@eggjs/security 4.0.0

package/dist/commonjs/config/config.default.js

@@ -0,0 +1,357 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurityHelperConfig = exports.SecurityConfig = exports.SecurityMiddlewareName = exports.LookupAddress = void 0;
+const zod_1 = __importDefault(require("zod"));
+const core_1 = require("@eggjs/core");
+const CSRFSupportRequestItem = zod_1.default.object({
+    path: zod_1.default.instanceof(RegExp),
+    methods: zod_1.default.array(zod_1.default.string()),
+});
+exports.LookupAddress = zod_1.default.object({
+    address: zod_1.default.string(),
+    family: zod_1.default.number(),
+});
+const LookupAddressAndStringArray = zod_1.default.union([zod_1.default.string(), exports.LookupAddress]).array();
+const SSRFCheckAddressFunction = zod_1.default.function()
+    .args(zod_1.default.union([zod_1.default.string(), exports.LookupAddress, LookupAddressAndStringArray]), zod_1.default.union([zod_1.default.number(), zod_1.default.string()]), zod_1.default.string())
+    .returns(zod_1.default.boolean());
+exports.SecurityMiddlewareName = zod_1.default.enum([
+    'csrf',
+    'hsts',
+    'methodnoallow',
+    'noopen',
+    'nosniff',
+    'csp',
+    'xssProtection',
+    'xframe',
+    'dta',
+]);
+/**
+ * (ctx) => boolean
+ */
+const IgnoreOrMatchHandler = zod_1.default.function().args(zod_1.default.instanceof(core_1.Context)).returns(zod_1.default.boolean());
+const IgnoreOrMatch = zod_1.default.union([
+    zod_1.default.string(), zod_1.default.instanceof(RegExp), IgnoreOrMatchHandler,
+]);
+const IgnoreOrMatchOption = zod_1.default.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional();
+/**
+ * security options
+ * @member Config#security
+ */
+exports.SecurityConfig = zod_1.default.object({
+    /**
+     * domain white list
+     *
+     * Default to `[]`
+     */
+    domainWhiteList: zod_1.default.array(zod_1.default.string()).default([]),
+    /**
+     * protocol white list
+     *
+     * Default to `[]`
+     */
+    protocolWhiteList: zod_1.default.array(zod_1.default.string()).default([]),
+    /**
+     * default open security middleware
+     *
+     * Default to `'csrf,hsts,methodnoallow,noopen,nosniff,csp,xssProtection,xframe,dta'`
+     */
+    defaultMiddleware: zod_1.default.union([zod_1.default.string(), zod_1.default.array(exports.SecurityMiddlewareName)])
+        .default(exports.SecurityMiddlewareName.options),
+    /**
+     * whether defend csrf attack
+     */
+    csrf: zod_1.default.preprocess(val => {
+        // transform old config, `csrf: false` to `csrf: { enable: false }`
+        if (typeof val === 'boolean') {
+            return { enable: val };
+        }
+        return val;
+    }, zod_1.default.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: zod_1.default.boolean().default(true),
+        /**
+         * csrf token detect source type
+         *
+         * Default to `'ctoken'`
+         */
+        type: zod_1.default.enum(['ctoken', 'referer', 'all', 'any']).default('ctoken'),
+        /**
+         * ignore json request
+         *
+         * Default to `false`
+         *
+         * @deprecated is not safe now, don't use it
+         */
+        ignoreJSON: zod_1.default.boolean().default(false),
+        /**
+         * csrf token cookie name
+         *
+         * Default to `'csrfToken'`
+         */
+        cookieName: zod_1.default.union([zod_1.default.string(), zod_1.default.array(zod_1.default.string())]).default('csrfToken'),
+        /**
+         * csrf token session name
+         *
+         * Default to `'csrfToken'`
+         */
+        sessionName: zod_1.default.string().default('csrfToken'),
+        /**
+         * csrf token request header name
+         *
+         * Default to `'x-csrf-token'`
+         */
+        headerName: zod_1.default.string().default('x-csrf-token'),
+        /**
+         * csrf token request body field name
+         *
+         * Default to `'_csrf'`
+         */
+        bodyName: zod_1.default.union([zod_1.default.string(), zod_1.default.array(zod_1.default.string())]).default('_csrf'),
+        /**
+         * csrf token request query field name
+         *
+         * Default to `'_csrf'`
+         */
+        queryName: zod_1.default.union([zod_1.default.string(), zod_1.default.array(zod_1.default.string())]).default('_csrf'),
+        /**
+         * rotate csrf token when it is invalid
+         *
+         * Default to `false`
+         */
+        rotateWhenInvalid: zod_1.default.boolean().default(false),
+        /**
+         * These config works when using `'ctoken'` type
+         *
+         * Default to `false`
+         */
+        useSession: zod_1.default.boolean().default(false),
+        /**
+         * csrf token cookie domain setting,
+         * can be `(ctx) => string` or `string`
+         *
+         * Default to `undefined`, auto set the cookie domain in the safe way
+         */
+        cookieDomain: zod_1.default.union([
+            zod_1.default.string(),
+            zod_1.default.function()
+                .args(zod_1.default.instanceof(core_1.Context))
+                .returns(zod_1.default.string()),
+        ]).optional(),
+        /**
+         * csrf token check requests config
+         */
+        supportedRequests: zod_1.default.array(CSRFSupportRequestItem)
+            .default([
+            { path: /^\//, methods: ['POST', 'PATCH', 'DELETE', 'PUT', 'CONNECT'] },
+        ]),
+        /**
+         * referer or origin header white list.
+         * It only works when using `'referer'` type
+         *
+         * Default to `[]`
+         */
+        refererWhiteList: zod_1.default.array(zod_1.default.string()).default([]),
+        /**
+         * csrf token cookie options
+         *
+         * Default to `{
+         *   signed: false,
+         *   httpOnly: false,
+         *   overwrite: true,
+         * }`
+         */
+        cookieOptions: zod_1.default.object({
+            signed: zod_1.default.boolean(),
+            httpOnly: zod_1.default.boolean(),
+            overwrite: zod_1.default.boolean(),
+        }).default({
+            signed: false,
+            httpOnly: false,
+            overwrite: true,
+        }),
+    }).default({})),
+    /**
+     * whether enable X-Frame-Options response header
+     */
+    xframe: zod_1.default.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: zod_1.default.boolean().default(true),
+        /**
+         * X-Frame-Options value, can be `'DENY'`, `'SAMEORIGIN'`, `'ALLOW-FROM https://example.com'`
+         *
+         * Default to `'SAMEORIGIN'`
+         */
+        value: zod_1.default.string().default('SAMEORIGIN'),
+    }).default({}),
+    /**
+     * whether enable Strict-Transport-Security response header
+     */
+    hsts: zod_1.default.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `false`
+         */
+        enable: zod_1.default.boolean().default(false),
+        /**
+         * Max age of Strict-Transport-Security in seconds
+         *
+         * Default to `365 * 24 * 3600`
+         */
+        maxAge: zod_1.default.number().default(365 * 24 * 3600),
+        /**
+         * Whether include sub domains
+         *
+         * Default to `false`
+         */
+        includeSubdomains: zod_1.default.boolean().default(false),
+    }).default({}),
+    /**
+     * whether enable Http Method filter
+     */
+    methodnoallow: zod_1.default.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: zod_1.default.boolean().default(true),
+    }).default({}),
+    /**
+     * whether enable IE automatically download open
+     */
+    noopen: zod_1.default.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: zod_1.default.boolean().default(true),
+    }).default({}),
+    /**
+     * whether enable IE8 automatically detect mime
+     */
+    nosniff: zod_1.default.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: zod_1.default.boolean().default(true),
+    }).default({}),
+    /**
+     * whether enable IE8 XSS Filter
+     */
+    xssProtection: zod_1.default.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: zod_1.default.boolean().default(true),
+        /**
+         * X-XSS-Protection response header value
+         *
+         * Default to `'1; mode=block'`
+         */
+        value: zod_1.default.coerce.string().default('1; mode=block'),
+    }).default({}),
+    /**
+     * content security policy config
+     */
+    csp: zod_1.default.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `false`
+         */
+        enable: zod_1.default.boolean().default(false),
+        // https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#csp_overview
+        policy: zod_1.default.record(zod_1.default.union([zod_1.default.string(), zod_1.default.array(zod_1.default.string()), zod_1.default.boolean()])).default({}),
+        /**
+         * whether enable report only mode
+         * Default to `undefined`
+         */
+        reportOnly: zod_1.default.boolean().optional(),
+        /**
+         * whether support IE
+         * Default to `undefined`
+         */
+        supportIE: zod_1.default.boolean().optional(),
+    }).default({}),
+    /**
+     * whether enable referrer policy
+     * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+     */
+    referrerPolicy: zod_1.default.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `false`
+         */
+        enable: zod_1.default.boolean().default(false),
+        /**
+         * referrer policy value
+         *
+         * Default to `'no-referrer-when-downgrade'`
+         */
+        value: zod_1.default.string().default('no-referrer-when-downgrade'),
+    }).default({}),
+    /**
+     * whether enable auto avoid directory traversal attack
+     */
+    dta: zod_1.default.object({
+        match: IgnoreOrMatchOption,
+        ignore: IgnoreOrMatchOption,
+        /**
+         * Default to `true`
+         */
+        enable: zod_1.default.boolean().default(true),
+    }).default({}),
+    ssrf: zod_1.default.object({
+        ipBlackList: zod_1.default.array(zod_1.default.string()).optional(),
+        ipExceptionList: zod_1.default.array(zod_1.default.string()).optional(),
+        hostnameExceptionList: zod_1.default.array(zod_1.default.string()).optional(),
+        checkAddress: SSRFCheckAddressFunction.optional(),
+    }).default({}),
+    match: zod_1.default.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional(),
+    ignore: zod_1.default.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional(),
+    __protocolWhiteListSet: zod_1.default.set(zod_1.default.string()).optional().readonly(),
+});
+const SecurityHelperOnTagAttrHandler = zod_1.default.function()
+    .args(zod_1.default.string(), zod_1.default.string(), zod_1.default.string(), zod_1.default.boolean())
+    .returns(zod_1.default.union([zod_1.default.string(), zod_1.default.void()]));
+exports.SecurityHelperConfig = zod_1.default.object({
+    shtml: zod_1.default.object({
+        /**
+         * tag attribute white list
+         */
+        whiteList: zod_1.default.record(zod_1.default.array(zod_1.default.string())).optional(),
+        /**
+         * domain white list
+         * @deprecated use `config.security.domainWhiteList` instead
+         */
+        domainWhiteList: zod_1.default.array(zod_1.default.string()).optional(),
+        /**
+         * tag attribute handler
+         */
+        onTagAttr: SecurityHelperOnTagAttrHandler.optional(),
+    }).default({}),
+});
+exports.default = {
+    security: exports.SecurityConfig.parse({}),
+    helper: exports.SecurityHelperConfig.parse({}),
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmRlZmF1bHQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY29uZmlnL2NvbmZpZy5kZWZhdWx0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7OztBQUFBLDhDQUFvQjtBQUNwQixzQ0FBc0M7QUFFdEMsTUFBTSxzQkFBc0IsR0FBRyxhQUFDLENBQUMsTUFBTSxDQUFDO0lBQ3RDLElBQUksRUFBRSxhQUFDLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQztJQUMxQixPQUFPLEVBQUUsYUFBQyxDQUFDLEtBQUssQ0FBQyxhQUFDLENBQUMsTUFBTSxFQUFFLENBQUM7Q0FDN0IsQ0FBQyxDQUFDO0FBR1UsUUFBQSxhQUFhLEdBQUcsYUFBQyxDQUFDLE1BQU0sQ0FBQztJQUNwQyxPQUFPLEVBQUUsYUFBQyxDQUFDLE1BQU0sRUFBRTtJQUNuQixNQUFNLEVBQUUsYUFBQyxDQUFDLE1BQU0sRUFBRTtDQUNuQixDQUFDLENBQUM7QUFHSCxNQUFNLDJCQUEyQixHQUFHLGFBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBRSxhQUFDLENBQUMsTUFBTSxFQUFFLEVBQUUscUJBQWEsQ0FBRSxDQUFDLENBQUMsS0FBSyxFQUFFLENBQUM7QUFDbkYsTUFBTSx3QkFBd0IsR0FBRyxhQUFDLENBQUMsUUFBUSxFQUFFO0tBQzFDLElBQUksQ0FBQyxhQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsYUFBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLHFCQUFhLEVBQUUsMkJBQTJCLENBQUUsQ0FBQyxFQUFFLGFBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBRSxhQUFDLENBQUMsTUFBTSxFQUFFLEVBQUUsYUFBQyxDQUFDLE1BQU0sRUFBRSxDQUFFLENBQUMsRUFBRSxhQUFDLENBQUMsTUFBTSxFQUFFLENBQUM7S0FDMUgsT0FBTyxDQUFDLGFBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO0FBT1gsUUFBQSxzQkFBc0IsR0FBRyxhQUFDLENBQUMsSUFBSSxDQUFDO0lBQzNDLE1BQU07SUFDTixNQUFNO0lBQ04sZUFBZTtJQUNmLFFBQVE7SUFDUixTQUFTO0lBQ1QsS0FBSztJQUNMLGVBQWU7SUFDZixRQUFRO0lBQ1IsS0FBSztDQUNOLENBQUMsQ0FBQztBQUdIOztHQUVHO0FBQ0gsTUFBTSxvQkFBb0IsR0FBRyxhQUFDLENBQUMsUUFBUSxFQUFFLENBQUMsSUFBSSxDQUFDLGFBQUMsQ0FBQyxVQUFVLENBQUMsY0FBTyxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsYUFBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7QUFHM0YsTUFBTSxhQUFhLEdBQUcsYUFBQyxDQUFDLEtBQUssQ0FBQztJQUM1QixhQUFDLENBQUMsTUFBTSxFQUFFLEVBQUUsYUFBQyxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsRUFBRSxvQkFBb0I7Q0FDdkQsQ0FBQyxDQUFDO0FBR0gsTUFBTSxtQkFBbUIsR0FBRyxhQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsYUFBYSxFQUFFLGFBQWEsQ0FBQyxLQUFLLEVBQUUsQ0FBRSxDQUFDLENBQUMsUUFBUSxFQUFFLENBQUM7QUFHekY7OztHQUdHO0FBQ1UsUUFBQSxjQUFjLEdBQUcsYUFBQyxDQUFDLE1BQU0sQ0FBQztJQUNyQzs7OztPQUlHO0lBQ0gsZUFBZSxFQUFFLGFBQUMsQ0FBQyxLQUFLLENBQUMsYUFBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNoRDs7OztPQUlHO0lBQ0gsaUJBQWlCLEVBQUUsYUFBQyxDQUFDLEtBQUssQ0FBQyxhQUFDLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO0lBQ2xEOzs7O09BSUc7SUFDSCxpQkFBaUIsRUFBRSxhQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsYUFBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLGFBQUMsQ0FBQyxLQUFLLENBQUMsOEJBQXNCLENBQUMsQ0FBRSxDQUFDO1NBQ3hFLE9BQU8sQ0FBQyw4QkFBc0IsQ0FBQyxPQUFPLENBQUM7SUFDMUM7O09BRUc7SUFDSCxJQUFJLEVBQUUsYUFBQyxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsRUFBRTtRQUN2QixtRUFBbUU7UUFDbkUsSUFBSSxPQUFPLEdBQUcsS0FBSyxTQUFTLEVBQUUsQ0FBQztZQUM3QixPQUFPLEVBQUUsTUFBTSxFQUFFLEdBQUcsRUFBRSxDQUFDO1FBQ3pCLENBQUM7UUFDRCxPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUMsRUFBRSxhQUFDLENBQUMsTUFBTSxDQUFDO1FBQ1YsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLGFBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDO1FBQ2pDOzs7O1dBSUc7UUFDSCxJQUFJLEVBQUUsYUFBQyxDQUFDLElBQUksQ0FBQyxDQUFFLFFBQVEsRUFBRSxTQUFTLEVBQUUsS0FBSyxFQUFFLEtBQUssQ0FBRSxDQUFDLENBQUMsT0FBTyxDQUFDLFFBQVEsQ0FBQztRQUNyRTs7Ozs7O1dBTUc7UUFDSCxVQUFVLEVBQUUsYUFBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQyxLQUFLLENBQUM7UUFDdEM7Ozs7V0FJRztRQUNILFVBQVUsRUFBRSxhQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsYUFBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLGFBQUMsQ0FBQyxLQUFLLENBQUMsYUFBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUUsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUM7UUFDN0U7Ozs7V0FJRztRQUNILFdBQVcsRUFBRSxhQUFDLENBQUMsTUFBTSxFQUFFLENBQUMsT0FBTyxDQUFDLFdBQVcsQ0FBQztRQUM1Qzs7OztXQUlHO1FBQ0gsVUFBVSxFQUFFLGFBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxPQUFPLENBQUMsY0FBYyxDQUFDO1FBQzlDOzs7O1dBSUc7UUFDSCxRQUFRLEVBQUUsYUFBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLGFBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxhQUFDLENBQUMsS0FBSyxDQUFDLGFBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFFLENBQUMsQ0FBQyxPQUFPLENBQUMsT0FBTyxDQUFDO1FBQ3ZFOzs7O1dBSUc7UUFDSCxTQUFTLEVBQUUsYUFBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLGFBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxhQUFDLENBQUMsS0FBSyxDQUFDLGFBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFFLENBQUMsQ0FBQyxPQUFPLENBQUMsT0FBTyxDQUFDO1FBQ3hFOzs7O1dBSUc7UUFDSCxpQkFBaUIsRUFBRSxhQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQztRQUM3Qzs7OztXQUlHO1FBQ0gsVUFBVSxFQUFFLGFBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDO1FBQ3RDOzs7OztXQUtHO1FBQ0gsWUFBWSxFQUFFLGFBQUMsQ0FBQyxLQUFLLENBQUM7WUFDcEIsYUFBQyxDQUFDLE1BQU0sRUFBRTtZQUNWLGFBQUMsQ0FBQyxRQUFRLEVBQUU7aUJBQ1QsSUFBSSxDQUFDLGFBQUMsQ0FBQyxVQUFVLENBQUMsY0FBTyxDQUFDLENBQUM7aUJBQzNCLE9BQU8sQ0FBQyxhQUFDLENBQUMsTUFBTSxFQUFFLENBQUM7U0FDdkIsQ0FBQyxDQUFDLFFBQVEsRUFBRTtRQUNiOztXQUVHO1FBQ0gsaUJBQWlCLEVBQUUsYUFBQyxDQUFDLEtBQUssQ0FBQyxzQkFBc0IsQ0FBQzthQUMvQyxPQUFPLENBQUM7WUFDUCxFQUFFLElBQUksRUFBRSxLQUFLLEVBQUUsT0FBTyxFQUFFLENBQUUsTUFBTSxFQUFFLE9BQU8sRUFBRSxRQUFRLEVBQUUsS0FBSyxFQUFFLFNBQVMsQ0FBRSxFQUFFO1NBQzFFLENBQUM7UUFDSjs7Ozs7V0FLRztRQUNILGdCQUFnQixFQUFFLGFBQUMsQ0FBQyxLQUFLLENBQUMsYUFBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztRQUNqRDs7Ozs7Ozs7V0FRRztRQUNILGFBQWEsRUFBRSxhQUFDLENBQUMsTUFBTSxDQUFDO1lBQ3RCLE1BQU0sRUFBRSxhQUFDLENBQUMsT0FBTyxFQUFFO1lBQ25CLFFBQVEsRUFBRSxhQUFDLENBQUMsT0FBTyxFQUFFO1lBQ3JCLFNBQVMsRUFBRSxhQUFDLENBQUMsT0FBTyxFQUFFO1NBQ3ZCLENBQUMsQ0FBQyxPQUFPLENBQUM7WUFDVCxNQUFNLEVBQUUsS0FBSztZQUNiLFFBQVEsRUFBRSxLQUFLO1lBQ2YsU0FBUyxFQUFFLElBQUk7U0FDaEIsQ0FBQztLQUNILENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDLENBQUM7SUFDZjs7T0FFRztJQUNILE1BQU0sRUFBRSxhQUFDLENBQUMsTUFBTSxDQUFDO1FBQ2YsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLGFBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDO1FBQ2pDOzs7O1dBSUc7UUFDSCxLQUFLLEVBQUUsYUFBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLE9BQU8sQ0FBQyxZQUFZLENBQUM7S0FDeEMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7SUFDZDs7T0FFRztJQUNILElBQUksRUFBRSxhQUFDLENBQUMsTUFBTSxDQUFDO1FBQ2IsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLGFBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDO1FBQ2xDOzs7O1dBSUc7UUFDSCxNQUFNLEVBQUUsYUFBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLE9BQU8sQ0FBQyxHQUFHLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQztRQUMzQzs7OztXQUlHO1FBQ0gsaUJBQWlCLEVBQUUsYUFBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQyxLQUFLLENBQUM7S0FDOUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7SUFDZDs7T0FFRztJQUNILGFBQWEsRUFBRSxhQUFDLENBQUMsTUFBTSxDQUFDO1FBQ3RCLEtBQUssRUFBRSxtQkFBbUI7UUFDMUIsTUFBTSxFQUFFLG1CQUFtQjtRQUMzQjs7V0FFRztRQUNILE1BQU0sRUFBRSxhQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQztLQUNsQyxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNkOztPQUVHO0lBQ0gsTUFBTSxFQUFFLGFBQUMsQ0FBQyxNQUFNLENBQUM7UUFDZixLQUFLLEVBQUUsbUJBQW1CO1FBQzFCLE1BQU0sRUFBRSxtQkFBbUI7UUFDM0I7O1dBRUc7UUFDSCxNQUFNLEVBQUUsYUFBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUM7S0FDbEMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7SUFDZDs7T0FFRztJQUNILE9BQU8sRUFBRSxhQUFDLENBQUMsTUFBTSxDQUFDO1FBQ2hCLEtBQUssRUFBRSxtQkFBbUI7UUFDMUIsTUFBTSxFQUFFLG1CQUFtQjtRQUMzQjs7V0FFRztRQUNILE1BQU0sRUFBRSxhQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQztLQUNsQyxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNkOztPQUVHO0lBQ0gsYUFBYSxFQUFFLGFBQUMsQ0FBQyxNQUFNLENBQUM7UUFDdEIsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLGFBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDO1FBQ2pDOzs7O1dBSUc7UUFDSCxLQUFLLEVBQUUsYUFBQyxDQUFDLE1BQU0sQ0FBQyxNQUFNLEVBQUUsQ0FBQyxPQUFPLENBQUMsZUFBZSxDQUFDO0tBQ2xELENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO0lBQ2Q7O09BRUc7SUFDSCxHQUFHLEVBQUUsYUFBQyxDQUFDLE1BQU0sQ0FBQztRQUNaLEtBQUssRUFBRSxtQkFBbUI7UUFDMUIsTUFBTSxFQUFFLG1CQUFtQjtRQUMzQjs7V0FFRztRQUNILE1BQU0sRUFBRSxhQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQztRQUNsQyxxRUFBcUU7UUFDckUsTUFBTSxFQUFFLGFBQUMsQ0FBQyxNQUFNLENBQUMsYUFBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLGFBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxhQUFDLENBQUMsS0FBSyxDQUFDLGFBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxFQUFFLGFBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBRSxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ3ZGOzs7V0FHRztRQUNILFVBQVUsRUFBRSxhQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsUUFBUSxFQUFFO1FBQ2xDOzs7V0FHRztRQUNILFNBQVMsRUFBRSxhQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsUUFBUSxFQUFFO0tBQ2xDLENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO0lBQ2Q7OztPQUdHO0lBQ0gsY0FBYyxFQUFFLGFBQUMsQ0FBQyxNQUFNLENBQUM7UUFDdkIsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLGFBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDO1FBQ2xDOzs7O1dBSUc7UUFDSCxLQUFLLEVBQUUsYUFBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLE9BQU8sQ0FBQyw0QkFBNEIsQ0FBQztLQUN4RCxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNkOztPQUVHO0lBQ0gsR0FBRyxFQUFFLGFBQUMsQ0FBQyxNQUFNLENBQUM7UUFDWixLQUFLLEVBQUUsbUJBQW1CO1FBQzFCLE1BQU0sRUFBRSxtQkFBbUI7UUFDM0I7O1dBRUc7UUFDSCxNQUFNLEVBQUUsYUFBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUM7S0FDbEMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7SUFDZCxJQUFJLEVBQUUsYUFBQyxDQUFDLE1BQU0sQ0FBQztRQUNiLFdBQVcsRUFBRSxhQUFDLENBQUMsS0FBSyxDQUFDLGFBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFDLFFBQVEsRUFBRTtRQUMzQyxlQUFlLEVBQUUsYUFBQyxDQUFDLEtBQUssQ0FBQyxhQUFDLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxRQUFRLEVBQUU7UUFDL0MscUJBQXFCLEVBQUUsYUFBQyxDQUFDLEtBQUssQ0FBQyxhQUFDLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxRQUFRLEVBQUU7UUFDckQsWUFBWSxFQUFFLHdCQUF3QixDQUFDLFFBQVEsRUFBRTtLQUNsRCxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNkLEtBQUssRUFBRSxhQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsYUFBYSxFQUFFLGFBQWEsQ0FBQyxLQUFLLEVBQUUsQ0FBRSxDQUFDLENBQUMsUUFBUSxFQUFFO0lBQ25FLE1BQU0sRUFBRSxhQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsYUFBYSxFQUFFLGFBQWEsQ0FBQyxLQUFLLEVBQUUsQ0FBRSxDQUFDLENBQUMsUUFBUSxFQUFFO0lBQ3BFLHNCQUFzQixFQUFFLGFBQUMsQ0FBQyxHQUFHLENBQUMsYUFBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUMsUUFBUSxFQUFFLENBQUMsUUFBUSxFQUFFO0NBQ2hFLENBQUMsQ0FBQztBQUdILE1BQU0sOEJBQThCLEdBQUcsYUFBQyxDQUFDLFFBQVEsRUFBRTtLQUNoRCxJQUFJLENBQUMsYUFBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLGFBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxhQUFDLENBQUMsTUFBTSxFQUFFLEVBQUUsYUFBQyxDQUFDLE9BQU8sRUFBRSxDQUFDO0tBQ3JELE9BQU8sQ0FBQyxhQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsYUFBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLGFBQUMsQ0FBQyxJQUFJLEVBQUUsQ0FBRSxDQUFDLENBQUMsQ0FBQztBQU9qQyxRQUFBLG9CQUFvQixHQUFHLGFBQUMsQ0FBQyxNQUFNLENBQUM7SUFDM0MsS0FBSyxFQUFFLGFBQUMsQ0FBQyxNQUFNLENBQUM7UUFDZDs7V0FFRztRQUNILFNBQVMsRUFBRSxhQUFDLENBQUMsTUFBTSxDQUFDLGFBQUMsQ0FBQyxLQUFLLENBQUMsYUFBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUMsQ0FBQyxRQUFRLEVBQUU7UUFDbkQ7OztXQUdHO1FBQ0gsZUFBZSxFQUFFLGFBQUMsQ0FBQyxLQUFLLENBQUMsYUFBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUMsUUFBUSxFQUFFO1FBQy9DOztXQUVHO1FBQ0gsU0FBUyxFQUFFLDhCQUE4QixDQUFDLFFBQVEsRUFBRTtLQUNyRCxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztDQUNmLENBQUMsQ0FBQztBQUdILGtCQUFlO0lBQ2IsUUFBUSxFQUFFLHNCQUFjLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztJQUNsQyxNQUFNLEVBQUUsNEJBQW9CLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztDQUN2QyxDQUFDIn0=

package/dist/commonjs/config/config.local.d.ts

@@ -0,0 +1,5 @@
+import { SecurityConfig } from '../types.js';
+declare const _default: {
+    security: SecurityConfig;
+};
+export default _default;

package/dist/commonjs/config/config.local.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = {
+    security: {
+        hsts: {
+            enable: false,
+        },
+    },
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmxvY2FsLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NvbmZpZy9jb25maWcubG9jYWwudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFFQSxrQkFBZTtJQUNiLFFBQVEsRUFBRTtRQUNSLElBQUksRUFBRTtZQUNKLE1BQU0sRUFBRSxLQUFLO1NBQ2Q7S0FDZ0I7Q0FDcEIsQ0FBQyJ9

package/dist/commonjs/index.d.ts

@@ -0,0 +1 @@
+import './types.js';

package/dist/commonjs/index.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+require("./types.js");
+// module.exports = require('./app/middleware/securities');
+// module.exports.csp = require('./lib/middlewares/csp');
+// module.exports.csrf = require('./lib/middlewares/csrf');
+// module.exports.methodNoAllow = require('./lib/middlewares/methodnoallow');
+// module.exports.noopen = require('./lib/middlewares/noopen');
+// module.exports.nosniff = require('./lib/middlewares/nosniff');
+// module.exports.xssProtection = require('./lib/middlewares/xssProtection');
+// module.exports.xframe = require('./lib/middlewares/xframe');
+// module.exports.safeRedirect = require('./lib/safe_redirect');
+// module.exports.utils = require('./lib/utils');
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFBQSxzQkFBb0I7QUFFcEIsMkRBQTJEO0FBQzNELHlEQUF5RDtBQUN6RCwyREFBMkQ7QUFDM0QsNkVBQTZFO0FBQzdFLCtEQUErRDtBQUMvRCxpRUFBaUU7QUFDakUsNkVBQTZFO0FBQzdFLCtEQUErRDtBQUMvRCxnRUFBZ0U7QUFDaEUsaURBQWlEIn0=

package/dist/commonjs/lib/extend/safe_curl.d.ts

@@ -0,0 +1,16 @@
+import { EggCore } from '@eggjs/core';
+import type { SSRFCheckAddressFunction } from '../../types.js';
+type HttpClient = EggCore['HttpClient'];
+type HttpClientParameters = Parameters<HttpClient['prototype']['request']>;
+export type HttpClientRequestURL = HttpClientParameters[0];
+export type HttpClientOptions = HttpClientParameters[1] & {
+    checkAddress?: SSRFCheckAddressFunction;
+};
+export type HttpClientResponse<T = any> = Awaited<ReturnType<HttpClient['prototype']['request']>> & {
+    data: T;
+};
+/**
+ * safe curl with ssrf protection
+ */
+export declare function safeCurlForApplication<T = any>(app: EggCore, url: HttpClientRequestURL, options?: HttpClientOptions): Promise<import("urllib").HttpClientResponse<T>>;
+export {};

package/dist/commonjs/lib/extend/safe_curl.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.safeCurlForApplication = safeCurlForApplication;
+const SSRF_HTTPCLIENT = Symbol('SSRF_HTTPCLIENT');
+/**
+ * safe curl with ssrf protection
+ */
+async function safeCurlForApplication(app, url, options = {}) {
+    const ssrfConfig = app.config.security.ssrf;
+    if (ssrfConfig?.checkAddress) {
+        options.checkAddress = ssrfConfig.checkAddress;
+    }
+    else {
+        app.logger.warn('[@eggjs/security] please configure `config.security.ssrf` first');
+    }
+    if (ssrfConfig?.checkAddress) {
+        let httpClient = app[SSRF_HTTPCLIENT];
+        // use the new httpClient init with checkAddress
+        if (!httpClient) {
+            httpClient = app[SSRF_HTTPCLIENT] = app.createHttpClient({
+                checkAddress: ssrfConfig.checkAddress,
+            });
+        }
+        return await httpClient.request(url, options);
+    }
+    return await app.curl(url, options);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2FmZV9jdXJsLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9leHRlbmQvc2FmZV9jdXJsLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBY0Esd0RBb0JDO0FBL0JELE1BQU0sZUFBZSxHQUFHLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDO0FBUWxEOztHQUVHO0FBQ0ksS0FBSyxVQUFVLHNCQUFzQixDQUFVLEdBQVksRUFBRSxHQUF5QixFQUFFLFVBQTZCLEVBQUU7SUFDNUgsTUFBTSxVQUFVLEdBQUcsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO0lBQzVDLElBQUksVUFBVSxFQUFFLFlBQVksRUFBRSxDQUFDO1FBQzdCLE9BQU8sQ0FBQyxZQUFZLEdBQUcsVUFBVSxDQUFDLFlBQVksQ0FBQztJQUNqRCxDQUFDO1NBQU0sQ0FBQztRQUNOLEdBQUcsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLGlFQUFpRSxDQUFDLENBQUM7SUFDckYsQ0FBQztJQUVELElBQUksVUFBVSxFQUFFLFlBQVksRUFBRSxDQUFDO1FBQzdCLElBQUksVUFBVSxHQUFHLEdBQUcsQ0FBQyxlQUFlLENBQTRDLENBQUM7UUFDakYsZ0RBQWdEO1FBQ2hELElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztZQUNoQixVQUFVLEdBQUcsR0FBRyxDQUFDLGVBQWUsQ0FBQyxHQUFHLEdBQUcsQ0FBQyxnQkFBZ0IsQ0FBQztnQkFDdkQsWUFBWSxFQUFFLFVBQVUsQ0FBQyxZQUFZO2FBQ3RDLENBQUMsQ0FBQztRQUNMLENBQUM7UUFDRCxPQUFPLE1BQU0sVUFBVSxDQUFDLE9BQU8sQ0FBSSxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7SUFDbkQsQ0FBQztJQUVELE9BQU8sTUFBTSxHQUFHLENBQUMsSUFBSSxDQUFJLEdBQUcsRUFBRSxPQUFPLENBQUMsQ0FBQztBQUN6QyxDQUFDIn0=

package/dist/commonjs/lib/helper/cliFilter.d.ts

@@ -0,0 +1,4 @@
+/**
+ * remote command execution
+ */
+export default function cliFilter(text: string): string;

package/dist/commonjs/lib/helper/cliFilter.js

@@ -0,0 +1,20 @@
+"use strict";
+/**
+ * remote command execution
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = cliFilter;
+const BASIC_ALPHABETS = new Set('abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ.-_'.split(''));
+function cliFilter(text) {
+    const str = '' + text;
+    let res = '';
+    let ascii;
+    for (let index = 0; index < str.length; index++) {
+        ascii = str[index];
+        if (BASIC_ALPHABETS.has(ascii)) {
+            res += ascii;
+        }
+    }
+    return res;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xpRmlsdGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvY2xpRmlsdGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7QUFBQTs7R0FFRzs7QUFJSCw0QkFhQztBQWZELE1BQU0sZUFBZSxHQUFHLElBQUksR0FBRyxDQUFDLG1FQUFtRSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO0FBRS9HLFNBQXdCLFNBQVMsQ0FBQyxJQUFZO0lBQzVDLE1BQU0sR0FBRyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUM7SUFDdEIsSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO0lBQ2IsSUFBSSxLQUFLLENBQUM7SUFFVixLQUFLLElBQUksS0FBSyxHQUFHLENBQUMsRUFBRSxLQUFLLEdBQUcsR0FBRyxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsRUFBRSxDQUFDO1FBQ2hELEtBQUssR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDbkIsSUFBSSxlQUFlLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDL0IsR0FBRyxJQUFJLEtBQUssQ0FBQztRQUNmLENBQUM7SUFDSCxDQUFDO0lBRUQsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDIn0=

package/dist/commonjs/lib/helper/escape.d.ts

@@ -0,0 +1,2 @@
+import escapeHTML from 'escape-html';
+export default escapeHTML;

package/dist/commonjs/lib/helper/escape.js

@@ -0,0 +1,8 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const escape_html_1 = __importDefault(require("escape-html"));
+exports.default = escape_html_1.default;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvZXNjYXBlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7O0FBQUEsOERBQXFDO0FBRXJDLGtCQUFlLHFCQUFVLENBQUMifQ==

package/dist/commonjs/lib/helper/escapeShellArg.d.ts

@@ -0,0 +1 @@
+export default function escapeShellArg(text: string): string;

package/dist/commonjs/lib/helper/escapeShellArg.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = escapeShellArg;
+function escapeShellArg(text) {
+    const str = '' + text;
+    return '\'' + str.replace(/\\/g, '\\\\').replace(/\'/g, '\\\'') + '\'';
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlU2hlbGxBcmcuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9lc2NhcGVTaGVsbEFyZy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUFBLGlDQUdDO0FBSEQsU0FBd0IsY0FBYyxDQUFDLElBQVk7SUFDakQsTUFBTSxHQUFHLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQztJQUN0QixPQUFPLElBQUksR0FBRyxHQUFHLENBQUMsT0FBTyxDQUFDLEtBQUssRUFBRSxNQUFNLENBQUMsQ0FBQyxPQUFPLENBQUMsS0FBSyxFQUFFLE1BQU0sQ0FBQyxHQUFHLElBQUksQ0FBQztBQUN6RSxDQUFDIn0=

package/dist/commonjs/lib/helper/escapeShellCmd.d.ts

@@ -0,0 +1 @@
+export default function escapeShellCmd(text: string): string;

package/dist/commonjs/lib/helper/escapeShellCmd.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = escapeShellCmd;
+const BASIC_ALPHABETS = new Set('#&;`|*?~<>^()[]{}$;\'",\x0A\xFF'.split(''));
+function escapeShellCmd(text) {
+    const str = '' + text;
+    let res = '';
+    let ascii;
+    for (let index = 0; index < str.length; index++) {
+        ascii = str[index];
+        if (!BASIC_ALPHABETS.has(ascii)) {
+            res += ascii;
+        }
+    }
+    return res;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlU2hlbGxDbWQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9lc2NhcGVTaGVsbENtZC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUVBLGlDQWFDO0FBZkQsTUFBTSxlQUFlLEdBQUcsSUFBSSxHQUFHLENBQUMsaUNBQWlDLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7QUFFN0UsU0FBd0IsY0FBYyxDQUFDLElBQVk7SUFDakQsTUFBTSxHQUFHLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQztJQUN0QixJQUFJLEdBQUcsR0FBRyxFQUFFLENBQUM7SUFDYixJQUFJLEtBQUssQ0FBQztJQUVWLEtBQUssSUFBSSxLQUFLLEdBQUcsQ0FBQyxFQUFFLEtBQUssR0FBRyxHQUFHLENBQUMsTUFBTSxFQUFFLEtBQUssRUFBRSxFQUFFLENBQUM7UUFDaEQsS0FBSyxHQUFHLEdBQUcsQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUNuQixJQUFJLENBQUMsZUFBZSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQ2hDLEdBQUcsSUFBSSxLQUFLLENBQUM7UUFDZixDQUFDO0lBQ0gsQ0FBQztJQUVELE9BQU8sR0FBRyxDQUFDO0FBQ2IsQ0FBQyJ9

package/dist/commonjs/lib/helper/index.d.ts

@@ -0,0 +1,21 @@
+import cliFilter from './cliFilter.js';
+import escape from './escape.js';
+import escapeShellArg from './escapeShellArg.js';
+import escapeShellCmd from './escapeShellCmd.js';
+import shtml from './shtml.js';
+import sjs from './sjs.js';
+import sjson from './sjson.js';
+import spath from './spath.js';
+import surl from './surl.js';
+declare const _default: {
+    cliFilter: typeof cliFilter;
+    escape: typeof escape;
+    escapeShellArg: typeof escapeShellArg;
+    escapeShellCmd: typeof escapeShellCmd;
+    shtml: typeof shtml;
+    sjs: typeof sjs;
+    sjson: typeof sjson;
+    spath: typeof spath;
+    surl: typeof surl;
+};
+export default _default;

package/dist/commonjs/lib/helper/index.js

@@ -0,0 +1,26 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const cliFilter_js_1 = __importDefault(require("./cliFilter.js"));
+const escape_js_1 = __importDefault(require("./escape.js"));
+const escapeShellArg_js_1 = __importDefault(require("./escapeShellArg.js"));
+const escapeShellCmd_js_1 = __importDefault(require("./escapeShellCmd.js"));
+const shtml_js_1 = __importDefault(require("./shtml.js"));
+const sjs_js_1 = __importDefault(require("./sjs.js"));
+const sjson_js_1 = __importDefault(require("./sjson.js"));
+const spath_js_1 = __importDefault(require("./spath.js"));
+const surl_js_1 = __importDefault(require("./surl.js"));
+exports.default = {
+    cliFilter: cliFilter_js_1.default,
+    escape: escape_js_1.default,
+    escapeShellArg: escapeShellArg_js_1.default,
+    escapeShellCmd: escapeShellCmd_js_1.default,
+    shtml: shtml_js_1.default,
+    sjs: sjs_js_1.default,
+    sjson: sjson_js_1.default,
+    spath: spath_js_1.default,
+    surl: surl_js_1.default,
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQUFBLGtFQUF1QztBQUN2Qyw0REFBaUM7QUFDakMsNEVBQWlEO0FBQ2pELDRFQUFpRDtBQUNqRCwwREFBK0I7QUFDL0Isc0RBQTJCO0FBQzNCLDBEQUErQjtBQUMvQiwwREFBK0I7QUFDL0Isd0RBQTZCO0FBRTdCLGtCQUFlO0lBQ2IsU0FBUyxFQUFULHNCQUFTO0lBQ1QsTUFBTSxFQUFOLG1CQUFNO0lBQ04sY0FBYyxFQUFkLDJCQUFjO0lBQ2QsY0FBYyxFQUFkLDJCQUFjO0lBQ2QsS0FBSyxFQUFMLGtCQUFLO0lBQ0wsR0FBRyxFQUFILGdCQUFHO0lBQ0gsS0FBSyxFQUFMLGtCQUFLO0lBQ0wsS0FBSyxFQUFMLGtCQUFLO0lBQ0wsSUFBSSxFQUFKLGlCQUFJO0NBQ0wsQ0FBQyJ9

package/dist/commonjs/lib/helper/shtml.d.ts

@@ -0,0 +1,2 @@
+import type { BaseContextClass } from '@eggjs/core';
+export default function shtml(this: BaseContextClass, val: string): string;