nodesi - npm Package Compare versions
Comparing version 1.6.4 to 1.7.0
| 'use strict'; | ||
| const AllowedHosts = require('./allowed-hosts'); | ||
| const DataProvider = require('./data-provider'); | ||
@@ -13,2 +14,4 @@ const Logger = require('./logger'); | ||
| const logger = new Logger(config); | ||
| const allowedHosts = (typeof config.allowedHosts === 'object') ? config.allowedHosts : | ||
| new AllowedHosts(config, logger); | ||
@@ -115,3 +118,11 @@ function processHtmlText(html, options, state) { | ||
| return dataProvider.get(src, options) | ||
| return Promise.resolve() | ||
| .then(() => { | ||
| if(!allowedHosts.includes(src)) { | ||
| const err = new Error(`${src} is not included in allowedHosts or baseUrl.`); | ||
| err.blocked = true; | ||
| throw err; | ||
| } | ||
| }) | ||
| .then(() => dataProvider.get(src, options)) | ||
| .then(result => result.body) | ||
@@ -118,0 +129,0 @@ .catch(error => handleError(src, error)); |
| { | ||
| "name": "nodesi", | ||
| "version": "1.6.4", | ||
| "version": "1.7.0", | ||
| "description": "ESI: the good parts in node.js", | ||
@@ -8,2 +8,3 @@ "main": "esi.js", | ||
| "test": "mocha test/*.js", | ||
| "test:debug": "mocha --inspect-brk test/*.js", | ||
| "coverage": "istanbul cover node_modules/mocha/bin/_mocha -- --recursive", | ||
@@ -13,3 +14,3 @@ "perf": "node perf.js" | ||
| "engines": { | ||
| "node": ">=6.0.0" | ||
| "node": ">=8.0.0" | ||
| }, | ||
@@ -25,3 +26,3 @@ "dependencies": { | ||
| "istanbul": "0.4.5", | ||
| "mocha": "2.5.3" | ||
| "mocha": "3.3.0" | ||
| }, | ||
@@ -28,0 +29,0 @@ "keywords": [ |
@@ -45,3 +45,5 @@ [](https://travis-ci.org/Schibsted-Tech-Polska/nodesi) | ||
| var esi = new ESI(); | ||
| var esi = new ESI({ | ||
| allowedHosts: ['http://full-resource-path'] | ||
| }); | ||
| esi.process('<esi:include src="http://full-resource-path/stuff.html" />').then(function(result) { | ||
@@ -62,3 +64,3 @@ // result is a fetched html | ||
| All the ESI constructor options described below are also applicable for middleware function. | ||
| Just pass them like that: `esiMiddleWare({baseUrl: ...});` | ||
| Just pass them like that: `esiMiddleWare({baseUrl: ..., allowedHosts: [...]});` | ||
@@ -108,2 +110,19 @@ If you'd like to pass options like headers to ESI middleware, use `req.esiOptions` object: | ||
| ## Security | ||
| Since this module performs HTTP calls to external services, it is possible for a malicious agent to exploit that, especially if content of a <esi:include> tag can be provided by user. | ||
| In order to mitigate that risk you should use `allowedHosts` configuration option. It's supposed to be a list of trusted hosts (protocol + hostname + port), represented as strings or regular expressions. | ||
| #### Example: | ||
| ```javascript | ||
| var esi = new ESI({ | ||
| allowedHosts: ['https://exact-host:3000', /^http(s)?:\/\/other-host$/] | ||
| }); | ||
| ``` | ||
| If you're using `baseUrl` option then it's host will automatically be added to `allowedHosts`. | ||
| In case some url gets blocked you'll receive an error in your `onError` handler (see below) with `blocked` property set to `true`. | ||
| ## Error handling | ||
@@ -110,0 +129,0 @@ |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by17.6%
18347
- Lines of code
- increased by19.16%
311
- Number of lines in readme file
- increased by11.18%
189