npm - @arcis/node - Versions diffs - 1.3.0 → 1.4.2 - Mend

@arcis/node 1.3.0 → 1.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (139) hide show

package/README.md +1 -1
package/dist/core/{index.d.mts → constants.d.ts} +21 -70
package/dist/core/constants.d.ts.map +1 -0
package/dist/core/errors.d.ts +53 -0
package/dist/core/errors.d.ts.map +1 -0
package/dist/core/index.d.ts +6 -168
package/dist/core/index.d.ts.map +1 -0
package/dist/core/index.js +11 -3
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +11 -3
package/dist/core/index.mjs.map +1 -1
package/dist/{types-BOkx5YJc.d.mts → core/types.d.ts} +27 -30
package/dist/core/types.d.ts.map +1 -0
package/dist/index.d.ts +71 -166
package/dist/index.d.ts.map +1 -0
package/dist/index.js +182 -48
package/dist/index.js.map +1 -1
package/dist/index.mjs +182 -50
package/dist/index.mjs.map +1 -1
package/dist/logging/index.d.ts +4 -36
package/dist/logging/index.d.ts.map +1 -0
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/logging/{index.d.mts → redactor.d.ts} +5 -9
package/dist/logging/redactor.d.ts.map +1 -0
package/dist/middleware/bot-detection.d.ts +86 -0
package/dist/middleware/bot-detection.d.ts.map +1 -0
package/dist/middleware/cookies.d.ts +48 -0
package/dist/middleware/cookies.d.ts.map +1 -0
package/dist/middleware/cors.d.ts +65 -0
package/dist/middleware/cors.d.ts.map +1 -0
package/dist/middleware/csrf.d.ts +109 -0
package/dist/middleware/csrf.d.ts.map +1 -0
package/dist/middleware/error-handler.d.ts +43 -0
package/dist/middleware/error-handler.d.ts.map +1 -0
package/dist/middleware/headers.d.ts +29 -0
package/dist/middleware/headers.d.ts.map +1 -0
package/dist/middleware/hpp.d.ts +56 -0
package/dist/middleware/hpp.d.ts.map +1 -0
package/dist/middleware/index.d.ts +16 -3
package/dist/middleware/index.d.ts.map +1 -0
package/dist/middleware/index.js +68 -31
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +69 -32
package/dist/middleware/index.mjs.map +1 -1
package/dist/middleware/main.d.ts +40 -0
package/dist/middleware/main.d.ts.map +1 -0
package/dist/middleware/rate-limit-sliding.d.ts +46 -0
package/dist/middleware/rate-limit-sliding.d.ts.map +1 -0
package/dist/middleware/rate-limit-token.d.ts +51 -0
package/dist/middleware/rate-limit-token.d.ts.map +1 -0
package/dist/middleware/rate-limit.d.ts +34 -0
package/dist/middleware/rate-limit.d.ts.map +1 -0
package/dist/sanitizers/command.d.ts +28 -0
package/dist/sanitizers/command.d.ts.map +1 -0
package/dist/sanitizers/encode.d.ts +46 -0
package/dist/sanitizers/encode.d.ts.map +1 -0
package/dist/sanitizers/headers.d.ts +46 -0
package/dist/sanitizers/headers.d.ts.map +1 -0
package/dist/sanitizers/index.d.ts +18 -22
package/dist/sanitizers/index.d.ts.map +1 -0
package/dist/sanitizers/index.js +90 -32
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +88 -33
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/sanitizers/jsonp.d.ts +34 -0
package/dist/sanitizers/jsonp.d.ts.map +1 -0
package/dist/sanitizers/ldap.d.ts +42 -0
package/dist/sanitizers/ldap.d.ts.map +1 -0
package/dist/sanitizers/nosql.d.ts +31 -0
package/dist/sanitizers/nosql.d.ts.map +1 -0
package/dist/sanitizers/path.d.ts +28 -0
package/dist/sanitizers/path.d.ts.map +1 -0
package/dist/sanitizers/pii.d.ts +80 -0
package/dist/sanitizers/pii.d.ts.map +1 -0
package/dist/sanitizers/prototype.d.ts +34 -0
package/dist/sanitizers/prototype.d.ts.map +1 -0
package/dist/sanitizers/sanitize.d.ts +51 -0
package/dist/sanitizers/sanitize.d.ts.map +1 -0
package/dist/sanitizers/sql.d.ts +28 -0
package/dist/sanitizers/sql.d.ts.map +1 -0
package/dist/sanitizers/ssti.d.ts +20 -0
package/dist/sanitizers/ssti.d.ts.map +1 -0
package/dist/sanitizers/utils.d.ts +19 -0
package/dist/sanitizers/utils.d.ts.map +1 -0
package/dist/sanitizers/xss.d.ts +35 -0
package/dist/sanitizers/xss.d.ts.map +1 -0
package/dist/sanitizers/xxe.d.ts +20 -0
package/dist/sanitizers/xxe.d.ts.map +1 -0
package/dist/stores/index.d.ts +6 -104
package/dist/stores/index.d.ts.map +1 -0
package/dist/stores/index.js +21 -1
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs +21 -1
package/dist/stores/index.mjs.map +1 -1
package/dist/stores/memory.d.ts +29 -0
package/dist/stores/memory.d.ts.map +1 -0
package/dist/stores/{index.d.mts → redis.d.ts} +6 -45
package/dist/stores/redis.d.ts.map +1 -0
package/dist/utils/duration.d.ts +34 -0
package/dist/utils/duration.d.ts.map +1 -0
package/dist/utils/fingerprint.d.ts +64 -0
package/dist/utils/fingerprint.d.ts.map +1 -0
package/dist/utils/index.d.ts +10 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +188 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/index.mjs +182 -0
package/dist/utils/index.mjs.map +1 -0
package/dist/utils/ip.d.ts +70 -0
package/dist/utils/ip.d.ts.map +1 -0
package/dist/validation/email.d.ts +82 -0
package/dist/validation/email.d.ts.map +1 -0
package/dist/validation/file.d.ts +90 -0
package/dist/validation/file.d.ts.map +1 -0
package/dist/validation/index.d.ts +10 -3
package/dist/validation/index.d.ts.map +1 -0
package/dist/validation/index.js +38 -21
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs +38 -21
package/dist/validation/index.mjs.map +1 -1
package/dist/validation/redirect.d.ts +64 -0
package/dist/validation/redirect.d.ts.map +1 -0
package/dist/validation/schema.d.ts +36 -0
package/dist/validation/schema.d.ts.map +1 -0
package/dist/validation/url.d.ts +65 -0
package/dist/validation/url.d.ts.map +1 -0
package/package.json +8 -6
package/dist/encode-CrQCGlBq.d.mts +0 -484
package/dist/encode-jl9sOwmA.d.ts +0 -484
package/dist/index-BAhgn9V2.d.ts +0 -532
package/dist/index-BGNKspqH.d.ts +0 -340
package/dist/index-Cd02z-0j.d.mts +0 -340
package/dist/index-DgJtWMSj.d.mts +0 -532
package/dist/index.d.mts +0 -175
package/dist/middleware/index.d.mts +0 -3
package/dist/sanitizers/index.d.mts +0 -24
package/dist/types-BOkx5YJc.d.ts +0 -279
package/dist/validation/index.d.mts +0 -3

package/dist/middleware/main.d.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * @module @arcis/node/middleware/main
+ * Main arcis() middleware factory
+ */
+import type { ArcisOptions, ArcisFunction, ArcisMiddlewareStack } from '../core/types';
+/**
+ * Create Arcis middleware with all protections enabled.
+ *
+ * @param options - Configuration options
+ * @returns Array of Express middleware
+ *
+ * @example
+ * // Full protection (recommended)
+ * app.use(arcis());
+ *
+ * @example
+ * // Custom configuration
+ * app.use(arcis({
+ *   rateLimit: { max: 50 },
+ *   headers: { frameOptions: 'SAMEORIGIN' }
+ * }));
+ *
+ * @example
+ * // Disable specific features
+ * app.use(arcis({
+ *   rateLimit: false,
+ *   sanitize: { sql: false }
+ * }));
+ *
+ * @example
+ * // Cleanup on shutdown
+ * const middleware = arcis();
+ * app.use(middleware);
+ * process.on('SIGTERM', () => middleware.close());
+ */
+export declare function arcis(options?: ArcisOptions): ArcisMiddlewareStack;
+declare const arcisWithMethods: ArcisFunction;
+export { arcisWithMethods as arcisFunction };
+export default arcisWithMethods;
+//# sourceMappingURL=main.d.ts.map

package/dist/middleware/main.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../src/middleware/main.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EACV,YAAY,EACZ,aAAa,EACb,oBAAoB,EAIrB,MAAM,eAAe,CAAC;AAQvB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,KAAK,CAAC,OAAO,GAAE,YAAiB,GAAG,oBAAoB,CAuCtE;AAGD,QAAA,MAAM,gBAAgB,EAAY,aAAa,CAAC;AAQhD,OAAO,EAAE,gBAAgB,IAAI,aAAa,EAAE,CAAC;AAC7C,eAAe,gBAAgB,CAAC"}

package/dist/middleware/rate-limit-sliding.d.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * @module @arcis/node/middleware/rate-limit-sliding
+ * Sliding window rate limiting middleware.
+ *
+ * More accurate than fixed window — uses a weighted sum of the previous
+ * and current window to approximate a true sliding window.
+ *
+ * Algorithm:
+ *   weight = (windowMs - elapsed) / windowMs
+ *   count = (prevWindow * weight) + currentWindow
+ *   allow = count < limit
+ *
+ * @example
+ * app.use(createSlidingWindowLimiter({ max: 100, window: '15m' }));
+ */
+import type { Request, RequestHandler } from 'express';
+export interface SlidingWindowOptions {
+    /** Maximum requests per window. Default: 100 */
+    max?: number;
+    /** Window size in ms or duration string. Default: '1m' */
+    window?: string | number;
+    /** Error message when limit exceeded */
+    message?: string;
+    /** HTTP status code for rate limited responses. Default: 429 */
+    statusCode?: number;
+    /** Function to generate rate limit key from request */
+    keyGenerator?: (req: Request) => string;
+    /** Function to skip rate limiting for certain requests */
+    skip?: (req: Request) => boolean;
+}
+export interface SlidingWindowMiddleware extends RequestHandler {
+    close: () => void;
+}
+/**
+ * Create sliding window rate limiter middleware.
+ *
+ * @example
+ * // 100 requests per 15 minutes
+ * app.use(createSlidingWindowLimiter({ max: 100, window: '15m' }));
+ *
+ * @example
+ * // Strict API limit
+ * app.use('/api', createSlidingWindowLimiter({ max: 30, window: '1m' }));
+ */
+export declare function createSlidingWindowLimiter(options?: SlidingWindowOptions): SlidingWindowMiddleware;
+//# sourceMappingURL=rate-limit-sliding.d.ts.map

package/dist/middleware/rate-limit-sliding.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rate-limit-sliding.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limit-sliding.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,OAAO,EAA0B,cAAc,EAAE,MAAM,SAAS,CAAC;AAI/E,MAAM,WAAW,oBAAoB;IACnC,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,wCAAwC;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uDAAuD;IACvD,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,MAAM,CAAC;IACxC,0DAA0D;IAC1D,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;CAClC;AAOD,MAAM,WAAW,uBAAwB,SAAQ,cAAc;IAC7D,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,GAAE,oBAAyB,GAAG,uBAAuB,CAiGtG"}

package/dist/middleware/rate-limit-token.d.ts ADDED Viewed

@@ -0,0 +1,51 @@
+/**
+ * @module @arcis/node/middleware/rate-limit-token
+ * Token bucket rate limiting middleware.
+ *
+ * Allows burst traffic while enforcing an average rate.
+ * Tokens refill at a steady rate. Each request costs 1 token.
+ *
+ * Algorithm:
+ *   tokens = min(capacity, tokens + elapsed * refillRate)
+ *   if tokens >= cost: allow, subtract cost
+ *   else: deny
+ *
+ * @example
+ * app.use(createTokenBucketLimiter({ capacity: 50, refillRate: 10 }));
+ */
+import type { Request, RequestHandler } from 'express';
+export interface TokenBucketOptions {
+    /** Maximum tokens (burst size). Default: 100 */
+    capacity?: number;
+    /** Tokens added per second. Default: 10 */
+    refillRate?: number;
+    /** Tokens consumed per request. Default: 1 */
+    cost?: number;
+    /** Error message when limit exceeded */
+    message?: string;
+    /** HTTP status code for rate limited responses. Default: 429 */
+    statusCode?: number;
+    /** Function to generate rate limit key from request */
+    keyGenerator?: (req: Request) => string;
+    /** Function to skip rate limiting for certain requests */
+    skip?: (req: Request) => boolean;
+}
+export interface TokenBucketMiddleware extends RequestHandler {
+    close: () => void;
+}
+/**
+ * Create token bucket rate limiter middleware.
+ *
+ * @example
+ * // Allow bursts of 50, sustained rate of 10/sec
+ * app.use(createTokenBucketLimiter({ capacity: 50, refillRate: 10 }));
+ *
+ * @example
+ * // Strict API: 5 requests burst, 1/sec sustained
+ * app.use('/api/expensive', createTokenBucketLimiter({
+ *   capacity: 5,
+ *   refillRate: 1,
+ * }));
+ */
+export declare function createTokenBucketLimiter(options?: TokenBucketOptions): TokenBucketMiddleware;
+//# sourceMappingURL=rate-limit-token.d.ts.map

package/dist/middleware/rate-limit-token.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rate-limit-token.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limit-token.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,OAAO,EAA0B,cAAc,EAAE,MAAM,SAAS,CAAC;AAG/E,MAAM,WAAW,kBAAkB;IACjC,gDAAgD;IAChD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wCAAwC;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uDAAuD;IACvD,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,MAAM,CAAC;IACxC,0DAA0D;IAC1D,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;CAClC;AAOD,MAAM,WAAW,qBAAsB,SAAQ,cAAc;IAC3D,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,GAAE,kBAAuB,GAAG,qBAAqB,CA2FhG"}

package/dist/middleware/rate-limit.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * @module @arcis/node/middleware/rate-limit
+ * Rate limiting middleware
+ */
+import type { RateLimitOptions, RateLimiterMiddleware } from '../core/types';
+/**
+ * Create Express middleware for rate limiting.
+ *
+ * @param options - Rate limit configuration
+ * @returns Express middleware with cleanup method
+ *
+ * @example
+ * app.use(createRateLimiter({ max: 100, windowMs: 60000 }));
+ *
+ * @example
+ * // Skip rate limiting for certain routes
+ * app.use(createRateLimiter({
+ *   max: 50,
+ *   skip: (req) => req.path === '/health'
+ * }));
+ *
+ * @example
+ * // Cleanup on shutdown
+ * const limiter = createRateLimiter();
+ * app.use(limiter);
+ * process.on('SIGTERM', () => limiter.close());
+ */
+export declare function createRateLimiter(options?: RateLimitOptions): RateLimiterMiddleware;
+/**
+ * Alias for createRateLimiter
+ * @see createRateLimiter
+ */
+export declare const rateLimit: typeof createRateLimiter;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/middleware/rate-limit.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAkB,MAAM,eAAe,CAAC;AAO7F;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,GAAG,qBAAqB,CAoIvF;AAED;;;GAGG;AACH,eAAO,MAAM,SAAS,0BAAoB,CAAC"}

package/dist/sanitizers/command.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * @module @arcis/node/sanitizers/command
+ * Command injection prevention
+ */
+import type { SanitizeResult } from '../core/types';
+/**
+ * Sanitizes a string to prevent command injection attacks.
+ * Replaces shell metacharacters and dangerous commands with [BLOCKED].
+ *
+ * @param input - The string to sanitize
+ * @param collectThreats - Whether to collect threat information (default: false for performance)
+ * @returns Sanitized string or SanitizeResult if collectThreats is true
+ *
+ * @example
+ * sanitizeCommand("file.txt; rm -rf /")
+ * // Returns: "file.txt  rm -rf /"
+ */
+export declare function sanitizeCommand(input: string, collectThreats?: false): string;
+export declare function sanitizeCommand(input: string, collectThreats: true): SanitizeResult;
+/**
+ * Checks if a string contains command injection patterns.
+ * Does not sanitize — use sanitizeCommand() for that.
+ *
+ * @param input - The string to check
+ * @returns True if command injection patterns detected
+ */
+export declare function detectCommandInjection(input: string): boolean;
+//# sourceMappingURL=command.d.ts.map

package/dist/sanitizers/command.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"command.d.ts","sourceRoot":"","sources":["../../src/sanitizers/command.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAc,MAAM,eAAe,CAAC;AAEhE;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;AAC/E,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,GAAG,cAAc,CAAC;AA4CrF;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAW7D"}

package/dist/sanitizers/encode.d.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * @module @arcis/node/sanitizers/encode
+ * Context-aware output encoding for XSS prevention.
+ *
+ * Wrong-context encoding is the #1 cause of XSS bypasses in "protected" apps.
+ * A single sanitize() is not enough when output goes to JS, CSS, or attribute contexts.
+ */
+/**
+ * Encodes for HTML body context. Entity-encodes & < > " '
+ *
+ * Use when outputting to HTML element content:
+ *   `<p>${encodeForHtml(userInput)}</p>`
+ */
+export declare function encodeForHtml(value: string): string;
+/**
+ * Encodes for HTML attribute context.
+ * All non-alphanumeric characters are encoded as `&#xHH;` hex entities.
+ *
+ * Use when outputting to HTML attributes:
+ *   `<div title="${encodeForAttribute(userInput)}">`
+ */
+export declare function encodeForAttribute(value: string): string;
+/**
+ * Encodes for JavaScript string context.
+ * Non-alphanumeric characters are escaped as `\xHH` (ASCII) or `\uHHHH` (Unicode).
+ *
+ * Use when embedding in JS string literals:
+ *   `var x = '${encodeForJs(userInput)}';`
+ */
+export declare function encodeForJs(value: string): string;
+/**
+ * Encodes for URL parameter context. Percent-encodes all non-unreserved chars.
+ *
+ * Use when building query strings:
+ *   `?q=${encodeForUrl(userInput)}`
+ */
+export declare function encodeForUrl(value: string): string;
+/**
+ * Encodes for CSS value context.
+ * Non-alphanumeric characters are hex-escaped as `\HH ` (trailing space per CSS spec).
+ *
+ * Use when embedding in CSS values:
+ *   `content: '${encodeForCss(userInput)}';`
+ */
+export declare function encodeForCss(value: string): string;
+//# sourceMappingURL=encode.d.ts.map

package/dist/sanitizers/encode.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"encode.d.ts","sourceRoot":"","sources":["../../src/sanitizers/encode.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAaH;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAiBxD;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAwBjD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOlD;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAkBlD"}

package/dist/sanitizers/headers.d.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * @module @arcis/node/sanitizers/headers
+ * HTTP Header Injection & CRLF Injection prevention
+ *
+ * Prevents attackers from injecting newline characters (\r\n) into HTTP header
+ * values, which can lead to response splitting, session fixation, XSS via
+ * injected headers, and cache poisoning.
+ */
+import type { SanitizeResult } from '../core/types';
+/**
+ * Sanitizes a header value by stripping CRLF sequences, bare CR/LF, and null bytes.
+ *
+ * @param input - The header value to sanitize
+ * @param collectThreats - Whether to collect threat information (default: false)
+ * @returns Sanitized string or SanitizeResult if collectThreats is true
+ *
+ * @example
+ * sanitizeHeaderValue("safe-value")
+ * // Returns: "safe-value"
+ *
+ * sanitizeHeaderValue("value\r\nX-Injected: evil")
+ * // Returns: "valueX-Injected: evil"
+ */
+export declare function sanitizeHeaderValue(input: string, collectThreats?: false): string;
+export declare function sanitizeHeaderValue(input: string, collectThreats: true): SanitizeResult;
+/**
+ * Sanitizes an object of header key-value pairs.
+ * Strips CRLF/null bytes from both keys and values.
+ *
+ * @param headers - Object with header names as keys and header values as values
+ * @returns New object with sanitized header names and values
+ *
+ * @example
+ * sanitizeHeaders({ "X-Custom": "safe", "X-Bad\r\n": "value\r\ninjected" })
+ * // Returns: { "X-Custom": "safe", "X-Bad": "valueinjected" }
+ */
+export declare function sanitizeHeaders(headers: Record<string, string>): Record<string, string>;
+/**
+ * Checks if a string contains HTTP header injection patterns (CRLF, null bytes).
+ * Does not sanitize — use sanitizeHeaderValue() for that.
+ *
+ * @param input - The string to check
+ * @returns True if header injection patterns detected
+ */
+export declare function detectHeaderInjection(input: string): boolean;
+//# sourceMappingURL=headers.d.ts.map

package/dist/sanitizers/headers.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/sanitizers/headers.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAc,MAAM,eAAe,CAAC;AAUhE;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;AACnF,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,GAAG,cAAc,CAAC;AAuCzF;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAcvF;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAK5D"}

package/dist/sanitizers/index.d.ts CHANGED Viewed

@@ -1,24 +1,20 @@
-export { c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectJsonpInjection, e as detectNoSqlInjection, f as detectPathTraversal, g as detectPii, h as detectPrototypePollution, i as detectSql, j as detectSsti, k as detectXss, l as detectXxe, m as encodeForAttribute, n as encodeForCss, o as encodeForHtml, p as encodeForJs, q as encodeForUrl, r as getDangerousOperators, s as getDangerousProtoKeys, t as isDangerousNoSqlKey, u as isDangerousProtoKey, v as redactObjectPii, w as redactPii, x as sanitizeCommand, y as sanitizeHeaderValue, z as sanitizeHeaders, A as sanitizeJsonpCallback, B as sanitizeObject, C as sanitizePath, D as sanitizeSql, E as sanitizeSsti, F as sanitizeString, G as sanitizeXss, H as sanitizeXxe, I as scanObjectPii, J as scanPii } from '../encode-jl9sOwmA.js';
-import 'express';
-import '../types-BOkx5YJc.js';
 /**
- * @module @arcis/node/sanitizers/utils
- * Shared utilities for sanitizers
+ * @module @arcis/node/sanitizers
+ * All sanitization functions for Arcis
  */
-/**
- * Encodes HTML entities to prevent interpretation as markup.
- *
- * @param str - The string to encode
- * @returns The encoded string
- */
-declare function encodeHtmlEntities(str: string): string;
-/**
- * Checks if a value is a plain object (not null, array, Date, etc.)
- *
- * @param value - Value to check
- * @returns True if plain object
- */
-declare function isPlainObject(value: unknown): value is Record<string, unknown>;
-export { encodeHtmlEntities, isPlainObject };
+export { sanitizeString, sanitizeObject, createSanitizer } from './sanitize';
+export { sanitizeXss, detectXss } from './xss';
+export { sanitizeSql, detectSql } from './sql';
+export { sanitizePath, detectPathTraversal } from './path';
+export { sanitizeCommand, detectCommandInjection } from './command';
+export { isDangerousNoSqlKey, detectNoSqlInjection, getDangerousOperators } from './nosql';
+export { isDangerousProtoKey, detectPrototypePollution, getDangerousProtoKeys } from './prototype';
+export { sanitizeSsti, detectSsti } from './ssti';
+export { sanitizeXxe, detectXxe } from './xxe';
+export { sanitizeJsonpCallback, detectJsonpInjection } from './jsonp';
+export { sanitizeHeaderValue, sanitizeHeaders, detectHeaderInjection } from './headers';
+export { scanPii, detectPii, redactPii, scanObjectPii, redactObjectPii } from './pii';
+export { encodeForHtml, encodeForAttribute, encodeForJs, encodeForUrl, encodeForCss } from './encode';
+export { sanitizeLdapFilter, sanitizeLdapDn, detectLdapInjection } from './ldap';
+export { encodeHtmlEntities, isPlainObject } from './utils';
+//# sourceMappingURL=index.d.ts.map

package/dist/sanitizers/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitizers/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAG7E,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAGpE,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAG3F,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGnG,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGlD,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAG/C,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAGtE,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAGxF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AAGtF,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAGtG,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAGjF,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC"}

package/dist/sanitizers/index.js CHANGED Viewed

@@ -27,7 +27,15 @@ var XSS_PATTERNS = [
   /** URL-encoded script tags */
   /%3Cscript/gi,
   /** SVG with onload */
-  /<svg[^>]*onload/gi
+  /<svg[^>]*onload/gi,
+  /** form tags — phishing/credential harvesting via action= redirection */
+  /<form[\s>]/gi,
+  /** meta tags — http-equiv refresh redirects or CSP bypass */
+  /<meta[\s>]/gi,
+  /** base href hijacking — redirects all relative URLs to attacker domain */
+  /<base[\s>]/gi,
+  /** link tag injection — stylesheet or preload CSRF attacks */
+  /<link[\s>]/gi
 ];
 var XSS_REMOVE_PATTERNS = [
   /** Full script blocks (content + tags) */
@@ -54,7 +62,15 @@ var XSS_REMOVE_PATTERNS = [
   /javascript\s*:/gi,
   /vbscript\s*:/gi,
   /** data: URIs with HTML/script content */
-  /data\s*:\s*text\/html[^>\s]*/gi
+  /data\s*:\s*text\/html[^>\s]*/gi,
+  /** form tag injection — phishing via action= redirection */
+  /<form[\s>][^>]*/gi,
+  /** meta tag injection — http-equiv refresh or CSP bypass */
+  /<meta[\s>][^>]*/gi,
+  /** base href hijacking */
+  /<base[\s>][^>]*/gi,
+  /** link tag injection — stylesheet or preload attacks */
+  /<link[\s>][^>]*/gi
 ];
 var SQL_PATTERNS = [
   /** SQL keywords */
@@ -118,8 +134,8 @@ var COMMAND_PATTERNS = [
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
   /\$\(/g,
-  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
-  /%0[ad]/gi
+  /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
+  /%0[0-9a-f]/gi
 ];
 var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
   "__proto__",
@@ -323,26 +339,31 @@ function sanitizePath(input, collectThreats = false) {
   const threats = [];
   let value = input;
   let wasSanitized = false;
-  for (const pattern of PATH_PATTERNS) {
-    pattern.lastIndex = 0;
-    if (pattern.test(value)) {
+  value = value.normalize("NFKC");
+  let prev;
+  do {
+    prev = value;
+    for (const pattern of PATH_PATTERNS) {
       pattern.lastIndex = 0;
-      if (collectThreats) {
-        const matches = value.match(pattern);
-        if (matches) {
-          for (const match of matches) {
-            threats.push({
-              type: "path_traversal",
-              pattern: pattern.source,
-              original: match
-            });
+      if (pattern.test(value)) {
+        pattern.lastIndex = 0;
+        if (collectThreats) {
+          const matches = value.match(pattern);
+          if (matches) {
+            for (const match of matches) {
+              threats.push({
+                type: "path_traversal",
+                pattern: pattern.source,
+                original: match
+              });
+            }
           }
         }
+        value = value.replace(pattern, "");
+        wasSanitized = true;
       }
-      value = value.replace(pattern, "");
-      wasSanitized = true;
     }
-  }
+  } while (value !== prev);
   if (collectThreats) {
     return { value, wasSanitized, threats };
   }
@@ -350,9 +371,10 @@ function sanitizePath(input, collectThreats = false) {
 }
 function detectPathTraversal(input) {
   if (typeof input !== "string") return false;
+  const normalized = input.normalize("NFKC");
   for (const pattern of PATH_PATTERNS) {
     pattern.lastIndex = 0;
-    if (pattern.test(input)) {
+    if (pattern.test(normalized)) {
       return true;
     }
   }
@@ -410,7 +432,7 @@ function sanitizeString(value, options = {}) {
   if (value.length > maxSize) {
     throw new InputTooLargeError(maxSize, value.length);
   }
-  const reject = options.mode !== "sanitize";
+  const reject = options.mode === "reject";
   let result = value;
   if (options.sql !== false) {
     if (reject) {
@@ -565,10 +587,22 @@ var SSTI_DETECT_PATTERNS = [
   /\{\{\s*(?:self|request|lipsum|cycler|joiner|namespace|range)\b/gi
 ];
 var SSTI_REMOVE_PATTERNS = [
+  /** Jinja2 / Twig: {{ ... }} — always strip (not valid in any JS context) */
   /\{\{.*?\}\}/g,
-  /\$\{.*?\}/g,
+  /**
+   * Freemarker / Spring EL: ${...} — only strip when the expression contains
+   * operators (?!*+-/), method calls (), or known-dangerous prefixes.
+   * Bare ${name} and ${user.name} are left intact (JS template literal syntax).
+   */
+  /\$\{[^}]*[?!()*+\-/][^}]*\}/g,
+  /** ERB / EJS: <%= ... %> */
   /<%[=\-]?.*?%>/gs,
-  /#\{.*?\}/g,
+  /**
+   * Pug / Jade: #{...} — same narrowing as ${ above.
+   * #{name} output expressions are left intact.
+   */
+  /#\{[^}]*[?!()*+\-/][^}]*\}/g,
+  /** Python dunder sandbox escape — always strip */
   /__(?:class|mro|subclasses|globals|builtins|import)__/gi
 ];
 function sanitizeSsti(input, collectThreats = false) {
@@ -932,16 +966,18 @@ function encodeForAttribute(value) {
 function encodeForJs(value) {
   if (!value) return "";
   let result = "";
-  for (let i = 0; i < value.length; i++) {
-    const ch = value.charCodeAt(i);
-    if (ch >= 48 && ch <= 57 || // 0-9
-    ch >= 65 && ch <= 90 || // A-Z
-    ch >= 97 && ch <= 122) {
-      result += value[i];
-    } else if (ch < 256) {
-      result += `\\x${ch.toString(16).toUpperCase().padStart(2, "0")}`;
+  for (const char of value) {
+    const cp = char.codePointAt(0);
+    if (cp >= 48 && cp <= 57 || // 0-9
+    cp >= 65 && cp <= 90 || // A-Z
+    cp >= 97 && cp <= 122) {
+      result += char;
+    } else if (cp < 256) {
+      result += `\\x${cp.toString(16).toUpperCase().padStart(2, "0")}`;
+    } else if (cp <= 65535) {
+      result += `\\u${cp.toString(16).toUpperCase().padStart(4, "0")}`;
     } else {
-      result += `\\u${ch.toString(16).toUpperCase().padStart(4, "0")}`;
+      result += `\\u{${cp.toString(16).toUpperCase()}}`;
     }
   }
   return result;
@@ -968,10 +1004,30 @@ function encodeForCss(value) {
   return result;
 }
+// src/sanitizers/ldap.ts
+var LDAP_FILTER_CHARS = /[*()\\\x00]/g;
+var LDAP_DN_CHARS = /[,+<>;"=\/\\\x00*()\x00]/g;
+var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
+var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
+var escapeChar = (char) => "\\" + char.charCodeAt(0).toString(16).padStart(2, "0");
+function sanitizeLdapFilter(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(LDAP_FILTER_CHARS, escapeChar);
+}
+function sanitizeLdapDn(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(LDAP_DN_CHARS, escapeChar);
+}
+function detectLdapInjection(input) {
+  if (typeof input !== "string") return false;
+  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+}
 exports.createSanitizer = createSanitizer;
 exports.detectCommandInjection = detectCommandInjection;
 exports.detectHeaderInjection = detectHeaderInjection;
 exports.detectJsonpInjection = detectJsonpInjection;
+exports.detectLdapInjection = detectLdapInjection;
 exports.detectNoSqlInjection = detectNoSqlInjection;
 exports.detectPathTraversal = detectPathTraversal;
 exports.detectPii = detectPii;
@@ -997,6 +1053,8 @@ exports.sanitizeCommand = sanitizeCommand;
 exports.sanitizeHeaderValue = sanitizeHeaderValue;
 exports.sanitizeHeaders = sanitizeHeaders;
 exports.sanitizeJsonpCallback = sanitizeJsonpCallback;
+exports.sanitizeLdapDn = sanitizeLdapDn;
+exports.sanitizeLdapFilter = sanitizeLdapFilter;
 exports.sanitizeObject = sanitizeObject;
 exports.sanitizePath = sanitizePath;
 exports.sanitizeSql = sanitizeSql;