@eggjs/security 4.0.1 → 5.0.0-beta.17

package/README.md

@@ -1,8 +1,6 @@
 # @eggjs/security
 
 [![NPM version][npm-image]][npm-url]
-[![Node.js CI](https://github.com/eggjs/security/actions/workflows/nodejs.yml/badge.svg)](https://github.com/eggjs/security/actions/workflows/nodejs.yml)
-[![Test coverage][codecov-image]][codecov-url]
 [![Known Vulnerabilities][snyk-image]][snyk-url]
 [![npm download][download-image]][download-url]
 [![Node.js Version](https://img.shields.io/node/v/@eggjs/security.svg?style=flat)](https://nodejs.org/en/download/)
@@ -11,8 +9,6 @@
 
 [npm-image]: https://img.shields.io/npm/v/@eggjs/security.svg?style=flat-square
 [npm-url]: https://npmjs.org/package/@eggjs/security
-[codecov-image]: https://codecov.io/gh/eggjs/security/branch/master/graph/badge.svg
-[codecov-url]: https://codecov.io/gh/eggjs/security
 [snyk-image]: https://snyk.io/test/npm/@eggjs/security/badge.svg?style=flat-square
 [snyk-url]: https://snyk.io/test/npm/@eggjs/security
 [download-image]: https://img.shields.io/npm/dm/@eggjs/security.svg?style=flat-square
@@ -88,7 +84,7 @@ exports.security = {
 };
 ```
 
-__mention：`match` has higher priority than `ignore`__
+**mention：`match` has higher priority than `ignore`**
 
 ### Dynamic configuration for security plugins depend on context
 
@@ -109,8 +105,8 @@ async ctx => {
   // disable configuration
   ctx.securityOptions.xssProtection = {
     enable: false,
-  }
-}
+  };
+};
 ```
 
 Not all security plugins support dynamic configuration, only the following plugins list support
@@ -122,7 +118,7 @@ Not all security plugins support dynamic configuration, only the following plugi
 - xframe
 - xssProtection
 
-And in ` helper `：
+And in `helper`：
 
 - shtml
 
@@ -130,8 +126,7 @@ helper is the same way to configure.
 
 ```js
 ctx.securityOptions.shtml = {
-  whiteList: {
-  },
+  whiteList: {},
 };
 ```
 
@@ -151,7 +146,7 @@ Note: [egg-cors](https://github.com/eggjs/egg-cors) module uses this function in
 
 ```js
 exports.security = {
-  domainWhiteList: ['http://localhost:4200']
+  domainWhiteList: ['http://localhost:4200'],
 };
 ```
 
@@ -159,7 +154,7 @@ exports.security = {
 
 ### CSRF
 
-__usage__
+**usage**
 
 - `ctx.csrf` getter for CSRF token
 
@@ -172,8 +167,7 @@ browser:
 
 ```html
 <form method="POST" action="/upload?_csrf={{ ctx.csrf | safe }}" enctype="multipart/form-data">
-  title: <input name="title" />
-  file: <input name="file" type="file" />
+  title: <input name="title" /> file: <input name="file" type="file" />
   <button type="submit">上传</button>
 </form>
 ```
@@ -189,10 +183,10 @@ var csrftoken = Cookies.get('csrftoken');
 
 function csrfSafeMethod(method) {
   // these HTTP methods do not require CSRF protection
-  return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
+  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(method);
 }
 $.ajaxSetup({
-  beforeSend: function(xhr, settings) {
+  beforeSend: function (xhr, settings) {
     if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
       xhr.setRequestHeader('x-csrf-token', csrftoken);
     }
@@ -207,22 +201,23 @@ there are some options that you can customize:
 ```js
 exports.security = {
   csrf: {
-    type: 'ctoken',             // can be ctoken, referer, all or any, default to ctoken
-    useSession: false,          // if useSession set to true, the secret will keep in session instead of cookie
-    ignoreJSON: false,          // skip check JSON requests if ignoreJSON set to true
-    cookieName: 'csrfToken',    // csrf token's cookie name
-    sessionName: 'csrfToken',   // csrf token's session name
+    type: 'ctoken', // can be ctoken, referer, all or any, default to ctoken
+    useSession: false, // if useSession set to true, the secret will keep in session instead of cookie
+    ignoreJSON: false, // skip check JSON requests if ignoreJSON set to true
+    cookieName: 'csrfToken', // csrf token's cookie name
+    sessionName: 'csrfToken', // csrf token's session name
     headerName: 'x-csrf-token', // request csrf token's name in header
-    bodyName: '_csrf',          // request csrf token's name in body
-    queryName: '_csrf',         // request csrf token's name in query
-    rotateWhenInvalid: false,   // rotate csrf secret when csrf token invalid. For multi applications which be deployed on the same domain, as tokens from one application may impact others.
-    refererWhiteList: [],       // referer white list
-    supportedRequests: [        // supported URL path and method, the package will match URL path regex patterns one by one until path matched. We recommend you set {path: /^\//, methods:['POST','PATCH','DELETE','PUT','CONNECT']} as the last rule in the list, which is also the default config.
-      {path: /^\//, methods:['POST','PATCH','DELETE','PUT','CONNECT']}
+    bodyName: '_csrf', // request csrf token's name in body
+    queryName: '_csrf', // request csrf token's name in query
+    rotateWhenInvalid: false, // rotate csrf secret when csrf token invalid. For multi applications which be deployed on the same domain, as tokens from one application may impact others.
+    refererWhiteList: [], // referer white list
+    supportedRequests: [
+      // supported URL path and method, the package will match URL path regex patterns one by one until path matched. We recommend you set {path: /^\//, methods:['POST','PATCH','DELETE','PUT','CONNECT']} as the last rule in the list, which is also the default config.
+      { path: /^\//, methods: ['POST', 'PATCH', 'DELETE', 'PUT', 'CONNECT'] },
     ],
-    cookieOptions: {},          // csrf token's cookie options
+    cookieOptions: {}, // csrf token's cookie options
   },
-}
+};
 ```
 
 `methods` in `supportedRequests` can be empty, which means if you set `supportedRequests: [{path: /.*/, methods:[]}]`, the whole csrf protection will be disabled.
@@ -243,7 +238,7 @@ If you need to use `ctx.redirect`, you need to do the following configuration in
 
 ```js
 exports.security = {
-  domainWhiteList:['.domain.com'],  // security whitelist, starts with '.'
+  domainWhiteList: ['.domain.com'], // security whitelist, starts with '.'
 };
 ```
 
@@ -256,7 +251,7 @@ Based on [jsonp-body](https://github.com/node-modules/jsonp-body).
 Defense:
 
 - The longest callback function name limit of 50 characters.
-- Callback function only allows "[","]","a-zA-Z0123456789_", "$" "." to prevent `xss` or `utf-7` attack.
+- Callback function only allows "[","]","a-zA-Z0123456789\_", "$" "." to prevent `xss` or `utf-7` attack.
 
 Config：
 
@@ -283,7 +278,7 @@ url filter.
 
 Used for url in html tags (like `<a href=""/><img src=""/>`),please do not call under other places.
 
-  `helper.surl($value)`。
+`helper.surl($value)`。
 
 **Mention: Particular attention, if you need to resolve URL use `surl`，`surl` need warpped in quotes, Otherwise will lead to XSS vulnerability.**
 
@@ -321,7 +316,7 @@ So if you want `surl` support custom protocol, please extend the security `proto
 
 ```js
 exports.security = {
-  protocolWhitelist: ['test']
+  protocolWhitelist: ['test'],
 };
 ```
 
@@ -356,10 +351,8 @@ const value = `<a href="http://www.domain.com">google</a><script>evilcode…</sc
 
 // in your view
 <html>
-<body>
-  ${helper.shtml($value)}
-</body>
-</html>
+  <body>${helper.shtml($value)}</body>
+</html>;
 // => <a href="http://www.domain.com">google</a>&lt;script&gt;evilcode…&lt;/script&gt;
 ```
 
@@ -371,7 +364,9 @@ shtml based on [xss](https://github.com/leizongmin/js-xss/), and add filter by d
 For example, only support `a` tag, and filter all attributes except for `title`:
 
 ```javascript
-whiteList: {a: ['title']}
+whiteList: {
+  a: ['title'];
+}
 ```
 
 options:
@@ -423,14 +418,12 @@ If you want to output json in javascript without encoding, it will be a risk for
 sjson supports json encode，it will iterate all keys in json, then escape all characters in the value to `\x` to avoid XSS attack, and keep the json structure unchanged.
 If you want to output json string in your views, please use `${ctx.helper.sjson(var)}`to escape.
 
-__it has a very complex process and will lost performance, so avoid the use as far as possible__
+**it has a very complex process and will lost performance, so avoid the use as far as possible**
 
 example:
 
 ```js
-  <script>
-    window.locals = ${ctx.helper.sjson(locals)};
-  </script>
+<script>window.locals = ${ctx.helper.sjson(locals)};</script>
 ```
 
 ### .cliFilter()
@@ -442,17 +435,13 @@ If you want to get user submit for command's parameter, please use `cliFilter`
 before fix:
 
 ```js
-
-  cp.exec("bash /home/admin/ali-knowledge-graph-backend/initrun.sh " + port);
-
+cp.exec('bash /home/admin/ali-knowledge-graph-backend/initrun.sh ' + port);
 ```
 
 after fix:
 
 ```js
-
-  cp.exec("bash /home/admin/ali-knowledge-graph-backend/initrun.sh " + ctx.helper.cliFilter(port));
-
+cp.exec('bash /home/admin/ali-knowledge-graph-backend/initrun.sh ' + ctx.helper.cliFilter(port));
 ```
 
 ### .escapeShellArg()
@@ -460,7 +449,7 @@ after fix:
 Escape command line arguments. Add single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument.
 
 ```js
-const ip = '127.0.0.1 && cat /etc/passwd'
+const ip = '127.0.0.1 && cat /etc/passwd';
 const cmd = 'ping -c 1 ' + this.helper.escapeShellArg(ip);
 
 console.log(cmd);
@@ -469,10 +458,10 @@ console.log(cmd);
 
 ### .escapeShellCmd()
 
-Command line escape to remove the following characters from the entered command line: ```#&;`|*?~<>^()[]{}$;'", 0x0A and 0xFF```
+Command line escape to remove the following characters from the entered command line: ``#&;`|*?~<>^()[]{}$;'", 0x0A and 0xFF``
 
 ```js
-const ip = '127.0.0.1 && cat /etc/passwd'
+const ip = '127.0.0.1 && cat /etc/passwd';
 const cmd = 'ping -c 1 ' + this.helper.escapeShellCmd(ip);
 
 console.log(cmd);
@@ -524,7 +513,7 @@ In a [Server-Side Request Forgery (SSRF)](https://www.owasp.org/index.php/Server
 
 - ipBlackList(Array) - specific which IP addresses are illegal when requested with `safeCurl`.
 - ipExceptionList(Array) - specific which IP addresses are legal within ipBlackList.
-hostnameExceptionList(Array) - specifies which hostnames are legal within ipBlackList.
+  hostnameExceptionList(Array) - specifies which hostnames are legal within ipBlackList.
 - checkAddress(Function) - determine the ip by the function's return value, `false` means illegal ip.
 
 ```js
@@ -532,24 +521,15 @@ hostnameExceptionList(Array) - specifies which hostnames are legal within ipBlac
 exports.security = {
   ssrf: {
     // support both cidr subnet or specific IP
-    ipBlackList: [
-      '10.0.0.0/8',
-      '127.0.0.1',
-      '0.0.0.0/32',
-    ],
+    ipBlackList: ['10.0.0.0/8', '127.0.0.1', '0.0.0.0/32'],
     // support both cidr subnet or specific IP
-    ipExceptionList: [
-      '10.1.1.1',
-      '10.10.0.1/24',
-    ],
+    ipExceptionList: ['10.1.1.1', '10.10.0.1/24'],
     // legal hostname
-    hostnameExceptionList: [
-      'example.com',
-    ],
+    hostnameExceptionList: ['example.com'],
     // checkAddress has higher priority than ipBlackList
     checkAddress(ip) {
       return ip !== '127.0.0.1';
-    }
+    },
   },
 };
 ```
@@ -564,6 +544,6 @@ exports.security = {
 
 ## Contributors
 
-[![Contributors](https://contrib.rocks/image?repo=eggjs/security)](https://github.com/eggjs/security/graphs/contributors)
+[![Contributors](https://contrib.rocks/image?repo=eggjs/egg)](https://github.com/eggjs/egg/graphs/contributors)
 
 Made with [contributors-img](https://contrib.rocks).

package/README.zh-CN.md

@@ -1,8 +1,6 @@
 # @eggjs/security
 
 [![NPM version][npm-image]][npm-url]
-[![Node.js CI](https://github.com/eggjs/security/actions/workflows/nodejs.yml/badge.svg)](https://github.com/eggjs/security/actions/workflows/nodejs.yml)
-[![Test coverage][codecov-image]][codecov-url]
 [![Known Vulnerabilities][snyk-image]][snyk-url]
 [![npm download][download-image]][download-url]
 [![Node.js Version](https://img.shields.io/node/v/eggjs/security.svg?style=flat)](https://nodejs.org/en/download/)
@@ -11,8 +9,6 @@
 
 [npm-image]: https://img.shields.io/npm/v/@eggjs/security.svg?style=flat-square
 [npm-url]: https://npmjs.org/package/@eggjs/security
-[codecov-image]: https://codecov.io/gh/eggjs/security/branch/master/graph/badge.svg
-[codecov-url]: https://codecov.io/gh/eggjs/security
 [snyk-image]: https://snyk.io/test/npm/@eggjs/security/badge.svg?style=flat-square
 [snyk-url]: https://snyk.io/test/npm/@eggjs/security
 [download-image]: https://img.shields.io/npm/dm/@eggjs/security.svg?style=flat-square
@@ -62,7 +58,6 @@ exports.security = {
     },
   },
 };
-
 ```
 
 如果需要针对某一路径忽略某安全选项，则配置 ignore 选项，例如针对 `/example` 关闭 xframe，以便合作商户能够嵌入我们的页面：
@@ -77,10 +72,9 @@ exports.security = {
     // ...
   },
 };
-
 ```
 
-__注意：如果存在 match 则忽略 ignore。__
+**注意：如果存在 match 则忽略 ignore。**
 
 ## API
 
@@ -92,9 +86,9 @@ __注意：如果存在 match 则忽略 ignore。__
 
 ### csrf
 
-__使用__
+**使用**
 
-* `ctx.csrf` 获取 csrf token
+- `ctx.csrf` 获取 csrf token
 
 一般在 POST 表单时使用。
 
@@ -108,8 +102,7 @@ __使用__
 
 ```html
 <form method="POST" action="/upload?_csrf={{ ctx.csrf | safe }}" enctype="multipart/form-data">
-  title: <input name="title" />
-  file: <input name="file" type="file" />
+  title: <input name="title" /> file: <input name="file" type="file" />
   <button type="submit">上传</button>
 </form>
 ```
@@ -118,18 +111,18 @@ __使用__
 
 ajax 防跨站攻击。
 
-__使用__
+**使用**
 
 在 ajax 请求时，以 `ctoken` 为 name 带上 ctoken 即可。
 
 ctoken 从 cookie 中获取
 
-__安全开发者约定__
+**安全开发者约定**
 
-* `ctx.ctoken` 获取 ctoken 的逻辑。使用者不要调用，安全插件内部使用。
-* `ctx.setCTOKEN()` 设置 ctoken 的逻辑。使用者不要调用，安全插件内部使用。
-* `ctx.assertCTOKEN()` ctoken 校验逻辑。使用者不要调用，安全插件内部使用。
-* `ctx.setCTOKEN()`会将cookie设置到主域名下，主要考虑主域名下其他子域名对应的应用之间的互相调用。例如 A.xx.com 域种了 ctoken,会设置cookie到xx.com域上，在 B.xx.com 域的时候可以利用 ctoken 去请求，在 A 域 jsonp 请求 B 域的时候，B 域也可以验证 ctoken。
+- `ctx.ctoken` 获取 ctoken 的逻辑。使用者不要调用，安全插件内部使用。
+- `ctx.setCTOKEN()` 设置 ctoken 的逻辑。使用者不要调用，安全插件内部使用。
+- `ctx.assertCTOKEN()` ctoken 校验逻辑。使用者不要调用，安全插件内部使用。
+- `ctx.setCTOKEN()`会将cookie设置到主域名下，主要考虑主域名下其他子域名对应的应用之间的互相调用。例如 A.xx.com 域种了 ctoken,会设置cookie到xx.com域上，在 B.xx.com 域的时候可以利用 ctoken 去请求，在 A 域 jsonp 请求 B 域的时候，B 域也可以验证 ctoken。
 
 可拓展实现。例如 ctoken token 存在什么 cookie，存什么字段等，都可以通过以上两个接口拓展。
 
@@ -138,29 +131,30 @@ __安全开发者约定__
 ```js
 exports.security = {
   csrf: {
-    type: 'ctoken',             // 可以是 ctoken / referer / all, 默认为 ctoken
-    useSession: false,          // 如果设为 true，secret 将存储在 session 中
-    ignoreJSON: false,          // 如果设为 true ，将忽略 json 请求
-    cookieName: 'csrfToken',    // csrf 的 token 在 cookie 中存储的 key 名称
-    sessionName: 'csrfToken',   // csrf 的 token 在 session 中存储的 key 名称
+    type: 'ctoken', // 可以是 ctoken / referer / all, 默认为 ctoken
+    useSession: false, // 如果设为 true，secret 将存储在 session 中
+    ignoreJSON: false, // 如果设为 true ，将忽略 json 请求
+    cookieName: 'csrfToken', // csrf 的 token 在 cookie 中存储的 key 名称
+    sessionName: 'csrfToken', // csrf 的 token 在 session 中存储的 key 名称
     headerName: 'x-csrf-token', // csrf token 在 header 中的名称
-    bodyName: '_csrf',          // csrf token 在 body 中的名称
-    queryName: '_csrf',         // csrf token 在 query 中的名称
-    rotateWhenInvalid: false,   // csrf invalid 时刷新 token，用于同域名下多个业务 token 可能互相影响的情况
-    refererWhiteList: [],       // referer 白名单
-    supportedRequests: [        // 支持的 url path pattern 和方法，根据配置名单由上至下匹配 url path 正则，建议在自定义时配置 {path: /^\//, methods:['POST','PATCH','DELETE','PUT','CONNECT']} 为兜底规则
-      {path: /^\//, methods:['POST','PATCH','DELETE','PUT','CONNECT']},
+    bodyName: '_csrf', // csrf token 在 body 中的名称
+    queryName: '_csrf', // csrf token 在 query 中的名称
+    rotateWhenInvalid: false, // csrf invalid 时刷新 token，用于同域名下多个业务 token 可能互相影响的情况
+    refererWhiteList: [], // referer 白名单
+    supportedRequests: [
+      // 支持的 url path pattern 和方法，根据配置名单由上至下匹配 url path 正则，建议在自定义时配置 {path: /^\//, methods:['POST','PATCH','DELETE','PUT','CONNECT']} 为兜底规则
+      { path: /^\//, methods: ['POST', 'PATCH', 'DELETE', 'PUT', 'CONNECT'] },
     ],
   },
-}
+};
 ```
 
 注意，methods 可以为空， 如果将 supportedRequests 设置为`supportedRequests: [{path: /^\//, methods:[]}]`, 那么等效于关闭 csrf 防御。
 
 ### safe redirect
 
-* `ctx.redirect(url)` 如果不在配置的白名单内，则禁止
-* `ctx.unsafeRedirect(url)` 不建议使用
+- `ctx.redirect(url)` 如果不在配置的白名单内，则禁止
+- `ctx.unsafeRedirect(url)` 不建议使用
 
 安全方案覆盖了默认的`ctx.redirect`方法，所有的跳转均会经过安全域名的判断。
 
@@ -168,7 +162,7 @@ exports.security = {
 
 ```js
 exports.security = {
-  domainWhiteList:['.domain.com'],  // 安全白名单，以.开头
+  domainWhiteList: ['.domain.com'], // 安全白名单，以.开头
 };
 ```
 
@@ -180,13 +174,13 @@ exports.security = {
 
 防御内容：
 
-* callback函数名词最长50个字符限制
-* callback函数名只允许"[","]","a-zA-Z0123456789_", "$" "."，防止一般的 xss，utf-7 xss等攻击
+- callback函数名词最长50个字符限制
+- callback函数名只允许"[","]","a-zA-Z0123456789\_", "$" "."，防止一般的 xss，utf-7 xss等攻击
 
 可定义配置：
 
-* callback 默认 `_callback`，可以改名
-* limit - 函数名 length 限制，默认 50
+- callback 默认 `_callback`，可以改名
+- limit - 函数名 length 限制，默认 50
 
 ## helper
 
@@ -210,7 +204,7 @@ url 过滤。
 
 对模板中要输出的变量，加 `helper.surl($value)`。
 
-__特别需要注意的是在需要解析url的地方，surl 外面一定要加上双引号，否则就会导致XSS漏洞。__
+**特别需要注意的是在需要解析url的地方，surl 外面一定要加上双引号，否则就会导致XSS漏洞。**
 
 不使用 surl
 
@@ -268,22 +262,22 @@ const value = `<a href="http://www.domain.com">google</a><script>evilcode…</sc
 
 // 模板
 <html>
-<body>
-  ${helper.shtml($value)}
-</body>
-</html>
+  <body>${helper.shtml($value)}</body>
+</html>;
 // => <a href="http://www.domain.com">google</a>&lt;script&gt;evilcode…&lt;/script&gt;
 ```
 
 shtml 在 [xss](https://github.com/leizongmin/js-xss/) 模块基础上增加了针对域名的过滤。
 
-* [默认规则](https://github.com/leizongmin/js-xss/blob/master/lib/default.js)
-* 自定义过滤项 <http://jsxss.com/zh/options.html>
+- [默认规则](https://github.com/leizongmin/js-xss/blob/master/lib/default.js)
+- 自定义过滤项 <http://jsxss.com/zh/options.html>
 
 例如只支持 a 标签，且除了 title 其他属性都过滤掉：
 
 ```javascript
-whiteList: {a: ['title']}
+whiteList: {
+  a: ['title'];
+}
 ```
 
 options:
@@ -315,9 +309,9 @@ ${helper.shtml($html)}
 
 不合法的路径包括：
 
-* 使用 `..` 的相对路径
-* 使用 `/` 开头的绝对路径
-* 以及以上试图通过 url encode 试图绕过校验的结果字符串
+- 使用 `..` 的相对路径
+- 使用 `/` 开头的绝对路径
+- 以及以上试图通过 url encode 试图绕过校验的结果字符串
 
 ```js
 const foo = '/usr/local/bin';
@@ -332,14 +326,12 @@ json转义
 在js中输出json，若未做转义，易被利用为xss漏洞。提供此宏做json encode，会遍历json中的key，将value的值中，所有非白名单字符转义为\x形式，防止xss攻击。同时保持json结构不变。
 若你有模板中输出一个json字符串给js应用的场景，请使用 `${this.helper.sjson(变量名)}`进行转义。
 
-__处理过程较复杂，性能损耗较大，尽量避免使用__
+**处理过程较复杂，性能损耗较大，尽量避免使用**
 
 实例:
 
 ```js
-  <script>
-    window.locals = ${this.helper.sjson(locals)};
-  </script>
+<script>window.locals = ${this.helper.sjson(locals)};</script>
 ```
 
 ### .cliFilter()
@@ -351,17 +343,13 @@ __处理过程较复杂，性能损耗较大，尽量避免使用__
 修复前：
 
 ```js
-
-  cp.exec("bash /home/admin/ali-knowledge-graph-backend/initrun.sh " + port);
-
+cp.exec('bash /home/admin/ali-knowledge-graph-backend/initrun.sh ' + port);
 ```
 
 修复后：
 
 ```js
-
-  cp.exec("bash /home/admin/ali-knowledge-graph-backend/initrun.sh " + this.helper.cliFilter(port));
-
+cp.exec('bash /home/admin/ali-knowledge-graph-backend/initrun.sh ' + this.helper.cliFilter(port));
 ```
 
 如果因为业务需要，需要在参数中添加白名单之外的字符。可以将用户输入按照该字符分割，并使用过滤函数过滤每一段数据。
@@ -373,7 +361,7 @@ __处理过程较复杂，性能损耗较大，尽量避免使用__
 命令行参数转义。给字符串增加一对单引号并且能引用或者转码任何已经存在的单引号， 这样以确保能够直接将一个字符串传入 shell 函数，并且还是确保安全的。
 
 ```js
-const ip = '127.0.0.1 && cat /etc/passwd'
+const ip = '127.0.0.1 && cat /etc/passwd';
 const cmd = 'ping -c 1 ' + this.helper.escapeShellArg(ip);
 
 console.log(cmd);
@@ -382,10 +370,10 @@ console.log(cmd);
 
 ### .escapeShellCmd()
 
-命令行转义，从输入的命令行中删除下列字符: ```#&;`|*?~<>^()[]{}$;'", 0x0A 和 0xFF```
+命令行转义，从输入的命令行中删除下列字符: ``#&;`|*?~<>^()[]{}$;'", 0x0A 和 0xFF``
 
 ```js
-const ip = '127.0.0.1 && cat /etc/passwd'
+const ip = '127.0.0.1 && cat /etc/passwd';
 const cmd = 'ping -c 1 ' + this.helper.escapeShellCmd(ip);
 
 console.log(cmd);
@@ -398,14 +386,14 @@ console.log(cmd);
 
 默认开启，如果是 http 站点，需要关闭
 
-* maxAge 默认一年 `365 * 24 * 3600`
-* includeSubdomains 默认 false
+- maxAge 默认一年 `365 * 24 * 3600`
+- includeSubdomains 默认 false
 
 ### csp
 
 默认关闭。需要开启的话，需要和安全工程师确定开启策略。
 
-* policy 策略
+- policy 策略
 
 ### X-Download-Options:noopen
 
@@ -419,16 +407,16 @@ console.log(cmd);
 
 默认 SAMEORIGIN，只允许同域把本页面当作 iframe 嵌入。
 
-* value 默认值 `SAMEORIGIN`
+- value 默认值 `SAMEORIGIN`
 
 ### X-XSS-Protection
 
-* close 默认值false，即设置为 `1; mode=block`
+- close 默认值false，即设置为 `1; mode=block`
 
 ## 其他
 
-* crossdomain.xml robots.txt 支持，默认都不加，系统可自行加，需要咨询项目安全工程师
-* 禁止 trace track 两种类型请求
+- crossdomain.xml robots.txt 支持，默认都不加，系统可自行加，需要咨询项目安全工程师
+- 禁止 trace track 两种类型请求
 
 ## License
 
@@ -436,6 +424,6 @@ console.log(cmd);
 
 ## Contributors
 
-[![Contributors](https://contrib.rocks/image?repo=eggjs/security)](https://github.com/eggjs/security/graphs/contributors)
+[![Contributors](https://contrib.rocks/image?repo=eggjs/egg)](https://github.com/eggjs/egg/graphs/contributors)
 
 Made with [contributors-img](https://contrib.rocks).

package/dist/agent.d.ts

@@ -0,0 +1,10 @@
+import { Agent, ILifecycleBoot } from "egg";
+
+//#region src/agent.d.ts
+declare class AgentBoot implements ILifecycleBoot {
+  private readonly agent;
+  constructor(agent: Agent);
+  configWillLoad(): Promise<void>;
+}
+//#endregion
+export { AgentBoot as default };

package/dist/agent.js

@@ -0,0 +1,15 @@
+import { preprocessConfig } from "./lib/utils.js";
+
+//#region src/agent.ts
+var AgentBoot = class {
+	agent;
+	constructor(agent) {
+		this.agent = agent;
+	}
+	async configWillLoad() {
+		preprocessConfig(this.agent.config.security);
+	}
+};
+
+//#endregion
+export { AgentBoot as default };

package/dist/app/extend/agent.d.ts

@@ -0,0 +1,9 @@
+import { HttpClientOptions, HttpClientRequestURL, HttpClientResponse } from "../../lib/extend/safe_curl.js";
+import { Agent } from "egg";
+
+//#region src/app/extend/agent.d.ts
+declare class SecurityAgent extends Agent {
+  safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+}
+//#endregion
+export { SecurityAgent as default };

package/dist/app/extend/agent.js

@@ -0,0 +1,12 @@
+import { safeCurlForApplication } from "../../lib/extend/safe_curl.js";
+import { Agent } from "egg";
+
+//#region src/app/extend/agent.ts
+var SecurityAgent = class extends Agent {
+	async safeCurl(url, options) {
+		return await safeCurlForApplication(this, url, options);
+	}
+};
+
+//#endregion
+export { SecurityAgent as default };

package/dist/app/extend/application.d.ts

@@ -0,0 +1,12 @@
+import { HttpClientOptions, HttpClientRequestURL, HttpClientResponse } from "../../lib/extend/safe_curl.js";
+import { Application } from "egg";
+
+//#region src/app/extend/application.d.ts
+declare class SecurityApplication extends Application {
+  injectCsrf(html: string): string;
+  injectNonce(html: string): string;
+  injectHijackingDefense(html: string): string;
+  safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+}
+//#endregion
+export { SecurityApplication as default };