@arcis/node 1.1.0 → 1.3.0

package/dist/index.js

@@ -119,7 +119,11 @@ var SQL_PATTERNS = [
   /** Time-based blind: SLEEP() */
   /\bSLEEP\s*\(\s*\d+\s*\)/gi,
   /** Time-based blind: BENCHMARK() */
-  /\bBENCHMARK\s*\(/gi
+  /\bBENCHMARK\s*\(/gi,
+  /** Time-based blind: PostgreSQL pg_sleep() */
+  /\bpg_sleep\s*\(/gi,
+  /** Time-based blind: MSSQL WAITFOR DELAY */
+  /\bWAITFOR\s+DELAY\b/gi
 ];
 var PATH_PATTERNS = [
   /** Unix path traversal */
@@ -137,6 +141,10 @@ var PATH_PATTERNS = [
   /\.%2e[\\/]/gi,
   /** Fully URL-encoded: %2e%2e%2f */
   /%2e%2e%2f/gi,
+  /** Double URL-encoded forward slash: %252f */
+  /%252f/gi,
+  /** Dotdotslash bypass: ....// or ....\\ */
+  /\.{2,}[/\\]{2,}/g,
   /** Null byte injection in paths */
   /\0/g
 ];
@@ -152,7 +160,9 @@ var COMMAND_PATTERNS = [
    */
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
-  /\$\(/g
+  /\$\(/g,
+  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
+  /%0[ad]/gi
 ];
 var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
   "__proto__",
@@ -186,6 +196,7 @@ var NOSQL_DANGEROUS_KEYS = /* @__PURE__ */ new Set([
   "$expr",
   "$mod",
   "$text",
+  "$jsonSchema",
   // Array
   "$elemMatch",
   "$all",
@@ -296,7 +307,12 @@ function createHeaders(options = {}) {
     hsts = true,
     referrerPolicy = HEADERS.REFERRER_POLICY,
     permissionsPolicy = HEADERS.PERMISSIONS_POLICY,
-    cacheControl = true
+    cacheControl = true,
+    crossOriginOpenerPolicy = "same-origin",
+    crossOriginResourcePolicy = "same-origin",
+    crossOriginEmbedderPolicy = "require-corp",
+    originAgentCluster = true,
+    dnsPrefetchControl = true
   } = options;
   return (req, res, next) => {
     if (contentSecurityPolicy) {
@@ -304,7 +320,7 @@ function createHeaders(options = {}) {
       res.setHeader("Content-Security-Policy", csp);
     }
     if (xssFilter) {
-      res.setHeader("X-XSS-Protection", "1; mode=block");
+      res.setHeader("X-XSS-Protection", "0");
     }
     if (noSniff) {
       res.setHeader("X-Content-Type-Options", HEADERS.CONTENT_TYPE_OPTIONS);
@@ -331,6 +347,21 @@ function createHeaders(options = {}) {
     if (permissionsPolicy) {
       res.setHeader("Permissions-Policy", permissionsPolicy);
     }
+    if (crossOriginOpenerPolicy) {
+      res.setHeader("Cross-Origin-Opener-Policy", crossOriginOpenerPolicy);
+    }
+    if (crossOriginResourcePolicy) {
+      res.setHeader("Cross-Origin-Resource-Policy", crossOriginResourcePolicy);
+    }
+    if (crossOriginEmbedderPolicy) {
+      res.setHeader("Cross-Origin-Embedder-Policy", crossOriginEmbedderPolicy);
+    }
+    if (originAgentCluster) {
+      res.setHeader("Origin-Agent-Cluster", "?1");
+    }
+    if (dnsPrefetchControl) {
+      res.setHeader("X-DNS-Prefetch-Control", "off");
+    }
     res.setHeader("X-Permitted-Cross-Domain-Policies", "none");
     if (cacheControl) {
       const cacheControlValue = typeof cacheControl === "string" ? cacheControl : HEADERS.CACHE_CONTROL;
@@ -786,7 +817,8 @@ function sanitizeObject(obj, options = {}) {
   if (typeof obj === "string") return sanitizeString(obj, options);
   if (typeof obj !== "object") return obj;
   if (Array.isArray(obj)) return obj.map((item) => sanitizeObject(item, options));
-  return sanitizeObjectDepth(obj, options, 0);
+  const result = sanitizeObjectDepth(obj, options, 0);
+  return options.freeze ? Object.freeze(result) : result;
 }
 function sanitizeObjectDepth(obj, options, depth) {
   if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;
@@ -883,6 +915,179 @@ function detectPrototypePollution(obj, maxDepth = 10) {
   return false;
 }
 
+// src/sanitizers/ssti.ts
+var SSTI_DETECT_PATTERNS = [
+  /** Jinja2 / Twig / Nunjucks: {{ ... }} */
+  /\{\{.*?\}\}/g,
+  /** Freemarker / Thymeleaf / Spring EL: ${ ... } */
+  /\$\{.*?\}/g,
+  /** ERB / EJS: <%= ... %> or <% ... %> */
+  /<%[=\-]?.*?%>/gs,
+  /** Pug / Jade / Slim: #{ ... } */
+  /#\{.*?\}/g,
+  /** Python dunder sandbox escape */
+  /__(?:class|mro|subclasses|globals|builtins|import)__/gi,
+  /** Jinja2 config leak: {{config.X}} or {{config['X']}} */
+  /\{\{\s*config[.\[]/gi,
+  /** Jinja2 built-in objects */
+  /\{\{\s*(?:self|request|lipsum|cycler|joiner|namespace|range)\b/gi
+];
+var SSTI_REMOVE_PATTERNS = [
+  /\{\{.*?\}\}/g,
+  /\$\{.*?\}/g,
+  /<%[=\-]?.*?%>/gs,
+  /#\{.*?\}/g,
+  /__(?:class|mro|subclasses|globals|builtins|import)__/gi
+];
+function sanitizeSsti(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of SSTI_REMOVE_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "ssti",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, "");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectSsti(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of SSTI_DETECT_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/xxe.ts
+var XXE_DETECT_PATTERNS = [
+  /** DOCTYPE declaration */
+  /<!DOCTYPE\b/gi,
+  /** ENTITY declaration */
+  /<!ENTITY\b/gi,
+  /** SYSTEM keyword with URI */
+  /\bSYSTEM\s+["']/gi,
+  /** PUBLIC keyword with URI */
+  /\bPUBLIC\s+["']/gi,
+  /** Parameter entity reference (%entity;) */
+  /%\s*\w+\s*;/g,
+  /** CDATA section (often used to smuggle payloads) */
+  /<!\[CDATA\[/gi
+];
+var XXE_REMOVE_PATTERNS = [
+  /** Full DOCTYPE block with optional internal subset: <!DOCTYPE ... [...]> */
+  /<!DOCTYPE\s[^[>]*(?:\[[^\]]*\]\s*)?>|<!DOCTYPE\s[^>]*>/gi,
+  /** Full ENTITY declaration: <!ENTITY ... > */
+  /<!ENTITY[^>]*>/gi,
+  /** CDATA sections: <![CDATA[ ... ]]> */
+  /<!\[CDATA\[[\s\S]*?\]\]>/gi
+];
+function sanitizeXxe(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of XXE_REMOVE_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "xxe",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, "");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectXxe(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of XXE_DETECT_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/jsonp.ts
+var SAFE_CALLBACK_PATTERN = /^[a-zA-Z_$][a-zA-Z0-9_$.[\]]*$/;
+var DANGEROUS_CALLBACK_PATTERNS = [
+  /\.\./,
+  // prototype chain traversal
+  /\[\s*\]/
+  // empty bracket access
+];
+function sanitizeJsonpCallback(callback, maxLength = 128) {
+  if (typeof callback !== "string" || callback.length === 0) {
+    return null;
+  }
+  if (callback.length > maxLength) {
+    return null;
+  }
+  if (!SAFE_CALLBACK_PATTERN.test(callback)) {
+    return null;
+  }
+  for (const pattern of DANGEROUS_CALLBACK_PATTERNS) {
+    if (pattern.test(callback)) {
+      return null;
+    }
+  }
+  return callback;
+}
+function detectJsonpInjection(callback) {
+  if (typeof callback !== "string" || callback.length === 0) {
+    return false;
+  }
+  if (!SAFE_CALLBACK_PATTERN.test(callback)) {
+    return true;
+  }
+  for (const pattern of DANGEROUS_CALLBACK_PATTERNS) {
+    if (pattern.test(callback)) {
+      return true;
+    }
+  }
+  return false;
+}
+
 // src/sanitizers/headers.ts
 var HEADER_INJECTION_PATTERN = /\r\n|\r|\n|\0/g;
 function sanitizeHeaderValue(input, collectThreats = false) {
@@ -932,6 +1137,205 @@ function detectHeaderInjection(input) {
   return HEADER_INJECTION_PATTERN.test(input);
 }
 
+// src/sanitizers/pii.ts
+var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+/g;
+var PHONE_RE = /(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}/g;
+var CREDIT_CARD_RE = /\b(?:\d[ -]*?){13,19}\b/g;
+var SSN_RE = /\b\d{3}[-\s]\d{2}[-\s]\d{4}\b/g;
+var IPV4_RE = /\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b/g;
+var IPV6_RE = /\b(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b|\b(?:[0-9a-fA-F]{1,4}:){1,7}:|::(?:[0-9a-fA-F]{1,4}:){0,5}[0-9a-fA-F]{1,4}\b/g;
+var PATTERN_MAP = {
+  email: [EMAIL_RE],
+  phone: [PHONE_RE],
+  credit_card: [CREDIT_CARD_RE],
+  ssn: [SSN_RE],
+  ip_address: [IPV4_RE, IPV6_RE]
+};
+var ALL_TYPES = ["email", "phone", "credit_card", "ssn", "ip_address"];
+var TYPE_LABELS = {
+  email: "[EMAIL]",
+  phone: "[PHONE]",
+  credit_card: "[CREDIT_CARD]",
+  ssn: "[SSN]",
+  ip_address: "[IP_ADDRESS]"
+};
+function luhnCheck(value) {
+  const digits = value.replace(/[\s-]/g, "");
+  if (!/^\d{13,19}$/.test(digits)) return false;
+  let sum = 0;
+  let alternate = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let n = parseInt(digits[i], 10);
+    if (alternate) {
+      n *= 2;
+      if (n > 9) n -= 9;
+    }
+    sum += n;
+    alternate = !alternate;
+  }
+  return sum % 10 === 0;
+}
+function scanPii(input, options = {}) {
+  if (!input || typeof input !== "string") return [];
+  const types = options.types ?? ALL_TYPES;
+  const matches = [];
+  for (const type of types) {
+    const patterns = PATTERN_MAP[type];
+    if (!patterns) continue;
+    for (const pattern of patterns) {
+      const re = new RegExp(pattern.source, pattern.flags);
+      let match;
+      while ((match = re.exec(input)) !== null) {
+        const value = match[0];
+        if (type === "credit_card" && !luhnCheck(value)) continue;
+        if (type === "ssn") {
+          const area = parseInt(value.substring(0, 3), 10);
+          if (area === 0 || area === 666 || area >= 900) continue;
+        }
+        matches.push({
+          type,
+          value,
+          start: match.index,
+          end: match.index + value.length
+        });
+      }
+    }
+  }
+  matches.sort((a, b) => a.start - b.start);
+  return matches;
+}
+function detectPii(input, options = {}) {
+  return scanPii(input, options).length > 0;
+}
+function redactPii(input, options = {}) {
+  if (!input || typeof input !== "string") return input;
+  const matches = scanPii(input, options);
+  if (matches.length === 0) return input;
+  const replacement = options.replacement ?? "[REDACTED]";
+  let result = input;
+  for (let i = matches.length - 1; i >= 0; i--) {
+    const m = matches[i];
+    const label = options.typeLabels ? TYPE_LABELS[m.type] : replacement;
+    result = result.substring(0, m.start) + label + result.substring(m.end);
+  }
+  return result;
+}
+function scanObjectPii(obj, options = {}, path = "") {
+  const results = [];
+  if (!obj || typeof obj !== "object") return results;
+  for (const [key, value] of Object.entries(obj)) {
+    const fieldPath = path ? `${path}.${key}` : key;
+    if (typeof value === "string") {
+      const matches = scanPii(value, options);
+      for (const m of matches) {
+        results.push({ ...m, field: fieldPath });
+      }
+    } else if (value && typeof value === "object" && !Array.isArray(value)) {
+      results.push(...scanObjectPii(value, options, fieldPath));
+    } else if (Array.isArray(value)) {
+      for (let i = 0; i < value.length; i++) {
+        const item = value[i];
+        if (typeof item === "string") {
+          const matches = scanPii(item, options);
+          for (const m of matches) {
+            results.push({ ...m, field: `${fieldPath}[${i}]` });
+          }
+        } else if (item && typeof item === "object") {
+          results.push(...scanObjectPii(item, options, `${fieldPath}[${i}]`));
+        }
+      }
+    }
+  }
+  return results;
+}
+function redactObjectPii(obj, options = {}) {
+  if (!obj || typeof obj !== "object") return obj;
+  const result = {};
+  for (const [key, value] of Object.entries(obj)) {
+    if (typeof value === "string") {
+      result[key] = redactPii(value, options);
+    } else if (Array.isArray(value)) {
+      result[key] = value.map((item) => {
+        if (typeof item === "string") return redactPii(item, options);
+        if (item && typeof item === "object") return redactObjectPii(item, options);
+        return item;
+      });
+    } else if (value && typeof value === "object") {
+      result[key] = redactObjectPii(value, options);
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+
+// src/sanitizers/encode.ts
+var HTML_ENTITIES = {
+  "&": "&amp;",
+  "<": "&lt;",
+  ">": "&gt;",
+  '"': "&quot;",
+  "'": "&#x27;"
+};
+var HTML_ENCODE_RE = /[&<>"']/g;
+function encodeForHtml(value) {
+  if (!value) return "";
+  return value.replace(HTML_ENCODE_RE, (ch) => HTML_ENTITIES[ch]);
+}
+function encodeForAttribute(value) {
+  if (!value) return "";
+  let result = "";
+  for (let i = 0; i < value.length; i++) {
+    const ch = value.charCodeAt(i);
+    if (ch >= 48 && ch <= 57 || // 0-9
+    ch >= 65 && ch <= 90 || // A-Z
+    ch >= 97 && ch <= 122) {
+      result += value[i];
+    } else {
+      result += `&#x${ch.toString(16).toUpperCase()};`;
+    }
+  }
+  return result;
+}
+function encodeForJs(value) {
+  if (!value) return "";
+  let result = "";
+  for (let i = 0; i < value.length; i++) {
+    const ch = value.charCodeAt(i);
+    if (ch >= 48 && ch <= 57 || // 0-9
+    ch >= 65 && ch <= 90 || // A-Z
+    ch >= 97 && ch <= 122) {
+      result += value[i];
+    } else if (ch < 256) {
+      result += `\\x${ch.toString(16).toUpperCase().padStart(2, "0")}`;
+    } else {
+      result += `\\u${ch.toString(16).toUpperCase().padStart(4, "0")}`;
+    }
+  }
+  return result;
+}
+function encodeForUrl(value) {
+  if (!value) return "";
+  return encodeURIComponent(value).replace(/[!'()*]/g, (ch) => {
+    return `%${ch.charCodeAt(0).toString(16).toUpperCase()}`;
+  });
+}
+function encodeForCss(value) {
+  if (!value) return "";
+  let result = "";
+  for (let i = 0; i < value.length; i++) {
+    const ch = value.charCodeAt(i);
+    if (ch >= 48 && ch <= 57 || // 0-9
+    ch >= 65 && ch <= 90 || // A-Z
+    ch >= 97 && ch <= 122) {
+      result += value[i];
+    } else {
+      result += `\\${ch.toString(16).toUpperCase()} `;
+    }
+  }
+  return result;
+}
+
 // src/validation/schema.ts
 function validate(schema, source = "body") {
   return (req, res, next) => {
@@ -1312,6 +1716,18 @@ function validateUrl(url, options = {}) {
       return { safe: false, reason: "loopback address" };
     }
   }
+  if (!allowLocalhost || !allowPrivate) {
+    const decimalCheck = checkDecimalIp(hostname, allowLocalhost, allowPrivate);
+    if (decimalCheck) {
+      return { safe: false, reason: decimalCheck };
+    }
+  }
+  if (!allowLocalhost || !allowPrivate) {
+    const octalCheck = checkOctalIp(hostname, allowLocalhost, allowPrivate);
+    if (octalCheck) {
+      return { safe: false, reason: octalCheck };
+    }
+  }
   if (!allowPrivate) {
     const privateCheck = checkPrivateIp(hostname);
     if (privateCheck) {
@@ -1343,13 +1759,93 @@ function checkPrivateIp(hostname) {
   if (/^0\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
     return "current network address (0.0.0.0/8)";
   }
-  if (hostname === "metadata.google.internal" || hostname === "metadata.internal") {
+  if (hostname === "metadata.google.internal" || hostname === "metadata.internal" || hostname === "metadata.azure.internal") {
     return "cloud metadata endpoint";
   }
   const ipv6 = hostname.replace(/^\[|\]$/g, "");
   if (ipv6 === "::1" || ipv6 === "::" || ipv6.startsWith("fc") || ipv6.startsWith("fd") || ipv6.startsWith("fe80")) {
     return "private IPv6 address";
   }
+  const mappedDotted = ipv6.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i);
+  if (mappedDotted) {
+    const mappedIp = mappedDotted[1];
+    if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(mappedIp)) {
+      return "IPv6-mapped loopback address";
+    }
+    const mappedCheck = checkPrivateIp(mappedIp);
+    if (mappedCheck) {
+      return `IPv6-mapped ${mappedCheck}`;
+    }
+  }
+  const mappedHex = ipv6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i);
+  if (mappedHex) {
+    const hi = parseInt(mappedHex[1], 16);
+    const lo = parseInt(mappedHex[2], 16);
+    const a = hi >> 8 & 255;
+    const b = hi & 255;
+    const c = lo >> 8 & 255;
+    const d = lo & 255;
+    const dotted = `${a}.${b}.${c}.${d}`;
+    if (a === 127) {
+      return "IPv6-mapped loopback address";
+    }
+    const hexCheck = checkPrivateIp(dotted);
+    if (hexCheck) {
+      return `IPv6-mapped ${hexCheck}`;
+    }
+  }
+  return null;
+}
+function checkDecimalIp(hostname, allowLocalhost, allowPrivate) {
+  if (!/^\d+$/.test(hostname)) return null;
+  const num = parseInt(hostname, 10);
+  if (isNaN(num) || num < 0 || num > 4294967295) return null;
+  const a = num >>> 24 & 255;
+  const b = num >>> 16 & 255;
+  const c = num >>> 8 & 255;
+  const d = num & 255;
+  const dotted = `${a}.${b}.${c}.${d}`;
+  if (!allowLocalhost && a === 127) {
+    return `loopback address (decimal IP: ${dotted})`;
+  }
+  if (!allowPrivate) {
+    const privateCheck = checkPrivateIp(dotted);
+    if (privateCheck) {
+      return `${privateCheck} (decimal IP: ${dotted})`;
+    }
+  }
+  return null;
+}
+function checkOctalIp(hostname, allowLocalhost, allowPrivate) {
+  const parts = hostname.split(".");
+  if (parts.length !== 4) return null;
+  const hasAlternateNotation = parts.some((p) => /^0[0-7]+$/.test(p) || /^0x[0-9a-fA-F]+$/i.test(p));
+  if (!hasAlternateNotation) return null;
+  const octets = [];
+  for (const part of parts) {
+    let val;
+    if (/^0x[0-9a-fA-F]+$/i.test(part)) {
+      val = parseInt(part, 16);
+    } else if (/^0[0-7]*$/.test(part)) {
+      val = parseInt(part, 8);
+    } else if (/^\d+$/.test(part)) {
+      val = parseInt(part, 10);
+    } else {
+      return null;
+    }
+    if (val < 0 || val > 255) return null;
+    octets.push(val);
+  }
+  const dotted = octets.join(".");
+  if (!allowLocalhost && octets[0] === 127) {
+    return `loopback address (octal IP: ${dotted})`;
+  }
+  if (!allowPrivate) {
+    const privateCheck = checkPrivateIp(dotted);
+    if (privateCheck) {
+      return `${privateCheck} (octal IP: ${dotted})`;
+    }
+  }
   return null;
 }
 
@@ -1665,12 +2161,21 @@ function isValidEmailSyntax(email) {
 }
 
 // src/logging/redactor.ts
+var LOG_LEVELS = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  silent: 4
+};
 function createSafeLogger(options = {}) {
   const {
     redactKeys = [],
     maxLength = REDACTION.DEFAULT_MAX_LENGTH,
-    redactPatterns = []
+    redactPatterns = [],
+    level: minLevel = "debug"
   } = options;
+  const minLevelNum = LOG_LEVELS[minLevel] ?? 0;
   const allRedactKeys = /* @__PURE__ */ new Set([
     ...Array.from(REDACTION.SENSITIVE_KEYS),
     ...redactKeys.map((k) => k.toLowerCase())
@@ -1696,6 +2201,8 @@ function createSafeLogger(options = {}) {
     return result;
   }
   function log(level, message, data) {
+    const levelNum = LOG_LEVELS[level] ?? 0;
+    if (levelNum < minLevelNum) return;
     const entry = {
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       level,
@@ -2302,6 +2809,119 @@ function botProtection(options = {}) {
     next();
   };
 }
+var DEFAULTS = {
+  cookieName: "_csrf",
+  headerName: "x-csrf-token",
+  fieldName: "_csrf",
+  tokenLength: 32,
+  protectedMethods: ["POST", "PUT", "PATCH", "DELETE"]
+};
+function generateCsrfToken(length = 32) {
+  return crypto.randomBytes(length).toString("hex");
+}
+function validateCsrfToken(cookieToken, requestToken) {
+  if (!cookieToken || !requestToken) return false;
+  if (cookieToken.length !== requestToken.length) return false;
+  let result = 0;
+  for (let i = 0; i < cookieToken.length; i++) {
+    result |= cookieToken.charCodeAt(i) ^ requestToken.charCodeAt(i);
+  }
+  return result === 0;
+}
+function getRequestToken(req, headerName, fieldName) {
+  const headerToken = req.headers[headerName.toLowerCase()];
+  if (typeof headerToken === "string" && headerToken) return headerToken;
+  if (req.body && typeof req.body === "object" && fieldName in req.body) {
+    const bodyToken = req.body[fieldName];
+    if (typeof bodyToken === "string" && bodyToken) return bodyToken;
+  }
+  if (req.query && fieldName in req.query) {
+    const queryToken = req.query[fieldName];
+    if (typeof queryToken === "string" && queryToken) return queryToken;
+  }
+  return void 0;
+}
+function csrfProtection(options = {}) {
+  const cookieName = options.cookieName ?? DEFAULTS.cookieName;
+  const headerName = options.headerName ?? DEFAULTS.headerName;
+  const fieldName = options.fieldName ?? DEFAULTS.fieldName;
+  const tokenLength = options.tokenLength ?? DEFAULTS.tokenLength;
+  const protectedMethods = options.protectedMethods ?? [...DEFAULTS.protectedMethods];
+  const excludePaths = options.excludePaths ?? [];
+  const isProduction = process.env.NODE_ENV === "production";
+  const cookieOpts = {
+    path: options.cookie?.path ?? "/",
+    httpOnly: options.cookie?.httpOnly ?? false,
+    // Must be readable by client JS
+    secure: options.cookie?.secure ?? isProduction,
+    sameSite: options.cookie?.sameSite ?? "Lax",
+    domain: options.cookie?.domain
+  };
+  const defaultOnError = (_req, res, _next) => {
+    res.status(403).json({
+      error: "CSRF token validation failed",
+      message: "Invalid or missing CSRF token. Include the token from the cookie in the X-CSRF-Token header."
+    });
+  };
+  const onError = options.onError ?? defaultOnError;
+  const protectedSet = new Set(protectedMethods.map((m) => m.toUpperCase()));
+  return (req, res, next) => {
+    const method = req.method.toUpperCase();
+    const requestPath = req.path || req.url;
+    if (excludePaths.some((p) => requestPath === p || requestPath.startsWith(p + "/"))) {
+      return next();
+    }
+    req.csrfToken = () => {
+      const existing = getCookieValue(req, cookieName);
+      if (existing) return existing;
+      const token = generateCsrfToken(tokenLength);
+      setCsrfCookie(res, cookieName, token, cookieOpts);
+      return token;
+    };
+    if (!protectedSet.has(method)) {
+      const existing = getCookieValue(req, cookieName);
+      if (!existing) {
+        const token = generateCsrfToken(tokenLength);
+        setCsrfCookie(res, cookieName, token, cookieOpts);
+      }
+      return next();
+    }
+    const cookieToken = getCookieValue(req, cookieName);
+    if (!cookieToken) {
+      return onError(req, res, next);
+    }
+    const requestToken = getRequestToken(req, headerName, fieldName);
+    if (!requestToken) {
+      return onError(req, res, next);
+    }
+    if (!validateCsrfToken(cookieToken, requestToken)) {
+      return onError(req, res, next);
+    }
+    next();
+  };
+}
+function getCookieValue(req, name) {
+  if (req.cookies && typeof req.cookies === "object" && name in req.cookies) {
+    return req.cookies[name];
+  }
+  const cookieHeader = req.headers.cookie;
+  if (!cookieHeader) return void 0;
+  const match = cookieHeader.match(new RegExp(`(?:^|;\\s*)${escapeRegex(name)}=([^;]*)`));
+  return match ? decodeURIComponent(match[1]) : void 0;
+}
+function setCsrfCookie(res, name, token, opts) {
+  const parts = [`${name}=${token}`];
+  parts.push(`Path=${opts.path}`);
+  if (opts.httpOnly) parts.push("HttpOnly");
+  if (opts.secure) parts.push("Secure");
+  parts.push(`SameSite=${opts.sameSite}`);
+  if (opts.domain) parts.push(`Domain=${opts.domain}`);
+  res.setHeader("Set-Cookie", parts.join("; "));
+}
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var createCsrf = csrfProtection;
 
 // src/utils/ip.ts
 var PLATFORM_HEADERS = {
@@ -2585,6 +3205,7 @@ exports.arcis = arcis;
 exports.arcisFunction = arcisWithMethods;
 exports.botProtection = botProtection;
 exports.createCors = createCors;
+exports.createCsrf = createCsrf;
 exports.createErrorHandler = createErrorHandler;
 exports.createHeaders = createHeaders;
 exports.createRateLimiter = createRateLimiter;
@@ -2596,20 +3217,31 @@ exports.createSecureCookies = createSecureCookies;
 exports.createSlidingWindowLimiter = createSlidingWindowLimiter;
 exports.createTokenBucketLimiter = createTokenBucketLimiter;
 exports.createValidator = createValidator;
+exports.csrfProtection = csrfProtection;
 exports.default = main_default;
 exports.detectBot = detectBot;
 exports.detectClientIp = detectClientIp;
 exports.detectCommandInjection = detectCommandInjection;
 exports.detectHeaderInjection = detectHeaderInjection;
+exports.detectJsonpInjection = detectJsonpInjection;
 exports.detectNoSqlInjection = detectNoSqlInjection;
 exports.detectPathTraversal = detectPathTraversal;
+exports.detectPii = detectPii;
 exports.detectPrototypePollution = detectPrototypePollution;
 exports.detectSql = detectSql;
+exports.detectSsti = detectSsti;
 exports.detectXss = detectXss;
+exports.detectXxe = detectXxe;
+exports.encodeForAttribute = encodeForAttribute;
+exports.encodeForCss = encodeForCss;
+exports.encodeForHtml = encodeForHtml;
+exports.encodeForJs = encodeForJs;
+exports.encodeForUrl = encodeForUrl;
 exports.enforceSecureCookie = enforceSecureCookie;
 exports.errorHandler = errorHandler;
 exports.fingerprint = fingerprint;
 exports.formatDuration = formatDuration;
+exports.generateCsrfToken = generateCsrfToken;
 exports.isDangerousExtension = isDangerousExtension;
 exports.isDangerousNoSqlKey = isDangerousNoSqlKey;
 exports.isDangerousProtoKey = isDangerousProtoKey;
@@ -2619,20 +3251,28 @@ exports.isUrlSafe = isUrlSafe;
 exports.isValidEmailSyntax = isValidEmailSyntax;
 exports.parseDuration = parseDuration;
 exports.rateLimit = rateLimit;
+exports.redactObjectPii = redactObjectPii;
+exports.redactPii = redactPii;
 exports.safeCors = safeCors;
 exports.safeLog = safeLog;
 exports.sanitizeCommand = sanitizeCommand;
 exports.sanitizeFilename = sanitizeFilename;
 exports.sanitizeHeaderValue = sanitizeHeaderValue;
 exports.sanitizeHeaders = sanitizeHeaders;
+exports.sanitizeJsonpCallback = sanitizeJsonpCallback;
 exports.sanitizeObject = sanitizeObject;
 exports.sanitizePath = sanitizePath;
 exports.sanitizeSql = sanitizeSql;
+exports.sanitizeSsti = sanitizeSsti;
 exports.sanitizeString = sanitizeString;
 exports.sanitizeXss = sanitizeXss;
+exports.sanitizeXxe = sanitizeXxe;
+exports.scanObjectPii = scanObjectPii;
+exports.scanPii = scanPii;
 exports.secureCookieDefaults = secureCookieDefaults;
 exports.securityHeaders = securityHeaders;
 exports.validate = validate;
+exports.validateCsrfToken = validateCsrfToken;
 exports.validateEmail = validateEmail;
 exports.validateFile = validateFile;
 exports.validateRedirect = validateRedirect;