@eggjs/security 4.0.1 → 5.0.0-beta.17

package/dist/commonjs/lib/helper/shtml.js

@@ -1,76 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.default = shtml;
-const xss_1 = __importDefault(require("xss"));
-const utils_js_1 = require("../utils.js");
-const BUILD_IN_ON_TAG_ATTR = Symbol('buildInOnTagAttr');
-// default rule: https://github.com/leizongmin/js-xss/blob/master/lib/default.js
-// add domain filter based on xss module
-// custom options http://jsxss.com/zh/options.html
-// eg: support a tag，filter attributes except for title : whiteList: {a: ['title']}
-function shtml(val) {
-    if (typeof val !== 'string') {
-        return val;
-    }
-    const securityOptions = this.ctx.securityOptions;
-    let buildInOnTagAttrHandler;
-    const shtmlConfig = {
-        ...this.app.config.helper.shtml,
-        ...securityOptions.shtml,
-        [BUILD_IN_ON_TAG_ATTR]: buildInOnTagAttrHandler,
-    };
-    const domainWhiteList = this.app.config.security.domainWhiteList;
-    const app = this.app;
-    // filter href and src attribute if not in domain white list
-    if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
-        shtmlConfig[BUILD_IN_ON_TAG_ATTR] = (_tag, name, value, isWhiteAttr) => {
-            if (isWhiteAttr && (name === 'href' || name === 'src')) {
-                if (!value) {
-                    return;
-                }
-                value = String(value);
-                if (value[0] === '/' || value[0] === '#') {
-                    return;
-                }
-                const hostname = (0, utils_js_1.getFromUrl)(value, 'hostname');
-                if (!hostname) {
-                    return;
-                }
-                // If we don't have our hostname in the app.security.domainWhiteList,
-                // Just check for `shtmlConfig.domainWhiteList` and `ctx.whiteList`.
-                if (!(0, utils_js_1.isSafeDomain)(hostname, domainWhiteList)) {
-                    // Check for `shtmlConfig.domainWhiteList` first (duplicated now)
-                    if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length > 0) {
-                        app.deprecate('[@eggjs/security/lib/helper/shtml] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.');
-                        if (!(0, utils_js_1.isSafeDomain)(hostname, shtmlConfig.domainWhiteList)) {
-                            return '';
-                        }
-                    }
-                    else {
-                        return '';
-                    }
-                }
-            }
-        };
-        // avoid overriding user configuration 'onTagAttr'
-        if (shtmlConfig.onTagAttr) {
-            const customOnTagAttrHandler = shtmlConfig.onTagAttr;
-            shtmlConfig.onTagAttr = function (tag, name, value, isWhiteAttr) {
-                const result = customOnTagAttrHandler.apply(this, [tag, name, value, isWhiteAttr]);
-                if (result !== undefined) {
-                    return result;
-                }
-                // fallback to build-in handler
-                return shtmlConfig[BUILD_IN_ON_TAG_ATTR].apply(this, [tag, name, value, isWhiteAttr]);
-            };
-        }
-        else {
-            shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
-        }
-    }
-    return (0, xss_1.default)(val, shtmlConfig);
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2h0bWwuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zaHRtbC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQVdBLHdCQWlFQztBQTNFRCw4Q0FBc0I7QUFDdEIsMENBQXVEO0FBR3ZELE1BQU0sb0JBQW9CLEdBQUcsTUFBTSxDQUFDLGtCQUFrQixDQUFDLENBQUM7QUFFeEQsZ0ZBQWdGO0FBQ2hGLHdDQUF3QztBQUN4QyxrREFBa0Q7QUFDbEQsbUZBQW1GO0FBQ25GLFNBQXdCLEtBQUssQ0FBeUIsR0FBVztJQUMvRCxJQUFJLE9BQU8sR0FBRyxLQUFLLFFBQVEsRUFBRSxDQUFDO1FBQzVCLE9BQU8sR0FBRyxDQUFDO0lBQ2IsQ0FBQztJQUVELE1BQU0sZUFBZSxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsZUFBZSxDQUFDO0lBQ2pELElBQUksdUJBQW1FLENBQUM7SUFDeEUsTUFBTSxXQUFXLEdBQUc7UUFDbEIsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsS0FBSztRQUMvQixHQUFHLGVBQWUsQ0FBQyxLQUFLO1FBQ3hCLENBQUMsb0JBQW9CLENBQUMsRUFBRSx1QkFBdUI7S0FDaEQsQ0FBQztJQUNGLE1BQU0sZUFBZSxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxlQUFlLENBQUM7SUFDakUsTUFBTSxHQUFHLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQztJQUNyQiw0REFBNEQ7SUFDNUQsSUFBSSxDQUFDLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBQyxFQUFFLENBQUM7UUFDdkMsV0FBVyxDQUFDLG9CQUFvQixDQUFDLEdBQUcsQ0FBQyxJQUFJLEVBQUUsSUFBSSxFQUFFLEtBQUssRUFBRSxXQUFXLEVBQUUsRUFBRTtZQUNyRSxJQUFJLFdBQVcsSUFBSSxDQUFDLElBQUksS0FBSyxNQUFNLElBQUksSUFBSSxLQUFLLEtBQUssQ0FBQyxFQUFFLENBQUM7Z0JBQ3ZELElBQUksQ0FBQyxLQUFLLEVBQUUsQ0FBQztvQkFDWCxPQUFPO2dCQUNULENBQUM7Z0JBRUQsS0FBSyxHQUFHLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztnQkFDdEIsSUFBSSxLQUFLLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxJQUFJLEtBQUssQ0FBQyxDQUFDLENBQUMsS0FBSyxHQUFHLEVBQUUsQ0FBQztvQkFDekMsT0FBTztnQkFDVCxDQUFDO2dCQUVELE1BQU0sUUFBUSxHQUFHLElBQUEscUJBQVUsRUFBQyxLQUFLLEVBQUUsVUFBVSxDQUFDLENBQUM7Z0JBQy9DLElBQUksQ0FBQyxRQUFRLEVBQUUsQ0FBQztvQkFDZCxPQUFPO2dCQUNULENBQUM7Z0JBRUQscUVBQXFFO2dCQUNyRSxvRUFBb0U7Z0JBQ3BFLElBQUksQ0FBQyxJQUFBLHVCQUFZLEVBQUMsUUFBUSxFQUFFLGVBQWUsQ0FBQyxFQUFFLENBQUM7b0JBQzdDLGlFQUFpRTtvQkFDakUsSUFBSSxXQUFXLENBQUMsZUFBZSxJQUFJLFdBQVcsQ0FBQyxlQUFlLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO3dCQUMxRSxHQUFHLENBQUMsU0FBUyxDQUFDLG9KQUFvSixDQUFDLENBQUM7d0JBQ3BLLElBQUksQ0FBQyxJQUFBLHVCQUFZLEVBQUMsUUFBUSxFQUFFLFdBQVcsQ0FBQyxlQUFlLENBQUMsRUFBRSxDQUFDOzRCQUN6RCxPQUFPLEVBQUUsQ0FBQzt3QkFDWixDQUFDO29CQUNILENBQUM7eUJBQU0sQ0FBQzt3QkFDTixPQUFPLEVBQUUsQ0FBQztvQkFDWixDQUFDO2dCQUNILENBQUM7WUFDSCxDQUFDO1FBQ0gsQ0FBQyxDQUFDO1FBRUYsa0RBQWtEO1FBQ2xELElBQUksV0FBVyxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQzFCLE1BQU0sc0JBQXNCLEdBQUcsV0FBVyxDQUFDLFNBQVMsQ0FBQztZQUNyRCxXQUFXLENBQUMsU0FBUyxHQUFHLFVBQVMsR0FBRyxFQUFFLElBQUksRUFBRSxLQUFLLEVBQUUsV0FBVztnQkFDNUQsTUFBTSxNQUFNLEdBQUcsc0JBQXNCLENBQUMsS0FBSyxDQUFDLElBQUksRUFBRSxDQUFFLEdBQUcsRUFBRSxJQUFJLEVBQUUsS0FBSyxFQUFFLFdBQVcsQ0FBRSxDQUFDLENBQUM7Z0JBQ3JGLElBQUksTUFBTSxLQUFLLFNBQVMsRUFBRSxDQUFDO29CQUN6QixPQUFPLE1BQU0sQ0FBQztnQkFDaEIsQ0FBQztnQkFDRCwrQkFBK0I7Z0JBQy9CLE9BQU8sV0FBVyxDQUFDLG9CQUFvQixDQUFFLENBQUMsS0FBSyxDQUFDLElBQUksRUFBRSxDQUFFLEdBQUcsRUFBRSxJQUFJLEVBQUUsS0FBSyxFQUFFLFdBQVcsQ0FBRSxDQUFDLENBQUM7WUFDM0YsQ0FBQyxDQUFDO1FBQ0osQ0FBQzthQUFNLENBQUM7WUFDTixXQUFXLENBQUMsU0FBUyxHQUFHLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO1FBQzVELENBQUM7SUFDSCxDQUFDO0lBRUQsT0FBTyxJQUFBLGFBQUcsRUFBQyxHQUFHLEVBQUUsV0FBVyxDQUFDLENBQUM7QUFDL0IsQ0FBQyJ9

package/dist/commonjs/lib/helper/sjs.d.ts

@@ -1,4 +0,0 @@
-/**
- * Escape JavaScript to \xHH format
- */
-export default function escapeJavaScript(text: string): string;

package/dist/commonjs/lib/helper/sjs.js

@@ -1,52 +0,0 @@
-"use strict";
-/**
- * Escape JavaScript to \xHH format
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.default = escapeJavaScript;
-// escape \x00-\x7f
-// except 0-9,A-Z,a-z(\x2f-\x3a \x40-\x5b \x60-\x7b)
-// eslint-disable-next-line
-const MATCH_VULNERABLE_REGEXP = /[\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]/;
-// eslint-enable-next-line
-const BASIC_ALPHABETS = new Set('abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'.split(''));
-const map = {
-    '\t': '\\t',
-    '\n': '\\n',
-    '\r': '\\r',
-};
-function escapeJavaScript(text) {
-    const str = '' + text;
-    const match = MATCH_VULNERABLE_REGEXP.exec(str);
-    if (!match) {
-        return str;
-    }
-    let res = '';
-    let index = 0;
-    let lastIndex = 0;
-    let ascii;
-    for (index = match.index; index < str.length; index++) {
-        ascii = str[index];
-        if (BASIC_ALPHABETS.has(ascii)) {
-            continue;
-        }
-        else {
-            if (map[ascii] === undefined) {
-                const code = ascii.charCodeAt(0);
-                if (code > 127) {
-                    continue;
-                }
-                else {
-                    map[ascii] = '\\x' + code.toString(16);
-                }
-            }
-        }
-        if (lastIndex !== index) {
-            res += str.substring(lastIndex, index);
-        }
-        lastIndex = index + 1;
-        res += map[ascii];
-    }
-    return lastIndex !== index ? res + str.substring(lastIndex, index) : res;
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2pzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvc2pzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7QUFBQTs7R0FFRzs7QUFpQkgsbUNBcUNDO0FBcERELG1CQUFtQjtBQUNuQixvREFBb0Q7QUFFcEQsMkJBQTJCO0FBQzNCLE1BQU0sdUJBQXVCLEdBQUcsd0NBQXdDLENBQUM7QUFDekUsMEJBQTBCO0FBRTFCLE1BQU0sZUFBZSxHQUFHLElBQUksR0FBRyxDQUFDLGdFQUFnRSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO0FBRTVHLE1BQU0sR0FBRyxHQUEyQjtJQUNsQyxJQUFJLEVBQUUsS0FBSztJQUNYLElBQUksRUFBRSxLQUFLO0lBQ1gsSUFBSSxFQUFFLEtBQUs7Q0FDWixDQUFDO0FBRUYsU0FBd0IsZ0JBQWdCLENBQUMsSUFBWTtJQUNuRCxNQUFNLEdBQUcsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDO0lBQ3RCLE1BQU0sS0FBSyxHQUFHLHVCQUF1QixDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUVoRCxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7UUFDWCxPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUM7SUFFRCxJQUFJLEdBQUcsR0FBRyxFQUFFLENBQUM7SUFDYixJQUFJLEtBQUssR0FBRyxDQUFDLENBQUM7SUFDZCxJQUFJLFNBQVMsR0FBRyxDQUFDLENBQUM7SUFDbEIsSUFBSSxLQUFLLENBQUM7SUFFVixLQUFLLEtBQUssR0FBRyxLQUFLLENBQUMsS0FBSyxFQUFFLEtBQUssR0FBRyxHQUFHLENBQUMsTUFBTSxFQUFFLEtBQUssRUFBRSxFQUFFLENBQUM7UUFDdEQsS0FBSyxHQUFHLEdBQUcsQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUNuQixJQUFJLGVBQWUsQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUMvQixTQUFTO1FBQ1gsQ0FBQzthQUFNLENBQUM7WUFDTixJQUFJLEdBQUcsQ0FBQyxLQUFLLENBQUMsS0FBSyxTQUFTLEVBQUUsQ0FBQztnQkFDN0IsTUFBTSxJQUFJLEdBQUcsS0FBSyxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQztnQkFDakMsSUFBSSxJQUFJLEdBQUcsR0FBRyxFQUFFLENBQUM7b0JBQ2YsU0FBUztnQkFDWCxDQUFDO3FCQUFNLENBQUM7b0JBQ04sR0FBRyxDQUFDLEtBQUssQ0FBQyxHQUFHLEtBQUssR0FBRyxJQUFJLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQyxDQUFDO2dCQUN6QyxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUM7UUFFRCxJQUFJLFNBQVMsS0FBSyxLQUFLLEVBQUUsQ0FBQztZQUN4QixHQUFHLElBQUksR0FBRyxDQUFDLFNBQVMsQ0FBQyxTQUFTLEVBQUUsS0FBSyxDQUFDLENBQUM7UUFDekMsQ0FBQztRQUVELFNBQVMsR0FBRyxLQUFLLEdBQUcsQ0FBQyxDQUFDO1FBQ3RCLEdBQUcsSUFBSSxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDcEIsQ0FBQztJQUVELE9BQU8sU0FBUyxLQUFLLEtBQUssQ0FBQyxDQUFDLENBQUMsR0FBRyxHQUFHLEdBQUcsQ0FBQyxTQUFTLENBQUMsU0FBUyxFQUFFLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUM7QUFDM0UsQ0FBQyJ9

package/dist/commonjs/lib/helper/sjson.d.ts

@@ -1 +0,0 @@
-export default function jsonEscape(obj: any): string;

package/dist/commonjs/lib/helper/sjson.js

@@ -1,45 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.default = jsonEscape;
-const sjs_js_1 = __importDefault(require("./sjs.js"));
-/**
- * escape json
- * for output json in script
- */
-function sanitizeKey(obj) {
-    if (typeof obj !== 'object')
-        return obj;
-    if (Array.isArray(obj))
-        return obj;
-    if (obj === null)
-        return null;
-    if (typeof obj === 'boolean')
-        return obj;
-    if (typeof obj === 'number')
-        return obj;
-    if (Buffer.isBuffer(obj))
-        return obj.toString();
-    for (const k in obj) {
-        const escapedK = (0, sjs_js_1.default)(k);
-        if (escapedK !== k) {
-            obj[escapedK] = sanitizeKey(obj[k]);
-            obj[k] = undefined;
-        }
-        else {
-            obj[k] = sanitizeKey(obj[k]);
-        }
-    }
-    return obj;
-}
-function jsonEscape(obj) {
-    return JSON.stringify(sanitizeKey(obj), (_k, v) => {
-        if (typeof v === 'string') {
-            return (0, sjs_js_1.default)(v);
-        }
-        return v;
-    });
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2pzb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zanNvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQTJCQSw2QkFPQztBQWxDRCxzREFBMkI7QUFFM0I7OztHQUdHO0FBRUgsU0FBUyxXQUFXLENBQUMsR0FBUTtJQUMzQixJQUFJLE9BQU8sR0FBRyxLQUFLLFFBQVE7UUFBRSxPQUFPLEdBQUcsQ0FBQztJQUN4QyxJQUFJLEtBQUssQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDO1FBQUUsT0FBTyxHQUFHLENBQUM7SUFDbkMsSUFBSSxHQUFHLEtBQUssSUFBSTtRQUFFLE9BQU8sSUFBSSxDQUFDO0lBQzlCLElBQUksT0FBTyxHQUFHLEtBQUssU0FBUztRQUFFLE9BQU8sR0FBRyxDQUFDO0lBQ3pDLElBQUksT0FBTyxHQUFHLEtBQUssUUFBUTtRQUFFLE9BQU8sR0FBRyxDQUFDO0lBQ3hDLElBQUksTUFBTSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUM7UUFBRSxPQUFPLEdBQUcsQ0FBQyxRQUFRLEVBQUUsQ0FBQztJQUVoRCxLQUFLLE1BQU0sQ0FBQyxJQUFJLEdBQUcsRUFBRSxDQUFDO1FBQ3BCLE1BQU0sUUFBUSxHQUFHLElBQUEsZ0JBQUcsRUFBQyxDQUFDLENBQUMsQ0FBQztRQUN4QixJQUFJLFFBQVEsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUNuQixHQUFHLENBQUMsUUFBUSxDQUFDLEdBQUcsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ3BDLEdBQUcsQ0FBQyxDQUFDLENBQUMsR0FBRyxTQUFTLENBQUM7UUFDckIsQ0FBQzthQUFNLENBQUM7WUFDTixHQUFHLENBQUMsQ0FBQyxDQUFDLEdBQUcsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQy9CLENBQUM7SUFDSCxDQUFDO0lBQ0QsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDO0FBRUQsU0FBd0IsVUFBVSxDQUFDLEdBQVE7SUFDekMsT0FBTyxJQUFJLENBQUMsU0FBUyxDQUFDLFdBQVcsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEVBQUUsRUFBRSxDQUFDLEVBQUUsRUFBRTtRQUNoRCxJQUFJLE9BQU8sQ0FBQyxLQUFLLFFBQVEsRUFBRSxDQUFDO1lBQzFCLE9BQU8sSUFBQSxnQkFBRyxFQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ2hCLENBQUM7UUFDRCxPQUFPLENBQUMsQ0FBQztJQUNYLENBQUMsQ0FBQyxDQUFDO0FBQ0wsQ0FBQyJ9

package/dist/commonjs/lib/helper/spath.d.ts

@@ -1,5 +0,0 @@
-/**
- * File Inclusion
- */
-import type { BaseContextClass } from '@eggjs/core';
-export default function pathFilter(this: BaseContextClass, path: string): string | null;

package/dist/commonjs/lib/helper/spath.js

@@ -1,28 +0,0 @@
-"use strict";
-/**
- * File Inclusion
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.default = pathFilter;
-function pathFilter(path) {
-    if (typeof path !== 'string')
-        return path;
-    const pathSource = path;
-    while (path.indexOf('%') !== -1) {
-        try {
-            path = decodeURIComponent(path);
-        }
-        catch (e) {
-            if (process.env.NODE_ENV !== 'production') {
-                // Not a PROD env, logging with a warning.
-                this.ctx.coreLogger.warn('[@eggjs/security/lib/helper/spath] : decode file path %j failed.', path);
-            }
-            break;
-        }
-    }
-    if (path.indexOf('..') !== -1 || path[0] === '/') {
-        return null;
-    }
-    return pathSource;
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic3BhdGguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zcGF0aC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiO0FBQUE7O0dBRUc7O0FBSUgsNkJBb0JDO0FBcEJELFNBQXdCLFVBQVUsQ0FBeUIsSUFBWTtJQUNyRSxJQUFJLE9BQU8sSUFBSSxLQUFLLFFBQVE7UUFBRSxPQUFPLElBQUksQ0FBQztJQUUxQyxNQUFNLFVBQVUsR0FBRyxJQUFJLENBQUM7SUFFeEIsT0FBTyxJQUFJLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDaEMsSUFBSSxDQUFDO1lBQ0gsSUFBSSxHQUFHLGtCQUFrQixDQUFDLElBQUksQ0FBQyxDQUFDO1FBQ2xDLENBQUM7UUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1lBQ1gsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLFFBQVEsS0FBSyxZQUFZLEVBQUUsQ0FBQztnQkFDMUMsMENBQTBDO2dCQUMxQyxJQUFJLENBQUMsR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsa0VBQWtFLEVBQUUsSUFBSSxDQUFDLENBQUM7WUFDckcsQ0FBQztZQUNELE1BQU07UUFDUixDQUFDO0lBQ0gsQ0FBQztJQUNELElBQUksSUFBSSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUMsSUFBSSxJQUFJLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxFQUFFLENBQUM7UUFDakQsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0lBQ0QsT0FBTyxVQUFVLENBQUM7QUFDcEIsQ0FBQyJ9

package/dist/commonjs/lib/helper/surl.d.ts

@@ -1,2 +0,0 @@
-import type { BaseContextClass } from '@eggjs/core';
-export default function surl(this: BaseContextClass, val: string): string;

package/dist/commonjs/lib/helper/surl.js

@@ -1,33 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.default = surl;
-const escapeMap = {
-    '"': '"',
-    '<': '&lt;',
-    '>': '&gt;',
-    '\'': '&#x27;',
-};
-function surl(val) {
-    // Just get the converted the protocolWhiteList in `Set` mode,
-    // Avoid conversions in `foreach`
-    const protocolWhiteListSet = this.app.config.security.__protocolWhiteListSet;
-    if (typeof val !== 'string') {
-        return val;
-    }
-    // only test on absolute path
-    if (val[0] !== '/') {
-        const arr = val.split('://', 2);
-        const protocol = arr.length > 1 ? arr[0].toLowerCase() : '';
-        if (protocol === '' || !protocolWhiteListSet.has(protocol)) {
-            if (this.app.config.env === 'local') {
-                this.ctx.coreLogger.warn('[@eggjs/security/surl] url: %j, protocol: %j, ' +
-                    'protocol is empty or not in white list, convert to empty string', val, protocol);
-            }
-            return '';
-        }
-    }
-    return val.replace(/["'<>]/g, ch => {
-        return escapeMap[ch];
-    });
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic3VybC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9saWIvaGVscGVyL3N1cmwudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFTQSx1QkF5QkM7QUFoQ0QsTUFBTSxTQUFTLEdBQTJCO0lBQ3hDLEdBQUcsRUFBRSxRQUFRO0lBQ2IsR0FBRyxFQUFFLE1BQU07SUFDWCxHQUFHLEVBQUUsTUFBTTtJQUNYLElBQUksRUFBRSxRQUFRO0NBQ2YsQ0FBQztBQUVGLFNBQXdCLElBQUksQ0FBeUIsR0FBVztJQUM5RCw4REFBOEQ7SUFDOUQsaUNBQWlDO0lBQ2pDLE1BQU0sb0JBQW9CLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLHNCQUF1QixDQUFDO0lBRTlFLElBQUksT0FBTyxHQUFHLEtBQUssUUFBUSxFQUFFLENBQUM7UUFDNUIsT0FBTyxHQUFHLENBQUM7SUFDYixDQUFDO0lBRUQsNkJBQTZCO0lBQzdCLElBQUksR0FBRyxDQUFDLENBQUMsQ0FBQyxLQUFLLEdBQUcsRUFBRSxDQUFDO1FBQ25CLE1BQU0sR0FBRyxHQUFHLEdBQUcsQ0FBQyxLQUFLLENBQUMsS0FBSyxFQUFFLENBQUMsQ0FBQyxDQUFDO1FBQ2hDLE1BQU0sUUFBUSxHQUFHLEdBQUcsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsV0FBVyxFQUFFLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQztRQUM1RCxJQUFJLFFBQVEsS0FBSyxFQUFFLElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxHQUFHLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQztZQUMzRCxJQUFJLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLEdBQUcsS0FBSyxPQUFPLEVBQUUsQ0FBQztnQkFDcEMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLGdEQUFnRDtvQkFDdkUsaUVBQWlFLEVBQUUsR0FBRyxFQUFFLFFBQVEsQ0FBQyxDQUFDO1lBQ3RGLENBQUM7WUFDRCxPQUFPLEVBQUUsQ0FBQztRQUNaLENBQUM7SUFDSCxDQUFDO0lBRUQsT0FBTyxHQUFHLENBQUMsT0FBTyxDQUFDLFNBQVMsRUFBRSxFQUFFLENBQUMsRUFBRTtRQUNqQyxPQUFPLFNBQVMsQ0FBQyxFQUFFLENBQUMsQ0FBQztJQUN2QixDQUFDLENBQUMsQ0FBQztBQUNMLENBQUMifQ==

package/dist/commonjs/lib/middlewares/csp.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["csp"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/commonjs/lib/middlewares/csp.js

@@ -1,68 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const extend_1 = __importDefault(require("extend"));
-const utils_js_1 = require("../utils.js");
-const HEADER = [
-    'x-content-security-policy',
-    'content-security-policy',
-];
-const REPORT_ONLY_HEADER = [
-    'x-content-security-policy-report-only',
-    'content-security-policy-report-only',
-];
-// Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
-const MSIE_REGEXP = / MSIE /i;
-exports.default = (options) => {
-    return async function csp(ctx, next) {
-        await next();
-        const opts = {
-            ...options,
-            ...ctx.securityOptions.csp,
-        };
-        if ((0, utils_js_1.checkIfIgnore)(opts, ctx))
-            return;
-        let finalHeader;
-        const matchedOption = (0, extend_1.default)(true, {}, opts.policy);
-        const bufArray = [];
-        const headers = opts.reportOnly ? REPORT_ONLY_HEADER : HEADER;
-        if (opts.supportIE && MSIE_REGEXP.test(ctx.get('user-agent'))) {
-            finalHeader = headers[0];
-        }
-        else {
-            finalHeader = headers[1];
-        }
-        for (const key in matchedOption) {
-            const value = matchedOption[key];
-            // Other arrays are splitted into strings EXCEPT `sandbox`
-            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
-            if (key === 'sandbox' && value === true) {
-                bufArray.push(key);
-            }
-            else {
-                let values = (Array.isArray(value) ? value : [value]);
-                if (key === 'script-src') {
-                    const hasNonce = values.some(function (val) {
-                        return val.indexOf('nonce-') !== -1;
-                    });
-                    if (!hasNonce) {
-                        values.push('\'nonce-' + ctx.nonce + '\'');
-                    }
-                }
-                values = values.map(function (d) {
-                    if (d.startsWith('.')) {
-                        d = '*' + d;
-                    }
-                    return d;
-                });
-                bufArray.push(key + ' ' + values.join(' '));
-            }
-        }
-        const headerString = bufArray.join(';');
-        ctx.set(finalHeader, headerString);
-        ctx.set('x-csp-nonce', ctx.nonce);
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3NwLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9taWRkbGV3YXJlcy9jc3AudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7QUFBQSxvREFBNEI7QUFFNUIsMENBQTRDO0FBRzVDLE1BQU0sTUFBTSxHQUFHO0lBQ2IsMkJBQTJCO0lBQzNCLHlCQUF5QjtDQUMxQixDQUFDO0FBQ0YsTUFBTSxrQkFBa0IsR0FBRztJQUN6Qix1Q0FBdUM7SUFDdkMscUNBQXFDO0NBQ3RDLENBQUM7QUFFRixxREFBcUQ7QUFDckQsTUFBTSxXQUFXLEdBQUcsU0FBUyxDQUFDO0FBRTlCLGtCQUFlLENBQUMsT0FBOEIsRUFBRSxFQUFFO0lBQ2hELE9BQU8sS0FBSyxVQUFVLEdBQUcsQ0FBQyxHQUFZLEVBQUUsSUFBVTtRQUNoRCxNQUFNLElBQUksRUFBRSxDQUFDO1FBRWIsTUFBTSxJQUFJLEdBQUc7WUFDWCxHQUFHLE9BQU87WUFDVixHQUFHLEdBQUcsQ0FBQyxlQUFlLENBQUMsR0FBRztTQUMzQixDQUFDO1FBQ0YsSUFBSSxJQUFBLHdCQUFhLEVBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQztZQUFFLE9BQU87UUFFckMsSUFBSSxXQUFXLENBQUM7UUFDaEIsTUFBTSxhQUFhLEdBQUcsSUFBQSxnQkFBTSxFQUFDLElBQUksRUFBRSxFQUFFLEVBQUUsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ3BELE1BQU0sUUFBUSxHQUFHLEVBQUUsQ0FBQztRQUVwQixNQUFNLE9BQU8sR0FBRyxJQUFJLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQzlELElBQUksSUFBSSxDQUFDLFNBQVMsSUFBSSxXQUFXLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxHQUFHLENBQUMsWUFBWSxDQUFDLENBQUMsRUFBRSxDQUFDO1lBQzlELFdBQVcsR0FBRyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDM0IsQ0FBQzthQUFNLENBQUM7WUFDTixXQUFXLEdBQUcsT0FBTyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzNCLENBQUM7UUFFRCxLQUFLLE1BQU0sR0FBRyxJQUFJLGFBQWEsRUFBRSxDQUFDO1lBQ2hDLE1BQU0sS0FBSyxHQUFHLGFBQWEsQ0FBQyxHQUFHLENBQUMsQ0FBQztZQUNqQywwREFBMEQ7WUFDMUQsNEZBQTRGO1lBQzVGLElBQUksR0FBRyxLQUFLLFNBQVMsSUFBSSxLQUFLLEtBQUssSUFBSSxFQUFFLENBQUM7Z0JBQ3hDLFFBQVEsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7WUFDckIsQ0FBQztpQkFBTSxDQUFDO2dCQUNOLElBQUksTUFBTSxHQUFHLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFFLEtBQUssQ0FBRSxDQUFhLENBQUM7Z0JBQ3BFLElBQUksR0FBRyxLQUFLLFlBQVksRUFBRSxDQUFDO29CQUN6QixNQUFNLFFBQVEsR0FBRyxNQUFNLENBQUMsSUFBSSxDQUFDLFVBQVMsR0FBRzt3QkFDdkMsT0FBTyxHQUFHLENBQUMsT0FBTyxDQUFDLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDO29CQUN0QyxDQUFDLENBQUMsQ0FBQztvQkFFSCxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7d0JBQ2QsTUFBTSxDQUFDLElBQUksQ0FBQyxVQUFVLEdBQUcsR0FBRyxDQUFDLEtBQUssR0FBRyxJQUFJLENBQUMsQ0FBQztvQkFDN0MsQ0FBQztnQkFDSCxDQUFDO2dCQUVELE1BQU0sR0FBRyxNQUFNLENBQUMsR0FBRyxDQUFDLFVBQVMsQ0FBQztvQkFDNUIsSUFBSSxDQUFDLENBQUMsVUFBVSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7d0JBQ3RCLENBQUMsR0FBRyxHQUFHLEdBQUcsQ0FBQyxDQUFDO29CQUNkLENBQUM7b0JBQ0QsT0FBTyxDQUFDLENBQUM7Z0JBQ1gsQ0FBQyxDQUFDLENBQUM7Z0JBQ0gsUUFBUSxDQUFDLElBQUksQ0FBQyxHQUFHLEdBQUcsR0FBRyxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztZQUM5QyxDQUFDO1FBQ0gsQ0FBQztRQUNELE1BQU0sWUFBWSxHQUFHLFFBQVEsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDeEMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxXQUFXLEVBQUUsWUFBWSxDQUFDLENBQUM7UUFDbkMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxhQUFhLEVBQUUsR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQ3BDLENBQUMsQ0FBQztBQUNKLENBQUMsQ0FBQyJ9

package/dist/commonjs/lib/middlewares/csrf.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["csrf"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/commonjs/lib/middlewares/csrf.js

@@ -1,42 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const node_util_1 = require("node:util");
-const type_is_1 = __importDefault(require("type-is"));
-const utils_js_1 = require("../utils.js");
-const debug = (0, node_util_1.debuglog)('@eggjs/security/lib/middlewares/csrf');
-exports.default = (options) => {
-    return function csrf(ctx, next) {
-        if ((0, utils_js_1.checkIfIgnore)(options, ctx)) {
-            return next();
-        }
-        // ensure csrf token exists
-        if (['any', 'all', 'ctoken'].includes(options.type)) {
-            ctx.ensureCsrfSecret();
-        }
-        // supported requests
-        const method = ctx.method;
-        let isSupported = false;
-        for (const eachRule of options.supportedRequests) {
-            if (eachRule.path.test(ctx.path)) {
-                if (eachRule.methods.includes(method)) {
-                    isSupported = true;
-                    break;
-                }
-            }
-        }
-        if (!isSupported) {
-            return next();
-        }
-        if (options.ignoreJSON && type_is_1.default.is(ctx.get('content-type'), 'json')) {
-            return next();
-        }
-        const body = ctx.request.body;
-        debug('%s %s, got %j', ctx.method, ctx.url, body);
-        ctx.assertCsrf();
-        return next();
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3NyZi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMvY3NyZi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQUFBLHlDQUFxQztBQUVyQyxzREFBNkI7QUFDN0IsMENBQTRDO0FBRzVDLE1BQU0sS0FBSyxHQUFHLElBQUEsb0JBQVEsRUFBQyxzQ0FBc0MsQ0FBQyxDQUFDO0FBRS9ELGtCQUFlLENBQUMsT0FBK0IsRUFBRSxFQUFFO0lBQ2pELE9BQU8sU0FBUyxJQUFJLENBQUMsR0FBWSxFQUFFLElBQVU7UUFDM0MsSUFBSSxJQUFBLHdCQUFhLEVBQUMsT0FBTyxFQUFFLEdBQUcsQ0FBQyxFQUFFLENBQUM7WUFDaEMsT0FBTyxJQUFJLEVBQUUsQ0FBQztRQUNoQixDQUFDO1FBRUQsMkJBQTJCO1FBQzNCLElBQUksQ0FBRSxLQUFLLEVBQUUsS0FBSyxFQUFFLFFBQVEsQ0FBRSxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztZQUN0RCxHQUFHLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztRQUN6QixDQUFDO1FBRUQscUJBQXFCO1FBQ3JCLE1BQU0sTUFBTSxHQUFHLEdBQUcsQ0FBQyxNQUFNLENBQUM7UUFDMUIsSUFBSSxXQUFXLEdBQUcsS0FBSyxDQUFDO1FBQ3hCLEtBQUssTUFBTSxRQUFRLElBQUksT0FBTyxDQUFDLGlCQUFpQixFQUFFLENBQUM7WUFDakQsSUFBSSxRQUFRLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztnQkFDakMsSUFBSSxRQUFRLENBQUMsT0FBTyxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO29CQUN0QyxXQUFXLEdBQUcsSUFBSSxDQUFDO29CQUNuQixNQUFNO2dCQUNSLENBQUM7WUFDSCxDQUFDO1FBQ0gsQ0FBQztRQUNELElBQUksQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUNqQixPQUFPLElBQUksRUFBRSxDQUFDO1FBQ2hCLENBQUM7UUFFRCxJQUFJLE9BQU8sQ0FBQyxVQUFVLElBQUksaUJBQU0sQ0FBQyxFQUFFLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxjQUFjLENBQUMsRUFBRSxNQUFNLENBQUMsRUFBRSxDQUFDO1lBQ3JFLE9BQU8sSUFBSSxFQUFFLENBQUM7UUFDaEIsQ0FBQztRQUVELE1BQU0sSUFBSSxHQUFHLEdBQUcsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDO1FBQzlCLEtBQUssQ0FBQyxlQUFlLEVBQUUsR0FBRyxDQUFDLE1BQU0sRUFBRSxHQUFHLENBQUMsR0FBRyxFQUFFLElBQUksQ0FBQyxDQUFDO1FBQ2xELEdBQUcsQ0FBQyxVQUFVLEVBQUUsQ0FBQztRQUNqQixPQUFPLElBQUksRUFBRSxDQUFDO0lBQ2hCLENBQUMsQ0FBQztBQUNKLENBQUMsQ0FBQyJ9

package/dist/commonjs/lib/middlewares/dta.d.ts

@@ -1,3 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-declare const _default: () => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/commonjs/lib/middlewares/dta.js

@@ -1,14 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const utils_js_1 = require("../utils.js");
-// https://en.wikipedia.org/wiki/Directory_traversal_attack
-exports.default = () => {
-    return function dta(ctx, next) {
-        const path = ctx.path;
-        if (!(0, utils_js_1.isSafePath)(path, ctx)) {
-            ctx.throw(400);
-        }
-        return next();
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZHRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9taWRkbGV3YXJlcy9kdGEudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFDQSwwQ0FBeUM7QUFFekMsMkRBQTJEO0FBQzNELGtCQUFlLEdBQUcsRUFBRTtJQUNsQixPQUFPLFNBQVMsR0FBRyxDQUFDLEdBQVksRUFBRSxJQUFVO1FBQzFDLE1BQU0sSUFBSSxHQUFHLEdBQUcsQ0FBQyxJQUFJLENBQUM7UUFDdEIsSUFBSSxDQUFDLElBQUEscUJBQVUsRUFBQyxJQUFJLEVBQUUsR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUMzQixHQUFHLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBQ2pCLENBQUM7UUFDRCxPQUFPLElBQUksRUFBRSxDQUFDO0lBQ2hCLENBQUMsQ0FBQztBQUNKLENBQUMsQ0FBQyJ9

package/dist/commonjs/lib/middlewares/hsts.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["hsts"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/commonjs/lib/middlewares/hsts.js

@@ -1,23 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const utils_js_1 = require("../utils.js");
-// Set Strict-Transport-Security header
-exports.default = (options) => {
-    return async function hsts(ctx, next) {
-        await next();
-        const opts = {
-            ...options,
-            ...ctx.securityOptions.hsts,
-        };
-        if ((0, utils_js_1.checkIfIgnore)(opts, ctx))
-            return;
-        let val = 'max-age=' + opts.maxAge;
-        // If opts.includeSubdomains is defined,
-        // the rule is also valid for all the sub domains of the website
-        if (opts.includeSubdomains) {
-            val += '; includeSubdomains';
-        }
-        ctx.set('strict-transport-security', val);
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaHN0cy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMvaHN0cy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUNBLDBDQUE0QztBQUc1Qyx1Q0FBdUM7QUFDdkMsa0JBQWUsQ0FBQyxPQUErQixFQUFFLEVBQUU7SUFDakQsT0FBTyxLQUFLLFVBQVUsSUFBSSxDQUFDLEdBQVksRUFBRSxJQUFVO1FBQ2pELE1BQU0sSUFBSSxFQUFFLENBQUM7UUFFYixNQUFNLElBQUksR0FBRztZQUNYLEdBQUcsT0FBTztZQUNWLEdBQUcsR0FBRyxDQUFDLGVBQWUsQ0FBQyxJQUFJO1NBQzVCLENBQUM7UUFDRixJQUFJLElBQUEsd0JBQWEsRUFBQyxJQUFJLEVBQUUsR0FBRyxDQUFDO1lBQUUsT0FBTztRQUVyQyxJQUFJLEdBQUcsR0FBRyxVQUFVLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQztRQUNuQyx3Q0FBd0M7UUFDeEMsZ0VBQWdFO1FBQ2hFLElBQUksSUFBSSxDQUFDLGlCQUFpQixFQUFFLENBQUM7WUFDM0IsR0FBRyxJQUFJLHFCQUFxQixDQUFDO1FBQy9CLENBQUM7UUFDRCxHQUFHLENBQUMsR0FBRyxDQUFDLDJCQUEyQixFQUFFLEdBQUcsQ0FBQyxDQUFDO0lBQzVDLENBQUMsQ0FBQztBQUNKLENBQUMsQ0FBQyJ9

package/dist/commonjs/lib/middlewares/index.d.ts

@@ -1,13 +0,0 @@
-declare const _default: {
-    csp: (options: import("../../types.js").SecurityConfig["csp"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    csrf: (options: import("../../types.js").SecurityConfig["csrf"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    dta: () => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    hsts: (options: import("../../types.js").SecurityConfig["hsts"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    methodnoallow: () => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    noopen: (options: import("../../types.js").SecurityConfig["noopen"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    nosniff: (options: import("../../types.js").SecurityConfig["nosniff"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    referrerPolicy: (options: import("../../types.js").SecurityConfig["referrerPolicy"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    xframe: (options: import("../../types.js").SecurityConfig["xframe"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    xssProtection: (options: import("../../types.js").SecurityConfig["xssProtection"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-};
-export default _default;

package/dist/commonjs/lib/middlewares/index.js

@@ -1,28 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const csp_js_1 = __importDefault(require("./csp.js"));
-const csrf_js_1 = __importDefault(require("./csrf.js"));
-const dta_js_1 = __importDefault(require("./dta.js"));
-const hsts_js_1 = __importDefault(require("./hsts.js"));
-const methodnoallow_js_1 = __importDefault(require("./methodnoallow.js"));
-const noopen_js_1 = __importDefault(require("./noopen.js"));
-const nosniff_js_1 = __importDefault(require("./nosniff.js"));
-const referrerPolicy_js_1 = __importDefault(require("./referrerPolicy.js"));
-const xframe_js_1 = __importDefault(require("./xframe.js"));
-const xssProtection_js_1 = __importDefault(require("./xssProtection.js"));
-exports.default = {
-    csp: csp_js_1.default,
-    csrf: csrf_js_1.default,
-    dta: dta_js_1.default,
-    hsts: hsts_js_1.default,
-    methodnoallow: methodnoallow_js_1.default,
-    noopen: noopen_js_1.default,
-    nosniff: nosniff_js_1.default,
-    referrerPolicy: referrerPolicy_js_1.default,
-    xframe: xframe_js_1.default,
-    xssProtection: xssProtection_js_1.default,
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL21pZGRsZXdhcmVzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7O0FBQUEsc0RBQTJCO0FBQzNCLHdEQUE2QjtBQUM3QixzREFBMkI7QUFDM0Isd0RBQTZCO0FBQzdCLDBFQUErQztBQUMvQyw0REFBaUM7QUFDakMsOERBQW1DO0FBQ25DLDRFQUFpRDtBQUNqRCw0REFBaUM7QUFDakMsMEVBQStDO0FBRS9DLGtCQUFlO0lBQ2IsR0FBRyxFQUFILGdCQUFHO0lBQ0gsSUFBSSxFQUFKLGlCQUFJO0lBQ0osR0FBRyxFQUFILGdCQUFHO0lBQ0gsSUFBSSxFQUFKLGlCQUFJO0lBQ0osYUFBYSxFQUFiLDBCQUFhO0lBQ2IsTUFBTSxFQUFOLG1CQUFNO0lBQ04sT0FBTyxFQUFQLG9CQUFPO0lBQ1AsY0FBYyxFQUFkLDJCQUFjO0lBQ2QsTUFBTSxFQUFOLG1CQUFNO0lBQ04sYUFBYSxFQUFiLDBCQUFhO0NBQ2QsQ0FBQyJ9

package/dist/commonjs/lib/middlewares/methodnoallow.d.ts

@@ -1,3 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-declare const _default: () => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/commonjs/lib/middlewares/methodnoallow.js

@@ -1,22 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const node_http_1 = require("node:http");
-const METHODS_NOT_ALLOWED = ['TRACE', 'TRACK'];
-const safeHttpMethodsMap = {};
-for (const method of node_http_1.METHODS) {
-    if (!METHODS_NOT_ALLOWED.includes(method)) {
-        safeHttpMethodsMap[method.toUpperCase()] = true;
-    }
-}
-// https://www.owasp.org/index.php/Cross_Site_Tracing
-// http://jsperf.com/find-by-map-with-find-by-array
-exports.default = () => {
-    return function notAllow(ctx, next) {
-        // ctx.method is upper case
-        if (!safeHttpMethodsMap[ctx.method]) {
-            ctx.throw(405);
-        }
-        return next();
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibWV0aG9kbm9hbGxvdy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMvbWV0aG9kbm9hbGxvdy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUFBLHlDQUFvQztBQUdwQyxNQUFNLG1CQUFtQixHQUFHLENBQUUsT0FBTyxFQUFFLE9BQU8sQ0FBRSxDQUFDO0FBQ2pELE1BQU0sa0JBQWtCLEdBQTRCLEVBQUUsQ0FBQztBQUV2RCxLQUFLLE1BQU0sTUFBTSxJQUFJLG1CQUFPLEVBQUUsQ0FBQztJQUM3QixJQUFJLENBQUMsbUJBQW1CLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7UUFDMUMsa0JBQWtCLENBQUMsTUFBTSxDQUFDLFdBQVcsRUFBRSxDQUFDLEdBQUcsSUFBSSxDQUFDO0lBQ2xELENBQUM7QUFDSCxDQUFDO0FBRUQscURBQXFEO0FBQ3JELG1EQUFtRDtBQUNuRCxrQkFBZSxHQUFHLEVBQUU7SUFDbEIsT0FBTyxTQUFTLFFBQVEsQ0FBQyxHQUFZLEVBQUUsSUFBVTtRQUMvQywyQkFBMkI7UUFDM0IsSUFBSSxDQUFDLGtCQUFrQixDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1lBQ3BDLEdBQUcsQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDakIsQ0FBQztRQUNELE9BQU8sSUFBSSxFQUFFLENBQUM7SUFDaEIsQ0FBQyxDQUFDO0FBQ0osQ0FBQyxDQUFDIn0=

package/dist/commonjs/lib/middlewares/noopen.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["noopen"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/commonjs/lib/middlewares/noopen.js

@@ -1,17 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const utils_js_1 = require("../utils.js");
-// @see http://blogs.msdn.com/b/ieinternals/archive/2009/06/30/internet-explorer-custom-http-headers.aspx
-exports.default = (options) => {
-    return async function noopen(ctx, next) {
-        await next();
-        const opts = {
-            ...options,
-            ...ctx.securityOptions.noopen,
-        };
-        if ((0, utils_js_1.checkIfIgnore)(opts, ctx))
-            return;
-        ctx.set('x-download-options', 'noopen');
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibm9vcGVuLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9taWRkbGV3YXJlcy9ub29wZW4udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFDQSwwQ0FBNEM7QUFHNUMseUdBQXlHO0FBQ3pHLGtCQUFlLENBQUMsT0FBaUMsRUFBRSxFQUFFO0lBQ25ELE9BQU8sS0FBSyxVQUFVLE1BQU0sQ0FBQyxHQUFZLEVBQUUsSUFBVTtRQUNuRCxNQUFNLElBQUksRUFBRSxDQUFDO1FBRWIsTUFBTSxJQUFJLEdBQUc7WUFDWCxHQUFHLE9BQU87WUFDVixHQUFHLEdBQUcsQ0FBQyxlQUFlLENBQUMsTUFBTTtTQUM5QixDQUFDO1FBQ0YsSUFBSSxJQUFBLHdCQUFhLEVBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQztZQUFFLE9BQU87UUFFckMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxvQkFBb0IsRUFBRSxRQUFRLENBQUMsQ0FBQztJQUMxQyxDQUFDLENBQUM7QUFDSixDQUFDLENBQUMifQ==

package/dist/commonjs/lib/middlewares/nosniff.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["nosniff"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/commonjs/lib/middlewares/nosniff.js

@@ -1,30 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const utils_js_1 = require("../utils.js");
-// status codes for redirects
-// @see https://github.com/jshttp/statuses/blob/master/index.js#L33
-const RedirectStatus = {
-    300: true,
-    301: true,
-    302: true,
-    303: true,
-    305: true,
-    307: true,
-    308: true,
-};
-exports.default = (options) => {
-    return async function nosniff(ctx, next) {
-        await next();
-        // ignore redirect response
-        if (RedirectStatus[ctx.status])
-            return;
-        const opts = {
-            ...options,
-            ...ctx.securityOptions.nosniff,
-        };
-        if ((0, utils_js_1.checkIfIgnore)(opts, ctx))
-            return;
-        ctx.set('x-content-type-options', 'nosniff');
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibm9zbmlmZi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMvbm9zbmlmZi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUNBLDBDQUE0QztBQUc1Qyw2QkFBNkI7QUFDN0IsbUVBQW1FO0FBQ25FLE1BQU0sY0FBYyxHQUE0QjtJQUM5QyxHQUFHLEVBQUUsSUFBSTtJQUNULEdBQUcsRUFBRSxJQUFJO0lBQ1QsR0FBRyxFQUFFLElBQUk7SUFDVCxHQUFHLEVBQUUsSUFBSTtJQUNULEdBQUcsRUFBRSxJQUFJO0lBQ1QsR0FBRyxFQUFFLElBQUk7SUFDVCxHQUFHLEVBQUUsSUFBSTtDQUNWLENBQUM7QUFFRixrQkFBZSxDQUFDLE9BQWtDLEVBQUUsRUFBRTtJQUNwRCxPQUFPLEtBQUssVUFBVSxPQUFPLENBQUMsR0FBWSxFQUFFLElBQVU7UUFDcEQsTUFBTSxJQUFJLEVBQUUsQ0FBQztRQUViLDJCQUEyQjtRQUMzQixJQUFJLGNBQWMsQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDO1lBQUUsT0FBTztRQUV2QyxNQUFNLElBQUksR0FBRztZQUNYLEdBQUcsT0FBTztZQUNWLEdBQUcsR0FBRyxDQUFDLGVBQWUsQ0FBQyxPQUFPO1NBQy9CLENBQUM7UUFDRixJQUFJLElBQUEsd0JBQWEsRUFBQyxJQUFJLEVBQUUsR0FBRyxDQUFDO1lBQUUsT0FBTztRQUVyQyxHQUFHLENBQUMsR0FBRyxDQUFDLHdCQUF3QixFQUFFLFNBQVMsQ0FBQyxDQUFDO0lBQy9DLENBQUMsQ0FBQztBQUNKLENBQUMsQ0FBQyJ9

package/dist/commonjs/lib/middlewares/referrerPolicy.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["referrerPolicy"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;