@eggjs/security 5.0.0-beta.20 → 5.0.0-beta.21

package/dist/lib/helper/shtml.d.ts

@@ -1,2 +1,2 @@
-import { shtml } from "../../shtml-CAquTzgV.js";
-export { shtml as default };
+import type { BaseContextClass } from 'egg';
+export default function shtml(this: BaseContextClass, val: string): string;

package/dist/lib/helper/shtml.js

@@ -1,4 +1,69 @@
-import "../../utils-Cajs5P8M.js";
-import { shtml } from "../../shtml-CgF4kOx-.js";
-
-export { shtml as default };
+import xss from 'xss';
+import { isSafeDomain, getFromUrl } from "../utils.js";
+const BUILD_IN_ON_TAG_ATTR = Symbol('buildInOnTagAttr');
+// default rule: https://github.com/leizongmin/js-xss/blob/master/lib/default.js
+// add domain filter based on xss module
+// custom options http://jsxss.com/zh/options.html
+// eg: support a tag，filter attributes except for title : whiteList: {a: ['title']}
+export default function shtml(val) {
+    if (typeof val !== 'string') {
+        return val;
+    }
+    const securityOptions = this.ctx.securityOptions;
+    const shtmlConfig = {
+        ...this.app.config.helper.shtml,
+        ...securityOptions.shtml,
+        [BUILD_IN_ON_TAG_ATTR]: undefined,
+    };
+    const domainWhiteList = this.app.config.security.domainWhiteList;
+    const app = this.app;
+    // filter href and src attribute if not in domain white list
+    if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
+        shtmlConfig[BUILD_IN_ON_TAG_ATTR] = (_tag, name, value, isWhiteAttr) => {
+            if (isWhiteAttr && (name === 'href' || name === 'src')) {
+                if (!value) {
+                    return;
+                }
+                value = String(value);
+                if (value[0] === '/' || value[0] === '#') {
+                    return;
+                }
+                const hostname = getFromUrl(value, 'hostname');
+                if (!hostname) {
+                    return;
+                }
+                // If we don't have our hostname in the app.security.domainWhiteList,
+                // Just check for `shtmlConfig.domainWhiteList` and `ctx.whiteList`.
+                if (!isSafeDomain(hostname, domainWhiteList)) {
+                    // Check for `shtmlConfig.domainWhiteList` first (duplicated now)
+                    if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length > 0) {
+                        app.deprecate('[@eggjs/security/lib/helper/shtml] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.');
+                        if (!isSafeDomain(hostname, shtmlConfig.domainWhiteList)) {
+                            return '';
+                        }
+                    }
+                    else {
+                        return '';
+                    }
+                }
+            }
+        };
+        // avoid overriding user configuration 'onTagAttr'
+        if (shtmlConfig.onTagAttr) {
+            const customOnTagAttrHandler = shtmlConfig.onTagAttr;
+            shtmlConfig.onTagAttr = function (tag, name, value, isWhiteAttr) {
+                const result = customOnTagAttrHandler.apply(this, [tag, name, value, isWhiteAttr]);
+                if (result !== undefined) {
+                    return result;
+                }
+                // fallback to build-in handler
+                return shtmlConfig[BUILD_IN_ON_TAG_ATTR].apply(this, [tag, name, value, isWhiteAttr]);
+            };
+        }
+        else {
+            shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
+        }
+    }
+    return xss(val, shtmlConfig);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2h0bWwuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zaHRtbC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFDQSxPQUFPLEdBQUcsTUFBTSxLQUFLLENBQUM7QUFFdEIsT0FBTyxFQUFFLFlBQVksRUFBRSxVQUFVLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFHdkQsTUFBTSxvQkFBb0IsR0FBRyxNQUFNLENBQUMsa0JBQWtCLENBQUMsQ0FBQztBQUV4RCxnRkFBZ0Y7QUFDaEYsd0NBQXdDO0FBQ3hDLGtEQUFrRDtBQUNsRCxtRkFBbUY7QUFDbkYsTUFBTSxDQUFDLE9BQU8sVUFBVSxLQUFLLENBQXlCLEdBQVc7SUFDL0QsSUFBSSxPQUFPLEdBQUcsS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUM1QixPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUM7SUFFRCxNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLGVBQWUsQ0FBQztJQUNqRCxNQUFNLFdBQVcsR0FBRztRQUNsQixHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxLQUFLO1FBQy9CLEdBQUcsZUFBZSxDQUFDLEtBQUs7UUFDeEIsQ0FBQyxvQkFBb0IsQ0FBQyxFQUFFLFNBQXVEO0tBQ2hGLENBQUM7SUFDRixNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsZUFBZSxDQUFDO0lBQ2pFLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUM7SUFDckIsNERBQTREO0lBQzVELElBQUksQ0FBQyxXQUFXLENBQUMsb0JBQW9CLENBQUMsRUFBRSxDQUFDO1FBQ3ZDLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBQyxHQUFHLENBQUMsSUFBSSxFQUFFLElBQUksRUFBRSxLQUFLLEVBQUUsV0FBVyxFQUFFLEVBQUU7WUFDckUsSUFBSSxXQUFXLElBQUksQ0FBQyxJQUFJLEtBQUssTUFBTSxJQUFJLElBQUksS0FBSyxLQUFLLENBQUMsRUFBRSxDQUFDO2dCQUN2RCxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7b0JBQ1gsT0FBTztnQkFDVCxDQUFDO2dCQUVELEtBQUssR0FBRyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUM7Z0JBQ3RCLElBQUksS0FBSyxDQUFDLENBQUMsQ0FBQyxLQUFLLEdBQUcsSUFBSSxLQUFLLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxFQUFFLENBQUM7b0JBQ3pDLE9BQU87Z0JBQ1QsQ0FBQztnQkFFRCxNQUFNLFFBQVEsR0FBRyxVQUFVLENBQUMsS0FBSyxFQUFFLFVBQVUsQ0FBQyxDQUFDO2dCQUMvQyxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7b0JBQ2QsT0FBTztnQkFDVCxDQUFDO2dCQUVELHFFQUFxRTtnQkFDckUsb0VBQW9FO2dCQUNwRSxJQUFJLENBQUMsWUFBWSxDQUFDLFFBQVEsRUFBRSxlQUFlLENBQUMsRUFBRSxDQUFDO29CQUM3QyxpRUFBaUU7b0JBQ2pFLElBQUksV0FBVyxDQUFDLGVBQWUsSUFBSSxXQUFXLENBQUMsZUFBZSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQzt3QkFDMUUsR0FBRyxDQUFDLFNBQVMsQ0FDWCxvSkFBb0osQ0FDckosQ0FBQzt3QkFDRixJQUFJLENBQUMsWUFBWSxDQUFDLFFBQVEsRUFBRSxXQUFXLENBQUMsZUFBZSxDQUFDLEVBQUUsQ0FBQzs0QkFDekQsT0FBTyxFQUFFLENBQUM7d0JBQ1osQ0FBQztvQkFDSCxDQUFDO3lCQUFNLENBQUM7d0JBQ04sT0FBTyxFQUFFLENBQUM7b0JBQ1osQ0FBQztnQkFDSCxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUMsQ0FBQztRQUVGLGtEQUFrRDtRQUNsRCxJQUFJLFdBQVcsQ0FBQyxTQUFTLEVBQUUsQ0FBQztZQUMxQixNQUFNLHNCQUFzQixHQUFHLFdBQVcsQ0FBQyxTQUFTLENBQUM7WUFDckQsV0FBVyxDQUFDLFNBQVMsR0FBRyxVQUFVLEdBQUcsRUFBRSxJQUFJLEVBQUUsS0FBSyxFQUFFLFdBQVc7Z0JBQzdELE1BQU0sTUFBTSxHQUFHLHNCQUFzQixDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUUsQ0FBQyxHQUFHLEVBQUUsSUFBSSxFQUFFLEtBQUssRUFBRSxXQUFXLENBQUMsQ0FBQyxDQUFDO2dCQUNuRixJQUFJLE1BQU0sS0FBSyxTQUFTLEVBQUUsQ0FBQztvQkFDekIsT0FBTyxNQUFNLENBQUM7Z0JBQ2hCLENBQUM7Z0JBQ0QsK0JBQStCO2dCQUMvQixPQUFPLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBRSxDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUUsQ0FBQyxHQUFHLEVBQUUsSUFBSSxFQUFFLEtBQUssRUFBRSxXQUFXLENBQUMsQ0FBQyxDQUFDO1lBQ3pGLENBQUMsQ0FBQztRQUNKLENBQUM7YUFBTSxDQUFDO1lBQ04sV0FBVyxDQUFDLFNBQVMsR0FBRyxXQUFXLENBQUMsb0JBQW9CLENBQUMsQ0FBQztRQUM1RCxDQUFDO0lBQ0gsQ0FBQztJQUVELE9BQU8sR0FBRyxDQUFDLEdBQUcsRUFBRSxXQUFXLENBQUMsQ0FBQztBQUMvQixDQUFDIn0=

package/dist/lib/helper/sjs.d.ts

@@ -1,2 +1,4 @@
-import { escapeJavaScript } from "../../sjs-QZIJYS71.js";
-export { escapeJavaScript as default };
+/**
+ * Escape JavaScript to \xHH format
+ */
+export default function escapeJavaScript(text: string): string;

package/dist/lib/helper/sjs.js

@@ -1,3 +1,49 @@
-import { escapeJavaScript } from "../../sjs-Cbmkk5xS.js";
-
-export { escapeJavaScript as default };
+/**
+ * Escape JavaScript to \xHH format
+ */
+// escape \x00-\x7f
+// except 0-9,A-Z,a-z(\x2f-\x3a \x40-\x5b \x60-\x7b)
+// eslint-disable-next-line
+const MATCH_VULNERABLE_REGEXP = /[\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]/;
+// eslint-enable-next-line
+const BASIC_ALPHABETS = new Set('abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'.split(''));
+const map = {
+    '\t': '\\t',
+    '\n': '\\n',
+    '\r': '\\r',
+};
+export default function escapeJavaScript(text) {
+    const str = '' + text;
+    const match = MATCH_VULNERABLE_REGEXP.exec(str);
+    if (!match) {
+        return str;
+    }
+    let res = '';
+    let index = 0;
+    let lastIndex = 0;
+    let ascii;
+    for (index = match.index; index < str.length; index++) {
+        ascii = str[index];
+        if (BASIC_ALPHABETS.has(ascii)) {
+            continue;
+        }
+        else {
+            if (map[ascii] === undefined) {
+                const code = ascii.charCodeAt(0);
+                if (code > 127) {
+                    continue;
+                }
+                else {
+                    map[ascii] = '\\x' + code.toString(16);
+                }
+            }
+        }
+        if (lastIndex !== index) {
+            res += str.substring(lastIndex, index);
+        }
+        lastIndex = index + 1;
+        res += map[ascii];
+    }
+    return lastIndex !== index ? res + str.substring(lastIndex, index) : res;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2pzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvc2pzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBRUgsbUJBQW1CO0FBQ25CLG9EQUFvRDtBQUVwRCwyQkFBMkI7QUFDM0IsTUFBTSx1QkFBdUIsR0FBRyx3Q0FBd0MsQ0FBQztBQUN6RSwwQkFBMEI7QUFFMUIsTUFBTSxlQUFlLEdBQUcsSUFBSSxHQUFHLENBQUMsZ0VBQWdFLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7QUFFNUcsTUFBTSxHQUFHLEdBQTJCO0lBQ2xDLElBQUksRUFBRSxLQUFLO0lBQ1gsSUFBSSxFQUFFLEtBQUs7SUFDWCxJQUFJLEVBQUUsS0FBSztDQUNaLENBQUM7QUFFRixNQUFNLENBQUMsT0FBTyxVQUFVLGdCQUFnQixDQUFDLElBQVk7SUFDbkQsTUFBTSxHQUFHLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQztJQUN0QixNQUFNLEtBQUssR0FBRyx1QkFBdUIsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7SUFFaEQsSUFBSSxDQUFDLEtBQUssRUFBRSxDQUFDO1FBQ1gsT0FBTyxHQUFHLENBQUM7SUFDYixDQUFDO0lBRUQsSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO0lBQ2IsSUFBSSxLQUFLLEdBQUcsQ0FBQyxDQUFDO0lBQ2QsSUFBSSxTQUFTLEdBQUcsQ0FBQyxDQUFDO0lBQ2xCLElBQUksS0FBSyxDQUFDO0lBRVYsS0FBSyxLQUFLLEdBQUcsS0FBSyxDQUFDLEtBQUssRUFBRSxLQUFLLEdBQUcsR0FBRyxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsRUFBRSxDQUFDO1FBQ3RELEtBQUssR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDbkIsSUFBSSxlQUFlLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDL0IsU0FBUztRQUNYLENBQUM7YUFBTSxDQUFDO1lBQ04sSUFBSSxHQUFHLENBQUMsS0FBSyxDQUFDLEtBQUssU0FBUyxFQUFFLENBQUM7Z0JBQzdCLE1BQU0sSUFBSSxHQUFHLEtBQUssQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBQ2pDLElBQUksSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO29CQUNmLFNBQVM7Z0JBQ1gsQ0FBQztxQkFBTSxDQUFDO29CQUNOLEdBQUcsQ0FBQyxLQUFLLENBQUMsR0FBRyxLQUFLLEdBQUcsSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUMsQ0FBQztnQkFDekMsQ0FBQztZQUNILENBQUM7UUFDSCxDQUFDO1FBRUQsSUFBSSxTQUFTLEtBQUssS0FBSyxFQUFFLENBQUM7WUFDeEIsR0FBRyxJQUFJLEdBQUcsQ0FBQyxTQUFTLENBQUMsU0FBUyxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBQ3pDLENBQUM7UUFFRCxTQUFTLEdBQUcsS0FBSyxHQUFHLENBQUMsQ0FBQztRQUN0QixHQUFHLElBQUksR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQ3BCLENBQUM7SUFFRCxPQUFPLFNBQVMsS0FBSyxLQUFLLENBQUMsQ0FBQyxDQUFDLEdBQUcsR0FBRyxHQUFHLENBQUMsU0FBUyxDQUFDLFNBQVMsRUFBRSxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDO0FBQzNFLENBQUMifQ==

package/dist/lib/helper/sjson.d.ts

@@ -1,2 +1 @@
-import { jsonEscape } from "../../sjson-O-vKJPws.js";
-export { jsonEscape as default };
+export default function jsonEscape(obj: any): string;

package/dist/lib/helper/sjson.js

@@ -1,4 +1,39 @@
-import "../../sjs-Cbmkk5xS.js";
-import { jsonEscape } from "../../sjson-BetFnVR6.js";
-
-export { jsonEscape as default };
+import sjs from "./sjs.js";
+/**
+ * escape json
+ * for output json in script
+ */
+function sanitizeKey(obj) {
+    if (typeof obj !== 'object')
+        return obj;
+    if (Array.isArray(obj))
+        return obj;
+    if (obj === null)
+        return null;
+    if (typeof obj === 'boolean')
+        return obj;
+    if (typeof obj === 'number')
+        return obj;
+    if (Buffer.isBuffer(obj))
+        return obj.toString();
+    for (const k in obj) {
+        const escapedK = sjs(k);
+        if (escapedK !== k) {
+            obj[escapedK] = sanitizeKey(obj[k]);
+            obj[k] = undefined;
+        }
+        else {
+            obj[k] = sanitizeKey(obj[k]);
+        }
+    }
+    return obj;
+}
+export default function jsonEscape(obj) {
+    return JSON.stringify(sanitizeKey(obj), (_k, v) => {
+        if (typeof v === 'string') {
+            return sjs(v);
+        }
+        return v;
+    });
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2pzb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zanNvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEdBQUcsTUFBTSxVQUFVLENBQUM7QUFFM0I7OztHQUdHO0FBRUgsU0FBUyxXQUFXLENBQUMsR0FBUTtJQUMzQixJQUFJLE9BQU8sR0FBRyxLQUFLLFFBQVE7UUFBRSxPQUFPLEdBQUcsQ0FBQztJQUN4QyxJQUFJLEtBQUssQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDO1FBQUUsT0FBTyxHQUFHLENBQUM7SUFDbkMsSUFBSSxHQUFHLEtBQUssSUFBSTtRQUFFLE9BQU8sSUFBSSxDQUFDO0lBQzlCLElBQUksT0FBTyxHQUFHLEtBQUssU0FBUztRQUFFLE9BQU8sR0FBRyxDQUFDO0lBQ3pDLElBQUksT0FBTyxHQUFHLEtBQUssUUFBUTtRQUFFLE9BQU8sR0FBRyxDQUFDO0lBQ3hDLElBQUksTUFBTSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUM7UUFBRSxPQUFPLEdBQUcsQ0FBQyxRQUFRLEVBQUUsQ0FBQztJQUVoRCxLQUFLLE1BQU0sQ0FBQyxJQUFJLEdBQUcsRUFBRSxDQUFDO1FBQ3BCLE1BQU0sUUFBUSxHQUFHLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUN4QixJQUFJLFFBQVEsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUNuQixHQUFHLENBQUMsUUFBUSxDQUFDLEdBQUcsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ3BDLEdBQUcsQ0FBQyxDQUFDLENBQUMsR0FBRyxTQUFTLENBQUM7UUFDckIsQ0FBQzthQUFNLENBQUM7WUFDTixHQUFHLENBQUMsQ0FBQyxDQUFDLEdBQUcsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQy9CLENBQUM7SUFDSCxDQUFDO0lBQ0QsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDO0FBRUQsTUFBTSxDQUFDLE9BQU8sVUFBVSxVQUFVLENBQUMsR0FBUTtJQUN6QyxPQUFPLElBQUksQ0FBQyxTQUFTLENBQUMsV0FBVyxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUMsRUFBRSxFQUFFO1FBQ2hELElBQUksT0FBTyxDQUFDLEtBQUssUUFBUSxFQUFFLENBQUM7WUFDMUIsT0FBTyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDaEIsQ0FBQztRQUNELE9BQU8sQ0FBQyxDQUFDO0lBQ1gsQ0FBQyxDQUFDLENBQUM7QUFDTCxDQUFDIn0=

package/dist/lib/helper/spath.d.ts

@@ -1,2 +1,5 @@
-import { pathFilter } from "../../spath-DseDPHxf.js";
-export { pathFilter as default };
+/**
+ * File Inclusion
+ */
+import type { BaseContextClass } from 'egg';
+export default function pathFilter(this: BaseContextClass, path: string): string | null;

package/dist/lib/helper/spath.js

@@ -1,3 +1,25 @@
-import { pathFilter } from "../../spath-Bu9sy6Kz.js";
-
-export { pathFilter as default };
+/**
+ * File Inclusion
+ */
+export default function pathFilter(path) {
+    if (typeof path !== 'string')
+        return path;
+    const pathSource = path;
+    while (path.indexOf('%') !== -1) {
+        try {
+            path = decodeURIComponent(path);
+        }
+        catch {
+            if (process.env.NODE_ENV !== 'production') {
+                // Not a PROD env, logging with a warning.
+                this.ctx.coreLogger.warn('[@eggjs/security/lib/helper/spath] : decode file path %j failed.', path);
+            }
+            break;
+        }
+    }
+    if (path.indexOf('..') !== -1 || path[0] === '/') {
+        return null;
+    }
+    return pathSource;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic3BhdGguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zcGF0aC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQTs7R0FFRztBQUlILE1BQU0sQ0FBQyxPQUFPLFVBQVUsVUFBVSxDQUF5QixJQUFZO0lBQ3JFLElBQUksT0FBTyxJQUFJLEtBQUssUUFBUTtRQUFFLE9BQU8sSUFBSSxDQUFDO0lBRTFDLE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQztJQUV4QixPQUFPLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQztRQUNoQyxJQUFJLENBQUM7WUFDSCxJQUFJLEdBQUcsa0JBQWtCLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDbEMsQ0FBQztRQUFDLE1BQU0sQ0FBQztZQUNQLElBQUksT0FBTyxDQUFDLEdBQUcsQ0FBQyxRQUFRLEtBQUssWUFBWSxFQUFFLENBQUM7Z0JBQzFDLDBDQUEwQztnQkFDMUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLGtFQUFrRSxFQUFFLElBQUksQ0FBQyxDQUFDO1lBQ3JHLENBQUM7WUFDRCxNQUFNO1FBQ1IsQ0FBQztJQUNILENBQUM7SUFDRCxJQUFJLElBQUksQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFDLElBQUksSUFBSSxDQUFDLENBQUMsQ0FBQyxLQUFLLEdBQUcsRUFBRSxDQUFDO1FBQ2pELE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUNELE9BQU8sVUFBVSxDQUFDO0FBQ3BCLENBQUMifQ==

package/dist/lib/helper/surl.d.ts

@@ -1,2 +1,2 @@
-import { surl } from "../../surl-JV70X_RZ.js";
-export { surl as default };
+import type { BaseContextClass } from 'egg';
+export default function surl(this: BaseContextClass, val: string): string;

package/dist/lib/helper/surl.js

@@ -1,3 +1,30 @@
-import { surl } from "../../surl-ClleTea7.js";
-
-export { surl as default };
+const escapeMap = {
+    '"': '"',
+    '<': '&lt;',
+    '>': '&gt;',
+    "'": '&#x27;',
+};
+export default function surl(val) {
+    // Just get the converted the protocolWhiteList in `Set` mode,
+    // Avoid conversions in `foreach`
+    const protocolWhiteListSet = this.app.config.security.__protocolWhiteListSet;
+    if (typeof val !== 'string') {
+        return val;
+    }
+    // only test on absolute path
+    if (val[0] !== '/') {
+        const arr = val.split('://', 2);
+        const protocol = arr.length > 1 ? arr[0].toLowerCase() : '';
+        if (protocol === '' || !protocolWhiteListSet.has(protocol)) {
+            if (this.app.config.env === 'local') {
+                this.ctx.coreLogger.warn('[@eggjs/security/surl] url: %j, protocol: %j, ' +
+                    'protocol is empty or not in white list, convert to empty string', val, protocol);
+            }
+            return '';
+        }
+    }
+    return val.replace(/["'<>]/g, ch => {
+        return escapeMap[ch];
+    });
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic3VybC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9saWIvaGVscGVyL3N1cmwudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBRUEsTUFBTSxTQUFTLEdBQTJCO0lBQ3hDLEdBQUcsRUFBRSxRQUFRO0lBQ2IsR0FBRyxFQUFFLE1BQU07SUFDWCxHQUFHLEVBQUUsTUFBTTtJQUNYLEdBQUcsRUFBRSxRQUFRO0NBQ2QsQ0FBQztBQUVGLE1BQU0sQ0FBQyxPQUFPLFVBQVUsSUFBSSxDQUF5QixHQUFXO0lBQzlELDhEQUE4RDtJQUM5RCxpQ0FBaUM7SUFDakMsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsc0JBQXVCLENBQUM7SUFFOUUsSUFBSSxPQUFPLEdBQUcsS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUM1QixPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUM7SUFFRCw2QkFBNkI7SUFDN0IsSUFBSSxHQUFHLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxFQUFFLENBQUM7UUFDbkIsTUFBTSxHQUFHLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxLQUFLLEVBQUUsQ0FBQyxDQUFDLENBQUM7UUFDaEMsTUFBTSxRQUFRLEdBQUcsR0FBRyxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDO1FBQzVELElBQUksUUFBUSxLQUFLLEVBQUUsSUFBSSxDQUFDLG9CQUFvQixDQUFDLEdBQUcsQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO1lBQzNELElBQUksSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsR0FBRyxLQUFLLE9BQU8sRUFBRSxDQUFDO2dCQUNwQyxJQUFJLENBQUMsR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQ3RCLGdEQUFnRDtvQkFDOUMsaUVBQWlFLEVBQ25FLEdBQUcsRUFDSCxRQUFRLENBQ1QsQ0FBQztZQUNKLENBQUM7WUFDRCxPQUFPLEVBQUUsQ0FBQztRQUNaLENBQUM7SUFDSCxDQUFDO0lBRUQsT0FBTyxHQUFHLENBQUMsT0FBTyxDQUFDLFNBQVMsRUFBRSxFQUFFLENBQUMsRUFBRTtRQUNqQyxPQUFPLFNBQVMsQ0FBQyxFQUFFLENBQUMsQ0FBQztJQUN2QixDQUFDLENBQUMsQ0FBQztBQUNMLENBQUMifQ==

package/dist/lib/middlewares/csp.d.ts

@@ -1,7 +1,4 @@
-import { SecurityConfig } from "../../config.default-D8v08Vox.js";
-import { MiddlewareFunc } from "egg";
-
-//#region src/lib/middlewares/csp.d.ts
+import type { MiddlewareFunc } from 'egg';
+import type { SecurityConfig } from '../../config/config.default.ts';
 declare const _default: (options: SecurityConfig["csp"]) => MiddlewareFunc;
-//#endregion
-export { _default as default };
+export default _default;

package/dist/lib/middlewares/csp.js

@@ -1,4 +1,57 @@
-import "../../utils-Cajs5P8M.js";
-import { csp_default } from "../../csp-BW5AJd_f.js";
-
-export { csp_default as default };
+import extend from 'extend';
+import { checkIfIgnore } from "../utils.js";
+const HEADER = ['x-content-security-policy', 'content-security-policy'];
+const REPORT_ONLY_HEADER = ['x-content-security-policy-report-only', 'content-security-policy-report-only'];
+// Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
+const MSIE_REGEXP = / MSIE /i;
+export default (options) => {
+    return async function csp(ctx, next) {
+        await next();
+        const opts = {
+            ...options,
+            ...ctx.securityOptions.csp,
+        };
+        if (checkIfIgnore(opts, ctx))
+            return;
+        let finalHeader;
+        const matchedOption = extend(true, {}, opts.policy);
+        const bufArray = [];
+        const headers = opts.reportOnly ? REPORT_ONLY_HEADER : HEADER;
+        if (opts.supportIE && MSIE_REGEXP.test(ctx.get('user-agent'))) {
+            finalHeader = headers[0];
+        }
+        else {
+            finalHeader = headers[1];
+        }
+        for (const key in matchedOption) {
+            const value = matchedOption[key];
+            // Other arrays are splitted into strings EXCEPT `sandbox`
+            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
+            if (key === 'sandbox' && value === true) {
+                bufArray.push(key);
+            }
+            else {
+                let values = (Array.isArray(value) ? value : [value]);
+                if (key === 'script-src') {
+                    const hasNonce = values.some(function (val) {
+                        return val.indexOf('nonce-') !== -1;
+                    });
+                    if (!hasNonce) {
+                        values.push("'nonce-" + ctx.nonce + "'");
+                    }
+                }
+                values = values.map(function (d) {
+                    if (d.startsWith('.')) {
+                        d = '*' + d;
+                    }
+                    return d;
+                });
+                bufArray.push(key + ' ' + values.join(' '));
+            }
+        }
+        const headerString = bufArray.join(';');
+        ctx.set(finalHeader, headerString);
+        ctx.set('x-csp-nonce', ctx.nonce);
+    };
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3NwLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2xpYi9taWRkbGV3YXJlcy9jc3AudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxNQUFNLE1BQU0sUUFBUSxDQUFDO0FBRzVCLE9BQU8sRUFBRSxhQUFhLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFHNUMsTUFBTSxNQUFNLEdBQUcsQ0FBQywyQkFBMkIsRUFBRSx5QkFBeUIsQ0FBQyxDQUFDO0FBQ3hFLE1BQU0sa0JBQWtCLEdBQUcsQ0FBQyx1Q0FBdUMsRUFBRSxxQ0FBcUMsQ0FBQyxDQUFDO0FBRTVHLHFEQUFxRDtBQUNyRCxNQUFNLFdBQVcsR0FBRyxTQUFTLENBQUM7QUFFOUIsZUFBZSxDQUFDLE9BQThCLEVBQWtCLEVBQUU7SUFDaEUsT0FBTyxLQUFLLFVBQVUsR0FBRyxDQUFDLEdBQUcsRUFBRSxJQUFJO1FBQ2pDLE1BQU0sSUFBSSxFQUFFLENBQUM7UUFFYixNQUFNLElBQUksR0FBRztZQUNYLEdBQUcsT0FBTztZQUNWLEdBQUcsR0FBRyxDQUFDLGVBQWUsQ0FBQyxHQUFHO1NBQzNCLENBQUM7UUFDRixJQUFJLGFBQWEsQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUFDO1lBQUUsT0FBTztRQUVyQyxJQUFJLFdBQVcsQ0FBQztRQUNoQixNQUFNLGFBQWEsR0FBRyxNQUFNLENBQUMsSUFBSSxFQUFFLEVBQUUsRUFBRSxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDcEQsTUFBTSxRQUFRLEdBQUcsRUFBRSxDQUFDO1FBRXBCLE1BQU0sT0FBTyxHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLGtCQUFrQixDQUFDLENBQUMsQ0FBQyxNQUFNLENBQUM7UUFDOUQsSUFBSSxJQUFJLENBQUMsU0FBUyxJQUFJLFdBQVcsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxZQUFZLENBQUMsQ0FBQyxFQUFFLENBQUM7WUFDOUQsV0FBVyxHQUFHLE9BQU8sQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUMzQixDQUFDO2FBQU0sQ0FBQztZQUNOLFdBQVcsR0FBRyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDM0IsQ0FBQztRQUVELEtBQUssTUFBTSxHQUFHLElBQUksYUFBYSxFQUFFLENBQUM7WUFDaEMsTUFBTSxLQUFLLEdBQUcsYUFBYSxDQUFDLEdBQUcsQ0FBQyxDQUFDO1lBQ2pDLDBEQUEwRDtZQUMxRCw0RkFBNEY7WUFDNUYsSUFBSSxHQUFHLEtBQUssU0FBUyxJQUFJLEtBQUssS0FBSyxJQUFJLEVBQUUsQ0FBQztnQkFDeEMsUUFBUSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQztZQUNyQixDQUFDO2lCQUFNLENBQUM7Z0JBQ04sSUFBSSxNQUFNLEdBQUcsQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQWEsQ0FBQztnQkFDbEUsSUFBSSxHQUFHLEtBQUssWUFBWSxFQUFFLENBQUM7b0JBQ3pCLE1BQU0sUUFBUSxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsVUFBVSxHQUFHO3dCQUN4QyxPQUFPLEdBQUcsQ0FBQyxPQUFPLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUM7b0JBQ3RDLENBQUMsQ0FBQyxDQUFDO29CQUVILElBQUksQ0FBQyxRQUFRLEVBQUUsQ0FBQzt3QkFDZCxNQUFNLENBQUMsSUFBSSxDQUFDLFNBQVMsR0FBRyxHQUFHLENBQUMsS0FBSyxHQUFHLEdBQUcsQ0FBQyxDQUFDO29CQUMzQyxDQUFDO2dCQUNILENBQUM7Z0JBRUQsTUFBTSxHQUFHLE1BQU0sQ0FBQyxHQUFHLENBQUMsVUFBVSxDQUFDO29CQUM3QixJQUFJLENBQUMsQ0FBQyxVQUFVLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQzt3QkFDdEIsQ0FBQyxHQUFHLEdBQUcsR0FBRyxDQUFDLENBQUM7b0JBQ2QsQ0FBQztvQkFDRCxPQUFPLENBQUMsQ0FBQztnQkFDWCxDQUFDLENBQUMsQ0FBQztnQkFDSCxRQUFRLENBQUMsSUFBSSxDQUFDLEdBQUcsR0FBRyxHQUFHLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO1lBQzlDLENBQUM7UUFDSCxDQUFDO1FBQ0QsTUFBTSxZQUFZLEdBQUcsUUFBUSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUN4QyxHQUFHLENBQUMsR0FBRyxDQUFDLFdBQVcsRUFBRSxZQUFZLENBQUMsQ0FBQztRQUNuQyxHQUFHLENBQUMsR0FBRyxDQUFDLGFBQWEsRUFBRSxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDcEMsQ0FBQyxDQUFDO0FBQ0osQ0FBQyxDQUFDIn0=

package/dist/lib/middlewares/csrf.d.ts

@@ -1,7 +1,4 @@
-import { SecurityConfig } from "../../config.default-D8v08Vox.js";
-import { MiddlewareFunc } from "egg";
-
-//#region src/lib/middlewares/csrf.d.ts
+import type { MiddlewareFunc } from 'egg';
+import type { SecurityConfig } from '../../config/config.default.ts';
 declare const _default: (options: SecurityConfig["csrf"]) => MiddlewareFunc;
-//#endregion
-export { _default as default };
+export default _default;

package/dist/lib/middlewares/csrf.js

@@ -1,4 +1,37 @@
-import "../../utils-Cajs5P8M.js";
-import { csrf_default } from "../../csrf-9aSLHiby.js";
-
-export { csrf_default as default };
+import { debuglog } from 'node:util';
+import typeis from 'type-is';
+import { checkIfIgnore } from "../utils.js";
+const debug = debuglog('egg/security/lib/middlewares/csrf');
+export default (options) => {
+    return function csrf(ctx, next) {
+        if (checkIfIgnore(options, ctx)) {
+            return next();
+        }
+        // ensure csrf token exists
+        if (['any', 'all', 'ctoken'].includes(options.type)) {
+            ctx.ensureCsrfSecret();
+        }
+        // supported requests
+        const method = ctx.method;
+        let isSupported = false;
+        for (const eachRule of options.supportedRequests) {
+            if (eachRule.path.test(ctx.path)) {
+                if (eachRule.methods.includes(method)) {
+                    isSupported = true;
+                    break;
+                }
+            }
+        }
+        if (!isSupported) {
+            return next();
+        }
+        if (options.ignoreJSON && typeis.is(ctx.get('content-type'), 'json')) {
+            return next();
+        }
+        const body = ctx.request.body;
+        debug('%s %s, got %j', ctx.method, ctx.url, body);
+        ctx.assertCsrf();
+        return next();
+    };
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3NyZi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMvY3NyZi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsUUFBUSxFQUFFLE1BQU0sV0FBVyxDQUFDO0FBR3JDLE9BQU8sTUFBTSxNQUFNLFNBQVMsQ0FBQztBQUU3QixPQUFPLEVBQUUsYUFBYSxFQUFFLE1BQU0sYUFBYSxDQUFDO0FBRzVDLE1BQU0sS0FBSyxHQUFHLFFBQVEsQ0FBQyxtQ0FBbUMsQ0FBQyxDQUFDO0FBRTVELGVBQWUsQ0FBQyxPQUErQixFQUFrQixFQUFFO0lBQ2pFLE9BQU8sU0FBUyxJQUFJLENBQUMsR0FBRyxFQUFFLElBQUk7UUFDNUIsSUFBSSxhQUFhLENBQUMsT0FBTyxFQUFFLEdBQUcsQ0FBQyxFQUFFLENBQUM7WUFDaEMsT0FBTyxJQUFJLEVBQUUsQ0FBQztRQUNoQixDQUFDO1FBRUQsMkJBQTJCO1FBQzNCLElBQUksQ0FBQyxLQUFLLEVBQUUsS0FBSyxFQUFFLFFBQVEsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztZQUNwRCxHQUFHLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztRQUN6QixDQUFDO1FBRUQscUJBQXFCO1FBQ3JCLE1BQU0sTUFBTSxHQUFHLEdBQUcsQ0FBQyxNQUFNLENBQUM7UUFDMUIsSUFBSSxXQUFXLEdBQUcsS0FBSyxDQUFDO1FBQ3hCLEtBQUssTUFBTSxRQUFRLElBQUksT0FBTyxDQUFDLGlCQUFpQixFQUFFLENBQUM7WUFDakQsSUFBSSxRQUFRLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztnQkFDakMsSUFBSSxRQUFRLENBQUMsT0FBTyxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO29CQUN0QyxXQUFXLEdBQUcsSUFBSSxDQUFDO29CQUNuQixNQUFNO2dCQUNSLENBQUM7WUFDSCxDQUFDO1FBQ0gsQ0FBQztRQUNELElBQUksQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUNqQixPQUFPLElBQUksRUFBRSxDQUFDO1FBQ2hCLENBQUM7UUFFRCxJQUFJLE9BQU8sQ0FBQyxVQUFVLElBQUksTUFBTSxDQUFDLEVBQUUsQ0FBQyxHQUFHLENBQUMsR0FBRyxDQUFDLGNBQWMsQ0FBQyxFQUFFLE1BQU0sQ0FBQyxFQUFFLENBQUM7WUFDckUsT0FBTyxJQUFJLEVBQUUsQ0FBQztRQUNoQixDQUFDO1FBRUQsTUFBTSxJQUFJLEdBQUcsR0FBRyxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUM7UUFDOUIsS0FBSyxDQUFDLGVBQWUsRUFBRSxHQUFHLENBQUMsTUFBTSxFQUFFLEdBQUcsQ0FBQyxHQUFHLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFDbEQsR0FBRyxDQUFDLFVBQVUsRUFBRSxDQUFDO1FBQ2pCLE9BQU8sSUFBSSxFQUFFLENBQUM7SUFDaEIsQ0FBQyxDQUFDO0FBQ0osQ0FBQyxDQUFDIn0=

package/dist/lib/middlewares/dta.d.ts

@@ -1,6 +1,3 @@
-import { MiddlewareFunc } from "egg";
-
-//#region src/lib/middlewares/dta.d.ts
+import type { MiddlewareFunc } from 'egg';
 declare const _default: () => MiddlewareFunc;
-//#endregion
-export { _default as default };
+export default _default;

package/dist/lib/middlewares/dta.js

@@ -1,4 +1,12 @@
-import "../../utils-Cajs5P8M.js";
-import { dta_default } from "../../dta-DVAKEpJ3.js";
-
-export { dta_default as default };
+import { isSafePath } from "../utils.js";
+// https://en.wikipedia.org/wiki/Directory_traversal_attack
+export default () => {
+    return function dta(ctx, next) {
+        const path = ctx.path;
+        if (!isSafePath(path, ctx)) {
+            ctx.throw(400);
+        }
+        return next();
+    };
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZHRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2xpYi9taWRkbGV3YXJlcy9kdGEudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQ0EsT0FBTyxFQUFFLFVBQVUsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUV6QywyREFBMkQ7QUFDM0QsZUFBZSxHQUFtQixFQUFFO0lBQ2xDLE9BQU8sU0FBUyxHQUFHLENBQUMsR0FBRyxFQUFFLElBQUk7UUFDM0IsTUFBTSxJQUFJLEdBQUcsR0FBRyxDQUFDLElBQUksQ0FBQztRQUN0QixJQUFJLENBQUMsVUFBVSxDQUFDLElBQUksRUFBRSxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQzNCLEdBQUcsQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDakIsQ0FBQztRQUNELE9BQU8sSUFBSSxFQUFFLENBQUM7SUFDaEIsQ0FBQyxDQUFDO0FBQ0osQ0FBQyxDQUFDIn0=

package/dist/lib/middlewares/hsts.d.ts

@@ -1,7 +1,4 @@
-import { SecurityConfig } from "../../config.default-D8v08Vox.js";
-import { MiddlewareFunc } from "egg";
-
-//#region src/lib/middlewares/hsts.d.ts
+import type { MiddlewareFunc } from 'egg';
+import type { SecurityConfig } from '../../config/config.default.ts';
 declare const _default: (options: SecurityConfig["hsts"]) => MiddlewareFunc;
-//#endregion
-export { _default as default };
+export default _default;

package/dist/lib/middlewares/hsts.js

@@ -1,4 +1,21 @@
-import "../../utils-Cajs5P8M.js";
-import { hsts_default } from "../../hsts-CWMKNTEh.js";
-
-export { hsts_default as default };
+import { checkIfIgnore } from "../utils.js";
+// Set Strict-Transport-Security header
+export default (options) => {
+    return async function hsts(ctx, next) {
+        await next();
+        const opts = {
+            ...options,
+            ...ctx.securityOptions.hsts,
+        };
+        if (checkIfIgnore(opts, ctx))
+            return;
+        let val = `max-age=${opts.maxAge}`;
+        // If opts.includeSubdomains is defined,
+        // the rule is also valid for all the sub domains of the website
+        if (opts.includeSubdomains) {
+            val = `${val}; includeSubdomains`;
+        }
+        ctx.set('strict-transport-security', val);
+    };
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaHN0cy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMvaHN0cy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFFQSxPQUFPLEVBQUUsYUFBYSxFQUFFLE1BQU0sYUFBYSxDQUFDO0FBRzVDLHVDQUF1QztBQUN2QyxlQUFlLENBQUMsT0FBK0IsRUFBa0IsRUFBRTtJQUNqRSxPQUFPLEtBQUssVUFBVSxJQUFJLENBQUMsR0FBRyxFQUFFLElBQUk7UUFDbEMsTUFBTSxJQUFJLEVBQUUsQ0FBQztRQUViLE1BQU0sSUFBSSxHQUFHO1lBQ1gsR0FBRyxPQUFPO1lBQ1YsR0FBRyxHQUFHLENBQUMsZUFBZSxDQUFDLElBQUk7U0FDNUIsQ0FBQztRQUNGLElBQUksYUFBYSxDQUFDLElBQUksRUFBRSxHQUFHLENBQUM7WUFBRSxPQUFPO1FBRXJDLElBQUksR0FBRyxHQUFHLFdBQVcsSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDO1FBQ25DLHdDQUF3QztRQUN4QyxnRUFBZ0U7UUFDaEUsSUFBSSxJQUFJLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztZQUMzQixHQUFHLEdBQUcsR0FBRyxHQUFHLHFCQUFxQixDQUFDO1FBQ3BDLENBQUM7UUFDRCxHQUFHLENBQUMsR0FBRyxDQUFDLDJCQUEyQixFQUFFLEdBQUcsQ0FBQyxDQUFDO0lBQzVDLENBQUMsQ0FBQztBQUNKLENBQUMsQ0FBQyJ9

package/dist/lib/middlewares/index.d.ts

@@ -1,18 +1,13 @@
-import { SecurityConfig } from "../../config.default-D8v08Vox.js";
-import * as egg1 from "egg";
-
-//#region src/lib/middlewares/index.d.ts
 declare const _default: {
-  csp: (options: SecurityConfig["csp"]) => egg1.MiddlewareFunc;
-  csrf: (options: SecurityConfig["csrf"]) => egg1.MiddlewareFunc;
-  dta: () => egg1.MiddlewareFunc;
-  hsts: (options: SecurityConfig["hsts"]) => egg1.MiddlewareFunc;
-  methodnoallow: () => egg1.MiddlewareFunc;
-  noopen: (options: SecurityConfig["noopen"]) => egg1.MiddlewareFunc;
-  nosniff: (options: SecurityConfig["nosniff"]) => egg1.MiddlewareFunc;
-  referrerPolicy: (options: SecurityConfig["referrerPolicy"]) => egg1.MiddlewareFunc;
-  xframe: (options: SecurityConfig["xframe"]) => egg1.MiddlewareFunc;
-  xssProtection: (options: SecurityConfig["xssProtection"]) => egg1.MiddlewareFunc;
+    csp: (options: import("../../config/config.default.ts").SecurityConfig["csp"]) => import("egg").MiddlewareFunc;
+    csrf: (options: import("../../config/config.default.ts").SecurityConfig["csrf"]) => import("egg").MiddlewareFunc;
+    dta: () => import("egg").MiddlewareFunc;
+    hsts: (options: import("../../config/config.default.ts").SecurityConfig["hsts"]) => import("egg").MiddlewareFunc;
+    methodnoallow: () => import("egg").MiddlewareFunc;
+    noopen: (options: import("../../config/config.default.ts").SecurityConfig["noopen"]) => import("egg").MiddlewareFunc;
+    nosniff: (options: import("../../config/config.default.ts").SecurityConfig["nosniff"]) => import("egg").MiddlewareFunc;
+    referrerPolicy: (options: import("../../config/config.default.ts").SecurityConfig["referrerPolicy"]) => import("egg").MiddlewareFunc;
+    xframe: (options: import("../../config/config.default.ts").SecurityConfig["xframe"]) => import("egg").MiddlewareFunc;
+    xssProtection: (options: import("../../config/config.default.ts").SecurityConfig["xssProtection"]) => import("egg").MiddlewareFunc;
 };
-//#endregion
-export { _default as default };
+export default _default;

package/dist/lib/middlewares/index.js

@@ -1,14 +1,23 @@
-import "../../utils-Cajs5P8M.js";
-import "../../csp-BW5AJd_f.js";
-import "../../csrf-9aSLHiby.js";
-import "../../dta-DVAKEpJ3.js";
-import "../../hsts-CWMKNTEh.js";
-import "../../methodnoallow-BAZONArS.js";
-import "../../noopen-C3jUBwoH.js";
-import "../../nosniff-CcLkhX2I.js";
-import "../../referrerPolicy-D4Uafq6c.js";
-import "../../xframe-q9fEZkVI.js";
-import "../../xssProtection-D5QsHX-e.js";
-import { middlewares_default } from "../../middlewares-CkQjv8t0.js";
-
-export { middlewares_default as default };
+import csp from "./csp.js";
+import csrf from "./csrf.js";
+import dta from "./dta.js";
+import hsts from "./hsts.js";
+import methodnoallow from "./methodnoallow.js";
+import noopen from "./noopen.js";
+import nosniff from "./nosniff.js";
+import referrerPolicy from "./referrerPolicy.js";
+import xframe from "./xframe.js";
+import xssProtection from "./xssProtection.js";
+export default {
+    csp,
+    csrf,
+    dta,
+    hsts,
+    methodnoallow,
+    noopen,
+    nosniff,
+    referrerPolicy,
+    xframe,
+    xssProtection,
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL21pZGRsZXdhcmVzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sR0FBRyxNQUFNLFVBQVUsQ0FBQztBQUMzQixPQUFPLElBQUksTUFBTSxXQUFXLENBQUM7QUFDN0IsT0FBTyxHQUFHLE1BQU0sVUFBVSxDQUFDO0FBQzNCLE9BQU8sSUFBSSxNQUFNLFdBQVcsQ0FBQztBQUM3QixPQUFPLGFBQWEsTUFBTSxvQkFBb0IsQ0FBQztBQUMvQyxPQUFPLE1BQU0sTUFBTSxhQUFhLENBQUM7QUFDakMsT0FBTyxPQUFPLE1BQU0sY0FBYyxDQUFDO0FBQ25DLE9BQU8sY0FBYyxNQUFNLHFCQUFxQixDQUFDO0FBQ2pELE9BQU8sTUFBTSxNQUFNLGFBQWEsQ0FBQztBQUNqQyxPQUFPLGFBQWEsTUFBTSxvQkFBb0IsQ0FBQztBQUUvQyxlQUFlO0lBQ2IsR0FBRztJQUNILElBQUk7SUFDSixHQUFHO0lBQ0gsSUFBSTtJQUNKLGFBQWE7SUFDYixNQUFNO0lBQ04sT0FBTztJQUNQLGNBQWM7SUFDZCxNQUFNO0lBQ04sYUFBYTtDQUNkLENBQUMifQ==

package/dist/lib/middlewares/methodnoallow.d.ts

@@ -1,6 +1,3 @@
-import { MiddlewareFunc } from "egg";
-
-//#region src/lib/middlewares/methodnoallow.d.ts
+import type { MiddlewareFunc } from 'egg';
 declare const _default: () => MiddlewareFunc;
-//#endregion
-export { _default as default };
+export default _default;

package/dist/lib/middlewares/methodnoallow.js

@@ -1,3 +1,20 @@
-import { methodnoallow_default } from "../../methodnoallow-BAZONArS.js";
-
-export { methodnoallow_default as default };
+import { METHODS } from 'node:http';
+const METHODS_NOT_ALLOWED = ['TRACE', 'TRACK'];
+const safeHttpMethodsMap = {};
+for (const method of METHODS) {
+    if (!METHODS_NOT_ALLOWED.includes(method)) {
+        safeHttpMethodsMap[method.toUpperCase()] = true;
+    }
+}
+// https://www.owasp.org/index.php/Cross_Site_Tracing
+// http://jsperf.com/find-by-map-with-find-by-array
+export default () => {
+    return function notAllow(ctx, next) {
+        // ctx.method is upper case
+        if (!safeHttpMethodsMap[ctx.method]) {
+            ctx.throw(405);
+        }
+        return next();
+    };
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibWV0aG9kbm9hbGxvdy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMvbWV0aG9kbm9hbGxvdy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsT0FBTyxFQUFFLE1BQU0sV0FBVyxDQUFDO0FBSXBDLE1BQU0sbUJBQW1CLEdBQUcsQ0FBQyxPQUFPLEVBQUUsT0FBTyxDQUFDLENBQUM7QUFDL0MsTUFBTSxrQkFBa0IsR0FBNEIsRUFBRSxDQUFDO0FBRXZELEtBQUssTUFBTSxNQUFNLElBQUksT0FBTyxFQUFFLENBQUM7SUFDN0IsSUFBSSxDQUFDLG1CQUFtQixDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1FBQzFDLGtCQUFrQixDQUFDLE1BQU0sQ0FBQyxXQUFXLEVBQUUsQ0FBQyxHQUFHLElBQUksQ0FBQztJQUNsRCxDQUFDO0FBQ0gsQ0FBQztBQUVELHFEQUFxRDtBQUNyRCxtREFBbUQ7QUFDbkQsZUFBZSxHQUFtQixFQUFFO0lBQ2xDLE9BQU8sU0FBUyxRQUFRLENBQUMsR0FBRyxFQUFFLElBQUk7UUFDaEMsMkJBQTJCO1FBQzNCLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQztZQUNwQyxHQUFHLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBQ2pCLENBQUM7UUFDRCxPQUFPLElBQUksRUFBRSxDQUFDO0lBQ2hCLENBQUMsQ0FBQztBQUNKLENBQUMsQ0FBQyJ9

package/dist/lib/middlewares/noopen.d.ts

@@ -1,7 +1,4 @@
-import { SecurityConfig } from "../../config.default-D8v08Vox.js";
-import { MiddlewareFunc } from "egg";
-
-//#region src/lib/middlewares/noopen.d.ts
+import type { MiddlewareFunc } from 'egg';
+import type { SecurityConfig } from '../../config/config.default.ts';
 declare const _default: (options: SecurityConfig["noopen"]) => MiddlewareFunc;
-//#endregion
-export { _default as default };
+export default _default;

package/dist/lib/middlewares/noopen.js

@@ -1,4 +1,15 @@
-import "../../utils-Cajs5P8M.js";
-import { noopen_default } from "../../noopen-C3jUBwoH.js";
-
-export { noopen_default as default };
+import { checkIfIgnore } from "../utils.js";
+// @see http://blogs.msdn.com/b/ieinternals/archive/2009/06/30/internet-explorer-custom-http-headers.aspx
+export default (options) => {
+    return async function noopen(ctx, next) {
+        await next();
+        const opts = {
+            ...options,
+            ...ctx.securityOptions.noopen,
+        };
+        if (checkIfIgnore(opts, ctx))
+            return;
+        ctx.set('x-download-options', 'noopen');
+    };
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibm9vcGVuLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2xpYi9taWRkbGV3YXJlcy9ub29wZW4udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBRUEsT0FBTyxFQUFFLGFBQWEsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUc1Qyx5R0FBeUc7QUFDekcsZUFBZSxDQUFDLE9BQWlDLEVBQWtCLEVBQUU7SUFDbkUsT0FBTyxLQUFLLFVBQVUsTUFBTSxDQUFDLEdBQUcsRUFBRSxJQUFJO1FBQ3BDLE1BQU0sSUFBSSxFQUFFLENBQUM7UUFFYixNQUFNLElBQUksR0FBRztZQUNYLEdBQUcsT0FBTztZQUNWLEdBQUcsR0FBRyxDQUFDLGVBQWUsQ0FBQyxNQUFNO1NBQzlCLENBQUM7UUFDRixJQUFJLGFBQWEsQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUFDO1lBQUUsT0FBTztRQUVyQyxHQUFHLENBQUMsR0FBRyxDQUFDLG9CQUFvQixFQUFFLFFBQVEsQ0FBQyxDQUFDO0lBQzFDLENBQUMsQ0FBQztBQUNKLENBQUMsQ0FBQyJ9