@eggjs/security 4.0.0

package/dist/esm/lib/utils.js

@@ -0,0 +1,194 @@
+import { normalize } from 'node:path';
+import matcher from 'matcher';
+import IP from '@eggjs/ip';
+/**
+ * Check whether a domain is in the safe domain white list or not.
+ * @param {String} domain The inputted domain.
+ * @param {Array<string>} whiteList The white list for domain.
+ * @return {Boolean} If the `domain` is in the white list, return true; otherwise false.
+ */
+export function isSafeDomain(domain, whiteList) {
+    // domain must be string, otherwise return false
+    if (typeof domain !== 'string')
+        return false;
+    // Ignore case sensitive first
+    domain = domain.toLowerCase();
+    // add prefix `.`, because all domains in white list start with `.`
+    const hostname = '.' + domain;
+    return whiteList.some(rule => {
+        // Check whether we've got '*' as a wild character symbol
+        if (rule.includes('*')) {
+            return matcher.isMatch(domain, rule);
+        }
+        // If domain is an absolute path such as `http://...`
+        // We can directly check whether it directly equals to `domain`
+        // And we don't need to cope with `endWith`.
+        if (domain === rule)
+            return true;
+        // ensure wwweggjs.com not match eggjs.com
+        if (!/^\./.test(rule))
+            rule = `.${rule}`;
+        return hostname.endsWith(rule);
+    });
+}
+export function isSafePath(path, ctx) {
+    path = '.' + path;
+    if (path.includes('%')) {
+        try {
+            path = decodeURIComponent(path);
+        }
+        catch (e) {
+            if (ctx.app.config.env === 'local' || ctx.app.config.env === 'unittest') {
+                // not under production environment, output log
+                ctx.coreLogger.warn('[@eggjs/security: dta global block] : decode file path %j failed.', path);
+            }
+        }
+    }
+    const normalizePath = normalize(path);
+    return !(normalizePath.startsWith('../') || normalizePath.startsWith('..\\'));
+}
+export function checkIfIgnore(opts, ctx) {
+    // check opts.enable first
+    if (!opts.enable)
+        return true;
+    return !opts.matching?.(ctx);
+}
+const IP_RE = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
+const topDomains = {};
+[
+    '.net.cn', '.gov.cn', '.org.cn', '.com.cn',
+].forEach(item => {
+    topDomains[item] = 2 - item.split('.').length;
+});
+export function getCookieDomain(hostname) {
+    // TODO(fengmk2): support ipv6
+    if (IP_RE.test(hostname)) {
+        return hostname;
+    }
+    // app.test.domain.com => .test.domain.com
+    // app.stable.domain.com => .domain.com
+    // app.domain.com => .domain.com
+    // domain=.domain.com;
+    const splits = hostname.split('.');
+    let index = -2;
+    // only when `*.test.*.com` set `.test.*.com`
+    if (splits.length >= 4 && splits[splits.length - 3] === 'test') {
+        index = -3;
+    }
+    let domain = getDomain(splits, index);
+    if (topDomains[domain]) {
+        // app.foo.org.cn => .foo.org.cn
+        domain = getDomain(splits, index + topDomains[domain]);
+    }
+    return domain;
+}
+function getDomain(splits, index) {
+    return '.' + splits.slice(index).join('.');
+}
+export function merge(origin, opts) {
+    if (!opts) {
+        return origin;
+    }
+    const res = {};
+    const originKeys = Object.keys(origin);
+    for (let i = 0; i < originKeys.length; i++) {
+        const key = originKeys[i];
+        res[key] = origin[key];
+    }
+    const keys = Object.keys(opts);
+    for (let i = 0; i < keys.length; i++) {
+        const key = keys[i];
+        res[key] = opts[key];
+    }
+    return res;
+}
+export function preprocessConfig(config) {
+    // transfer ssrf.ipBlackList to ssrf.checkAddress
+    // ssrf.ipExceptionList can easily pick out unwanted ips from ipBlackList
+    // checkAddress has higher priority than ipBlackList
+    const ssrf = config.ssrf;
+    if (ssrf && ssrf.ipBlackList && !ssrf.checkAddress) {
+        const blackList = ssrf.ipBlackList.map(getContains);
+        const exceptionList = (ssrf.ipExceptionList || []).map(getContains);
+        const hostnameExceptionList = ssrf.hostnameExceptionList;
+        ssrf.checkAddress = (ipAddresses, _family, hostname) => {
+            // Check white hostname first
+            if (hostname && hostnameExceptionList) {
+                if (hostnameExceptionList.includes(hostname)) {
+                    return true;
+                }
+            }
+            // ipAddresses will be array address on Node.js >= 20
+            // [
+            //   { address: '220.181.125.241', family: 4 },
+            //   { address: '240e:964:ea02:b00:3::3ec', family: 6 }
+            // ]
+            if (!Array.isArray(ipAddresses)) {
+                ipAddresses = [ipAddresses];
+            }
+            for (const ipAddress of ipAddresses) {
+                let address;
+                if (typeof ipAddress === 'string') {
+                    address = ipAddress;
+                }
+                else {
+                    // FIXME: should support ipv6
+                    if (ipAddress.family === 6) {
+                        continue;
+                    }
+                    address = ipAddress.address;
+                }
+                // check white list first
+                for (const exception of exceptionList) {
+                    if (exception(address)) {
+                        return true;
+                    }
+                }
+                // check black list
+                for (const contains of blackList) {
+                    if (contains(address)) {
+                        return false;
+                    }
+                }
+            }
+            // default allow
+            return true;
+        };
+    }
+    // Make sure that `whiteList` or `protocolWhiteList` is case insensitive
+    config.domainWhiteList = config.domainWhiteList || [];
+    config.domainWhiteList = config.domainWhiteList.map((domain) => domain.toLowerCase());
+    config.protocolWhiteList = config.protocolWhiteList || [];
+    config.protocolWhiteList = config.protocolWhiteList.map((protocol) => protocol.toLowerCase());
+    // Make sure refererWhiteList is case insensitive
+    if (config.csrf && config.csrf.refererWhiteList) {
+        config.csrf.refererWhiteList = config.csrf.refererWhiteList.map((ref) => ref.toLowerCase());
+    }
+    // Directly converted to Set collection by a private property (not documented),
+    // And we NO LONGER need to do conversion in `foreach` again and again in `lib/helper/surl.ts`.
+    const protocolWhiteListSet = new Set(config.protocolWhiteList);
+    protocolWhiteListSet.add('http');
+    protocolWhiteListSet.add('https');
+    protocolWhiteListSet.add('file');
+    protocolWhiteListSet.add('data');
+    Object.defineProperty(config, '__protocolWhiteListSet', {
+        value: protocolWhiteListSet,
+        enumerable: false,
+    });
+}
+export function getFromUrl(url, prop) {
+    try {
+        const parsed = new URL(url);
+        return prop ? Reflect.get(parsed, prop) : parsed;
+    }
+    catch {
+        return null;
+    }
+}
+function getContains(ip) {
+    if (IP.isV4Format(ip) || IP.isV6Format(ip)) {
+        return (address) => address === ip;
+    }
+    return IP.cidrSubnet(ip).contains;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidXRpbHMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL3V0aWxzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSxXQUFXLENBQUM7QUFDdEMsT0FBTyxPQUFPLE1BQU0sU0FBUyxDQUFDO0FBQzlCLE9BQU8sRUFBRSxNQUFNLFdBQVcsQ0FBQztBQUszQjs7Ozs7R0FLRztBQUNILE1BQU0sVUFBVSxZQUFZLENBQUMsTUFBYyxFQUFFLFNBQW1CO0lBQzlELGdEQUFnRDtJQUNoRCxJQUFJLE9BQU8sTUFBTSxLQUFLLFFBQVE7UUFBRSxPQUFPLEtBQUssQ0FBQztJQUM3Qyw4QkFBOEI7SUFDOUIsTUFBTSxHQUFHLE1BQU0sQ0FBQyxXQUFXLEVBQUUsQ0FBQztJQUM5QixtRUFBbUU7SUFDbkUsTUFBTSxRQUFRLEdBQUcsR0FBRyxHQUFHLE1BQU0sQ0FBQztJQUU5QixPQUFPLFNBQVMsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLEVBQUU7UUFDM0IseURBQXlEO1FBQ3pELElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQ3ZCLE9BQU8sT0FBTyxDQUFDLE9BQU8sQ0FBQyxNQUFNLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFDdkMsQ0FBQztRQUNELHFEQUFxRDtRQUNyRCwrREFBK0Q7UUFDL0QsNENBQTRDO1FBQzVDLElBQUksTUFBTSxLQUFLLElBQUk7WUFBRSxPQUFPLElBQUksQ0FBQztRQUNqQywwQ0FBMEM7UUFDMUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDO1lBQUUsSUFBSSxHQUFHLElBQUksSUFBSSxFQUFFLENBQUM7UUFDekMsT0FBTyxRQUFRLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxDQUFDO0lBQ2pDLENBQUMsQ0FBQyxDQUFDO0FBQ0wsQ0FBQztBQUVELE1BQU0sVUFBVSxVQUFVLENBQUMsSUFBWSxFQUFFLEdBQVk7SUFDbkQsSUFBSSxHQUFHLEdBQUcsR0FBRyxJQUFJLENBQUM7SUFDbEIsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7UUFDdkIsSUFBSSxDQUFDO1lBQ0gsSUFBSSxHQUFHLGtCQUFrQixDQUFDLElBQUksQ0FBQyxDQUFDO1FBQ2xDLENBQUM7UUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1lBQ1gsSUFBSSxHQUFHLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxHQUFHLEtBQUssT0FBTyxJQUFJLEdBQUcsQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLEdBQUcsS0FBSyxVQUFVLEVBQUUsQ0FBQztnQkFDeEUsK0NBQStDO2dCQUMvQyxHQUFHLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxtRUFBbUUsRUFBRSxJQUFJLENBQUMsQ0FBQztZQUNqRyxDQUFDO1FBQ0gsQ0FBQztJQUNILENBQUM7SUFDRCxNQUFNLGFBQWEsR0FBRyxTQUFTLENBQUMsSUFBSSxDQUFDLENBQUM7SUFDdEMsT0FBTyxDQUFDLENBQUMsYUFBYSxDQUFDLFVBQVUsQ0FBQyxLQUFLLENBQUMsSUFBSSxhQUFhLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUM7QUFDaEYsQ0FBQztBQUVELE1BQU0sVUFBVSxhQUFhLENBQUMsSUFBc0QsRUFBRSxHQUFZO0lBQ2hHLDBCQUEwQjtJQUMxQixJQUFJLENBQUMsSUFBSSxDQUFDLE1BQU07UUFBRSxPQUFPLElBQUksQ0FBQztJQUM5QixPQUFPLENBQUMsSUFBSSxDQUFDLFFBQVEsRUFBRSxDQUFDLEdBQUcsQ0FBQyxDQUFDO0FBQy9CLENBQUM7QUFFRCxNQUFNLEtBQUssR0FBRyxzQ0FBc0MsQ0FBQztBQUNyRCxNQUFNLFVBQVUsR0FBMkIsRUFBRSxDQUFDO0FBQzlDO0lBQ0UsU0FBUyxFQUFFLFNBQVMsRUFBRSxTQUFTLEVBQUUsU0FBUztDQUMzQyxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsRUFBRTtJQUNmLFVBQVUsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxNQUFNLENBQUM7QUFDaEQsQ0FBQyxDQUFDLENBQUM7QUFFSCxNQUFNLFVBQVUsZUFBZSxDQUFDLFFBQWdCO0lBQzlDLDhCQUE4QjtJQUM5QixJQUFJLEtBQUssQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQztRQUN6QixPQUFPLFFBQVEsQ0FBQztJQUNsQixDQUFDO0lBQ0QsMENBQTBDO0lBQzFDLHVDQUF1QztJQUN2QyxnQ0FBZ0M7SUFDaEMsc0JBQXNCO0lBQ3RCLE1BQU0sTUFBTSxHQUFHLFFBQVEsQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDbkMsSUFBSSxLQUFLLEdBQUcsQ0FBQyxDQUFDLENBQUM7SUFFZiw2Q0FBNkM7SUFDN0MsSUFBSSxNQUFNLENBQUMsTUFBTSxJQUFJLENBQUMsSUFBSSxNQUFNLENBQUMsTUFBTSxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsS0FBSyxNQUFNLEVBQUUsQ0FBQztRQUMvRCxLQUFLLEdBQUcsQ0FBQyxDQUFDLENBQUM7SUFDYixDQUFDO0lBQ0QsSUFBSSxNQUFNLEdBQUcsU0FBUyxDQUFDLE1BQU0sRUFBRSxLQUFLLENBQUMsQ0FBQztJQUN0QyxJQUFJLFVBQVUsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1FBQ3ZCLGdDQUFnQztRQUNoQyxNQUFNLEdBQUcsU0FBUyxDQUFDLE1BQU0sRUFBRSxLQUFLLEdBQUcsVUFBVSxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUM7SUFDekQsQ0FBQztJQUNELE9BQU8sTUFBTSxDQUFDO0FBQ2hCLENBQUM7QUFFRCxTQUFTLFNBQVMsQ0FBQyxNQUFnQixFQUFFLEtBQWE7SUFDaEQsT0FBTyxHQUFHLEdBQUcsTUFBTSxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7QUFDN0MsQ0FBQztBQUVELE1BQU0sVUFBVSxLQUFLLENBQUMsTUFBMkIsRUFBRSxJQUEwQjtJQUMzRSxJQUFJLENBQUMsSUFBSSxFQUFFLENBQUM7UUFDVixPQUFPLE1BQU0sQ0FBQztJQUNoQixDQUFDO0lBQ0QsTUFBTSxHQUFHLEdBQXdCLEVBQUUsQ0FBQztJQUVwQyxNQUFNLFVBQVUsR0FBRyxNQUFNLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQ3ZDLEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxVQUFVLENBQUMsTUFBTSxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUM7UUFDM0MsTUFBTSxHQUFHLEdBQUcsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzFCLEdBQUcsQ0FBQyxHQUFHLENBQUMsR0FBRyxNQUFNLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDekIsQ0FBQztJQUVELE1BQU0sSUFBSSxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUM7SUFDL0IsS0FBSyxJQUFJLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxHQUFHLElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQyxFQUFFLEVBQUUsQ0FBQztRQUNyQyxNQUFNLEdBQUcsR0FBRyxJQUFJLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDcEIsR0FBRyxDQUFDLEdBQUcsQ0FBQyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUN2QixDQUFDO0lBQ0QsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDO0FBRUQsTUFBTSxVQUFVLGdCQUFnQixDQUFDLE1BQXNCO0lBQ3JELGlEQUFpRDtJQUNqRCx5RUFBeUU7SUFDekUsb0RBQW9EO0lBQ3BELE1BQU0sSUFBSSxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUM7SUFDekIsSUFBSSxJQUFJLElBQUksSUFBSSxDQUFDLFdBQVcsSUFBSSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsQ0FBQztRQUNuRCxNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsV0FBVyxDQUFDLEdBQUcsQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUNwRCxNQUFNLGFBQWEsR0FBRyxDQUFDLElBQUksQ0FBQyxlQUFlLElBQUksRUFBRSxDQUFDLENBQUMsR0FBRyxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQ3BFLE1BQU0scUJBQXFCLEdBQUcsSUFBSSxDQUFDLHFCQUFxQixDQUFDO1FBQ3pELElBQUksQ0FBQyxZQUFZLEdBQUcsQ0FBQyxXQUFXLEVBQUUsT0FBTyxFQUFFLFFBQVEsRUFBRSxFQUFFO1lBQ3JELDZCQUE2QjtZQUM3QixJQUFJLFFBQVEsSUFBSSxxQkFBcUIsRUFBRSxDQUFDO2dCQUN0QyxJQUFJLHFCQUFxQixDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO29CQUM3QyxPQUFPLElBQUksQ0FBQztnQkFDZCxDQUFDO1lBQ0gsQ0FBQztZQUNELHFEQUFxRDtZQUNyRCxJQUFJO1lBQ0osK0NBQStDO1lBQy9DLHVEQUF1RDtZQUN2RCxJQUFJO1lBQ0osSUFBSSxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQztnQkFDaEMsV0FBVyxHQUFHLENBQUUsV0FBVyxDQUFFLENBQUM7WUFDaEMsQ0FBQztZQUNELEtBQUssTUFBTSxTQUFTLElBQUksV0FBVyxFQUFFLENBQUM7Z0JBQ3BDLElBQUksT0FBZSxDQUFDO2dCQUNwQixJQUFJLE9BQU8sU0FBUyxLQUFLLFFBQVEsRUFBRSxDQUFDO29CQUNsQyxPQUFPLEdBQUcsU0FBUyxDQUFDO2dCQUN0QixDQUFDO3FCQUFNLENBQUM7b0JBQ04sNkJBQTZCO29CQUM3QixJQUFJLFNBQVMsQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFLENBQUM7d0JBQzNCLFNBQVM7b0JBQ1gsQ0FBQztvQkFDRCxPQUFPLEdBQUcsU0FBUyxDQUFDLE9BQU8sQ0FBQztnQkFDOUIsQ0FBQztnQkFDRCx5QkFBeUI7Z0JBQ3pCLEtBQUssTUFBTSxTQUFTLElBQUksYUFBYSxFQUFFLENBQUM7b0JBQ3RDLElBQUksU0FBUyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7d0JBQ3ZCLE9BQU8sSUFBSSxDQUFDO29CQUNkLENBQUM7Z0JBQ0gsQ0FBQztnQkFDRCxtQkFBbUI7Z0JBQ25CLEtBQUssTUFBTSxRQUFRLElBQUksU0FBUyxFQUFFLENBQUM7b0JBQ2pDLElBQUksUUFBUSxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7d0JBQ3RCLE9BQU8sS0FBSyxDQUFDO29CQUNmLENBQUM7Z0JBQ0gsQ0FBQztZQUNILENBQUM7WUFDRCxnQkFBZ0I7WUFDaEIsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDLENBQUM7SUFDSixDQUFDO0lBRUQsd0VBQXdFO0lBQ3hFLE1BQU0sQ0FBQyxlQUFlLEdBQUcsTUFBTSxDQUFDLGVBQWUsSUFBSSxFQUFFLENBQUM7SUFDdEQsTUFBTSxDQUFDLGVBQWUsR0FBRyxNQUFNLENBQUMsZUFBZSxDQUFDLEdBQUcsQ0FBQyxDQUFDLE1BQWMsRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLFdBQVcsRUFBRSxDQUFDLENBQUM7SUFFOUYsTUFBTSxDQUFDLGlCQUFpQixHQUFHLE1BQU0sQ0FBQyxpQkFBaUIsSUFBSSxFQUFFLENBQUM7SUFDMUQsTUFBTSxDQUFDLGlCQUFpQixHQUFHLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxHQUFHLENBQUMsQ0FBQyxRQUFnQixFQUFFLEVBQUUsQ0FBQyxRQUFRLENBQUMsV0FBVyxFQUFFLENBQUMsQ0FBQztJQUV0RyxpREFBaUQ7SUFDakQsSUFBSSxNQUFNLENBQUMsSUFBSSxJQUFJLE1BQU0sQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztRQUNoRCxNQUFNLENBQUMsSUFBSSxDQUFDLGdCQUFnQixHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLENBQUMsR0FBVyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsV0FBVyxFQUFFLENBQUMsQ0FBQztJQUN0RyxDQUFDO0lBRUQsK0VBQStFO0lBQy9FLCtGQUErRjtJQUMvRixNQUFNLG9CQUFvQixHQUFHLElBQUksR0FBRyxDQUFDLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDO0lBQy9ELG9CQUFvQixDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQztJQUNqQyxvQkFBb0IsQ0FBQyxHQUFHLENBQUMsT0FBTyxDQUFDLENBQUM7SUFDbEMsb0JBQW9CLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQ2pDLG9CQUFvQixDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQztJQUVqQyxNQUFNLENBQUMsY0FBYyxDQUFDLE1BQU0sRUFBRSx3QkFBd0IsRUFBRTtRQUN0RCxLQUFLLEVBQUUsb0JBQW9CO1FBQzNCLFVBQVUsRUFBRSxLQUFLO0tBQ2xCLENBQUMsQ0FBQztBQUNMLENBQUM7QUFFRCxNQUFNLFVBQVUsVUFBVSxDQUFDLEdBQVcsRUFBRSxJQUFhO0lBQ25ELElBQUksQ0FBQztRQUNILE1BQU0sTUFBTSxHQUFHLElBQUksR0FBRyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBQzVCLE9BQU8sSUFBSSxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxJQUFJLENBQUMsQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFDO0lBQ25ELENBQUM7SUFBQyxNQUFNLENBQUM7UUFDUCxPQUFPLElBQUksQ0FBQztJQUNkLENBQUM7QUFDSCxDQUFDO0FBRUQsU0FBUyxXQUFXLENBQUMsRUFBVTtJQUM3QixJQUFJLEVBQUUsQ0FBQyxVQUFVLENBQUMsRUFBRSxDQUFDLElBQUksRUFBRSxDQUFDLFVBQVUsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDO1FBQzNDLE9BQU8sQ0FBQyxPQUFlLEVBQUUsRUFBRSxDQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7SUFDN0MsQ0FBQztJQUNELE9BQU8sRUFBRSxDQUFDLFVBQVUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxRQUFRLENBQUM7QUFDcEMsQ0FBQyJ9

package/dist/esm/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

package/dist/esm/types.d.ts

@@ -0,0 +1,10 @@
+import './app/extend/application.js';
+import './app/extend/context.js';
+import type { SecurityConfig, SecurityHelperConfig } from './config/config.default.js';
+export type * from './config/config.default.js';
+declare module '@eggjs/core' {
+    interface EggAppConfig {
+        security: SecurityConfig;
+        helper: SecurityHelperConfig;
+    }
+}

package/dist/esm/types.js

@@ -0,0 +1,3 @@
+import './app/extend/application.js';
+import './app/extend/context.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidHlwZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvdHlwZXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyw2QkFBNkIsQ0FBQztBQUNyQyxPQUFPLHlCQUF5QixDQUFDIn0=

package/dist/package.json

@@ -0,0 +1,4 @@
+{
+  "name": "@eggjs/security",
+  "version": "4.0.0"
+}

package/package.json

@@ -0,0 +1,116 @@
+{
+  "name": "@eggjs/security",
+  "version": "4.0.0",
+  "publishConfig": {
+    "access": "public"
+  },
+  "description": "security plugin in egg framework",
+  "eggPlugin": {
+    "name": "security",
+    "optionalDependencies": [
+      "session"
+    ],
+    "exports": {
+      "import": "./dist/esm",
+      "require": "./dist/commonjs",
+      "typescript": "./src"
+    }
+  },
+  "keywords": [
+    "egg",
+    "eggPlugin",
+    "egg-plugin",
+    "security"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/eggjs/security.git"
+  },
+  "bugs": {
+    "url": "https://github.com/eggjs/egg/issues"
+  },
+  "homepage": "https://github.com/eggjs/security#readme",
+  "author": "jtyjty99999",
+  "license": "MIT",
+  "engines": {
+    "node": ">= 18.19.0"
+  },
+  "dependencies": {
+    "@eggjs/core": "^6.2.13",
+    "@eggjs/ip": "^2.1.0",
+    "csrf": "^3.0.6",
+    "egg-path-matching": "^2.1.0",
+    "escape-html": "^1.0.3",
+    "extend": "^3.0.1",
+    "koa-compose": "^4.1.0",
+    "matcher": "^4.0.0",
+    "nanoid": "^3.3.8",
+    "type-is": "^1.6.18",
+    "xss": "^1.0.3",
+    "zod": "^3.24.1"
+  },
+  "devDependencies": {
+    "@arethetypeswrong/cli": "^0.17.1",
+    "@eggjs/bin": "7",
+    "@eggjs/mock": "^6.0.5",
+    "@eggjs/supertest": "^8.2.0",
+    "@eggjs/tsconfig": "1",
+    "@types/escape-html": "^1.0.4",
+    "@types/extend": "^3.0.4",
+    "@types/koa-compose": "^3.2.8",
+    "@types/mocha": "10",
+    "@types/node": "22",
+    "@types/type-is": "^1.6.7",
+    "beautify-benchmark": "^0.2.4",
+    "benchmark": "^2.1.4",
+    "egg": "^4.0.1",
+    "egg-view-nunjucks": "^2.3.0",
+    "eslint": "8",
+    "eslint-config-egg": "14",
+    "rimraf": "6",
+    "snap-shot-it": "^7.9.10",
+    "spy": "^1.0.0",
+    "supertest": "^6.3.3",
+    "tshy": "3",
+    "tshy-after": "1",
+    "typescript": "5"
+  },
+  "scripts": {
+    "lint": "eslint --cache src test --ext .ts",
+    "pretest": "npm run clean && npm run lint -- --fix",
+    "test": "egg-bin test",
+    "test:snapshot:update": "SNAPSHOT_UPDATE=1 egg-bin test",
+    "preci": "npm run clean &&  npm run lint",
+    "ci": "egg-bin cov",
+    "postci": "npm run prepublishOnly && npm run clean",
+    "clean": "rimraf dist",
+    "prepublishOnly": "tshy && tshy-after && attw --pack"
+  },
+  "type": "module",
+  "tshy": {
+    "exports": {
+      ".": "./src/index.ts",
+      "./package.json": "./package.json"
+    }
+  },
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/esm/index.d.ts",
+        "default": "./dist/esm/index.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/index.d.ts",
+        "default": "./dist/commonjs/index.js"
+      }
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "dist",
+    "src"
+  ],
+  "types": "./dist/commonjs/index.d.ts",
+  "main": "./dist/commonjs/index.js",
+  "module": "./dist/esm/index.js"
+}

package/src/agent.ts

@@ -0,0 +1,14 @@
+import type { ILifecycleBoot, EggCore } from '@eggjs/core';
+import { preprocessConfig } from './lib/utils.js';
+
+export default class AgentBoot implements ILifecycleBoot {
+  private readonly agent;
+
+  constructor(agent: EggCore) {
+    this.agent = agent;
+  }
+
+  async configWillLoad() {
+    preprocessConfig(this.agent.config.security);
+  }
+}

package/src/app/extend/agent.ts

@@ -0,0 +1,14 @@
+import { EggCore } from '@eggjs/core';
+import {
+  safeCurlForApplication,
+  type HttpClientRequestURL,
+  type HttpClientOptions,
+  type HttpClientResponse,
+} from '../../lib/extend/safe_curl.js';
+
+export default class SecurityAgent extends EggCore {
+  async safeCurl<T = any>(
+    url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>> {
+    return await safeCurlForApplication<T>(this, url, options);
+  }
+}

package/src/app/extend/application.ts

@@ -0,0 +1,51 @@
+import { EggCore } from '@eggjs/core';
+import {
+  safeCurlForApplication,
+  type HttpClientRequestURL,
+  type HttpClientOptions,
+  type HttpClientResponse,
+} from '../../lib/extend/safe_curl.js';
+
+const INPUT_CSRF = '\r\n<input type="hidden" name="_csrf" value="{{ctx.csrf}}" /></form>';
+const INJECTION_DEFENSE = '<!--for injection--><!--</html>--><!--for injection-->';
+
+export default class SecurityApplication extends EggCore {
+  injectCsrf(html: string) {
+    html = html.replace(/(<form.*?>)([\s\S]*?)<\/form>/gi, (_, $1, $2) => {
+      const match = $2;
+      if (match.indexOf('name="_csrf"') !== -1 || match.indexOf('name=\'_csrf\'') !== -1) {
+        return $1 + match + '</form>';
+      }
+      return $1 + match + INPUT_CSRF;
+    });
+    return html;
+  }
+
+  injectNonce(html: string) {
+    html = html.replace(/<script(.*?)>([\s\S]*?)<\/script[^>]*?>/gi, (_, $1, $2) => {
+      if (!$1.includes('nonce=')) {
+        $1 += ' nonce="{{ctx.nonce}}"';
+      }
+      return '<script' + $1 + '>' + $2 + '</script>';
+    });
+    return html;
+  }
+
+  injectHijackingDefense(html: string) {
+    return INJECTION_DEFENSE + html + INJECTION_DEFENSE;
+  }
+
+  async safeCurl<T = any>(
+    url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>> {
+    return await safeCurlForApplication<T>(this, url, options);
+  }
+}
+
+declare module '@eggjs/core' {
+  interface EggCore {
+    injectCsrf(html: string): string;
+    injectNonce(html: string): string;
+    injectHijackingDefense(html: string): string;
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+  }
+}