eggjs / egg-security

Security plugin for egg, force performance too.
MIT License

domainWhiteList supports wildcard character(*) #26

Closed codefine closed 6 years ago

codefine commented 6 years ago

Add a wildcard character (*) rule to domainWhiteList.


The config.security.domainWhiteList can be written like below:

config.security = {
    domainWhiteList: [
        'http://192.168.1.100:8080', // normal string rule
        '192.168.1.*', // will be converted to a RegExp rule
        '192.168.2.100:*', // will be converted to a RegExp rule
        '*.somesite.com' // will be converted to a RegExp rule
    ]
};

It helps greatly with client-server-separation development when using egg.

codecov-io commented 6 years ago

Codecov Report

Merging #26 into master will increase coverage by 0.02%. The diff coverage is 100%.


@@            Coverage Diff            @@
##           master     #26      +/-   ##
=========================================
+ Coverage   95.88%   95.9%   +0.02%     
=========================================
  Files          26      26              
  Lines         437     440       +3     
=========================================
+ Hits          419     422       +3     
  Misses         18      18
Impacted Files    Coverage Δ
lib/utils.js      77.08% <100%> (+1.52%)


dead-horse commented 6 years ago

Use a wildcard library like https://github.com/sindresorhus/matcher

codefine commented 6 years ago

@dead-horse The source file uses endsWith for the check; this module would have to be embedded into the source file, right?


// utils.js
const matcher = require('matcher');

exports.isSafeDomain = function isSafeDomain(domain, domain_white_list) {
  // add prefix `.`, because all domains in the white list start with `.`
  const hostname = '.' + domain;
  return domain_white_list.some(function(rule) {
    // return matcher.isMatch(hostname, rule); // used directly, the 'should return true when domain is save' test case's res.text.should.equal('true') returns false
    // no `g` flag here: a global RegExp keeps lastIndex between test() calls and alternates results
    if (/\*/.test(rule)) {
      return matcher.isMatch(hostname, rule);
    }
    return hostname.endsWith(rule);
  });
};

// utils.test.js
require('should');
const utils = require('./utils');

const domainWhiteList = [ '111.222.1.*' ];
utils.isSafeDomain('111.222.1.3', domainWhiteList).should.equal(true); // false

The simple logic I added already meets the requirement, and matcher's `!` (negation) feature conflicts with whitelist semantics, so it would not be used anyway.

Our project separates frontend and backend. During development we need to add all LAN IPs to the whitelist, which means setting 192.168.1.*; at release time we need to add all second-level domains to the whitelist, which means setting *.somedomain.com. It may also be that my understanding is lacking and this can be done without modifying the source; if so, please give me some pointers, dead-horse. Thanks 🙏.

atian25 commented 6 years ago

ping @jtyjty99999

dead-horse commented 6 years ago

Check whether the rule contains a wildcard character: if it does, handle it with the wildcard library, otherwise keep using the original endsWith.

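One dependency-free way to implement dead-horse's suggestion, as an added example that is neither the plugin's code nor the contents of PR #42: rules containing `*` are compiled to an anchored RegExp with literal dots escaped, and plain rules keep the endsWith check. It assumes plain rules are normalized with a leading `.` (an assumption of this example, not verified against the plugin); the anchoring and escaping are what keep `192x168x1x5` or `somesite.com.other.tld` from slipping through a wildcard rule.

```javascript
'use strict';

// Escape RegExp metacharacters so a literal "." in a rule matches only ".".
function escapeRegExp(str) {
  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Compile a whitelist rule such as '192.168.1.*' or '*.somesite.com' into an
// anchored RegExp. Each '*' matches one or more characters other than '/',
// so '*.somesite.com' also accepts nested subdomains like 'a.b.somesite.com'.
// Anchoring rejects 'somesite.com.other.tld'; escaping rejects '192x168x1x5'.
function wildcardToRegExp(rule) {
  const pattern = rule.split('*').map(escapeRegExp).join('[^/]+');
  return new RegExp('^' + pattern + '$');
}

function isSafeDomain(domain, domainWhiteList) {
  return domainWhiteList.some(rule => {
    if (rule.includes('*')) {
      // Wildcard rule: test the host as given. Prefixing it with '.' is what
      // made matcher.isMatch return false for '111.222.1.*' in the thread.
      return wildcardToRegExp(rule).test(domain);
    }
    // Plain rule: original endsWith behaviour. Both sides carry a leading '.'
    // (assumed normalization), so 'somesite.com' accepts 'api.somesite.com'
    // and 'somesite.com' itself, but not 'evilsomesite.com'.
    const normalizedRule = rule.startsWith('.') ? rule : '.' + rule;
    return ('.' + domain).endsWith(normalizedRule);
  });
}

// Constructed sample checks (not from the project's test suite).
const samples = [
  ['111.222.1.3', ['111.222.1.*']],          // true
  ['111x222x1x3', ['111.222.1.*']],          // false: dots are literal
  ['somesite.com.other.tld', ['*.somesite.com']], // false: anchored
  ['evilsomesite.com', ['somesite.com']],    // false: '.' boundary kept
];
for (const [host, rules] of samples) {
  console.log(host, '->', isSafeDomain(host, rules));
}
```
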
ghost commented 6 years ago

@dead-horse: This has been merged and fixed. So close this :)

atian25 commented 6 years ago

@Maledong has this feature landed? Which PR?

ghost commented 6 years ago

@atian25: https://github.com/eggjs/egg-security/pull/42