Ecosyste.ms: OpenCollective

An open API service for software projects hosted on Open Collective.

github.com/eggjs/egg-security

Security plugin for egg, force performance too.
https://github.com/eggjs/egg-security

test: fix test case fail on Node.js 20 (#89)

52832ddbe05ff0657acea569b61a38790678bbb4 authored 12 months ago by fengmk2 <[email protected]>
Release 3.2.0

[skip ci]

## [3.2.0](https://github.com/eggjs/egg-security/compare/v3.1.0...v3.2.0) (2024-01-04...

9f469ec0f8952810c157397132f4d301ac5c64fd authored 12 months ago by semantic-release-bot <[email protected]>
feat: CSRF cookies allow the use of signatures (#88)

Co-authored-by: sullayang(杨金伟) <[email protected]>

da1b53222448bb646ad6fb1d726a6168a43eafcf authored 12 months ago by sullay <[email protected]>
Release 3.1.0

[skip ci]

## [3.1.0](https://github.com/eggjs/egg-security/compare/v3.0.0...v3.1.0) (2023-08-09...

7777aa8d63efa081504bef8e1d9ecb3a3a562273 authored over 1 year ago by semantic-release-bot <[email protected]>
feat: add a custom whitelist parameter to the `isSafeDomain()` function on context (#86)

Previously, `isSafeDomain()` took only one parameter, so the whitelist could not be customized.

To allow egg-cors and other plugins to reuse this function's logic, a second parameter is now added,
making it more flexible.

a1785525fc1acb5d0e329dd1446c3bc8b4f6e72f authored over 1 year ago by 一丝 <[email protected]>
Release 3.0.0

[skip ci]

## [3.0.0](https://github.com/eggjs/egg-security/compare/v2.11.0...v3.0.0) (2023-05-1...

17ccfb5449435306b0a1d5e6977ee9eabb10695c authored over 1 year ago by semantic-release-bot <[email protected]>
feat: upgrade deps to latest versions (#82)

BREAKING CHANGE: drop Node.js < 14 support

c3ca817eca2fa6a034f9402f6ad5c4a8e9194178 authored over 1 year ago by fengmk2 <[email protected]>
chore: auto release on action (#81)

6c5825cda637e2c502f7e066fa90c905592d2386 authored about 2 years ago by fengmk2 <[email protected]>
Release 2.11.0

f74c7dd7f5bb913052fa9b6d5434892b690773a6 authored over 2 years ago by TZ <[email protected]>
feat: csrf cookie support cookieOptions (#80)

b97b2b292d249eee69822baa8fe62da9161597d2 authored over 2 years ago by 大木匠贰 <[email protected]>
Release 2.10.1

742f3f2b2e2ae79a5ffd2785347c4ffcf16dd2b4 authored over 2 years ago by fengmk2 <[email protected]>
🐛 FIX: Add warning message on `false` value config (#79)

e.g.: [egg-security] Please use `config.security.csrf = { enable: false }` instead of `config.se...

4bb47419f0f9a8703401e0ee1f0b7d496519c587 authored over 2 years ago by fengmk2 <[email protected]>
📖 DOC: Add CONNECT method on CSRF default config

184d109dc0e83f2568bbfcf5837f4a8aadb9eff8 authored over 2 years ago by fengmk2 <[email protected]>
Release 2.10.0

6044cf7b3218aaa2839d1e51997d6a9f1c6fa27f authored over 2 years ago by fengmk2 <[email protected]>
🐛 FIX: Should detect all rules before ignore on CSRF (#78)

https://github.com/eggjs/egg-security/pull/78

59558faf0a5e0fca29f2703a65be91364f708867 authored over 2 years ago by fengmk2 <[email protected]>
feat: make csrf supported method configurable (#74)

The current version's csrf protection only doesn't support GET, and
supported methods aren't co...

2d1b28f94cee80f931d25d9b0905b2b2b10e195f authored over 2 years ago by Anemone95 <[email protected]>
deps: use nanoid@3 (#77)

closes https://github.com/eggjs/egg-security/pull/73

61a5543391d6a29050ddf12d39d3997811143852 authored over 2 years ago by fengmk2 <[email protected]>
Release 2.9.1

ff9fae1e399adeb828c643290729629957de0511 authored over 2 years ago by fengmk2 <[email protected]>
fix: should match script end tags like </script > (#76)

Create codeql-analysis.yml

https://github.com/eggjs/egg-security/security/code-scanning/1

0b3fb1ebd9107c555f15cc97722a5a390a98e1e5 authored over 2 years ago by fengmk2 <[email protected]>
🤖 TEST: Run ci on GitHub Action (#75)

1cde8178e0058136f62203752622efe02467fa3b authored over 2 years ago by fengmk2 <[email protected]>
Delete SECURITY.md

23fef7d3a4150afa4e001be186bc191c08878a75 authored about 3 years ago by fengmk2 <[email protected]>
docs: Add Security Policy

f6aeb977203db5686fe279d0e8b3ec1a64535e07 authored about 3 years ago by fengmk2 <[email protected]>
Release 2.9.0

31647057a9373cdc9ed30d25fcc9c2aa3c5163d2 authored over 3 years ago by dead-horse <[email protected]>
add ssrf.ipExceptionList (#70)

9d80e90d273a3ac24231d200ac248f44d1fbd822 authored over 3 years ago by shadyzoz <[email protected]>
docs: fix typos (#68)

79c38e001b431466361c711680d975eb0cfcb301 authored over 4 years ago by viko16 <[email protected]>
Release 2.8.0

3d64f0586078c26d2b28bacf3efec9427a9136d4 authored over 4 years ago by dead-horse <[email protected]>
feat: csrf support any, fix isSafeDomain bug (#67)

a9aff4ff75b343fc8b12248d304d3dba82f71bc1 authored over 4 years ago by Yiyu He <[email protected]>
feat: config.cookieName support array (#66)

beeded1901d77af65a9580e2e80027d71997fc52 authored over 4 years ago by Yiyu He <[email protected]>
test: content-length should not be an empty string

5bd471995ffdc93de146ae94e0644da15acb04a7 authored almost 5 years ago by pusongyang <[email protected]>
docs: typos & optimization (#63)

Co-authored-by: TZ | 天猪 <[email protected]>

def5bfa8a2139ca3e2f221ded0dc66d1b405d418 authored almost 5 years ago by 吖猩 <[email protected]>
Release 2.7.1

8c4639e36538deca2dd8fb845d95297be79f84ef authored about 5 years ago by fengmk2 <[email protected]>
fix(security): use new URL instead of url.parse (#62)

ef0e439ee743f3d8069f81eb8bf614f5564de932 authored about 5 years ago by Yiyu He <[email protected]>
Release 2.7.0

1dee165c5388b9085d4c5752d1b179607173e6f0 authored about 5 years ago by TZ <[email protected]>
feat: add escapeShellArg and escapeShellCmd (#60)

f03aeed246ca7dffc589d98b0dd4966700c4d90d authored about 5 years ago by p0sec <[email protected]>
style: fix document (#59)

22b155f63db42f880c4ac1ae1035ca1ad6ac6586 authored about 5 years ago by 刘放 <[email protected]>
Release 2.6.1

94fa49964a776e3d9977e66ff8b82329f519e5d9 authored over 5 years ago by wanghx <[email protected]>
fix: csrf false check (#58)

* fix: should not check type while csrf.enable is false

* feat: add pr template

b72a1eb5b9cfbfc9a8821d3b560f2402f12b709e authored over 5 years ago by 吖猩 <[email protected]>
Release 2.6.0

2e30af890cc78dda59d7773fcee668490ecb8c6c authored over 5 years ago by wanghx <[email protected]>
feat: csrf support referer type (#56)

a1b8e006feef717d8cc9767d001a48efa56fca79 authored over 5 years ago by 吖猩 <[email protected]>
chore: show contributors on README (#55)

189064406befc7e284f67eb22d95aa1d13079ee9 authored almost 6 years ago by fengmk2 <[email protected]>
Release 2.5.0

612d8783ec8368e8263b24e2ed3cda02dc591d33 authored almost 6 years ago by fengmk2 <[email protected]>
deps: update packs and ignore lock file (#54)

- Add 'package-lock.json' into the git ignore list.
- Update related packs.

4fcadc4d34f915333bd02264f49ccb28400bfb1f authored almost 6 years ago by Maledong <[email protected]>
test: use expectLog to assert log (#53)

make sure log assert is stable on Windows too

577224217e079fd6fe38b7a86401d99ddf03a22c authored almost 6 years ago by fengmk2 <[email protected]>
Release 2.4.3

f7445d043039d27dab10bd4518bad2df7234894b authored almost 6 years ago by dead-horse <[email protected]>
fix: make sure domain is a string before using it (#52)

avoid TypeError on isSafeDomain(null)

b80202ffde474e3ade09f6dc4b29a9bb925e4241 authored almost 6 years ago by fengmk2 <[email protected]>
Release 2.4.2

44c6e7b074116490f9b9a7e610f260e669425bb9 authored almost 6 years ago by dead-horse <[email protected]>
fix: fix referrer-policy enum check (#50)

ad21465b3a40f6c9e38fa58ba85b8e86eda47ca3 authored almost 6 years ago by Century Guo <[email protected]>
Release 2.4.1

6ba702416a72479b1c22701a0a257fe91804f3b4 authored about 6 years ago by TZ <[email protected]>
fix: shtml check domainWhiteList hostname get null (#49)

ec293ee7a66bd7a61dfa90c2b207950b45e7bfbc authored about 6 years ago by 豆糜 <[email protected]>
Release 2.4.0

edc94f9df718c42f86a0c3f5fb802b124e1ab116 authored over 6 years ago by dead-horse <[email protected]>
bug (methodnoallow): Fix for '`OPTIONS` not allowed' (#40)

57bc4d9bb1334e699f87306820a0e6bb42d6aed8 authored over 6 years ago by Maledong <[email protected]>
chore: improve npm scripts (#48)

8ead61eb38370b6dade6785bc945fbb32caedd63 authored over 6 years ago by Maledong <[email protected]>
doc (README.zh-CN.md, README.md): Fix typos and add missing trans (#45)

817d11462e43aee9986f3cd4b13acf9a1e70f7b9 authored over 6 years ago by Maledong <[email protected]>
Release 2.3.1

747248b90bdc26c87255342162a69b3f961af687 authored over 6 years ago by dead-horse <[email protected]>
chore (shtml,cliFilter,sjs,README): Modifications of files (#47)

9baf72ece4431b55eb85dd0daf4b8ace6ddb314e authored over 6 years ago by Maledong <[email protected]>
fix: preprocess config in app.js (#46)

8997866d5ff9d3aa445752be1d3b93ed94dc113b authored over 6 years ago by Yiyu He <[email protected]>
Release 2.3.0

156201061ee0567d14fdcb928624b5896cff1a79 authored over 6 years ago by dead-horse <[email protected]>
Fix: Make `domain` and `whiteList`, `protocalWhiteList` case insensitive

lower case

Change Logs:

1) securities.js:Add convert `whiteList` and `protocalWhiteList` t...

835eff54fb2fe159ce86cc810f714259ba988bca authored over 6 years ago by Maledong <[email protected]>
fix: use faster non-secure ID generator (#43)

81f757a291f1a8084c6b5e106de11f16a6ef1e0a authored over 6 years ago by Andrey Sitnik <[email protected]>
utils (isSafeDomain): Use `matcher` to check for a wild character of a (#42)

72e7ceb04e2d4ff2d65ebb8926aa938093da289c authored over 6 years ago by Maledong <[email protected]>
doc: Translate from Chinese into English for several files for their comments (#41)

Because there are still many comments in Chinese instead of in English,
we must translate them ...

a7035cfa7bea9e53be4227964836a1de79f7b75c authored over 6 years ago by Maledong <[email protected]>
Release 2.2.3

ca205990a63f6d37d07ccc5aee643629d1374736 authored over 6 years ago by fengmk2 <[email protected]>
fix: disable nosniff on redirect status (#38)

from status 300 ~ 308
see https://github.com/jshttp/statuses/blob/master/index.js#L30

b5e17410045cb36b68d2e4f897c60ea6841c0f42 authored over 6 years ago by fengmk2 <[email protected]>
Release 2.2.2

bef87dc8930f3ae9deb2583a368798916f5f7ba6 authored over 6 years ago by dead-horse <[email protected]>
fix: format illegal url (#36)

dbc9a445816d69ec59320b8f655d6e965a16edfb authored over 6 years ago by Yiyu He <[email protected]>
docs: update warning information for ignoreJSON (#35)

96761278b0f167c315af9d00842456aaa3a420fc authored over 6 years ago by Haoliang Gao <[email protected]>
Release 2.2.1

b6ebf6028e08f14d4ea6c05fd69b433d0338b7be authored over 6 years ago by popomore <[email protected]>
docs: fix SSRF link (#34)

e6e5e65034d314646bd5cf98303cce97fece86dd authored over 6 years ago by Haoliang Gao <[email protected]>
Release 2.2.0

21ba3591f1d866caacd299893f5f774f40045a4b authored over 6 years ago by dead-horse <[email protected]>
deps: add missing dependency ip

4f045a05da0db6c03f3578ee13aff3721f3ceec2 authored over 6 years ago by dead-horse <[email protected]>
feat: support safeCurl for SSRF protection (#32)

eba45551f6170761792389632bdaae2afcae57d0 authored over 6 years ago by Yiyu He <[email protected]>
fix: deprecate ignoreJSON (#30)

abc33d176f2ca832eddd42ae5967c25e0f91c97a authored over 6 years ago by Yiyu He <[email protected]>
Release 2.1.0

119725d926bfcf4d45030459a81b1e834b713fdc authored almost 7 years ago by fengmk2 <[email protected]>
feat: add RefererPolicy support (#27)

97f372c275cb3db99d4bdd86b19583464cdce4e3 authored almost 7 years ago by Adams <[email protected]>
chore: bump to 2.0.1

76bd83fbe96e7e81a3a0a61d182c5d7e480c7856 authored almost 7 years ago by jtyjty99999 <[email protected]>
fix: absolute path detection should ignore evil paths (#28)

223e1ba7ae7dcd53164adfbdf0850268a2025eb9 authored almost 7 years ago by fengmk2 <[email protected]>
Release 2.0.0

e341fc3caf4781606c7e081d243579745aa874ed authored about 7 years ago by dead-horse <[email protected]>
refactor: use async function and support egg@2 (#25)

0ec7d2f5af03c31623b9286125d74652ba596b8b authored about 7 years ago by Yiyu He <[email protected]>
Release 1.12.1

3fa64e1bec32ed5258c11b0211b3143a60999967 authored over 7 years ago by dead-horse <[email protected]>
fix(csrf): ignore JSON request even if body does not exist (#23)

870a7e2d26ad622a035e70565a9ca6830465326f authored over 7 years ago by Yiyu He <[email protected]>
Release 1.12.0

13381db03340e8990543d4827d35387aa0f2f104 authored over 7 years ago by dead-horse <[email protected]>
feat: make session plugin optional (#22)

5c21f64b2a0a9bd796f65fd9800585e958823f0b authored over 7 years ago by Yiyu He <[email protected]>
Release 1.11.0

4db1186d8dd66e2040442713a738e5c8594fd538 authored over 7 years ago by fengmk2 <[email protected]>
feat: add global path blocking to avoid directory traversal attack (#19)

closes https://github.com/eggjs/egg/issues/1049

87878a243870ddc2a786b6ccaffb0789b1342764 authored over 7 years ago by Adams <[email protected]>
Release 1.10.2

006298e63791fc3f9d4194953c3e6d171b58f3d5 authored over 7 years ago by fengmk2 <[email protected]>
fix: should not assert csrf when path match ignore (#20)

be6724c55d271d1a015047d21294a3c2ac1f86e9 authored over 7 years ago by Yiyu He <[email protected]>
Release 1.10.1

7aa4dc3e5a60e2245a1a9efd8e01cea7b312b108 authored over 7 years ago by popomore <[email protected]>
docs: fix License url (#18)

59c89232b2f20f733ae5f38de88d78534bc3ccc7 authored over 7 years ago by Haoliang Gao <[email protected]>
Release 1.10.0

dd9e3baa4c6e91ac3b09993f70c3b2f415174d4a authored over 7 years ago by dead-horse <[email protected]>
feat: config.security.csrf.cookieDomain can be function (#17)

d4560210902a8417d746702ba8edc8f6f75e644a authored over 7 years ago by fengmk2 <[email protected]>
Release 1.9.0

50608bfe2787aca398679a123627ee7658e6d3a0 authored over 7 years ago by shaoshuai0102 <[email protected]>
feat: use egg-path-matching to support fn (#15)

8f3f83d7ec170888b8c8f9139d1fc55d1c25562a authored over 7 years ago by Yiyu He <[email protected]>
Release 1.8.0

35c0c9d795163ea92384c296b3776d90e507b64d authored almost 8 years ago by dead-horse <[email protected]>
feat: support multiple query/body keys to validate csrf token (#14)

0072c0dedb36a41b08e91562fae3f79563fb3475 authored almost 8 years ago by Adams <[email protected]>
Release 1.7.0

814038bf38c58d318f77cc1ad71c79dde8acade2 authored almost 8 years ago by shaoshuai0102 <[email protected]>
feat: add ctx.rotateCsrfToken (#13)

* feat: add ctx.rotateCsrfToken

* test

b2f4cbe80ab2d96c19357e5e9c0e8d8e9418c3a4 authored almost 8 years ago by Yiyu He <[email protected]>
Release 1.6.0

84c41896b69d8e2fd057f957315f14e6aa019a25 authored almost 8 years ago by popomore <[email protected]>
refactor: add csrf faq url to error msg in local env (#12)

eggjs/egg#387

a22c09533b9dd08353caae4921957cb5cf01c4cd authored almost 8 years ago by Shawn <[email protected]>
Release: 1.5.0

f3b1d2ead7ecd864569b74bb29cbb67dc857359d authored almost 8 years ago by jtyjty99999 <[email protected]>
feat: surl support protocol whitelist (#11)

2d33f55546dcf4069bea5d1510d3237da0a574df authored almost 8 years ago by Adams <[email protected]>