npm - @arcis/node - Versions diffs - 1.0.0 - Mend

@arcis/node 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/README.md +222 -0
package/dist/core/index.d.mts +170 -0
package/dist/core/index.d.ts +170 -0
package/dist/core/index.js +327 -0
package/dist/core/index.js.map +1 -0
package/dist/core/index.mjs +307 -0
package/dist/core/index.mjs.map +1 -0
package/dist/headers-BJq2OA0i.d.ts +284 -0
package/dist/headers-DBQedhrb.d.mts +284 -0
package/dist/index-BgHPM7LC.d.ts +129 -0
package/dist/index-BpT7flAQ.d.ts +255 -0
package/dist/index-JaFOUKyK.d.mts +255 -0
package/dist/index-nAgXexwD.d.mts +129 -0
package/dist/index.d.mts +139 -0
package/dist/index.d.ts +139 -0
package/dist/index.js +1860 -0
package/dist/index.js.map +1 -0
package/dist/index.mjs +1797 -0
package/dist/index.mjs.map +1 -0
package/dist/logging/index.d.mts +38 -0
package/dist/logging/index.d.ts +38 -0
package/dist/logging/index.js +140 -0
package/dist/logging/index.js.map +1 -0
package/dist/logging/index.mjs +136 -0
package/dist/logging/index.mjs.map +1 -0
package/dist/middleware/index.d.mts +3 -0
package/dist/middleware/index.d.ts +3 -0
package/dist/middleware/index.js +1173 -0
package/dist/middleware/index.js.map +1 -0
package/dist/middleware/index.mjs +1156 -0
package/dist/middleware/index.mjs.map +1 -0
package/dist/sanitizers/index.d.mts +24 -0
package/dist/sanitizers/index.d.ts +24 -0
package/dist/sanitizers/index.js +610 -0
package/dist/sanitizers/index.js.map +1 -0
package/dist/sanitizers/index.mjs +587 -0
package/dist/sanitizers/index.mjs.map +1 -0
package/dist/stores/index.d.mts +106 -0
package/dist/stores/index.d.ts +106 -0
package/dist/stores/index.js +149 -0
package/dist/stores/index.js.map +1 -0
package/dist/stores/index.mjs +145 -0
package/dist/stores/index.mjs.map +1 -0
package/dist/types-BOdL3ZWo.d.mts +264 -0
package/dist/types-BOdL3ZWo.d.ts +264 -0
package/dist/validation/index.d.mts +3 -0
package/dist/validation/index.d.ts +3 -0
package/dist/validation/index.js +705 -0
package/dist/validation/index.js.map +1 -0
package/dist/validation/index.mjs +699 -0
package/dist/validation/index.mjs.map +1 -0
package/package.json +109 -0

package/dist/sanitizers/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/core/constants.ts","../../src/core/errors.ts","../../src/sanitizers/utils.ts","../../src/sanitizers/xss.ts","../../src/sanitizers/sql.ts","../../src/sanitizers/path.ts","../../src/sanitizers/command.ts","../../src/sanitizers/sanitize.ts","../../src/sanitizers/nosql.ts","../../src/sanitizers/prototype.ts","../../src/sanitizers/headers.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA;AAAA,EAEnB,gBAAA,EAAkB,GAAA;AAAA;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AAwDO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,mCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA,gBAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAQO,IAAM,mBAAA,GAAsB;AAAA;AAAA,EAEjC,mCAAA;AAAA;AAAA,EAEA,iBAAA;AAAA;AAAA,EAEA,mCAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAEA,mCAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAEA,eAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,uCAAA;AAAA;AAAA,EAEA,gCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,qFAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,8CAAA;AAAA,EACA,oDAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,+CAAA;AAAA,EACA,qDAAA;AAAA;AAAA,EAEA,2BAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,IAAM,aAAA,GAAgB;AAAA;AAAA,EAE3B,SAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,cAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU9B,SAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAiBO,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA,EAC1C,WAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC,CAAA;AAGM,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA;AAAA,EAE1C,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,MAAA;AAAA;AAAA,EAEnD,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAEvB,SAAA;AAAA,EAAW,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEzD,YAAA;AAAA,EAAc,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEtB,WAAA;AAAA,EAAa,cAAA;AAAA;AAAA,EAEb,SAAA;AAAA,EAAW,QAAA;AAAA,EAAU,UAAA;AAAA,EAAY,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,OAAA;AAAA,EAC9D,SAAA;AAAA,EAAW,YAAA;AAAA,EAAc;AAC3B,CAAC,CAAA;;;ACjOM,IAAM,UAAA,GAAN,cAAyB,KAAA,CAAM;AAAA,EAMpC,WAAA,CAAY,OAAA,EAAiB,UAAA,GAAa,GAAA,EAAK,OAAO,aAAA,EAAe;AACnE,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAGZ,IAAA,IAAA,CAAK,SAAS,UAAA,GAAa,GAAA;AAG3B,IAAA,IAAI,MAAM,iBAAA,EAAmB;AAC3B,MAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,IAChD;AAAA,EACF;AACF,CAAA;AAkCO,IAAM,kBAAA,GAAN,cAAiC,UAAA,CAAW;AAAA,EAIjD,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA,EAAU,GAAA,EAAK,iBAAiB,CAAA;AAC9E,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF,CAAA;AAKO,IAAM,mBAAA,GAAN,cAAkC,UAAA,CAAW;AAAA,EAIlD,WAAA,CAAY,YAAoB,OAAA,EAAiB;AAC/C,IAAA,KAAA,CAAM,sCAAA,EAAwC,KAAK,iBAAiB,CAAA;AACpE,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF,CAAA;;;AC5EO,SAAS,mBAAmB,GAAA,EAAqB;AACtD,EAAA,OAAO,IACJ,OAAA,CAAQ,IAAA,EAAM,OAAO,CAAA,CACrB,OAAA,CAAQ,MAAM,MAAM,CAAA,CACpB,QAAQ,IAAA,EAAM,MAAM,EACpB,OAAA,CAAQ,IAAA,EAAM,QAAQ,CAAA,CACtB,OAAA,CAAQ,MAAM,QAAQ,CAAA;AAC3B;AAQO,SAAS,cAAc,KAAA,EAAkD;AAC9E,EAAA,IAAI,OAAO,UAAU,QAAA,IAAY,KAAA,KAAU,QAAQ,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACvE,IAAA,OAAO,KAAA;AAAA,EACT;AAIA,EAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,cAAA,CAAe,KAAe,CAAA;AACnD,EAAA,OAAO,KAAA,KAAU,MAAA,CAAO,SAAA,IAAa,KAAA,KAAU,IAAA;AACjD;;;ACLO,SAAS,WAAA,CAAY,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAO,aAAa,KAAA,EAAgC;AAC9G,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAInB,EAAA,KAAA,MAAW,WAAW,mBAAA,EAAqB;AACzC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,KAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,EAAE,CAAA;AACjC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAMA,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,MAAM,OAAA,GAAU,mBAAmB,KAAK,CAAA;AACxC,IAAA,IAAI,YAAY,KAAA,EAAO;AACrB,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AACA,IAAA,KAAA,GAAQ,OAAA;AAAA,EACV;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AASO,SAAS,UAAU,KAAA,EAAwB;AAChD,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAGtC,EAAA,IAAI,eAAA,CAAgB,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAGxC,EAAA,IAAI,iBAAA,CAAkB,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAC1C,EAAA,IAAI,eAAA,CAAgB,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AACxC,EAAA,IAAI,wBAAA,CAAyB,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAGjD,EAAA,KAAA,MAAW,WAAW,YAAA,EAAc;AAClC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;AC1FO,SAAS,WAAA,CAAY,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAC1F,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,KAAA,MAAW,WAAW,YAAA,EAAc;AAElC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,eAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAIA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,GAAG,CAAA;AAClC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AASO,SAAS,UAAU,KAAA,EAAwB;AAChD,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAEtC,EAAA,KAAA,MAAW,WAAW,YAAA,EAAc;AAClC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;AC/DO,SAAS,YAAA,CAAa,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAC3F,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,KAAA,MAAW,WAAW,aAAA,EAAe;AAEnC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,gBAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,EAAE,CAAA;AACjC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AASO,SAAS,oBAAoB,KAAA,EAAwB;AAC1D,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAEtC,EAAA,KAAA,MAAW,WAAW,aAAA,EAAe;AACnC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;AC7DO,SAAS,eAAA,CAAgB,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAC9F,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,KAAA,MAAW,WAAW,gBAAA,EAAkB;AAEtC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,mBAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,GAAG,CAAA;AAClC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AASO,SAAS,uBAAuB,KAAA,EAAwB;AAC7D,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAEtC,EAAA,KAAA,MAAW,WAAW,gBAAA,EAAkB;AACtC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;ACjDO,SAAS,cAAA,CAAe,KAAA,EAAe,OAAA,GAA2B,EAAC,EAAW;AACnF,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAGtC,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,OAAA,IAAW,KAAA,CAAM,gBAAA;AACzC,EAAA,IAAI,KAAA,CAAM,SAAS,OAAA,EAAS;AAC1B,IAAA,MAAM,IAAI,kBAAA,CAAmB,OAAA,EAAS,KAAA,CAAM,MAAM,CAAA;AAAA,EACpD;AAEA,EAAA,MAAM,MAAA,GAAS,QAAQ,IAAA,KAAS,UAAA;AAChC,EAAA,IAAI,MAAA,GAAS,KAAA;AAGb,EAAA,IAAI,OAAA,CAAQ,QAAQ,KAAA,EAAO;AACzB,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAI,SAAA,CAAU,MAAM,CAAA,EAAG;AACrB,QAAA,MAAM,IAAI,mBAAA,CAAoB,eAAA,EAAiB,+BAA+B,CAAA;AAAA,MAChF;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAA,GAAS,YAAY,MAAM,CAAA;AAAA,IAC7B;AAAA,EACF;AAGA,EAAA,IAAI,OAAA,CAAQ,SAAS,KAAA,EAAO;AAC1B,IAAA,MAAA,GAAS,aAAa,MAAM,CAAA;AAAA,EAC9B;AAGA,EAAA,IAAI,OAAA,CAAQ,YAAY,KAAA,EAAO;AAC7B,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAI,sBAAA,CAAuB,MAAM,CAAA,EAAG;AAClC,QAAA,MAAM,IAAI,mBAAA,CAAoB,mBAAA,EAAqB,uCAAuC,CAAA;AAAA,MAC5F;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAA,GAAS,gBAAgB,MAAM,CAAA;AAAA,IACjC;AAAA,EACF;AAIA,EAAA,IAAI,OAAA,CAAQ,QAAQ,KAAA,EAAO;AACzB,IAAA,MAAA,GAAS,WAAA,CAAY,MAAA,EAAQ,KAAA,EAAO,OAAA,CAAQ,cAAc,KAAK,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,MAAA;AACT;AAUO,SAAS,cAAA,CAAe,GAAA,EAAc,OAAA,GAA2B,EAAC,EAAY;AACnF,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,cAAA,CAAe,KAAK,OAAO,CAAA;AAC/D,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AACpC,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG,OAAO,GAAA,CAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,cAAA,CAAe,IAAA,EAAM,OAAO,CAAC,CAAA;AAE5E,EAAA,OAAO,mBAAA,CAAoB,GAAA,EAAgC,OAAA,EAAS,CAAC,CAAA;AACvE;AAKA,SAAS,mBAAA,CACP,GAAA,EACA,OAAA,EACA,KAAA,EACyB;AACzB,EAAA,IAAI,KAAA,IAAS,KAAA,CAAM,mBAAA,EAAqB,OAAO,GAAA;AAE/C,EAAA,MAAM,SAAkC,EAAC;AAEzC,EAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA,EAAG;AAElC,IAAA,IAAI,OAAA,CAAQ,UAAU,KAAA,IAAS,oBAAA,CAAqB,IAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAC1E,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,QAAQ,KAAA,KAAU,KAAA,IAAS,oBAAA,CAAqB,GAAA,CAAI,GAAG,CAAA,EAAG;AAC5D,MAAA;AAAA,IACF;AAIA,IAAA,MAAM,YAAA,GAAe,cAAA,CAAe,GAAA,EAAK,OAAO,CAAA;AAGhD,IAAA,MAAM,KAAA,GAAQ,IAAI,GAAG,CAAA;AACrB,IAAA,IAAI,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,EAAW;AACzC,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,KAAA;AAAA,IACzB,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,cAAA,CAAe,KAAA,EAAO,OAAO,CAAA;AAAA,IACtD,CAAA,MAAA,IAAW,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AAC/B,MAAA,MAAA,CAAO,YAAY,IAAI,KAAA,CAAM,GAAA,CAAI,UAAQ,cAAA,CAAe,IAAA,EAAM,OAAO,CAAC,CAAA;AAAA,IACxE,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,mBAAA,CAAoB,KAAA,EAAkC,OAAA,EAAS,QAAQ,CAAC,CAAA;AAAA,IACjG,CAAA,MAAO;AACL,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,KAAA;AAAA,IACzB;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAeO,SAAS,eAAA,CAAgB,OAAA,GAA2B,EAAC,EAAmB;AAC7E,EAAA,OAAO,CAAC,GAAA,EAAc,IAAA,EAAgB,IAAA,KAAuB;AAC3D,IAAA,IAAI;AACF,MAAA,IAAI,GAAA,CAAI,IAAA,IAAQ,OAAO,GAAA,CAAI,SAAS,QAAA,EAAU;AAC5C,QAAA,GAAA,CAAI,IAAA,GAAO,cAAA,CAAe,GAAA,CAAI,IAAA,EAAM,OAAO,CAAA;AAAA,MAC7C;AACA,MAAA,IAAI,GAAA,CAAI,KAAA,IAAS,OAAO,GAAA,CAAI,UAAU,QAAA,EAAU;AAC9C,QAAA,MAAM,cAAA,GAAiB,cAAA,CAAe,GAAA,CAAI,KAAA,EAAO,OAAO,CAAA;AAExD,QAAA,MAAA,CAAO,cAAA,CAAe,GAAA,EAAK,OAAA,EAAS,EAAE,KAAA,EAAO,gBAAgB,QAAA,EAAU,IAAA,EAAM,YAAA,EAAc,IAAA,EAAM,CAAA;AAAA,MACnG;AACA,MAAA,IAAI,GAAA,CAAI,MAAA,IAAU,OAAO,GAAA,CAAI,WAAW,QAAA,EAAU;AAChD,QAAA,MAAM,eAAA,GAAkB,cAAA,CAAe,GAAA,CAAI,MAAA,EAAQ,OAAO,CAAA;AAC1D,QAAA,MAAA,CAAO,cAAA,CAAe,GAAA,EAAK,QAAA,EAAU,EAAE,KAAA,EAAO,iBAAiB,QAAA,EAAU,IAAA,EAAM,YAAA,EAAc,IAAA,EAAM,CAAA;AAAA,MACrG;AACA,MAAA,IAAA,EAAK;AAAA,IACP,SAAS,GAAA,EAAK;AACZ,MAAA,IAAA,CAAK,GAAG,CAAA;AAAA,IACV;AAAA,EACF,CAAA;AACF;;;AChKO,SAAS,oBAAoB,GAAA,EAAsB;AACxD,EAAA,OAAO,oBAAA,CAAqB,IAAI,GAAG,CAAA;AACrC;AASO,SAAS,oBAAA,CAAqB,GAAA,EAAc,QAAA,GAAW,EAAA,EAAa;AACzE,EAAA,IAAI,QAAA,IAAY,GAAG,OAAO,KAAA;AAC1B,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,OAAO,GAAA,KAAQ,UAAU,OAAO,KAAA;AAEpD,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,OAAO,IAAI,IAAA,CAAK,CAAA,IAAA,KAAQ,qBAAqB,IAAA,EAAM,QAAA,GAAW,CAAC,CAAC,CAAA;AAAA,EAClE;AAEA,EAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,GAA8B,CAAA,EAAG;AAC7D,IAAA,IAAI,mBAAA,CAAoB,GAAG,CAAA,EAAG;AAC5B,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,KAAA,GAAS,IAAgC,GAAG,CAAA;AAClD,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,KAAU,IAAA,EAAM;AAC/C,MAAA,IAAI,oBAAA,CAAqB,KAAA,EAAO,QAAA,GAAW,CAAC,CAAA,EAAG;AAC7C,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;AAQO,SAAS,qBAAA,GAAkC;AAChD,EAAA,OAAO,KAAA,CAAM,KAAK,oBAAoB,CAAA;AACxC;;;ACxCO,SAAS,oBAAoB,GAAA,EAAsB;AACxD,EAAA,OAAO,oBAAA,CAAqB,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA;AACnD;AASO,SAAS,wBAAA,CAAyB,GAAA,EAAc,QAAA,GAAW,EAAA,EAAa;AAC7E,EAAA,IAAI,QAAA,IAAY,GAAG,OAAO,KAAA;AAC1B,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,OAAO,GAAA,KAAQ,UAAU,OAAO,KAAA;AAEpD,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,OAAO,IAAI,IAAA,CAAK,CAAA,IAAA,KAAQ,yBAAyB,IAAA,EAAM,QAAA,GAAW,CAAC,CAAC,CAAA;AAAA,EACtE;AAEA,EAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,GAA8B,CAAA,EAAG;AAC7D,IAAA,IAAI,oBAAA,CAAqB,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAC/C,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,KAAA,GAAS,IAAgC,GAAG,CAAA;AAClD,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,KAAU,IAAA,EAAM;AAC/C,MAAA,IAAI,wBAAA,CAAyB,KAAA,EAAO,QAAA,GAAW,CAAC,CAAA,EAAG;AACjD,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;AAQO,SAAS,qBAAA,GAAkC;AAChD,EAAA,OAAO,KAAA,CAAM,KAAK,oBAAoB,CAAA;AACxC;;;AC9CA,IAAM,wBAAA,GAA2B,gBAAA;AAkB1B,SAAS,mBAAA,CAAoB,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAClG,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,IAAI,wBAAA,CAAyB,IAAA,CAAK,KAAK,CAAA,EAAG;AACxC,IAAA,wBAAA,CAAyB,SAAA,GAAY,CAAA;AACrC,IAAA,YAAA,GAAe,IAAA;AAEf,IAAA,IAAI,cAAA,EAAgB;AAClB,MAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,wBAAwB,CAAA;AACpD,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,UAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,YACX,IAAA,EAAM,kBAAA;AAAA,YACN,SAAS,wBAAA,CAAyB,MAAA;AAAA,YAClC,QAAA,EAAU;AAAA,WACX,CAAA;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,EAAA,wBAAA,CAAyB,SAAA,GAAY,CAAA;AACrC,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,wBAAA,EAA0B,EAAE,CAAA;AAExD,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AAaO,SAAS,gBAAgB,OAAA,EAAyD;AACvF,EAAA,IAAI,CAAC,OAAA,IAAW,OAAO,OAAA,KAAY,QAAA,EAAU;AAC3C,IAAA,OAAO,EAAC;AAAA,EACV;AAEA,EAAA,MAAM,SAAiC,EAAC;AAExC,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,IAAA,MAAM,YAAA,GAAe,mBAAA,CAAoB,MAAA,CAAO,GAAG,CAAC,CAAA;AACpD,IAAA,MAAM,cAAA,GAAiB,mBAAA,CAAoB,MAAA,CAAO,KAAK,CAAC,CAAA;AACxD,IAAA,MAAA,CAAO,YAAY,CAAA,GAAI,cAAA;AAAA,EACzB;AAEA,EAAA,OAAO,MAAA;AACT;AASO,SAAS,sBAAsB,KAAA,EAAwB;AAC5D,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAEtC,EAAA,wBAAA,CAAyB,SAAA,GAAY,CAAA;AACrC,EAAA,OAAO,wBAAA,CAAyB,KAAK,KAAK,CAAA;AAC5C","file":"index.js","sourcesContent":["/**\r\n * @module @arcis/node/core/constants\r\n * Named constants for Arcis - no magic numbers\r\n */\r\n\r\n// =============================================================================\r\n// INPUT LIMITS\r\n// =============================================================================\r\nexport const INPUT = {\r\n /** Default maximum input size (1MB) */\r\n DEFAULT_MAX_SIZE: 1_000_000,\r\n /** Maximum recursion depth for nested objects */\r\n MAX_RECURSION_DEPTH: 10,\r\n} as const;\r\n\r\n// =============================================================================\r\n// RATE LIMITING\r\n// =============================================================================\r\nexport const RATE_LIMIT = {\r\n /** Default window size (1 minute) */\r\n DEFAULT_WINDOW_MS: 60_000,\r\n /** Default max requests per window */\r\n DEFAULT_MAX_REQUESTS: 100,\r\n /** Default HTTP status code for rate limited responses */\r\n DEFAULT_STATUS_CODE: 429,\r\n /** Default error message */\r\n DEFAULT_MESSAGE: 'Too many requests, please try again later.',\r\n /** Minimum window size (1 second) */\r\n MIN_WINDOW_MS: 1_000,\r\n /** Maximum window size (24 hours) */\r\n MAX_WINDOW_MS: 86_400_000,\r\n} as const;\r\n\r\n// =============================================================================\r\n// SECURITY HEADERS\r\n// =============================================================================\r\nexport const HEADERS = {\r\n /** Default Content Security Policy */\r\n DEFAULT_CSP: [\r\n \"default-src 'self'\",\r\n \"script-src 'self'\",\r\n \"style-src 'self' 'unsafe-inline'\",\r\n \"img-src 'self' data: https:\",\r\n \"font-src 'self'\",\r\n \"object-src 'none'\",\r\n \"frame-ancestors 'none'\",\r\n ].join('; '),\r\n /** Default HSTS max age (1 year in seconds) */\r\n HSTS_MAX_AGE: 31_536_000,\r\n /** Default X-Frame-Options value */\r\n FRAME_OPTIONS: 'DENY' as const,\r\n /** Default X-Content-Type-Options value */\r\n CONTENT_TYPE_OPTIONS: 'nosniff',\r\n /** Default Referrer-Policy value */\r\n REFERRER_POLICY: 'strict-origin-when-cross-origin',\r\n /** Default Permissions-Policy value */\r\n PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\r\n /** Default Cache-Control value for security */\r\n CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\r\n} as const;\r\n\r\n// =============================================================================\r\n// XSS PATTERNS (ReDoS-safe)\r\n// =============================================================================\r\n\r\n/**\r\n * Detection patterns — used to flag whether a string contains XSS payloads.\r\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\r\n */\r\nexport const XSS_PATTERNS = [\r\n /** Script tags (ReDoS-safe version) */\r\n /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n /** javascript: protocol (allow optional spaces before colon) */\r\n /javascript\\s*:/gi,\r\n /** vbscript: protocol */\r\n /vbscript\\s*:/gi,\r\n /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\r\n /(?:[\\s/])on\\w+\\s*=/gi,\r\n /** iframe tags */\r\n /<iframe/gi,\r\n /** object tags */\r\n /<object/gi,\r\n /** embed tags */\r\n /<embed/gi,\r\n /** data: URIs (only dangerous ones, avoid false positives) */\r\n /(?:^|[\\s\"'=])data:/gi,\r\n /** URL-encoded script tags */\r\n /%3Cscript/gi,\r\n /** SVG with onload */\r\n /<svg[^>]*onload/gi,\r\n] as const;\r\n\r\n/**\r\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\r\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\r\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\r\n * Must stay in sync with XSS_PATTERNS above.\r\n */\r\nexport const XSS_REMOVE_PATTERNS = [\r\n /** Full script blocks (content + tags) */\r\n /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n /** Standalone/unclosed script tags */\r\n /<script[^>]*>/gi,\r\n /** iframe — full block and partial/unclosed */\r\n /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\r\n /<iframe[^>]*/gi,\r\n /** object — full block and partial/unclosed */\r\n /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\r\n /<object[^>]*/gi,\r\n /** embed tags */\r\n /<embed[^>]*/gi,\r\n /** SVG with inline event handlers */\r\n /<svg[^>]*onload[^>]*>/gi,\r\n /** URL-encoded script tags */\r\n /%3Cscript/gi,\r\n /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\r\n /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\r\n /** Event handlers with unquoted values: onload=value */\r\n /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\r\n /** javascript: and vbscript: protocols (allow optional spaces before colon) */\r\n /javascript\\s*:/gi,\r\n /vbscript\\s*:/gi,\r\n /** data: URIs with HTML/script content */\r\n /data\\s*:\\s*text\\/html[^>\\s]*/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// SQL INJECTION PATTERNS\r\n// =============================================================================\r\nexport const SQL_PATTERNS = [\r\n /** SQL keywords */\r\n /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\r\n /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\r\n /(--|\\/\\*|\\*\\/|#)/g,\r\n /** SQL statement separators */\r\n /(;|\\|\\||&&)/g,\r\n /** Boolean injection: OR 1=1 */\r\n /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\r\n /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\r\n /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n /** Boolean injection: AND 1=1 */\r\n /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\r\n /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\r\n /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n /** Time-based blind: SLEEP() */\r\n /\\bSLEEP\\s*\$\\s*\\d+\\s*\$/gi,\r\n /** Time-based blind: BENCHMARK() */\r\n /\\bBENCHMARK\\s*\\(/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// PATH TRAVERSAL PATTERNS\r\n// =============================================================================\r\nexport const PATH_PATTERNS = [\r\n /** Unix path traversal */\r\n /\\.\\.\\//g,\r\n /** Windows path traversal */\r\n /\\.\\.\\\\/g,\r\n /** URL-encoded traversal (%2e%2e) */\r\n /%2e%2e/gi,\r\n /** Double URL-encoded traversal (%252e) */\r\n /%252e/gi,\r\n /** Mixed encoding: ..%2F */\r\n /\\.\\.%2F/gi,\r\n /** Mixed encoding: %2e./ and .%2e/ */\r\n /%2e\\.[\\\\/]/gi,\r\n /\\.%2e[\\\\/]/gi,\r\n /** Fully URL-encoded: %2e%2e%2f */\r\n /%2e%2e%2f/gi,\r\n /** Null byte injection in paths */\r\n /\\0/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// COMMAND INJECTION PATTERNS\r\n// =============================================================================\r\nexport const COMMAND_PATTERNS = [\r\n /**\r\n * Shell metacharacters that enable command chaining/substitution.\r\n * Bare ( and ) are excluded — they appear in common legitimate values\r\n * (function calls in code fields, math expressions, etc.).\r\n * Command substitution is caught by the $( combined pattern below.\r\n * NOTE: ';', '&', '|' may appear in legitimate URL query strings\r\n * and Markdown; consider disabling command checking (command: false)\r\n * for fields that intentionally allow those characters.\r\n */\r\n /[;&|`]/g,\r\n /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\r\n /\\$\\(/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// DANGEROUS KEYS\r\n// =============================================================================\r\n\r\n/**\r\n * Prototype pollution keys to block.\r\n * Stored lowercase — always compare with key.toLowerCase().\r\n *\r\n * Includes:\r\n * - __proto__: direct prototype assignment\r\n * - constructor: access to constructor.prototype chain\r\n * - prototype: direct prototype property\r\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\r\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\r\n */\r\nexport const DANGEROUS_PROTO_KEYS = new Set([\r\n '__proto__',\r\n 'constructor',\r\n 'prototype',\r\n '__definegetter__',\r\n '__definesetter__',\r\n '__lookupgetter__',\r\n '__lookupsetter__',\r\n]);\r\n\r\n/** MongoDB operators to block */\r\nexport const NOSQL_DANGEROUS_KEYS = new Set([\r\n // Comparison\r\n '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\r\n // Logical\r\n '$and', '$or', '$not', '$nor',\r\n // Element / evaluation\r\n '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text',\r\n // Array\r\n '$elemMatch', '$all', '$size',\r\n // JavaScript execution (critical)\r\n '$function', '$accumulator',\r\n // Aggregation pipeline operators (injectable via $lookup etc.)\r\n '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\r\n '$unwind', '$addFields', '$replaceRoot',\r\n]);\r\n\r\n// =============================================================================\r\n// REDACTION\r\n// =============================================================================\r\nexport const REDACTION = {\r\n /** Replacement text for redacted values */\r\n REPLACEMENT: '[REDACTED]',\r\n /** Truncation indicator */\r\n TRUNCATED: '[TRUNCATED]',\r\n /** Max depth indicator */\r\n MAX_DEPTH: '[MAX_DEPTH]',\r\n /** Default max message length */\r\n DEFAULT_MAX_LENGTH: 10_000,\r\n /** Default sensitive keys to redact */\r\n SENSITIVE_KEYS: new Set([\r\n 'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\r\n 'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\r\n 'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\r\n 'privateKey', 'access_token', 'accessToken', 'refresh_token',\r\n 'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\r\n 'credentials', 'x-api-key', 'x-auth-token',\r\n ]),\r\n} as const;\r\n\r\n// =============================================================================\r\n// VALIDATION PATTERNS\r\n// =============================================================================\r\nexport const VALIDATION = {\r\n /**\r\n * Email regex pattern.\r\n * Rejects consecutive dots in local part (e.g. test..foo@example.com),\r\n * leading/trailing dots, and other common invalid forms.\r\n */\r\n EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\r\n /**\r\n * URL regex pattern.\r\n * Only allows http:// and https:// — explicitly rejects javascript:,\r\n * data:, vbscript:, and other dangerous URI schemes.\r\n */\r\n URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\r\n /** UUID regex pattern (v4) */\r\n UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\r\n} as const;\r\n\r\n// =============================================================================\r\n// ERROR MESSAGES\r\n// =============================================================================\r\nexport const ERRORS = {\r\n /** Generic error message (production) */\r\n INTERNAL_SERVER_ERROR: 'Internal Server Error',\r\n /** Input too large error */\r\n INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\r\n /** Validation error messages */\r\n VALIDATION: {\r\n REQUIRED: (field: string) => `${field} is required`,\r\n INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\r\n MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\r\n MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\r\n MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\r\n MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\r\n INVALID_FORMAT: (field: string) => `${field} format is invalid`,\r\n INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\r\n INVALID_URL: (field: string) => `${field} must be a valid URL`,\r\n INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\r\n INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\r\n MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\r\n MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\r\n },\r\n} as const;\r\n\r\n// =============================================================================\r\n// BLOCKED TEXT (for sanitizer replacements)\r\n// =============================================================================\r\nexport const BLOCKED = '[BLOCKED]' as const;\r\n","/**\r\n * @module @arcis/node/core/errors\r\n * Custom error classes for Arcis\r\n */\r\n\r\n/**\r\n * Base class for all Arcis errors\r\n */\r\nexport class ArcisError extends Error {\r\n public readonly statusCode: number;\r\n public readonly code: string;\r\n /** Whether the error message is safe to expose to API clients. */\r\n public readonly expose: boolean;\r\n\r\n constructor(message: string, statusCode = 500, code = 'ARCIS_ERROR') {\r\n super(message);\r\n this.name = 'ArcisError';\r\n this.statusCode = statusCode;\r\n this.code = code;\r\n // Client errors (4xx) have controlled messages — safe to expose.\r\n // Server errors (5xx) may contain internal details — hide by default.\r\n this.expose = statusCode < 500;\r\n\r\n // Maintains proper stack trace for where error was thrown (V8 engines)\r\n if (Error.captureStackTrace) {\r\n Error.captureStackTrace(this, this.constructor);\r\n }\r\n }\r\n}\r\n\r\n/**\r\n * Error thrown when input validation fails\r\n */\r\nexport class ValidationError extends ArcisError {\r\n public readonly errors: string[];\r\n\r\n constructor(errors: string[]) {\r\n super('Validation failed', 400, 'VALIDATION_ERROR');\r\n this.name = 'ValidationError';\r\n this.errors = errors;\r\n }\r\n}\r\n\r\n/** Alias for ValidationError (backwards compatibility) */\r\nexport { ValidationError as ArcisValidationError };\r\n\r\n/**\r\n * Error thrown when rate limit is exceeded\r\n */\r\nexport class RateLimitError extends ArcisError {\r\n public readonly retryAfter: number;\r\n\r\n constructor(message: string, retryAfter: number) {\r\n super(message, 429, 'RATE_LIMIT_EXCEEDED');\r\n this.name = 'RateLimitError';\r\n this.retryAfter = retryAfter;\r\n }\r\n}\r\n\r\n/**\r\n * Error thrown when input is too large\r\n */\r\nexport class InputTooLargeError extends ArcisError {\r\n public readonly maxSize: number;\r\n public readonly actualSize: number;\r\n\r\n constructor(maxSize: number, actualSize: number) {\r\n super(`Input exceeds maximum size of ${maxSize} bytes`, 413, 'INPUT_TOO_LARGE');\r\n this.name = 'InputTooLargeError';\r\n this.maxSize = maxSize;\r\n this.actualSize = actualSize;\r\n }\r\n}\r\n\r\n/**\r\n * Error thrown when security threat is detected\r\n */\r\nexport class SecurityThreatError extends ArcisError {\r\n public readonly threatType: string;\r\n public readonly pattern: string;\r\n\r\n constructor(threatType: string, pattern: string) {\r\n super('Request blocked for security reasons', 400, 'SECURITY_THREAT');\r\n this.name = 'SecurityThreatError';\r\n this.threatType = threatType;\r\n this.pattern = pattern;\r\n }\r\n}\r\n\r\n/**\r\n * Error thrown when sanitization fails\r\n */\r\nexport class SanitizationError extends ArcisError {\r\n constructor(message: string) {\r\n super(message, 400, 'SANITIZATION_ERROR');\r\n this.name = 'SanitizationError';\r\n }\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/utils\r\n * Shared utilities for sanitizers\r\n */\r\n\r\n/**\r\n * Encodes HTML entities to prevent interpretation as markup.\r\n * \r\n * @param str - The string to encode\r\n * @returns The encoded string\r\n */\r\nexport function encodeHtmlEntities(str: string): string {\r\n return str\r\n .replace(/&/g, '&')\r\n .replace(/</g, '<')\r\n .replace(/>/g, '>')\r\n .replace(/\"/g, '"')\r\n .replace(/'/g, ''');\r\n}\r\n\r\n/**\r\n * Checks if a value is a plain object (not null, array, Date, etc.)\r\n * \r\n * @param value - Value to check\r\n * @returns True if plain object\r\n */\r\nexport function isPlainObject(value: unknown): value is Record<string, unknown> {\r\n if (typeof value !== 'object' || value === null || Array.isArray(value)) {\r\n return false;\r\n }\r\n // Check the actual prototype chain rather than toString, which can be spoofed\r\n // via Symbol.toStringTag. Accepts both Object.prototype (plain {}) and null\r\n // prototype objects (Object.create(null)).\r\n const proto = Object.getPrototypeOf(value as object);\r\n return proto === Object.prototype || proto === null;\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/xss\r\n * XSS (Cross-Site Scripting) prevention\r\n */\r\n\r\nimport { XSS_PATTERNS, XSS_REMOVE_PATTERNS } from '../core/constants';\r\nimport { encodeHtmlEntities } from './utils';\r\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\r\n\r\n/**\r\n * Sanitizes a string to prevent XSS attacks.\r\n * \r\n * Strategy:\r\n * 1. Remove dangerous patterns (script tags, event handlers, etc.)\r\n * 2. HTML-encode the remaining content\r\n * \r\n * @param input - The string to sanitize\r\n * @param collectThreats - Whether to collect threat information (default: false for performance)\r\n * @returns Sanitized string or SanitizeResult if collectThreats is true\r\n * \r\n * @example\r\n * sanitizeXss(\"<script>alert('xss')</script>\")\r\n * // Returns: \"<script>alert('xss')</script>\"\r\n * \r\n * @example\r\n * sanitizeXss(\"<img onerror='alert(1)'>\")\r\n * // Returns: \"<img>\" (event handler removed)\r\n */\r\nexport function sanitizeXss(input: string, collectThreats?: false, htmlEncode?: boolean): string;\r\nexport function sanitizeXss(input: string, collectThreats: true, htmlEncode?: boolean): SanitizeResult;\r\nexport function sanitizeXss(input: string, collectThreats = false, htmlEncode = false): string | SanitizeResult {\r\n if (typeof input !== 'string') {\r\n return collectThreats \r\n ? { value: String(input), wasSanitized: false, threats: [] }\r\n : String(input);\r\n }\r\n\r\n const threats: ThreatInfo[] = [];\r\n let value = input;\r\n let wasSanitized = false;\r\n\r\n // Remove dangerous patterns FIRST — XSS_REMOVE_PATTERNS is the single\r\n // source of truth (defined in constants.ts alongside XSS_PATTERNS).\r\n for (const pattern of XSS_REMOVE_PATTERNS) {\r\n pattern.lastIndex = 0;\r\n if (pattern.test(value)) {\r\n pattern.lastIndex = 0;\r\n \r\n if (collectThreats) {\r\n const matches = value.match(pattern);\r\n if (matches) {\r\n for (const match of matches) {\r\n threats.push({\r\n type: 'xss',\r\n pattern: pattern.source,\r\n original: match,\r\n });\r\n }\r\n }\r\n }\r\n \r\n value = value.replace(pattern, '');\r\n wasSanitized = true;\r\n }\r\n }\r\n\r\n // HTML-encode only when explicitly requested (SSR/template context).\r\n // Do NOT encode by default — this is a REST API middleware; encoding\r\n // here corrupts JSON data with HTML entities (<, &, etc.) that\r\n // consumers would receive verbatim.\r\n if (htmlEncode) {\r\n const encoded = encodeHtmlEntities(value);\r\n if (encoded !== value) {\r\n wasSanitized = true;\r\n }\r\n value = encoded;\r\n }\r\n\r\n if (collectThreats) {\r\n return { value, wasSanitized, threats };\r\n }\r\n \r\n return value;\r\n}\r\n\r\n/**\r\n * Checks if a string contains potential XSS patterns.\r\n * Does not sanitize — use sanitizeXss() for that.\r\n * \r\n * @param input - The string to check\r\n * @returns True if XSS patterns detected\r\n */\r\nexport function detectXss(input: string): boolean {\r\n if (typeof input !== 'string') return false;\r\n \r\n // Check for event handlers\r\n if (/\\s+on\\w+\\s*=/i.test(input)) return true;\r\n \r\n // Check for dangerous protocols\r\n if (/javascript\\s*:/i.test(input)) return true;\r\n if (/vbscript\\s*:/i.test(input)) return true;\r\n if (/data\\s*:\\s*text\\/html/i.test(input)) return true;\r\n \r\n // Check for patterns from constants\r\n for (const pattern of XSS_PATTERNS) {\r\n pattern.lastIndex = 0;\r\n if (pattern.test(input)) {\r\n return true;\r\n }\r\n }\r\n \r\n return false;\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/sql\r\n * SQL injection prevention\r\n */\r\n\r\nimport { SQL_PATTERNS } from '../core/constants';\r\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\r\n\r\n/**\r\n * Sanitizes a string to prevent SQL injection attacks.\r\n * Replaces dangerous SQL patterns with [BLOCKED].\r\n * \r\n * @param input - The string to sanitize\r\n * @param collectThreats - Whether to collect threat information (default: false for performance)\r\n * @returns Sanitized string or SanitizeResult if collectThreats is true\r\n * \r\n * @example\r\n * sanitizeSql(\"'; DROP TABLE users; --\")\r\n * // Returns: \"'; TABLE users \"\r\n */\r\nexport function sanitizeSql(input: string, collectThreats?: false): string;\r\nexport function sanitizeSql(input: string, collectThreats: true): SanitizeResult;\r\nexport function sanitizeSql(input: string, collectThreats = false): string | SanitizeResult {\r\n if (typeof input !== 'string') {\r\n return collectThreats \r\n ? { value: String(input), wasSanitized: false, threats: [] }\r\n : String(input);\r\n }\r\n\r\n const threats: ThreatInfo[] = [];\r\n let value = input;\r\n let wasSanitized = false;\r\n\r\n for (const pattern of SQL_PATTERNS) {\r\n // Reset regex lastIndex for global patterns\r\n pattern.lastIndex = 0;\r\n \r\n if (pattern.test(value)) {\r\n pattern.lastIndex = 0; // Reset again for replace\r\n \r\n if (collectThreats) {\r\n const matches = value.match(pattern);\r\n if (matches) {\r\n for (const match of matches) {\r\n threats.push({\r\n type: 'sql_injection',\r\n pattern: pattern.source,\r\n original: match,\r\n });\r\n }\r\n }\r\n }\r\n \r\n // Replace the matched content with a space to avoid concatenating surrounding\r\n // tokens into new dangerous strings (e.g. \"SELECTname\" after stripping \"SELECT\").\r\n value = value.replace(pattern, ' ');\r\n wasSanitized = true;\r\n }\r\n }\r\n\r\n if (collectThreats) {\r\n return { value, wasSanitized, threats };\r\n }\r\n \r\n return value;\r\n}\r\n\r\n/**\r\n * Checks if a string contains potential SQL injection patterns.\r\n * Does not sanitize — use sanitizeSql() for that.\r\n * \r\n * @param input - The string to check\r\n * @returns True if SQL injection patterns detected\r\n */\r\nexport function detectSql(input: string): boolean {\r\n if (typeof input !== 'string') return false;\r\n \r\n for (const pattern of SQL_PATTERNS) {\r\n pattern.lastIndex = 0;\r\n if (pattern.test(input)) {\r\n return true;\r\n }\r\n }\r\n \r\n return false;\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/path\r\n * Path traversal prevention\r\n */\r\n\r\nimport { PATH_PATTERNS } from '../core/constants';\r\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\r\n\r\n/**\r\n * Sanitizes a string to prevent path traversal attacks.\r\n * Removes ../ and ..\\ patterns (including URL-encoded variants).\r\n * \r\n * @param input - The string to sanitize\r\n * @param collectThreats - Whether to collect threat information (default: false for performance)\r\n * @returns Sanitized string or SanitizeResult if collectThreats is true\r\n * \r\n * @example\r\n * sanitizePath(\"../../etc/passwd\")\r\n * // Returns: \"etc/passwd\"\r\n */\r\nexport function sanitizePath(input: string, collectThreats?: false): string;\r\nexport function sanitizePath(input: string, collectThreats: true): SanitizeResult;\r\nexport function sanitizePath(input: string, collectThreats = false): string | SanitizeResult {\r\n if (typeof input !== 'string') {\r\n return collectThreats \r\n ? { value: String(input), wasSanitized: false, threats: [] }\r\n : String(input);\r\n }\r\n\r\n const threats: ThreatInfo[] = [];\r\n let value = input;\r\n let wasSanitized = false;\r\n\r\n for (const pattern of PATH_PATTERNS) {\r\n // Reset regex lastIndex for global patterns\r\n pattern.lastIndex = 0;\r\n \r\n if (pattern.test(value)) {\r\n pattern.lastIndex = 0; // Reset again for replace\r\n \r\n if (collectThreats) {\r\n const matches = value.match(pattern);\r\n if (matches) {\r\n for (const match of matches) {\r\n threats.push({\r\n type: 'path_traversal',\r\n pattern: pattern.source,\r\n original: match,\r\n });\r\n }\r\n }\r\n }\r\n \r\n value = value.replace(pattern, '');\r\n wasSanitized = true;\r\n }\r\n }\r\n\r\n if (collectThreats) {\r\n return { value, wasSanitized, threats };\r\n }\r\n \r\n return value;\r\n}\r\n\r\n/**\r\n * Checks if a string contains path traversal patterns.\r\n * Does not sanitize — use sanitizePath() for that.\r\n * \r\n * @param input - The string to check\r\n * @returns True if path traversal patterns detected\r\n */\r\nexport function detectPathTraversal(input: string): boolean {\r\n if (typeof input !== 'string') return false;\r\n \r\n for (const pattern of PATH_PATTERNS) {\r\n pattern.lastIndex = 0;\r\n if (pattern.test(input)) {\r\n return true;\r\n }\r\n }\r\n \r\n return false;\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/command\r\n * Command injection prevention\r\n */\r\n\r\nimport { COMMAND_PATTERNS } from '../core/constants';\r\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\r\n\r\n/**\r\n * Sanitizes a string to prevent command injection attacks.\r\n * Replaces shell metacharacters and dangerous commands with [BLOCKED].\r\n * \r\n * @param input - The string to sanitize\r\n * @param collectThreats - Whether to collect threat information (default: false for performance)\r\n * @returns Sanitized string or SanitizeResult if collectThreats is true\r\n * \r\n * @example\r\n * sanitizeCommand(\"file.txt; rm -rf /\")\r\n * // Returns: \"file.txt rm -rf /\"\r\n */\r\nexport function sanitizeCommand(input: string, collectThreats?: false): string;\r\nexport function sanitizeCommand(input: string, collectThreats: true): SanitizeResult;\r\nexport function sanitizeCommand(input: string, collectThreats = false): string | SanitizeResult {\r\n if (typeof input !== 'string') {\r\n return collectThreats \r\n ? { value: String(input), wasSanitized: false, threats: [] }\r\n : String(input);\r\n }\r\n\r\n const threats: ThreatInfo[] = [];\r\n let value = input;\r\n let wasSanitized = false;\r\n\r\n for (const pattern of COMMAND_PATTERNS) {\r\n // Reset regex lastIndex for global patterns\r\n pattern.lastIndex = 0;\r\n \r\n if (pattern.test(value)) {\r\n pattern.lastIndex = 0; // Reset again for replace\r\n \r\n if (collectThreats) {\r\n const matches = value.match(pattern);\r\n if (matches) {\r\n for (const match of matches) {\r\n threats.push({\r\n type: 'command_injection',\r\n pattern: pattern.source,\r\n original: match,\r\n });\r\n }\r\n }\r\n }\r\n \r\n value = value.replace(pattern, ' ');\r\n wasSanitized = true;\r\n }\r\n }\r\n\r\n if (collectThreats) {\r\n return { value, wasSanitized, threats };\r\n }\r\n \r\n return value;\r\n}\r\n\r\n/**\r\n * Checks if a string contains command injection patterns.\r\n * Does not sanitize — use sanitizeCommand() for that.\r\n * \r\n * @param input - The string to check\r\n * @returns True if command injection patterns detected\r\n */\r\nexport function detectCommandInjection(input: string): boolean {\r\n if (typeof input !== 'string') return false;\r\n \r\n for (const pattern of COMMAND_PATTERNS) {\r\n pattern.lastIndex = 0;\r\n if (pattern.test(input)) {\r\n return true;\r\n }\r\n }\r\n \r\n return false;\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/sanitize\r\n * Main sanitization functions that combine all sanitizers\r\n */\r\n\r\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\r\nimport { INPUT, DANGEROUS_PROTO_KEYS, NOSQL_DANGEROUS_KEYS } from '../core/constants';\r\nimport { InputTooLargeError, SecurityThreatError } from '../core/errors';\r\nimport type { SanitizeOptions } from '../core/types';\r\nimport { sanitizeXss } from './xss';\r\nimport { sanitizeSql, detectSql } from './sql';\r\nimport { sanitizePath } from './path';\r\nimport { sanitizeCommand, detectCommandInjection } from './command';\r\n\r\n/**\r\n * Sanitize a string value against multiple attack vectors.\r\n * \r\n * Order matters: We do XSS encoding LAST because:\r\n * 1. Other sanitizers need to see the original patterns (e.g., SQL keywords)\r\n * 2. HTML encoding is the final safe output transformation\r\n * 3. Encoded entities like < shouldn't be treated as SQL/command threats\r\n * \r\n * @param value - The string to sanitize\r\n * @param options - Sanitization options\r\n * @returns The sanitized string\r\n * \r\n * @example\r\n * sanitizeString(\"<script>alert('xss')</script>\")\r\n * // Returns: \"<script>alert('xss')</script>\"\r\n * \r\n * @example\r\n * sanitizeString(\"../../etc/passwd\")\r\n * // Returns: \"etc/passwd\"\r\n */\r\nexport function sanitizeString(value: string, options: SanitizeOptions = {}): string {\r\n if (typeof value !== 'string') return value;\r\n\r\n // Input size limit to prevent DoS\r\n const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;\r\n if (value.length > maxSize) {\r\n throw new InputTooLargeError(maxSize, value.length);\r\n }\r\n\r\n const reject = options.mode !== 'sanitize'; // default: 'reject'\r\n let result = value;\r\n\r\n // 1. SQL injection\r\n if (options.sql !== false) {\r\n if (reject) {\r\n if (detectSql(result)) {\r\n throw new SecurityThreatError('sql_injection', 'SQL pattern detected in input');\r\n }\r\n } else {\r\n result = sanitizeSql(result);\r\n }\r\n }\r\n\r\n // 2. Path traversal prevention\r\n if (options.path !== false) {\r\n result = sanitizePath(result);\r\n }\r\n\r\n // 3. Command injection\r\n if (options.command !== false) {\r\n if (reject) {\r\n if (detectCommandInjection(result)) {\r\n throw new SecurityThreatError('command_injection', 'Shell metacharacter detected in input');\r\n }\r\n } else {\r\n result = sanitizeCommand(result);\r\n }\r\n }\r\n\r\n // 4. XSS stripping — always runs to remove dangerous patterns.\r\n // HTML encoding is opt-in via options.htmlEncode (for SSR contexts only).\r\n if (options.xss !== false) {\r\n result = sanitizeXss(result, false, options.htmlEncode ?? false);\r\n }\r\n\r\n return result;\r\n}\r\n\r\n/**\r\n * Sanitize an object recursively, including nested objects and arrays.\r\n * Also removes prototype pollution and NoSQL injection keys.\r\n * \r\n * @param obj - The object to sanitize\r\n * @param options - Sanitization options\r\n * @returns The sanitized object\r\n */\r\nexport function sanitizeObject(obj: unknown, options: SanitizeOptions = {}): unknown {\r\n if (obj === null || obj === undefined) return obj;\r\n if (typeof obj === 'string') return sanitizeString(obj, options);\r\n if (typeof obj !== 'object') return obj;\r\n if (Array.isArray(obj)) return obj.map(item => sanitizeObject(item, options));\r\n\r\n return sanitizeObjectDepth(obj as Record<string, unknown>, options, 0);\r\n}\r\n\r\n/**\r\n * Internal recursive sanitization with depth tracking.\r\n */\r\nfunction sanitizeObjectDepth(\r\n obj: Record<string, unknown>,\r\n options: SanitizeOptions,\r\n depth: number\r\n): Record<string, unknown> {\r\n if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;\r\n\r\n const result: Record<string, unknown> = {};\r\n\r\n for (const key of Object.keys(obj)) {\r\n // Prototype pollution protection - always block dangerous keys (case-insensitive)\r\n if (options.proto !== false && DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {\r\n continue;\r\n }\r\n\r\n // NoSQL injection - skip dangerous MongoDB operators in keys\r\n if (options.nosql !== false && NOSQL_DANGEROUS_KEYS.has(key)) {\r\n continue;\r\n }\r\n\r\n // Sanitize the key against all active threat vectors (not just XSS).\r\n // Keys can carry injection payloads that bubble into query builders or ORMs.\r\n const sanitizedKey = sanitizeString(key, options);\r\n\r\n // Recursively sanitize value\r\n const value = obj[key];\r\n if (value === null || value === undefined) {\r\n result[sanitizedKey] = value;\r\n } else if (typeof value === 'string') {\r\n result[sanitizedKey] = sanitizeString(value, options);\r\n } else if (Array.isArray(value)) {\r\n result[sanitizedKey] = value.map(item => sanitizeObject(item, options));\r\n } else if (typeof value === 'object') {\r\n result[sanitizedKey] = sanitizeObjectDepth(value as Record<string, unknown>, options, depth + 1);\r\n } else {\r\n result[sanitizedKey] = value;\r\n }\r\n }\r\n\r\n return result;\r\n}\r\n\r\n/**\r\n * Create Express middleware for request sanitization.\r\n * Sanitizes req.body, req.query, and req.params.\r\n * \r\n * @param options - Sanitization options\r\n * @returns Express middleware\r\n * \r\n * @example\r\n * app.use(createSanitizer());\r\n * \r\n * @example\r\n * app.use(createSanitizer({ xss: true, sql: true, nosql: true }));\r\n */\r\nexport function createSanitizer(options: SanitizeOptions = {}): RequestHandler {\r\n return (req: Request, _res: Response, next: NextFunction) => {\r\n try {\r\n if (req.body && typeof req.body === 'object') {\r\n req.body = sanitizeObject(req.body, options);\r\n }\r\n if (req.query && typeof req.query === 'object') {\r\n const sanitizedQuery = sanitizeObject(req.query, options);\r\n // Express 5: req.query is a getter with no setter — override on instance\r\n Object.defineProperty(req, 'query', { value: sanitizedQuery, writable: true, configurable: true });\r\n }\r\n if (req.params && typeof req.params === 'object') {\r\n const sanitizedParams = sanitizeObject(req.params, options);\r\n Object.defineProperty(req, 'params', { value: sanitizedParams, writable: true, configurable: true });\r\n }\r\n next();\r\n } catch (err) {\r\n next(err);\r\n }\r\n };\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/nosql\r\n * NoSQL injection prevention (MongoDB operators)\r\n */\r\n\r\nimport { NOSQL_DANGEROUS_KEYS } from '../core/constants';\r\n\r\n/**\r\n * Checks if a key is a dangerous MongoDB operator.\r\n * \r\n * @param key - The key to check\r\n * @returns True if the key is a MongoDB operator\r\n * \r\n * @example\r\n * isDangerousNoSqlKey('$gt') // true\r\n * isDangerousNoSqlKey('name') // false\r\n */\r\nexport function isDangerousNoSqlKey(key: string): boolean {\r\n return NOSQL_DANGEROUS_KEYS.has(key);\r\n}\r\n\r\n/**\r\n * Recursively checks if an object contains dangerous MongoDB operators.\r\n * \r\n * @param obj - The object to check\r\n * @param maxDepth - Maximum recursion depth (default: 10)\r\n * @returns True if dangerous operators found\r\n */\r\nexport function detectNoSqlInjection(obj: unknown, maxDepth = 10): boolean {\r\n if (maxDepth <= 0) return false;\r\n if (obj === null || typeof obj !== 'object') return false;\r\n \r\n if (Array.isArray(obj)) {\r\n return obj.some(item => detectNoSqlInjection(item, maxDepth - 1));\r\n }\r\n \r\n for (const key of Object.keys(obj as Record<string, unknown>)) {\r\n if (isDangerousNoSqlKey(key)) {\r\n return true;\r\n }\r\n \r\n const value = (obj as Record<string, unknown>)[key];\r\n if (typeof value === 'object' && value !== null) {\r\n if (detectNoSqlInjection(value, maxDepth - 1)) {\r\n return true;\r\n }\r\n }\r\n }\r\n \r\n return false;\r\n}\r\n\r\n/**\r\n * Get list of all MongoDB operators considered dangerous.\r\n * Useful for documentation or custom validation.\r\n * \r\n * @returns Array of dangerous operator strings\r\n */\r\nexport function getDangerousOperators(): string[] {\r\n return Array.from(NOSQL_DANGEROUS_KEYS);\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/prototype\r\n * Prototype pollution prevention\r\n */\r\n\r\nimport { DANGEROUS_PROTO_KEYS } from '../core/constants';\r\n\r\n/**\r\n * Checks if a key is dangerous for prototype pollution.\r\n * Case-insensitive — catches __PROTO__, Constructor, etc.\r\n *\r\n * @param key - The key to check\r\n * @returns True if the key could cause prototype pollution\r\n *\r\n * @example\r\n * isDangerousProtoKey('__proto__') // true\r\n * isDangerousProtoKey('__PROTO__') // true\r\n * isDangerousProtoKey('Constructor') // true\r\n * isDangerousProtoKey('name') // false\r\n */\r\nexport function isDangerousProtoKey(key: string): boolean {\r\n return DANGEROUS_PROTO_KEYS.has(key.toLowerCase());\r\n}\r\n\r\n/**\r\n * Recursively checks if an object contains prototype pollution keys.\r\n * \r\n * @param obj - The object to check\r\n * @param maxDepth - Maximum recursion depth (default: 10)\r\n * @returns True if dangerous keys found\r\n */\r\nexport function detectPrototypePollution(obj: unknown, maxDepth = 10): boolean {\r\n if (maxDepth <= 0) return false;\r\n if (obj === null || typeof obj !== 'object') return false;\r\n \r\n if (Array.isArray(obj)) {\r\n return obj.some(item => detectPrototypePollution(item, maxDepth - 1));\r\n }\r\n \r\n for (const key of Object.keys(obj as Record<string, unknown>)) {\r\n if (DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {\r\n return true;\r\n }\r\n \r\n const value = (obj as Record<string, unknown>)[key];\r\n if (typeof value === 'object' && value !== null) {\r\n if (detectPrototypePollution(value, maxDepth - 1)) {\r\n return true;\r\n }\r\n }\r\n }\r\n \r\n return false;\r\n}\r\n\r\n/**\r\n * Get list of all keys considered dangerous for prototype pollution.\r\n * Useful for documentation or custom validation.\r\n * \r\n * @returns Array of dangerous key strings\r\n */\r\nexport function getDangerousProtoKeys(): string[] {\r\n return Array.from(DANGEROUS_PROTO_KEYS);\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/headers\r\n * HTTP Header Injection & CRLF Injection prevention\r\n *\r\n * Prevents attackers from injecting newline characters (\\r\\n) into HTTP header\r\n * values, which can lead to response splitting, session fixation, XSS via\r\n * injected headers, and cache poisoning.\r\n */\r\n\r\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\r\n\r\n/**\r\n * Characters and sequences that enable header injection.\r\n * - \\r\\n (CRLF) — HTTP header delimiter, enables response splitting\r\n * - \\r, \\n alone — partial line breaks, some servers normalize to CRLF\r\n * - \\0 (null byte) — can truncate header values in some implementations\r\n */\r\nconst HEADER_INJECTION_PATTERN = /\\r\\n|\\r|\\n|\\0/g;\r\n\r\n/**\r\n * Sanitizes a header value by stripping CRLF sequences, bare CR/LF, and null bytes.\r\n *\r\n * @param input - The header value to sanitize\r\n * @param collectThreats - Whether to collect threat information (default: false)\r\n * @returns Sanitized string or SanitizeResult if collectThreats is true\r\n *\r\n * @example\r\n * sanitizeHeaderValue(\"safe-value\")\r\n * // Returns: \"safe-value\"\r\n *\r\n * sanitizeHeaderValue(\"value\\r\\nX-Injected: evil\")\r\n * // Returns: \"valueX-Injected: evil\"\r\n */\r\nexport function sanitizeHeaderValue(input: string, collectThreats?: false): string;\r\nexport function sanitizeHeaderValue(input: string, collectThreats: true): SanitizeResult;\r\nexport function sanitizeHeaderValue(input: string, collectThreats = false): string | SanitizeResult {\r\n if (typeof input !== 'string') {\r\n return collectThreats\r\n ? { value: String(input), wasSanitized: false, threats: [] }\r\n : String(input);\r\n }\r\n\r\n const threats: ThreatInfo[] = [];\r\n let wasSanitized = false;\r\n\r\n if (HEADER_INJECTION_PATTERN.test(input)) {\r\n HEADER_INJECTION_PATTERN.lastIndex = 0;\r\n wasSanitized = true;\r\n\r\n if (collectThreats) {\r\n const matches = input.match(HEADER_INJECTION_PATTERN);\r\n if (matches) {\r\n for (const match of matches) {\r\n threats.push({\r\n type: 'header_injection',\r\n pattern: HEADER_INJECTION_PATTERN.source,\r\n original: match,\r\n });\r\n }\r\n }\r\n }\r\n }\r\n\r\n HEADER_INJECTION_PATTERN.lastIndex = 0;\r\n const value = input.replace(HEADER_INJECTION_PATTERN, '');\r\n\r\n if (collectThreats) {\r\n return { value, wasSanitized, threats };\r\n }\r\n\r\n return value;\r\n}\r\n\r\n/**\r\n * Sanitizes an object of header key-value pairs.\r\n * Strips CRLF/null bytes from both keys and values.\r\n *\r\n * @param headers - Object with header names as keys and header values as values\r\n * @returns New object with sanitized header names and values\r\n *\r\n * @example\r\n * sanitizeHeaders({ \"X-Custom\": \"safe\", \"X-Bad\\r\\n\": \"value\\r\\ninjected\" })\r\n * // Returns: { \"X-Custom\": \"safe\", \"X-Bad\": \"valueinjected\" }\r\n */\r\nexport function sanitizeHeaders(headers: Record<string, string>): Record<string, string> {\r\n if (!headers || typeof headers !== 'object') {\r\n return {};\r\n }\r\n\r\n const result: Record<string, string> = {};\r\n\r\n for (const [key, value] of Object.entries(headers)) {\r\n const sanitizedKey = sanitizeHeaderValue(String(key));\r\n const sanitizedValue = sanitizeHeaderValue(String(value));\r\n result[sanitizedKey] = sanitizedValue;\r\n }\r\n\r\n return result;\r\n}\r\n\r\n/**\r\n * Checks if a string contains HTTP header injection patterns (CRLF, null bytes).\r\n * Does not sanitize — use sanitizeHeaderValue() for that.\r\n *\r\n * @param input - The string to check\r\n * @returns True if header injection patterns detected\r\n */\r\nexport function detectHeaderInjection(input: string): boolean {\r\n if (typeof input !== 'string') return false;\r\n\r\n HEADER_INJECTION_PATTERN.lastIndex = 0;\r\n return HEADER_INJECTION_PATTERN.test(input);\r\n}\r\n"]}