@arcis/node 1.1.0 → 1.2.0

package/dist/{headers-DBQedhrb.d.mts → pii-CXcHMlnX.d.mts}

@@ -1,5 +1,5 @@
 import { RequestHandler } from 'express';
-import { i as SanitizeOptions, j as SanitizeResult } from './types-BOdL3ZWo.mjs';
+import { i as SanitizeOptions, j as SanitizeResult } from './types-CsOFHoD9.mjs';
 
 /**
  * @module @arcis/node/sanitizers/sanitize
@@ -170,6 +170,80 @@ declare function sanitizeCommand(input: string, collectThreats: true): SanitizeR
  */
 declare function detectCommandInjection(input: string): boolean;
 
+/**
+ * @module @arcis/node/sanitizers/ssti
+ * Server-Side Template Injection (SSTI) prevention
+ */
+
+/**
+ * Sanitizes a string to prevent SSTI attacks.
+ * Removes template expression syntax.
+ */
+declare function sanitizeSsti(input: string, collectThreats?: false): string;
+declare function sanitizeSsti(input: string, collectThreats: true): SanitizeResult;
+/**
+ * Checks if a string contains SSTI patterns.
+ * Does not sanitize — use sanitizeSsti() for that.
+ *
+ * @param input - The string to check
+ * @returns True if SSTI patterns detected
+ */
+declare function detectSsti(input: string): boolean;
+
+/**
+ * @module @arcis/node/sanitizers/xxe
+ * XML External Entity (XXE) injection prevention
+ */
+
+/**
+ * Sanitizes a string to prevent XXE attacks.
+ * Removes DOCTYPE, ENTITY, and CDATA constructs.
+ */
+declare function sanitizeXxe(input: string, collectThreats?: false): string;
+declare function sanitizeXxe(input: string, collectThreats: true): SanitizeResult;
+/**
+ * Checks if a string contains XXE patterns.
+ * Does not sanitize — use sanitizeXxe() for that.
+ *
+ * @param input - The string to check
+ * @returns True if XXE patterns detected
+ */
+declare function detectXxe(input: string): boolean;
+
+/**
+ * @module @arcis/node/sanitizers/jsonp
+ * JSONP callback sanitization to prevent XSS via callback parameters
+ */
+/**
+ * Validates and sanitizes a JSONP callback parameter.
+ *
+ * Returns the callback name if safe, or null if the callback is dangerous.
+ * Use this to validate `?callback=` query parameters before wrapping responses.
+ *
+ * @param callback - The callback parameter value
+ * @param maxLength - Maximum allowed length (default: 128)
+ * @returns The safe callback name, or null if invalid
+ *
+ * @example
+ * ```ts
+ * const cb = sanitizeJsonpCallback(req.query.callback);
+ * if (cb) {
+ *   res.set('Content-Type', 'application/javascript');
+ *   res.send(`${cb}(${JSON.stringify(data)})`);
+ * } else {
+ *   res.status(400).json({ error: 'Invalid callback' });
+ * }
+ * ```
+ */
+declare function sanitizeJsonpCallback(callback: string, maxLength?: number): string | null;
+/**
+ * Checks if a JSONP callback parameter contains potentially dangerous content.
+ *
+ * @param callback - The callback parameter value
+ * @returns True if the callback is dangerous / invalid
+ */
+declare function detectJsonpInjection(callback: string): boolean;
+
 /**
  * @module @arcis/node/sanitizers/nosql
  * NoSQL injection prevention (MongoDB operators)
@@ -281,4 +355,84 @@ declare function sanitizeHeaders(headers: Record<string, string>): Record<string
  */
 declare function detectHeaderInjection(input: string): boolean;
 
-export { detectHeaderInjection as a, detectNoSqlInjection as b, createSanitizer as c, detectCommandInjection as d, detectPathTraversal as e, detectPrototypePollution as f, detectSql as g, detectXss as h, getDangerousOperators as i, getDangerousProtoKeys as j, isDangerousNoSqlKey as k, isDangerousProtoKey as l, sanitizeHeaderValue as m, sanitizeHeaders as n, sanitizeObject as o, sanitizePath as p, sanitizeSql as q, sanitizeString as r, sanitizeCommand as s, sanitizeXss as t };
+/**
+ * @module @arcis/node/sanitizers/pii
+ * PII (Personally Identifiable Information) detection and redaction
+ *
+ * Detects: email addresses, phone numbers, credit card numbers, SSNs, IP addresses
+ */
+type PiiType = 'email' | 'phone' | 'credit_card' | 'ssn' | 'ip_address';
+interface PiiMatch {
+    type: PiiType;
+    value: string;
+    start: number;
+    end: number;
+}
+interface PiiScanOptions {
+    /** PII types to scan for. Default: all types */
+    types?: PiiType[];
+}
+interface PiiRedactOptions extends PiiScanOptions {
+    /** Replacement for redacted values. Default: '[REDACTED]' */
+    replacement?: string;
+    /** Use type-specific replacements like '[EMAIL]', '[SSN]'. Default: false */
+    typeLabels?: boolean;
+}
+/**
+ * Scan a string for PII and return all matches.
+ *
+ * @param input - String to scan
+ * @param options - Optional scan configuration
+ * @returns Array of PII matches with type, value, and position
+ *
+ * @example
+ * scanPii('Call me at 555-123-4567 or email john@example.com')
+ * // [
+ * //   { type: 'phone', value: '555-123-4567', start: 11, end: 23 },
+ * //   { type: 'email', value: 'john@example.com', start: 33, end: 49 }
+ * // ]
+ */
+declare function scanPii(input: string, options?: PiiScanOptions): PiiMatch[];
+/**
+ * Check if a string contains any PII.
+ *
+ * @param input - String to check
+ * @param options - Optional scan configuration
+ * @returns true if PII is detected
+ */
+declare function detectPii(input: string, options?: PiiScanOptions): boolean;
+/**
+ * Redact PII from a string, replacing matches with a placeholder.
+ *
+ * @param input - String to redact
+ * @param options - Redaction options
+ * @returns String with PII replaced
+ *
+ * @example
+ * redactPii('Email: john@example.com, SSN: 123-45-6789')
+ * // 'Email: [REDACTED], SSN: [REDACTED]'
+ *
+ * redactPii('Email: john@example.com', { typeLabels: true })
+ * // 'Email: [EMAIL]'
+ */
+declare function redactPii(input: string, options?: PiiRedactOptions): string;
+/**
+ * Scan an object's string values for PII recursively.
+ *
+ * @param obj - Object to scan
+ * @param options - Optional scan configuration
+ * @returns Array of PII matches with the field path prepended
+ */
+declare function scanObjectPii(obj: Record<string, unknown>, options?: PiiScanOptions, path?: string): (PiiMatch & {
+    field: string;
+})[];
+/**
+ * Redact PII from all string values in an object recursively.
+ *
+ * @param obj - Object to redact
+ * @param options - Redaction options
+ * @returns New object with PII redacted
+ */
+declare function redactObjectPii<T extends Record<string, unknown>>(obj: T, options?: PiiRedactOptions): T;
+
+export { sanitizeString as A, sanitizeXss as B, sanitizeXxe as C, scanObjectPii as D, scanPii as E, type PiiRedactOptions as F, type PiiScanOptions as G, type PiiType as H, type PiiMatch as P, detectHeaderInjection as a, detectJsonpInjection as b, createSanitizer as c, detectCommandInjection as d, detectNoSqlInjection as e, detectPathTraversal as f, detectPii as g, detectPrototypePollution as h, detectSql as i, detectSsti as j, detectXss as k, detectXxe as l, getDangerousOperators as m, getDangerousProtoKeys as n, isDangerousNoSqlKey as o, isDangerousProtoKey as p, redactPii as q, redactObjectPii as r, sanitizeCommand as s, sanitizeHeaderValue as t, sanitizeHeaders as u, sanitizeJsonpCallback as v, sanitizeObject as w, sanitizePath as x, sanitizeSql as y, sanitizeSsti as z };

package/dist/{headers-BJq2OA0i.d.ts → pii-DhNpl7M3.d.ts}

@@ -1,5 +1,5 @@
 import { RequestHandler } from 'express';
-import { i as SanitizeOptions, j as SanitizeResult } from './types-BOdL3ZWo.js';
+import { i as SanitizeOptions, j as SanitizeResult } from './types-CsOFHoD9.js';
 
 /**
  * @module @arcis/node/sanitizers/sanitize
@@ -170,6 +170,80 @@ declare function sanitizeCommand(input: string, collectThreats: true): SanitizeR
  */
 declare function detectCommandInjection(input: string): boolean;
 
+/**
+ * @module @arcis/node/sanitizers/ssti
+ * Server-Side Template Injection (SSTI) prevention
+ */
+
+/**
+ * Sanitizes a string to prevent SSTI attacks.
+ * Removes template expression syntax.
+ */
+declare function sanitizeSsti(input: string, collectThreats?: false): string;
+declare function sanitizeSsti(input: string, collectThreats: true): SanitizeResult;
+/**
+ * Checks if a string contains SSTI patterns.
+ * Does not sanitize — use sanitizeSsti() for that.
+ *
+ * @param input - The string to check
+ * @returns True if SSTI patterns detected
+ */
+declare function detectSsti(input: string): boolean;
+
+/**
+ * @module @arcis/node/sanitizers/xxe
+ * XML External Entity (XXE) injection prevention
+ */
+
+/**
+ * Sanitizes a string to prevent XXE attacks.
+ * Removes DOCTYPE, ENTITY, and CDATA constructs.
+ */
+declare function sanitizeXxe(input: string, collectThreats?: false): string;
+declare function sanitizeXxe(input: string, collectThreats: true): SanitizeResult;
+/**
+ * Checks if a string contains XXE patterns.
+ * Does not sanitize — use sanitizeXxe() for that.
+ *
+ * @param input - The string to check
+ * @returns True if XXE patterns detected
+ */
+declare function detectXxe(input: string): boolean;
+
+/**
+ * @module @arcis/node/sanitizers/jsonp
+ * JSONP callback sanitization to prevent XSS via callback parameters
+ */
+/**
+ * Validates and sanitizes a JSONP callback parameter.
+ *
+ * Returns the callback name if safe, or null if the callback is dangerous.
+ * Use this to validate `?callback=` query parameters before wrapping responses.
+ *
+ * @param callback - The callback parameter value
+ * @param maxLength - Maximum allowed length (default: 128)
+ * @returns The safe callback name, or null if invalid
+ *
+ * @example
+ * ```ts
+ * const cb = sanitizeJsonpCallback(req.query.callback);
+ * if (cb) {
+ *   res.set('Content-Type', 'application/javascript');
+ *   res.send(`${cb}(${JSON.stringify(data)})`);
+ * } else {
+ *   res.status(400).json({ error: 'Invalid callback' });
+ * }
+ * ```
+ */
+declare function sanitizeJsonpCallback(callback: string, maxLength?: number): string | null;
+/**
+ * Checks if a JSONP callback parameter contains potentially dangerous content.
+ *
+ * @param callback - The callback parameter value
+ * @returns True if the callback is dangerous / invalid
+ */
+declare function detectJsonpInjection(callback: string): boolean;
+
 /**
  * @module @arcis/node/sanitizers/nosql
  * NoSQL injection prevention (MongoDB operators)
@@ -281,4 +355,84 @@ declare function sanitizeHeaders(headers: Record<string, string>): Record<string
  */
 declare function detectHeaderInjection(input: string): boolean;
 
-export { detectHeaderInjection as a, detectNoSqlInjection as b, createSanitizer as c, detectCommandInjection as d, detectPathTraversal as e, detectPrototypePollution as f, detectSql as g, detectXss as h, getDangerousOperators as i, getDangerousProtoKeys as j, isDangerousNoSqlKey as k, isDangerousProtoKey as l, sanitizeHeaderValue as m, sanitizeHeaders as n, sanitizeObject as o, sanitizePath as p, sanitizeSql as q, sanitizeString as r, sanitizeCommand as s, sanitizeXss as t };
+/**
+ * @module @arcis/node/sanitizers/pii
+ * PII (Personally Identifiable Information) detection and redaction
+ *
+ * Detects: email addresses, phone numbers, credit card numbers, SSNs, IP addresses
+ */
+type PiiType = 'email' | 'phone' | 'credit_card' | 'ssn' | 'ip_address';
+interface PiiMatch {
+    type: PiiType;
+    value: string;
+    start: number;
+    end: number;
+}
+interface PiiScanOptions {
+    /** PII types to scan for. Default: all types */
+    types?: PiiType[];
+}
+interface PiiRedactOptions extends PiiScanOptions {
+    /** Replacement for redacted values. Default: '[REDACTED]' */
+    replacement?: string;
+    /** Use type-specific replacements like '[EMAIL]', '[SSN]'. Default: false */
+    typeLabels?: boolean;
+}
+/**
+ * Scan a string for PII and return all matches.
+ *
+ * @param input - String to scan
+ * @param options - Optional scan configuration
+ * @returns Array of PII matches with type, value, and position
+ *
+ * @example
+ * scanPii('Call me at 555-123-4567 or email john@example.com')
+ * // [
+ * //   { type: 'phone', value: '555-123-4567', start: 11, end: 23 },
+ * //   { type: 'email', value: 'john@example.com', start: 33, end: 49 }
+ * // ]
+ */
+declare function scanPii(input: string, options?: PiiScanOptions): PiiMatch[];
+/**
+ * Check if a string contains any PII.
+ *
+ * @param input - String to check
+ * @param options - Optional scan configuration
+ * @returns true if PII is detected
+ */
+declare function detectPii(input: string, options?: PiiScanOptions): boolean;
+/**
+ * Redact PII from a string, replacing matches with a placeholder.
+ *
+ * @param input - String to redact
+ * @param options - Redaction options
+ * @returns String with PII replaced
+ *
+ * @example
+ * redactPii('Email: john@example.com, SSN: 123-45-6789')
+ * // 'Email: [REDACTED], SSN: [REDACTED]'
+ *
+ * redactPii('Email: john@example.com', { typeLabels: true })
+ * // 'Email: [EMAIL]'
+ */
+declare function redactPii(input: string, options?: PiiRedactOptions): string;
+/**
+ * Scan an object's string values for PII recursively.
+ *
+ * @param obj - Object to scan
+ * @param options - Optional scan configuration
+ * @returns Array of PII matches with the field path prepended
+ */
+declare function scanObjectPii(obj: Record<string, unknown>, options?: PiiScanOptions, path?: string): (PiiMatch & {
+    field: string;
+})[];
+/**
+ * Redact PII from all string values in an object recursively.
+ *
+ * @param obj - Object to redact
+ * @param options - Redaction options
+ * @returns New object with PII redacted
+ */
+declare function redactObjectPii<T extends Record<string, unknown>>(obj: T, options?: PiiRedactOptions): T;
+
+export { sanitizeString as A, sanitizeXss as B, sanitizeXxe as C, scanObjectPii as D, scanPii as E, type PiiRedactOptions as F, type PiiScanOptions as G, type PiiType as H, type PiiMatch as P, detectHeaderInjection as a, detectJsonpInjection as b, createSanitizer as c, detectCommandInjection as d, detectNoSqlInjection as e, detectPathTraversal as f, detectPii as g, detectPrototypePollution as h, detectSql as i, detectSsti as j, detectXss as k, detectXxe as l, getDangerousOperators as m, getDangerousProtoKeys as n, isDangerousNoSqlKey as o, isDangerousProtoKey as p, redactPii as q, redactObjectPii as r, sanitizeCommand as s, sanitizeHeaderValue as t, sanitizeHeaders as u, sanitizeJsonpCallback as v, sanitizeObject as w, sanitizePath as x, sanitizeSql as y, sanitizeSsti as z };

package/dist/sanitizers/index.d.mts

@@ -1,6 +1,6 @@
-export { c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectNoSqlInjection, e as detectPathTraversal, f as detectPrototypePollution, g as detectSql, h as detectXss, i as getDangerousOperators, j as getDangerousProtoKeys, k as isDangerousNoSqlKey, l as isDangerousProtoKey, s as sanitizeCommand, m as sanitizeHeaderValue, n as sanitizeHeaders, o as sanitizeObject, p as sanitizePath, q as sanitizeSql, r as sanitizeString, t as sanitizeXss } from '../headers-DBQedhrb.mjs';
+export { c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectJsonpInjection, e as detectNoSqlInjection, f as detectPathTraversal, g as detectPii, h as detectPrototypePollution, i as detectSql, j as detectSsti, k as detectXss, l as detectXxe, m as getDangerousOperators, n as getDangerousProtoKeys, o as isDangerousNoSqlKey, p as isDangerousProtoKey, r as redactObjectPii, q as redactPii, s as sanitizeCommand, t as sanitizeHeaderValue, u as sanitizeHeaders, v as sanitizeJsonpCallback, w as sanitizeObject, x as sanitizePath, y as sanitizeSql, z as sanitizeSsti, A as sanitizeString, B as sanitizeXss, C as sanitizeXxe, D as scanObjectPii, E as scanPii } from '../pii-CXcHMlnX.mjs';
 import 'express';
-import '../types-BOdL3ZWo.mjs';
+import '../types-CsOFHoD9.mjs';
 
 /**
  * @module @arcis/node/sanitizers/utils

package/dist/sanitizers/index.d.ts

@@ -1,6 +1,6 @@
-export { c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectNoSqlInjection, e as detectPathTraversal, f as detectPrototypePollution, g as detectSql, h as detectXss, i as getDangerousOperators, j as getDangerousProtoKeys, k as isDangerousNoSqlKey, l as isDangerousProtoKey, s as sanitizeCommand, m as sanitizeHeaderValue, n as sanitizeHeaders, o as sanitizeObject, p as sanitizePath, q as sanitizeSql, r as sanitizeString, t as sanitizeXss } from '../headers-BJq2OA0i.js';
+export { c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectJsonpInjection, e as detectNoSqlInjection, f as detectPathTraversal, g as detectPii, h as detectPrototypePollution, i as detectSql, j as detectSsti, k as detectXss, l as detectXxe, m as getDangerousOperators, n as getDangerousProtoKeys, o as isDangerousNoSqlKey, p as isDangerousProtoKey, r as redactObjectPii, q as redactPii, s as sanitizeCommand, t as sanitizeHeaderValue, u as sanitizeHeaders, v as sanitizeJsonpCallback, w as sanitizeObject, x as sanitizePath, y as sanitizeSql, z as sanitizeSsti, A as sanitizeString, B as sanitizeXss, C as sanitizeXxe, D as scanObjectPii, E as scanPii } from '../pii-DhNpl7M3.js';
 import 'express';
-import '../types-BOdL3ZWo.js';
+import '../types-CsOFHoD9.js';
 
 /**
  * @module @arcis/node/sanitizers/utils