@eggjs/security 5.0.0-beta.19 → 5.0.0-beta.20

package/dist/types.d.ts

@@ -1,38 +1,3 @@
-import { SecurityConfig, SecurityHelperConfig } from "./config/config.default.js";
-import { HttpClientOptions, HttpClientRequestURL, HttpClientResponse } from "./lib/extend/safe_curl.js";
-
-//#region src/types.d.ts
-declare module 'egg' {
-  interface EggAppConfig {
-    /**
-     * security options
-     * @member Config#security
-     */
-    security: SecurityConfig;
-    helper: SecurityHelperConfig;
-  }
-  interface Agent {
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-  }
-  interface Application {
-    injectCsrf(html: string): string;
-    injectNonce(html: string): string;
-    injectHijackingDefense(html: string): string;
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-  }
-  interface Context {
-    get securityOptions(): Partial<SecurityConfig & SecurityHelperConfig>;
-    isSafeDomain(domain: string, customWhiteList?: string[]): boolean;
-    get nonce(): string;
-    get csrf(): string;
-    ensureCsrfSecret(rotate?: boolean): void;
-    rotateCsrfSecret(): void;
-    assertCsrf(): void;
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-    unsafeRedirect(url: string, alt?: string): void;
-  }
-  interface Response {
-    unsafeRedirect(url: string, alt?: string): void;
-    redirect(url: string, alt?: string): void;
-  }
-}
+import "./config.default-D8v08Vox.js";
+import "./safe_curl-mqZZv_YQ.js";
+import "./types-BZR2U30p.js";

package/dist/types.js

@@ -1 +1,3 @@
+import "./types-DnJpiSJb.js";
+
 export {  };

package/dist/utils-Cajs5P8M.js

@@ -0,0 +1,127 @@
+import { normalize } from "node:path";
+import matcher from "matcher";
+import IP from "@eggjs/ip";
+
+//#region src/lib/utils.ts
+/**
+* Check whether a domain is in the safe domain white list or not.
+* @param {String} domain The inputted domain.
+* @param {Array<string>} whiteList The white list for domain.
+* @return {Boolean} If the `domain` is in the white list, return true; otherwise false.
+*/
+function isSafeDomain(domain, whiteList) {
+	if (typeof domain !== "string") return false;
+	domain = domain.toLowerCase();
+	const hostname = "." + domain;
+	return whiteList.some((rule) => {
+		if (rule.includes("*")) return matcher.isMatch(domain, rule);
+		if (domain === rule) return true;
+		if (!rule.startsWith(".")) rule = `.${rule}`;
+		return hostname.endsWith(rule);
+	});
+}
+function isSafePath(path, ctx) {
+	path = "." + path;
+	if (path.includes("%")) try {
+		path = decodeURIComponent(path);
+	} catch {
+		if (ctx.app.config.env === "local" || ctx.app.config.env === "unittest") ctx.coreLogger.warn("[@eggjs/security: dta global block] : decode file path %j failed.", path);
+	}
+	const normalizePath = normalize(path);
+	return !(normalizePath.startsWith("../") || normalizePath.startsWith("..\\"));
+}
+function checkIfIgnore(opts, ctx) {
+	if (!opts.enable) return true;
+	return !opts.matching?.(ctx);
+}
+const IP_RE = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
+const topDomains = {};
+[
+	".net.cn",
+	".gov.cn",
+	".org.cn",
+	".com.cn"
+].forEach((item) => {
+	topDomains[item] = 2 - item.split(".").length;
+});
+function getCookieDomain(hostname) {
+	if (IP_RE.test(hostname)) return hostname;
+	const splits = hostname.split(".");
+	let index = -2;
+	if (splits.length >= 4 && splits[splits.length - 3] === "test") index = -3;
+	let domain = getDomain(splits, index);
+	if (topDomains[domain]) domain = getDomain(splits, index + topDomains[domain]);
+	return domain;
+}
+function getDomain(splits, index) {
+	return "." + splits.slice(index).join(".");
+}
+function merge(origin, opts) {
+	if (!opts) return origin;
+	const res = {};
+	const originKeys = Object.keys(origin);
+	for (let i = 0; i < originKeys.length; i++) {
+		const key = originKeys[i];
+		res[key] = origin[key];
+	}
+	const keys = Object.keys(opts);
+	for (let i = 0; i < keys.length; i++) {
+		const key = keys[i];
+		res[key] = opts[key];
+	}
+	return res;
+}
+function preprocessConfig(config) {
+	const ssrf = config.ssrf;
+	if (ssrf && ssrf.ipBlackList && !ssrf.checkAddress) {
+		const blackList = ssrf.ipBlackList.map(getContains);
+		const exceptionList = (ssrf.ipExceptionList || []).map(getContains);
+		const hostnameExceptionList = ssrf.hostnameExceptionList;
+		ssrf.checkAddress = (ipAddresses, _family, hostname) => {
+			if (hostname && hostnameExceptionList) {
+				if (hostnameExceptionList.includes(hostname)) return true;
+			}
+			if (!Array.isArray(ipAddresses)) ipAddresses = [ipAddresses];
+			for (const ipAddress of ipAddresses) {
+				let address;
+				if (typeof ipAddress === "string") address = ipAddress;
+				else {
+					if (ipAddress.family === 6) continue;
+					address = ipAddress.address;
+				}
+				for (const exception of exceptionList) if (exception(address)) return true;
+				for (const contains of blackList) if (contains(address)) return false;
+			}
+			return true;
+		};
+	}
+	config.domainWhiteList = config.domainWhiteList || [];
+	config.domainWhiteList = config.domainWhiteList.map((domain) => domain.toLowerCase());
+	config.protocolWhiteList = config.protocolWhiteList || [];
+	config.protocolWhiteList = config.protocolWhiteList.map((protocol) => protocol.toLowerCase());
+	if (config.csrf && config.csrf.refererWhiteList) config.csrf.refererWhiteList = config.csrf.refererWhiteList.map((ref) => ref.toLowerCase());
+	const protocolWhiteListSet = new Set(config.protocolWhiteList);
+	protocolWhiteListSet.add("http");
+	protocolWhiteListSet.add("https");
+	protocolWhiteListSet.add("file");
+	protocolWhiteListSet.add("data");
+	Object.defineProperty(config, "__protocolWhiteListSet", {
+		value: protocolWhiteListSet,
+		enumerable: false
+	});
+}
+function getFromUrl(url, prop) {
+	try {
+		const parsed = new URL(url);
+		return Reflect.get(parsed, prop);
+	} catch {
+		return null;
+	}
+}
+function getContains(ip) {
+	if (IP.isV4Format(ip) || IP.isV6Format(ip)) return (address) => address === ip;
+	return IP.cidrSubnet(ip).contains;
+}
+
+//#endregion
+export { checkIfIgnore, getCookieDomain, getFromUrl, isSafeDomain, isSafePath, merge, preprocessConfig };

package/dist/xframe-q9fEZkVI.js

@@ -0,0 +1,18 @@
+import { checkIfIgnore } from "./utils-Cajs5P8M.js";
+
+//#region src/lib/middlewares/xframe.ts
+var xframe_default = (options) => {
+	return async function xframe(ctx, next) {
+		await next();
+		const opts = {
+			...options,
+			...ctx.securityOptions.xframe
+		};
+		if (checkIfIgnore(opts, ctx)) return;
+		const value = opts.value || "SAMEORIGIN";
+		ctx.set("x-frame-options", value);
+	};
+};
+
+//#endregion
+export { xframe_default };

package/dist/xssProtection-D5QsHX-e.js

@@ -0,0 +1,17 @@
+import { checkIfIgnore } from "./utils-Cajs5P8M.js";
+
+//#region src/lib/middlewares/xssProtection.ts
+var xssProtection_default = (options) => {
+	return async function xssProtection(ctx, next) {
+		await next();
+		const opts = {
+			...options,
+			...ctx.securityOptions.xssProtection
+		};
+		if (checkIfIgnore(opts, ctx)) return;
+		ctx.set("x-xss-protection", opts.value);
+	};
+};
+
+//#endregion
+export { xssProtection_default };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eggjs/security",
-  "version": "5.0.0-beta.19",
+  "version": "5.0.0-beta.20",
   "type": "module",
   "publishConfig": {
     "access": "public"
@@ -84,7 +84,7 @@
     "zod": "^3.24.1"
   },
   "peerDependencies": {
-    "egg": "4.1.0-beta.19"
+    "egg": "4.1.0-beta.20"
   },
   "devDependencies": {
     "@types/escape-html": "^1.0.4",
@@ -100,9 +100,9 @@
     "tsdown": "^0.15.4",
     "typescript": "^5.9.3",
     "vitest": "4.0.0-beta.16",
-    "@eggjs/mock": "7.0.0-beta.19",
-    "@eggjs/supertest": "9.0.0-beta.19",
-    "@eggjs/tsconfig": "3.1.0-beta.19"
+    "@eggjs/mock": "7.0.0-beta.20",
+    "@eggjs/tsconfig": "3.1.0-beta.20",
+    "@eggjs/supertest": "9.0.0-beta.20"
   },
   "files": [
     "dist"