Merge pull request #140 from krakenjs/list

Change whitelist/blacklist to allowlist/blocklist
krakenjs · Dec 22, 2020 · f9a5255 · f9a5255
2 parents 0483eda + 3efc640
commit f9a5255
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 42 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,11 +1,8 @@
 language: node_js
 
 node_js:
-  - "8"
-  - "6"
-  - "4"
-  - "0.12"
-  - "0.10"
+  - "10"
+  - "12"
 
 before_script:
   - npm install -g grunt-cli
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,11 +1,16 @@
+##### Unreleased
+
+* Changes `whitelist`/`blacklist` to `allowlist`/`blocklist` to follow [guidelines](https://chromium.googlesource.com/chromium/src/+/master/styleguide/inclusive_code.md#racially-neutral)
+
+
 ##### v1.6.1
 
 * Fixes issue with multiple `blacklist`/`whitelist` options
 * Typo in README
 
 ##### v1.6.0
 
-* Adds in `whitelist` and `blacklist` support for `csrf`
+* Adds in `allowlist` and `blocklist` support for `csrf`
 
 ##### v1.5.2
 

diff --git a/README.md b/README.md
@@ -60,10 +60,10 @@ __Please note that you must use [express-session](https://github.com/expressjs/s
 * `cookie.name` String - Required if cookie is an object and `angular` is not true. The CSRF cookie name to set.
 * `cookie.options` Object - Optional. A valid Express cookie options object.
 * `angular` Boolean - Optional. Shorthand setting to set `lusca` up to use the default settings for CSRF validation according to the [AngularJS docs]. Can be used with `cookie.options`.
-* `blacklist` Array or String - Optional. Allows defining a set of routes that will not have csrf protection.  All others will.
-* `whitelist` Array or String - Optional. Allows defining a set of routes that will have csrf protection.  All others will not.
+* `blocklist` Array or String - Optional. Allows defining a set of routes that will not have csrf protection.  All others will.
+* `allowlist` Array or String - Optional. Allows defining a set of routes that will have csrf protection.  All others will not.
 
-Notes: The app can use either a `blacklist` or a `whitelist`, not both.  By default, all post routes are whitelisted.
+Notes: The app can use either a `blocklist` or a `allowlist`, not both.  By default, all post routes are allowlisted.
 
 [angularjs docs]: https://docs.angularjs.org/api/ng/service/$http#cross-site-request-forgery-xsrf-protection
 

diff --git a/lib/csrf.js b/lib/csrf.js
@@ -14,7 +14,7 @@ var token = require('./token'),
  *    header {String} The name of the response header containing the CSRF token. Default "x-csrf-token".
  */
 module.exports = function (options) {
-    var impl, key, header, secret, cookie, whitelist, blacklist;
+    var impl, key, header, secret, cookie, allowlist, blocklist;
 
     options = options || {};
 
@@ -26,22 +26,22 @@ module.exports = function (options) {
         };
     }
 
-    whitelist = options.whitelist;
+    allowlist = options.allowlist || options.whitelist;
 
-    if (typeof whitelist === 'string') {
-        whitelist = [ whitelist ];
-    } else if (!Array.isArray(whitelist)) {
-        // Don't allow non string or array whitelist
-        whitelist = null;
+    if (typeof allowlist === 'string') {
+        allowlist = [ allowlist ];
+    } else if (!Array.isArray(allowlist)) {
+        // Don't allow non string or array allowlist
+        allowlist = null;
     }
 
-    blacklist = options.blacklist;
+    blocklist = options.blocklist || options.blacklist;
 
-    if (typeof blacklist === 'string') {
-        blacklist = [ blacklist ];
-    } else if (!Array.isArray(blacklist)) {
-        // Don't allow non string or array blacklist
-        blacklist = null;
+    if (typeof blocklist === 'string') {
+        blocklist = [ blocklist ];
+    } else if (!Array.isArray(blocklist)) {
+        // Don't allow non string or array blocklist
+        blocklist = null;
     }
 
     key = options.key || '_csrf';
@@ -91,15 +91,15 @@ module.exports = function (options) {
 
         var shouldBypass = false;
 
-        if (blacklist) {
-            blacklist.some(function (exclusion) {
+        if (blocklist) {
+            blocklist.some(function (exclusion) {
                 shouldBypass = req.path.indexOf(exclusion) === 0;
                 return shouldBypass;
             });
         }
 
-        if (whitelist) {
-            whitelist.some(function (inclusion) {
+        if (allowlist) {
+            allowlist.some(function (inclusion) {
                 shouldBypass = req.path.indexOf(inclusion) !== 0;
                 return shouldBypass;
             });

diff --git a/test/csrf.js b/test/csrf.js
@@ -42,73 +42,73 @@ describe('CSRF', function () {
                 done(err);
             });
     });
-    it('should not require token on post to blacklist', function (done) {
+    it('should not require token on post to blocklist', function (done) {
         var app = mock({
             csrf: {
-                blacklist: ['/blacklist1', '/blacklist2']
+                blocklist: ['/blocklist1', '/blocklist2']
             }
         });
 
-        app.post('/blacklist1', function (req, res) {
+        app.post('/blocklist1', function (req, res) {
             res.send(200);
         });
 
-        app.post('/blacklist2', function (req, res) {
+        app.post('/blocklist2', function (req, res) {
             res.send(200);
         });
 
-        app.post('/notblacklist', function (req, res) {
+        app.post('/notblocklist', function (req, res) {
             res.send(200);
         });
 
         request(app)
-            .post('/blacklist1')
+            .post('/blocklist1')
             .expect(200)
             .end(function (err, res) {});
 
         request(app)
-            .post('/blacklist2')
+            .post('/blocklist2')
             .expect(200)
             .end(function (err, res) {});
 
         request(app)
-            .post('/notblacklist')
+            .post('/notblocklist')
             .expect(403)
             .end(function (err, res) {
                 done(err);
             });
     });
-    it('should only require token on post to whitelist', function (done) {
+    it('should only require token on post to allowlist', function (done) {
         var app = mock({
             csrf: {
-                whitelist: ['/whitelist1', '/whitelist2']
+                allowlist: ['/allowlist1', '/allowlist2']
             }
         });
 
-        app.post('/whitelist1', function (req, res) {
+        app.post('/allowlist1', function (req, res) {
             res.send(200);
         });
 
-        app.post('/whitelist2', function (req, res) {
+        app.post('/allowlist2', function (req, res) {
             res.send(200);
         });
 
-        app.post('/notwhitelist', function (req, res) {
+        app.post('/notallowlist', function (req, res) {
             res.send(200);
         });
 
         request(app)
-            .post('/whitelist1')
+            .post('/allowlist1')
             .expect(403)
             .end(function (err, res) {});
 
         request(app)
-            .post('/whitelist2')
+            .post('/allowlist2')
             .expect(403)
             .end(function (err, res) {});
 
         request(app)
-            .post('/notwhitelist')
+            .post('/notallowlist')
             .expect(200)
             .end(function (err, res) {
                 done(err);