@eggjs/security 5.0.0-beta.20 → 5.0.0-beta.21

package/dist/safe_curl-UlViaxoF.js

@@ -1,19 +0,0 @@
-//#region src/lib/extend/safe_curl.ts
-const SSRF_HTTPCLIENT = Symbol("SSRF_HTTPCLIENT");
-/**
-* safe curl with ssrf protection
-*/
-async function safeCurlForApplication(app, url, options = {}) {
-	const ssrfConfig = app.config.security.ssrf;
-	if (ssrfConfig?.checkAddress) options.checkAddress = ssrfConfig.checkAddress;
-	else app.logger.warn("[@eggjs/security] please configure `config.security.ssrf` first");
-	if (ssrfConfig?.checkAddress) {
-		let httpClient = app[SSRF_HTTPCLIENT];
-		if (!httpClient) httpClient = app[SSRF_HTTPCLIENT] = app.createHttpClient({ checkAddress: ssrfConfig.checkAddress });
-		return await httpClient.request(url, options);
-	}
-	return await app.curl(url, options);
-}
-
-//#endregion
-export { safeCurlForApplication };

package/dist/safe_curl-mqZZv_YQ.d.ts

@@ -1,20 +0,0 @@
-import { SSRFCheckAddressFunction } from "./config.default-D8v08Vox.js";
-import * as egg0 from "egg";
-import { EggApplicationCore } from "egg";
-
-//#region src/lib/extend/safe_curl.d.ts
-type HttpClient = EggApplicationCore['HttpClient'];
-type HttpClientParameters = Parameters<HttpClient['prototype']['request']>;
-type HttpClientRequestURL = HttpClientParameters[0];
-type HttpClientOptions = HttpClientParameters[1] & {
-  checkAddress?: SSRFCheckAddressFunction;
-};
-type HttpClientResponse<T = any> = Awaited<ReturnType<HttpClient['prototype']['request']>> & {
-  data: T;
-};
-/**
- * safe curl with ssrf protection
- */
-declare function safeCurlForApplication<T = any>(app: EggApplicationCore, url: HttpClientRequestURL, options?: HttpClientOptions): Promise<egg0.HttpClientResponse<T>>;
-//#endregion
-export { HttpClientOptions, HttpClientRequestURL, HttpClientResponse, safeCurlForApplication };

package/dist/shtml-CAquTzgV.d.ts

@@ -1,6 +0,0 @@
-import { BaseContextClass } from "egg";
-
-//#region src/lib/helper/shtml.d.ts
-declare function shtml(this: BaseContextClass, val: string): string;
-//#endregion
-export { shtml };

package/dist/shtml-CgF4kOx-.js

@@ -1,53 +0,0 @@
-import { getFromUrl, isSafeDomain } from "./utils-Cajs5P8M.js";
-import xss from "xss";
-
-//#region src/lib/helper/shtml.ts
-const BUILD_IN_ON_TAG_ATTR = Symbol("buildInOnTagAttr");
-function shtml(val) {
-	if (typeof val !== "string") return val;
-	const securityOptions = this.ctx.securityOptions;
-	const shtmlConfig = {
-		...this.app.config.helper.shtml,
-		...securityOptions.shtml,
-		[BUILD_IN_ON_TAG_ATTR]: void 0
-	};
-	const domainWhiteList = this.app.config.security.domainWhiteList;
-	const app = this.app;
-	if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
-		shtmlConfig[BUILD_IN_ON_TAG_ATTR] = (_tag, name, value, isWhiteAttr) => {
-			if (isWhiteAttr && (name === "href" || name === "src")) {
-				if (!value) return;
-				value = String(value);
-				if (value[0] === "/" || value[0] === "#") return;
-				const hostname = getFromUrl(value, "hostname");
-				if (!hostname) return;
-				if (!isSafeDomain(hostname, domainWhiteList)) if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length > 0) {
-					app.deprecate("[@eggjs/security/lib/helper/shtml] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.");
-					if (!isSafeDomain(hostname, shtmlConfig.domainWhiteList)) return "";
-				} else return "";
-			}
-		};
-		if (shtmlConfig.onTagAttr) {
-			const customOnTagAttrHandler = shtmlConfig.onTagAttr;
-			shtmlConfig.onTagAttr = function(tag, name, value, isWhiteAttr) {
-				const result = customOnTagAttrHandler.apply(this, [
-					tag,
-					name,
-					value,
-					isWhiteAttr
-				]);
-				if (result !== void 0) return result;
-				return shtmlConfig[BUILD_IN_ON_TAG_ATTR].apply(this, [
-					tag,
-					name,
-					value,
-					isWhiteAttr
-				]);
-			};
-		} else shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
-	}
-	return xss(val, shtmlConfig);
-}
-
-//#endregion
-export { shtml };

package/dist/sjs-Cbmkk5xS.js

@@ -1,36 +0,0 @@
-//#region src/lib/helper/sjs.ts
-/**
-* Escape JavaScript to \xHH format
-*/
-const MATCH_VULNERABLE_REGEXP = /[\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]/;
-const BASIC_ALPHABETS = new Set("abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ".split(""));
-const map = {
-	"	": "\\t",
-	"\n": "\\n",
-	"\r": "\\r"
-};
-function escapeJavaScript(text) {
-	const str = "" + text;
-	const match = MATCH_VULNERABLE_REGEXP.exec(str);
-	if (!match) return str;
-	let res = "";
-	let index = 0;
-	let lastIndex = 0;
-	let ascii;
-	for (index = match.index; index < str.length; index++) {
-		ascii = str[index];
-		if (BASIC_ALPHABETS.has(ascii)) continue;
-		else if (map[ascii] === void 0) {
-			const code = ascii.charCodeAt(0);
-			if (code > 127) continue;
-			else map[ascii] = "\\x" + code.toString(16);
-		}
-		if (lastIndex !== index) res += str.substring(lastIndex, index);
-		lastIndex = index + 1;
-		res += map[ascii];
-	}
-	return lastIndex !== index ? res + str.substring(lastIndex, index) : res;
-}
-
-//#endregion
-export { escapeJavaScript };

package/dist/sjs-QZIJYS71.d.ts

@@ -1,7 +0,0 @@
-//#region src/lib/helper/sjs.d.ts
-/**
- * Escape JavaScript to \xHH format
- */
-declare function escapeJavaScript(text: string): string;
-//#endregion
-export { escapeJavaScript };

package/dist/sjson-BetFnVR6.js

@@ -1,32 +0,0 @@
-import { escapeJavaScript } from "./sjs-Cbmkk5xS.js";
-
-//#region src/lib/helper/sjson.ts
-/**
-* escape json
-* for output json in script
-*/
-function sanitizeKey(obj) {
-	if (typeof obj !== "object") return obj;
-	if (Array.isArray(obj)) return obj;
-	if (obj === null) return null;
-	if (typeof obj === "boolean") return obj;
-	if (typeof obj === "number") return obj;
-	if (Buffer.isBuffer(obj)) return obj.toString();
-	for (const k in obj) {
-		const escapedK = escapeJavaScript(k);
-		if (escapedK !== k) {
-			obj[escapedK] = sanitizeKey(obj[k]);
-			obj[k] = void 0;
-		} else obj[k] = sanitizeKey(obj[k]);
-	}
-	return obj;
-}
-function jsonEscape(obj) {
-	return JSON.stringify(sanitizeKey(obj), (_k, v) => {
-		if (typeof v === "string") return escapeJavaScript(v);
-		return v;
-	});
-}
-
-//#endregion
-export { jsonEscape };

package/dist/sjson-O-vKJPws.d.ts

@@ -1,4 +0,0 @@
-//#region src/lib/helper/sjson.d.ts
-declare function jsonEscape(obj: any): string;
-//#endregion
-export { jsonEscape };

package/dist/spath-Bu9sy6Kz.js

@@ -1,16 +0,0 @@
-//#region src/lib/helper/spath.ts
-function pathFilter(path) {
-	if (typeof path !== "string") return path;
-	const pathSource = path;
-	while (path.indexOf("%") !== -1) try {
-		path = decodeURIComponent(path);
-	} catch {
-		if (process.env.NODE_ENV !== "production") this.ctx.coreLogger.warn("[@eggjs/security/lib/helper/spath] : decode file path %j failed.", path);
-		break;
-	}
-	if (path.indexOf("..") !== -1 || path[0] === "/") return null;
-	return pathSource;
-}
-
-//#endregion
-export { pathFilter };

package/dist/spath-DseDPHxf.d.ts

@@ -1,7 +0,0 @@
-import { BaseContextClass } from "egg";
-
-//#region src/lib/helper/spath.d.ts
-
-declare function pathFilter(this: BaseContextClass, path: string): string | null;
-//#endregion
-export { pathFilter };

package/dist/surl-ClleTea7.js

@@ -1,25 +0,0 @@
-//#region src/lib/helper/surl.ts
-const escapeMap = {
-	"\"": """,
-	"<": "&lt;",
-	">": "&gt;",
-	"'": "&#x27;"
-};
-function surl(val) {
-	const protocolWhiteListSet = this.app.config.security.__protocolWhiteListSet;
-	if (typeof val !== "string") return val;
-	if (val[0] !== "/") {
-		const arr = val.split("://", 2);
-		const protocol = arr.length > 1 ? arr[0].toLowerCase() : "";
-		if (protocol === "" || !protocolWhiteListSet.has(protocol)) {
-			if (this.app.config.env === "local") this.ctx.coreLogger.warn("[@eggjs/security/surl] url: %j, protocol: %j, protocol is empty or not in white list, convert to empty string", val, protocol);
-			return "";
-		}
-	}
-	return val.replace(/["'<>]/g, (ch) => {
-		return escapeMap[ch];
-	});
-}
-
-//#endregion
-export { surl };

package/dist/surl-JV70X_RZ.d.ts

@@ -1,6 +0,0 @@
-import { BaseContextClass } from "egg";
-
-//#region src/lib/helper/surl.d.ts
-declare function surl(this: BaseContextClass, val: string): string;
-//#endregion
-export { surl };

package/dist/types-BZR2U30p.d.ts

@@ -1,38 +0,0 @@
-import { SecurityConfig, SecurityHelperConfig } from "./config.default-D8v08Vox.js";
-import { HttpClientOptions, HttpClientRequestURL, HttpClientResponse } from "./safe_curl-mqZZv_YQ.js";
-
-//#region src/types.d.ts
-declare module 'egg' {
-  interface EggAppConfig {
-    /**
-     * security options
-     * @member Config#security
-     */
-    security: SecurityConfig;
-    helper: SecurityHelperConfig;
-  }
-  interface Agent {
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-  }
-  interface Application {
-    injectCsrf(html: string): string;
-    injectNonce(html: string): string;
-    injectHijackingDefense(html: string): string;
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-  }
-  interface Context {
-    get securityOptions(): Partial<SecurityConfig & SecurityHelperConfig>;
-    isSafeDomain(domain: string, customWhiteList?: string[]): boolean;
-    get nonce(): string;
-    get csrf(): string;
-    ensureCsrfSecret(rotate?: boolean): void;
-    rotateCsrfSecret(): void;
-    assertCsrf(): void;
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-    unsafeRedirect(url: string, alt?: string): void;
-  }
-  interface Response {
-    unsafeRedirect(url: string, alt?: string): void;
-    redirect(url: string, alt?: string): void;
-  }
-}

package/dist/types-DnJpiSJb.js

@@ -1 +0,0 @@
-export {  };

package/dist/utils-Cajs5P8M.js

@@ -1,127 +0,0 @@
-import { normalize } from "node:path";
-import matcher from "matcher";
-import IP from "@eggjs/ip";
-
-//#region src/lib/utils.ts
-/**
-* Check whether a domain is in the safe domain white list or not.
-* @param {String} domain The inputted domain.
-* @param {Array<string>} whiteList The white list for domain.
-* @return {Boolean} If the `domain` is in the white list, return true; otherwise false.
-*/
-function isSafeDomain(domain, whiteList) {
-	if (typeof domain !== "string") return false;
-	domain = domain.toLowerCase();
-	const hostname = "." + domain;
-	return whiteList.some((rule) => {
-		if (rule.includes("*")) return matcher.isMatch(domain, rule);
-		if (domain === rule) return true;
-		if (!rule.startsWith(".")) rule = `.${rule}`;
-		return hostname.endsWith(rule);
-	});
-}
-function isSafePath(path, ctx) {
-	path = "." + path;
-	if (path.includes("%")) try {
-		path = decodeURIComponent(path);
-	} catch {
-		if (ctx.app.config.env === "local" || ctx.app.config.env === "unittest") ctx.coreLogger.warn("[@eggjs/security: dta global block] : decode file path %j failed.", path);
-	}
-	const normalizePath = normalize(path);
-	return !(normalizePath.startsWith("../") || normalizePath.startsWith("..\\"));
-}
-function checkIfIgnore(opts, ctx) {
-	if (!opts.enable) return true;
-	return !opts.matching?.(ctx);
-}
-const IP_RE = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
-const topDomains = {};
-[
-	".net.cn",
-	".gov.cn",
-	".org.cn",
-	".com.cn"
-].forEach((item) => {
-	topDomains[item] = 2 - item.split(".").length;
-});
-function getCookieDomain(hostname) {
-	if (IP_RE.test(hostname)) return hostname;
-	const splits = hostname.split(".");
-	let index = -2;
-	if (splits.length >= 4 && splits[splits.length - 3] === "test") index = -3;
-	let domain = getDomain(splits, index);
-	if (topDomains[domain]) domain = getDomain(splits, index + topDomains[domain]);
-	return domain;
-}
-function getDomain(splits, index) {
-	return "." + splits.slice(index).join(".");
-}
-function merge(origin, opts) {
-	if (!opts) return origin;
-	const res = {};
-	const originKeys = Object.keys(origin);
-	for (let i = 0; i < originKeys.length; i++) {
-		const key = originKeys[i];
-		res[key] = origin[key];
-	}
-	const keys = Object.keys(opts);
-	for (let i = 0; i < keys.length; i++) {
-		const key = keys[i];
-		res[key] = opts[key];
-	}
-	return res;
-}
-function preprocessConfig(config) {
-	const ssrf = config.ssrf;
-	if (ssrf && ssrf.ipBlackList && !ssrf.checkAddress) {
-		const blackList = ssrf.ipBlackList.map(getContains);
-		const exceptionList = (ssrf.ipExceptionList || []).map(getContains);
-		const hostnameExceptionList = ssrf.hostnameExceptionList;
-		ssrf.checkAddress = (ipAddresses, _family, hostname) => {
-			if (hostname && hostnameExceptionList) {
-				if (hostnameExceptionList.includes(hostname)) return true;
-			}
-			if (!Array.isArray(ipAddresses)) ipAddresses = [ipAddresses];
-			for (const ipAddress of ipAddresses) {
-				let address;
-				if (typeof ipAddress === "string") address = ipAddress;
-				else {
-					if (ipAddress.family === 6) continue;
-					address = ipAddress.address;
-				}
-				for (const exception of exceptionList) if (exception(address)) return true;
-				for (const contains of blackList) if (contains(address)) return false;
-			}
-			return true;
-		};
-	}
-	config.domainWhiteList = config.domainWhiteList || [];
-	config.domainWhiteList = config.domainWhiteList.map((domain) => domain.toLowerCase());
-	config.protocolWhiteList = config.protocolWhiteList || [];
-	config.protocolWhiteList = config.protocolWhiteList.map((protocol) => protocol.toLowerCase());
-	if (config.csrf && config.csrf.refererWhiteList) config.csrf.refererWhiteList = config.csrf.refererWhiteList.map((ref) => ref.toLowerCase());
-	const protocolWhiteListSet = new Set(config.protocolWhiteList);
-	protocolWhiteListSet.add("http");
-	protocolWhiteListSet.add("https");
-	protocolWhiteListSet.add("file");
-	protocolWhiteListSet.add("data");
-	Object.defineProperty(config, "__protocolWhiteListSet", {
-		value: protocolWhiteListSet,
-		enumerable: false
-	});
-}
-function getFromUrl(url, prop) {
-	try {
-		const parsed = new URL(url);
-		return Reflect.get(parsed, prop);
-	} catch {
-		return null;
-	}
-}
-function getContains(ip) {
-	if (IP.isV4Format(ip) || IP.isV6Format(ip)) return (address) => address === ip;
-	return IP.cidrSubnet(ip).contains;
-}
-
-//#endregion
-export { checkIfIgnore, getCookieDomain, getFromUrl, isSafeDomain, isSafePath, merge, preprocessConfig };

package/dist/xframe-q9fEZkVI.js

@@ -1,18 +0,0 @@
-import { checkIfIgnore } from "./utils-Cajs5P8M.js";
-
-//#region src/lib/middlewares/xframe.ts
-var xframe_default = (options) => {
-	return async function xframe(ctx, next) {
-		await next();
-		const opts = {
-			...options,
-			...ctx.securityOptions.xframe
-		};
-		if (checkIfIgnore(opts, ctx)) return;
-		const value = opts.value || "SAMEORIGIN";
-		ctx.set("x-frame-options", value);
-	};
-};
-
-//#endregion
-export { xframe_default };

package/dist/xssProtection-D5QsHX-e.js

@@ -1,17 +0,0 @@
-import { checkIfIgnore } from "./utils-Cajs5P8M.js";
-
-//#region src/lib/middlewares/xssProtection.ts
-var xssProtection_default = (options) => {
-	return async function xssProtection(ctx, next) {
-		await next();
-		const opts = {
-			...options,
-			...ctx.securityOptions.xssProtection
-		};
-		if (checkIfIgnore(opts, ctx)) return;
-		ctx.set("x-xss-protection", opts.value);
-	};
-};
-
-//#endregion
-export { xssProtection_default };