f

__snapshots__/csp.test.ts.js

@@ -55,10 +55,6 @@ exports['test/csp.test.ts should ignore path 1'] = {
     "value": "1; mode=block"
   },
   "csp": {
-    "ignore": [
-      "/api/",
-      {}
-    ],
     "enable": true,
     "policy": {
       "script-src": [
@@ -80,7 +76,11 @@ exports['test/csp.test.ts should ignore path 1'] = {
         "'self'"
       ],
       "report-uri": "http://pointman.domain.com/csp?app=csp"
-    }
+    },
+    "ignore": [
+      "/api/",
+      {}
+    ]
   },
   "referrerPolicy": {
     "enable": false,

__snapshots__/csrf.test.ts.js

@@ -1,8 +1,4 @@
 exports['test/csrf.test.ts should update form with csrf token 1'] = {
-  "ignore": [
-    {},
-    null
-  ],
   "enable": true,
   "type": "ctoken",
   "ignoreJSON": false,
@@ -30,7 +26,11 @@ exports['test/csrf.test.ts should update form with csrf token 1'] = {
     "signed": false,
     "httpOnly": false,
     "overwrite": true
-  }
+  },
+  "ignore": [
+    {},
+    null
+  ]
 }
 
 exports['test/csrf.test.ts apps/csrf-supported-requests-default-config should works without error because csrf = false override default config 1'] = {

__snapshots__/xss.test.ts.js

@@ -0,0 +1,4 @@
+exports['test/xss.test.ts should set X-XSS-Protection header value 0 when config is number 0 1'] = {
+  "enable": true,
+  "value": 0
+}

package.json

@@ -53,7 +53,7 @@
     "@arethetypeswrong/cli": "^0.17.1",
     "@eggjs/bin": "7",
     "@eggjs/mock": "^6.0.5",
-    "@eggjs/supertest": "^8.1.1",
+    "@eggjs/supertest": "^8.2.0",
     "@eggjs/tsconfig": "1",
     "@types/escape-html": "^1.0.4",
     "@types/extend": "^3.0.4",

src/app.ts

@@ -13,7 +13,11 @@ export default class AgentBoot implements ILifecycleBoot {
     const app = this.app;
     app.config.coreMiddleware.push('securities');
     // parse config and check if config is legal
-    app.config.security = SecurityConfig.parse(app.config.security);
+    const parsed = SecurityConfig.parse(app.config.security);
+    if (typeof app.config.security.csrf === 'boolean') {
+      // support old config: `config.security.csrf = false`
+      app.config.security.csrf = parsed.csrf;
+    }
 
     if (app.config.security.csrf.enable) {
       const { ignoreJSON } = app.config.security.csrf;

src/app/extend/agent.ts

@@ -1,6 +1,14 @@
 import { EggCore } from '@eggjs/core';
-import { safeCurlForApplication } from '../../lib/extend/safe_curl.js';
+import {
+  safeCurlForApplication,
+  type HttpClientRequestURL,
+  type HttpClientOptions,
+  type HttpClientResponse,
+} from '../../lib/extend/safe_curl.js';
 
 export default class SecurityAgent extends EggCore {
-  safeCurl = safeCurlForApplication;
+  async safeCurl<T = any>(
+    url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>> {
+    return await safeCurlForApplication<T>(this, url, options);
+  }
 }

src/app/extend/application.ts

@@ -1,5 +1,10 @@
 import { EggCore } from '@eggjs/core';
-import { safeCurlForApplication } from '../../lib/extend/safe_curl.js';
+import {
+  safeCurlForApplication,
+  type HttpClientRequestURL,
+  type HttpClientOptions,
+  type HttpClientResponse,
+} from '../../lib/extend/safe_curl.js';
 
 const INPUT_CSRF = '\r\n<input type="hidden" name="_csrf" value="{{ctx.csrf}}" /></form>';
 const INJECTION_DEFENSE = '<!--for injection--><!--</html>--><!--for injection-->';
@@ -30,14 +35,17 @@ export default class SecurityApplication extends EggCore {
     return INJECTION_DEFENSE + html + INJECTION_DEFENSE;
   }
 
-  safeCurl = safeCurlForApplication;
+  async safeCurl<T = any>(
+    url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>> {
+    return await safeCurlForApplication<T>(this, url, options);
+  }
 }
 
 declare module '@eggjs/core' {
   interface EggCore {
     injectCsrf(html: string): string;
     injectNonce(html: string): string;
     injectHijackingDefense(html: string): string;
-    safeCurl: typeof safeCurlForApplication;
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
   }
 }

src/app/extend/context.ts

@@ -6,7 +6,7 @@ import * as utils from '../../lib/utils.js';
 import type {
   HttpClientRequestURL,
   HttpClientOptions,
-  HttpClientRequestReturn,
+  HttpClientResponse,
 } from '../../lib/extend/safe_curl.js';
 import { SecurityConfig, SecurityHelperConfig } from '../../types.js';
 
@@ -258,8 +258,13 @@ export default class SecurityContext extends Context {
     }
   }
 
-  async safeCurl(url: HttpClientRequestURL, options?: HttpClientOptions): HttpClientRequestReturn {
-    return await this.app.safeCurl(url, options);
+  async safeCurl<T = any>(
+    url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>> {
+    return await this.app.safeCurl<T>(url, options);
+  }
+
+  unsafeRedirect(url: string, alt?: string) {
+    this.response.unsafeRedirect(url, alt);
   }
 }
 
@@ -272,6 +277,6 @@ declare module '@eggjs/core' {
     ensureCsrfSecret(rotate?: boolean): void;
     rotateCsrfSecret(): void;
     assertCsrf(): void;
-    safeCurl(url: HttpClientRequestURL, options?: HttpClientOptions): HttpClientRequestReturn;
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
   }
 }

src/app/extend/response.ts

@@ -20,7 +20,9 @@ export default class SecurityResponse extends KoaResponse {
    * ctx.unsafeRedirect('http://www.domain.com');
    * ```
    */
-  unsafeRedirect = unsafeRedirect;
+  unsafeRedirect(url: string, alt?: string) {
+    unsafeRedirect.call(this, url, alt);
+  }
 
   // app.response.unsafeRedirect = app.response.redirect;
   // delegate(app.context, 'response').method('unsafeRedirect');
@@ -48,7 +50,8 @@ export default class SecurityResponse extends KoaResponse {
 
     // if begin with '/', it means an internal jump
     if (url[0] === '/' && url[1] !== '\\') {
-      return this.unsafeRedirect(url, alt);
+      this.unsafeRedirect(url, alt);
+      return;
     }
 
     let urlObject: URL;

src/config/config.default.ts

@@ -1,4 +1,5 @@
 import z from 'zod';
+import { Context } from '@eggjs/core';
 
 const CSRFSupportRequestItem = z.object({
   path: z.instanceof(RegExp),
@@ -38,7 +39,7 @@ export type SecurityMiddlewareName = z.infer<typeof SecurityMiddlewareName>;
 /**
  * (ctx) => boolean
  */
-const IgnoreOrMatchHandler = z.function().args(z.any()).returns(z.boolean());
+const IgnoreOrMatchHandler = z.function().args(z.instanceof(Context)).returns(z.boolean());
 export type IgnoreOrMatchHandler = z.infer<typeof IgnoreOrMatchHandler>;
 
 const IgnoreOrMatch = z.union([
@@ -154,7 +155,7 @@ export const SecurityConfig = z.object({
     cookieDomain: z.union([
       z.string(),
       z.function()
-        .args(z.any())
+        .args(z.instanceof(Context))
         .returns(z.string()),
     ]).optional(),
     /**
@@ -278,7 +279,7 @@ export const SecurityConfig = z.object({
      *
      * Default to `'1; mode=block'`
      */
-    value: z.string().default('1; mode=block'),
+    value: z.coerce.string().default('1; mode=block'),
   }).default({}),
   /**
    * content security policy config

src/lib/extend/safe_curl.ts

@@ -7,32 +7,29 @@ type HttpClient = EggCore['HttpClient'];
 type HttpClientParameters = Parameters<HttpClient['prototype']['request']>;
 export type HttpClientRequestURL = HttpClientParameters[0];
 export type HttpClientOptions = HttpClientParameters[1] & { checkAddress?: SSRFCheckAddressFunction };
-export type HttpClientRequestReturn = ReturnType<HttpClient['prototype']['request']>;
+export type HttpClientResponse<T = any> = Awaited<ReturnType<HttpClient['prototype']['request']>> & { data: T };
 
 /**
- * safe curl with ssrf protect
- * @param {String} url request url
- * @param {Object} options request options
- * @return {Promise} response
+ * safe curl with ssrf protection
  */
-export async function safeCurlForApplication(this: EggCore, url: HttpClientRequestURL, options: HttpClientOptions = {}): HttpClientRequestReturn {
-  const ssrfConfig = this.config.security.ssrf;
+export async function safeCurlForApplication<T = any>(app: EggCore, url: HttpClientRequestURL, options: HttpClientOptions = {}) {
+  const ssrfConfig = app.config.security.ssrf;
   if (ssrfConfig?.checkAddress) {
     options.checkAddress = ssrfConfig.checkAddress;
   } else {
-    this.logger.warn('[@eggjs/security] please configure `config.security.ssrf` first');
+    app.logger.warn('[@eggjs/security] please configure `config.security.ssrf` first');
   }
 
   if (ssrfConfig?.checkAddress) {
-    let httpClient = this[SSRF_HTTPCLIENT] as ReturnType<EggCore['createHttpClient']>;
+    let httpClient = app[SSRF_HTTPCLIENT] as ReturnType<EggCore['createHttpClient']>;
     // use the new httpClient init with checkAddress
     if (!httpClient) {
-      httpClient = this[SSRF_HTTPCLIENT] = this.createHttpClient({
+      httpClient = app[SSRF_HTTPCLIENT] = app.createHttpClient({
         checkAddress: ssrfConfig.checkAddress,
       });
     }
-    return await httpClient.request(url, options);
+    return await httpClient.request<T>(url, options);
   }
 
-  return await this.curl(url, options);
+  return await app.curl<T>(url, options);
 }

src/lib/middlewares/methodnoallow.ts

@@ -1,7 +1,7 @@
 import { METHODS } from 'node:http';
 import type { Context, Next } from '@eggjs/core';
 
-const METHODS_NOT_ALLOWED = [ 'trace', 'track' ];
+const METHODS_NOT_ALLOWED = [ 'TRACE', 'TRACK' ];
 const safeHttpMethodsMap: Record<string, boolean> = {};
 
 for (const method of METHODS) {

src/lib/middlewares/referrerPolicy.ts

@@ -21,6 +21,10 @@ export default (options: SecurityConfig['referrerPolicy']) => {
 
     const opts = {
       ...options,
+      // check refererPolicy for backward compatibility
+      // typo on the old version
+      // @see https://github.com/eggjs/security/blob/e3408408adec5f8d009d37f75126ed082481d0ac/lib/middlewares/referrerPolicy.js#L21C59-L21C72
+      ...(ctx.securityOptions as any).refererPolicy,
       ...ctx.securityOptions.referrerPolicy,
     };
     if (checkIfIgnore(opts, ctx)) return;

src/lib/utils.ts

@@ -1,6 +1,6 @@
 import { normalize } from 'node:path';
 import matcher from 'matcher';
-import * as IP from '@eggjs/ip';
+import IP from '@eggjs/ip';
 import { Context } from '@eggjs/core';
 import type { PathMatchingFun } from 'egg-path-matching';
 import { SecurityConfig } from '../types.js';

test/fixtures/apps/hsts-nosub/app/router.js

@@ -1,7 +1,5 @@
-'use strict';
-
 module.exports = function(app) {
-  app.get('/', function *(){
+  app.get('/', function(){
     this.body = '123';
   });
 };

test/fixtures/apps/noopen/app/router.js

@@ -1,12 +1,10 @@
-'use strict';
-
 module.exports = function(app) {
-  app.get('/', function *(){
+  app.get('/', function(){
     this.body = '123';
   });
 
-  app.get('/disable', function *(){
+  app.get('/disable', function(){
     this.securityOptions.noopen = { enable: false };
     this.body = '123';
   });
-};
+};

test/fixtures/apps/nosniff/app/router.js

@@ -1,25 +1,23 @@
-'use strict';
-
 module.exports = function(app) {
-  app.get('/', function *(){
+  app.get('/', function() {
     this.body = '123';
   });
 
-  app.get('/disable', function *(){
+  app.get('/disable', function() {
     this.securityOptions.nosniff = { enable: false };
     this.body = '123';
   });
 
-  app.get('/redirect', function *(){
+  app.get('/redirect', function() {
     this.redirect('/');
   });
 
-  app.get('/redirect301', function *(){
+  app.get('/redirect301', function() {
     this.status = 301;
     this.redirect('/');
   });
 
-  app.get('/redirect307', function *(){
+  app.get('/redirect307', function() {
     this.status = 307;
     this.redirect('/');
   });

test/fixtures/apps/referrer-config-compatibility/app/router.js

@@ -0,0 +1,13 @@
+module.exports = function(app) {
+  app.get('/', function() {
+    this.body = '123';
+  });
+  app.get('/referrer', function() {
+    const policy = this.query.policy;
+    this.body = '123';
+    this.securityOptions.refererPolicy = {
+      enable: true,
+      value: policy
+    }
+  });
+};

test/fixtures/apps/referrer-config-compatibility/config/config.js

@@ -0,0 +1,11 @@
+'use strict';
+
+exports.keys = 'test key';
+
+exports.security = {
+  defaultMiddleware: 'referrerPolicy',
+  referrerPolicy: {
+    value: 'origin',
+    enable: true
+  },
+};

test/fixtures/apps/referrer-config-compatibility/package.json

@@ -0,0 +1,3 @@
+{
+  "name": "referrer-config"
+}

test/fixtures/apps/referrer-config/app/router.js

@@ -1,15 +1,13 @@
-'use strict';
-
 module.exports = function(app) {
-  app.get('/', function *(){
+  app.get('/', function() {
     this.body = '123';
   });
-  app.get('/referrer', function *(){
+  app.get('/referrer', function() {
     const policy = this.query.policy;
     this.body = '123';
-    this.securityOptions.refererPolicy = {
+    this.securityOptions.referrerPolicy = {
       enable: true,
       value: policy
     }
   });
-};
+};

test/fixtures/apps/referrer/app/router.js

@@ -1,7 +1,5 @@
-'use strict';
-
 module.exports = function(app) {
-  app.get('/', function *(){
+  app.get('/', function(){
     this.body = '123';
   });
-};
+};