npm - @eggjs/security - Versions diffs - 4.0.1 → 5.0.0-beta.17 - Mend

@eggjs/security 4.0.1 → 5.0.0-beta.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

package/README.md +46 -66
package/README.zh-CN.md +56 -68
package/dist/agent.d.ts +10 -0
package/dist/agent.js +15 -0
package/dist/app/extend/agent.d.ts +9 -0
package/dist/app/extend/agent.js +12 -0
package/dist/app/extend/application.d.ts +12 -0
package/dist/app/extend/application.js +32 -0
package/dist/app/extend/context.d.ts +61 -0
package/dist/app/extend/context.js +191 -0
package/dist/app/extend/helper.d.ts +24 -0
package/dist/app/extend/helper.js +7 -0
package/dist/app/extend/response.d.ts +39 -0
package/dist/app/extend/response.js +70 -0
package/dist/app/middleware/securities.d.ts +8 -0
package/dist/app/middleware/securities.js +39 -0
package/dist/app.d.ts +10 -0
package/dist/app.js +24 -0
package/dist/config/config.default.d.ts +870 -0
package/dist/config/config.default.js +166 -0
package/dist/config/config.local.d.ts +6 -0
package/dist/config/config.local.js +5 -0
package/dist/index.d.ts +1 -0
package/dist/index.js +5 -0
package/dist/lib/extend/safe_curl.d.ts +20 -0
package/dist/lib/extend/safe_curl.js +19 -0
package/dist/lib/helper/cliFilter.d.ts +7 -0
package/dist/lib/helper/cliFilter.js +18 -0
package/dist/lib/helper/escape.d.ts +2 -0
package/dist/lib/helper/escape.js +7 -0
package/dist/lib/helper/escapeShellArg.d.ts +4 -0
package/dist/lib/helper/escapeShellArg.js +7 -0
package/dist/lib/helper/escapeShellCmd.d.ts +4 -0
package/dist/lib/helper/escapeShellCmd.js +15 -0
package/dist/lib/helper/index.d.ts +24 -0
package/dist/lib/helper/index.js +25 -0
package/dist/lib/helper/shtml.d.ts +6 -0
package/dist/lib/helper/shtml.js +53 -0
package/dist/lib/helper/sjs.d.ts +7 -0
package/dist/lib/helper/sjs.js +36 -0
package/dist/lib/helper/sjson.d.ts +4 -0
package/dist/lib/helper/sjson.js +32 -0
package/dist/lib/helper/spath.d.ts +7 -0
package/dist/lib/helper/spath.js +16 -0
package/dist/lib/helper/surl.d.ts +6 -0
package/dist/lib/helper/surl.js +25 -0
package/dist/lib/middlewares/csp.d.ts +7 -0
package/dist/lib/middlewares/csp.js +46 -0
package/dist/lib/middlewares/csrf.d.ts +7 -0
package/dist/lib/middlewares/csrf.js +33 -0
package/dist/lib/middlewares/dta.d.ts +6 -0
package/dist/lib/middlewares/dta.js +13 -0
package/dist/lib/middlewares/hsts.d.ts +7 -0
package/dist/lib/middlewares/hsts.js +19 -0
package/dist/lib/middlewares/index.d.ts +18 -0
package/dist/lib/middlewares/index.js +27 -0
package/dist/lib/middlewares/methodnoallow.d.ts +6 -0
package/dist/lib/middlewares/methodnoallow.js +15 -0
package/dist/lib/middlewares/noopen.d.ts +7 -0
package/dist/lib/middlewares/noopen.js +17 -0
package/dist/lib/middlewares/nosniff.d.ts +7 -0
package/dist/lib/middlewares/nosniff.js +27 -0
package/dist/lib/middlewares/referrerPolicy.d.ts +7 -0
package/dist/lib/middlewares/referrerPolicy.js +31 -0
package/dist/lib/middlewares/xframe.d.ts +7 -0
package/dist/lib/middlewares/xframe.js +18 -0
package/dist/lib/middlewares/xssProtection.d.ts +7 -0
package/dist/lib/middlewares/xssProtection.js +17 -0
package/dist/lib/utils.d.ts +24 -0
package/dist/lib/utils.js +127 -0
package/dist/types.d.ts +38 -0
package/dist/types.js +1 -0
package/package.json +75 -71
package/dist/commonjs/agent.d.ts +0 -6
package/dist/commonjs/agent.js +0 -14
package/dist/commonjs/app/extend/agent.d.ts +0 -5
package/dist/commonjs/app/extend/agent.js +0 -11
package/dist/commonjs/app/extend/application.d.ts +0 -16
package/dist/commonjs/app/extend/application.js +0 -35
package/dist/commonjs/app/extend/context.d.ts +0 -68
package/dist/commonjs/app/extend/context.js +0 -283
package/dist/commonjs/app/extend/helper.d.ts +0 -12
package/dist/commonjs/app/extend/helper.js +0 -10
package/dist/commonjs/app/extend/response.d.ts +0 -41
package/dist/commonjs/app/extend/response.js +0 -85
package/dist/commonjs/app/middleware/securities.d.ts +0 -4
package/dist/commonjs/app/middleware/securities.js +0 -55
package/dist/commonjs/app.d.ts +0 -6
package/dist/commonjs/app.js +0 -29
package/dist/commonjs/config/config.default.d.ts +0 -871
package/dist/commonjs/config/config.default.js +0 -357
package/dist/commonjs/config/config.local.d.ts +0 -5
package/dist/commonjs/config/config.local.js +0 -10
package/dist/commonjs/index.d.ts +0 -1
package/dist/commonjs/index.js +0 -4
package/dist/commonjs/lib/extend/safe_curl.d.ts +0 -16
package/dist/commonjs/lib/extend/safe_curl.js +0 -28
package/dist/commonjs/lib/helper/cliFilter.d.ts +0 -4
package/dist/commonjs/lib/helper/cliFilter.js +0 -20
package/dist/commonjs/lib/helper/escape.d.ts +0 -2
package/dist/commonjs/lib/helper/escape.js +0 -8
package/dist/commonjs/lib/helper/escapeShellArg.d.ts +0 -1
package/dist/commonjs/lib/helper/escapeShellArg.js +0 -8
package/dist/commonjs/lib/helper/escapeShellCmd.d.ts +0 -1
package/dist/commonjs/lib/helper/escapeShellCmd.js +0 -17
package/dist/commonjs/lib/helper/index.d.ts +0 -21
package/dist/commonjs/lib/helper/index.js +0 -26
package/dist/commonjs/lib/helper/shtml.d.ts +0 -2
package/dist/commonjs/lib/helper/shtml.js +0 -76
package/dist/commonjs/lib/helper/sjs.d.ts +0 -4
package/dist/commonjs/lib/helper/sjs.js +0 -52
package/dist/commonjs/lib/helper/sjson.d.ts +0 -1
package/dist/commonjs/lib/helper/sjson.js +0 -45
package/dist/commonjs/lib/helper/spath.d.ts +0 -5
package/dist/commonjs/lib/helper/spath.js +0 -28
package/dist/commonjs/lib/helper/surl.d.ts +0 -2
package/dist/commonjs/lib/helper/surl.js +0 -33
package/dist/commonjs/lib/middlewares/csp.d.ts +0 -4
package/dist/commonjs/lib/middlewares/csp.js +0 -68
package/dist/commonjs/lib/middlewares/csrf.d.ts +0 -4
package/dist/commonjs/lib/middlewares/csrf.js +0 -42
package/dist/commonjs/lib/middlewares/dta.d.ts +0 -3
package/dist/commonjs/lib/middlewares/dta.js +0 -14
package/dist/commonjs/lib/middlewares/hsts.d.ts +0 -4
package/dist/commonjs/lib/middlewares/hsts.js +0 -23
package/dist/commonjs/lib/middlewares/index.d.ts +0 -13
package/dist/commonjs/lib/middlewares/index.js +0 -28
package/dist/commonjs/lib/middlewares/methodnoallow.d.ts +0 -3
package/dist/commonjs/lib/middlewares/methodnoallow.js +0 -22
package/dist/commonjs/lib/middlewares/noopen.d.ts +0 -4
package/dist/commonjs/lib/middlewares/noopen.js +0 -17
package/dist/commonjs/lib/middlewares/nosniff.d.ts +0 -4
package/dist/commonjs/lib/middlewares/nosniff.js +0 -30
package/dist/commonjs/lib/middlewares/referrerPolicy.d.ts +0 -4
package/dist/commonjs/lib/middlewares/referrerPolicy.js +0 -36
package/dist/commonjs/lib/middlewares/xframe.d.ts +0 -4
package/dist/commonjs/lib/middlewares/xframe.js +0 -19
package/dist/commonjs/lib/middlewares/xssProtection.d.ts +0 -4
package/dist/commonjs/lib/middlewares/xssProtection.js +0 -16
package/dist/commonjs/lib/utils.d.ts +0 -19
package/dist/commonjs/lib/utils.js +0 -206
package/dist/commonjs/package.json +0 -3
package/dist/commonjs/types.d.ts +0 -10
package/dist/commonjs/types.js +0 -5
package/dist/esm/agent.d.ts +0 -6
package/dist/esm/agent.js +0 -11
package/dist/esm/app/extend/agent.d.ts +0 -5
package/dist/esm/app/extend/agent.js +0 -8
package/dist/esm/app/extend/application.d.ts +0 -16
package/dist/esm/app/extend/application.js +0 -32
package/dist/esm/app/extend/context.d.ts +0 -68
package/dist/esm/app/extend/context.js +0 -244
package/dist/esm/app/extend/helper.d.ts +0 -12
package/dist/esm/app/extend/helper.js +0 -5
package/dist/esm/app/extend/response.d.ts +0 -41
package/dist/esm/app/extend/response.js +0 -82
package/dist/esm/app/middleware/securities.d.ts +0 -4
package/dist/esm/app/middleware/securities.js +0 -50
package/dist/esm/app.d.ts +0 -6
package/dist/esm/app.js +0 -26
package/dist/esm/config/config.default.d.ts +0 -871
package/dist/esm/config/config.default.js +0 -351
package/dist/esm/config/config.local.d.ts +0 -5
package/dist/esm/config/config.local.js +0 -8
package/dist/esm/index.d.ts +0 -1
package/dist/esm/index.js +0 -2
package/dist/esm/lib/extend/safe_curl.d.ts +0 -16
package/dist/esm/lib/extend/safe_curl.js +0 -25
package/dist/esm/lib/helper/cliFilter.d.ts +0 -4
package/dist/esm/lib/helper/cliFilter.js +0 -17
package/dist/esm/lib/helper/escape.d.ts +0 -2
package/dist/esm/lib/helper/escape.js +0 -3
package/dist/esm/lib/helper/escapeShellArg.d.ts +0 -1
package/dist/esm/lib/helper/escapeShellArg.js +0 -5
package/dist/esm/lib/helper/escapeShellCmd.d.ts +0 -1
package/dist/esm/lib/helper/escapeShellCmd.js +0 -14
package/dist/esm/lib/helper/index.d.ts +0 -21
package/dist/esm/lib/helper/index.js +0 -21
package/dist/esm/lib/helper/shtml.d.ts +0 -2
package/dist/esm/lib/helper/shtml.js +0 -70
package/dist/esm/lib/helper/sjs.d.ts +0 -4
package/dist/esm/lib/helper/sjs.js +0 -49
package/dist/esm/lib/helper/sjson.d.ts +0 -1
package/dist/esm/lib/helper/sjson.js +0 -39
package/dist/esm/lib/helper/spath.d.ts +0 -5
package/dist/esm/lib/helper/spath.js +0 -25
package/dist/esm/lib/helper/surl.d.ts +0 -2
package/dist/esm/lib/helper/surl.js +0 -30
package/dist/esm/lib/middlewares/csp.d.ts +0 -4
package/dist/esm/lib/middlewares/csp.js +0 -63
package/dist/esm/lib/middlewares/csrf.d.ts +0 -4
package/dist/esm/lib/middlewares/csrf.js +0 -37
package/dist/esm/lib/middlewares/dta.d.ts +0 -3
package/dist/esm/lib/middlewares/dta.js +0 -12
package/dist/esm/lib/middlewares/hsts.d.ts +0 -4
package/dist/esm/lib/middlewares/hsts.js +0 -21
package/dist/esm/lib/middlewares/index.d.ts +0 -13
package/dist/esm/lib/middlewares/index.js +0 -23
package/dist/esm/lib/middlewares/methodnoallow.d.ts +0 -3
package/dist/esm/lib/middlewares/methodnoallow.js +0 -20
package/dist/esm/lib/middlewares/noopen.d.ts +0 -4
package/dist/esm/lib/middlewares/noopen.js +0 -15
package/dist/esm/lib/middlewares/nosniff.d.ts +0 -4
package/dist/esm/lib/middlewares/nosniff.js +0 -28
package/dist/esm/lib/middlewares/referrerPolicy.d.ts +0 -4
package/dist/esm/lib/middlewares/referrerPolicy.js +0 -34
package/dist/esm/lib/middlewares/xframe.d.ts +0 -4
package/dist/esm/lib/middlewares/xframe.js +0 -17
package/dist/esm/lib/middlewares/xssProtection.d.ts +0 -4
package/dist/esm/lib/middlewares/xssProtection.js +0 -14
package/dist/esm/lib/utils.d.ts +0 -19
package/dist/esm/lib/utils.js +0 -194
package/dist/esm/package.json +0 -3
package/dist/esm/types.d.ts +0 -10
package/dist/esm/types.js +0 -3
package/dist/package.json +0 -4
package/src/agent.ts +0 -14
package/src/app/extend/agent.ts +0 -14
package/src/app/extend/application.ts +0 -51
package/src/app/extend/context.ts +0 -285
package/src/app/extend/helper.ts +0 -5
package/src/app/extend/response.ts +0 -95
package/src/app/middleware/securities.ts +0 -63
package/src/app.ts +0 -31
package/src/config/config.default.ts +0 -379
package/src/config/config.local.ts +0 -9
package/src/index.ts +0 -1
package/src/lib/extend/safe_curl.ts +0 -35
package/src/lib/helper/cliFilter.ts +0 -20
package/src/lib/helper/escape.ts +0 -3
package/src/lib/helper/escapeShellArg.ts +0 -4
package/src/lib/helper/escapeShellCmd.ts +0 -16
package/src/lib/helper/index.ts +0 -21
package/src/lib/helper/shtml.ts +0 -77
package/src/lib/helper/sjs.ts +0 -57
package/src/lib/helper/sjson.ts +0 -35
package/src/lib/helper/spath.ts +0 -27
package/src/lib/helper/surl.ts +0 -35
package/src/lib/middlewares/csp.ts +0 -70
package/src/lib/middlewares/csrf.ts +0 -44
package/src/lib/middlewares/dta.ts +0 -13
package/src/lib/middlewares/hsts.ts +0 -24
package/src/lib/middlewares/index.ts +0 -23
package/src/lib/middlewares/methodnoallow.ts +0 -23
package/src/lib/middlewares/noopen.ts +0 -18
package/src/lib/middlewares/nosniff.ts +0 -32
package/src/lib/middlewares/referrerPolicy.ts +0 -39
package/src/lib/middlewares/xframe.ts +0 -20
package/src/lib/middlewares/xssProtection.ts +0 -17
package/src/lib/utils.ts +0 -208
package/src/types.ts +0 -16
package/src/typings/index.d.ts +0 -4

package/dist/lib/middlewares/dta.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import { MiddlewareFunc } from "egg";
+//#region src/lib/middlewares/dta.d.ts
+declare const _default: () => MiddlewareFunc;
+//#endregion
+export { _default as default };

package/dist/lib/middlewares/dta.js ADDED Viewed

@@ -0,0 +1,13 @@
+import { isSafePath } from "../utils.js";
+//#region src/lib/middlewares/dta.ts
+var dta_default = () => {
+	return function dta(ctx, next) {
+		const path = ctx.path;
+		if (!isSafePath(path, ctx)) ctx.throw(400);
+		return next();
+	};
+};
+//#endregion
+export { dta_default as default };

package/dist/lib/middlewares/hsts.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { SecurityConfig } from "../../config/config.default.js";
+import { MiddlewareFunc } from "egg";
+//#region src/lib/middlewares/hsts.d.ts
+declare const _default: (options: SecurityConfig["hsts"]) => MiddlewareFunc;
+//#endregion
+export { _default as default };

package/dist/lib/middlewares/hsts.js ADDED Viewed

@@ -0,0 +1,19 @@
+import { checkIfIgnore } from "../utils.js";
+//#region src/lib/middlewares/hsts.ts
+var hsts_default = (options) => {
+	return async function hsts(ctx, next) {
+		await next();
+		const opts = {
+			...options,
+			...ctx.securityOptions.hsts
+		};
+		if (checkIfIgnore(opts, ctx)) return;
+		let val = `max-age=${opts.maxAge}`;
+		if (opts.includeSubdomains) val = `${val}; includeSubdomains`;
+		ctx.set("strict-transport-security", val);
+	};
+};
+//#endregion
+export { hsts_default as default };

package/dist/lib/middlewares/index.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { SecurityConfig } from "../../config/config.default.js";
+import * as egg1 from "egg";
+//#region src/lib/middlewares/index.d.ts
+declare const _default: {
+  csp: (options: SecurityConfig["csp"]) => egg1.MiddlewareFunc;
+  csrf: (options: SecurityConfig["csrf"]) => egg1.MiddlewareFunc;
+  dta: () => egg1.MiddlewareFunc;
+  hsts: (options: SecurityConfig["hsts"]) => egg1.MiddlewareFunc;
+  methodnoallow: () => egg1.MiddlewareFunc;
+  noopen: (options: SecurityConfig["noopen"]) => egg1.MiddlewareFunc;
+  nosniff: (options: SecurityConfig["nosniff"]) => egg1.MiddlewareFunc;
+  referrerPolicy: (options: SecurityConfig["referrerPolicy"]) => egg1.MiddlewareFunc;
+  xframe: (options: SecurityConfig["xframe"]) => egg1.MiddlewareFunc;
+  xssProtection: (options: SecurityConfig["xssProtection"]) => egg1.MiddlewareFunc;
+};
+//#endregion
+export { _default as default };

package/dist/lib/middlewares/index.js ADDED Viewed

@@ -0,0 +1,27 @@
+import csp_default from "./csp.js";
+import csrf_default from "./csrf.js";
+import dta_default from "./dta.js";
+import hsts_default from "./hsts.js";
+import methodnoallow_default from "./methodnoallow.js";
+import noopen_default from "./noopen.js";
+import nosniff_default from "./nosniff.js";
+import referrerPolicy_default from "./referrerPolicy.js";
+import xframe_default from "./xframe.js";
+import xssProtection_default from "./xssProtection.js";
+//#region src/lib/middlewares/index.ts
+var middlewares_default = {
+	csp: csp_default,
+	csrf: csrf_default,
+	dta: dta_default,
+	hsts: hsts_default,
+	methodnoallow: methodnoallow_default,
+	noopen: noopen_default,
+	nosniff: nosniff_default,
+	referrerPolicy: referrerPolicy_default,
+	xframe: xframe_default,
+	xssProtection: xssProtection_default
+};
+//#endregion
+export { middlewares_default as default };

package/dist/lib/middlewares/methodnoallow.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import { MiddlewareFunc } from "egg";
+//#region src/lib/middlewares/methodnoallow.d.ts
+declare const _default: () => MiddlewareFunc;
+//#endregion
+export { _default as default };

package/dist/lib/middlewares/methodnoallow.js ADDED Viewed

@@ -0,0 +1,15 @@
+import { METHODS } from "node:http";
+//#region src/lib/middlewares/methodnoallow.ts
+const METHODS_NOT_ALLOWED = ["TRACE", "TRACK"];
+const safeHttpMethodsMap = {};
+for (const method of METHODS) if (!METHODS_NOT_ALLOWED.includes(method)) safeHttpMethodsMap[method.toUpperCase()] = true;
+var methodnoallow_default = () => {
+	return function notAllow(ctx, next) {
+		if (!safeHttpMethodsMap[ctx.method]) ctx.throw(405);
+		return next();
+	};
+};
+//#endregion
+export { methodnoallow_default as default };

package/dist/lib/middlewares/noopen.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { SecurityConfig } from "../../config/config.default.js";
+import { MiddlewareFunc } from "egg";
+//#region src/lib/middlewares/noopen.d.ts
+declare const _default: (options: SecurityConfig["noopen"]) => MiddlewareFunc;
+//#endregion
+export { _default as default };

package/dist/lib/middlewares/noopen.js ADDED Viewed

@@ -0,0 +1,17 @@
+import { checkIfIgnore } from "../utils.js";
+//#region src/lib/middlewares/noopen.ts
+var noopen_default = (options) => {
+	return async function noopen(ctx, next) {
+		await next();
+		const opts = {
+			...options,
+			...ctx.securityOptions.noopen
+		};
+		if (checkIfIgnore(opts, ctx)) return;
+		ctx.set("x-download-options", "noopen");
+	};
+};
+//#endregion
+export { noopen_default as default };

package/dist/lib/middlewares/nosniff.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { SecurityConfig } from "../../config/config.default.js";
+import { MiddlewareFunc } from "egg";
+//#region src/lib/middlewares/nosniff.d.ts
+declare const _default: (options: SecurityConfig["nosniff"]) => MiddlewareFunc;
+//#endregion
+export { _default as default };

package/dist/lib/middlewares/nosniff.js ADDED Viewed

@@ -0,0 +1,27 @@
+import { checkIfIgnore } from "../utils.js";
+//#region src/lib/middlewares/nosniff.ts
+const RedirectStatus = {
+	300: true,
+	301: true,
+	302: true,
+	303: true,
+	305: true,
+	307: true,
+	308: true
+};
+var nosniff_default = (options) => {
+	return async function nosniff(ctx, next) {
+		await next();
+		if (RedirectStatus[ctx.status]) return;
+		const opts = {
+			...options,
+			...ctx.securityOptions.nosniff
+		};
+		if (checkIfIgnore(opts, ctx)) return;
+		ctx.set("x-content-type-options", "nosniff");
+	};
+};
+//#endregion
+export { nosniff_default as default };

package/dist/lib/middlewares/referrerPolicy.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { SecurityConfig } from "../../config/config.default.js";
+import { MiddlewareFunc } from "egg";
+//#region src/lib/middlewares/referrerPolicy.d.ts
+declare const _default: (options: SecurityConfig["referrerPolicy"]) => MiddlewareFunc;
+//#endregion
+export { _default as default };

package/dist/lib/middlewares/referrerPolicy.js ADDED Viewed

@@ -0,0 +1,31 @@
+import { checkIfIgnore } from "../utils.js";
+//#region src/lib/middlewares/referrerPolicy.ts
+const ALLOWED_POLICIES_ENUM = [
+	"no-referrer",
+	"no-referrer-when-downgrade",
+	"origin",
+	"origin-when-cross-origin",
+	"same-origin",
+	"strict-origin",
+	"strict-origin-when-cross-origin",
+	"unsafe-url",
+	""
+];
+var referrerPolicy_default = (options) => {
+	return async function referrerPolicy(ctx, next) {
+		await next();
+		const opts = {
+			...options,
+			...ctx.securityOptions.refererPolicy,
+			...ctx.securityOptions.referrerPolicy
+		};
+		if (checkIfIgnore(opts, ctx)) return;
+		const policy = opts.value;
+		if (!ALLOWED_POLICIES_ENUM.includes(policy)) throw new Error(`"${policy}" is not available.`);
+		ctx.set("referrer-policy", policy);
+	};
+};
+//#endregion
+export { referrerPolicy_default as default };

package/dist/lib/middlewares/xframe.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { SecurityConfig } from "../../config/config.default.js";
+import { MiddlewareFunc } from "egg";
+//#region src/lib/middlewares/xframe.d.ts
+declare const _default: (options: SecurityConfig["xframe"]) => MiddlewareFunc;
+//#endregion
+export { _default as default };

package/dist/lib/middlewares/xframe.js ADDED Viewed

@@ -0,0 +1,18 @@
+import { checkIfIgnore } from "../utils.js";
+//#region src/lib/middlewares/xframe.ts
+var xframe_default = (options) => {
+	return async function xframe(ctx, next) {
+		await next();
+		const opts = {
+			...options,
+			...ctx.securityOptions.xframe
+		};
+		if (checkIfIgnore(opts, ctx)) return;
+		const value = opts.value || "SAMEORIGIN";
+		ctx.set("x-frame-options", value);
+	};
+};
+//#endregion
+export { xframe_default as default };

package/dist/lib/middlewares/xssProtection.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { SecurityConfig } from "../../config/config.default.js";
+import { MiddlewareFunc } from "egg";
+//#region src/lib/middlewares/xssProtection.d.ts
+declare const _default: (options: SecurityConfig["xssProtection"]) => MiddlewareFunc;
+//#endregion
+export { _default as default };

package/dist/lib/middlewares/xssProtection.js ADDED Viewed

@@ -0,0 +1,17 @@
+import { checkIfIgnore } from "../utils.js";
+//#region src/lib/middlewares/xssProtection.ts
+var xssProtection_default = (options) => {
+	return async function xssProtection(ctx, next) {
+		await next();
+		const opts = {
+			...options,
+			...ctx.securityOptions.xssProtection
+		};
+		if (checkIfIgnore(opts, ctx)) return;
+		ctx.set("x-xss-protection", opts.value);
+	};
+};
+//#endregion
+export { xssProtection_default as default };

package/dist/lib/utils.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import { SecurityConfig } from "../config/config.default.js";
+import { Context } from "egg";
+import { PathMatchingFun } from "egg-path-matching";
+//#region src/lib/utils.d.ts
+/**
+ * Check whether a domain is in the safe domain white list or not.
+ * @param {String} domain The inputted domain.
+ * @param {Array<string>} whiteList The white list for domain.
+ * @return {Boolean} If the `domain` is in the white list, return true; otherwise false.
+ */
+declare function isSafeDomain(domain: string, whiteList: string[]): boolean;
+declare function isSafePath(path: string, ctx: Context): boolean;
+declare function checkIfIgnore(opts: {
+  enable: boolean;
+  matching?: PathMatchingFun;
+}, ctx: Context): boolean;
+declare function getCookieDomain(hostname: string): string;
+declare function merge(origin: Record<string, any>, opts?: Record<string, any>): Record<string, any>;
+declare function preprocessConfig(config: SecurityConfig): void;
+declare function getFromUrl(url: string, prop: string): string | null;
+//#endregion
+export { checkIfIgnore, getCookieDomain, getFromUrl, isSafeDomain, isSafePath, merge, preprocessConfig };

package/dist/lib/utils.js ADDED Viewed

@@ -0,0 +1,127 @@
+import { normalize } from "node:path";
+import matcher from "matcher";
+import IP from "@eggjs/ip";
+//#region src/lib/utils.ts
+/**
+* Check whether a domain is in the safe domain white list or not.
+* @param {String} domain The inputted domain.
+* @param {Array<string>} whiteList The white list for domain.
+* @return {Boolean} If the `domain` is in the white list, return true; otherwise false.
+*/
+function isSafeDomain(domain, whiteList) {
+	if (typeof domain !== "string") return false;
+	domain = domain.toLowerCase();
+	const hostname = "." + domain;
+	return whiteList.some((rule) => {
+		if (rule.includes("*")) return matcher.isMatch(domain, rule);
+		if (domain === rule) return true;
+		if (!rule.startsWith(".")) rule = `.${rule}`;
+		return hostname.endsWith(rule);
+	});
+}
+function isSafePath(path, ctx) {
+	path = "." + path;
+	if (path.includes("%")) try {
+		path = decodeURIComponent(path);
+	} catch {
+		if (ctx.app.config.env === "local" || ctx.app.config.env === "unittest") ctx.coreLogger.warn("[@eggjs/security: dta global block] : decode file path %j failed.", path);
+	}
+	const normalizePath = normalize(path);
+	return !(normalizePath.startsWith("../") || normalizePath.startsWith("..\\"));
+}
+function checkIfIgnore(opts, ctx) {
+	if (!opts.enable) return true;
+	return !opts.matching?.(ctx);
+}
+const IP_RE = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
+const topDomains = {};
+[
+	".net.cn",
+	".gov.cn",
+	".org.cn",
+	".com.cn"
+].forEach((item) => {
+	topDomains[item] = 2 - item.split(".").length;
+});
+function getCookieDomain(hostname) {
+	if (IP_RE.test(hostname)) return hostname;
+	const splits = hostname.split(".");
+	let index = -2;
+	if (splits.length >= 4 && splits[splits.length - 3] === "test") index = -3;
+	let domain = getDomain(splits, index);
+	if (topDomains[domain]) domain = getDomain(splits, index + topDomains[domain]);
+	return domain;
+}
+function getDomain(splits, index) {
+	return "." + splits.slice(index).join(".");
+}
+function merge(origin, opts) {
+	if (!opts) return origin;
+	const res = {};
+	const originKeys = Object.keys(origin);
+	for (let i = 0; i < originKeys.length; i++) {
+		const key = originKeys[i];
+		res[key] = origin[key];
+	}
+	const keys = Object.keys(opts);
+	for (let i = 0; i < keys.length; i++) {
+		const key = keys[i];
+		res[key] = opts[key];
+	}
+	return res;
+}
+function preprocessConfig(config) {
+	const ssrf = config.ssrf;
+	if (ssrf && ssrf.ipBlackList && !ssrf.checkAddress) {
+		const blackList = ssrf.ipBlackList.map(getContains);
+		const exceptionList = (ssrf.ipExceptionList || []).map(getContains);
+		const hostnameExceptionList = ssrf.hostnameExceptionList;
+		ssrf.checkAddress = (ipAddresses, _family, hostname) => {
+			if (hostname && hostnameExceptionList) {
+				if (hostnameExceptionList.includes(hostname)) return true;
+			}
+			if (!Array.isArray(ipAddresses)) ipAddresses = [ipAddresses];
+			for (const ipAddress of ipAddresses) {
+				let address;
+				if (typeof ipAddress === "string") address = ipAddress;
+				else {
+					if (ipAddress.family === 6) continue;
+					address = ipAddress.address;
+				}
+				for (const exception of exceptionList) if (exception(address)) return true;
+				for (const contains of blackList) if (contains(address)) return false;
+			}
+			return true;
+		};
+	}
+	config.domainWhiteList = config.domainWhiteList || [];
+	config.domainWhiteList = config.domainWhiteList.map((domain) => domain.toLowerCase());
+	config.protocolWhiteList = config.protocolWhiteList || [];
+	config.protocolWhiteList = config.protocolWhiteList.map((protocol) => protocol.toLowerCase());
+	if (config.csrf && config.csrf.refererWhiteList) config.csrf.refererWhiteList = config.csrf.refererWhiteList.map((ref) => ref.toLowerCase());
+	const protocolWhiteListSet = new Set(config.protocolWhiteList);
+	protocolWhiteListSet.add("http");
+	protocolWhiteListSet.add("https");
+	protocolWhiteListSet.add("file");
+	protocolWhiteListSet.add("data");
+	Object.defineProperty(config, "__protocolWhiteListSet", {
+		value: protocolWhiteListSet,
+		enumerable: false
+	});
+}
+function getFromUrl(url, prop) {
+	try {
+		const parsed = new URL(url);
+		return Reflect.get(parsed, prop);
+	} catch {
+		return null;
+	}
+}
+function getContains(ip) {
+	if (IP.isV4Format(ip) || IP.isV6Format(ip)) return (address) => address === ip;
+	return IP.cidrSubnet(ip).contains;
+}
+//#endregion
+export { checkIfIgnore, getCookieDomain, getFromUrl, isSafeDomain, isSafePath, merge, preprocessConfig };

package/dist/types.d.ts ADDED Viewed

@@ -0,0 +1,38 @@
+import { SecurityConfig, SecurityHelperConfig } from "./config/config.default.js";
+import { HttpClientOptions, HttpClientRequestURL, HttpClientResponse } from "./lib/extend/safe_curl.js";
+//#region src/types.d.ts
+declare module 'egg' {
+  interface EggAppConfig {
+    /**
+     * security options
+     * @member Config#security
+     */
+    security: SecurityConfig;
+    helper: SecurityHelperConfig;
+  }
+  interface Agent {
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+  }
+  interface Application {
+    injectCsrf(html: string): string;
+    injectNonce(html: string): string;
+    injectHijackingDefense(html: string): string;
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+  }
+  interface Context {
+    get securityOptions(): Partial<SecurityConfig & SecurityHelperConfig>;
+    isSafeDomain(domain: string, customWhiteList?: string[]): boolean;
+    get nonce(): string;
+    get csrf(): string;
+    ensureCsrfSecret(rotate?: boolean): void;
+    rotateCsrfSecret(): void;
+    assertCsrf(): void;
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+    unsafeRedirect(url: string, alt?: string): void;
+  }
+  interface Response {
+    unsafeRedirect(url: string, alt?: string): void;
+    redirect(url: string, alt?: string): void;
+  }
+}

package/dist/types.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export { };