From a1785525fc1acb5d0e329dd1446c3bc8b4f6e72f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=80=E4=B8=9D?= Date: Wed, 9 Aug 2023 21:24:02 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20context=20=E4=B8=AD=E7=9A=84=20`isSafeD?= =?UTF-8?q?omain()`=20=E5=87=BD=E6=95=B0=E5=A2=9E=E5=8A=A0=E8=87=AA?= =?UTF-8?q?=E5=AE=9A=E4=B9=89=E7=99=BD=E5=90=8D=E5=8D=95=E5=8F=82=E6=95=B0?= =?UTF-8?q?=20(#86)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 此前,`isSafeDomain()` 只有一个参数,无法自定义白名单。 为了在 egg-cors 或其他插件中可以复用该函数的逻辑,现在增加第二个参数, 使其更加灵活。 --- app/extend/context.js | 7 ++- test/context.test.js | 31 +++++++++++ .../apps/isSafeDomain-custom/app/router.js | 54 +++++++++++++++++++ .../apps/isSafeDomain-custom/config/config.js | 8 +++ .../apps/isSafeDomain-custom/package.json | 3 ++ 5 files changed, 101 insertions(+), 2 deletions(-) create mode 100644 test/context.test.js create mode 100755 test/fixtures/apps/isSafeDomain-custom/app/router.js create mode 100755 test/fixtures/apps/isSafeDomain-custom/config/config.js create mode 100755 test/fixtures/apps/isSafeDomain-custom/package.json diff --git a/app/extend/context.js b/app/extend/context.js index ab74748..d687d94 100644 --- a/app/extend/context.js +++ b/app/extend/context.js 
@@ -38,11 +38,14 @@ module.exports = {
 /**
 * Check whether the specific `domain` is in / matches the whiteList or not.
 * @param {string} domain The assigned domain.
+ * @param {Array} customWhiteList The custom white list for domain.
 * @return {boolean} If the domain is in / matches the whiteList, return true;
 * otherwise false.
 */
- isSafeDomain(domain) {
- const domainWhiteList = this.app.config.security.domainWhiteList;
+ // TODO: add customWhiteList option document.
+ isSafeDomain(domain, customWhiteList) {
+ const domainWhiteList = customWhiteList && customWhiteList.length > 0 ? customWhiteList : this.app.config.security.domainWhiteList;
+ // const domainWhiteList = this.app.config.security.domainWhiteList;
 return utils.isSafeDomain(domain, domainWhiteList);
 },
diff --git a/test/context.test.js b/test/context.test.js
new file mode 100644
index 0000000..b8c7a52
--- /dev/null
+++ b/test/context.test.js
@@ -0,0 +1,31 @@
+const { strict: assert } = require('node:assert');
+const mm = require('egg-mock');
+
+describe('test/context.test.js', () => {
+ afterEach(mm.restore);
+ describe('context.isSafeDomain', () => {
+ let app;
+ before(() => {
+ app = mm.app({
+ baseDir: 'apps/isSafeDomain-custom',
+ });
+ return app.ready();
+ });
+
+ it('should return false when domains are not safe', async () => {
+ const res = await app.httpRequest()
+ .get('/unsafe')
+ .set('accept', 'text/html')
+ .expect(200);
+ assert(res.text === 'false');
+ });
+
+ it('should return true when domains are safe', async () => {
+ const res = await app.httpRequest()
+ .get('/safe')
+ .set('accept', 'text/html')
+ .expect(200);
+ assert(res.text === 'true');
+ });
+ });
+});
diff --git a/test/fixtures/apps/isSafeDomain-custom/app/router.js b/test/fixtures/apps/isSafeDomain-custom/app/router.js
new file mode 100755
index 0000000..8a54181
--- /dev/null
+++ b/test/fixtures/apps/isSafeDomain-custom/app/router.js
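Review bot: An explicitly empty `customWhiteList` silently falls back to the global `config.security.domainWhiteList` at the new `const domainWhiteList = …` line, so a caller that passes `[]` to mean "allow nothing" gets the broader application list instead — fail-open for exactly the plugin-reuse case the commit is written for. The `length > 0` check also accepts a non-empty string, which then reaches `utils.isSafeDomain` as the list; what that helper does with a string is not visible here. I would make the contract explicit: `if (customWhiteList != null && !Array.isArray(customWhiteList)) throw new TypeError('customWhiteList must be an array');` followed by `const domainWhiteList = customWhiteList == null ? this.app.config.security.domainWhiteList : customWhiteList;`, and mark the parameter optional in the JSDoc as `@param {Array} [customWhiteList] Custom white list; when omitted, config.security.domainWhiteList is used.` The commented-out `// const domainWhiteList …` line and the `// TODO` should go before merge. The enclosing `module.exports` object starts before the hunk.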
@@ -0,0 +1,54 @@
+module.exports = function (app) {
+ const customWhiteList = [
+ '*.foo.com',
+ '*.bar.net',
+ ];
+
+ app.get('/unsafe', async function() {
+ const unsafeDomains = [
+ // unsafe
+ 'aAa-domain.com',
+ '192.1.168.0',
+ 'http://www.baidu.com/zh-CN',
+ 'www.alimama.com',
+ 'foo.com.cn',
+ 'a.foo.com.cn',
+
+ // safe
+ 'pre-www.foo.com',
+ 'pre-www.bar.net',
+ ];
+ let unsafeCounter = 0;
+ for (let unsafeDomain of unsafeDomains) {
+ if (!this.isSafeDomain(unsafeDomain, customWhiteList)) {
+ unsafeCounter++;
+ }
+ }
+
+ this.body = unsafeCounter === 6 ? false : true;
+ });
+
+ app.get('/safe', async function() {
+ const safeDomains = [
+ 'a.foo.com',
+ 'a.b.foo.com',
+ 'a.b.c.foo.com',
+ 'pre-www.foo.com',
+ 'test.pre-www.foo.com',
+ 'a.bar.net',
+ 'a.b.bar.net',
+ 'a.b.c.bar.net',
+ 'pre-www.bar.net',
+ 'test.pre-www.bar.net',
+ ];
+ let safeCounter = 0;
+
+ for (const safeDomain of safeDomains) {
+ if (this.isSafeDomain(safeDomain, customWhiteList)) {
+ safeCounter++;
+ }
+ }
+
+ this.body = safeCounter === 10;
+ });
+};
diff --git a/test/fixtures/apps/isSafeDomain-custom/config/config.js b/test/fixtures/apps/isSafeDomain-custom/config/config.js
new file mode 100755
index 0000000..f0f97a3
--- /dev/null
+++ b/test/fixtures/apps/isSafeDomain-custom/config/config.js
@@ -0,0 +1,8 @@
+'use strict';
+
+exports.keys = 'test key';
+
+exports.security = {
+ defaultMiddleware: 'xframe',
+ domainWhiteList: ['.domain.com', 'http://www.baidu.com', '192.*.0.*', '*.alibaba.com'],
+};
diff --git a/test/fixtures/apps/isSafeDomain-custom/package.json b/test/fixtures/apps/isSafeDomain-custom/package.json
new file mode 100755
index 0000000..c68ab7a
--- /dev/null
+++ b/test/fixtures/apps/isSafeDomain-custom/package.json
@@ -0,0 +1,3 @@
+{
+ "name": "isSafeDomain"
+}
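Review bot: The `/unsafe` fixture never proves that a custom list replaces the configured one rather than extending it: as far as can be told here none of its entries matches a pattern in the fixture config's `domainWhiteList` (`.domain.com`, `*.alibaba.com`, `192.*.0.*`, `http://www.baidu.com`), so an implementation that merged both lists would still pass. Adding entries such as `'www.alibaba.com'` and `'sub.domain.com'` to `unsafeDomains` and raising the expected count accordingly would pin the isolation between the two lists, which is the security property this feature depends on. Encoding the outcome as `this.body = unsafeCounter === 6 ? false : true;` also hides which entry regressed; returning the entries that were judged safe, e.g. `this.body = unsafeDomains.filter(d => this.isSafeDomain(d, customWhiteList));`, and asserting on that array in the test would make a failure readable. Neither route exercises the empty-list fallback, so the `[]` behaviour of `isSafeDomain` is untested. `for (let unsafeDomain …)` should use `const` like the `/safe` loop does.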