npm - @eggjs/security - Versions diffs - 5.0.0-beta.34 → 5.0.0-beta.36 - Mend

@eggjs/security 5.0.0-beta.34 → 5.0.0-beta.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/dist/agent.d.ts +9 -5
package/dist/agent.js +14 -10
package/dist/app/extend/agent.d.ts +8 -4
package/dist/app/extend/agent.js +12 -8
package/dist/app/extend/application.d.ts +11 -7
package/dist/app/extend/application.js +32 -32
package/dist/app/extend/context.d.ts +55 -51
package/dist/app/extend/context.js +185 -240
package/dist/app/extend/helper.d.ts +5 -2
package/dist/app/extend/helper.js +8 -6
package/dist/app/extend/response.d.ts +38 -34
package/dist/app/extend/response.js +69 -82
package/dist/app/middleware/securities.d.ts +5 -2
package/dist/app/middleware/securities.js +38 -52
package/dist/app.d.ts +9 -5
package/dist/app.js +22 -24
package/dist/config/config.default.d.ts +34 -45
package/dist/config/config.default.js +158 -362
package/dist/config/config.local.d.ts +6 -3
package/dist/config/config.local.js +6 -8
package/dist/index.d.ts +20 -16
package/dist/index.js +24 -21
package/dist/lib/extend/safe_curl.d.ts +16 -13
package/dist/lib/extend/safe_curl.js +17 -23
package/dist/lib/helper/cliFilter.d.ts +4 -4
package/dist/lib/helper/cliFilter.js +16 -15
package/dist/lib/helper/escape.d.ts +2 -2
package/dist/lib/helper/escape.js +7 -3
package/dist/lib/helper/escapeShellArg.d.ts +4 -1
package/dist/lib/helper/escapeShellArg.js +6 -4
package/dist/lib/helper/escapeShellCmd.d.ts +4 -1
package/dist/lib/helper/escapeShellCmd.js +14 -13
package/dist/lib/helper/index.d.ts +22 -19
package/dist/lib/helper/index.js +19 -15
package/dist/lib/helper/shtml.d.ts +6 -2
package/dist/lib/helper/shtml.js +52 -68
package/dist/lib/helper/sjs.d.ts +4 -4
package/dist/lib/helper/sjs.js +31 -44
package/dist/lib/helper/sjson.d.ts +4 -1
package/dist/lib/helper/sjson.js +28 -35
package/dist/lib/helper/spath.d.ts +7 -5
package/dist/lib/helper/spath.js +15 -24
package/dist/lib/helper/surl.d.ts +6 -2
package/dist/lib/helper/surl.js +22 -27
package/dist/lib/middlewares/csp.d.ts +6 -3
package/dist/lib/middlewares/csp.js +43 -54
package/dist/lib/middlewares/csrf.d.ts +6 -3
package/dist/lib/middlewares/csrf.js +31 -35
package/dist/lib/middlewares/dta.d.ts +5 -2
package/dist/lib/middlewares/dta.js +11 -10
package/dist/lib/middlewares/hsts.d.ts +6 -3
package/dist/lib/middlewares/hsts.js +17 -19
package/dist/lib/middlewares/index.d.ts +24 -21
package/dist/lib/middlewares/index.js +26 -22
package/dist/lib/middlewares/methodnoallow.d.ts +5 -2
package/dist/lib/middlewares/methodnoallow.js +13 -18
package/dist/lib/middlewares/noopen.d.ts +6 -3
package/dist/lib/middlewares/noopen.js +14 -13
package/dist/lib/middlewares/nosniff.d.ts +6 -3
package/dist/lib/middlewares/nosniff.js +22 -24
package/dist/lib/middlewares/referrerPolicy.d.ts +6 -3
package/dist/lib/middlewares/referrerPolicy.js +27 -30
package/dist/lib/middlewares/xframe.d.ts +6 -3
package/dist/lib/middlewares/xframe.js +16 -15
package/dist/lib/middlewares/xssProtection.d.ts +6 -3
package/dist/lib/middlewares/xssProtection.js +15 -12
package/dist/lib/utils.d.ts +22 -17
package/dist/lib/utils.js +112 -177
package/dist/types.d.ts +38 -36
package/dist/types.js +1 -2
package/package.json +31 -37

package/dist/app/extend/context.js CHANGED Viewed

@@ -1,243 +1,188 @@
-import { debuglog } from 'node:util';
-import { nanoid } from 'nanoid/non-secure';
-import Tokens from 'csrf';
-import { Context } from 'egg';
-import * as utils from "../../lib/utils.js";
-const debug = debuglog('egg/security/app/extend/context');
+import { checkIfIgnore, getFromUrl, isSafeDomain } from "../../lib/utils.js";
+import { Context } from "egg";
+import { debuglog } from "node:util";
+import Tokens from "csrf";
+import { nanoid } from "nanoid/non-secure";
+//#region src/app/extend/context.ts
+const debug = debuglog("egg/security/app/extend/context");
 const tokens = new Tokens();
-const _CSRF_SECRET = Symbol('egg-security#_CSRF_SECRET');
-const NEW_CSRF_SECRET = Symbol('egg-security#NEW_CSRF_SECRET');
-const NONCE_CACHE = Symbol('egg-security#NONCE_CACHE');
-const SECURITY_OPTIONS = Symbol('egg-security#SECURITY_OPTIONS');
+const _CSRF_SECRET = Symbol("egg-security#_CSRF_SECRET");
+const NEW_CSRF_SECRET = Symbol("egg-security#NEW_CSRF_SECRET");
+const NONCE_CACHE = Symbol("egg-security#NONCE_CACHE");
+const SECURITY_OPTIONS = Symbol("egg-security#SECURITY_OPTIONS");
 function findToken(obj, keys) {
-    if (!obj)
-        return;
-    if (!keys || !keys.length)
-        return;
-    if (typeof keys === 'string')
-        return obj[keys];
-    for (const key of keys) {
-        if (obj[key])
-            return obj[key];
-    }
+	if (!obj) return;
+	if (!keys || !keys.length) return;
+	if (typeof keys === "string") return obj[keys];
+	for (const key of keys) if (obj[key]) return obj[key];
 }
-export default class SecurityContext extends Context {
-    get securityOptions() {
-        if (!this[SECURITY_OPTIONS]) {
-            this[SECURITY_OPTIONS] = {};
-        }
-        return this[SECURITY_OPTIONS];
-    }
-    /**
-     * Check whether the specific `domain` is in / matches the whiteList or not.
-     * @param {string} domain The assigned domain.
-     * @param {Array<string>} [customWhiteList] The custom white list for domain.
-     * @return {boolean} If the domain is in / matches the whiteList, return true;
-     * otherwise false.
-     */
-    isSafeDomain(domain, customWhiteList) {
-        const domainWhiteList = customWhiteList && customWhiteList.length > 0 ? customWhiteList : this.app.config.security.domainWhiteList;
-        return utils.isSafeDomain(domain, domainWhiteList);
-    }
-    // Add nonce, random characters will be OK.
-    // https://w3c.github.io/webappsec/specs/content-security-policy/#nonce_source
-    get nonce() {
-        if (!this[NONCE_CACHE]) {
-            this[NONCE_CACHE] = nanoid(16);
-        }
-        return this[NONCE_CACHE];
-    }
-    /**
-     * get csrf token, general use in template
-     * @return {String} csrf token
-     * @public
-     */
-    get csrf() {
-        // csrfSecret can be rotate, use NEW_CSRF_SECRET first
-        const secret = this[NEW_CSRF_SECRET] || this.getCsrfSecret();
-        debug('get csrf token, NEW_CSRF_SECRET: %s, _CSRF_SECRET: %s', this[NEW_CSRF_SECRET], this.getCsrfSecret());
-        //  In order to protect against BREACH attacks,
-        //  the token is not simply the secret;
-        //  a random salt is prepended to the secret and used to scramble it.
-        //  http://breachattack.com/
-        return secret ? tokens.create(secret) : '';
-    }
-    /**
-     * get csrf secret from session or cookie
-     * @return {String} csrf secret
-     * @private
-     */
-    getCsrfSecret() {
-        if (this[_CSRF_SECRET]) {
-            return this[_CSRF_SECRET];
-        }
-        let { useSession, sessionName, cookieName: cookieNames, cookieOptions } = this.app.config.security.csrf;
-        // get secret from session or cookie
-        if (useSession) {
-            this[_CSRF_SECRET] = this.session[sessionName] || '';
-        }
-        else {
-            // cookieName support array. so we can change csrf cookie name smoothly
-            if (!Array.isArray(cookieNames)) {
-                cookieNames = [cookieNames];
-            }
-            for (const cookieName of cookieNames) {
-                this[_CSRF_SECRET] = this.cookies.get(cookieName, { signed: cookieOptions.signed }) || '';
-                if (this[_CSRF_SECRET]) {
-                    break;
-                }
-            }
-        }
-        return this[_CSRF_SECRET];
-    }
-    /**
-     * ensure csrf secret exists in session or cookie.
-     * @param {Boolean} [rotate] reset secret even if the secret exists
-     * @public
-     */
-    ensureCsrfSecret(rotate) {
-        const csrfSecret = this.getCsrfSecret();
-        if (csrfSecret && !rotate) {
-            return;
-        }
-        debug('ensure csrf secret, exists: %s, rotate; %s', csrfSecret, rotate);
-        const secret = tokens.secretSync();
-        this[NEW_CSRF_SECRET] = secret;
-        let { useSession, sessionName, cookieDomain, cookieName: cookieNames, cookieOptions, } = this.app.config.security.csrf;
-        if (useSession) {
-            // TODO(fengmk2): need to refactor egg-session plugin to support ctx.session type define
-            this.session[sessionName] = secret;
-        }
-        else {
-            if (typeof cookieDomain === 'function') {
-                cookieDomain = cookieDomain(this);
-            }
-            const cookieOpts = {
-                domain: cookieDomain,
-                ...cookieOptions,
-            };
-            // cookieName support array. so we can change csrf cookie name smoothly
-            if (!Array.isArray(cookieNames)) {
-                cookieNames = [cookieNames];
-            }
-            for (const cookieName of cookieNames) {
-                this.cookies.set(cookieName, secret, cookieOpts);
-            }
-        }
-    }
-    getInputToken() {
-        const { headerName, bodyName, queryName } = this.app.config.security.csrf;
-        // try order: query, body, header
-        const token = findToken(this.request.query, queryName) ||
-            findToken(this.request.body, bodyName) ||
-            (headerName && this.request.get(headerName));
-        debug('get token: %j, secret: %j', token, this.getCsrfSecret());
-        return token;
-    }
-    /**
-     * rotate csrf secret exists in session or cookie.
-     * must rotate the secret when user login
-     * @public
-     */
-    rotateCsrfSecret() {
-        if (!this[NEW_CSRF_SECRET] && this.getCsrfSecret()) {
-            this.ensureCsrfSecret(true);
-        }
-    }
-    /**
-     * assert csrf token/referer is present
-     * @public
-     */
-    assertCsrf() {
-        if (utils.checkIfIgnore(this.app.config.security.csrf, this)) {
-            debug('%s, ignore by csrf options', this.path);
-            return;
-        }
-        const { type } = this.app.config.security.csrf;
-        let message;
-        const messages = [];
-        switch (type) {
-            case 'ctoken':
-                message = this.csrfCtokenCheck();
-                if (message)
-                    this.throw(403, message);
-                break;
-            case 'referer':
-                message = this.csrfRefererCheck();
-                if (message)
-                    this.throw(403, message);
-                break;
-            case 'all':
-                message = this.csrfCtokenCheck();
-                if (message)
-                    this.throw(403, message);
-                message = this.csrfRefererCheck();
-                if (message)
-                    this.throw(403, message);
-                break;
-            case 'any':
-                message = this.csrfCtokenCheck();
-                if (!message)
-                    return;
-                messages.push(message);
-                message = this.csrfRefererCheck();
-                if (!message)
-                    return;
-                messages.push(message);
-                this.throw(403, `both ctoken and referer check error: ${messages.join(', ')}`);
-                break;
-            default:
-                // @oxlint-disable-next-line Invalid type "never" of template literal expression
-                this.throw(`invalid type ${type}`);
-        }
-    }
-    csrfCtokenCheck() {
-        const csrfSecret = this.getCsrfSecret();
-        if (!csrfSecret) {
-            debug('missing csrf token');
-            this.logCsrfNotice('missing csrf token');
-            return 'missing csrf token';
-        }
-        const token = this.getInputToken();
-        // AJAX requests get csrf token from cookie, in this situation token will equal to secret
-        // synchronize form requests' token always changing to protect against BREACH attacks
-        if (token !== csrfSecret && !tokens.verify(csrfSecret, token)) {
-            debug('verify secret and token error');
-            this.logCsrfNotice('invalid csrf token');
-            const { rotateWhenInvalid } = this.app.config.security.csrf;
-            if (rotateWhenInvalid) {
-                this.rotateCsrfSecret();
-            }
-            return 'invalid csrf token';
-        }
-    }
-    csrfRefererCheck() {
-        const { refererWhiteList } = this.app.config.security.csrf;
-        // check Origin/Referer headers
-        const referer = (this.headers.referer ?? this.headers.origin ?? '').toLowerCase();
-        if (!referer) {
-            debug('missing csrf referer or origin');
-            this.logCsrfNotice('missing csrf referer or origin');
-            return 'missing csrf referer or origin';
-        }
-        const host = utils.getFromUrl(referer, 'host');
-        const domainList = refererWhiteList.concat(this.host);
-        if (!host || !utils.isSafeDomain(host, domainList)) {
-            debug('verify referer or origin error');
-            this.logCsrfNotice('invalid csrf referer or origin');
-            return 'invalid csrf referer or origin';
-        }
-    }
-    logCsrfNotice(msg) {
-        if (this.app.config.env === 'local') {
-            this.logger.warn(`${msg}. See https://eggjs.org/zh-CN/core/security/#%E5%AE%89%E5%85%A8%E5%A8%81%E8%83%81-csrf-%E7%9A%84%E9%98%B2%E8%8C%83`);
-        }
-    }
-    async safeCurl(url, options) {
-        return await this.app.safeCurl(url, options);
-    }
-    unsafeRedirect(url, alt) {
-        this.response.unsafeRedirect(url, alt);
-    }
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29udGV4dC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9hcHAvZXh0ZW5kL2NvbnRleHQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLFFBQVEsRUFBRSxNQUFNLFdBQVcsQ0FBQztBQUVyQyxPQUFPLEVBQUUsTUFBTSxFQUFFLE1BQU0sbUJBQW1CLENBQUM7QUFDM0MsT0FBTyxNQUFNLE1BQU0sTUFBTSxDQUFDO0FBQzFCLE9BQU8sRUFBRSxPQUFPLEVBQUUsTUFBTSxLQUFLLENBQUM7QUFFOUIsT0FBTyxLQUFLLEtBQUssTUFBTSxvQkFBb0IsQ0FBQztBQUs1QyxNQUFNLEtBQUssR0FBRyxRQUFRLENBQUMsaUNBQWlDLENBQUMsQ0FBQztBQUUxRCxNQUFNLE1BQU0sR0FBRyxJQUFJLE1BQU0sRUFBRSxDQUFDO0FBRTVCLE1BQU0sWUFBWSxHQUFHLE1BQU0sQ0FBQywyQkFBMkIsQ0FBQyxDQUFDO0FBQ3pELE1BQU0sZUFBZSxHQUFHLE1BQU0sQ0FBQyw4QkFBOEIsQ0FBQyxDQUFDO0FBQy9ELE1BQU0sV0FBVyxHQUFHLE1BQU0sQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO0FBQ3ZELE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxDQUFDLCtCQUErQixDQUFDLENBQUM7QUFFakUsU0FBUyxTQUFTLENBQUMsR0FBMkIsRUFBRSxJQUF1QjtJQUNyRSxJQUFJLENBQUMsR0FBRztRQUFFLE9BQU87SUFDakIsSUFBSSxDQUFDLElBQUksSUFBSSxDQUFDLElBQUksQ0FBQyxNQUFNO1FBQUUsT0FBTztJQUNsQyxJQUFJLE9BQU8sSUFBSSxLQUFLLFFBQVE7UUFBRSxPQUFPLEdBQUcsQ0FBQyxJQUFJLENBQUMsQ0FBQztJQUMvQyxLQUFLLE1BQU0sR0FBRyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQ3ZCLElBQUksR0FBRyxDQUFDLEdBQUcsQ0FBQztZQUFFLE9BQU8sR0FBRyxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQ2hDLENBQUM7QUFDSCxDQUFDO0FBRUQsTUFBTSxDQUFDLE9BQU8sT0FBTyxlQUFnQixTQUFRLE9BQU87SUFHbEQsSUFBSSxlQUFlO1FBQ2pCLElBQUksQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsRUFBRSxDQUFDO1lBQzVCLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUM5QixDQUFDO1FBQ0QsT0FBTyxJQUFJLENBQUMsZ0JBQWdCLENBQTRCLENBQUM7SUFDM0QsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNILFlBQVksQ0FBQyxNQUFjLEVBQUUsZUFBMEI7UUFDckQsTUFBTSxlQUFlLEdBQ25CLGVBQWUsSUFBSSxlQUFlLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsZUFBZSxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsZUFBZSxDQUFDO1FBQzdHLE9BQU8sS0FBSyxDQUFDLFlBQVksQ0FBQyxNQUFNLEVBQUUsZUFBZSxDQUFDLENBQUM7SUFDckQsQ0FBQztJQUVELDJDQUEyQztJQUMzQyw4RUFBOEU7SUFDOUUsSUFBSSxLQUFLO1FBQ1AsSUFBSSxDQUFDLElBQUksQ0FBQyxXQUFXLENBQUMsRUFBRSxDQUFDO1lBQ3ZCLElBQUksQ0FBQyxXQUFXLENBQUMsR0FBRyxNQUFNLENBQUMsRUFBRSxDQUFDLENBQUM7UUFDakMsQ0FBQztRQUNELE9BQU8sSUFBSSxDQUFDLFdBQVcsQ0FBVyxDQUFDO0lBQ3JDLENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsSUFBSSxJQUFJO1FBQ04sc0RBQXNEO1FBQ3RELE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxlQUFlLENBQUMsSUFBSSxJQUFJLENBQUMsYUFBYSxFQUFFLENBQUM7UUFDN0QsS0FBSyxDQUFDLHVEQUF1RCxFQUFFLElBQUksQ0FBQyxlQUFlLENBQUMsRUFBRSxJQUFJLENBQUMsYUFBYSxFQUFFLENBQUMsQ0FBQztRQUM1RywrQ0FBK0M7UUFDL0MsdUNBQXVDO1FBQ3ZDLHFFQUFxRTtRQUNyRSw0QkFBNEI7UUFDNUIsT0FBTyxNQUFNLENBQUMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsTUFBZ0IsQ0FBQyxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUM7SUFDdkQsQ0FBQztJQUVEOzs7O09BSUc7SUFDSyxhQUFhO1FBQ25CLElBQUksSUFBSSxDQUFDLFlBQVksQ0FBQyxFQUFFLENBQUM7WUFDdkIsT0FBTyxJQUFJLENBQUMsWUFBWSxDQUFXLENBQUM7UUFDdEMsQ0FBQztRQUNELElBQUksRUFBRSxVQUFVLEVBQUUsV0FBVyxFQUFFLFVBQVUsRUFBRSxXQUFXLEVBQUUsYUFBYSxFQUFFLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQztRQUN4RyxvQ0FBb0M7UUFDcEMsSUFBSSxVQUFVLEVBQUUsQ0FBQztZQUNmLElBQUksQ0FBQyxZQUFZLENBQUMsR0FBSSxJQUFJLENBQUMsT0FBZSxDQUFDLFdBQVcsQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUNoRSxDQUFDO2FBQU0sQ0FBQztZQUNOLHVFQUF1RTtZQUN2RSxJQUFJLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUMsRUFBRSxDQUFDO2dCQUNoQyxXQUFXLEdBQUcsQ0FBQyxXQUFXLENBQUMsQ0FBQztZQUM5QixDQUFDO1lBQ0QsS0FBSyxNQUFNLFVBQVUsSUFBSSxXQUFXLEVBQUUsQ0FBQztnQkFDckMsSUFBSSxDQUFDLFlBQVksQ0FBQyxHQUFHLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLFVBQVUsRUFBRSxFQUFFLE1BQU0sRUFBRSxhQUFhLENBQUMsTUFBTSxFQUFFLENBQUMsSUFBSSxFQUFFLENBQUM7Z0JBQzFGLElBQUksSUFBSSxDQUFDLFlBQVksQ0FBQyxFQUFFLENBQUM7b0JBQ3ZCLE1BQU07Z0JBQ1IsQ0FBQztZQUNILENBQUM7UUFDSCxDQUFDO1FBQ0QsT0FBTyxJQUFJLENBQUMsWUFBWSxDQUFXLENBQUM7SUFDdEMsQ0FBQztJQUVEOzs7O09BSUc7SUFDSCxnQkFBZ0IsQ0FBQyxNQUFnQjtRQUMvQixNQUFNLFVBQVUsR0FBRyxJQUFJLENBQUMsYUFBYSxFQUFFLENBQUM7UUFDeEMsSUFBSSxVQUFVLElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUMxQixPQUFPO1FBQ1QsQ0FBQztRQUNELEtBQUssQ0FBQyw0Q0FBNEMsRUFBRSxVQUFVLEVBQUUsTUFBTSxDQUFDLENBQUM7UUFDeEUsTUFBTSxNQUFNLEdBQUcsTUFBTSxDQUFDLFVBQVUsRUFBRSxDQUFDO1FBQ25DLElBQUksQ0FBQyxlQUFlLENBQUMsR0FBRyxNQUFNLENBQUM7UUFDL0IsSUFBSSxFQUNGLFVBQVUsRUFDVixXQUFXLEVBQ1gsWUFBWSxFQUNaLFVBQVUsRUFBRSxXQUFXLEVBQ3ZCLGFBQWEsR0FDZCxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUM7UUFFbEMsSUFBSSxVQUFVLEVBQUUsQ0FBQztZQUNmLHdGQUF3RjtZQUN2RixJQUFJLENBQUMsT0FBZSxDQUFDLFdBQVcsQ0FBQyxHQUFHLE1BQU0sQ0FBQztRQUM5QyxDQUFDO2FBQU0sQ0FBQztZQUNOLElBQUksT0FBTyxZQUFZLEtBQUssVUFBVSxFQUFFLENBQUM7Z0JBQ3ZDLFlBQVksR0FBRyxZQUFZLENBQUMsSUFBSSxDQUFDLENBQUM7WUFDcEMsQ0FBQztZQUNELE1BQU0sVUFBVSxHQUFHO2dCQUNqQixNQUFNLEVBQUUsWUFBWTtnQkFDcEIsR0FBRyxhQUFhO2FBQ2pCLENBQUM7WUFDRix1RUFBdUU7WUFDdkUsSUFBSSxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQztnQkFDaEMsV0FBVyxHQUFHLENBQUMsV0FBVyxDQUFDLENBQUM7WUFDOUIsQ0FBQztZQUNELEtBQUssTUFBTSxVQUFVLElBQUksV0FBVyxFQUFFLENBQUM7Z0JBQ3JDLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLFVBQVUsRUFBRSxNQUFNLEVBQUUsVUFBVSxDQUFDLENBQUM7WUFDbkQsQ0FBQztRQUNILENBQUM7SUFDSCxDQUFDO0lBRU8sYUFBYTtRQUNuQixNQUFNLEVBQUUsVUFBVSxFQUFFLFFBQVEsRUFBRSxTQUFTLEVBQUUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO1FBQzFFLGlDQUFpQztRQUNqQyxNQUFNLEtBQUssR0FDVCxTQUFTLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxLQUFLLEVBQUUsU0FBUyxDQUFDO1lBQ3hDLFNBQVMsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLElBQUksRUFBRSxRQUFRLENBQUM7WUFDdEMsQ0FBQyxVQUFVLElBQUksSUFBSSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQVMsVUFBVSxDQUFDLENBQUMsQ0FBQztRQUN2RCxLQUFLLENBQUMsMkJBQTJCLEVBQUUsS0FBSyxFQUFFLElBQUksQ0FBQyxhQUFhLEVBQUUsQ0FBQyxDQUFDO1FBQ2hFLE9BQU8sS0FBSyxDQUFDO0lBQ2YsQ0FBQztJQUVEOzs7O09BSUc7SUFDSCxnQkFBZ0I7UUFDZCxJQUFJLENBQUMsSUFBSSxDQUFDLGVBQWUsQ0FBQyxJQUFJLElBQUksQ0FBQyxhQUFhLEVBQUUsRUFBRSxDQUFDO1lBQ25ELElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUM5QixDQUFDO0lBQ0gsQ0FBQztJQUVEOzs7T0FHRztJQUNILFVBQVU7UUFDUixJQUFJLEtBQUssQ0FBQyxhQUFhLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksRUFBRSxJQUFJLENBQUMsRUFBRSxDQUFDO1lBQzdELEtBQUssQ0FBQyw0QkFBNEIsRUFBRSxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUM7WUFDL0MsT0FBTztRQUNULENBQUM7UUFFRCxNQUFNLEVBQUUsSUFBSSxFQUFFLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQztRQUMvQyxJQUFJLE9BQU8sQ0FBQztRQUNaLE1BQU0sUUFBUSxHQUFHLEVBQUUsQ0FBQztRQUNwQixRQUFRLElBQUksRUFBRSxDQUFDO1lBQ2IsS0FBSyxRQUFRO2dCQUNYLE9BQU8sR0FBRyxJQUFJLENBQUMsZUFBZSxFQUFFLENBQUM7Z0JBQ2pDLElBQUksT0FBTztvQkFBRSxJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsRUFBRSxPQUFPLENBQUMsQ0FBQztnQkFDdEMsTUFBTTtZQUNSLEtBQUssU0FBUztnQkFDWixPQUFPLEdBQUcsSUFBSSxDQUFDLGdCQUFnQixFQUFFLENBQUM7Z0JBQ2xDLElBQUksT0FBTztvQkFBRSxJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsRUFBRSxPQUFPLENBQUMsQ0FBQztnQkFDdEMsTUFBTTtZQUNSLEtBQUssS0FBSztnQkFDUixPQUFPLEdBQUcsSUFBSSxDQUFDLGVBQWUsRUFBRSxDQUFDO2dCQUNqQyxJQUFJLE9BQU87b0JBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7Z0JBQ3RDLE9BQU8sR0FBRyxJQUFJLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztnQkFDbEMsSUFBSSxPQUFPO29CQUFFLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxFQUFFLE9BQU8sQ0FBQyxDQUFDO2dCQUN0QyxNQUFNO1lBQ1IsS0FBSyxLQUFLO2dCQUNSLE9BQU8sR0FBRyxJQUFJLENBQUMsZUFBZSxFQUFFLENBQUM7Z0JBQ2pDLElBQUksQ0FBQyxPQUFPO29CQUFFLE9BQU87Z0JBQ3JCLFFBQVEsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLENBQUM7Z0JBQ3ZCLE9BQU8sR0FBRyxJQUFJLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztnQkFDbEMsSUFBSSxDQUFDLE9BQU87b0JBQUUsT0FBTztnQkFDckIsUUFBUSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsQ0FBQztnQkFDdkIsSUFBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLEVBQUUsd0NBQXdDLFFBQVEsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxDQUFDO2dCQUMvRSxNQUFNO1lBQ1I7Z0JBQ0UsZ0ZBQWdGO2dCQUNoRixJQUFJLENBQUMsS0FBSyxDQUFDLGdCQUFnQixJQUFJLEVBQUUsQ0FBQyxDQUFDO1FBQ3ZDLENBQUM7SUFDSCxDQUFDO0lBRU8sZUFBZTtRQUNyQixNQUFNLFVBQVUsR0FBRyxJQUFJLENBQUMsYUFBYSxFQUFFLENBQUM7UUFDeEMsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBQ2hCLEtBQUssQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO1lBQzVCLElBQUksQ0FBQyxhQUFhLENBQUMsb0JBQW9CLENBQUMsQ0FBQztZQUN6QyxPQUFPLG9CQUFvQixDQUFDO1FBQzlCLENBQUM7UUFDRCxNQUFNLEtBQUssR0FBRyxJQUFJLENBQUMsYUFBYSxFQUFFLENBQUM7UUFDbkMseUZBQXlGO1FBQ3pGLHFGQUFxRjtRQUNyRixJQUFJLEtBQUssS0FBSyxVQUFVLElBQUksQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLFVBQVUsRUFBRSxLQUFlLENBQUMsRUFBRSxDQUFDO1lBQ3hFLEtBQUssQ0FBQywrQkFBK0IsQ0FBQyxDQUFDO1lBQ3ZDLElBQUksQ0FBQyxhQUFhLENBQUMsb0JBQW9CLENBQUMsQ0FBQztZQUN6QyxNQUFNLEVBQUUsaUJBQWlCLEVBQUUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO1lBQzVELElBQUksaUJBQWlCLEVBQUUsQ0FBQztnQkFDdEIsSUFBSSxDQUFDLGdCQUFnQixFQUFFLENBQUM7WUFDMUIsQ0FBQztZQUNELE9BQU8sb0JBQW9CLENBQUM7UUFDOUIsQ0FBQztJQUNILENBQUM7SUFFTyxnQkFBZ0I7UUFDdEIsTUFBTSxFQUFFLGdCQUFnQixFQUFFLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQztRQUMzRCwrQkFBK0I7UUFDL0IsTUFBTSxPQUFPLEdBQUcsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLE9BQU8sSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sSUFBSSxFQUFFLENBQUMsQ0FBQyxXQUFXLEVBQUUsQ0FBQztRQUVsRixJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDYixLQUFLLENBQUMsZ0NBQWdDLENBQUMsQ0FBQztZQUN4QyxJQUFJLENBQUMsYUFBYSxDQUFDLGdDQUFnQyxDQUFDLENBQUM7WUFDckQsT0FBTyxnQ0FBZ0MsQ0FBQztRQUMxQyxDQUFDO1FBRUQsTUFBTSxJQUFJLEdBQUcsS0FBSyxDQUFDLFVBQVUsQ0FBQyxPQUFPLEVBQUUsTUFBTSxDQUFDLENBQUM7UUFDL0MsTUFBTSxVQUFVLEdBQUcsZ0JBQWdCLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUN0RCxJQUFJLENBQUMsSUFBSSxJQUFJLENBQUMsS0FBSyxDQUFDLFlBQVksQ0FBQyxJQUFJLEVBQUUsVUFBVSxDQUFDLEVBQUUsQ0FBQztZQUNuRCxLQUFLLENBQUMsZ0NBQWdDLENBQUMsQ0FBQztZQUN4QyxJQUFJLENBQUMsYUFBYSxDQUFDLGdDQUFnQyxDQUFDLENBQUM7WUFDckQsT0FBTyxnQ0FBZ0MsQ0FBQztRQUMxQyxDQUFDO0lBQ0gsQ0FBQztJQUVPLGFBQWEsQ0FBQyxHQUFXO1FBQy9CLElBQUksSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsR0FBRyxLQUFLLE9BQU8sRUFBRSxDQUFDO1lBQ3BDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUNkLEdBQUcsR0FBRyxvSEFBb0gsQ0FDM0gsQ0FBQztRQUNKLENBQUM7SUFDSCxDQUFDO0lBRUQsS0FBSyxDQUFDLFFBQVEsQ0FBVSxHQUF5QixFQUFFLE9BQTJCO1FBQzVFLE9BQU8sTUFBTSxJQUFJLENBQUMsR0FBRyxDQUFDLFFBQVEsQ0FBSSxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7SUFDbEQsQ0FBQztJQUVELGNBQWMsQ0FBQyxHQUFXLEVBQUUsR0FBWTtRQUN0QyxJQUFJLENBQUMsUUFBUSxDQUFDLGNBQWMsQ0FBQyxHQUFHLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFDekMsQ0FBQztDQUNGIn0=
+var SecurityContext = class extends Context {
+	get securityOptions() {
+		if (!this[SECURITY_OPTIONS]) this[SECURITY_OPTIONS] = {};
+		return this[SECURITY_OPTIONS];
+	}
+	/**
+	* Check whether the specific `domain` is in / matches the whiteList or not.
+	* @param {string} domain The assigned domain.
+	* @param {Array<string>} [customWhiteList] The custom white list for domain.
+	* @return {boolean} If the domain is in / matches the whiteList, return true;
+	* otherwise false.
+	*/
+	isSafeDomain(domain, customWhiteList) {
+		const domainWhiteList = customWhiteList && customWhiteList.length > 0 ? customWhiteList : this.app.config.security.domainWhiteList;
+		return isSafeDomain(domain, domainWhiteList);
+	}
+	get nonce() {
+		if (!this[NONCE_CACHE]) this[NONCE_CACHE] = nanoid(16);
+		return this[NONCE_CACHE];
+	}
+	/**
+	* get csrf token, general use in template
+	* @return {String} csrf token
+	* @public
+	*/
+	get csrf() {
+		const secret = this[NEW_CSRF_SECRET] || this.getCsrfSecret();
+		debug("get csrf token, NEW_CSRF_SECRET: %s, _CSRF_SECRET: %s", this[NEW_CSRF_SECRET], this.getCsrfSecret());
+		return secret ? tokens.create(secret) : "";
+	}
+	/**
+	* get csrf secret from session or cookie
+	* @return {String} csrf secret
+	* @private
+	*/
+	getCsrfSecret() {
+		if (this[_CSRF_SECRET]) return this[_CSRF_SECRET];
+		let { useSession, sessionName, cookieName: cookieNames, cookieOptions } = this.app.config.security.csrf;
+		if (useSession) this[_CSRF_SECRET] = this.session[sessionName] || "";
+		else {
+			if (!Array.isArray(cookieNames)) cookieNames = [cookieNames];
+			for (const cookieName of cookieNames) {
+				this[_CSRF_SECRET] = this.cookies.get(cookieName, { signed: cookieOptions.signed }) || "";
+				if (this[_CSRF_SECRET]) break;
+			}
+		}
+		return this[_CSRF_SECRET];
+	}
+	/**
+	* ensure csrf secret exists in session or cookie.
+	* @param {Boolean} [rotate] reset secret even if the secret exists
+	* @public
+	*/
+	ensureCsrfSecret(rotate) {
+		const csrfSecret = this.getCsrfSecret();
+		if (csrfSecret && !rotate) return;
+		debug("ensure csrf secret, exists: %s, rotate; %s", csrfSecret, rotate);
+		const secret = tokens.secretSync();
+		this[NEW_CSRF_SECRET] = secret;
+		let { useSession, sessionName, cookieDomain, cookieName: cookieNames, cookieOptions } = this.app.config.security.csrf;
+		if (useSession) this.session[sessionName] = secret;
+		else {
+			if (typeof cookieDomain === "function") cookieDomain = cookieDomain(this);
+			const cookieOpts = {
+				domain: cookieDomain,
+				...cookieOptions
+			};
+			if (!Array.isArray(cookieNames)) cookieNames = [cookieNames];
+			for (const cookieName of cookieNames) this.cookies.set(cookieName, secret, cookieOpts);
+		}
+	}
+	getInputToken() {
+		const { headerName, bodyName, queryName } = this.app.config.security.csrf;
+		const token = findToken(this.request.query, queryName) || findToken(this.request.body, bodyName) || headerName && this.request.get(headerName);
+		debug("get token: %j, secret: %j", token, this.getCsrfSecret());
+		return token;
+	}
+	/**
+	* rotate csrf secret exists in session or cookie.
+	* must rotate the secret when user login
+	* @public
+	*/
+	rotateCsrfSecret() {
+		if (!this[NEW_CSRF_SECRET] && this.getCsrfSecret()) this.ensureCsrfSecret(true);
+	}
+	/**
+	* assert csrf token/referer is present
+	* @public
+	*/
+	assertCsrf() {
+		if (checkIfIgnore(this.app.config.security.csrf, this)) {
+			debug("%s, ignore by csrf options", this.path);
+			return;
+		}
+		const { type } = this.app.config.security.csrf;
+		let message;
+		const messages = [];
+		switch (type) {
+			case "ctoken":
+				message = this.csrfCtokenCheck();
+				if (message) this.throw(403, message);
+				break;
+			case "referer":
+				message = this.csrfRefererCheck();
+				if (message) this.throw(403, message);
+				break;
+			case "all":
+				message = this.csrfCtokenCheck();
+				if (message) this.throw(403, message);
+				message = this.csrfRefererCheck();
+				if (message) this.throw(403, message);
+				break;
+			case "any":
+				message = this.csrfCtokenCheck();
+				if (!message) return;
+				messages.push(message);
+				message = this.csrfRefererCheck();
+				if (!message) return;
+				messages.push(message);
+				this.throw(403, `both ctoken and referer check error: ${messages.join(", ")}`);
+				break;
+			default: this.throw(`invalid type ${type}`);
+		}
+	}
+	csrfCtokenCheck() {
+		const csrfSecret = this.getCsrfSecret();
+		if (!csrfSecret) {
+			debug("missing csrf token");
+			this.logCsrfNotice("missing csrf token");
+			return "missing csrf token";
+		}
+		const token = this.getInputToken();
+		if (token !== csrfSecret && !tokens.verify(csrfSecret, token)) {
+			debug("verify secret and token error");
+			this.logCsrfNotice("invalid csrf token");
+			const { rotateWhenInvalid } = this.app.config.security.csrf;
+			if (rotateWhenInvalid) this.rotateCsrfSecret();
+			return "invalid csrf token";
+		}
+	}
+	csrfRefererCheck() {
+		const { refererWhiteList } = this.app.config.security.csrf;
+		const referer = (this.headers.referer ?? this.headers.origin ?? "").toLowerCase();
+		if (!referer) {
+			debug("missing csrf referer or origin");
+			this.logCsrfNotice("missing csrf referer or origin");
+			return "missing csrf referer or origin";
+		}
+		const host = getFromUrl(referer, "host");
+		const domainList = refererWhiteList.concat(this.host);
+		if (!host || !isSafeDomain(host, domainList)) {
+			debug("verify referer or origin error");
+			this.logCsrfNotice("invalid csrf referer or origin");
+			return "invalid csrf referer or origin";
+		}
+	}
+	logCsrfNotice(msg) {
+		if (this.app.config.env === "local") this.logger.warn(`${msg}. See https://eggjs.org/zh-CN/core/security/#%E5%AE%89%E5%85%A8%E5%A8%81%E8%83%81-csrf-%E7%9A%84%E9%98%B2%E8%8C%83`);
+	}
+	async safeCurl(url, options) {
+		return await this.app.safeCurl(url, options);
+	}
+	unsafeRedirect(url, alt) {
+		this.response.unsafeRedirect(url, alt);
+	}
+};
+//#endregion
+export { SecurityContext as default };

package/dist/app/extend/helper.d.ts CHANGED Viewed

@@ -1,3 +1,6 @@
-import helpers from '../../lib/helper/index.ts';
+import helpers from "../../lib/helper/index.js";
+//#region src/app/extend/helper.d.ts
 declare const securityHelpers: typeof helpers;
-export default securityHelpers;
+//#endregion
+export { securityHelpers as default };

package/dist/app/extend/helper.js CHANGED Viewed

@@ -1,6 +1,8 @@
-import helpers from "../../lib/helper/index.js";
-const securityHelpers = {
-    ...helpers,
-};
-export default securityHelpers;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaGVscGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2FwcC9leHRlbmQvaGVscGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sT0FBTyxNQUFNLDJCQUEyQixDQUFDO0FBRWhELE1BQU0sZUFBZSxHQUFtQjtJQUN0QyxHQUFHLE9BQU87Q0FDWCxDQUFDO0FBRUYsZUFBZSxlQUFlLENBQUMifQ==
+import helper_default$1 from "../../lib/helper/index.js";
+//#region src/app/extend/helper.ts
+const securityHelpers = { ...helper_default$1 };
+var helper_default = securityHelpers;
+//#endregion
+export { helper_default as default };

package/dist/app/extend/response.d.ts CHANGED Viewed

@@ -1,35 +1,39 @@
-import { Response } from 'egg';
-import SecurityContext from './context.ts';
-export default class SecurityResponse extends Response {
-    ctx: SecurityContext;
-    /**
-     * This is an unsafe redirection, and we WON'T check if the
-     * destination url is safe or not.
-     * Please DO NOT use this method unless in some very special cases,
-     * otherwise there may be security vulnerabilities.
-     *
-     * @function Response#unsafeRedirect
-     * @param {String} url URL to forward
-     * @example
-     * ```js
-     * ctx.response.unsafeRedirect('http://www.domain.com');
-     * ctx.unsafeRedirect('http://www.domain.com');
-     * ```
-     */
-    unsafeRedirect(url: string, alt?: string): void;
-    /**
-     * A safe redirection, and we'll check if the URL is in
-     * a safe domain or not.
-     * We've overridden the default Koa's implementation by adding a
-     * white list as the filter for that.
-     *
-     * @function Response#redirect
-     * @param {String} url URL to forward
-     * @example
-     * ```js
-     * ctx.response.redirect('/login');
-     * ctx.redirect('/login');
-     * ```
-     */
-    redirect(url: string, alt?: string): void;
+import SecurityContext from "./context.js";
+import { Response } from "egg";
+//#region src/app/extend/response.d.ts
+declare class SecurityResponse extends Response {
+  ctx: SecurityContext;
+  /**
+  * This is an unsafe redirection, and we WON'T check if the
+  * destination url is safe or not.
+  * Please DO NOT use this method unless in some very special cases,
+  * otherwise there may be security vulnerabilities.
+  *
+  * @function Response#unsafeRedirect
+  * @param {String} url URL to forward
+  * @example
+  * ```js
+  * ctx.response.unsafeRedirect('http://www.domain.com');
+  * ctx.unsafeRedirect('http://www.domain.com');
+  * ```
+  */
+  unsafeRedirect(url: string, alt?: string): void;
+  /**
+  * A safe redirection, and we'll check if the URL is in
+  * a safe domain or not.
+  * We've overridden the default Koa's implementation by adding a
+  * white list as the filter for that.
+  *
+  * @function Response#redirect
+  * @param {String} url URL to forward
+  * @example
+  * ```js
+  * ctx.response.redirect('/login');
+  * ctx.redirect('/login');
+  * ```
+  */
+  redirect(url: string, alt?: string): void;
 }
+//#endregion
+export { SecurityResponse as default };