npm - @eggjs/security - Versions diffs - 4.0.0 - Mend

@eggjs/security 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (183) hide show

package/LICENSE +21 -0
package/README.md +569 -0
package/README.zh-CN.md +441 -0
package/dist/commonjs/agent.d.ts +6 -0
package/dist/commonjs/agent.js +14 -0
package/dist/commonjs/app/extend/agent.d.ts +5 -0
package/dist/commonjs/app/extend/agent.js +11 -0
package/dist/commonjs/app/extend/application.d.ts +16 -0
package/dist/commonjs/app/extend/application.js +35 -0
package/dist/commonjs/app/extend/context.d.ts +68 -0
package/dist/commonjs/app/extend/context.js +283 -0
package/dist/commonjs/app/extend/helper.d.ts +12 -0
package/dist/commonjs/app/extend/helper.js +10 -0
package/dist/commonjs/app/extend/response.d.ts +41 -0
package/dist/commonjs/app/extend/response.js +85 -0
package/dist/commonjs/app/middleware/securities.d.ts +4 -0
package/dist/commonjs/app/middleware/securities.js +55 -0
package/dist/commonjs/app.d.ts +6 -0
package/dist/commonjs/app.js +29 -0
package/dist/commonjs/config/config.default.d.ts +871 -0
package/dist/commonjs/config/config.default.js +357 -0
package/dist/commonjs/config/config.local.d.ts +5 -0
package/dist/commonjs/config/config.local.js +10 -0
package/dist/commonjs/index.d.ts +1 -0
package/dist/commonjs/index.js +14 -0
package/dist/commonjs/lib/extend/safe_curl.d.ts +16 -0
package/dist/commonjs/lib/extend/safe_curl.js +28 -0
package/dist/commonjs/lib/helper/cliFilter.d.ts +4 -0
package/dist/commonjs/lib/helper/cliFilter.js +20 -0
package/dist/commonjs/lib/helper/escape.d.ts +2 -0
package/dist/commonjs/lib/helper/escape.js +8 -0
package/dist/commonjs/lib/helper/escapeShellArg.d.ts +1 -0
package/dist/commonjs/lib/helper/escapeShellArg.js +8 -0
package/dist/commonjs/lib/helper/escapeShellCmd.d.ts +1 -0
package/dist/commonjs/lib/helper/escapeShellCmd.js +17 -0
package/dist/commonjs/lib/helper/index.d.ts +21 -0
package/dist/commonjs/lib/helper/index.js +26 -0
package/dist/commonjs/lib/helper/shtml.d.ts +2 -0
package/dist/commonjs/lib/helper/shtml.js +76 -0
package/dist/commonjs/lib/helper/sjs.d.ts +4 -0
package/dist/commonjs/lib/helper/sjs.js +52 -0
package/dist/commonjs/lib/helper/sjson.d.ts +1 -0
package/dist/commonjs/lib/helper/sjson.js +45 -0
package/dist/commonjs/lib/helper/spath.d.ts +5 -0
package/dist/commonjs/lib/helper/spath.js +28 -0
package/dist/commonjs/lib/helper/surl.d.ts +2 -0
package/dist/commonjs/lib/helper/surl.js +33 -0
package/dist/commonjs/lib/middlewares/csp.d.ts +4 -0
package/dist/commonjs/lib/middlewares/csp.js +68 -0
package/dist/commonjs/lib/middlewares/csrf.d.ts +4 -0
package/dist/commonjs/lib/middlewares/csrf.js +42 -0
package/dist/commonjs/lib/middlewares/dta.d.ts +3 -0
package/dist/commonjs/lib/middlewares/dta.js +14 -0
package/dist/commonjs/lib/middlewares/hsts.d.ts +4 -0
package/dist/commonjs/lib/middlewares/hsts.js +23 -0
package/dist/commonjs/lib/middlewares/index.d.ts +13 -0
package/dist/commonjs/lib/middlewares/index.js +28 -0
package/dist/commonjs/lib/middlewares/methodnoallow.d.ts +3 -0
package/dist/commonjs/lib/middlewares/methodnoallow.js +22 -0
package/dist/commonjs/lib/middlewares/noopen.d.ts +4 -0
package/dist/commonjs/lib/middlewares/noopen.js +17 -0
package/dist/commonjs/lib/middlewares/nosniff.d.ts +4 -0
package/dist/commonjs/lib/middlewares/nosniff.js +30 -0
package/dist/commonjs/lib/middlewares/referrerPolicy.d.ts +4 -0
package/dist/commonjs/lib/middlewares/referrerPolicy.js +36 -0
package/dist/commonjs/lib/middlewares/xframe.d.ts +4 -0
package/dist/commonjs/lib/middlewares/xframe.js +19 -0
package/dist/commonjs/lib/middlewares/xssProtection.d.ts +4 -0
package/dist/commonjs/lib/middlewares/xssProtection.js +16 -0
package/dist/commonjs/lib/utils.d.ts +19 -0
package/dist/commonjs/lib/utils.js +206 -0
package/dist/commonjs/package.json +3 -0
package/dist/commonjs/types.d.ts +10 -0
package/dist/commonjs/types.js +5 -0
package/dist/esm/agent.d.ts +6 -0
package/dist/esm/agent.js +11 -0
package/dist/esm/app/extend/agent.d.ts +5 -0
package/dist/esm/app/extend/agent.js +8 -0
package/dist/esm/app/extend/application.d.ts +16 -0
package/dist/esm/app/extend/application.js +32 -0
package/dist/esm/app/extend/context.d.ts +68 -0
package/dist/esm/app/extend/context.js +244 -0
package/dist/esm/app/extend/helper.d.ts +12 -0
package/dist/esm/app/extend/helper.js +5 -0
package/dist/esm/app/extend/response.d.ts +41 -0
package/dist/esm/app/extend/response.js +82 -0
package/dist/esm/app/middleware/securities.d.ts +4 -0
package/dist/esm/app/middleware/securities.js +50 -0
package/dist/esm/app.d.ts +6 -0
package/dist/esm/app.js +26 -0
package/dist/esm/config/config.default.d.ts +871 -0
package/dist/esm/config/config.default.js +351 -0
package/dist/esm/config/config.local.d.ts +5 -0
package/dist/esm/config/config.local.js +8 -0
package/dist/esm/index.d.ts +1 -0
package/dist/esm/index.js +12 -0
package/dist/esm/lib/extend/safe_curl.d.ts +16 -0
package/dist/esm/lib/extend/safe_curl.js +25 -0
package/dist/esm/lib/helper/cliFilter.d.ts +4 -0
package/dist/esm/lib/helper/cliFilter.js +17 -0
package/dist/esm/lib/helper/escape.d.ts +2 -0
package/dist/esm/lib/helper/escape.js +3 -0
package/dist/esm/lib/helper/escapeShellArg.d.ts +1 -0
package/dist/esm/lib/helper/escapeShellArg.js +5 -0
package/dist/esm/lib/helper/escapeShellCmd.d.ts +1 -0
package/dist/esm/lib/helper/escapeShellCmd.js +14 -0
package/dist/esm/lib/helper/index.d.ts +21 -0
package/dist/esm/lib/helper/index.js +21 -0
package/dist/esm/lib/helper/shtml.d.ts +2 -0
package/dist/esm/lib/helper/shtml.js +70 -0
package/dist/esm/lib/helper/sjs.d.ts +4 -0
package/dist/esm/lib/helper/sjs.js +49 -0
package/dist/esm/lib/helper/sjson.d.ts +1 -0
package/dist/esm/lib/helper/sjson.js +39 -0
package/dist/esm/lib/helper/spath.d.ts +5 -0
package/dist/esm/lib/helper/spath.js +25 -0
package/dist/esm/lib/helper/surl.d.ts +2 -0
package/dist/esm/lib/helper/surl.js +30 -0
package/dist/esm/lib/middlewares/csp.d.ts +4 -0
package/dist/esm/lib/middlewares/csp.js +63 -0
package/dist/esm/lib/middlewares/csrf.d.ts +4 -0
package/dist/esm/lib/middlewares/csrf.js +37 -0
package/dist/esm/lib/middlewares/dta.d.ts +3 -0
package/dist/esm/lib/middlewares/dta.js +12 -0
package/dist/esm/lib/middlewares/hsts.d.ts +4 -0
package/dist/esm/lib/middlewares/hsts.js +21 -0
package/dist/esm/lib/middlewares/index.d.ts +13 -0
package/dist/esm/lib/middlewares/index.js +23 -0
package/dist/esm/lib/middlewares/methodnoallow.d.ts +3 -0
package/dist/esm/lib/middlewares/methodnoallow.js +20 -0
package/dist/esm/lib/middlewares/noopen.d.ts +4 -0
package/dist/esm/lib/middlewares/noopen.js +15 -0
package/dist/esm/lib/middlewares/nosniff.d.ts +4 -0
package/dist/esm/lib/middlewares/nosniff.js +28 -0
package/dist/esm/lib/middlewares/referrerPolicy.d.ts +4 -0
package/dist/esm/lib/middlewares/referrerPolicy.js +34 -0
package/dist/esm/lib/middlewares/xframe.d.ts +4 -0
package/dist/esm/lib/middlewares/xframe.js +17 -0
package/dist/esm/lib/middlewares/xssProtection.d.ts +4 -0
package/dist/esm/lib/middlewares/xssProtection.js +14 -0
package/dist/esm/lib/utils.d.ts +19 -0
package/dist/esm/lib/utils.js +194 -0
package/dist/esm/package.json +3 -0
package/dist/esm/types.d.ts +10 -0
package/dist/esm/types.js +3 -0
package/dist/package.json +4 -0
package/package.json +116 -0
package/src/agent.ts +14 -0
package/src/app/extend/agent.ts +14 -0
package/src/app/extend/application.ts +51 -0
package/src/app/extend/context.ts +282 -0
package/src/app/extend/helper.ts +5 -0
package/src/app/extend/response.ts +95 -0
package/src/app/middleware/securities.ts +63 -0
package/src/app.ts +31 -0
package/src/config/config.default.ts +379 -0
package/src/config/config.local.ts +9 -0
package/src/index.ts +12 -0
package/src/lib/extend/safe_curl.ts +35 -0
package/src/lib/helper/cliFilter.ts +20 -0
package/src/lib/helper/escape.ts +3 -0
package/src/lib/helper/escapeShellArg.ts +4 -0
package/src/lib/helper/escapeShellCmd.ts +16 -0
package/src/lib/helper/index.ts +21 -0
package/src/lib/helper/shtml.ts +77 -0
package/src/lib/helper/sjs.ts +57 -0
package/src/lib/helper/sjson.ts +35 -0
package/src/lib/helper/spath.ts +27 -0
package/src/lib/helper/surl.ts +35 -0
package/src/lib/middlewares/csp.ts +70 -0
package/src/lib/middlewares/csrf.ts +44 -0
package/src/lib/middlewares/dta.ts +13 -0
package/src/lib/middlewares/hsts.ts +24 -0
package/src/lib/middlewares/index.ts +23 -0
package/src/lib/middlewares/methodnoallow.ts +23 -0
package/src/lib/middlewares/noopen.ts +18 -0
package/src/lib/middlewares/nosniff.ts +32 -0
package/src/lib/middlewares/referrerPolicy.ts +39 -0
package/src/lib/middlewares/xframe.ts +20 -0
package/src/lib/middlewares/xssProtection.ts +17 -0
package/src/lib/utils.ts +208 -0
package/src/types.ts +16 -0
package/src/typings/index.d.ts +4 -0

package/src/app/extend/context.ts ADDED Viewed

@@ -0,0 +1,282 @@
+import { debuglog } from 'node:util';
+import { nanoid } from 'nanoid/non-secure';
+import Tokens from 'csrf';
+import { Context } from '@eggjs/core';
+import * as utils from '../../lib/utils.js';
+import type {
+  HttpClientRequestURL,
+  HttpClientOptions,
+  HttpClientResponse,
+} from '../../lib/extend/safe_curl.js';
+import { SecurityConfig, SecurityHelperConfig } from '../../types.js';
+const debug = debuglog('@eggjs/security/app/extend/context');
+const tokens = new Tokens();
+const CSRF_SECRET = Symbol('egg-security#CSRF_SECRET');
+const _CSRF_SECRET = Symbol('egg-security#_CSRF_SECRET');
+const NEW_CSRF_SECRET = Symbol('egg-security#NEW_CSRF_SECRET');
+const LOG_CSRF_NOTICE = Symbol('egg-security#LOG_CSRF_NOTICE');
+const INPUT_TOKEN = Symbol('egg-security#INPUT_TOKEN');
+const NONCE_CACHE = Symbol('egg-security#NONCE_CACHE');
+const SECURITY_OPTIONS = Symbol('egg-security#SECURITY_OPTIONS');
+const CSRF_REFERER_CHECK = Symbol('egg-security#CSRF_REFERER_CHECK');
+const CSRF_CTOKEN_CHECK = Symbol('egg-security#CSRF_CTOKEN_CHECK');
+function findToken(obj: Record<string, string>, keys: string | string[]) {
+  if (!obj) return;
+  if (!keys || !keys.length) return;
+  if (typeof keys === 'string') return obj[keys];
+  for (const key of keys) {
+    if (obj[key]) return obj[key];
+  }
+}
+export default class SecurityContext extends Context {
+  get securityOptions() {
+    if (!this[SECURITY_OPTIONS]) {
+      this[SECURITY_OPTIONS] = {};
+    }
+    return this[SECURITY_OPTIONS] as Partial<SecurityConfig>;
+  }
+  /**
+   * Check whether the specific `domain` is in / matches the whiteList or not.
+   * @param {string} domain The assigned domain.
+   * @param {Array<string>} [customWhiteList] The custom white list for domain.
+   * @return {boolean} If the domain is in / matches the whiteList, return true;
+   * otherwise false.
+   */
+  isSafeDomain(domain: string, customWhiteList?: string[]): boolean {
+    const domainWhiteList =
+      customWhiteList && customWhiteList.length > 0 ? customWhiteList : this.app.config.security.domainWhiteList;
+    return utils.isSafeDomain(domain, domainWhiteList);
+  }
+  // Add nonce, random characters will be OK.
+  // https://w3c.github.io/webappsec/specs/content-security-policy/#nonce_source
+  get nonce(): string {
+    if (!this[NONCE_CACHE]) {
+      this[NONCE_CACHE] = nanoid(16);
+    }
+    return this[NONCE_CACHE] as string;
+  }
+  /**
+   * get csrf token, general use in template
+   * @return {String} csrf token
+   * @public
+   */
+  get csrf(): string {
+    // csrfSecret can be rotate, use NEW_CSRF_SECRET first
+    const secret = this[NEW_CSRF_SECRET] || this[CSRF_SECRET];
+    debug('get csrf token, NEW_CSRF_SECRET: %s, _CSRF_SECRET: %s', this[NEW_CSRF_SECRET], this[CSRF_SECRET]);
+    //  In order to protect against BREACH attacks,
+    //  the token is not simply the secret;
+    //  a random salt is prepended to the secret and used to scramble it.
+    //  http://breachattack.com/
+    return secret ? tokens.create(secret as string) : '';
+  }
+  /**
+   * get csrf secret from session or cookie
+   * @return {String} csrf secret
+   * @private
+   */
+  get [CSRF_SECRET](): string {
+    if (this[_CSRF_SECRET]) {
+      return this[_CSRF_SECRET] as string;
+    }
+    let {
+      useSession, sessionName,
+      cookieName: cookieNames,
+      cookieOptions,
+    } = this.app.config.security.csrf;
+    // get secret from session or cookie
+    if (useSession) {
+      this[_CSRF_SECRET] = (this.session as any)[sessionName] || '';
+    } else {
+      // cookieName support array. so we can change csrf cookie name smoothly
+      if (!Array.isArray(cookieNames)) {
+        cookieNames = [ cookieNames ];
+      }
+      for (const cookieName of cookieNames) {
+        this[_CSRF_SECRET] = this.cookies.get(cookieName, { signed: cookieOptions.signed }) || '';
+        if (this[_CSRF_SECRET]) {
+          break;
+        }
+      }
+    }
+    return this[_CSRF_SECRET] as string;
+  }
+  /**
+   * ensure csrf secret exists in session or cookie.
+   * @param {Boolean} [rotate] reset secret even if the secret exists
+   * @public
+   */
+  ensureCsrfSecret(rotate?: boolean) {
+    if (this[CSRF_SECRET] && !rotate) return;
+    debug('ensure csrf secret, exists: %s, rotate; %s', this[CSRF_SECRET], rotate);
+    const secret = tokens.secretSync();
+    this[NEW_CSRF_SECRET] = secret;
+    let {
+      useSession, sessionName,
+      cookieDomain,
+      cookieName: cookieNames,
+      cookieOptions,
+    } = this.app.config.security.csrf;
+    if (useSession) {
+      // TODO(fengmk2): need to refactor egg-session plugin to support ctx.session type define
+      (this.session as any)[sessionName] = secret;
+    } else {
+      if (typeof cookieDomain === 'function') {
+        cookieDomain = cookieDomain(this);
+      }
+      const cookieOpts = {
+        domain: cookieDomain,
+        ...cookieOptions,
+      };
+      // cookieName support array. so we can change csrf cookie name smoothly
+      if (!Array.isArray(cookieNames)) {
+        cookieNames = [ cookieNames ];
+      }
+      for (const cookieName of cookieNames) {
+        this.cookies.set(cookieName, secret, cookieOpts);
+      }
+    }
+  }
+  get [INPUT_TOKEN]() {
+    const { headerName, bodyName, queryName } = this.app.config.security.csrf;
+    // try order: query, body, header
+    const token = findToken(this.request.query, queryName)
+      || findToken(this.request.body, bodyName)
+      || (headerName && this.request.get<string>(headerName));
+    debug('get token: %j, secret: %j', token, this[CSRF_SECRET]);
+    return token;
+  }
+  /**
+   * rotate csrf secret exists in session or cookie.
+   * must rotate the secret when user login
+   * @public
+   */
+  rotateCsrfSecret() {
+    if (!this[NEW_CSRF_SECRET] && this[CSRF_SECRET]) {
+      this.ensureCsrfSecret(true);
+    }
+  }
+  /**
+   * assert csrf token/referer is present
+   * @public
+   */
+  assertCsrf() {
+    if (utils.checkIfIgnore(this.app.config.security.csrf, this)) {
+      debug('%s, ignore by csrf options', this.path);
+      return;
+    }
+    const { type } = this.app.config.security.csrf;
+    let message;
+    const messages = [];
+    switch (type) {
+      case 'ctoken':
+        message = this[CSRF_CTOKEN_CHECK]();
+        if (message) this.throw(403, message);
+        break;
+      case 'referer':
+        message = this[CSRF_REFERER_CHECK]();
+        if (message) this.throw(403, message);
+        break;
+      case 'all':
+        message = this[CSRF_CTOKEN_CHECK]();
+        if (message) this.throw(403, message);
+        message = this[CSRF_REFERER_CHECK]();
+        if (message) this.throw(403, message);
+        break;
+      case 'any':
+        message = this[CSRF_CTOKEN_CHECK]();
+        if (!message) return;
+        messages.push(message);
+        message = this[CSRF_REFERER_CHECK]();
+        if (!message) return;
+        messages.push(message);
+        this.throw(403, `both ctoken and referer check error: ${messages.join(', ')}`);
+        break;
+      default:
+        this.throw(`invalid type ${type}`);
+    }
+  }
+  [CSRF_CTOKEN_CHECK]() {
+    if (!this[CSRF_SECRET]) {
+      debug('missing csrf token');
+      this[LOG_CSRF_NOTICE]('missing csrf token');
+      return 'missing csrf token';
+    }
+    const token = this[INPUT_TOKEN];
+    // AJAX requests get csrf token from cookie, in this situation token will equal to secret
+    // synchronize form requests' token always changing to protect against BREACH attacks
+    if (token !== this[CSRF_SECRET] && !tokens.verify(this[CSRF_SECRET], token)) {
+      debug('verify secret and token error');
+      this[LOG_CSRF_NOTICE]('invalid csrf token');
+      const { rotateWhenInvalid } = this.app.config.security.csrf;
+      if (rotateWhenInvalid) {
+        this.rotateCsrfSecret();
+      }
+      return 'invalid csrf token';
+    }
+  }
+  [CSRF_REFERER_CHECK]() {
+    const { refererWhiteList } = this.app.config.security.csrf;
+    // check Origin/Referer headers
+    const referer = (this.headers.referer || this.headers.origin || '').toLowerCase();
+    if (!referer) {
+      debug('missing csrf referer or origin');
+      this[LOG_CSRF_NOTICE]('missing csrf referer or origin');
+      return 'missing csrf referer or origin';
+    }
+    const host = utils.getFromUrl(referer, 'host');
+    const domainList = refererWhiteList.concat(this.host);
+    if (!host || !utils.isSafeDomain(host, domainList)) {
+      debug('verify referer or origin error');
+      this[LOG_CSRF_NOTICE]('invalid csrf referer or origin');
+      return 'invalid csrf referer or origin';
+    }
+  }
+  [LOG_CSRF_NOTICE](msg: string) {
+    if (this.app.config.env === 'local') {
+      this.logger.warn(`${msg}. See https://eggjs.org/zh-cn/core/security.html#安全威胁csrf的防范`);
+    }
+  }
+  async safeCurl<T = any>(
+    url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>> {
+    return await this.app.safeCurl<T>(url, options);
+  }
+  unsafeRedirect(url: string, alt?: string) {
+    this.response.unsafeRedirect(url, alt);
+  }
+}
+declare module '@eggjs/core' {
+  interface Context {
+    get securityOptions(): Partial<SecurityConfig & SecurityHelperConfig>;
+    isSafeDomain(domain: string, customWhiteList?: string[]): boolean;
+    get nonce(): string;
+    get csrf(): string;
+    ensureCsrfSecret(rotate?: boolean): void;
+    rotateCsrfSecret(): void;
+    assertCsrf(): void;
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+  }
+}

package/src/app/extend/helper.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import helpers from '../../lib/helper/index.js';
+export default {
+  ...helpers,
+};

package/src/app/extend/response.ts ADDED Viewed

@@ -0,0 +1,95 @@
+import { Response as KoaResponse } from '@eggjs/core';
+import SecurityContext from './context.js';
+const unsafeRedirect = KoaResponse.prototype.redirect;
+export default class SecurityResponse extends KoaResponse {
+  declare ctx: SecurityContext;
+  /**
+   * This is an unsafe redirection, and we WON'T check if the
+   * destination url is safe or not.
+   * Please DO NOT use this method unless in some very special cases,
+   * otherwise there may be security vulnerabilities.
+   *
+   * @function Response#unsafeRedirect
+   * @param {String} url URL to forward
+   * @example
+   * ```js
+   * ctx.response.unsafeRedirect('http://www.domain.com');
+   * ctx.unsafeRedirect('http://www.domain.com');
+   * ```
+   */
+  unsafeRedirect(url: string, alt?: string) {
+    unsafeRedirect.call(this, url, alt);
+  }
+  // app.response.unsafeRedirect = app.response.redirect;
+  // delegate(app.context, 'response').method('unsafeRedirect');
+  /**
+   * A safe redirection, and we'll check if the URL is in
+   * a safe domain or not.
+   * We've overridden the default Koa's implementation by adding a
+   * white list as the filter for that.
+   *
+   * @function Response#redirect
+   * @param {String} url URL to forward
+   * @example
+   * ```js
+   * ctx.response.redirect('/login');
+   * ctx.redirect('/login');
+   * ```
+   */
+  redirect(url: string, alt?: string) {
+    url = (url || '/').trim();
+    // Process with `//`
+    if (url[0] === '/' && url[1] === '/') {
+      url = '/';
+    }
+    // if begin with '/', it means an internal jump
+    if (url[0] === '/' && url[1] !== '\\') {
+      this.unsafeRedirect(url, alt);
+      return;
+    }
+    let urlObject: URL;
+    try {
+      urlObject = new URL(url);
+    } catch {
+      url = '/';
+      this.unsafeRedirect(url);
+      return;
+    }
+    const domainWhiteList = this.app.config.security.domainWhiteList;
+    if (urlObject.protocol !== 'http:' && urlObject.protocol !== 'https:') {
+      url = '/';
+    } else if (!urlObject.hostname) {
+      url = '/';
+    } else {
+      if (domainWhiteList && domainWhiteList.length !== 0) {
+        if (!this.ctx.isSafeDomain(urlObject.hostname)) {
+          const message = `a security problem has been detected for url "${url}", redirection is prohibited.`;
+          if (process.env.NODE_ENV === 'production') {
+            this.app.coreLogger.warn('[@eggjs/security/response/redirect] %s', message);
+            url = '/';
+          } else {
+            // Exception will be thrown out in a non-PROD env.
+            return this.ctx.throw(500, message);
+          }
+        }
+      }
+    }
+    this.unsafeRedirect(url);
+  }
+}
+declare module '@eggjs/core' {
+  // add Response overrides types
+  interface Response {
+    unsafeRedirect(url: string, alt?: string): void;
+    redirect(url: string, alt?: string): void;
+  }
+}

package/src/app/middleware/securities.ts ADDED Viewed

@@ -0,0 +1,63 @@
+import assert from 'node:assert';
+import compose from 'koa-compose';
+import { pathMatching } from 'egg-path-matching';
+import { EggCore, MiddlewareFunc } from '@eggjs/core';
+import securityMiddlewares from '../../lib/middlewares/index.js';
+import type { SecurityMiddlewareName } from '../../config/config.default.js';
+export default (_: unknown, app: EggCore) => {
+  const options = app.config.security;
+  const middlewares: MiddlewareFunc[] = [];
+  const defaultMiddlewares = typeof options.defaultMiddleware === 'string'
+    ? options.defaultMiddleware.split(',').map(m => m.trim()).filter(m => !!m) as SecurityMiddlewareName[]
+    : options.defaultMiddleware;
+  if (options.match || options.ignore) {
+    app.coreLogger.warn('[@eggjs/security/middleware/securities] Please set `match` or `ignore` on sub config');
+  }
+  // format csrf.cookieDomain
+  const originalCookieDomain = options.csrf.cookieDomain;
+  if (originalCookieDomain && typeof originalCookieDomain !== 'function') {
+    options.csrf.cookieDomain = () => originalCookieDomain;
+  }
+  defaultMiddlewares.forEach(middlewareName => {
+    const opt = Reflect.get(options, middlewareName) as any;
+    if (opt === false) {
+      app.coreLogger.warn('[egg-security] Please use `config.security.%s = { enable: false }` instead of `config.security.%s = false`', middlewareName, middlewareName);
+    }
+    assert(opt === false || typeof opt === 'object',
+      `config.security.${middlewareName} must be an object, or false(if you turn it off)`);
+    if (opt === false || opt && opt.enable === false) {
+      return;
+    }
+    if (middlewareName === 'csrf' && opt.useSession && !app.plugins.session) {
+      throw new Error('csrf.useSession enabled, but session plugin is disabled');
+    }
+    // use opt.match first (compatibility)
+    if (opt.match && opt.ignore) {
+      app.coreLogger.warn('[@eggjs/security/middleware/securities] `options.match` and `options.ignore` are both set, using `options.match`');
+      opt.ignore = undefined;
+    }
+    if (!opt.ignore && opt.blackUrls) {
+      app.deprecate('[@eggjs/security/middleware/securities] Please use `config.security.xframe.ignore` instead, `config.security.xframe.blackUrls` will be removed very soon');
+      opt.ignore = opt.blackUrls;
+    }
+    // set matching function to security middleware options
+    opt.matching = pathMatching(opt);
+    const createMiddleware = securityMiddlewares[middlewareName];
+    const fn = createMiddleware(opt);
+    middlewares.push(fn);
+    app.coreLogger.info('[@eggjs/security/middleware/securities] use %s middleware', middlewareName);
+  });
+  app.coreLogger.info('[@eggjs/security/middleware/securities] compose %d middlewares into one security middleware',
+    middlewares.length);
+  return compose(middlewares);
+};

package/src/app.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import type { ILifecycleBoot, EggCore } from '@eggjs/core';
+import { preprocessConfig } from './lib/utils.js';
+import { SecurityConfig } from './config/config.default.js';
+export default class AgentBoot implements ILifecycleBoot {
+  private readonly app;
+  constructor(app: EggCore) {
+    this.app = app;
+  }
+  configWillLoad() {
+    const app = this.app;
+    app.config.coreMiddleware.push('securities');
+    // parse config and check if config is legal
+    const parsed = SecurityConfig.parse(app.config.security);
+    if (typeof app.config.security.csrf === 'boolean') {
+      // support old config: `config.security.csrf = false`
+      app.config.security.csrf = parsed.csrf;
+    }
+    if (app.config.security.csrf.enable) {
+      const { ignoreJSON } = app.config.security.csrf;
+      if (ignoreJSON) {
+        app.deprecate('[@eggjs/security/app] `config.security.csrf.ignoreJSON` is not safe now, please disable it.');
+      }
+    }
+    preprocessConfig(app.config.security);
+  }
+}