'CONNECT'] },
+        ]),
+        /**
+         * referer or origin header white list.
+         * It only works when using `'referer'` type
+         *
+         * Default to `[]`
+         */
+        refererWhiteList: z.array(z.string()).default([]),
+        /**
+         * csrf token cookie options
+         *
+         * Default to `{
+         *   signed: false,
+         *   httpOnly: false,
+         *   overwrite: true,
+         * }`
+         */
+        cookieOptions: z.object({
+            signed: z.boolean(),
+            httpOnly: z.boolean(),
+            overwrite: z.boolean(),
+        }).default({
+            signed: false,
+            httpOnly: false,
+            overwrite: true,
+        }),
+    }).default({})),
+    /**
+     * whether enable X-Frame-Options response header
+     */
+    xframe: z.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: z.boolean().default(true),
+        /**
+         * X-Frame-Options value, can be `'DENY'`, `'SAMEORIGIN'`, `'ALLOW-FROM https://example.com'`
+         *
+         * Default to `'SAMEORIGIN'`
+         */
+        value: z.string().default('SAMEORIGIN'),
+    }).default({}),
+    /**
+     * whether enable Strict-Transport-Security response header
+     */
+    hsts: z.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `false`
+         */
+        enable: z.boolean().default(false),
+        /**
+         * Max age of Strict-Transport-Security in seconds
+         *
+         * Default to `365 * 24 * 3600`
+         */
+        maxAge: z.number().default(365 * 24 * 3600),
+        /**
+         * Whether include sub domains
+         *
+         * Default to `false`
+         */
+        includeSubdomains: z.boolean().default(false),
+    }).default({}),
+    /**
+     * whether enable Http Method filter
+     */
+    methodnoallow: z.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: z.boolean().default(true),
+    }).default({}),
+    /**
+     * whether enable IE automatically download open
+     */
+    noopen: z.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: z.boolean().default(true),
+    }).default({}),
+    /**
+     * whether enable IE8 automatically detect mime
+     */
+    nosniff: z.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: z.boolean().default(true),
+    }).default({}),
+    /**
+     * whether enable IE8 XSS Filter
+     */
+    xssProtection: z.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: z.boolean().default(true),
+        /**
+         * X-XSS-Protection response header value
+         *
+         * Default to `'1; mode=block'`
+         */
+        value: z.coerce.string().default('1; mode=block'),
+    }).default({}),
+    /**
+     * content security policy config
+     */
+    csp: z.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `false`
+         */
+        enable: z.boolean().default(false),
+        // https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#csp_overview
+        policy: z.record(z.union([z.string(), z.array(z.string()), z.boolean()])).default({}),
+        /**
+         * whether enable report only mode
+         * Default to `undefined`
+         */
+        reportOnly: z.boolean().optional(),
+        /**
+         * whether support IE
+         * Default to `undefined`
+         */
+        supportIE: z.boolean().optional(),
+    }).default({}),
+    /**
+     * whether enable referrer policy
+     * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+     */
+    referrerPolicy: z.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `false`
+         */
+        enable: z.boolean().default(false),
+        /**
+         * referrer policy value
+         *
+         * Default to `'no-referrer-when-downgrade'`
+         */
+        value: z.string().default('no-referrer-when-downgrade'),
+    }).default({}),
+    /**
+     * whether enable auto avoid directory traversal attack
+     */
+    dta: z.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: z.boolean().default(true),
+    }).default({}),
+    ssrf: z.object({
+        ipBlackList: z.array(z.string()).optional(),
+        ipExceptionList: z.array(z.string()).optional(),
+        hostnameExceptionList: z.array(z.string()).optional(),
+        checkAddress: SSRFCheckAddressFunction.optional(),
+    }).default({}),
+    match: z.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional(),
+    ignore: z.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional(),
+    __protocolWhiteListSet: z.set(z.string()).optional().readonly(),
+});
+const SecurityHelperOnTagAttrHandler = z.function()
+    .args(z.string(), z.string(), z.string(), z.boolean())
+    .returns(z.union([z.string(), z.void()]));
+export const SecurityHelperConfig = z.object({
+    shtml: z.object({
+        /**
+         * tag attribute white list
+         */
+        whiteList: z.record(z.array(z.string())).optional(),
+        /**
+         * domain white list
+         * @deprecated use `config.security.domainWhiteList` instead
+         */
+        domainWhiteList: z.array(z.string()).optional(),
+        /**
+         * tag attribute handler
+         */
+        onTagAttr: SecurityHelperOnTagAttrHandler.optional(),
+    }).default({}),
+});
+export default {
+    security: SecurityConfig.parse({}),
+    helper: SecurityHelperConfig.parse({}),
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmRlZmF1bHQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY29uZmlnL2NvbmZpZy5kZWZhdWx0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sQ0FBQyxNQUFNLEtBQUssQ0FBQztBQUNwQixPQUFPLEVBQUUsT0FBTyxFQUFFLE1BQU0sYUFBYSxDQUFDO0FBRXRDLE1BQU0sc0JBQXNCLEdBQUcsQ0FBQyxDQUFDLE1BQU0sQ0FBQztJQUN0QyxJQUFJLEVBQUUsQ0FBQyxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUM7SUFDMUIsT0FBTyxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDO0NBQzdCLENBQUMsQ0FBQztBQUdILE1BQU0sQ0FBQyxNQUFNLGFBQWEsR0FBRyxDQUFDLENBQUMsTUFBTSxDQUFDO0lBQ3BDLE9BQU8sRUFBRSxDQUFDLENBQUMsTUFBTSxFQUFFO0lBQ25CLE1BQU0sRUFBRSxDQUFDLENBQUMsTUFBTSxFQUFFO0NBQ25CLENBQUMsQ0FBQztBQUdILE1BQU0sMkJBQTJCLEdBQUcsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxhQUFhLENBQUUsQ0FBQyxDQUFDLEtBQUssRUFBRSxDQUFDO0FBQ25GLE1BQU0sd0JBQXdCLEdBQUcsQ0FBQyxDQUFDLFFBQVEsRUFBRTtLQUMxQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxhQUFhLEVBQUUsMkJBQTJCLENBQUUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBRSxDQUFDLENBQUMsTUFBTSxFQUFFLEVBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFFLENBQUMsRUFBRSxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUM7S0FDMUgsT0FBTyxDQUFDLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO0FBT3hCLE1BQU0sQ0FBQyxNQUFNLHNCQUFzQixHQUFHLENBQUMsQ0FBQyxJQUFJLENBQUM7SUFDM0MsTUFBTTtJQUNOLE1BQU07SUFDTixlQUFlO0lBQ2YsUUFBUTtJQUNSLFNBQVM7SUFDVCxLQUFLO0lBQ0wsZUFBZTtJQUNmLFFBQVE7SUFDUixLQUFLO0NBQ04sQ0FBQyxDQUFDO0FBR0g7O0dBRUc7QUFDSCxNQUFNLG9CQUFvQixHQUFHLENBQUMsQ0FBQyxRQUFRLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLFVBQVUsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztBQUczRixNQUFNLGFBQWEsR0FBRyxDQUFDLENBQUMsS0FBSyxDQUFDO0lBQzVCLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxFQUFFLG9CQUFvQjtDQUN2RCxDQUFDLENBQUM7QUFHSCxNQUFNLG1CQUFtQixHQUFHLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBRSxhQUFhLEVBQUUsYUFBYSxDQUFDLEtBQUssRUFBRSxDQUFFLENBQUMsQ0FBQyxRQUFRLEVBQUUsQ0FBQztBQUd6Rjs7O0dBR0c7QUFDSCxNQUFNLENBQUMsTUFBTSxjQUFjLEdBQUcsQ0FBQyxDQUFDLE1BQU0sQ0FBQztJQUNyQzs7OztPQUlHO0lBQ0gsZUFBZSxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNoRDs7OztPQUlHO0lBQ0gsaUJBQWlCLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO0lBQ2xEOzs7O09BSUc7SUFDSCxpQkFBaUIsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsc0JBQXNCLENBQUMsQ0FBRSxDQUFDO1NBQ3hFLE9BQU8sQ0FBQyxzQkFBc0IsQ0FBQyxPQUFPLENBQUM7SUFDMUM7O09BRUc7SUFDSCxJQUFJLEVBQUUsQ0FBQyxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsRUFBRTtRQUN2QixtRUFBbUU7UUFDbkUsSUFBSSxPQUFPLEdBQUcsS0FBSyxTQUFTLEVBQUUsQ0FBQztZQUM3QixPQUFPLEVBQUUsTUFBTSxFQUFFLEdBQUcsRUFBRSxDQUFDO1FBQ3pCLENBQUM7UUFDRCxPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUMsRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ1YsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDO1FBQ2pDOzs7O1dBSUc7UUFDSCxJQUFJLEVBQUUsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFFLFFBQVEsRUFBRSxTQUFTLEVBQUUsS0FBSyxFQUFFLEtBQUssQ0FBRSxDQUFDLENBQUMsT0FBTyxDQUFDLFFBQVEsQ0FBQztRQUNyRTs7Ozs7O1dBTUc7UUFDSCxVQUFVLEVBQUUsQ0FBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQyxLQUFLLENBQUM7UUFDdEM7Ozs7V0FJRztRQUNILFVBQVUsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUUsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUM7UUFDN0U7Ozs7V0FJRztRQUNILFdBQVcsRUFBRSxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUMsT0FBTyxDQUFDLFdBQVcsQ0FBQztRQUM1Qzs7OztXQUlHO1FBQ0gsVUFBVSxFQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxPQUFPLENBQUMsY0FBYyxDQUFDO1FBQzlDOzs7O1dBSUc7UUFDSCxRQUFRLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFFLENBQUMsQ0FBQyxPQUFPLENBQUMsT0FBTyxDQUFDO1FBQ3ZFOzs7O1dBSUc7UUFDSCxTQUFTLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFFLENBQUMsQ0FBQyxPQUFPLENBQUMsT0FBTyxDQUFDO1FBQ3hFOzs7O1dBSUc7UUFDSCxpQkFBaUIsRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQztRQUM3Qzs7OztXQUlHO1FBQ0gsVUFBVSxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDO1FBQ3RDOzs7OztXQUtHO1FBQ0gsWUFBWSxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUM7WUFDcEIsQ0FBQyxDQUFDLE1BQU0sRUFBRTtZQUNWLENBQUMsQ0FBQyxRQUFRLEVBQUU7aUJBQ1QsSUFBSSxDQUFDLENBQUMsQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUM7aUJBQzNCLE9BQU8sQ0FBQyxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUM7U0FDdkIsQ0FBQyxDQUFDLFFBQVEsRUFBRTtRQUNiOztXQUVHO1FBQ0gsaUJBQWlCLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxzQkFBc0IsQ0FBQzthQUMvQyxPQUFPLENBQUM7WUFDUCxFQUFFLElBQUksRUFBRSxLQUFLLEVBQUUsT0FBTyxFQUFFLENBQUUsTUFBTSxFQUFFLE9BQU8sRUFBRSxRQUFRLEVBQUUsS0FBSyxFQUFFLFNBQVMsQ0FBRSxFQUFFO1NBQzFFLENBQUM7UUFDSjs7Ozs7V0FLRztRQUNILGdCQUFnQixFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztRQUNqRDs7Ozs7Ozs7V0FRRztRQUNILGFBQWEsRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1lBQ3RCLE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFO1lBQ25CLFFBQVEsRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFO1lBQ3JCLFNBQVMsRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFO1NBQ3ZCLENBQUMsQ0FBQyxPQUFPLENBQUM7WUFDVCxNQUFNLEVBQUUsS0FBSztZQUNiLFFBQVEsRUFBRSxLQUFLO1lBQ2YsU0FBUyxFQUFFLElBQUk7U0FDaEIsQ0FBQztLQUNILENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDLENBQUM7SUFDZjs7T0FFRztJQUNILE1BQU0sRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ2YsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDO1FBQ2pDOzs7O1dBSUc7UUFDSCxLQUFLLEVBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLE9BQU8sQ0FBQyxZQUFZLENBQUM7S0FDeEMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7SUFDZDs7T0FFRztJQUNILElBQUksRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ2IsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDO1FBQ2xDOzs7O1dBSUc7UUFDSCxNQUFNLEVBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLE9BQU8sQ0FBQyxHQUFHLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQztRQUMzQzs7OztXQUlHO1FBQ0gsaUJBQWlCLEVBQUUsQ0FBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQyxLQUFLLENBQUM7S0FDOUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7SUFDZDs7T0FFRztJQUNILGFBQWEsRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ3RCLEtBQUssRUFBRSxtQkFBbUI7UUFDMUIsTUFBTSxFQUFFLG1CQUFtQjtRQUMzQjs7V0FFRztRQUNILE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQztLQUNsQyxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNkOztPQUVHO0lBQ0gsTUFBTSxFQUFFLENBQUMsQ0FBQyxNQUFNLENBQUM7UUFDZixLQUFLLEVBQUUsbUJBQW1CO1FBQzFCLE1BQU0sRUFBRSxtQkFBbUI7UUFDM0I7O1dBRUc7UUFDSCxNQUFNLEVBQUUsQ0FBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUM7S0FDbEMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7SUFDZDs7T0FFRztJQUNILE9BQU8sRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ2hCLEtBQUssRUFBRSxtQkFBbUI7UUFDMUIsTUFBTSxFQUFFLG1CQUFtQjtRQUMzQjs7V0FFRztRQUNILE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQztLQUNsQyxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNkOztPQUVHO0lBQ0gsYUFBYSxFQUFFLENBQUMsQ0FBQyxNQUFNLENBQUM7UUFDdEIsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDO1FBQ2pDOzs7O1dBSUc7UUFDSCxLQUFLLEVBQUUsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxNQUFNLEVBQUUsQ0FBQyxPQUFPLENBQUMsZUFBZSxDQUFDO0tBQ2xELENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO0lBQ2Q7O09BRUc7SUFDSCxHQUFHLEVBQUUsQ0FBQyxDQUFDLE1BQU0sQ0FBQztRQUNaLEtBQUssRUFBRSxtQkFBbUI7UUFDMUIsTUFBTSxFQUFFLG1CQUFtQjtRQUMzQjs7V0FFRztRQUNILE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQztRQUNsQyxxRUFBcUU7UUFDckUsTUFBTSxFQUFFLENBQUMsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBRSxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ3ZGOzs7V0FHRztRQUNILFVBQVUsRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsUUFBUSxFQUFFO1FBQ2xDOzs7V0FHRztRQUNILFNBQVMsRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsUUFBUSxFQUFFO0tBQ2xDLENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO0lBQ2Q7OztPQUdHO0lBQ0gsY0FBYyxFQUFFLENBQUMsQ0FBQyxNQUFNLENBQUM7UUFDdkIsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDO1FBQ2xDOzs7O1dBSUc7UUFDSCxLQUFLLEVBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLE9BQU8sQ0FBQyw0QkFBNEIsQ0FBQztLQUN4RCxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNkOztPQUVHO0lBQ0gsR0FBRyxFQUFFLENBQUMsQ0FBQyxNQUFNLENBQUM7UUFDWixLQUFLLEVBQUUsbUJBQW1CO1FBQzFCLE1BQU0sRUFBRSxtQkFBbUI7UUFDM0I7O1dBRUc7UUFDSCxNQUFNLEVBQUUsQ0FBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUM7S0FDbEMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7SUFDZCxJQUFJLEVBQUUsQ0FBQyxDQUFDLE1BQU0sQ0FBQztRQUNiLFdBQVcsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFDLFFBQVEsRUFBRTtRQUMzQyxlQUFlLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxRQUFRLEVBQUU7UUFDL0MscUJBQXFCLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxRQUFRLEVBQUU7UUFDckQsWUFBWSxFQUFFLHdCQUF3QixDQUFDLFFBQVEsRUFBRTtLQUNsRCxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNkLEtBQUssRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsYUFBYSxFQUFFLGFBQWEsQ0FBQyxLQUFLLEVBQUUsQ0FBRSxDQUFDLENBQUMsUUFBUSxFQUFFO0lBQ25FLE1BQU0sRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsYUFBYSxFQUFFLGFBQWEsQ0FBQyxLQUFLLEVBQUUsQ0FBRSxDQUFDLENBQUMsUUFBUSxFQUFFO0lBQ3BFLHNCQUFzQixFQUFFLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUMsUUFBUSxFQUFFLENBQUMsUUFBUSxFQUFFO0NBQ2hFLENBQUMsQ0FBQztBQUdILE1BQU0sOEJBQThCLEdBQUcsQ0FBQyxDQUFDLFFBQVEsRUFBRTtLQUNoRCxJQUFJLENBQUMsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLENBQUMsTUFBTSxFQUFFLEVBQUUsQ0FBQyxDQUFDLE9BQU8sRUFBRSxDQUFDO0tBQ3JELE9BQU8sQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsQ0FBQyxJQUFJLEVBQUUsQ0FBRSxDQUFDLENBQUMsQ0FBQztBQU85QyxNQUFNLENBQUMsTUFBTSxvQkFBb0IsR0FBRyxDQUFDLENBQUMsTUFBTSxDQUFDO0lBQzNDLEtBQUssRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ2Q7O1dBRUc7UUFDSCxTQUFTLEVBQUUsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFDLENBQUMsUUFBUSxFQUFFO1FBQ25EOzs7V0FHRztRQUNILGVBQWUsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFDLFFBQVEsRUFBRTtRQUMvQzs7V0FFRztRQUNILFNBQVMsRUFBRSw4QkFBOEIsQ0FBQyxRQUFRLEVBQUU7S0FDckQsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7Q0FDZixDQUFDLENBQUM7QUFHSCxlQUFlO0lBQ2IsUUFBUSxFQUFFLGNBQWMsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDO0lBQ2xDLE1BQU0sRUFBRSxvQkFBb0IsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDO0NBQ3ZDLENBQUMifQ==

package/dist/esm/config/config.local.d.ts

@@ -0,0 +1,5 @@
+import { SecurityConfig } from '../types.js';
+declare const _default: {
+    security: SecurityConfig;
+};
+export default _default;

package/dist/esm/config/config.local.js

@@ -0,0 +1,8 @@
+export default {
+    security: {
+        hsts: {
+            enable: false,
+        },
+    },
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmxvY2FsLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NvbmZpZy9jb25maWcubG9jYWwudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBRUEsZUFBZTtJQUNiLFFBQVEsRUFBRTtRQUNSLElBQUksRUFBRTtZQUNKLE1BQU0sRUFBRSxLQUFLO1NBQ2Q7S0FDZ0I7Q0FDcEIsQ0FBQyJ9

package/dist/esm/index.d.ts

@@ -0,0 +1 @@
+import './types.js';

package/dist/esm/index.js

@@ -0,0 +1,12 @@
+import './types.js';
+// module.exports = require('./app/middleware/securities');
+// module.exports.csp = require('./lib/middlewares/csp');
+// module.exports.csrf = require('./lib/middlewares/csrf');
+// module.exports.methodNoAllow = require('./lib/middlewares/methodnoallow');
+// module.exports.noopen = require('./lib/middlewares/noopen');
+// module.exports.nosniff = require('./lib/middlewares/nosniff');
+// module.exports.xssProtection = require('./lib/middlewares/xssProtection');
+// module.exports.xframe = require('./lib/middlewares/xframe');
+// module.exports.safeRedirect = require('./lib/safe_redirect');
+// module.exports.utils = require('./lib/utils');
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxZQUFZLENBQUM7QUFFcEIsMkRBQTJEO0FBQzNELHlEQUF5RDtBQUN6RCwyREFBMkQ7QUFDM0QsNkVBQTZFO0FBQzdFLCtEQUErRDtBQUMvRCxpRUFBaUU7QUFDakUsNkVBQTZFO0FBQzdFLCtEQUErRDtBQUMvRCxnRUFBZ0U7QUFDaEUsaURBQWlEIn0=

package/dist/esm/lib/extend/safe_curl.d.ts

@@ -0,0 +1,16 @@
+import { EggCore } from '@eggjs/core';
+import type { SSRFCheckAddressFunction } from '../../types.js';
+type HttpClient = EggCore['HttpClient'];
+type HttpClientParameters = Parameters<HttpClient['prototype']['request']>;
+export type HttpClientRequestURL = HttpClientParameters[0];
+export type HttpClientOptions = HttpClientParameters[1] & {
+    checkAddress?: SSRFCheckAddressFunction;
+};
+export type HttpClientResponse<T = any> = Awaited<ReturnType<HttpClient['prototype']['request']>> & {
+    data: T;
+};
+/**
+ * safe curl with ssrf protection
+ */
+export declare function safeCurlForApplication<T = any>(app: EggCore, url: HttpClientRequestURL, options?: HttpClientOptions): Promise<import("urllib").HttpClientResponse<T>>;
+export {};

package/dist/esm/lib/extend/safe_curl.js

@@ -0,0 +1,25 @@
+const SSRF_HTTPCLIENT = Symbol('SSRF_HTTPCLIENT');
+/**
+ * safe curl with ssrf protection
+ */
+export async function safeCurlForApplication(app, url, options = {}) {
+    const ssrfConfig = app.config.security.ssrf;
+    if (ssrfConfig?.checkAddress) {
+        options.checkAddress = ssrfConfig.checkAddress;
+    }
+    else {
+        app.logger.warn('[@eggjs/security] please configure `config.security.ssrf` first');
+    }
+    if (ssrfConfig?.checkAddress) {
+        let httpClient = app[SSRF_HTTPCLIENT];
+        // use the new httpClient init with checkAddress
+        if (!httpClient) {
+            httpClient = app[SSRF_HTTPCLIENT] = app.createHttpClient({
+                checkAddress: ssrfConfig.checkAddress,
+            });
+        }
+        return await httpClient.request(url, options);
+    }
+    return await app.curl(url, options);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2FmZV9jdXJsLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9leHRlbmQvc2FmZV9jdXJsLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUdBLE1BQU0sZUFBZSxHQUFHLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDO0FBUWxEOztHQUVHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxzQkFBc0IsQ0FBVSxHQUFZLEVBQUUsR0FBeUIsRUFBRSxVQUE2QixFQUFFO0lBQzVILE1BQU0sVUFBVSxHQUFHLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQztJQUM1QyxJQUFJLFVBQVUsRUFBRSxZQUFZLEVBQUUsQ0FBQztRQUM3QixPQUFPLENBQUMsWUFBWSxHQUFHLFVBQVUsQ0FBQyxZQUFZLENBQUM7SUFDakQsQ0FBQztTQUFNLENBQUM7UUFDTixHQUFHLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxpRUFBaUUsQ0FBQyxDQUFDO0lBQ3JGLENBQUM7SUFFRCxJQUFJLFVBQVUsRUFBRSxZQUFZLEVBQUUsQ0FBQztRQUM3QixJQUFJLFVBQVUsR0FBRyxHQUFHLENBQUMsZUFBZSxDQUE0QyxDQUFDO1FBQ2pGLGdEQUFnRDtRQUNoRCxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7WUFDaEIsVUFBVSxHQUFHLEdBQUcsQ0FBQyxlQUFlLENBQUMsR0FBRyxHQUFHLENBQUMsZ0JBQWdCLENBQUM7Z0JBQ3ZELFlBQVksRUFBRSxVQUFVLENBQUMsWUFBWTthQUN0QyxDQUFDLENBQUM7UUFDTCxDQUFDO1FBQ0QsT0FBTyxNQUFNLFVBQVUsQ0FBQyxPQUFPLENBQUksR0FBRyxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBQ25ELENBQUM7SUFFRCxPQUFPLE1BQU0sR0FBRyxDQUFDLElBQUksQ0FBSSxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7QUFDekMsQ0FBQyJ9

package/dist/esm/lib/helper/cliFilter.d.ts

@@ -0,0 +1,4 @@
+/**
+ * remote command execution
+ */
+export default function cliFilter(text: string): string;

package/dist/esm/lib/helper/cliFilter.js

@@ -0,0 +1,17 @@
+/**
+ * remote command execution
+ */
+const BASIC_ALPHABETS = new Set('abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ.-_'.split(''));
+export default function cliFilter(text) {
+    const str = '' + text;
+    let res = '';
+    let ascii;
+    for (let index = 0; index < str.length; index++) {
+        ascii = str[index];
+        if (BASIC_ALPHABETS.has(ascii)) {
+            res += ascii;
+        }
+    }
+    return res;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xpRmlsdGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvY2xpRmlsdGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBRUgsTUFBTSxlQUFlLEdBQUcsSUFBSSxHQUFHLENBQUMsbUVBQW1FLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7QUFFL0csTUFBTSxDQUFDLE9BQU8sVUFBVSxTQUFTLENBQUMsSUFBWTtJQUM1QyxNQUFNLEdBQUcsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDO0lBQ3RCLElBQUksR0FBRyxHQUFHLEVBQUUsQ0FBQztJQUNiLElBQUksS0FBSyxDQUFDO0lBRVYsS0FBSyxJQUFJLEtBQUssR0FBRyxDQUFDLEVBQUUsS0FBSyxHQUFHLEdBQUcsQ0FBQyxNQUFNLEVBQUUsS0FBSyxFQUFFLEVBQUUsQ0FBQztRQUNoRCxLQUFLLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBQ25CLElBQUksZUFBZSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQy9CLEdBQUcsSUFBSSxLQUFLLENBQUM7UUFDZixDQUFDO0lBQ0gsQ0FBQztJQUVELE9BQU8sR0FBRyxDQUFDO0FBQ2IsQ0FBQyJ9

package/dist/esm/lib/helper/escape.d.ts

@@ -0,0 +1,2 @@
+import escapeHTML from 'escape-html';
+export default escapeHTML;

package/dist/esm/lib/helper/escape.js

@@ -0,0 +1,3 @@
+import escapeHTML from 'escape-html';
+export default escapeHTML;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvZXNjYXBlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sVUFBVSxNQUFNLGFBQWEsQ0FBQztBQUVyQyxlQUFlLFVBQVUsQ0FBQyJ9

package/dist/esm/lib/helper/escapeShellArg.d.ts

@@ -0,0 +1 @@
+export default function escapeShellArg(text: string): string;

package/dist/esm/lib/helper/escapeShellArg.js

@@ -0,0 +1,5 @@
+export default function escapeShellArg(text) {
+    const str = '' + text;
+    return '\'' + str.replace(/\\/g, '\\\\').replace(/\'/g, '\\\'') + '\'';
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlU2hlbGxBcmcuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9lc2NhcGVTaGVsbEFyZy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxNQUFNLENBQUMsT0FBTyxVQUFVLGNBQWMsQ0FBQyxJQUFZO0lBQ2pELE1BQU0sR0FBRyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUM7SUFDdEIsT0FBTyxJQUFJLEdBQUcsR0FBRyxDQUFDLE9BQU8sQ0FBQyxLQUFLLEVBQUUsTUFBTSxDQUFDLENBQUMsT0FBTyxDQUFDLEtBQUssRUFBRSxNQUFNLENBQUMsR0FBRyxJQUFJLENBQUM7QUFDekUsQ0FBQyJ9

package/dist/esm/lib/helper/escapeShellCmd.d.ts

@@ -0,0 +1 @@
+export default function escapeShellCmd(text: string): string;

package/dist/esm/lib/helper/escapeShellCmd.js

@@ -0,0 +1,14 @@
+const BASIC_ALPHABETS = new Set('#&;`|*?~<>^()[]{}$;\'",\x0A\xFF'.split(''));
+export default function escapeShellCmd(text) {
+    const str = '' + text;
+    let res = '';
+    let ascii;
+    for (let index = 0; index < str.length; index++) {
+        ascii = str[index];
+        if (!BASIC_ALPHABETS.has(ascii)) {
+            res += ascii;
+        }
+    }
+    return res;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlU2hlbGxDbWQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9lc2NhcGVTaGVsbENtZC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxNQUFNLGVBQWUsR0FBRyxJQUFJLEdBQUcsQ0FBQyxpQ0FBaUMsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztBQUU3RSxNQUFNLENBQUMsT0FBTyxVQUFVLGNBQWMsQ0FBQyxJQUFZO0lBQ2pELE1BQU0sR0FBRyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUM7SUFDdEIsSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO0lBQ2IsSUFBSSxLQUFLLENBQUM7SUFFVixLQUFLLElBQUksS0FBSyxHQUFHLENBQUMsRUFBRSxLQUFLLEdBQUcsR0FBRyxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsRUFBRSxDQUFDO1FBQ2hELEtBQUssR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDbkIsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUNoQyxHQUFHLElBQUksS0FBSyxDQUFDO1FBQ2YsQ0FBQztJQUNILENBQUM7SUFFRCxPQUFPLEdBQUcsQ0FBQztBQUNiLENBQUMifQ==

package/dist/esm/lib/helper/index.d.ts

@@ -0,0 +1,21 @@
+import cliFilter from './cliFilter.js';
+import escape from './escape.js';
+import escapeShellArg from './escapeShellArg.js';
+import escapeShellCmd from './escapeShellCmd.js';
+import shtml from './shtml.js';
+import sjs from './sjs.js';
+import sjson from './sjson.js';
+import spath from './spath.js';
+import surl from './surl.js';
+declare const _default: {
+    cliFilter: typeof cliFilter;
+    escape: typeof escape;
+    escapeShellArg: typeof escapeShellArg;
+    escapeShellCmd: typeof escapeShellCmd;
+    shtml: typeof shtml;
+    sjs: typeof sjs;
+    sjson: typeof sjson;
+    spath: typeof spath;
+    surl: typeof surl;
+};
+export default _default;

package/dist/esm/lib/helper/index.js

@@ -0,0 +1,21 @@
+import cliFilter from './cliFilter.js';
+import escape from './escape.js';
+import escapeShellArg from './escapeShellArg.js';
+import escapeShellCmd from './escapeShellCmd.js';
+import shtml from './shtml.js';
+import sjs from './sjs.js';
+import sjson from './sjson.js';
+import spath from './spath.js';
+import surl from './surl.js';
+export default {
+    cliFilter,
+    escape,
+    escapeShellArg,
+    escapeShellCmd,
+    shtml,
+    sjs,
+    sjson,
+    spath,
+    surl,
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLFNBQVMsTUFBTSxnQkFBZ0IsQ0FBQztBQUN2QyxPQUFPLE1BQU0sTUFBTSxhQUFhLENBQUM7QUFDakMsT0FBTyxjQUFjLE1BQU0scUJBQXFCLENBQUM7QUFDakQsT0FBTyxjQUFjLE1BQU0scUJBQXFCLENBQUM7QUFDakQsT0FBTyxLQUFLLE1BQU0sWUFBWSxDQUFDO0FBQy9CLE9BQU8sR0FBRyxNQUFNLFVBQVUsQ0FBQztBQUMzQixPQUFPLEtBQUssTUFBTSxZQUFZLENBQUM7QUFDL0IsT0FBTyxLQUFLLE1BQU0sWUFBWSxDQUFDO0FBQy9CLE9BQU8sSUFBSSxNQUFNLFdBQVcsQ0FBQztBQUU3QixlQUFlO0lBQ2IsU0FBUztJQUNULE1BQU07SUFDTixjQUFjO0lBQ2QsY0FBYztJQUNkLEtBQUs7SUFDTCxHQUFHO0lBQ0gsS0FBSztJQUNMLEtBQUs7SUFDTCxJQUFJO0NBQ0wsQ0FBQyJ9

package/dist/esm/lib/helper/shtml.d.ts

@@ -0,0 +1,2 @@
+import type { BaseContextClass } from '@eggjs/core';
+export default function shtml(this: BaseContextClass, val: string): string;

package/dist/esm/lib/helper/shtml.js

@@ -0,0 +1,70 @@
+import xss from 'xss';
+import { isSafeDomain, getFromUrl } from '../utils.js';
+const BUILD_IN_ON_TAG_ATTR = Symbol('buildInOnTagAttr');
+// default rule: https://github.com/leizongmin/js-xss/blob/master/lib/default.js
+// add domain filter based on xss module
+// custom options http://jsxss.com/zh/options.html
+// eg: support a tag，filter attributes except for title : whiteList: {a: ['title']}
+export default function shtml(val) {
+    if (typeof val !== 'string') {
+        return val;
+    }
+    const securityOptions = this.ctx.securityOptions;
+    let buildInOnTagAttrHandler;
+    const shtmlConfig = {
+        ...this.app.config.helper.shtml,
+        ...securityOptions.shtml,
+        [BUILD_IN_ON_TAG_ATTR]: buildInOnTagAttrHandler,
+    };
+    const domainWhiteList = this.app.config.security.domainWhiteList;
+    const app = this.app;
+    // filter href and src attribute if not in domain white list
+    if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
+        shtmlConfig[BUILD_IN_ON_TAG_ATTR] = (_tag, name, value, isWhiteAttr) => {
+            if (isWhiteAttr && (name === 'href' || name === 'src')) {
+                if (!value) {
+                    return;
+                }
+                value = String(value);
+                if (value[0] === '/' || value[0] === '#') {
+                    return;
+                }
+                const hostname = getFromUrl(value, 'hostname');
+                if (!hostname) {
+                    return;
+                }
+                // If we don't have our hostname in the app.security.domainWhiteList,
+                // Just check for `shtmlConfig.domainWhiteList` and `ctx.whiteList`.
+                if (!isSafeDomain(hostname, domainWhiteList)) {
+                    // Check for `shtmlConfig.domainWhiteList` first (duplicated now)
+                    if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length > 0) {
+                        app.deprecate('[@eggjs/security/lib/helper/shtml] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.');
+                        if (!isSafeDomain(hostname, shtmlConfig.domainWhiteList)) {
+                            return '';
+                        }
+                    }
+                    else {
+                        return '';
+                    }
+                }
+            }
+        };
+        // avoid overriding user configuration 'onTagAttr'
+        if (shtmlConfig.onTagAttr) {
+            const customOnTagAttrHandler = shtmlConfig.onTagAttr;
+            shtmlConfig.onTagAttr = function (tag, name, value, isWhiteAttr) {
+                const result = customOnTagAttrHandler.apply(this, [tag, name, value, isWhiteAttr]);
+                if (result !== undefined) {
+                    return result;
+                }
+                // fallback to build-in handler
+                return shtmlConfig[BUILD_IN_ON_TAG_ATTR].apply(this, [tag, name, value, isWhiteAttr]);
+            };
+        }
+        else {
+            shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
+        }
+    }
+    return xss(val, shtmlConfig);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2h0bWwuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zaHRtbC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFDQSxPQUFPLEdBQUcsTUFBTSxLQUFLLENBQUM7QUFDdEIsT0FBTyxFQUFFLFlBQVksRUFBRSxVQUFVLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFHdkQsTUFBTSxvQkFBb0IsR0FBRyxNQUFNLENBQUMsa0JBQWtCLENBQUMsQ0FBQztBQUV4RCxnRkFBZ0Y7QUFDaEYsd0NBQXdDO0FBQ3hDLGtEQUFrRDtBQUNsRCxtRkFBbUY7QUFDbkYsTUFBTSxDQUFDLE9BQU8sVUFBVSxLQUFLLENBQXlCLEdBQVc7SUFDL0QsSUFBSSxPQUFPLEdBQUcsS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUM1QixPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUM7SUFFRCxNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLGVBQWUsQ0FBQztJQUNqRCxJQUFJLHVCQUFtRSxDQUFDO0lBQ3hFLE1BQU0sV0FBVyxHQUFHO1FBQ2xCLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLEtBQUs7UUFDL0IsR0FBRyxlQUFlLENBQUMsS0FBSztRQUN4QixDQUFDLG9CQUFvQixDQUFDLEVBQUUsdUJBQXVCO0tBQ2hELENBQUM7SUFDRixNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsZUFBZSxDQUFDO0lBQ2pFLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUM7SUFDckIsNERBQTREO0lBQzVELElBQUksQ0FBQyxXQUFXLENBQUMsb0JBQW9CLENBQUMsRUFBRSxDQUFDO1FBQ3ZDLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBQyxHQUFHLENBQUMsSUFBSSxFQUFFLElBQUksRUFBRSxLQUFLLEVBQUUsV0FBVyxFQUFFLEVBQUU7WUFDckUsSUFBSSxXQUFXLElBQUksQ0FBQyxJQUFJLEtBQUssTUFBTSxJQUFJLElBQUksS0FBSyxLQUFLLENBQUMsRUFBRSxDQUFDO2dCQUN2RCxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7b0JBQ1gsT0FBTztnQkFDVCxDQUFDO2dCQUVELEtBQUssR0FBRyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUM7Z0JBQ3RCLElBQUksS0FBSyxDQUFDLENBQUMsQ0FBQyxLQUFLLEdBQUcsSUFBSSxLQUFLLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxFQUFFLENBQUM7b0JBQ3pDLE9BQU87Z0JBQ1QsQ0FBQztnQkFFRCxNQUFNLFFBQVEsR0FBRyxVQUFVLENBQUMsS0FBSyxFQUFFLFVBQVUsQ0FBQyxDQUFDO2dCQUMvQyxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7b0JBQ2QsT0FBTztnQkFDVCxDQUFDO2dCQUVELHFFQUFxRTtnQkFDckUsb0VBQW9FO2dCQUNwRSxJQUFJLENBQUMsWUFBWSxDQUFDLFFBQVEsRUFBRSxlQUFlLENBQUMsRUFBRSxDQUFDO29CQUM3QyxpRUFBaUU7b0JBQ2pFLElBQUksV0FBVyxDQUFDLGVBQWUsSUFBSSxXQUFXLENBQUMsZUFBZSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQzt3QkFDMUUsR0FBRyxDQUFDLFNBQVMsQ0FBQyxvSkFBb0osQ0FBQyxDQUFDO3dCQUNwSyxJQUFJLENBQUMsWUFBWSxDQUFDLFFBQVEsRUFBRSxXQUFXLENBQUMsZUFBZSxDQUFDLEVBQUUsQ0FBQzs0QkFDekQsT0FBTyxFQUFFLENBQUM7d0JBQ1osQ0FBQztvQkFDSCxDQUFDO3lCQUFNLENBQUM7d0JBQ04sT0FBTyxFQUFFLENBQUM7b0JBQ1osQ0FBQztnQkFDSCxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUMsQ0FBQztRQUVGLGtEQUFrRDtRQUNsRCxJQUFJLFdBQVcsQ0FBQyxTQUFTLEVBQUUsQ0FBQztZQUMxQixNQUFNLHNCQUFzQixHQUFHLFdBQVcsQ0FBQyxTQUFTLENBQUM7WUFDckQsV0FBVyxDQUFDLFNBQVMsR0FBRyxVQUFTLEdBQUcsRUFBRSxJQUFJLEVBQUUsS0FBSyxFQUFFLFdBQVc7Z0JBQzVELE1BQU0sTUFBTSxHQUFHLHNCQUFzQixDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUUsQ0FBRSxHQUFHLEVBQUUsSUFBSSxFQUFFLEtBQUssRUFBRSxXQUFXLENBQUUsQ0FBQyxDQUFDO2dCQUNyRixJQUFJLE1BQU0sS0FBSyxTQUFTLEVBQUUsQ0FBQztvQkFDekIsT0FBTyxNQUFNLENBQUM7Z0JBQ2hCLENBQUM7Z0JBQ0QsK0JBQStCO2dCQUMvQixPQUFPLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBRSxDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUUsQ0FBRSxHQUFHLEVBQUUsSUFBSSxFQUFFLEtBQUssRUFBRSxXQUFXLENBQUUsQ0FBQyxDQUFDO1lBQzNGLENBQUMsQ0FBQztRQUNKLENBQUM7YUFBTSxDQUFDO1lBQ04sV0FBVyxDQUFDLFNBQVMsR0FBRyxXQUFXLENBQUMsb0JBQW9CLENBQUMsQ0FBQztRQUM1RCxDQUFDO0lBQ0gsQ0FBQztJQUVELE9BQU8sR0FBRyxDQUFDLEdBQUcsRUFBRSxXQUFXLENBQUMsQ0FBQztBQUMvQixDQUFDIn0=

package/dist/esm/lib/helper/sjs.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Escape JavaScript to \xHH format
+ */
+export default function escapeJavaScript(text: string): string;