@arcis/node 1.4.0 → 1.4.2

package/dist/middleware/rate-limit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAkB,MAAM,eAAe,CAAC;AAO7F;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,GAAG,qBAAqB,CAiHvF;AAED;;;GAGG;AACH,eAAO,MAAM,SAAS,0BAAoB,CAAC"}
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAkB,MAAM,eAAe,CAAC;AAO7F;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,GAAG,qBAAqB,CAoIvF;AAED;;;GAGG;AACH,eAAO,MAAM,SAAS,0BAAoB,CAAC"}

package/dist/sanitizers/encode.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encode.d.ts","sourceRoot":"","sources":["../../src/sanitizers/encode.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAaH;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAiBxD;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAmBjD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOlD;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAkBlD"}
+{"version":3,"file":"encode.d.ts","sourceRoot":"","sources":["../../src/sanitizers/encode.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAaH;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAiBxD;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAwBjD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOlD;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAkBlD"}

package/dist/sanitizers/index.d.ts

@@ -15,5 +15,6 @@ export { sanitizeJsonpCallback, detectJsonpInjection } from './jsonp';
 export { sanitizeHeaderValue, sanitizeHeaders, detectHeaderInjection } from './headers';
 export { scanPii, detectPii, redactPii, scanObjectPii, redactObjectPii } from './pii';
 export { encodeForHtml, encodeForAttribute, encodeForJs, encodeForUrl, encodeForCss } from './encode';
+export { sanitizeLdapFilter, sanitizeLdapDn, detectLdapInjection } from './ldap';
 export { encodeHtmlEntities, isPlainObject } from './utils';
 //# sourceMappingURL=index.d.ts.map

package/dist/sanitizers/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitizers/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAG7E,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAGpE,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAG3F,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGnG,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGlD,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAG/C,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAGtE,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAGxF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AAGtF,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAGtG,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitizers/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAG7E,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAGpE,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAG3F,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGnG,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGlD,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAG/C,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAGtE,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAGxF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AAGtF,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAGtG,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAGjF,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC"}

package/dist/sanitizers/index.js

@@ -27,7 +27,15 @@ var XSS_PATTERNS = [
   /** URL-encoded script tags */
   /%3Cscript/gi,
   /** SVG with onload */
-  /<svg[^>]*onload/gi
+  /<svg[^>]*onload/gi,
+  /** form tags — phishing/credential harvesting via action= redirection */
+  /<form[\s>]/gi,
+  /** meta tags — http-equiv refresh redirects or CSP bypass */
+  /<meta[\s>]/gi,
+  /** base href hijacking — redirects all relative URLs to attacker domain */
+  /<base[\s>]/gi,
+  /** link tag injection — stylesheet or preload CSRF attacks */
+  /<link[\s>]/gi
 ];
 var XSS_REMOVE_PATTERNS = [
   /** Full script blocks (content + tags) */
@@ -54,7 +62,15 @@ var XSS_REMOVE_PATTERNS = [
   /javascript\s*:/gi,
   /vbscript\s*:/gi,
   /** data: URIs with HTML/script content */
-  /data\s*:\s*text\/html[^>\s]*/gi
+  /data\s*:\s*text\/html[^>\s]*/gi,
+  /** form tag injection — phishing via action= redirection */
+  /<form[\s>][^>]*/gi,
+  /** meta tag injection — http-equiv refresh or CSP bypass */
+  /<meta[\s>][^>]*/gi,
+  /** base href hijacking */
+  /<base[\s>][^>]*/gi,
+  /** link tag injection — stylesheet or preload attacks */
+  /<link[\s>][^>]*/gi
 ];
 var SQL_PATTERNS = [
   /** SQL keywords */
@@ -118,8 +134,8 @@ var COMMAND_PATTERNS = [
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
   /\$\(/g,
-  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
-  /%0[ad]/gi
+  /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
+  /%0[0-9a-f]/gi
 ];
 var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
   "__proto__",
@@ -323,26 +339,31 @@ function sanitizePath(input, collectThreats = false) {
   const threats = [];
   let value = input;
   let wasSanitized = false;
-  for (const pattern of PATH_PATTERNS) {
-    pattern.lastIndex = 0;
-    if (pattern.test(value)) {
+  value = value.normalize("NFKC");
+  let prev;
+  do {
+    prev = value;
+    for (const pattern of PATH_PATTERNS) {
       pattern.lastIndex = 0;
-      if (collectThreats) {
-        const matches = value.match(pattern);
-        if (matches) {
-          for (const match of matches) {
-            threats.push({
-              type: "path_traversal",
-              pattern: pattern.source,
-              original: match
-            });
+      if (pattern.test(value)) {
+        pattern.lastIndex = 0;
+        if (collectThreats) {
+          const matches = value.match(pattern);
+          if (matches) {
+            for (const match of matches) {
+              threats.push({
+                type: "path_traversal",
+                pattern: pattern.source,
+                original: match
+              });
+            }
           }
         }
+        value = value.replace(pattern, "");
+        wasSanitized = true;
       }
-      value = value.replace(pattern, "");
-      wasSanitized = true;
     }
-  }
+  } while (value !== prev);
   if (collectThreats) {
     return { value, wasSanitized, threats };
   }
@@ -350,9 +371,10 @@ function sanitizePath(input, collectThreats = false) {
 }
 function detectPathTraversal(input) {
   if (typeof input !== "string") return false;
+  const normalized = input.normalize("NFKC");
   for (const pattern of PATH_PATTERNS) {
     pattern.lastIndex = 0;
-    if (pattern.test(input)) {
+    if (pattern.test(normalized)) {
       return true;
     }
   }
@@ -410,7 +432,7 @@ function sanitizeString(value, options = {}) {
   if (value.length > maxSize) {
     throw new InputTooLargeError(maxSize, value.length);
   }
-  const reject = options.mode !== "sanitize";
+  const reject = options.mode === "reject";
   let result = value;
   if (options.sql !== false) {
     if (reject) {
@@ -565,10 +587,22 @@ var SSTI_DETECT_PATTERNS = [
   /\{\{\s*(?:self|request|lipsum|cycler|joiner|namespace|range)\b/gi
 ];
 var SSTI_REMOVE_PATTERNS = [
+  /** Jinja2 / Twig: {{ ... }} — always strip (not valid in any JS context) */
   /\{\{.*?\}\}/g,
-  /\$\{.*?\}/g,
+  /**
+   * Freemarker / Spring EL: ${...} — only strip when the expression contains
+   * operators (?!*+-/), method calls (), or known-dangerous prefixes.
+   * Bare ${name} and ${user.name} are left intact (JS template literal syntax).
+   */
+  /\$\{[^}]*[?!()*+\-/][^}]*\}/g,
+  /** ERB / EJS: <%= ... %> */
   /<%[=\-]?.*?%>/gs,
-  /#\{.*?\}/g,
+  /**
+   * Pug / Jade: #{...} — same narrowing as ${ above.
+   * #{name} output expressions are left intact.
+   */
+  /#\{[^}]*[?!()*+\-/][^}]*\}/g,
+  /** Python dunder sandbox escape — always strip */
   /__(?:class|mro|subclasses|globals|builtins|import)__/gi
 ];
 function sanitizeSsti(input, collectThreats = false) {
@@ -932,16 +966,18 @@ function encodeForAttribute(value) {
 function encodeForJs(value) {
   if (!value) return "";
   let result = "";
-  for (let i = 0; i < value.length; i++) {
-    const ch = value.charCodeAt(i);
-    if (ch >= 48 && ch <= 57 || // 0-9
-    ch >= 65 && ch <= 90 || // A-Z
-    ch >= 97 && ch <= 122) {
-      result += value[i];
-    } else if (ch < 256) {
-      result += `\\x${ch.toString(16).toUpperCase().padStart(2, "0")}`;
+  for (const char of value) {
+    const cp = char.codePointAt(0);
+    if (cp >= 48 && cp <= 57 || // 0-9
+    cp >= 65 && cp <= 90 || // A-Z
+    cp >= 97 && cp <= 122) {
+      result += char;
+    } else if (cp < 256) {
+      result += `\\x${cp.toString(16).toUpperCase().padStart(2, "0")}`;
+    } else if (cp <= 65535) {
+      result += `\\u${cp.toString(16).toUpperCase().padStart(4, "0")}`;
     } else {
-      result += `\\u${ch.toString(16).toUpperCase().padStart(4, "0")}`;
+      result += `\\u{${cp.toString(16).toUpperCase()}}`;
     }
   }
   return result;
@@ -968,10 +1004,30 @@ function encodeForCss(value) {
   return result;
 }
 
+// src/sanitizers/ldap.ts
+var LDAP_FILTER_CHARS = /[*()\\\x00]/g;
+var LDAP_DN_CHARS = /[,+<>;"=\/\\\x00*()\x00]/g;
+var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
+var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
+var escapeChar = (char) => "\\" + char.charCodeAt(0).toString(16).padStart(2, "0");
+function sanitizeLdapFilter(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(LDAP_FILTER_CHARS, escapeChar);
+}
+function sanitizeLdapDn(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(LDAP_DN_CHARS, escapeChar);
+}
+function detectLdapInjection(input) {
+  if (typeof input !== "string") return false;
+  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+}
+
 exports.createSanitizer = createSanitizer;
 exports.detectCommandInjection = detectCommandInjection;
 exports.detectHeaderInjection = detectHeaderInjection;
 exports.detectJsonpInjection = detectJsonpInjection;
+exports.detectLdapInjection = detectLdapInjection;
 exports.detectNoSqlInjection = detectNoSqlInjection;
 exports.detectPathTraversal = detectPathTraversal;
 exports.detectPii = detectPii;
@@ -997,6 +1053,8 @@ exports.sanitizeCommand = sanitizeCommand;
 exports.sanitizeHeaderValue = sanitizeHeaderValue;
 exports.sanitizeHeaders = sanitizeHeaders;
 exports.sanitizeJsonpCallback = sanitizeJsonpCallback;
+exports.sanitizeLdapDn = sanitizeLdapDn;
+exports.sanitizeLdapFilter = sanitizeLdapFilter;
 exports.sanitizeObject = sanitizeObject;
 exports.sanitizePath = sanitizePath;
 exports.sanitizeSql = sanitizeSql;