@eggjs/security 5.0.0-beta.34 → 5.0.0-beta.36

Files changed (71) hide show
  1. package/dist/agent.d.ts +9 -5
  2. package/dist/agent.js +14 -10
  3. package/dist/app/extend/agent.d.ts +8 -4
  4. package/dist/app/extend/agent.js +12 -8
  5. package/dist/app/extend/application.d.ts +11 -7
  6. package/dist/app/extend/application.js +32 -32
  7. package/dist/app/extend/context.d.ts +55 -51
  8. package/dist/app/extend/context.js +185 -240
  9. package/dist/app/extend/helper.d.ts +5 -2
  10. package/dist/app/extend/helper.js +8 -6
  11. package/dist/app/extend/response.d.ts +38 -34
  12. package/dist/app/extend/response.js +69 -82
  13. package/dist/app/middleware/securities.d.ts +5 -2
  14. package/dist/app/middleware/securities.js +38 -52
  15. package/dist/app.d.ts +9 -5
  16. package/dist/app.js +22 -24
  17. package/dist/config/config.default.d.ts +34 -45
  18. package/dist/config/config.default.js +158 -362
  19. package/dist/config/config.local.d.ts +6 -3
  20. package/dist/config/config.local.js +6 -8
  21. package/dist/index.d.ts +20 -16
  22. package/dist/index.js +24 -21
  23. package/dist/lib/extend/safe_curl.d.ts +16 -13
  24. package/dist/lib/extend/safe_curl.js +17 -23
  25. package/dist/lib/helper/cliFilter.d.ts +4 -4
  26. package/dist/lib/helper/cliFilter.js +16 -15
  27. package/dist/lib/helper/escape.d.ts +2 -2
  28. package/dist/lib/helper/escape.js +7 -3
  29. package/dist/lib/helper/escapeShellArg.d.ts +4 -1
  30. package/dist/lib/helper/escapeShellArg.js +6 -4
  31. package/dist/lib/helper/escapeShellCmd.d.ts +4 -1
  32. package/dist/lib/helper/escapeShellCmd.js +14 -13
  33. package/dist/lib/helper/index.d.ts +22 -19
  34. package/dist/lib/helper/index.js +19 -15
  35. package/dist/lib/helper/shtml.d.ts +6 -2
  36. package/dist/lib/helper/shtml.js +52 -68
  37. package/dist/lib/helper/sjs.d.ts +4 -4
  38. package/dist/lib/helper/sjs.js +31 -44
  39. package/dist/lib/helper/sjson.d.ts +4 -1
  40. package/dist/lib/helper/sjson.js +28 -35
  41. package/dist/lib/helper/spath.d.ts +7 -5
  42. package/dist/lib/helper/spath.js +15 -24
  43. package/dist/lib/helper/surl.d.ts +6 -2
  44. package/dist/lib/helper/surl.js +22 -27
  45. package/dist/lib/middlewares/csp.d.ts +6 -3
  46. package/dist/lib/middlewares/csp.js +43 -54
  47. package/dist/lib/middlewares/csrf.d.ts +6 -3
  48. package/dist/lib/middlewares/csrf.js +31 -35
  49. package/dist/lib/middlewares/dta.d.ts +5 -2
  50. package/dist/lib/middlewares/dta.js +11 -10
  51. package/dist/lib/middlewares/hsts.d.ts +6 -3
  52. package/dist/lib/middlewares/hsts.js +17 -19
  53. package/dist/lib/middlewares/index.d.ts +24 -21
  54. package/dist/lib/middlewares/index.js +26 -22
  55. package/dist/lib/middlewares/methodnoallow.d.ts +5 -2
  56. package/dist/lib/middlewares/methodnoallow.js +13 -18
  57. package/dist/lib/middlewares/noopen.d.ts +6 -3
  58. package/dist/lib/middlewares/noopen.js +14 -13
  59. package/dist/lib/middlewares/nosniff.d.ts +6 -3
  60. package/dist/lib/middlewares/nosniff.js +22 -24
  61. package/dist/lib/middlewares/referrerPolicy.d.ts +6 -3
  62. package/dist/lib/middlewares/referrerPolicy.js +27 -30
  63. package/dist/lib/middlewares/xframe.d.ts +6 -3
  64. package/dist/lib/middlewares/xframe.js +16 -15
  65. package/dist/lib/middlewares/xssProtection.d.ts +6 -3
  66. package/dist/lib/middlewares/xssProtection.js +15 -12
  67. package/dist/lib/utils.d.ts +22 -17
  68. package/dist/lib/utils.js +112 -177
  69. package/dist/types.d.ts +38 -36
  70. package/dist/types.js +1 -2
  71. package/package.json +31 -37
@@ -1,83 +1,70 @@
1
- import { Response } from 'egg';
2
- import SecurityContext from "./context.js";
1
+ import "./context.js";
2
+ import { Response } from "egg";
3
+
4
+ //#region src/app/extend/response.ts
3
5
  const unsafeRedirect = Response.prototype.redirect;
4
- export default class SecurityResponse extends Response {
5
- /**
6
- * This is an unsafe redirection, and we WON'T check if the
7
- * destination url is safe or not.
8
- * Please DO NOT use this method unless in some very special cases,
9
- * otherwise there may be security vulnerabilities.
10
- *
11
- * @function Response#unsafeRedirect
12
- * @param {String} url URL to forward
13
- * @example
14
- * ```js
15
- * ctx.response.unsafeRedirect('http://www.domain.com');
16
- * ctx.unsafeRedirect('http://www.domain.com');
17
- * ```
18
- */
19
- unsafeRedirect(url, alt) {
20
- unsafeRedirect.call(this, url, alt);
21
- }
22
- // app.response.unsafeRedirect = app.response.redirect;
23
- // delegate(app.context, 'response').method('unsafeRedirect');
24
- /**
25
- * A safe redirection, and we'll check if the URL is in
26
- * a safe domain or not.
27
- * We've overridden the default Koa's implementation by adding a
28
- * white list as the filter for that.
29
- *
30
- * @function Response#redirect
31
- * @param {String} url URL to forward
32
- * @example
33
- * ```js
34
- * ctx.response.redirect('/login');
35
- * ctx.redirect('/login');
36
- * ```
37
- */
38
- redirect(url, alt) {
39
- url = (url || '/').trim();
40
- // Process with `//`
41
- if (url[0] === '/' && url[1] === '/') {
42
- url = '/';
43
- }
44
- // if begin with '/', it means an internal jump
45
- if (url[0] === '/' && url[1] !== '\\') {
46
- this.unsafeRedirect(url, alt);
47
- return;
48
- }
49
- let urlObject;
50
- try {
51
- urlObject = new URL(url);
52
- }
53
- catch {
54
- url = '/';
55
- this.unsafeRedirect(url);
56
- return;
57
- }
58
- const domainWhiteList = this.app.config.security.domainWhiteList;
59
- if (urlObject.protocol !== 'http:' && urlObject.protocol !== 'https:') {
60
- url = '/';
61
- }
62
- else if (!urlObject.hostname) {
63
- url = '/';
64
- }
65
- else {
66
- if (domainWhiteList && domainWhiteList.length !== 0) {
67
- if (!this.ctx.isSafeDomain(urlObject.hostname)) {
68
- const message = `a security problem has been detected for url "${url}", redirection is prohibited.`;
69
- if (process.env.NODE_ENV === 'production') {
70
- this.app.coreLogger.warn('[@eggjs/security/response/redirect] %s', message);
71
- url = '/';
72
- }
73
- else {
74
- // Exception will be thrown out in a non-PROD env.
75
- return this.ctx.throw(500, message);
76
- }
77
- }
78
- }
79
- }
80
- this.unsafeRedirect(url);
81
- }
82
- }
83
- //# sourceMappingURL=data:application/json;base64,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
6
+ var SecurityResponse = class extends Response {
7
+ /**
8
+ * This is an unsafe redirection, and we WON'T check if the
9
+ * destination url is safe or not.
10
+ * Please DO NOT use this method unless in some very special cases,
11
+ * otherwise there may be security vulnerabilities.
12
+ *
13
+ * @function Response#unsafeRedirect
14
+ * @param {String} url URL to forward
15
+ * @example
16
+ * ```js
17
+ * ctx.response.unsafeRedirect('http://www.domain.com');
18
+ * ctx.unsafeRedirect('http://www.domain.com');
19
+ * ```
20
+ */
21
+ unsafeRedirect(url, alt) {
22
+ unsafeRedirect.call(this, url, alt);
23
+ }
24
+ /**
25
+ * A safe redirection, and we'll check if the URL is in
26
+ * a safe domain or not.
27
+ * We've overridden the default Koa's implementation by adding a
28
+ * white list as the filter for that.
29
+ *
30
+ * @function Response#redirect
31
+ * @param {String} url URL to forward
32
+ * @example
33
+ * ```js
34
+ * ctx.response.redirect('/login');
35
+ * ctx.redirect('/login');
36
+ * ```
37
+ */
38
+ redirect(url, alt) {
39
+ url = (url || "/").trim();
40
+ if (url[0] === "/" && url[1] === "/") url = "/";
41
+ if (url[0] === "/" && url[1] !== "\\") {
42
+ this.unsafeRedirect(url, alt);
43
+ return;
44
+ }
45
+ let urlObject;
46
+ try {
47
+ urlObject = new URL(url);
48
+ } catch {
49
+ url = "/";
50
+ this.unsafeRedirect(url);
51
+ return;
52
+ }
53
+ const domainWhiteList = this.app.config.security.domainWhiteList;
54
+ if (urlObject.protocol !== "http:" && urlObject.protocol !== "https:") url = "/";
55
+ else if (!urlObject.hostname) url = "/";
56
+ else if (domainWhiteList && domainWhiteList.length !== 0) {
57
+ if (!this.ctx.isSafeDomain(urlObject.hostname)) {
58
+ const message = `a security problem has been detected for url "${url}", redirection is prohibited.`;
59
+ if (process.env.NODE_ENV === "production") {
60
+ this.app.coreLogger.warn("[@eggjs/security/response/redirect] %s", message);
61
+ url = "/";
62
+ } else return this.ctx.throw(500, message);
63
+ }
64
+ }
65
+ this.unsafeRedirect(url);
66
+ }
67
+ };
68
+
69
+ //#endregion
70
+ export { SecurityResponse as default };
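Review bot: The docstring on `redirect` (this section has no file header on the page; the diffstat identifies it as package/dist/app/extend/response.js) promises a safe-domain check, but the check is skipped entirely when `domainWhiteList` is empty, and Koa's `redirect('back')` never reaches any Referrer logic here: `new URL('back')` throws and the caller is sent to `/`. I would state both in the docstring: `* When config.security.domainWhiteList is empty no host check is performed; 'back' is not supported and falls back to '/'.` The `alt` argument is forwarded only on the internal-path branch and dropped on the two later `unsafeRedirect(url)` calls; since `'back'` cannot survive to them that is harmless, but passing `alt` through keeps the override's signature honest. The production/non-production split keys on `process.env.NODE_ENV` rather than on the framework's own env; if a deployment sets Egg's `EGG_SERVER_ENV=prod` without `NODE_ENV=production`, a rejected redirect would surface as a 500 whose message carries the offending URL instead of the quiet fallback to `/` — worth confirming against how `app.config.env` is derived.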
@@ -1,3 +1,6 @@
1
- import type { Application, MiddlewareFunc } from 'egg';
1
+ import { Application, MiddlewareFunc } from "egg";
2
+
3
+ //#region src/app/middleware/securities.d.ts
2
4
  declare const _default: (_: unknown, app: Application) => MiddlewareFunc;
3
- export default _default;
5
+ //#endregion
6
+ export { _default as default };
@@ -1,53 +1,39 @@
1
- import assert from 'node:assert';
2
- import compose from 'koa-compose';
3
- import { pathMatching } from '@eggjs/path-matching';
4
- import securityMiddlewares from "../../lib/middlewares/index.js";
5
- export default (_, app) => {
6
- const options = app.config.security;
7
- const middlewares = [];
8
- const defaultMiddlewares = typeof options.defaultMiddleware === 'string'
9
- ? options.defaultMiddleware
10
- .split(',')
11
- .map((m) => m.trim())
12
- .filter((m) => !!m)
13
- : options.defaultMiddleware;
14
- if (options.match || options.ignore) {
15
- app.coreLogger.warn('[@eggjs/security/middleware/securities] Please set `match` or `ignore` on sub config');
16
- }
17
- // format csrf.cookieDomain
18
- const originalCookieDomain = options.csrf.cookieDomain;
19
- if (originalCookieDomain && typeof originalCookieDomain !== 'function') {
20
- options.csrf.cookieDomain = () => originalCookieDomain;
21
- }
22
- defaultMiddlewares.forEach((middlewareName) => {
23
- const opt = Reflect.get(options, middlewareName);
24
- if (opt === false) {
25
- app.coreLogger.warn('[egg-security] Please use `config.security.%s = { enable: false }` instead of `config.security.%s = false`', middlewareName, middlewareName);
26
- }
27
- assert(opt === false || typeof opt === 'object', `config.security.${middlewareName} must be an object, or false(if you turn it off)`);
28
- if (opt === false || (opt && opt.enable === false)) {
29
- return;
30
- }
31
- if (middlewareName === 'csrf' && opt.useSession && !app.plugins.session) {
32
- throw new Error('csrf.useSession enabled, but session plugin is disabled');
33
- }
34
- // use opt.match first (compatibility)
35
- if (opt.match && opt.ignore) {
36
- app.coreLogger.warn('[@eggjs/security/middleware/securities] `options.match` and `options.ignore` are both set, using `options.match`');
37
- opt.ignore = undefined;
38
- }
39
- if (!opt.ignore && opt.blackUrls) {
40
- app.deprecate('[@eggjs/security/middleware/securities] Please use `config.security.xframe.ignore` instead, `config.security.xframe.blackUrls` will be removed very soon');
41
- opt.ignore = opt.blackUrls;
42
- }
43
- // set matching function to security middleware options
44
- opt.matching = pathMatching(opt);
45
- const createMiddleware = securityMiddlewares[middlewareName];
46
- const fn = createMiddleware(opt);
47
- middlewares.push(fn);
48
- app.coreLogger.info('[@eggjs/security/middleware/securities] use %s middleware', middlewareName);
49
- });
50
- app.coreLogger.info('[@eggjs/security/middleware/securities] compose %d middlewares into one security middleware', middlewares.length);
51
- return compose(middlewares);
1
+ import middlewares_default from "../../lib/middlewares/index.js";
2
+ import assert from "node:assert";
3
+ import { pathMatching } from "@eggjs/path-matching";
4
+ import compose from "koa-compose";
5
+
6
+ //#region src/app/middleware/securities.ts
7
+ var securities_default = (_, app) => {
8
+ const options = app.config.security;
9
+ const middlewares = [];
10
+ const defaultMiddlewares = typeof options.defaultMiddleware === "string" ? options.defaultMiddleware.split(",").map((m) => m.trim()).filter((m) => !!m) : options.defaultMiddleware;
11
+ if (options.match || options.ignore) app.coreLogger.warn("[@eggjs/security/middleware/securities] Please set `match` or `ignore` on sub config");
12
+ const originalCookieDomain = options.csrf.cookieDomain;
13
+ if (originalCookieDomain && typeof originalCookieDomain !== "function") options.csrf.cookieDomain = () => originalCookieDomain;
14
+ defaultMiddlewares.forEach((middlewareName) => {
15
+ const opt = Reflect.get(options, middlewareName);
16
+ if (opt === false) app.coreLogger.warn("[egg-security] Please use `config.security.%s = { enable: false }` instead of `config.security.%s = false`", middlewareName, middlewareName);
17
+ assert(opt === false || typeof opt === "object", `config.security.${middlewareName} must be an object, or false(if you turn it off)`);
18
+ if (opt === false || opt && opt.enable === false) return;
19
+ if (middlewareName === "csrf" && opt.useSession && !app.plugins.session) throw new Error("csrf.useSession enabled, but session plugin is disabled");
20
+ if (opt.match && opt.ignore) {
21
+ app.coreLogger.warn("[@eggjs/security/middleware/securities] `options.match` and `options.ignore` are both set, using `options.match`");
22
+ opt.ignore = void 0;
23
+ }
24
+ if (!opt.ignore && opt.blackUrls) {
25
+ app.deprecate("[@eggjs/security/middleware/securities] Please use `config.security.xframe.ignore` instead, `config.security.xframe.blackUrls` will be removed very soon");
26
+ opt.ignore = opt.blackUrls;
27
+ }
28
+ opt.matching = pathMatching(opt);
29
+ const createMiddleware = middlewares_default[middlewareName];
30
+ const fn = createMiddleware(opt);
31
+ middlewares.push(fn);
32
+ app.coreLogger.info("[@eggjs/security/middleware/securities] use %s middleware", middlewareName);
33
+ });
34
+ app.coreLogger.info("[@eggjs/security/middleware/securities] compose %d middlewares into one security middleware", middlewares.length);
35
+ return compose(middlewares);
52
36
  };
53
- //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2VjdXJpdGllcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9hcHAvbWlkZGxld2FyZS9zZWN1cml0aWVzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sTUFBTSxNQUFNLGFBQWEsQ0FBQztBQUVqQyxPQUFPLE9BQU8sTUFBTSxhQUFhLENBQUM7QUFDbEMsT0FBTyxFQUFFLFlBQVksRUFBRSxNQUFNLHNCQUFzQixDQUFDO0FBR3BELE9BQU8sbUJBQW1CLE1BQU0sZ0NBQWdDLENBQUM7QUFHakUsZUFBZSxDQUFDLENBQVUsRUFBRSxHQUFnQixFQUFrQixFQUFFO0lBQzlELE1BQU0sT0FBTyxHQUFHLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDO0lBQ3BDLE1BQU0sV0FBVyxHQUFxQixFQUFFLENBQUM7SUFDekMsTUFBTSxrQkFBa0IsR0FDdEIsT0FBTyxPQUFPLENBQUMsaUJBQWlCLEtBQUssUUFBUTtRQUMzQyxDQUFDLENBQUUsT0FBTyxDQUFDLGlCQUFpQjthQUN2QixLQUFLLENBQUMsR0FBRyxDQUFDO2FBQ1YsR0FBRyxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUM7YUFDcEIsTUFBTSxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUE4QjtRQUNwRCxDQUFDLENBQUMsT0FBTyxDQUFDLGlCQUFpQixDQUFDO0lBRWhDLElBQUksT0FBTyxDQUFDLEtBQUssSUFBSSxPQUFPLENBQUMsTUFBTSxFQUFFLENBQUM7UUFDcEMsR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsc0ZBQXNGLENBQUMsQ0FBQztJQUM5RyxDQUFDO0lBRUQsMkJBQTJCO0lBQzNCLE1BQU0sb0JBQW9CLEdBQUcsT0FBTyxDQUFDLElBQUksQ0FBQyxZQUFZLENBQUM7SUFDdkQsSUFBSSxvQkFBb0IsSUFBSSxPQUFPLG9CQUFvQixLQUFLLFVBQVUsRUFBRSxDQUFDO1FBQ3ZFLE9BQU8sQ0FBQyxJQUFJLENBQUMsWUFBWSxHQUFHLEdBQUcsRUFBRSxDQUFDLG9CQUFvQixDQUFDO0lBQ3pELENBQUM7SUFFRCxrQkFBa0IsQ0FBQyxPQUFPLENBQUMsQ0FBQyxjQUFzQyxFQUFFLEVBQUU7UUFDcEUsTUFBTSxHQUFHLEdBQUcsT0FBTyxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsY0FBYyxDQUFRLENBQUM7UUFDeEQsSUFBSSxHQUFHLEtBQUssS0FBSyxFQUFFLENBQUM7WUFDbEIsR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQ2pCLDRHQUE0RyxFQUM1RyxjQUFjLEVBQ2QsY0FBYyxDQUNmLENBQUM7UUFDSixDQUFDO1FBRUQsTUFBTSxDQUNKLEdBQUcsS0FBSyxLQUFLLElBQUksT0FBTyxHQUFHLEtBQUssUUFBUSxFQUN4QyxtQkFBbUIsY0FBYyxrREFBa0QsQ0FDcEYsQ0FBQztRQUVGLElBQUksR0FBRyxLQUFLLEtBQUssSUFBSSxDQUFDLEdBQUcsSUFBSSxHQUFHLENBQUMsTUFBTSxLQUFLLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDbkQsT0FBTztRQUNULENBQUM7UUFFRCxJQUFJLGNBQWMsS0FBSyxNQUFNLElBQUksR0FBRyxDQUFD
LFVBQVUsSUFBSSxDQUFDLEdBQUcsQ0FBQyxPQUFPLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDeEUsTUFBTSxJQUFJLEtBQUssQ0FBQyx5REFBeUQsQ0FBQyxDQUFDO1FBQzdFLENBQUM7UUFFRCxzQ0FBc0M7UUFDdEMsSUFBSSxHQUFHLENBQUMsS0FBSyxJQUFJLEdBQUcsQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUM1QixHQUFHLENBQUMsVUFBVSxDQUFDLElBQUksQ0FDakIsa0hBQWtILENBQ25ILENBQUM7WUFDRixHQUFHLENBQUMsTUFBTSxHQUFHLFNBQVMsQ0FBQztRQUN6QixDQUFDO1FBQ0QsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLElBQUksR0FBRyxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQ2pDLEdBQUcsQ0FBQyxTQUFTLENBQ1gsMEpBQTBKLENBQzNKLENBQUM7WUFDRixHQUFHLENBQUMsTUFBTSxHQUFHLEdBQUcsQ0FBQyxTQUFTLENBQUM7UUFDN0IsQ0FBQztRQUNELHVEQUF1RDtRQUN2RCxHQUFHLENBQUMsUUFBUSxHQUFHLFlBQVksQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUVqQyxNQUFNLGdCQUFnQixHQUFHLG1CQUFtQixDQUFDLGNBQWtELENBQUMsQ0FBQztRQUNqRyxNQUFNLEVBQUUsR0FBRyxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUNqQyxXQUFXLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ3JCLEdBQUcsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLDJEQUEyRCxFQUFFLGNBQWMsQ0FBQyxDQUFDO0lBQ25HLENBQUMsQ0FBQyxDQUFDO0lBRUgsR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQ2pCLDZGQUE2RixFQUM3RixXQUFXLENBQUMsTUFBTSxDQUNuQixDQUFDO0lBQ0YsT0FBTyxPQUFPLENBQUMsV0FBVyxDQUFDLENBQUM7QUFDOUIsQ0FBQyxDQUFDIn0=
37
+
38
+ //#endregion
39
+ export { securities_default as default };
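Review bot: The assert at line 17 of the new file (`assert(opt === false || typeof opt === "object", …)`; the section has no header on the page, the diffstat identifies it as package/dist/app/middleware/securities.js) accepts `null`, because `typeof null === "object"`, so `config.security.csp = null` passes validation and then dies with a bare TypeError at `opt.match` instead of the configuration message; tighten it to `assert(opt === false || (typeof opt === "object" && opt !== null), …)`. Likewise `createMiddleware` is read from `middlewares_default[middlewareName]` with no existence check, so a typo in `defaultMiddleware` surfaces as "createMiddleware is not a function"; an `assert(typeof createMiddleware === "function", "unknown security middleware: " + middlewareName)` before the call would name the culprit. Finally the `blackUrls` deprecation text hard-codes `config.security.xframe.ignore` although the branch runs for every middleware in the list — use `config.security.${middlewareName}.ignore` in the message.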
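--- a/package/dist/app.d.ts
+++ b/package/dist/app.d.ts
@@ -1,6 +1,10 @@
-import type { ILifecycleBoot, Application } from 'egg';
-export default class AppBoot implements ILifecycleBoot {
-private readonly app;
-constructor(app: Application);
-configWillLoad(): void;
+import { Application, ILifecycleBoot } from "egg";
+
+//#region src/app.d.ts
+declare class AppBoot implements ILifecycleBoot {
+private readonly app;
+constructor(app: Application);
+configWillLoad(): void;
 }
+//#endregion
+export { AppBoot as default };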
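--- a/package/dist/app.js
+++ b/package/dist/app.js
@@ -1,26 +1,24 @@
 import { preprocessConfig } from "./lib/utils.js";
 import { SecurityConfig } from "./config/config.default.js";
-export default class AppBoot {
-app;
-constructor(app) {
-this.app = app;
-}
-configWillLoad() {
-const app = this.app;
-app.config.coreMiddleware.push('securities');
-// parse config and check if config is legal
-const parsed = SecurityConfig.parse(app.config.security);
-if (typeof app.config.security.csrf === 'boolean') {
-// support old config: `config.security.csrf = false`
-app.config.security.csrf = parsed.csrf;
-}
-if (app.config.security.csrf.enable) {
-const { ignoreJSON } = app.config.security.csrf;
-if (ignoreJSON) {
-app.deprecate('[@eggjs/security/app] `config.security.csrf.ignoreJSON` is not safe now, please disable it.');
-}
-}
-preprocessConfig(app.config.security);
-}
-}
-//# sourceMappingURL=data:application/json;base64,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
+
+//#region src/app.ts
+var AppBoot = class {
+app;
+constructor(app) {
+this.app = app;
+}
+configWillLoad() {
+const app = this.app;
+app.config.coreMiddleware.push("securities");
+const parsed = SecurityConfig.parse(app.config.security);
+if (typeof app.config.security.csrf === "boolean") app.config.security.csrf = parsed.csrf;
+if (app.config.security.csrf.enable) {
+const { ignoreJSON } = app.config.security.csrf;
+if (ignoreJSON) app.deprecate("[@eggjs/security/app] `config.security.csrf.ignoreJSON` is not safe now, please disable it.");
+}
+preprocessConfig(app.config.security);
+}
+};
+
+//#endregion
+export { AppBoot as default };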
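Review bot: `SecurityConfig.parse(app.config.security)` at line 13 of the new file produces a validated copy, but only `parsed.csrf` is ever written back, and only when `csrf` was supplied as a boolean; anything else the Zod schema would normalise is discarded and the raw user object is what `preprocessConfig` and the middlewares later read. If validation-only is the intent, a comment saying so would stop the next reader from assuming defaults are applied: `// parse() is used for validation and the boolean-csrf compat path only; app.config.security itself is left as the user wrote it.` Whether the schema actually adds defaults is not visible here (it is declared as `z.ZodObject<any>` in config.default.d.ts), so this is a point to confirm rather than a known bug.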
@@ -1,59 +1,48 @@
1
- import z from 'zod';
2
- import { Context } from 'egg';
1
+ import { Context } from "egg";
2
+ import z from "zod";
3
+
4
+ //#region src/config/config.default.d.ts
3
5
  declare const CSRFSupportRequestItem: z.ZodObject<{
4
- path: z.ZodType<RegExp>;
5
- methods: z.ZodArray<z.ZodString>;
6
+ path: z.ZodType<RegExp>;
7
+ methods: z.ZodArray<z.ZodString>;
6
8
  }>;
7
- export type CSRFSupportRequestItem = z.infer<typeof CSRFSupportRequestItem>;
8
- export declare const LookupAddress: z.ZodObject<{
9
- address: z.ZodString;
10
- family: z.ZodNumber;
9
+ type CSRFSupportRequestItem = z.infer<typeof CSRFSupportRequestItem>;
10
+ declare const LookupAddress: z.ZodObject<{
11
+ address: z.ZodString;
12
+ family: z.ZodNumber;
11
13
  }>;
12
- export type LookupAddress = z.infer<typeof LookupAddress>;
14
+ type LookupAddress = z.infer<typeof LookupAddress>;
13
15
  declare const LookupAddressAndStringArray: z.ZodArray<z.ZodUnion<[z.ZodString, typeof LookupAddress]>>;
14
- declare const SSRFCheckAddressFunction: z.ZodFunction<z.ZodTuple<[
15
- z.ZodUnion<[z.ZodString, typeof LookupAddress, typeof LookupAddressAndStringArray]>,
16
- z.ZodUnion<[z.ZodNumber, z.ZodString]>,
17
- z.ZodString
18
- ], z.ZodUnknown>, z.ZodBoolean>;
16
+ declare const SSRFCheckAddressFunction: z.ZodFunction<z.ZodTuple<[z.ZodUnion<[z.ZodString, typeof LookupAddress, typeof LookupAddressAndStringArray]>, z.ZodUnion<[z.ZodNumber, z.ZodString]>, z.ZodString], z.ZodUnknown>, z.ZodBoolean>;
19
17
  /**
20
- * SSRF check address function
21
- * `(address, family, hostname) => boolean`
22
- */
23
- export type SSRFCheckAddressFunction = z.infer<typeof SSRFCheckAddressFunction>;
24
- export declare const SecurityMiddlewareName: z.ZodEnum<[
25
- 'csrf',
26
- 'hsts',
27
- 'methodnoallow',
28
- 'noopen',
29
- 'nosniff',
30
- 'csp',
31
- 'xssProtection',
32
- 'xframe',
33
- 'dta'
34
- ]>;
35
- export type SecurityMiddlewareName = z.infer<typeof SecurityMiddlewareName>;
18
+ * SSRF check address function
19
+ * `(address, family, hostname) => boolean`
20
+ */
21
+ type SSRFCheckAddressFunction = z.infer<typeof SSRFCheckAddressFunction>;
22
+ declare const SecurityMiddlewareName: z.ZodEnum<["csrf", "hsts", "methodnoallow", "noopen", "nosniff", "csp", "xssProtection", "xframe", "dta"]>;
23
+ type SecurityMiddlewareName = z.infer<typeof SecurityMiddlewareName>;
36
24
  /**
37
- * (ctx) => boolean
38
- */
25
+ * (ctx) => boolean
26
+ */
39
27
  declare const IgnoreOrMatchHandler: z.ZodFunction<z.ZodTuple<[z.ZodType<Context>], z.ZodUnknown>, z.ZodBoolean>;
40
- export type IgnoreOrMatchHandler = z.infer<typeof IgnoreOrMatchHandler>;
28
+ type IgnoreOrMatchHandler = z.infer<typeof IgnoreOrMatchHandler>;
41
29
  declare const IgnoreOrMatch: z.ZodUnion<[z.ZodString, z.ZodType<RegExp>, typeof IgnoreOrMatchHandler]>;
42
- export type IgnoreOrMatch = z.infer<typeof IgnoreOrMatch>;
30
+ type IgnoreOrMatch = z.infer<typeof IgnoreOrMatch>;
43
31
  declare const IgnoreOrMatchOption: z.ZodOptional<z.ZodUnion<[typeof IgnoreOrMatch, z.ZodArray<typeof IgnoreOrMatch>]>>;
44
- export type IgnoreOrMatchOption = z.infer<typeof IgnoreOrMatchOption>;
45
- export declare const SecurityConfig: z.ZodObject<any>;
46
- export type SecurityConfig = z.infer<typeof SecurityConfig>;
32
+ type IgnoreOrMatchOption = z.infer<typeof IgnoreOrMatchOption>;
33
+ declare const SecurityConfig: z.ZodObject<any>;
34
+ type SecurityConfig = z.infer<typeof SecurityConfig>;
47
35
  declare const SecurityHelperOnTagAttrHandler: z.ZodFunction<z.ZodTuple<[z.ZodString, z.ZodString, z.ZodString, z.ZodBoolean], z.ZodUnknown>, z.ZodUnion<[z.ZodString, z.ZodVoid]>>;
48
36
  /**
49
- * (tag: string, name: string, value: string, isWhiteAttr: boolean) => string | void
50
- */
51
- export type SecurityHelperOnTagAttrHandler = z.infer<typeof SecurityHelperOnTagAttrHandler>;
52
- export declare const SecurityHelperConfig: z.ZodObject<any>;
53
- export type SecurityHelperConfig = z.infer<typeof SecurityHelperConfig>;
37
+ * (tag: string, name: string, value: string, isWhiteAttr: boolean) => string | void
38
+ */
39
+ type SecurityHelperOnTagAttrHandler = z.infer<typeof SecurityHelperOnTagAttrHandler>;
40
+ declare const SecurityHelperConfig: z.ZodObject<any>;
41
+ type SecurityHelperConfig = z.infer<typeof SecurityHelperConfig>;
54
42
  interface PluginConfig {
55
- security: SecurityConfig;
56
- helper: SecurityHelperConfig;
43
+ security: SecurityConfig;
44
+ helper: SecurityHelperConfig;
57
45
  }
58
46
  declare const config: PluginConfig;
59
- export default config;
47
+ //#endregion
48
+ export { CSRFSupportRequestItem, IgnoreOrMatch, IgnoreOrMatchHandler, IgnoreOrMatchOption, LookupAddress, SSRFCheckAddressFunction, SecurityConfig, SecurityHelperConfig, SecurityHelperOnTagAttrHandler, SecurityMiddlewareName, config as default };