@arcis/node 1.0.0 → 1.2.0

package/dist/validation/index.mjs

@@ -1,3 +1,5 @@
+import { promises } from 'dns';
+
 // src/core/constants.ts
 var INPUT = {
   /** Default maximum input size (1MB) */
@@ -49,7 +51,11 @@ var SQL_PATTERNS = [
   /** Time-based blind: SLEEP() */
   /\bSLEEP\s*\(\s*\d+\s*\)/gi,
   /** Time-based blind: BENCHMARK() */
-  /\bBENCHMARK\s*\(/gi
+  /\bBENCHMARK\s*\(/gi,
+  /** Time-based blind: PostgreSQL pg_sleep() */
+  /\bpg_sleep\s*\(/gi,
+  /** Time-based blind: MSSQL WAITFOR DELAY */
+  /\bWAITFOR\s+DELAY\b/gi
 ];
 var PATH_PATTERNS = [
   /** Unix path traversal */
@@ -67,6 +73,10 @@ var PATH_PATTERNS = [
   /\.%2e[\\/]/gi,
   /** Fully URL-encoded: %2e%2e%2f */
   /%2e%2e%2f/gi,
+  /** Double URL-encoded forward slash: %252f */
+  /%252f/gi,
+  /** Dotdotslash bypass: ....// or ....\\ */
+  /\.{2,}[/\\]{2,}/g,
   /** Null byte injection in paths */
   /\0/g
 ];
@@ -82,7 +92,9 @@ var COMMAND_PATTERNS = [
    */
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
-  /\$\(/g
+  /\$\(/g,
+  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
+  /%0[ad]/gi
 ];
 var VALIDATION = {
   /**
@@ -694,6 +706,489 @@ function isDangerousExtension(filename) {
   return ext !== "" && DANGEROUS_EXTENSIONS.has(ext);
 }
 
-export { createValidator, isDangerousExtension, sanitizeFilename, validate, validateFile };
+// src/validation/url.ts
+function validateUrl(url, options = {}) {
+  const {
+    allowedProtocols = ["http:", "https:"],
+    blockedHosts = [],
+    allowedHosts = [],
+    allowLocalhost = false,
+    allowPrivate = false
+  } = options;
+  if (typeof url !== "string" || url.trim() === "") {
+    return { safe: false, reason: "invalid URL: empty or not a string" };
+  }
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return { safe: false, reason: "invalid URL: failed to parse" };
+  }
+  if (!allowedProtocols.includes(parsed.protocol)) {
+    return { safe: false, reason: `disallowed protocol: ${parsed.protocol}` };
+  }
+  if (parsed.username || parsed.password) {
+    return { safe: false, reason: "URL contains credentials" };
+  }
+  const hostname = parsed.hostname.toLowerCase();
+  if (allowedHosts.some((h) => hostname === h.toLowerCase())) {
+    return { safe: true };
+  }
+  if (blockedHosts.some((h) => hostname === h.toLowerCase())) {
+    return { safe: false, reason: `blocked host: ${hostname}` };
+  }
+  if (!allowLocalhost) {
+    if (hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname === "::1" || hostname === "0.0.0.0" || hostname.endsWith(".localhost")) {
+      return { safe: false, reason: "loopback address" };
+    }
+    if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+      return { safe: false, reason: "loopback address" };
+    }
+  }
+  if (!allowLocalhost || !allowPrivate) {
+    const decimalCheck = checkDecimalIp(hostname, allowLocalhost, allowPrivate);
+    if (decimalCheck) {
+      return { safe: false, reason: decimalCheck };
+    }
+  }
+  if (!allowLocalhost || !allowPrivate) {
+    const octalCheck = checkOctalIp(hostname, allowLocalhost, allowPrivate);
+    if (octalCheck) {
+      return { safe: false, reason: octalCheck };
+    }
+  }
+  if (!allowPrivate) {
+    const privateCheck = checkPrivateIp(hostname);
+    if (privateCheck) {
+      return { safe: false, reason: privateCheck };
+    }
+  }
+  return { safe: true };
+}
+function isUrlSafe(url, options = {}) {
+  return validateUrl(url, options).safe;
+}
+function checkPrivateIp(hostname) {
+  if (/^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+    return "private address (10.0.0.0/8)";
+  }
+  const match172 = hostname.match(/^172\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/);
+  if (match172) {
+    const second = parseInt(match172[1], 10);
+    if (second >= 16 && second <= 31) {
+      return "private address (172.16.0.0/12)";
+    }
+  }
+  if (/^192\.168\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+    return "private address (192.168.0.0/16)";
+  }
+  if (/^169\.254\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+    return "link-local address (169.254.0.0/16)";
+  }
+  if (/^0\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+    return "current network address (0.0.0.0/8)";
+  }
+  if (hostname === "metadata.google.internal" || hostname === "metadata.internal" || hostname === "metadata.azure.internal") {
+    return "cloud metadata endpoint";
+  }
+  const ipv6 = hostname.replace(/^\[|\]$/g, "");
+  if (ipv6 === "::1" || ipv6 === "::" || ipv6.startsWith("fc") || ipv6.startsWith("fd") || ipv6.startsWith("fe80")) {
+    return "private IPv6 address";
+  }
+  const mappedDotted = ipv6.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i);
+  if (mappedDotted) {
+    const mappedIp = mappedDotted[1];
+    if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(mappedIp)) {
+      return "IPv6-mapped loopback address";
+    }
+    const mappedCheck = checkPrivateIp(mappedIp);
+    if (mappedCheck) {
+      return `IPv6-mapped ${mappedCheck}`;
+    }
+  }
+  const mappedHex = ipv6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i);
+  if (mappedHex) {
+    const hi = parseInt(mappedHex[1], 16);
+    const lo = parseInt(mappedHex[2], 16);
+    const a = hi >> 8 & 255;
+    const b = hi & 255;
+    const c = lo >> 8 & 255;
+    const d = lo & 255;
+    const dotted = `${a}.${b}.${c}.${d}`;
+    if (a === 127) {
+      return "IPv6-mapped loopback address";
+    }
+    const hexCheck = checkPrivateIp(dotted);
+    if (hexCheck) {
+      return `IPv6-mapped ${hexCheck}`;
+    }
+  }
+  return null;
+}
+function checkDecimalIp(hostname, allowLocalhost, allowPrivate) {
+  if (!/^\d+$/.test(hostname)) return null;
+  const num = parseInt(hostname, 10);
+  if (isNaN(num) || num < 0 || num > 4294967295) return null;
+  const a = num >>> 24 & 255;
+  const b = num >>> 16 & 255;
+  const c = num >>> 8 & 255;
+  const d = num & 255;
+  const dotted = `${a}.${b}.${c}.${d}`;
+  if (!allowLocalhost && a === 127) {
+    return `loopback address (decimal IP: ${dotted})`;
+  }
+  if (!allowPrivate) {
+    const privateCheck = checkPrivateIp(dotted);
+    if (privateCheck) {
+      return `${privateCheck} (decimal IP: ${dotted})`;
+    }
+  }
+  return null;
+}
+function checkOctalIp(hostname, allowLocalhost, allowPrivate) {
+  const parts = hostname.split(".");
+  if (parts.length !== 4) return null;
+  const hasAlternateNotation = parts.some((p) => /^0[0-7]+$/.test(p) || /^0x[0-9a-fA-F]+$/i.test(p));
+  if (!hasAlternateNotation) return null;
+  const octets = [];
+  for (const part of parts) {
+    let val;
+    if (/^0x[0-9a-fA-F]+$/i.test(part)) {
+      val = parseInt(part, 16);
+    } else if (/^0[0-7]*$/.test(part)) {
+      val = parseInt(part, 8);
+    } else if (/^\d+$/.test(part)) {
+      val = parseInt(part, 10);
+    } else {
+      return null;
+    }
+    if (val < 0 || val > 255) return null;
+    octets.push(val);
+  }
+  const dotted = octets.join(".");
+  if (!allowLocalhost && octets[0] === 127) {
+    return `loopback address (octal IP: ${dotted})`;
+  }
+  if (!allowPrivate) {
+    const privateCheck = checkPrivateIp(dotted);
+    if (privateCheck) {
+      return `${privateCheck} (octal IP: ${dotted})`;
+    }
+  }
+  return null;
+}
+
+// src/validation/redirect.ts
+var DANGEROUS_PROTOCOLS = /^(javascript|data|vbscript|blob):/i;
+var CONTROL_CHARS = /[\t\n\r]/g;
+function validateRedirect(url, options = {}) {
+  const {
+    allowedHosts = [],
+    allowProtocolRelative = false,
+    allowedProtocols = ["http:", "https:"]
+  } = options;
+  if (typeof url !== "string" || url.trim() === "") {
+    return { safe: false, reason: "invalid redirect: empty or not a string" };
+  }
+  const cleaned = url.replace(CONTROL_CHARS, "");
+  if (DANGEROUS_PROTOCOLS.test(cleaned)) {
+    const proto = cleaned.match(DANGEROUS_PROTOCOLS);
+    return { safe: false, reason: `dangerous protocol: ${proto[0]}` };
+  }
+  if (cleaned.startsWith("\\")) {
+    return { safe: false, reason: "backslash-prefixed URL (browser treats as protocol-relative)" };
+  }
+  if (cleaned.startsWith("//")) {
+    if (!allowProtocolRelative) {
+      const host2 = extractHost(cleaned);
+      if (host2 && allowedHosts.some((h) => host2 === h.toLowerCase())) {
+        return { safe: true };
+      }
+      return { safe: false, reason: "protocol-relative URL not in allowed hosts" };
+    }
+    const host = extractHost(cleaned);
+    if (host && allowedHosts.length > 0 && !allowedHosts.some((h) => host === h.toLowerCase())) {
+      return { safe: false, reason: "protocol-relative URL not in allowed hosts" };
+    }
+    return { safe: true };
+  }
+  let parsed;
+  try {
+    parsed = new URL(cleaned);
+  } catch {
+    return { safe: true };
+  }
+  if (!allowedProtocols.includes(parsed.protocol)) {
+    return { safe: false, reason: `disallowed protocol: ${parsed.protocol}` };
+  }
+  const hostname = parsed.hostname.toLowerCase();
+  if (allowedHosts.length === 0) {
+    return { safe: false, reason: "absolute URL not in allowed hosts" };
+  }
+  if (!allowedHosts.some((h) => hostname === h.toLowerCase())) {
+    return { safe: false, reason: `host not allowed: ${hostname}` };
+  }
+  return { safe: true };
+}
+function isRedirectSafe(url, options = {}) {
+  return validateRedirect(url, options).safe;
+}
+function extractHost(url) {
+  const match = url.match(/^\/\/([^/:?#]+)/);
+  return match ? match[1].toLowerCase() : null;
+}
+var MAX_EMAIL_LENGTH = 254;
+var MAX_LOCAL_LENGTH = 64;
+var MAX_DOMAIN_LENGTH = 255;
+var EMAIL_SYNTAX = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}$/;
+var FREE_PROVIDERS = /* @__PURE__ */ new Set([
+  "gmail.com",
+  "yahoo.com",
+  "hotmail.com",
+  "outlook.com",
+  "aol.com",
+  "protonmail.com",
+  "proton.me",
+  "icloud.com",
+  "mail.com",
+  "zoho.com",
+  "yandex.com",
+  "gmx.com",
+  "gmx.net",
+  "live.com",
+  "msn.com",
+  "me.com",
+  "mac.com",
+  "fastmail.com",
+  "tutanota.com",
+  "hey.com"
+]);
+var DISPOSABLE_DOMAINS = /* @__PURE__ */ new Set([
+  // Popular disposable services
+  "guerrillamail.com",
+  "guerrillamail.net",
+  "guerrillamail.org",
+  "tempmail.com",
+  "temp-mail.org",
+  "temp-mail.io",
+  "throwaway.email",
+  "throwaway.com",
+  "mailinator.com",
+  "mailinator.net",
+  "yopmail.com",
+  "yopmail.fr",
+  "yopmail.net",
+  "sharklasers.com",
+  "grr.la",
+  "guerrillamail.info",
+  "guerrillamail.biz",
+  "guerrillamail.de",
+  "trashmail.com",
+  "trashmail.me",
+  "trashmail.net",
+  "dispostable.com",
+  "maildrop.cc",
+  "mailnesia.com",
+  "tempail.com",
+  "mohmal.com",
+  "getnada.com",
+  "emailondeck.com",
+  "discard.email",
+  "fakeinbox.com",
+  "mailcatch.com",
+  "mintemail.com",
+  "tempr.email",
+  "tempinbox.com",
+  "burnermail.io",
+  "mailsac.com",
+  "harakirimail.com",
+  "tempmailo.com",
+  "emailfake.com",
+  "crazymailing.com",
+  "armyspy.com",
+  "dayrep.com",
+  "einrot.com",
+  "fleckens.hu",
+  "gustr.com",
+  "jourrapide.com",
+  "rhyta.com",
+  "superrito.com",
+  "teleworm.us",
+  "10minutemail.com",
+  "10minutemail.net",
+  "minutemail.com",
+  "tempsky.com",
+  "spamgourmet.com",
+  "mytrashmail.com",
+  "mailexpire.com",
+  "safetymail.info",
+  "filzmail.com",
+  "trashymail.com",
+  "sharkmail.com",
+  "jetable.org",
+  "nospam.ze.tc",
+  "trash-me.com",
+  "dodgit.com",
+  "mailmoat.com",
+  "spamfree24.org",
+  "incognitomail.org",
+  "tempomail.fr",
+  "ephemail.net",
+  "hidemail.de",
+  "spaml.de",
+  "uggsrock.com",
+  "binkmail.com",
+  "suremail.info",
+  "bugmenot.com"
+]);
+var DOMAIN_TYPOS = {
+  "gmial.com": "gmail.com",
+  "gmaill.com": "gmail.com",
+  "gmai.com": "gmail.com",
+  "gamil.com": "gmail.com",
+  "gnail.com": "gmail.com",
+  "gmal.com": "gmail.com",
+  "gmil.com": "gmail.com",
+  "gmail.co": "gmail.com",
+  "gmail.cm": "gmail.com",
+  "gmail.om": "gmail.com",
+  "gmail.con": "gmail.com",
+  "gmail.cim": "gmail.com",
+  "gmail.comm": "gmail.com",
+  "yahooo.com": "yahoo.com",
+  "yaho.com": "yahoo.com",
+  "yahoo.co": "yahoo.com",
+  "yahoo.cm": "yahoo.com",
+  "yahoo.con": "yahoo.com",
+  "yahho.com": "yahoo.com",
+  "hotmial.com": "hotmail.com",
+  "hotmal.com": "hotmail.com",
+  "hotmai.com": "hotmail.com",
+  "hotmil.com": "hotmail.com",
+  "hotmail.co": "hotmail.com",
+  "hotmail.cm": "hotmail.com",
+  "hotmail.con": "hotmail.com",
+  "outlok.com": "outlook.com",
+  "outloo.com": "outlook.com",
+  "outlook.co": "outlook.com",
+  "outlook.cm": "outlook.com",
+  "protonmal.com": "protonmail.com",
+  "protonmail.co": "protonmail.com",
+  "icloud.co": "icloud.com",
+  "icloud.cm": "icloud.com",
+  "icoud.com": "icloud.com"
+};
+function invalidResult(reason, email) {
+  return {
+    valid: false,
+    reason,
+    suggestion: null,
+    isFree: false,
+    isDisposable: false,
+    normalized: email
+  };
+}
+function validateEmail(email, options = {}) {
+  const {
+    checkDisposable = true,
+    suggestTypoFix = true,
+    blockedDomains = [],
+    allowedDomains = []
+  } = options;
+  const normalized = email.trim().toLowerCase();
+  if (!normalized || normalized.length > MAX_EMAIL_LENGTH) {
+    return invalidResult("invalid_syntax", normalized);
+  }
+  const atIndex = normalized.lastIndexOf("@");
+  if (atIndex === -1) {
+    return invalidResult("invalid_syntax", normalized);
+  }
+  const localPart = normalized.slice(0, atIndex);
+  const domain = normalized.slice(atIndex + 1);
+  if (localPart.length === 0 || localPart.length > MAX_LOCAL_LENGTH) {
+    return invalidResult("invalid_syntax", normalized);
+  }
+  if (domain.length === 0 || domain.length > MAX_DOMAIN_LENGTH) {
+    return invalidResult("invalid_syntax", normalized);
+  }
+  if (localPart.includes("..")) {
+    return invalidResult("invalid_syntax", normalized);
+  }
+  if (localPart.startsWith(".") || localPart.endsWith(".")) {
+    return invalidResult("invalid_syntax", normalized);
+  }
+  if (!EMAIL_SYNTAX.test(normalized)) {
+    return invalidResult("invalid_syntax", normalized);
+  }
+  const allowedSet = new Set(allowedDomains.map((d) => d.toLowerCase()));
+  if (allowedSet.has(domain)) {
+    return {
+      valid: true,
+      reason: "valid",
+      suggestion: null,
+      isFree: FREE_PROVIDERS.has(domain),
+      isDisposable: false,
+      normalized
+    };
+  }
+  const blockedSet = new Set(blockedDomains.map((d) => d.toLowerCase()));
+  if (blockedSet.has(domain)) {
+    return invalidResult("blocked", normalized);
+  }
+  const isDisposable = DISPOSABLE_DOMAINS.has(domain);
+  if (checkDisposable && isDisposable) {
+    return {
+      valid: false,
+      reason: "disposable",
+      suggestion: null,
+      isFree: false,
+      isDisposable: true,
+      normalized
+    };
+  }
+  const isFree = FREE_PROVIDERS.has(domain);
+  if (suggestTypoFix && DOMAIN_TYPOS[domain]) {
+    const corrected = `${localPart}@${DOMAIN_TYPOS[domain]}`;
+    return {
+      valid: true,
+      reason: "typo",
+      suggestion: corrected,
+      isFree: FREE_PROVIDERS.has(DOMAIN_TYPOS[domain]),
+      isDisposable: false,
+      normalized
+    };
+  }
+  return {
+    valid: true,
+    reason: "valid",
+    suggestion: null,
+    isFree,
+    isDisposable,
+    normalized
+  };
+}
+async function verifyEmailMx(email) {
+  if (!isValidEmailSyntax(email)) return false;
+  const atIndex = email.lastIndexOf("@");
+  const domain = email.slice(atIndex + 1).trim().toLowerCase();
+  if (!domain) return false;
+  try {
+    const records = await promises.resolveMx(domain);
+    return records.length > 0;
+  } catch {
+    return false;
+  }
+}
+function isValidEmailSyntax(email) {
+  const normalized = email.trim().toLowerCase();
+  if (!normalized || normalized.length > MAX_EMAIL_LENGTH) return false;
+  const atIndex = normalized.lastIndexOf("@");
+  if (atIndex === -1) return false;
+  const localPart = normalized.slice(0, atIndex);
+  if (localPart.includes("..") || localPart.startsWith(".") || localPart.endsWith(".")) return false;
+  return EMAIL_SYNTAX.test(normalized);
+}
+
+export { createValidator, isDangerousExtension, isRedirectSafe, isUrlSafe, isValidEmailSyntax, sanitizeFilename, validate, validateEmail, validateFile, validateRedirect, validateUrl, verifyEmailMx };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map