npm - @eggjs/security - Versions diffs - 4.0.1 → 5.0.0-beta.15 - Mend

@eggjs/security 4.0.1 → 5.0.0-beta.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

package/README.md +46 -66
package/README.zh-CN.md +56 -68
package/dist/agent.d.ts +10 -0
package/dist/agent.js +15 -0
package/dist/app/extend/agent.d.ts +14 -0
package/dist/app/extend/agent.js +12 -0
package/dist/app/extend/application.d.ts +20 -0
package/dist/app/extend/application.js +32 -0
package/dist/app/extend/context.d.ts +74 -0
package/dist/app/extend/context.js +191 -0
package/dist/app/extend/helper.d.ts +24 -0
package/dist/app/extend/helper.js +7 -0
package/dist/app/extend/response.d.ts +45 -0
package/dist/app/extend/response.js +70 -0
package/dist/app/middleware/securities.d.ts +8 -0
package/dist/app/middleware/securities.js +39 -0
package/dist/app.d.ts +10 -0
package/dist/app.js +24 -0
package/dist/config/config.default.d.ts +874 -0
package/dist/config/config.default.js +170 -0
package/dist/config/config.local.d.ts +6 -0
package/dist/config/config.local.js +5 -0
package/dist/index.d.ts +1 -0
package/dist/index.js +3 -0
package/dist/lib/extend/safe_curl.d.ts +20 -0
package/dist/lib/extend/safe_curl.js +19 -0
package/dist/lib/helper/cliFilter.d.ts +7 -0
package/dist/lib/helper/cliFilter.js +18 -0
package/dist/lib/helper/escape.d.ts +2 -0
package/dist/lib/helper/escape.js +7 -0
package/dist/lib/helper/escapeShellArg.d.ts +4 -0
package/dist/lib/helper/escapeShellArg.js +7 -0
package/dist/lib/helper/escapeShellCmd.d.ts +4 -0
package/dist/lib/helper/escapeShellCmd.js +15 -0
package/dist/lib/helper/index.d.ts +24 -0
package/dist/lib/helper/index.js +25 -0
package/dist/lib/helper/shtml.d.ts +6 -0
package/dist/lib/helper/shtml.js +53 -0
package/dist/lib/helper/sjs.d.ts +7 -0
package/dist/lib/helper/sjs.js +36 -0
package/dist/lib/helper/sjson.d.ts +4 -0
package/dist/lib/helper/sjson.js +32 -0
package/dist/lib/helper/spath.d.ts +7 -0
package/dist/lib/helper/spath.js +16 -0
package/dist/lib/helper/surl.d.ts +6 -0
package/dist/lib/helper/surl.js +25 -0
package/dist/lib/middlewares/csp.d.ts +7 -0
package/dist/lib/middlewares/csp.js +46 -0
package/dist/lib/middlewares/csrf.d.ts +7 -0
package/dist/lib/middlewares/csrf.js +33 -0
package/dist/lib/middlewares/dta.d.ts +6 -0
package/dist/lib/middlewares/dta.js +13 -0
package/dist/lib/middlewares/hsts.d.ts +7 -0
package/dist/lib/middlewares/hsts.js +19 -0
package/dist/lib/middlewares/index.d.ts +18 -0
package/dist/lib/middlewares/index.js +27 -0
package/dist/lib/middlewares/methodnoallow.d.ts +6 -0
package/dist/lib/middlewares/methodnoallow.js +15 -0
package/dist/lib/middlewares/noopen.d.ts +7 -0
package/dist/lib/middlewares/noopen.js +17 -0
package/dist/lib/middlewares/nosniff.d.ts +7 -0
package/dist/lib/middlewares/nosniff.js +27 -0
package/dist/lib/middlewares/referrerPolicy.d.ts +7 -0
package/dist/lib/middlewares/referrerPolicy.js +31 -0
package/dist/lib/middlewares/xframe.d.ts +7 -0
package/dist/lib/middlewares/xframe.js +18 -0
package/dist/lib/middlewares/xssProtection.d.ts +7 -0
package/dist/lib/middlewares/xssProtection.js +17 -0
package/dist/lib/utils.d.ts +24 -0
package/dist/lib/utils.js +127 -0
package/dist/types.d.ts +12 -0
package/dist/types.js +5 -0
package/package.json +74 -70
package/dist/commonjs/agent.d.ts +0 -6
package/dist/commonjs/agent.js +0 -14
package/dist/commonjs/app/extend/agent.d.ts +0 -5
package/dist/commonjs/app/extend/agent.js +0 -11
package/dist/commonjs/app/extend/application.d.ts +0 -16
package/dist/commonjs/app/extend/application.js +0 -35
package/dist/commonjs/app/extend/context.d.ts +0 -68
package/dist/commonjs/app/extend/context.js +0 -283
package/dist/commonjs/app/extend/helper.d.ts +0 -12
package/dist/commonjs/app/extend/helper.js +0 -10
package/dist/commonjs/app/extend/response.d.ts +0 -41
package/dist/commonjs/app/extend/response.js +0 -85
package/dist/commonjs/app/middleware/securities.d.ts +0 -4
package/dist/commonjs/app/middleware/securities.js +0 -55
package/dist/commonjs/app.d.ts +0 -6
package/dist/commonjs/app.js +0 -29
package/dist/commonjs/config/config.default.d.ts +0 -871
package/dist/commonjs/config/config.default.js +0 -357
package/dist/commonjs/config/config.local.d.ts +0 -5
package/dist/commonjs/config/config.local.js +0 -10
package/dist/commonjs/index.d.ts +0 -1
package/dist/commonjs/index.js +0 -4
package/dist/commonjs/lib/extend/safe_curl.d.ts +0 -16
package/dist/commonjs/lib/extend/safe_curl.js +0 -28
package/dist/commonjs/lib/helper/cliFilter.d.ts +0 -4
package/dist/commonjs/lib/helper/cliFilter.js +0 -20
package/dist/commonjs/lib/helper/escape.d.ts +0 -2
package/dist/commonjs/lib/helper/escape.js +0 -8
package/dist/commonjs/lib/helper/escapeShellArg.d.ts +0 -1
package/dist/commonjs/lib/helper/escapeShellArg.js +0 -8
package/dist/commonjs/lib/helper/escapeShellCmd.d.ts +0 -1
package/dist/commonjs/lib/helper/escapeShellCmd.js +0 -17
package/dist/commonjs/lib/helper/index.d.ts +0 -21
package/dist/commonjs/lib/helper/index.js +0 -26
package/dist/commonjs/lib/helper/shtml.d.ts +0 -2
package/dist/commonjs/lib/helper/shtml.js +0 -76
package/dist/commonjs/lib/helper/sjs.d.ts +0 -4
package/dist/commonjs/lib/helper/sjs.js +0 -52
package/dist/commonjs/lib/helper/sjson.d.ts +0 -1
package/dist/commonjs/lib/helper/sjson.js +0 -45
package/dist/commonjs/lib/helper/spath.d.ts +0 -5
package/dist/commonjs/lib/helper/spath.js +0 -28
package/dist/commonjs/lib/helper/surl.d.ts +0 -2
package/dist/commonjs/lib/helper/surl.js +0 -33
package/dist/commonjs/lib/middlewares/csp.d.ts +0 -4
package/dist/commonjs/lib/middlewares/csp.js +0 -68
package/dist/commonjs/lib/middlewares/csrf.d.ts +0 -4
package/dist/commonjs/lib/middlewares/csrf.js +0 -42
package/dist/commonjs/lib/middlewares/dta.d.ts +0 -3
package/dist/commonjs/lib/middlewares/dta.js +0 -14
package/dist/commonjs/lib/middlewares/hsts.d.ts +0 -4
package/dist/commonjs/lib/middlewares/hsts.js +0 -23
package/dist/commonjs/lib/middlewares/index.d.ts +0 -13
package/dist/commonjs/lib/middlewares/index.js +0 -28
package/dist/commonjs/lib/middlewares/methodnoallow.d.ts +0 -3
package/dist/commonjs/lib/middlewares/methodnoallow.js +0 -22
package/dist/commonjs/lib/middlewares/noopen.d.ts +0 -4
package/dist/commonjs/lib/middlewares/noopen.js +0 -17
package/dist/commonjs/lib/middlewares/nosniff.d.ts +0 -4
package/dist/commonjs/lib/middlewares/nosniff.js +0 -30
package/dist/commonjs/lib/middlewares/referrerPolicy.d.ts +0 -4
package/dist/commonjs/lib/middlewares/referrerPolicy.js +0 -36
package/dist/commonjs/lib/middlewares/xframe.d.ts +0 -4
package/dist/commonjs/lib/middlewares/xframe.js +0 -19
package/dist/commonjs/lib/middlewares/xssProtection.d.ts +0 -4
package/dist/commonjs/lib/middlewares/xssProtection.js +0 -16
package/dist/commonjs/lib/utils.d.ts +0 -19
package/dist/commonjs/lib/utils.js +0 -206
package/dist/commonjs/package.json +0 -3
package/dist/commonjs/types.d.ts +0 -10
package/dist/commonjs/types.js +0 -5
package/dist/esm/agent.d.ts +0 -6
package/dist/esm/agent.js +0 -11
package/dist/esm/app/extend/agent.d.ts +0 -5
package/dist/esm/app/extend/agent.js +0 -8
package/dist/esm/app/extend/application.d.ts +0 -16
package/dist/esm/app/extend/application.js +0 -32
package/dist/esm/app/extend/context.d.ts +0 -68
package/dist/esm/app/extend/context.js +0 -244
package/dist/esm/app/extend/helper.d.ts +0 -12
package/dist/esm/app/extend/helper.js +0 -5
package/dist/esm/app/extend/response.d.ts +0 -41
package/dist/esm/app/extend/response.js +0 -82
package/dist/esm/app/middleware/securities.d.ts +0 -4
package/dist/esm/app/middleware/securities.js +0 -50
package/dist/esm/app.d.ts +0 -6
package/dist/esm/app.js +0 -26
package/dist/esm/config/config.default.d.ts +0 -871
package/dist/esm/config/config.default.js +0 -351
package/dist/esm/config/config.local.d.ts +0 -5
package/dist/esm/config/config.local.js +0 -8
package/dist/esm/index.d.ts +0 -1
package/dist/esm/index.js +0 -2
package/dist/esm/lib/extend/safe_curl.d.ts +0 -16
package/dist/esm/lib/extend/safe_curl.js +0 -25
package/dist/esm/lib/helper/cliFilter.d.ts +0 -4
package/dist/esm/lib/helper/cliFilter.js +0 -17
package/dist/esm/lib/helper/escape.d.ts +0 -2
package/dist/esm/lib/helper/escape.js +0 -3
package/dist/esm/lib/helper/escapeShellArg.d.ts +0 -1
package/dist/esm/lib/helper/escapeShellArg.js +0 -5
package/dist/esm/lib/helper/escapeShellCmd.d.ts +0 -1
package/dist/esm/lib/helper/escapeShellCmd.js +0 -14
package/dist/esm/lib/helper/index.d.ts +0 -21
package/dist/esm/lib/helper/index.js +0 -21
package/dist/esm/lib/helper/shtml.d.ts +0 -2
package/dist/esm/lib/helper/shtml.js +0 -70
package/dist/esm/lib/helper/sjs.d.ts +0 -4
package/dist/esm/lib/helper/sjs.js +0 -49
package/dist/esm/lib/helper/sjson.d.ts +0 -1
package/dist/esm/lib/helper/sjson.js +0 -39
package/dist/esm/lib/helper/spath.d.ts +0 -5
package/dist/esm/lib/helper/spath.js +0 -25
package/dist/esm/lib/helper/surl.d.ts +0 -2
package/dist/esm/lib/helper/surl.js +0 -30
package/dist/esm/lib/middlewares/csp.d.ts +0 -4
package/dist/esm/lib/middlewares/csp.js +0 -63
package/dist/esm/lib/middlewares/csrf.d.ts +0 -4
package/dist/esm/lib/middlewares/csrf.js +0 -37
package/dist/esm/lib/middlewares/dta.d.ts +0 -3
package/dist/esm/lib/middlewares/dta.js +0 -12
package/dist/esm/lib/middlewares/hsts.d.ts +0 -4
package/dist/esm/lib/middlewares/hsts.js +0 -21
package/dist/esm/lib/middlewares/index.d.ts +0 -13
package/dist/esm/lib/middlewares/index.js +0 -23
package/dist/esm/lib/middlewares/methodnoallow.d.ts +0 -3
package/dist/esm/lib/middlewares/methodnoallow.js +0 -20
package/dist/esm/lib/middlewares/noopen.d.ts +0 -4
package/dist/esm/lib/middlewares/noopen.js +0 -15
package/dist/esm/lib/middlewares/nosniff.d.ts +0 -4
package/dist/esm/lib/middlewares/nosniff.js +0 -28
package/dist/esm/lib/middlewares/referrerPolicy.d.ts +0 -4
package/dist/esm/lib/middlewares/referrerPolicy.js +0 -34
package/dist/esm/lib/middlewares/xframe.d.ts +0 -4
package/dist/esm/lib/middlewares/xframe.js +0 -17
package/dist/esm/lib/middlewares/xssProtection.d.ts +0 -4
package/dist/esm/lib/middlewares/xssProtection.js +0 -14
package/dist/esm/lib/utils.d.ts +0 -19
package/dist/esm/lib/utils.js +0 -194
package/dist/esm/package.json +0 -3
package/dist/esm/types.d.ts +0 -10
package/dist/esm/types.js +0 -3
package/dist/package.json +0 -4
package/src/agent.ts +0 -14
package/src/app/extend/agent.ts +0 -14
package/src/app/extend/application.ts +0 -51
package/src/app/extend/context.ts +0 -285
package/src/app/extend/helper.ts +0 -5
package/src/app/extend/response.ts +0 -95
package/src/app/middleware/securities.ts +0 -63
package/src/app.ts +0 -31
package/src/config/config.default.ts +0 -379
package/src/config/config.local.ts +0 -9
package/src/index.ts +0 -1
package/src/lib/extend/safe_curl.ts +0 -35
package/src/lib/helper/cliFilter.ts +0 -20
package/src/lib/helper/escape.ts +0 -3
package/src/lib/helper/escapeShellArg.ts +0 -4
package/src/lib/helper/escapeShellCmd.ts +0 -16
package/src/lib/helper/index.ts +0 -21
package/src/lib/helper/shtml.ts +0 -77
package/src/lib/helper/sjs.ts +0 -57
package/src/lib/helper/sjson.ts +0 -35
package/src/lib/helper/spath.ts +0 -27
package/src/lib/helper/surl.ts +0 -35
package/src/lib/middlewares/csp.ts +0 -70
package/src/lib/middlewares/csrf.ts +0 -44
package/src/lib/middlewares/dta.ts +0 -13
package/src/lib/middlewares/hsts.ts +0 -24
package/src/lib/middlewares/index.ts +0 -23
package/src/lib/middlewares/methodnoallow.ts +0 -23
package/src/lib/middlewares/noopen.ts +0 -18
package/src/lib/middlewares/nosniff.ts +0 -32
package/src/lib/middlewares/referrerPolicy.ts +0 -39
package/src/lib/middlewares/xframe.ts +0 -20
package/src/lib/middlewares/xssProtection.ts +0 -17
package/src/lib/utils.ts +0 -208
package/src/types.ts +0 -16
package/src/typings/index.d.ts +0 -4

package/src/lib/helper/shtml.ts DELETED Viewed

@@ -1,77 +0,0 @@
-import type { BaseContextClass } from '@eggjs/core';
-import xss from 'xss';
-import { isSafeDomain, getFromUrl } from '../utils.js';
-import type { SecurityHelperOnTagAttrHandler } from '../../types.js';
-const BUILD_IN_ON_TAG_ATTR = Symbol('buildInOnTagAttr');
-// default rule: https://github.com/leizongmin/js-xss/blob/master/lib/default.js
-// add domain filter based on xss module
-// custom options http://jsxss.com/zh/options.html
-// eg: support a tag，filter attributes except for title : whiteList: {a: ['title']}
-export default function shtml(this: BaseContextClass, val: string) {
-  if (typeof val !== 'string') {
-    return val;
-  }
-  const securityOptions = this.ctx.securityOptions;
-  let buildInOnTagAttrHandler: SecurityHelperOnTagAttrHandler | undefined;
-  const shtmlConfig = {
-    ...this.app.config.helper.shtml,
-    ...securityOptions.shtml,
-    [BUILD_IN_ON_TAG_ATTR]: buildInOnTagAttrHandler,
-  };
-  const domainWhiteList = this.app.config.security.domainWhiteList;
-  const app = this.app;
-  // filter href and src attribute if not in domain white list
-  if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
-    shtmlConfig[BUILD_IN_ON_TAG_ATTR] = (_tag, name, value, isWhiteAttr) => {
-      if (isWhiteAttr && (name === 'href' || name === 'src')) {
-        if (!value) {
-          return;
-        }
-        value = String(value);
-        if (value[0] === '/' || value[0] === '#') {
-          return;
-        }
-        const hostname = getFromUrl(value, 'hostname');
-        if (!hostname) {
-          return;
-        }
-        // If we don't have our hostname in the app.security.domainWhiteList,
-        // Just check for `shtmlConfig.domainWhiteList` and `ctx.whiteList`.
-        if (!isSafeDomain(hostname, domainWhiteList)) {
-          // Check for `shtmlConfig.domainWhiteList` first (duplicated now)
-          if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length > 0) {
-            app.deprecate('[@eggjs/security/lib/helper/shtml] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.');
-            if (!isSafeDomain(hostname, shtmlConfig.domainWhiteList)) {
-              return '';
-            }
-          } else {
-            return '';
-          }
-        }
-      }
-    };
-    // avoid overriding user configuration 'onTagAttr'
-    if (shtmlConfig.onTagAttr) {
-      const customOnTagAttrHandler = shtmlConfig.onTagAttr;
-      shtmlConfig.onTagAttr = function(tag, name, value, isWhiteAttr) {
-        const result = customOnTagAttrHandler.apply(this, [ tag, name, value, isWhiteAttr ]);
-        if (result !== undefined) {
-          return result;
-        }
-        // fallback to build-in handler
-        return shtmlConfig[BUILD_IN_ON_TAG_ATTR]!.apply(this, [ tag, name, value, isWhiteAttr ]);
-      };
-    } else {
-      shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
-    }
-  }
-  return xss(val, shtmlConfig);
-}

package/src/lib/helper/sjs.ts DELETED Viewed

@@ -1,57 +0,0 @@
-/**
- * Escape JavaScript to \xHH format
- */
-// escape \x00-\x7f
-// except 0-9,A-Z,a-z(\x2f-\x3a \x40-\x5b \x60-\x7b)
-// eslint-disable-next-line
-const MATCH_VULNERABLE_REGEXP = /[\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]/;
-// eslint-enable-next-line
-const BASIC_ALPHABETS = new Set('abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'.split(''));
-const map: Record<string, string> = {
-  '\t': '\\t',
-  '\n': '\\n',
-  '\r': '\\r',
-};
-export default function escapeJavaScript(text: string) {
-  const str = '' + text;
-  const match = MATCH_VULNERABLE_REGEXP.exec(str);
-  if (!match) {
-    return str;
-  }
-  let res = '';
-  let index = 0;
-  let lastIndex = 0;
-  let ascii;
-  for (index = match.index; index < str.length; index++) {
-    ascii = str[index];
-    if (BASIC_ALPHABETS.has(ascii)) {
-      continue;
-    } else {
-      if (map[ascii] === undefined) {
-        const code = ascii.charCodeAt(0);
-        if (code > 127) {
-          continue;
-        } else {
-          map[ascii] = '\\x' + code.toString(16);
-        }
-      }
-    }
-    if (lastIndex !== index) {
-      res += str.substring(lastIndex, index);
-    }
-    lastIndex = index + 1;
-    res += map[ascii];
-  }
-  return lastIndex !== index ? res + str.substring(lastIndex, index) : res;
-}

package/src/lib/helper/sjson.ts DELETED Viewed

@@ -1,35 +0,0 @@
-import sjs from './sjs.js';
-/**
- * escape json
- * for output json in script
- */
-function sanitizeKey(obj: any) {
-  if (typeof obj !== 'object') return obj;
-  if (Array.isArray(obj)) return obj;
-  if (obj === null) return null;
-  if (typeof obj === 'boolean') return obj;
-  if (typeof obj === 'number') return obj;
-  if (Buffer.isBuffer(obj)) return obj.toString();
-  for (const k in obj) {
-    const escapedK = sjs(k);
-    if (escapedK !== k) {
-      obj[escapedK] = sanitizeKey(obj[k]);
-      obj[k] = undefined;
-    } else {
-      obj[k] = sanitizeKey(obj[k]);
-    }
-  }
-  return obj;
-}
-export default function jsonEscape(obj: any) {
-  return JSON.stringify(sanitizeKey(obj), (_k, v) => {
-    if (typeof v === 'string') {
-      return sjs(v);
-    }
-    return v;
-  });
-}

package/src/lib/helper/spath.ts DELETED Viewed

@@ -1,27 +0,0 @@
-/**
- * File Inclusion
- */
-import type { BaseContextClass } from '@eggjs/core';
-export default function pathFilter(this: BaseContextClass, path: string) {
-  if (typeof path !== 'string') return path;
-  const pathSource = path;
-  while (path.indexOf('%') !== -1) {
-    try {
-      path = decodeURIComponent(path);
-    } catch (e) {
-      if (process.env.NODE_ENV !== 'production') {
-        // Not a PROD env, logging with a warning.
-        this.ctx.coreLogger.warn('[@eggjs/security/lib/helper/spath] : decode file path %j failed.', path);
-      }
-      break;
-    }
-  }
-  if (path.indexOf('..') !== -1 || path[0] === '/') {
-    return null;
-  }
-  return pathSource;
-}

package/src/lib/helper/surl.ts DELETED Viewed

@@ -1,35 +0,0 @@
-import type { BaseContextClass } from '@eggjs/core';
-const escapeMap: Record<string, string> = {
-  '"': '&quot;',
-  '<': '&lt;',
-  '>': '&gt;',
-  '\'': '&#x27;',
-};
-export default function surl(this: BaseContextClass, val: string) {
-  // Just get the converted the protocolWhiteList in `Set` mode,
-  // Avoid conversions in `foreach`
-  const protocolWhiteListSet = this.app.config.security.__protocolWhiteListSet!;
-  if (typeof val !== 'string') {
-    return val;
-  }
-  // only test on absolute path
-  if (val[0] !== '/') {
-    const arr = val.split('://', 2);
-    const protocol = arr.length > 1 ? arr[0].toLowerCase() : '';
-    if (protocol === '' || !protocolWhiteListSet.has(protocol)) {
-      if (this.app.config.env === 'local') {
-        this.ctx.coreLogger.warn('[@eggjs/security/surl] url: %j, protocol: %j, ' +
-          'protocol is empty or not in white list, convert to empty string', val, protocol);
-      }
-      return '';
-    }
-  }
-  return val.replace(/["'<>]/g, ch => {
-    return escapeMap[ch];
-  });
-}

package/src/lib/middlewares/csp.ts DELETED Viewed

@@ -1,70 +0,0 @@
-import extend from 'extend';
-import type { Context, Next } from '@eggjs/core';
-import { checkIfIgnore } from '../utils.js';
-import type { SecurityConfig } from '../../types.js';
-const HEADER = [
-  'x-content-security-policy',
-  'content-security-policy',
-];
-const REPORT_ONLY_HEADER = [
-  'x-content-security-policy-report-only',
-  'content-security-policy-report-only',
-];
-// Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
-const MSIE_REGEXP = / MSIE /i;
-export default (options: SecurityConfig['csp']) => {
-  return async function csp(ctx: Context, next: Next) {
-    await next();
-    const opts = {
-      ...options,
-      ...ctx.securityOptions.csp,
-    };
-    if (checkIfIgnore(opts, ctx)) return;
-    let finalHeader;
-    const matchedOption = extend(true, {}, opts.policy);
-    const bufArray = [];
-    const headers = opts.reportOnly ? REPORT_ONLY_HEADER : HEADER;
-    if (opts.supportIE && MSIE_REGEXP.test(ctx.get('user-agent'))) {
-      finalHeader = headers[0];
-    } else {
-      finalHeader = headers[1];
-    }
-    for (const key in matchedOption) {
-      const value = matchedOption[key];
-      // Other arrays are splitted into strings EXCEPT `sandbox`
-      // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
-      if (key === 'sandbox' && value === true) {
-        bufArray.push(key);
-      } else {
-        let values = (Array.isArray(value) ? value : [ value ]) as string[];
-        if (key === 'script-src') {
-          const hasNonce = values.some(function(val) {
-            return val.indexOf('nonce-') !== -1;
-          });
-          if (!hasNonce) {
-            values.push('\'nonce-' + ctx.nonce + '\'');
-          }
-        }
-        values = values.map(function(d) {
-          if (d.startsWith('.')) {
-            d = '*' + d;
-          }
-          return d;
-        });
-        bufArray.push(key + ' ' + values.join(' '));
-      }
-    }
-    const headerString = bufArray.join(';');
-    ctx.set(finalHeader, headerString);
-    ctx.set('x-csp-nonce', ctx.nonce);
-  };
-};

package/src/lib/middlewares/csrf.ts DELETED Viewed

@@ -1,44 +0,0 @@
-import { debuglog } from 'node:util';
-import type { Context, Next } from '@eggjs/core';
-import typeis from 'type-is';
-import { checkIfIgnore } from '../utils.js';
-import type { SecurityConfig } from '../../types.js';
-const debug = debuglog('@eggjs/security/lib/middlewares/csrf');
-export default (options: SecurityConfig['csrf']) => {
-  return function csrf(ctx: Context, next: Next) {
-    if (checkIfIgnore(options, ctx)) {
-      return next();
-    }
-    // ensure csrf token exists
-    if ([ 'any', 'all', 'ctoken' ].includes(options.type)) {
-      ctx.ensureCsrfSecret();
-    }
-    // supported requests
-    const method = ctx.method;
-    let isSupported = false;
-    for (const eachRule of options.supportedRequests) {
-      if (eachRule.path.test(ctx.path)) {
-        if (eachRule.methods.includes(method)) {
-          isSupported = true;
-          break;
-        }
-      }
-    }
-    if (!isSupported) {
-      return next();
-    }
-    if (options.ignoreJSON && typeis.is(ctx.get('content-type'), 'json')) {
-      return next();
-    }
-    const body = ctx.request.body;
-    debug('%s %s, got %j', ctx.method, ctx.url, body);
-    ctx.assertCsrf();
-    return next();
-  };
-};

package/src/lib/middlewares/dta.ts DELETED Viewed

@@ -1,13 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import { isSafePath } from '../utils.js';
-// https://en.wikipedia.org/wiki/Directory_traversal_attack
-export default () => {
-  return function dta(ctx: Context, next: Next) {
-    const path = ctx.path;
-    if (!isSafePath(path, ctx)) {
-      ctx.throw(400);
-    }
-    return next();
-  };
-};

package/src/lib/middlewares/hsts.ts DELETED Viewed

@@ -1,24 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import { checkIfIgnore } from '../utils.js';
-import type { SecurityConfig } from '../../types.js';
-// Set Strict-Transport-Security header
-export default (options: SecurityConfig['hsts']) => {
-  return async function hsts(ctx: Context, next: Next) {
-    await next();
-    const opts = {
-      ...options,
-      ...ctx.securityOptions.hsts,
-    };
-    if (checkIfIgnore(opts, ctx)) return;
-    let val = 'max-age=' + opts.maxAge;
-    // If opts.includeSubdomains is defined,
-    // the rule is also valid for all the sub domains of the website
-    if (opts.includeSubdomains) {
-      val += '; includeSubdomains';
-    }
-    ctx.set('strict-transport-security', val);
-  };
-};

package/src/lib/middlewares/index.ts DELETED Viewed

@@ -1,23 +0,0 @@
-import csp from './csp.js';
-import csrf from './csrf.js';
-import dta from './dta.js';
-import hsts from './hsts.js';
-import methodnoallow from './methodnoallow.js';
-import noopen from './noopen.js';
-import nosniff from './nosniff.js';
-import referrerPolicy from './referrerPolicy.js';
-import xframe from './xframe.js';
-import xssProtection from './xssProtection.js';
-export default {
-  csp,
-  csrf,
-  dta,
-  hsts,
-  methodnoallow,
-  noopen,
-  nosniff,
-  referrerPolicy,
-  xframe,
-  xssProtection,
-};

package/src/lib/middlewares/methodnoallow.ts DELETED Viewed

@@ -1,23 +0,0 @@
-import { METHODS } from 'node:http';
-import type { Context, Next } from '@eggjs/core';
-const METHODS_NOT_ALLOWED = [ 'TRACE', 'TRACK' ];
-const safeHttpMethodsMap: Record<string, boolean> = {};
-for (const method of METHODS) {
-  if (!METHODS_NOT_ALLOWED.includes(method)) {
-    safeHttpMethodsMap[method.toUpperCase()] = true;
-  }
-}
-// https://www.owasp.org/index.php/Cross_Site_Tracing
-// http://jsperf.com/find-by-map-with-find-by-array
-export default () => {
-  return function notAllow(ctx: Context, next: Next) {
-    // ctx.method is upper case
-    if (!safeHttpMethodsMap[ctx.method]) {
-      ctx.throw(405);
-    }
-    return next();
-  };
-};

package/src/lib/middlewares/noopen.ts DELETED Viewed

@@ -1,18 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import { checkIfIgnore } from '../utils.js';
-import type { SecurityConfig } from '../../types.js';
-// @see http://blogs.msdn.com/b/ieinternals/archive/2009/06/30/internet-explorer-custom-http-headers.aspx
-export default (options: SecurityConfig['noopen']) => {
-  return async function noopen(ctx: Context, next: Next) {
-    await next();
-    const opts = {
-      ...options,
-      ...ctx.securityOptions.noopen,
-    };
-    if (checkIfIgnore(opts, ctx)) return;
-    ctx.set('x-download-options', 'noopen');
-  };
-};

package/src/lib/middlewares/nosniff.ts DELETED Viewed

@@ -1,32 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import { checkIfIgnore } from '../utils.js';
-import type { SecurityConfig } from '../../types.js';
-// status codes for redirects
-// @see https://github.com/jshttp/statuses/blob/master/index.js#L33
-const RedirectStatus: Record<number, boolean> = {
-  300: true,
-  301: true,
-  302: true,
-  303: true,
-  305: true,
-  307: true,
-  308: true,
-};
-export default (options: SecurityConfig['nosniff']) => {
-  return async function nosniff(ctx: Context, next: Next) {
-    await next();
-    // ignore redirect response
-    if (RedirectStatus[ctx.status]) return;
-    const opts = {
-      ...options,
-      ...ctx.securityOptions.nosniff,
-    };
-    if (checkIfIgnore(opts, ctx)) return;
-    ctx.set('x-content-type-options', 'nosniff');
-  };
-};

package/src/lib/middlewares/referrerPolicy.ts DELETED Viewed

@@ -1,39 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import { checkIfIgnore } from '../utils.js';
-import type { SecurityConfig } from '../../types.js';
-// https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Referrer-Policy
-const ALLOWED_POLICIES_ENUM = [
-  'no-referrer',
-  'no-referrer-when-downgrade',
-  'origin',
-  'origin-when-cross-origin',
-  'same-origin',
-  'strict-origin',
-  'strict-origin-when-cross-origin',
-  'unsafe-url',
-  '',
-];
-export default (options: SecurityConfig['referrerPolicy']) => {
-  return async function referrerPolicy(ctx: Context, next: Next) {
-    await next();
-    const opts = {
-      ...options,
-      // check refererPolicy for backward compatibility
-      // typo on the old version
-      // @see https://github.com/eggjs/security/blob/e3408408adec5f8d009d37f75126ed082481d0ac/lib/middlewares/referrerPolicy.js#L21C59-L21C72
-      ...(ctx.securityOptions as any).refererPolicy,
-      ...ctx.securityOptions.referrerPolicy,
-    };
-    if (checkIfIgnore(opts, ctx)) return;
-    const policy = opts.value;
-    if (!ALLOWED_POLICIES_ENUM.includes(policy)) {
-      throw new Error('"' + policy + '" is not available.');
-    }
-    ctx.set('referrer-policy', policy);
-  };
-};

package/src/lib/middlewares/xframe.ts DELETED Viewed

@@ -1,20 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import { checkIfIgnore } from '../utils.js';
-import type { SecurityConfig } from '../../types.js';
-export default (options: SecurityConfig['xframe']) => {
-  return async function xframe(ctx: Context, next: Next) {
-    await next();
-    const opts = {
-      ...options,
-      ...ctx.securityOptions.xframe,
-    };
-    if (checkIfIgnore(opts, ctx)) return;
-    // DENY, SAMEORIGIN, ALLOW-FROM
-    // https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options?redirectlocale=en-US&redirectslug=The_X-FRAME-OPTIONS_response_header
-    const value = opts.value || 'SAMEORIGIN';
-    ctx.set('x-frame-options', value);
-  };
-};

package/src/lib/middlewares/xssProtection.ts DELETED Viewed

@@ -1,17 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import { checkIfIgnore } from '../utils.js';
-import type { SecurityConfig } from '../../types.js';
-export default (options: SecurityConfig['xssProtection']) => {
-  return async function xssProtection(ctx: Context, next: Next) {
-    await next();
-    const opts = {
-      ...options,
-      ...ctx.securityOptions.xssProtection,
-    };
-    if (checkIfIgnore(opts, ctx)) return;
-    ctx.set('x-xss-protection', opts.value);
-  };
-};