f

fengmk2 · fengmk2 · commit af085f0fb52d · 2025-01-16T00:33:42.000+08:00
diff --git a/package.json b/package.json
@@ -42,7 +42,6 @@
     "egg-path-matching": "^2.1.0",
     "escape-html": "^1.0.3",
     "extend": "^3.0.1",
-    "extend2": "^4.0.0",
     "koa-compose": "^4.1.0",
     "matcher": "^4.0.0",
     "nanoid": "^3.3.8",
@@ -55,6 +54,7 @@
     "@eggjs/mock": "^6.0.5",
     "@eggjs/tsconfig": "1",
     "@types/escape-html": "^1.0.4",
+    "@types/extend": "^3.0.4",
     "@types/koa-compose": "^3.2.8",
     "@types/mocha": "10",
     "@types/node": "22",
diff --git a/src/lib/middlewares/csp.ts b/src/lib/middlewares/csp.ts
@@ -1,6 +1,6 @@
-import { extend } from 'extend2';
+import extend from 'extend';
 import type { Context, Next } from '@eggjs/core';
-import * as utils from '../utils.js';
+import { checkIfIgnore } from '../utils.js';
 import type { SecurityConfig } from '../../types.js';
 
 const HEADER = [
@@ -23,10 +23,9 @@ export default (options: SecurityConfig['csp']) => {
       ...options,
       ...ctx.securityOptions.csp,
     };
-    if (utils.checkIfIgnore(opts, ctx)) return;
+    if (checkIfIgnore(opts, ctx)) return;
 
     let finalHeader;
-    let value;
     const matchedOption = extend(true, {}, opts.policy);
     const bufArray = [];
 
@@ -38,30 +37,30 @@ export default (options: SecurityConfig['csp']) => {
     }
 
     for (const key in matchedOption) {
-      value = matchedOption[key];
-      value = Array.isArray(value) ? value : [ value ];
-
+      const value = matchedOption[key];
       // Other arrays are splitted into strings EXCEPT `sandbox`
-      if (key === 'sandbox' && value[0] === true) {
+      // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
+      if (key === 'sandbox' && value === true) {
         bufArray.push(key);
       } else {
+        let values = (Array.isArray(value) ? value : [ value ]) as string[];
         if (key === 'script-src') {
-          const hasNonce = value.some(function(val) {
+          const hasNonce = values.some(function(val) {
             return val.indexOf('nonce-') !== -1;
           });
 
           if (!hasNonce) {
-            value.push('\'nonce-' + ctx.nonce + '\'');
+            values.push('\'nonce-' + ctx.nonce + '\'');
           }
         }
 
-        value = value.map(function(d) {
+        values = values.map(function(d) {
           if (d.startsWith('.')) {
             d = '*' + d;
           }
           return d;
         });
-        bufArray.push(key + ' ' + value.join(' '));
+        bufArray.push(key + ' ' + values.join(' '));
       }
     }
     const headerString = bufArray.join(';');
diff --git a/src/types.ts b/src/types.ts
@@ -221,7 +221,7 @@ export interface SecurityConfig {
      */
     enable: boolean;
     // https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#csp_overview
-    policy: Record<string, string | string[]>;
+    policy: Record<string, string | string[] | boolean>;
     /**
      * whether enable report only mode
      * Default to `undefined`
diff --git a/test/csp.test.ts b/test/csp.test.ts
@@ -1,34 +1,37 @@
-const { strict: assert } = require('node:assert');
-const mm = require('egg-mock');
+import { strict as assert } from 'node:assert';
+import { mm, MockApplication } from '@eggjs/mock';
 
-describe('test/csp.test.js', () => {
-  let app;
-  let app2;
-  let app3;
-  let app4;
+describe('test/csp.test.ts', () => {
+  let app: MockApplication;
+  let app2: MockApplication;
+  let app3: MockApplication;
+  let app4: MockApplication;
   before(async () => {
     app = mm.app({
       baseDir: 'apps/csp',
-      plugin: 'security',
     });
     await app.ready();
     app2 = mm.app({
       baseDir: 'apps/csp-ignore',
-      plugin: 'security',
     });
     await app2.ready();
     app3 = mm.app({
       baseDir: 'apps/csp-reportonly',
-      plugin: 'security',
     });
     await app3.ready();
     app4 = mm.app({
       baseDir: 'apps/csp-supportie',
-      plugin: 'security',
     });
     await app4.ready();
   });
 
+  after(async () => {
+    await app.close();
+    await app2.close();
+    await app3.close();
+    await app4.close();
+  });
+
   afterEach(mm.restore);
 
   describe('directives', () => {
@@ -84,9 +87,8 @@ describe('test/csp.test.js', () => {
       const nonce = res.text;
       const header = res.headers['content-security-policy'];
       const re_nonce = /nonce-([^']+)/;
-      header.match(re_nonce, function(_, match) {
-        assert.equal(nonce, match);
-      });
+      const m = re_nonce.exec(header);
+      assert.equal(nonce, m![1], header);
     });
 
     it('should have X-CSP-Nonce header', async () => {
diff --git a/test/fixtures/apps/csp-reportonly/app/router.js b/test/fixtures/apps/csp-reportonly/app/router.js
@@ -1,10 +1,8 @@
-'use strict';
-
 module.exports = function(app) {
-  app.get('/testcsp', function *(){
+  app.get('/testcsp', function(){
     this.body = this.nonce;
   });
-   app.get('/testcsp2', function *(){
+   app.get('/testcsp2', function(){
     this.body = this.nonce;
   });
 };
diff --git a/test/fixtures/apps/csp-supportie/config/config.js b/test/fixtures/apps/csp-supportie/config/config.js
@@ -1,5 +1,3 @@
-'use strict';
-
 exports.keys = 'test key';
 
 exports.security = {

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,3 @@`
`1`		`-'use strict';`
`2`		`-`
`3`	`1`	`exports.keys = 'test key';`
`4`	`2`
`5`	`3`	`exports.security = {`