@arcis/node 1.4.0 → 1.4.2

package/dist/index.mjs

@@ -1,5 +1,5 @@
 import { promises } from 'dns';
-import { randomBytes, createHash } from 'crypto';
+import { randomBytes, timingSafeEqual, createHash } from 'crypto';
 
 // src/core/constants.ts
 var INPUT = {
@@ -66,7 +66,15 @@ var XSS_PATTERNS = [
   /** URL-encoded script tags */
   /%3Cscript/gi,
   /** SVG with onload */
-  /<svg[^>]*onload/gi
+  /<svg[^>]*onload/gi,
+  /** form tags — phishing/credential harvesting via action= redirection */
+  /<form[\s>]/gi,
+  /** meta tags — http-equiv refresh redirects or CSP bypass */
+  /<meta[\s>]/gi,
+  /** base href hijacking — redirects all relative URLs to attacker domain */
+  /<base[\s>]/gi,
+  /** link tag injection — stylesheet or preload CSRF attacks */
+  /<link[\s>]/gi
 ];
 var XSS_REMOVE_PATTERNS = [
   /** Full script blocks (content + tags) */
@@ -93,7 +101,15 @@ var XSS_REMOVE_PATTERNS = [
   /javascript\s*:/gi,
   /vbscript\s*:/gi,
   /** data: URIs with HTML/script content */
-  /data\s*:\s*text\/html[^>\s]*/gi
+  /data\s*:\s*text\/html[^>\s]*/gi,
+  /** form tag injection — phishing via action= redirection */
+  /<form[\s>][^>]*/gi,
+  /** meta tag injection — http-equiv refresh or CSP bypass */
+  /<meta[\s>][^>]*/gi,
+  /** base href hijacking */
+  /<base[\s>][^>]*/gi,
+  /** link tag injection — stylesheet or preload attacks */
+  /<link[\s>][^>]*/gi
 ];
 var SQL_PATTERNS = [
   /** SQL keywords */
@@ -157,8 +173,8 @@ var COMMAND_PATTERNS = [
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
   /\$\(/g,
-  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
-  /%0[ad]/gi
+  /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
+  /%0[0-9a-f]/gi
 ];
 var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
   "__proto__",
@@ -449,7 +465,24 @@ function createRateLimiter(options = {}) {
       }
       next();
     } catch (error) {
-      console.error("[arcis] Rate limiter error:", error);
+      console.error("[arcis] Rate limiter store error, using in-memory fallback:", error);
+      try {
+        const key = keyGenerator(req);
+        const now = Date.now();
+        if (!inMemoryStore[key] || inMemoryStore[key].resetTime < now) {
+          inMemoryStore[key] = { count: 1, resetTime: now + windowMs };
+        } else {
+          inMemoryStore[key].count++;
+        }
+        const count = inMemoryStore[key].count;
+        if (count > max) {
+          const resetSeconds = Math.ceil((inMemoryStore[key].resetTime - now) / 1e3);
+          res.setHeader("Retry-After", resetSeconds.toString());
+          res.status(statusCode).json({ error: message, retryAfter: resetSeconds });
+          return;
+        }
+      } catch {
+      }
       next();
     }
   };
@@ -693,26 +726,31 @@ function sanitizePath(input, collectThreats = false) {
   const threats = [];
   let value = input;
   let wasSanitized = false;
-  for (const pattern of PATH_PATTERNS) {
-    pattern.lastIndex = 0;
-    if (pattern.test(value)) {
+  value = value.normalize("NFKC");
+  let prev;
+  do {
+    prev = value;
+    for (const pattern of PATH_PATTERNS) {
       pattern.lastIndex = 0;
-      if (collectThreats) {
-        const matches = value.match(pattern);
-        if (matches) {
-          for (const match of matches) {
-            threats.push({
-              type: "path_traversal",
-              pattern: pattern.source,
-              original: match
-            });
+      if (pattern.test(value)) {
+        pattern.lastIndex = 0;
+        if (collectThreats) {
+          const matches = value.match(pattern);
+          if (matches) {
+            for (const match of matches) {
+              threats.push({
+                type: "path_traversal",
+                pattern: pattern.source,
+                original: match
+              });
+            }
           }
         }
+        value = value.replace(pattern, "");
+        wasSanitized = true;
       }
-      value = value.replace(pattern, "");
-      wasSanitized = true;
     }
-  }
+  } while (value !== prev);
   if (collectThreats) {
     return { value, wasSanitized, threats };
   }
@@ -720,9 +758,10 @@ function sanitizePath(input, collectThreats = false) {
 }
 function detectPathTraversal(input) {
   if (typeof input !== "string") return false;
+  const normalized = input.normalize("NFKC");
   for (const pattern of PATH_PATTERNS) {
     pattern.lastIndex = 0;
-    if (pattern.test(input)) {
+    if (pattern.test(normalized)) {
       return true;
     }
   }
@@ -780,7 +819,7 @@ function sanitizeString(value, options = {}) {
   if (value.length > maxSize) {
     throw new InputTooLargeError(maxSize, value.length);
   }
-  const reject = options.mode !== "sanitize";
+  const reject = options.mode === "reject";
   let result = value;
   if (options.sql !== false) {
     if (reject) {
@@ -929,10 +968,22 @@ var SSTI_DETECT_PATTERNS = [
   /\{\{\s*(?:self|request|lipsum|cycler|joiner|namespace|range)\b/gi
 ];
 var SSTI_REMOVE_PATTERNS = [
+  /** Jinja2 / Twig: {{ ... }} — always strip (not valid in any JS context) */
   /\{\{.*?\}\}/g,
-  /\$\{.*?\}/g,
+  /**
+   * Freemarker / Spring EL: ${...} — only strip when the expression contains
+   * operators (?!*+-/), method calls (), or known-dangerous prefixes.
+   * Bare ${name} and ${user.name} are left intact (JS template literal syntax).
+   */
+  /\$\{[^}]*[?!()*+\-/][^}]*\}/g,
+  /** ERB / EJS: <%= ... %> */
   /<%[=\-]?.*?%>/gs,
-  /#\{.*?\}/g,
+  /**
+   * Pug / Jade: #{...} — same narrowing as ${ above.
+   * #{name} output expressions are left intact.
+   */
+  /#\{[^}]*[?!()*+\-/][^}]*\}/g,
+  /** Python dunder sandbox escape — always strip */
   /__(?:class|mro|subclasses|globals|builtins|import)__/gi
 ];
 function sanitizeSsti(input, collectThreats = false) {
@@ -1296,16 +1347,18 @@ function encodeForAttribute(value) {
 function encodeForJs(value) {
   if (!value) return "";
   let result = "";
-  for (let i = 0; i < value.length; i++) {
-    const ch = value.charCodeAt(i);
-    if (ch >= 48 && ch <= 57 || // 0-9
-    ch >= 65 && ch <= 90 || // A-Z
-    ch >= 97 && ch <= 122) {
-      result += value[i];
-    } else if (ch < 256) {
-      result += `\\x${ch.toString(16).toUpperCase().padStart(2, "0")}`;
+  for (const char of value) {
+    const cp = char.codePointAt(0);
+    if (cp >= 48 && cp <= 57 || // 0-9
+    cp >= 65 && cp <= 90 || // A-Z
+    cp >= 97 && cp <= 122) {
+      result += char;
+    } else if (cp < 256) {
+      result += `\\x${cp.toString(16).toUpperCase().padStart(2, "0")}`;
+    } else if (cp <= 65535) {
+      result += `\\u${cp.toString(16).toUpperCase().padStart(4, "0")}`;
     } else {
-      result += `\\u${ch.toString(16).toUpperCase().padStart(4, "0")}`;
+      result += `\\u{${cp.toString(16).toUpperCase()}}`;
     }
   }
   return result;
@@ -1758,8 +1811,12 @@ function checkPrivateIp(hostname) {
   if (hostname === "metadata.google.internal" || hostname === "metadata.internal" || hostname === "metadata.azure.internal") {
     return "cloud metadata endpoint";
   }
-  const ipv6 = hostname.replace(/^\[|\]$/g, "");
-  if (ipv6 === "::1" || ipv6 === "::" || ipv6.startsWith("fc") || ipv6.startsWith("fd") || ipv6.startsWith("fe80")) {
+  let ipv6 = hostname.replace(/^\[|\]$/g, "");
+  const zoneIdx = ipv6.indexOf("%");
+  if (zoneIdx !== -1) {
+    ipv6 = ipv6.slice(0, zoneIdx);
+  }
+  if (ipv6 === "::1" || ipv6 === "::" || /^fc[0-9a-f]{2}:/i.test(ipv6) || /^fd[0-9a-f]{2}:/i.test(ipv6) || /^fe80:/i.test(ipv6) || /^ff[0-9a-f]{2}:/i.test(ipv6)) {
     return "private IPv6 address";
   }
   const mappedDotted = ipv6.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i);
@@ -2818,11 +2875,9 @@ function generateCsrfToken(length = 32) {
 function validateCsrfToken(cookieToken, requestToken) {
   if (!cookieToken || !requestToken) return false;
   if (cookieToken.length !== requestToken.length) return false;
-  let result = 0;
-  for (let i = 0; i < cookieToken.length; i++) {
-    result |= cookieToken.charCodeAt(i) ^ requestToken.charCodeAt(i);
-  }
-  return result === 0;
+  const a = Buffer.from(cookieToken);
+  const b = Buffer.from(requestToken);
+  return timingSafeEqual(a, b);
 }
 function getRequestToken(req, headerName, fieldName) {
   const headerToken = req.headers[headerName.toLowerCase()];
@@ -2831,10 +2886,6 @@ function getRequestToken(req, headerName, fieldName) {
     const bodyToken = req.body[fieldName];
     if (typeof bodyToken === "string" && bodyToken) return bodyToken;
   }
-  if (req.query && fieldName in req.query) {
-    const queryToken = req.query[fieldName];
-    if (typeof queryToken === "string" && queryToken) return queryToken;
-  }
   return void 0;
 }
 function csrfProtection(options = {}) {
@@ -2917,7 +2968,15 @@ function setCsrfCookie(res, name, token, opts) {
   if (opts.secure) parts.push("Secure");
   parts.push(`SameSite=${opts.sameSite}`);
   if (opts.domain) parts.push(`Domain=${opts.domain}`);
-  res.setHeader("Set-Cookie", parts.join("; "));
+  const newCookie = parts.join("; ");
+  const existing = res.getHeader("Set-Cookie");
+  if (existing === void 0) {
+    res.setHeader("Set-Cookie", newCookie);
+  } else if (Array.isArray(existing)) {
+    res.setHeader("Set-Cookie", [...existing, newCookie]);
+  } else {
+    res.setHeader("Set-Cookie", [existing, newCookie]);
+  }
 }
 function escapeRegex(str) {
   return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
@@ -3101,8 +3160,9 @@ function fingerprint(req, options = {}) {
 }
 
 // src/stores/memory.ts
+var DEFAULT_MAX_SIZE2 = 1e4;
 var MemoryStore = class {
-  constructor(windowMs = RATE_LIMIT.DEFAULT_WINDOW_MS) {
+  constructor(windowMs = RATE_LIMIT.DEFAULT_WINDOW_MS, maxSize = DEFAULT_MAX_SIZE2) {
     this.store = /* @__PURE__ */ new Map();
     this.cleanupInterval = null;
     if (!Number.isFinite(windowMs) || windowMs < RATE_LIMIT.MIN_WINDOW_MS) {
@@ -3110,7 +3170,11 @@ var MemoryStore = class {
         `MemoryStore: windowMs must be a finite number >= ${RATE_LIMIT.MIN_WINDOW_MS} (got ${windowMs})`
       );
     }
+    if (!Number.isFinite(maxSize) || maxSize < 1) {
+      throw new RangeError(`MemoryStore: maxSize must be >= 1 (got ${maxSize})`);
+    }
     this.windowMs = windowMs;
+    this.maxSize = maxSize;
     this.startCleanup();
   }
   /**
@@ -3142,18 +3206,33 @@ var MemoryStore = class {
     return entry;
   }
   async set(key, entry) {
+    if (!this.store.has(key) && this.store.size >= this.maxSize) {
+      this.evictExpired();
+      if (this.store.size >= this.maxSize) return;
+    }
     this.store.set(key, entry);
   }
   async increment(key) {
     const now = Date.now();
     const entry = this.store.get(key);
     if (!entry || entry.resetTime < now) {
+      if (this.store.size >= this.maxSize) {
+        this.evictExpired();
+        if (this.store.size >= this.maxSize) return 1;
+      }
       this.store.set(key, { count: 1, resetTime: now + this.windowMs });
       return 1;
     }
     entry.count++;
     return entry.count;
   }
+  /** Eagerly remove expired entries to reclaim capacity. */
+  evictExpired() {
+    const now = Date.now();
+    for (const [key, entry] of this.store.entries()) {
+      if (entry.resetTime < now) this.store.delete(key);
+    }
+  }
   async decrement(key) {
     const entry = this.store.get(key);
     if (entry && entry.count > 0) {