f

Author: fengmk2

__snapshots__/csp.test.ts.js

@@ -55,10 +55,6 @@ exports['test/csp.test.ts should ignore path 1'] = {
     "value": "1; mode=block"
   },
   "csp": {
-    "ignore": [
-      "/api/",
-      {}
-    ],
     "enable": true,
     "policy": {
       "script-src": [
@@ -80,7 +76,11 @@ exports['test/csp.test.ts should ignore path 1'] = {
         "'self'"
       ],
       "report-uri": "http://pointman.domain.com/csp?app=csp"
-    }
+    },
+    "ignore": [
+      "/api/",
+      {}
+    ]
   },
   "referrerPolicy": {
     "enable": false,

__snapshots__/csrf.test.ts.js

@@ -1,8 +1,4 @@
 exports['test/csrf.test.ts should update form with csrf token 1'] = {
-  "ignore": [
-    {},
-    null
-  ],
   "enable": true,
   "type": "ctoken",
   "ignoreJSON": false,
@@ -30,7 +26,11 @@ exports['test/csrf.test.ts should update form with csrf token 1'] = {
     "signed": false,
     "httpOnly": false,
     "overwrite": true
-  }
+  },
+  "ignore": [
+    {},
+    null
+  ]
 }
 
 exports['test/csrf.test.ts apps/csrf-supported-requests-default-config should works without error because csrf = false override default config 1'] = {

__snapshots__/xss.test.ts.js

@@ -0,0 +1,4 @@
+exports['test/xss.test.ts should set X-XSS-Protection header value 0 when config is number 0 1'] = {
+  "enable": true,
+  "value": 0
+}

package.json

@@ -53,7 +53,7 @@
     "@arethetypeswrong/cli": "^0.17.1",
     "@eggjs/bin": "7",
     "@eggjs/mock": "^6.0.5",
-    "@eggjs/supertest": "^8.1.1",
+    "@eggjs/supertest": "^8.2.0",
     "@eggjs/tsconfig": "1",
     "@types/escape-html": "^1.0.4",
     "@types/extend": "^3.0.4",

src/app.ts

@@ -13,7 +13,11 @@ export default class AgentBoot implements ILifecycleBoot {
     const app = this.app;
     app.config.coreMiddleware.push('securities');
     // parse config and check if config is legal
-    app.config.security = SecurityConfig.parse(app.config.security);
+    const parsed = SecurityConfig.parse(app.config.security);
+    if (typeof app.config.security.csrf === 'boolean') {
+      // support old config: `config.security.csrf = false`
+      app.config.security.csrf = parsed.csrf;
+    }
 
     if (app.config.security.csrf.enable) {
       const { ignoreJSON } = app.config.security.csrf;

src/app/extend/agent.ts

@@ -1,6 +1,14 @@
 import { EggCore } from '@eggjs/core';
-import { safeCurlForApplication } from '../../lib/extend/safe_curl.js';
+import {
+  safeCurlForApplication,
+  type HttpClientRequestURL,
+  type HttpClientOptions,
+  type HttpClientResponse,
+} from '../../lib/extend/safe_curl.js';
 
 export default class SecurityAgent extends EggCore {
-  safeCurl = safeCurlForApplication;
+  async safeCurl<T = any>(
+    url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>> {
+    return await safeCurlForApplication<T>(this, url, options);
+  }
 }

src/app/extend/application.ts

@@ -1,5 +1,10 @@
 import { EggCore } from '@eggjs/core';
-import { safeCurlForApplication } from '../../lib/extend/safe_curl.js';
+import {
+  safeCurlForApplication,
+  type HttpClientRequestURL,
+  type HttpClientOptions,
+  type HttpClientResponse,
+} from '../../lib/extend/safe_curl.js';
 
 const INPUT_CSRF = '\r\n<input type="hidden" name="_csrf" value="{{ctx.csrf}}" /></form>';
 const INJECTION_DEFENSE = '<!--for injection--><!--</html>--><!--for injection-->';
@@ -30,14 +35,17 @@ export default class SecurityApplication extends EggCore {
     return INJECTION_DEFENSE + html + INJECTION_DEFENSE;
   }
 
-  safeCurl = safeCurlForApplication;
+  async safeCurl<T = any>(
+    url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>> {
+    return await safeCurlForApplication<T>(this, url, options);
+  }
 }
 
 declare module '@eggjs/core' {
   interface EggCore {
     injectCsrf(html: string): string;
     injectNonce(html: string): string;
     injectHijackingDefense(html: string): string;
-    safeCurl: typeof safeCurlForApplication;
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
   }
 }

src/app/extend/context.ts

@@ -6,7 +6,7 @@ import * as utils from '../../lib/utils.js';
 import type {
   HttpClientRequestURL,
   HttpClientOptions,
-  HttpClientRequestReturn,
+  HttpClientResponse,
 } from '../../lib/extend/safe_curl.js';
 import { SecurityConfig, SecurityHelperConfig } from '../../types.js';
 
@@ -258,8 +258,13 @@ export default class SecurityContext extends Context {
     }
   }
 
-  async safeCurl(url: HttpClientRequestURL, options?: HttpClientOptions): HttpClientRequestReturn {
-    return await this.app.safeCurl(url, options);
+  async safeCurl<T = any>(
+    url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>> {
+    return await this.app.safeCurl<T>(url, options);
+  }
+
+  unsafeRedirect(url: string, alt?: string) {
+    this.response.unsafeRedirect(url, alt);
   }
 }
 
@@ -272,6 +277,6 @@ declare module '@eggjs/core' {
     ensureCsrfSecret(rotate?: boolean): void;
     rotateCsrfSecret(): void;
     assertCsrf(): void;
-    safeCurl(url: HttpClientRequestURL, options?: HttpClientOptions): HttpClientRequestReturn;
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
   }
 }

src/app/extend/response.ts

@@ -20,7 +20,9 @@ export default class SecurityResponse extends KoaResponse {
    * ctx.unsafeRedirect('http://www.domain.com');
    * ```
    */
-  unsafeRedirect = unsafeRedirect;
+  unsafeRedirect(url: string, alt?: string) {
+    unsafeRedirect.call(this, url, alt);
+  }
 
   // app.response.unsafeRedirect = app.response.redirect;
   // delegate(app.context, 'response').method('unsafeRedirect');
@@ -48,7 +50,8 @@ export default class SecurityResponse extends KoaResponse {
 
     // if begin with '/', it means an internal jump
     if (url[0] === '/' && url[1] !== '\\') {
-      return this.unsafeRedirect(url, alt);
+      this.unsafeRedirect(url, alt);
+      return;
     }
 
     let urlObject: URL;

src/config/config.default.ts

@@ -1,4 +1,5 @@
 import z from 'zod';
+import { Context } from '@eggjs/core';
 
 const CSRFSupportRequestItem = z.object({
   path: z.instanceof(RegExp),
@@ -38,7 +39,7 @@ export type SecurityMiddlewareName = z.infer<typeof SecurityMiddlewareName>;
 /**
  * (ctx) => boolean
  */
-const IgnoreOrMatchHandler = z.function().args(z.any()).returns(z.boolean());
+const IgnoreOrMatchHandler = z.function().args(z.instanceof(Context)).returns(z.boolean());
 export type IgnoreOrMatchHandler = z.infer<typeof IgnoreOrMatchHandler>;
 
 const IgnoreOrMatch = z.union([
@@ -154,7 +155,7 @@ export const SecurityConfig = z.object({
     cookieDomain: z.union([
       z.string(),
       z.function()
-        .args(z.any())
+        .args(z.instanceof(Context))
         .returns(z.string()),
     ]).optional(),
     /**
@@ -278,7 +279,7 @@ export const SecurityConfig = z.object({
      *
      * Default to `'1; mode=block'`
      */
-    value: z.string().default('1; mode=block'),
+    value: z.coerce.string().default('1; mode=block'),
   }).default({}),
   /**
    * content security policy config