@arcis/node 1.0.0

package/dist/sanitizers/index.js

@@ -0,0 +1,610 @@
+'use strict';
+
+// src/core/constants.ts
+var INPUT = {
+  /** Default maximum input size (1MB) */
+  DEFAULT_MAX_SIZE: 1e6,
+  /** Maximum recursion depth for nested objects */
+  MAX_RECURSION_DEPTH: 10
+};
+var XSS_PATTERNS = [
+  /** Script tags (ReDoS-safe version) */
+  /<script[^>]*>[\s\S]*?<\/script>/gi,
+  /** javascript: protocol (allow optional spaces before colon) */
+  /javascript\s*:/gi,
+  /** vbscript: protocol */
+  /vbscript\s*:/gi,
+  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */
+  /(?:[\s/])on\w+\s*=/gi,
+  /** iframe tags */
+  /<iframe/gi,
+  /** object tags */
+  /<object/gi,
+  /** embed tags */
+  /<embed/gi,
+  /** data: URIs (only dangerous ones, avoid false positives) */
+  /(?:^|[\s"'=])data:/gi,
+  /** URL-encoded script tags */
+  /%3Cscript/gi,
+  /** SVG with onload */
+  /<svg[^>]*onload/gi
+];
+var XSS_REMOVE_PATTERNS = [
+  /** Full script blocks (content + tags) */
+  /<script[^>]*>[\s\S]*?<\/script>/gi,
+  /** Standalone/unclosed script tags */
+  /<script[^>]*>/gi,
+  /** iframe — full block and partial/unclosed */
+  /<iframe[^>]*>[\s\S]*?<\/iframe>/gi,
+  /<iframe[^>]*/gi,
+  /** object — full block and partial/unclosed */
+  /<object[^>]*>[\s\S]*?<\/object>/gi,
+  /<object[^>]*/gi,
+  /** embed tags */
+  /<embed[^>]*/gi,
+  /** SVG with inline event handlers */
+  /<svg[^>]*onload[^>]*>/gi,
+  /** URL-encoded script tags */
+  /%3Cscript/gi,
+  /** Event handlers with quoted values: onclick="...", onerror='...' */
+  /(?:[\s/])on\w+\s*=\s*["'][^"']*["']/gi,
+  /** Event handlers with unquoted values: onload=value */
+  /(?:[\s/])on\w+\s*=\s*[^\s>]*/gi,
+  /** javascript: and vbscript: protocols (allow optional spaces before colon) */
+  /javascript\s*:/gi,
+  /vbscript\s*:/gi,
+  /** data: URIs with HTML/script content */
+  /data\s*:\s*text\/html[^>\s]*/gi
+];
+var SQL_PATTERNS = [
+  /** SQL keywords */
+  /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\b)/gi,
+  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */
+  /(--|\/\*|\*\/|#)/g,
+  /** SQL statement separators */
+  /(;|\|\||&&)/g,
+  /** Boolean injection: OR 1=1 */
+  /\bOR\s+\d+\s*=\s*\d+/gi,
+  /** Boolean injection: OR 'a'='a' or OR "a"="a" (including mixed quotes) */
+  /\bOR\s+(['"])[^'"]*\1\s*=\s*(['"])[^'"]*\2/gi,
+  /\bOR\s+('[^']*'|"[^"]*")\s*=\s*('[^']*'|"[^"]*")/gi,
+  /** Boolean injection: AND 1=1 */
+  /\bAND\s+\d+\s*=\s*\d+/gi,
+  /** Boolean injection: AND 'a'='a' or AND "a"="a" (including mixed quotes) */
+  /\bAND\s+(['"])[^'"]*\1\s*=\s*(['"])[^'"]*\2/gi,
+  /\bAND\s+('[^']*'|"[^"]*")\s*=\s*('[^']*'|"[^"]*")/gi,
+  /** Time-based blind: SLEEP() */
+  /\bSLEEP\s*\(\s*\d+\s*\)/gi,
+  /** Time-based blind: BENCHMARK() */
+  /\bBENCHMARK\s*\(/gi
+];
+var PATH_PATTERNS = [
+  /** Unix path traversal */
+  /\.\.\//g,
+  /** Windows path traversal */
+  /\.\.\\/g,
+  /** URL-encoded traversal (%2e%2e) */
+  /%2e%2e/gi,
+  /** Double URL-encoded traversal (%252e) */
+  /%252e/gi,
+  /** Mixed encoding: ..%2F */
+  /\.\.%2F/gi,
+  /** Mixed encoding: %2e./ and .%2e/ */
+  /%2e\.[\\/]/gi,
+  /\.%2e[\\/]/gi,
+  /** Fully URL-encoded: %2e%2e%2f */
+  /%2e%2e%2f/gi,
+  /** Null byte injection in paths */
+  /\0/g
+];
+var COMMAND_PATTERNS = [
+  /**
+   * Shell metacharacters that enable command chaining/substitution.
+   * Bare ( and ) are excluded — they appear in common legitimate values
+   * (function calls in code fields, math expressions, etc.).
+   * Command substitution is caught by the $( combined pattern below.
+   * NOTE: ';', '&', '|' may appear in legitimate URL query strings
+   * and Markdown; consider disabling command checking (command: false)
+   * for fields that intentionally allow those characters.
+   */
+  /[;&|`]/g,
+  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
+  /\$\(/g
+];
+var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
+  "__proto__",
+  "constructor",
+  "prototype",
+  "__definegetter__",
+  "__definesetter__",
+  "__lookupgetter__",
+  "__lookupsetter__"
+]);
+var NOSQL_DANGEROUS_KEYS = /* @__PURE__ */ new Set([
+  // Comparison
+  "$gt",
+  "$gte",
+  "$lt",
+  "$lte",
+  "$ne",
+  "$eq",
+  "$in",
+  "$nin",
+  // Logical
+  "$and",
+  "$or",
+  "$not",
+  "$nor",
+  // Element / evaluation
+  "$exists",
+  "$type",
+  "$regex",
+  "$where",
+  "$expr",
+  "$mod",
+  "$text",
+  // Array
+  "$elemMatch",
+  "$all",
+  "$size",
+  // JavaScript execution (critical)
+  "$function",
+  "$accumulator",
+  // Aggregation pipeline operators (injectable via $lookup etc.)
+  "$lookup",
+  "$match",
+  "$project",
+  "$group",
+  "$sort",
+  "$limit",
+  "$skip",
+  "$unwind",
+  "$addFields",
+  "$replaceRoot"
+]);
+
+// src/core/errors.ts
+var ArcisError = class extends Error {
+  constructor(message, statusCode = 500, code = "ARCIS_ERROR") {
+    super(message);
+    this.name = "ArcisError";
+    this.statusCode = statusCode;
+    this.code = code;
+    this.expose = statusCode < 500;
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, this.constructor);
+    }
+  }
+};
+var InputTooLargeError = class extends ArcisError {
+  constructor(maxSize, actualSize) {
+    super(`Input exceeds maximum size of ${maxSize} bytes`, 413, "INPUT_TOO_LARGE");
+    this.name = "InputTooLargeError";
+    this.maxSize = maxSize;
+    this.actualSize = actualSize;
+  }
+};
+var SecurityThreatError = class extends ArcisError {
+  constructor(threatType, pattern) {
+    super("Request blocked for security reasons", 400, "SECURITY_THREAT");
+    this.name = "SecurityThreatError";
+    this.threatType = threatType;
+    this.pattern = pattern;
+  }
+};
+
+// src/sanitizers/utils.ts
+function encodeHtmlEntities(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;");
+}
+function isPlainObject(value) {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) {
+    return false;
+  }
+  const proto = Object.getPrototypeOf(value);
+  return proto === Object.prototype || proto === null;
+}
+
+// src/sanitizers/xss.ts
+function sanitizeXss(input, collectThreats = false, htmlEncode = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of XSS_REMOVE_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "xss",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, "");
+      wasSanitized = true;
+    }
+  }
+  if (htmlEncode) {
+    const encoded = encodeHtmlEntities(value);
+    if (encoded !== value) {
+      wasSanitized = true;
+    }
+    value = encoded;
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectXss(input) {
+  if (typeof input !== "string") return false;
+  if (/\s+on\w+\s*=/i.test(input)) return true;
+  if (/javascript\s*:/i.test(input)) return true;
+  if (/vbscript\s*:/i.test(input)) return true;
+  if (/data\s*:\s*text\/html/i.test(input)) return true;
+  for (const pattern of XSS_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/sql.ts
+function sanitizeSql(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of SQL_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "sql_injection",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, " ");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectSql(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of SQL_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/path.ts
+function sanitizePath(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of PATH_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "path_traversal",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, "");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectPathTraversal(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of PATH_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/command.ts
+function sanitizeCommand(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of COMMAND_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "command_injection",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, " ");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectCommandInjection(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of COMMAND_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/sanitize.ts
+function sanitizeString(value, options = {}) {
+  if (typeof value !== "string") return value;
+  const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
+  if (value.length > maxSize) {
+    throw new InputTooLargeError(maxSize, value.length);
+  }
+  const reject = options.mode !== "sanitize";
+  let result = value;
+  if (options.sql !== false) {
+    if (reject) {
+      if (detectSql(result)) {
+        throw new SecurityThreatError("sql_injection", "SQL pattern detected in input");
+      }
+    } else {
+      result = sanitizeSql(result);
+    }
+  }
+  if (options.path !== false) {
+    result = sanitizePath(result);
+  }
+  if (options.command !== false) {
+    if (reject) {
+      if (detectCommandInjection(result)) {
+        throw new SecurityThreatError("command_injection", "Shell metacharacter detected in input");
+      }
+    } else {
+      result = sanitizeCommand(result);
+    }
+  }
+  if (options.xss !== false) {
+    result = sanitizeXss(result, false, options.htmlEncode ?? false);
+  }
+  return result;
+}
+function sanitizeObject(obj, options = {}) {
+  if (obj === null || obj === void 0) return obj;
+  if (typeof obj === "string") return sanitizeString(obj, options);
+  if (typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map((item) => sanitizeObject(item, options));
+  return sanitizeObjectDepth(obj, options, 0);
+}
+function sanitizeObjectDepth(obj, options, depth) {
+  if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;
+  const result = {};
+  for (const key of Object.keys(obj)) {
+    if (options.proto !== false && DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {
+      continue;
+    }
+    if (options.nosql !== false && NOSQL_DANGEROUS_KEYS.has(key)) {
+      continue;
+    }
+    const sanitizedKey = sanitizeString(key, options);
+    const value = obj[key];
+    if (value === null || value === void 0) {
+      result[sanitizedKey] = value;
+    } else if (typeof value === "string") {
+      result[sanitizedKey] = sanitizeString(value, options);
+    } else if (Array.isArray(value)) {
+      result[sanitizedKey] = value.map((item) => sanitizeObject(item, options));
+    } else if (typeof value === "object") {
+      result[sanitizedKey] = sanitizeObjectDepth(value, options, depth + 1);
+    } else {
+      result[sanitizedKey] = value;
+    }
+  }
+  return result;
+}
+function createSanitizer(options = {}) {
+  return (req, _res, next) => {
+    try {
+      if (req.body && typeof req.body === "object") {
+        req.body = sanitizeObject(req.body, options);
+      }
+      if (req.query && typeof req.query === "object") {
+        const sanitizedQuery = sanitizeObject(req.query, options);
+        Object.defineProperty(req, "query", { value: sanitizedQuery, writable: true, configurable: true });
+      }
+      if (req.params && typeof req.params === "object") {
+        const sanitizedParams = sanitizeObject(req.params, options);
+        Object.defineProperty(req, "params", { value: sanitizedParams, writable: true, configurable: true });
+      }
+      next();
+    } catch (err) {
+      next(err);
+    }
+  };
+}
+
+// src/sanitizers/nosql.ts
+function isDangerousNoSqlKey(key) {
+  return NOSQL_DANGEROUS_KEYS.has(key);
+}
+function detectNoSqlInjection(obj, maxDepth = 10) {
+  if (maxDepth <= 0) return false;
+  if (obj === null || typeof obj !== "object") return false;
+  if (Array.isArray(obj)) {
+    return obj.some((item) => detectNoSqlInjection(item, maxDepth - 1));
+  }
+  for (const key of Object.keys(obj)) {
+    if (isDangerousNoSqlKey(key)) {
+      return true;
+    }
+    const value = obj[key];
+    if (typeof value === "object" && value !== null) {
+      if (detectNoSqlInjection(value, maxDepth - 1)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function getDangerousOperators() {
+  return Array.from(NOSQL_DANGEROUS_KEYS);
+}
+
+// src/sanitizers/prototype.ts
+function isDangerousProtoKey(key) {
+  return DANGEROUS_PROTO_KEYS.has(key.toLowerCase());
+}
+function detectPrototypePollution(obj, maxDepth = 10) {
+  if (maxDepth <= 0) return false;
+  if (obj === null || typeof obj !== "object") return false;
+  if (Array.isArray(obj)) {
+    return obj.some((item) => detectPrototypePollution(item, maxDepth - 1));
+  }
+  for (const key of Object.keys(obj)) {
+    if (DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {
+      return true;
+    }
+    const value = obj[key];
+    if (typeof value === "object" && value !== null) {
+      if (detectPrototypePollution(value, maxDepth - 1)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function getDangerousProtoKeys() {
+  return Array.from(DANGEROUS_PROTO_KEYS);
+}
+
+// src/sanitizers/headers.ts
+var HEADER_INJECTION_PATTERN = /\r\n|\r|\n|\0/g;
+function sanitizeHeaderValue(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let wasSanitized = false;
+  if (HEADER_INJECTION_PATTERN.test(input)) {
+    HEADER_INJECTION_PATTERN.lastIndex = 0;
+    wasSanitized = true;
+    if (collectThreats) {
+      const matches = input.match(HEADER_INJECTION_PATTERN);
+      if (matches) {
+        for (const match of matches) {
+          threats.push({
+            type: "header_injection",
+            pattern: HEADER_INJECTION_PATTERN.source,
+            original: match
+          });
+        }
+      }
+    }
+  }
+  HEADER_INJECTION_PATTERN.lastIndex = 0;
+  const value = input.replace(HEADER_INJECTION_PATTERN, "");
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function sanitizeHeaders(headers) {
+  if (!headers || typeof headers !== "object") {
+    return {};
+  }
+  const result = {};
+  for (const [key, value] of Object.entries(headers)) {
+    const sanitizedKey = sanitizeHeaderValue(String(key));
+    const sanitizedValue = sanitizeHeaderValue(String(value));
+    result[sanitizedKey] = sanitizedValue;
+  }
+  return result;
+}
+function detectHeaderInjection(input) {
+  if (typeof input !== "string") return false;
+  HEADER_INJECTION_PATTERN.lastIndex = 0;
+  return HEADER_INJECTION_PATTERN.test(input);
+}
+
+exports.createSanitizer = createSanitizer;
+exports.detectCommandInjection = detectCommandInjection;
+exports.detectHeaderInjection = detectHeaderInjection;
+exports.detectNoSqlInjection = detectNoSqlInjection;
+exports.detectPathTraversal = detectPathTraversal;
+exports.detectPrototypePollution = detectPrototypePollution;
+exports.detectSql = detectSql;
+exports.detectXss = detectXss;
+exports.encodeHtmlEntities = encodeHtmlEntities;
+exports.getDangerousOperators = getDangerousOperators;
+exports.getDangerousProtoKeys = getDangerousProtoKeys;
+exports.isDangerousNoSqlKey = isDangerousNoSqlKey;
+exports.isDangerousProtoKey = isDangerousProtoKey;
+exports.isPlainObject = isPlainObject;
+exports.sanitizeCommand = sanitizeCommand;
+exports.sanitizeHeaderValue = sanitizeHeaderValue;
+exports.sanitizeHeaders = sanitizeHeaders;
+exports.sanitizeObject = sanitizeObject;
+exports.sanitizePath = sanitizePath;
+exports.sanitizeSql = sanitizeSql;
+exports.sanitizeString = sanitizeString;
+exports.sanitizeXss = sanitizeXss;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map