npm - @arcis/node - Versions diffs - 1.1.0 → 1.2.0 - Mend

@arcis/node 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/README.md +156 -211
package/dist/core/index.d.mts +4 -4
package/dist/core/index.d.ts +4 -4
package/dist/core/index.js +13 -2
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +13 -2
package/dist/core/index.mjs.map +1 -1
package/dist/{index-CslcoZUN.d.mts → index-A-m-pPeW.d.mts} +1 -1
package/dist/{index-CCcPuTBo.d.mts → index-CgK94hY_.d.mts} +96 -2
package/dist/{index-iCOw8Fcg.d.ts → index-Co5kPRZz.d.ts} +1 -1
package/dist/{index-BvcFpoR3.d.ts → index-D_bdJcF0.d.ts} +96 -2
package/dist/index.d.mts +4 -4
package/dist/index.d.ts +4 -4
package/dist/index.js +553 -5
package/dist/index.js.map +1 -1
package/dist/index.mjs +540 -7
package/dist/index.mjs.map +1 -1
package/dist/logging/index.d.mts +1 -1
package/dist/logging/index.d.ts +1 -1
package/dist/logging/index.js +12 -1
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs +12 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/middleware/index.d.mts +2 -2
package/dist/middleware/index.d.ts +2 -2
package/dist/middleware/index.js +146 -4
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +143 -5
package/dist/middleware/index.mjs.map +1 -1
package/dist/{headers-DBQedhrb.d.mts → pii-CXcHMlnX.d.mts} +156 -2
package/dist/{headers-BJq2OA0i.d.ts → pii-DhNpl7M3.d.ts} +156 -2
package/dist/sanitizers/index.d.mts +2 -2
package/dist/sanitizers/index.d.ts +2 -2
package/dist/sanitizers/index.js +331 -3
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +321 -4
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/stores/index.d.mts +1 -1
package/dist/stores/index.d.ts +1 -1
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs.map +1 -1
package/dist/{types-BOdL3ZWo.d.mts → types-CsOFHoD9.d.mts} +6 -1
package/dist/{types-BOdL3ZWo.d.ts → types-CsOFHoD9.d.ts} +6 -1
package/dist/validation/index.d.mts +2 -2
package/dist/validation/index.d.ts +2 -2
package/dist/validation/index.js +105 -3
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs +105 -3
package/dist/validation/index.mjs.map +1 -1
package/package.json +114 -114

package/dist/sanitizers/index.js CHANGED Viewed

@@ -76,7 +76,11 @@ var SQL_PATTERNS = [
   /** Time-based blind: SLEEP() */
   /\bSLEEP\s*\(\s*\d+\s*\)/gi,
   /** Time-based blind: BENCHMARK() */
-  /\bBENCHMARK\s*\(/gi
+  /\bBENCHMARK\s*\(/gi,
+  /** Time-based blind: PostgreSQL pg_sleep() */
+  /\bpg_sleep\s*\(/gi,
+  /** Time-based blind: MSSQL WAITFOR DELAY */
+  /\bWAITFOR\s+DELAY\b/gi
 ];
 var PATH_PATTERNS = [
   /** Unix path traversal */
@@ -94,6 +98,10 @@ var PATH_PATTERNS = [
   /\.%2e[\\/]/gi,
   /** Fully URL-encoded: %2e%2e%2f */
   /%2e%2e%2f/gi,
+  /** Double URL-encoded forward slash: %252f */
+  /%252f/gi,
+  /** Dotdotslash bypass: ....// or ....\\ */
+  /\.{2,}[/\\]{2,}/g,
   /** Null byte injection in paths */
   /\0/g
 ];
@@ -109,7 +117,9 @@ var COMMAND_PATTERNS = [
    */
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
-  /\$\(/g
+  /\$\(/g,
+  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
+  /%0[ad]/gi
 ];
 var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
   "__proto__",
@@ -143,6 +153,7 @@ var NOSQL_DANGEROUS_KEYS = /* @__PURE__ */ new Set([
   "$expr",
   "$mod",
   "$text",
+  "$jsonSchema",
   // Array
   "$elemMatch",
   "$all",
@@ -432,7 +443,8 @@ function sanitizeObject(obj, options = {}) {
   if (typeof obj === "string") return sanitizeString(obj, options);
   if (typeof obj !== "object") return obj;
   if (Array.isArray(obj)) return obj.map((item) => sanitizeObject(item, options));
-  return sanitizeObjectDepth(obj, options, 0);
+  const result = sanitizeObjectDepth(obj, options, 0);
+  return options.freeze ? Object.freeze(result) : result;
 }
 function sanitizeObjectDepth(obj, options, depth) {
   if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;
@@ -535,6 +547,179 @@ function getDangerousProtoKeys() {
   return Array.from(DANGEROUS_PROTO_KEYS);
 }
+// src/sanitizers/ssti.ts
+var SSTI_DETECT_PATTERNS = [
+  /** Jinja2 / Twig / Nunjucks: {{ ... }} */
+  /\{\{.*?\}\}/g,
+  /** Freemarker / Thymeleaf / Spring EL: ${ ... } */
+  /\$\{.*?\}/g,
+  /** ERB / EJS: <%= ... %> or <% ... %> */
+  /<%[=\-]?.*?%>/gs,
+  /** Pug / Jade / Slim: #{ ... } */
+  /#\{.*?\}/g,
+  /** Python dunder sandbox escape */
+  /__(?:class|mro|subclasses|globals|builtins|import)__/gi,
+  /** Jinja2 config leak: {{config.X}} or {{config['X']}} */
+  /\{\{\s*config[.\[]/gi,
+  /** Jinja2 built-in objects */
+  /\{\{\s*(?:self|request|lipsum|cycler|joiner|namespace|range)\b/gi
+];
+var SSTI_REMOVE_PATTERNS = [
+  /\{\{.*?\}\}/g,
+  /\$\{.*?\}/g,
+  /<%[=\-]?.*?%>/gs,
+  /#\{.*?\}/g,
+  /__(?:class|mro|subclasses|globals|builtins|import)__/gi
+];
+function sanitizeSsti(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of SSTI_REMOVE_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "ssti",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, "");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectSsti(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of SSTI_DETECT_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+// src/sanitizers/xxe.ts
+var XXE_DETECT_PATTERNS = [
+  /** DOCTYPE declaration */
+  /<!DOCTYPE\b/gi,
+  /** ENTITY declaration */
+  /<!ENTITY\b/gi,
+  /** SYSTEM keyword with URI */
+  /\bSYSTEM\s+["']/gi,
+  /** PUBLIC keyword with URI */
+  /\bPUBLIC\s+["']/gi,
+  /** Parameter entity reference (%entity;) */
+  /%\s*\w+\s*;/g,
+  /** CDATA section (often used to smuggle payloads) */
+  /<!\[CDATA\[/gi
+];
+var XXE_REMOVE_PATTERNS = [
+  /** Full DOCTYPE block with optional internal subset: <!DOCTYPE ... [...]> */
+  /<!DOCTYPE\s[^[>]*(?:\[[^\]]*\]\s*)?>|<!DOCTYPE\s[^>]*>/gi,
+  /** Full ENTITY declaration: <!ENTITY ... > */
+  /<!ENTITY[^>]*>/gi,
+  /** CDATA sections: <![CDATA[ ... ]]> */
+  /<!\[CDATA\[[\s\S]*?\]\]>/gi
+];
+function sanitizeXxe(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of XXE_REMOVE_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "xxe",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, "");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectXxe(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of XXE_DETECT_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+// src/sanitizers/jsonp.ts
+var SAFE_CALLBACK_PATTERN = /^[a-zA-Z_$][a-zA-Z0-9_$.[\]]*$/;
+var DANGEROUS_CALLBACK_PATTERNS = [
+  /\.\./,
+  // prototype chain traversal
+  /\[\s*\]/
+  // empty bracket access
+];
+function sanitizeJsonpCallback(callback, maxLength = 128) {
+  if (typeof callback !== "string" || callback.length === 0) {
+    return null;
+  }
+  if (callback.length > maxLength) {
+    return null;
+  }
+  if (!SAFE_CALLBACK_PATTERN.test(callback)) {
+    return null;
+  }
+  for (const pattern of DANGEROUS_CALLBACK_PATTERNS) {
+    if (pattern.test(callback)) {
+      return null;
+    }
+  }
+  return callback;
+}
+function detectJsonpInjection(callback) {
+  if (typeof callback !== "string" || callback.length === 0) {
+    return false;
+  }
+  if (!SAFE_CALLBACK_PATTERN.test(callback)) {
+    return true;
+  }
+  for (const pattern of DANGEROUS_CALLBACK_PATTERNS) {
+    if (pattern.test(callback)) {
+      return true;
+    }
+  }
+  return false;
+}
 // src/sanitizers/headers.ts
 var HEADER_INJECTION_PATTERN = /\r\n|\r|\n|\0/g;
 function sanitizeHeaderValue(input, collectThreats = false) {
@@ -584,27 +769,170 @@ function detectHeaderInjection(input) {
   return HEADER_INJECTION_PATTERN.test(input);
 }
+// src/sanitizers/pii.ts
+var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+/g;
+var PHONE_RE = /(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}/g;
+var CREDIT_CARD_RE = /\b(?:\d[ -]*?){13,19}\b/g;
+var SSN_RE = /\b\d{3}[-\s]\d{2}[-\s]\d{4}\b/g;
+var IPV4_RE = /\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b/g;
+var IPV6_RE = /\b(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b|\b(?:[0-9a-fA-F]{1,4}:){1,7}:|::(?:[0-9a-fA-F]{1,4}:){0,5}[0-9a-fA-F]{1,4}\b/g;
+var PATTERN_MAP = {
+  email: [EMAIL_RE],
+  phone: [PHONE_RE],
+  credit_card: [CREDIT_CARD_RE],
+  ssn: [SSN_RE],
+  ip_address: [IPV4_RE, IPV6_RE]
+};
+var ALL_TYPES = ["email", "phone", "credit_card", "ssn", "ip_address"];
+var TYPE_LABELS = {
+  email: "[EMAIL]",
+  phone: "[PHONE]",
+  credit_card: "[CREDIT_CARD]",
+  ssn: "[SSN]",
+  ip_address: "[IP_ADDRESS]"
+};
+function luhnCheck(value) {
+  const digits = value.replace(/[\s-]/g, "");
+  if (!/^\d{13,19}$/.test(digits)) return false;
+  let sum = 0;
+  let alternate = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let n = parseInt(digits[i], 10);
+    if (alternate) {
+      n *= 2;
+      if (n > 9) n -= 9;
+    }
+    sum += n;
+    alternate = !alternate;
+  }
+  return sum % 10 === 0;
+}
+function scanPii(input, options = {}) {
+  if (!input || typeof input !== "string") return [];
+  const types = options.types ?? ALL_TYPES;
+  const matches = [];
+  for (const type of types) {
+    const patterns = PATTERN_MAP[type];
+    if (!patterns) continue;
+    for (const pattern of patterns) {
+      const re = new RegExp(pattern.source, pattern.flags);
+      let match;
+      while ((match = re.exec(input)) !== null) {
+        const value = match[0];
+        if (type === "credit_card" && !luhnCheck(value)) continue;
+        if (type === "ssn") {
+          const area = parseInt(value.substring(0, 3), 10);
+          if (area === 0 || area === 666 || area >= 900) continue;
+        }
+        matches.push({
+          type,
+          value,
+          start: match.index,
+          end: match.index + value.length
+        });
+      }
+    }
+  }
+  matches.sort((a, b) => a.start - b.start);
+  return matches;
+}
+function detectPii(input, options = {}) {
+  return scanPii(input, options).length > 0;
+}
+function redactPii(input, options = {}) {
+  if (!input || typeof input !== "string") return input;
+  const matches = scanPii(input, options);
+  if (matches.length === 0) return input;
+  const replacement = options.replacement ?? "[REDACTED]";
+  let result = input;
+  for (let i = matches.length - 1; i >= 0; i--) {
+    const m = matches[i];
+    const label = options.typeLabels ? TYPE_LABELS[m.type] : replacement;
+    result = result.substring(0, m.start) + label + result.substring(m.end);
+  }
+  return result;
+}
+function scanObjectPii(obj, options = {}, path = "") {
+  const results = [];
+  if (!obj || typeof obj !== "object") return results;
+  for (const [key, value] of Object.entries(obj)) {
+    const fieldPath = path ? `${path}.${key}` : key;
+    if (typeof value === "string") {
+      const matches = scanPii(value, options);
+      for (const m of matches) {
+        results.push({ ...m, field: fieldPath });
+      }
+    } else if (value && typeof value === "object" && !Array.isArray(value)) {
+      results.push(...scanObjectPii(value, options, fieldPath));
+    } else if (Array.isArray(value)) {
+      for (let i = 0; i < value.length; i++) {
+        const item = value[i];
+        if (typeof item === "string") {
+          const matches = scanPii(item, options);
+          for (const m of matches) {
+            results.push({ ...m, field: `${fieldPath}[${i}]` });
+          }
+        } else if (item && typeof item === "object") {
+          results.push(...scanObjectPii(item, options, `${fieldPath}[${i}]`));
+        }
+      }
+    }
+  }
+  return results;
+}
+function redactObjectPii(obj, options = {}) {
+  if (!obj || typeof obj !== "object") return obj;
+  const result = {};
+  for (const [key, value] of Object.entries(obj)) {
+    if (typeof value === "string") {
+      result[key] = redactPii(value, options);
+    } else if (Array.isArray(value)) {
+      result[key] = value.map((item) => {
+        if (typeof item === "string") return redactPii(item, options);
+        if (item && typeof item === "object") return redactObjectPii(item, options);
+        return item;
+      });
+    } else if (value && typeof value === "object") {
+      result[key] = redactObjectPii(value, options);
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
 exports.createSanitizer = createSanitizer;
 exports.detectCommandInjection = detectCommandInjection;
 exports.detectHeaderInjection = detectHeaderInjection;
+exports.detectJsonpInjection = detectJsonpInjection;
 exports.detectNoSqlInjection = detectNoSqlInjection;
 exports.detectPathTraversal = detectPathTraversal;
+exports.detectPii = detectPii;
 exports.detectPrototypePollution = detectPrototypePollution;
 exports.detectSql = detectSql;
+exports.detectSsti = detectSsti;
 exports.detectXss = detectXss;
+exports.detectXxe = detectXxe;
 exports.encodeHtmlEntities = encodeHtmlEntities;
 exports.getDangerousOperators = getDangerousOperators;
 exports.getDangerousProtoKeys = getDangerousProtoKeys;
 exports.isDangerousNoSqlKey = isDangerousNoSqlKey;
 exports.isDangerousProtoKey = isDangerousProtoKey;
 exports.isPlainObject = isPlainObject;
+exports.redactObjectPii = redactObjectPii;
+exports.redactPii = redactPii;
 exports.sanitizeCommand = sanitizeCommand;
 exports.sanitizeHeaderValue = sanitizeHeaderValue;
 exports.sanitizeHeaders = sanitizeHeaders;
+exports.sanitizeJsonpCallback = sanitizeJsonpCallback;
 exports.sanitizeObject = sanitizeObject;
 exports.sanitizePath = sanitizePath;
 exports.sanitizeSql = sanitizeSql;
+exports.sanitizeSsti = sanitizeSsti;
 exports.sanitizeString = sanitizeString;
 exports.sanitizeXss = sanitizeXss;
+exports.sanitizeXxe = sanitizeXxe;
+exports.scanObjectPii = scanObjectPii;
+exports.scanPii = scanPii;
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map