npm - @midwayjs/security - Versions diffs - 3.0.13 → 3.1.2 - Mend

@midwayjs/security 3.0.13 → 3.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/configuration.js +2 -0
package/dist/index.d.ts +1 -0
package/dist/index.js +6 -1
package/dist/middleware/helper.d.ts +5 -0
package/dist/middleware/helper.js +100 -0
package/package.json +12 -10

package/dist/configuration.js CHANGED Viewed

@@ -20,12 +20,14 @@ const noopen_1 = require("./middleware/noopen");
 const _1 = require(".");
 const xssProtection_1 = require("./middleware/xssProtection");
 const csp_1 = require("./middleware/csp");
+const helper_1 = require("./middleware/helper");
 let SecurityConfiguration = class SecurityConfiguration {
     async onReady() {
         this.applicationManager
             .getApplications(['koa', 'faas', 'express', 'egg'])
             .forEach(app => {
             var _a, _b, _c, _d, _e, _f, _g;
+            app.useMiddleware(helper_1.SecurityHelper);
             if ((_a = this.security.csrf) === null || _a === void 0 ? void 0 : _a.enable) {
                 app.useMiddleware(csrf_1.CSRFMiddleware);
             }

package/dist/index.d.ts CHANGED Viewed

@@ -7,4 +7,5 @@ export * from './middleware/noopen';
 export * from './middleware/nosniff';
 export * from './middleware/xssProtection';
 export * from './middleware/csp';
+export * from './middleware/helper';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.js CHANGED Viewed

@@ -1,7 +1,11 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
@@ -21,4 +25,5 @@ __exportStar(require("./middleware/noopen"), exports);
 __exportStar(require("./middleware/nosniff"), exports);
 __exportStar(require("./middleware/xssProtection"), exports);
 __exportStar(require("./middleware/csp"), exports);
+__exportStar(require("./middleware/helper"), exports);
 //# sourceMappingURL=index.js.map

package/dist/middleware/helper.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import { BaseMiddleware } from './base';
+export declare class SecurityHelper extends BaseMiddleware {
+    compatibleMiddleware(context: any, req: any, res: any, next: any): Promise<any>;
+}
+//# sourceMappingURL=helper.d.ts.map

package/dist/middleware/helper.js ADDED Viewed

@@ -0,0 +1,100 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurityHelper = void 0;
+const decorator_1 = require("@midwayjs/decorator");
+const base_1 = require("./base");
+const escape = require("escape-html");
+const xss_1 = require("xss");
+let SecurityHelper = class SecurityHelper extends base_1.BaseMiddleware {
+    async compatibleMiddleware(context, req, res, next) {
+        context.security = {
+            escape,
+            html: (htmlCode) => (0, xss_1.default)(htmlCode),
+            js: safeJS,
+            json: safeJSON,
+        };
+        return next();
+    }
+};
+SecurityHelper = __decorate([
+    (0, decorator_1.Middleware)()
+], SecurityHelper);
+exports.SecurityHelper = SecurityHelper;
+const MATCH_VULNERABLE_REGEXP = /[\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]/;
+const BASIC_ALPHABETS = new Set('abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'.split(''));
+const map = {
+    '\t': '\\t',
+    '\n': '\\n',
+    '\r': '\\r',
+};
+const safeJS = (jsCode) => {
+    jsCode = `${jsCode || ''}`;
+    const match = MATCH_VULNERABLE_REGEXP.exec(jsCode);
+    if (!match) {
+        return jsCode;
+    }
+    let res = '';
+    let index = 0;
+    let lastIndex = 0;
+    let ascii;
+    for (index = match.index; index < jsCode.length; index++) {
+        ascii = jsCode[index];
+        if (BASIC_ALPHABETS.has(ascii)) {
+            continue;
+        }
+        else {
+            if (map[ascii] === undefined) {
+                const code = ascii.charCodeAt(0);
+                if (code > 127) {
+                    continue;
+                }
+                else {
+                    map[ascii] = '\\x' + code.toString(16);
+                }
+            }
+        }
+        if (lastIndex !== index) {
+            res += jsCode.substring(lastIndex, index);
+        }
+        lastIndex = index + 1;
+        res += map[ascii];
+    }
+    return lastIndex !== index ? res + jsCode.substring(lastIndex, index) : res;
+};
+function sanitizeKey(obj) {
+    if (typeof obj !== 'object')
+        return obj;
+    if (Array.isArray(obj))
+        return obj;
+    if (obj === null)
+        return null;
+    if (obj instanceof Boolean)
+        return obj;
+    if (obj instanceof Number)
+        return obj;
+    if (obj instanceof Buffer)
+        return obj.toString();
+    for (const k in obj) {
+        const escapedK = safeJS(k);
+        if (escapedK !== k) {
+            obj[escapedK] = sanitizeKey(obj[k]);
+            obj[k] = undefined;
+        }
+        else {
+            obj[k] = sanitizeKey(obj[k]);
+        }
+    }
+    return obj;
+}
+const safeJSON = (object) => {
+    return JSON.stringify(sanitizeKey(object), (k, v) => {
+        return typeof v === 'string' ? safeJS(v) : v;
+    });
+};
+//# sourceMappingURL=helper.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@midwayjs/security",
-  "version": "3.0.13",
+  "version": "3.1.2",
   "description": "Midway Security Component",
   "main": "dist/index.js",
   "typings": "index.d.ts",
@@ -23,19 +23,21 @@
   "license": "MIT",
   "dependencies": {
     "csrf": "3.1.0",
+    "escape-html": "^1.0.3",
     "nanoid": "3.3.1",
     "picomatch": "2.3.1",
-    "platform": "1.3.6"
+    "platform": "1.3.6",
+    "xss": "^1.0.11"
   },
   "devDependencies": {
-    "@midwayjs/core": "^3.0.13",
+    "@midwayjs/core": "^3.1.2",
     "@midwayjs/decorator": "^3.0.10",
-    "@midwayjs/express": "^3.0.13",
-    "@midwayjs/faas": "^3.0.13",
-    "@midwayjs/koa": "^3.0.13",
-    "@midwayjs/mock": "^3.0.13",
-    "@midwayjs/serverless-app": "^3.0.13",
-    "@midwayjs/web": "^3.0.13"
+    "@midwayjs/express": "^3.1.2",
+    "@midwayjs/faas": "^3.1.2",
+    "@midwayjs/koa": "^3.1.2",
+    "@midwayjs/mock": "^3.1.2",
+    "@midwayjs/serverless-app": "^3.1.2",
+    "@midwayjs/web": "^3.1.2"
   },
-  "gitHead": "8c8338f4488ec65765c342dd5238ed3e61872b37"
+  "gitHead": "4ff3aa892b76d016f0ea123c7f9520d054d5c96b"
 }