npm - @arcis/node - Versions diffs - 1.1.0 → 1.3.0 - Mend

@arcis/node 1.1.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/README.md +156 -211
package/dist/core/index.d.mts +4 -4
package/dist/core/index.d.ts +4 -4
package/dist/core/index.js +13 -2
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +13 -2
package/dist/core/index.mjs.map +1 -1
package/dist/{headers-DBQedhrb.d.mts → encode-CrQCGlBq.d.mts} +202 -2
package/dist/{headers-BJq2OA0i.d.ts → encode-jl9sOwmA.d.ts} +202 -2
package/dist/{index-BvcFpoR3.d.ts → index-BAhgn9V2.d.ts} +96 -2
package/dist/{index-iCOw8Fcg.d.ts → index-BGNKspqH.d.ts} +1 -1
package/dist/{index-CslcoZUN.d.mts → index-Cd02z-0j.d.mts} +1 -1
package/dist/{index-CCcPuTBo.d.mts → index-DgJtWMSj.d.mts} +96 -2
package/dist/index.d.mts +4 -4
package/dist/index.d.ts +4 -4
package/dist/index.js +647 -7
package/dist/index.js.map +1 -1
package/dist/index.mjs +629 -9
package/dist/index.mjs.map +1 -1
package/dist/logging/index.d.mts +1 -1
package/dist/logging/index.d.ts +1 -1
package/dist/logging/index.js +12 -1
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs +12 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/middleware/index.d.mts +2 -2
package/dist/middleware/index.d.ts +2 -2
package/dist/middleware/index.js +168 -6
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +165 -7
package/dist/middleware/index.mjs.map +1 -1
package/dist/sanitizers/index.d.mts +2 -2
package/dist/sanitizers/index.d.ts +2 -2
package/dist/sanitizers/index.js +403 -3
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +388 -4
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/stores/index.d.mts +1 -1
package/dist/stores/index.d.ts +1 -1
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs.map +1 -1
package/dist/{types-BOdL3ZWo.d.mts → types-BOkx5YJc.d.mts} +17 -2
package/dist/{types-BOdL3ZWo.d.ts → types-BOkx5YJc.d.ts} +17 -2
package/dist/validation/index.d.mts +2 -2
package/dist/validation/index.d.ts +2 -2
package/dist/validation/index.js +105 -3
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs +105 -3
package/dist/validation/index.mjs.map +1 -1
package/package.json +114 -114

package/dist/validation/index.mjs CHANGED Viewed

@@ -51,7 +51,11 @@ var SQL_PATTERNS = [
   /** Time-based blind: SLEEP() */
   /\bSLEEP\s*\(\s*\d+\s*\)/gi,
   /** Time-based blind: BENCHMARK() */
-  /\bBENCHMARK\s*\(/gi
+  /\bBENCHMARK\s*\(/gi,
+  /** Time-based blind: PostgreSQL pg_sleep() */
+  /\bpg_sleep\s*\(/gi,
+  /** Time-based blind: MSSQL WAITFOR DELAY */
+  /\bWAITFOR\s+DELAY\b/gi
 ];
 var PATH_PATTERNS = [
   /** Unix path traversal */
@@ -69,6 +73,10 @@ var PATH_PATTERNS = [
   /\.%2e[\\/]/gi,
   /** Fully URL-encoded: %2e%2e%2f */
   /%2e%2e%2f/gi,
+  /** Double URL-encoded forward slash: %252f */
+  /%252f/gi,
+  /** Dotdotslash bypass: ....// or ....\\ */
+  /\.{2,}[/\\]{2,}/g,
   /** Null byte injection in paths */
   /\0/g
 ];
@@ -84,7 +92,9 @@ var COMMAND_PATTERNS = [
    */
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
-  /\$\(/g
+  /\$\(/g,
+  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
+  /%0[ad]/gi
 ];
 var VALIDATION = {
   /**
@@ -735,6 +745,18 @@ function validateUrl(url, options = {}) {
       return { safe: false, reason: "loopback address" };
     }
   }
+  if (!allowLocalhost || !allowPrivate) {
+    const decimalCheck = checkDecimalIp(hostname, allowLocalhost, allowPrivate);
+    if (decimalCheck) {
+      return { safe: false, reason: decimalCheck };
+    }
+  }
+  if (!allowLocalhost || !allowPrivate) {
+    const octalCheck = checkOctalIp(hostname, allowLocalhost, allowPrivate);
+    if (octalCheck) {
+      return { safe: false, reason: octalCheck };
+    }
+  }
   if (!allowPrivate) {
     const privateCheck = checkPrivateIp(hostname);
     if (privateCheck) {
@@ -766,13 +788,93 @@ function checkPrivateIp(hostname) {
   if (/^0\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
     return "current network address (0.0.0.0/8)";
   }
-  if (hostname === "metadata.google.internal" || hostname === "metadata.internal") {
+  if (hostname === "metadata.google.internal" || hostname === "metadata.internal" || hostname === "metadata.azure.internal") {
     return "cloud metadata endpoint";
   }
   const ipv6 = hostname.replace(/^\[|\]$/g, "");
   if (ipv6 === "::1" || ipv6 === "::" || ipv6.startsWith("fc") || ipv6.startsWith("fd") || ipv6.startsWith("fe80")) {
     return "private IPv6 address";
   }
+  const mappedDotted = ipv6.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i);
+  if (mappedDotted) {
+    const mappedIp = mappedDotted[1];
+    if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(mappedIp)) {
+      return "IPv6-mapped loopback address";
+    }
+    const mappedCheck = checkPrivateIp(mappedIp);
+    if (mappedCheck) {
+      return `IPv6-mapped ${mappedCheck}`;
+    }
+  }
+  const mappedHex = ipv6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i);
+  if (mappedHex) {
+    const hi = parseInt(mappedHex[1], 16);
+    const lo = parseInt(mappedHex[2], 16);
+    const a = hi >> 8 & 255;
+    const b = hi & 255;
+    const c = lo >> 8 & 255;
+    const d = lo & 255;
+    const dotted = `${a}.${b}.${c}.${d}`;
+    if (a === 127) {
+      return "IPv6-mapped loopback address";
+    }
+    const hexCheck = checkPrivateIp(dotted);
+    if (hexCheck) {
+      return `IPv6-mapped ${hexCheck}`;
+    }
+  }
+  return null;
+}
+function checkDecimalIp(hostname, allowLocalhost, allowPrivate) {
+  if (!/^\d+$/.test(hostname)) return null;
+  const num = parseInt(hostname, 10);
+  if (isNaN(num) || num < 0 || num > 4294967295) return null;
+  const a = num >>> 24 & 255;
+  const b = num >>> 16 & 255;
+  const c = num >>> 8 & 255;
+  const d = num & 255;
+  const dotted = `${a}.${b}.${c}.${d}`;
+  if (!allowLocalhost && a === 127) {
+    return `loopback address (decimal IP: ${dotted})`;
+  }
+  if (!allowPrivate) {
+    const privateCheck = checkPrivateIp(dotted);
+    if (privateCheck) {
+      return `${privateCheck} (decimal IP: ${dotted})`;
+    }
+  }
+  return null;
+}
+function checkOctalIp(hostname, allowLocalhost, allowPrivate) {
+  const parts = hostname.split(".");
+  if (parts.length !== 4) return null;
+  const hasAlternateNotation = parts.some((p) => /^0[0-7]+$/.test(p) || /^0x[0-9a-fA-F]+$/i.test(p));
+  if (!hasAlternateNotation) return null;
+  const octets = [];
+  for (const part of parts) {
+    let val;
+    if (/^0x[0-9a-fA-F]+$/i.test(part)) {
+      val = parseInt(part, 16);
+    } else if (/^0[0-7]*$/.test(part)) {
+      val = parseInt(part, 8);
+    } else if (/^\d+$/.test(part)) {
+      val = parseInt(part, 10);
+    } else {
+      return null;
+    }
+    if (val < 0 || val > 255) return null;
+    octets.push(val);
+  }
+  const dotted = octets.join(".");
+  if (!allowLocalhost && octets[0] === 127) {
+    return `loopback address (octal IP: ${dotted})`;
+  }
+  if (!allowPrivate) {
+    const privateCheck = checkPrivateIp(dotted);
+    if (privateCheck) {
+      return `${privateCheck} (octal IP: ${dotted})`;
+    }
+  }
   return null;
 }