xiawaa 0.0.1-security → 2.5.18

package/lib/cors.js

@@ -0,0 +1,207 @@
+'use strict';
+
+const Boom = require('@hapi/boom');
+const Hoek = require('@hapi/hoek');
+
+let Route = null;                           // Delayed load due to circular dependency
+
+
+const internals = {};
+
+
+exports.route = function (options) {
+
+    if (!options) {
+        return false;
+    }
+
+    const settings = Hoek.clone(options);
+    settings._headers = settings.headers.concat(settings.additionalHeaders);
+    settings._headersString = settings._headers.join(',');
+    for (let i = 0; i < settings._headers.length; ++i) {
+        settings._headers[i] = settings._headers[i].toLowerCase();
+    }
+
+    if (settings._headers.indexOf('origin') === -1) {
+        settings._headers.push('origin');
+    }
+
+    settings._exposedHeaders = settings.exposedHeaders.concat(settings.additionalExposedHeaders).join(',');
+
+    if (settings.origin === 'ignore') {
+        settings._origin = false;
+    }
+    else if (settings.origin.indexOf('*') !== -1) {
+        Hoek.assert(settings.origin.length === 1, 'Cannot specify cors.origin * together with other values');
+        settings._origin = true;
+    }
+    else {
+        settings._origin = {
+            qualified: [],
+            wildcards: []
+        };
+
+        for (const origin of settings.origin) {
+            if (origin.indexOf('*') !== -1) {
+                settings._origin.wildcards.push(new RegExp('^' + Hoek.escapeRegex(origin).replace(/\\\*/g, '.*').replace(/\\\?/g, '.') + '$'));
+            }
+            else {
+                settings._origin.qualified.push(origin);
+            }
+        }
+    }
+
+    return settings;
+};
+
+
+exports.options = function (route, server) {
+
+    if (route.method === 'options' ||
+        !route.settings.cors) {
+
+        return;
+    }
+
+    exports.handler(server);
+};
+
+
+exports.handler = function (server) {
+
+    Route = Route || require('./route');
+
+    if (server._core.router.specials.options) {
+        return;
+    }
+
+    const definition = {
+        method: '_special',
+        path: '/{p*}',
+        handler: internals.handler,
+        options: {
+            cors: false
+        }
+    };
+
+    const route = new Route(definition, server, { special: true });
+    server._core.router.special('options', route);
+};
+
+
+internals.handler = function (request, h) {
+
+    // Validate CORS preflight request
+
+    const method = request.headers['access-control-request-method'];
+    if (!method) {
+        throw Boom.notFound('CORS error: Missing Access-Control-Request-Method header');
+    }
+
+    // Lookup route
+
+    const route = request.server.match(method, request.path, request.info.hostname);
+    if (!route) {
+        throw Boom.notFound();
+    }
+
+    const settings = route.settings.cors;
+    if (!settings) {
+        return { message: 'CORS is disabled for this route' };
+    }
+
+    // Validate Origin header
+
+    const origin = request.headers.origin;
+
+    if (!origin &&
+        settings._origin !== false) {
+
+        throw Boom.notFound('CORS error: Missing Origin header');
+    }
+
+    if (!exports.matchOrigin(origin, settings)) {
+        return { message: 'CORS error: Origin not allowed' };
+    }
+
+    // Validate allowed headers
+
+    let headers = request.headers['access-control-request-headers'];
+    if (headers) {
+        headers = headers.toLowerCase().split(/\s*,\s*/);
+        if (Hoek.intersect(headers, settings._headers).length !== headers.length) {
+            return { message: 'CORS error: Some headers are not allowed' };
+        }
+    }
+
+    // Reply with the route CORS headers
+
+    const response = h.response();
+    response._header('access-control-allow-origin', settings._origin ? origin : '*');
+    response._header('access-control-allow-methods', method);
+    response._header('access-control-allow-headers', settings._headersString);
+    response._header('access-control-max-age', settings.maxAge);
+
+    if (settings.credentials) {
+        response._header('access-control-allow-credentials', 'true');
+    }
+
+    if (settings._exposedHeaders) {
+        response._header('access-control-expose-headers', settings._exposedHeaders);
+    }
+
+    return response;
+};
+
+
+exports.headers = function (response) {
+
+    const request = response.request;
+    const settings = request.route.settings.cors;
+
+    if (settings._origin !== false) {
+        response.vary('origin');
+    }
+
+    if ((request.info.cors && !request.info.cors.isOriginMatch) ||                          // After route lookup
+        !exports.matchOrigin(request.headers.origin, request.route.settings.cors)) {        // Response from onRequest
+
+        return;
+    }
+
+    response._header('access-control-allow-origin', settings._origin ? request.headers.origin : '*');
+
+    if (settings.credentials) {
+        response._header('access-control-allow-credentials', 'true');
+    }
+
+    if (settings._exposedHeaders) {
+        response._header('access-control-expose-headers', settings._exposedHeaders, { append: true });
+    }
+};
+
+
+exports.matchOrigin = function (origin, settings) {
+
+    if (settings._origin === true ||
+        settings._origin === false) {
+
+        return true;
+    }
+
+    if (!origin) {
+        return false;
+    }
+
+    if (settings._origin.qualified.indexOf(origin) !== -1) {
+        return true;
+    }
+
+    for (const wildcard of settings._origin.wildcards) {
+        if (origin.match(wildcard)) {
+            return true;
+        }
+    }
+
+    return false;
+};

package/lib/ext.js

@@ -0,0 +1,96 @@
+'use strict';
+
+const Hoek = require('@hapi/hoek');
+const Topo = require('@hapi/topo');
+
+
+const internals = {};
+
+
+exports = module.exports = internals.Ext = class {
+
+    type = null;
+    nodes = null;
+
+    #core = null;
+    #routes = [];
+    #topo = new Topo.Sorter();
+
+    constructor(type, core) {
+
+        this.#core = core;
+        this.type = type;
+    }
+
+    add(event) {
+
+        const methods = [].concat(event.method);
+        for (const method of methods) {
+            const settings = {
+                before: event.options.before,
+                after: event.options.after,
+                group: event.realm.plugin,
+                sort: this.#core.extensionsSeq++
+            };
+
+            const node = {
+                func: method,                       // Request: function (request, h), Server: function (server)
+                bind: event.options.bind,
+                server: event.server,               // Server event
+                realm: event.realm,
+                timeout: event.options.timeout
+            };
+
+            this.#topo.add(node, settings);
+        }
+
+        this.nodes = this.#topo.nodes;
+
+        // Notify routes
+
+        for (const route of this.#routes) {
+            route.rebuild(event);
+        }
+    }
+
+    merge(others) {
+
+        const merge = [];
+        for (const other of others) {
+            merge.push(other.#topo);
+        }
+
+        this.#topo.merge(merge);
+        this.nodes = this.#topo.nodes.length ? this.#topo.nodes : null;
+    }
+
+    subscribe(route) {
+
+        this.#routes.push(route);
+    }
+
+    static combine(route, type) {
+
+        const ext = new internals.Ext(type, route._core);
+
+        const events = route.settings.ext[type];
+        if (events) {
+            for (let event of events) {
+                event = Object.assign({}, event);       // Shallow cloned
+                Hoek.assert(!event.options.sandbox, 'Cannot specify sandbox option for route extension');
+                event.realm = route.realm;
+                ext.add(event);
+            }
+        }
+
+        const server = route._core.extensions.route[type];
+        const realm = route.realm._extensions[type];
+
+        ext.merge([server, realm]);
+
+        server.subscribe(route);
+        realm.subscribe(route);
+
+        return ext;
+    }
+};

package/lib/handler.js

@@ -0,0 +1,165 @@
+'use strict';
+
+const Hoek = require('@hapi/hoek');
+
+
+const internals = {};
+
+
+exports.execute = async function (request) {
+
+    // Prerequisites
+
+    if (request._route._prerequisites) {
+        for (const set of request._route._prerequisites) {      // Serial execution of each set
+            const pres = [];
+            for (const item of set) {
+                pres.push(internals.handler(request, item.method, item));
+            }
+
+            const responses = await Promise.all(pres);                          // Parallel execution within sets
+            for (const response of responses) {
+                if (response !== undefined) {
+                    return response;
+                }
+            }
+        }
+    }
+
+    // Handler
+
+    const result = await internals.handler(request, request.route.settings.handler);
+    if (result._takeover ||
+        typeof result === 'symbol') {
+
+        return result;
+    }
+
+    request._setResponse(result);
+};
+
+
+internals.handler = async function (request, method, pre) {
+
+    const bind = request.route.settings.bind;
+    const realm = request.route.realm;
+    let response = await request._core.toolkit.execute(method, request, { bind, realm, continue: 'null' });
+
+    // Handler
+
+    if (!pre) {
+        if (response.isBoom) {
+            request._log(['handler', 'error'], response);
+            throw response;
+        }
+
+        return response;
+    }
+
+    // Pre
+
+    if (response.isBoom) {
+        response.assign = pre.assign;
+        response = await request._core.toolkit.failAction(request, pre.failAction, response, { tags: ['pre', 'error'], retain: true });
+    }
+
+    if (typeof response === 'symbol') {
+        return response;
+    }
+
+    if (pre.assign) {
+        request.pre[pre.assign] = (response.isBoom ? response : response.source);
+        request.preResponses[pre.assign] = response;
+    }
+
+    if (response._takeover) {
+        return response;
+    }
+};
+
+
+exports.defaults = function (method, handler, core) {
+
+    let defaults = null;
+
+    if (typeof handler === 'object') {
+        const type = Object.keys(handler)[0];
+        const serverHandler = core.decorations.handler.get(type);
+
+        Hoek.assert(serverHandler, 'Unknown handler:', type);
+
+        if (serverHandler.defaults) {
+            defaults = (typeof serverHandler.defaults === 'function' ? serverHandler.defaults(method) : serverHandler.defaults);
+        }
+    }
+
+    return defaults || {};
+};
+
+
+exports.configure = function (handler, route) {
+
+    if (typeof handler === 'object') {
+        const type = Object.keys(handler)[0];
+        const serverHandler = route._core.decorations.handler.get(type);
+
+        Hoek.assert(serverHandler, 'Unknown handler:', type);
+
+        return serverHandler(route.public, handler[type]);
+    }
+
+    return handler;
+};
+
+
+exports.prerequisitesConfig = function (config) {
+
+    if (!config) {
+        return null;
+    }
+
+    /*
+        [
+            [
+                function (request, h) { },
+                {
+                    method: function (request, h) { }
+                    assign: key1
+                },
+                {
+                    method: function (request, h) { },
+                    assign: key2
+                }
+            ],
+            {
+                method: function (request, h) { },
+                assign: key3
+            }
+        ]
+    */
+
+    const prerequisites = [];
+
+    for (let pres of config) {
+        pres = [].concat(pres);
+
+        const set = [];
+        for (let pre of pres) {
+            if (typeof pre !== 'object') {
+                pre = { method: pre };
+            }
+
+            const item = {
+                method: pre.method,
+                assign: pre.assign,
+                failAction: pre.failAction || 'error'
+            };
+
+            set.push(item);
+        }
+
+        prerequisites.push(set);
+    }
+
+    return prerequisites.length ? prerequisites : null;
+};

package/lib/headers.js

@@ -0,0 +1,187 @@
+'use strict';
+
+
+const Stream = require('stream');
+
+const Boom = require('@hapi/boom');
+
+
+const internals = {};
+
+
+exports.cache = function (response) {
+
+    const request = response.request;
+    if (response.headers['cache-control']) {
+        return;
+    }
+
+    const settings = request.route.settings.cache;
+    const policy = settings && request._route._cache && (settings._statuses.has(response.statusCode) || (response.statusCode === 304 && settings._statuses.has(200)));
+
+    if (policy ||
+        response.settings.ttl) {
+
+        const ttl = response.settings.ttl !== null ? response.settings.ttl : request._route._cache.ttl();
+        const privacy = request.auth.isAuthenticated || response.headers['set-cookie'] ? 'private' : settings.privacy || 'default';
+        response._header('cache-control', 'max-age=' + Math.floor(ttl / 1000) + ', must-revalidate' + (privacy !== 'default' ? ', ' + privacy : ''));
+    }
+    else if (settings) {
+        response._header('cache-control', settings.otherwise);
+    }
+};
+
+
+exports.content = async function (response) {
+
+    const request = response.request;
+    if (response._isPayloadSupported() ||
+        request.method === 'head') {
+
+        await response._marshal();
+
+        if (request.jsonp &&
+            response._payload.jsonp) {
+
+            response._header('content-type', 'text/javascript' + (response.settings.charset ? '; charset=' + response.settings.charset : ''));
+            response._header('x-content-type-options', 'nosniff');
+            response._payload.jsonp(request.jsonp);
+        }
+
+        if (response._payload.size &&
+            typeof response._payload.size === 'function') {
+
+            response._header('content-length', response._payload.size(), { override: false });
+        }
+
+        if (!response._isPayloadSupported()) {
+            response._close();                              // Close unused file streams
+            response._payload = new internals.Empty();      // Set empty stream
+        }
+
+        exports.type(response);
+    }
+    else {
+
+        // Set empty stream
+
+        response._close();                                  // Close unused file streams
+        response._payload = new internals.Empty();
+        delete response.headers['content-length'];
+    }
+};
+
+
+exports.state = async function (response) {
+
+    const request = response.request;
+    const states = [];
+
+    for (const stateName in request._states) {
+        states.push(request._states[stateName]);
+    }
+
+    try {
+        for (const name in request._core.states.cookies) {
+            const autoValue = request._core.states.cookies[name].autoValue;
+            if (!autoValue || name in request._states || name in request.state) {
+                continue;
+            }
+
+            if (typeof autoValue !== 'function') {
+                states.push({ name, value: autoValue });
+                continue;
+            }
+
+            const value = await autoValue(request);
+            states.push({ name, value });
+        }
+
+        if (!states.length) {
+            return;
+        }
+
+        let header = await request._core.states.format(states, request);
+        const existing = response.headers['set-cookie'];
+        if (existing) {
+            header = (Array.isArray(existing) ? existing : [existing]).concat(header);
+        }
+
+        response._header('set-cookie', header);
+    }
+    catch (err) {
+        const error = Boom.boomify(err);
+        request._log(['state', 'response', 'error'], error);
+        request._states = {};                                           // Clear broken state
+        throw error;
+    }
+};
+
+
+exports.type = function (response) {
+
+    const type = response.contentType;
+    if (type !== null && type !== response.headers['content-type']) {
+        response.type(type);
+    }
+};
+
+
+exports.entity = function (response) {
+
+    const request = response.request;
+
+    if (!request._entity) {
+        return;
+    }
+
+    if (request._entity.etag &&
+        !response.headers.etag) {
+
+        response.etag(request._entity.etag, { vary: request._entity.vary });
+    }
+
+    if (request._entity.modified &&
+        !response.headers['last-modified']) {
+
+        response.header('last-modified', request._entity.modified);
+    }
+};
+
+
+exports.unmodified = function (response) {
+
+    const request = response.request;
+    if (response.statusCode === 304) {
+        return;
+    }
+
+    const entity = {
+        etag: response.headers.etag,
+        vary: response.settings.varyEtag,
+        modified: response.headers['last-modified']
+    };
+
+    const etag = request._core.Response.unmodified(request, entity);
+    if (etag) {
+        response.code(304);
+
+        if (etag !== true) {                                // Override etag with incoming weak match
+            response.headers.etag = etag;
+        }
+    }
+};
+
+
+internals.Empty = class extends Stream.Readable {
+
+    _read(/* size */) {
+
+        this.push(null);
+    }
+
+    writeToStream(stream) {
+
+        stream.end();
+    }
+};

package/lib/index.js

@@ -0,0 +1,11 @@
+'use strict';
+
+const Server = require('./server');
+
+
+const internals = {};
+
+
+exports.Server = Server;
+
+exports.server = Server;