npm - @arcis/node - Versions diffs - 1.4.0 → 1.4.3 - Mend

@arcis/node 1.4.0 → 1.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (65) hide show

package/README.md +1 -1
package/dist/core/constants.d.ts +2 -2
package/dist/core/constants.d.ts.map +1 -1
package/dist/core/index.js +11 -3
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +11 -3
package/dist/core/index.mjs.map +1 -1
package/dist/core/types.d.ts +6 -0
package/dist/core/types.d.ts.map +1 -1
package/dist/index.d.ts +4 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +527 -63
package/dist/index.js.map +1 -1
package/dist/index.mjs +525 -65
package/dist/index.mjs.map +1 -1
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/middleware/bot-detection.d.ts.map +1 -1
package/dist/middleware/cookies.d.ts.map +1 -1
package/dist/middleware/csrf.d.ts +10 -0
package/dist/middleware/csrf.d.ts.map +1 -1
package/dist/middleware/hpp.d.ts.map +1 -1
package/dist/middleware/index.d.ts +2 -0
package/dist/middleware/index.d.ts.map +1 -1
package/dist/middleware/index.js +671 -39
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +671 -41
package/dist/middleware/index.mjs.map +1 -1
package/dist/middleware/main.d.ts.map +1 -1
package/dist/middleware/rate-limit.d.ts.map +1 -1
package/dist/middleware/signup-protection.d.ts +65 -0
package/dist/middleware/signup-protection.d.ts.map +1 -0
package/dist/middleware/telemetry.d.ts +36 -0
package/dist/middleware/telemetry.d.ts.map +1 -0
package/dist/sanitizers/encode.d.ts.map +1 -1
package/dist/sanitizers/index.d.ts +1 -0
package/dist/sanitizers/index.d.ts.map +1 -1
package/dist/sanitizers/index.js +113 -37
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +111 -38
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/sanitizers/ldap.d.ts +42 -0
package/dist/sanitizers/ldap.d.ts.map +1 -0
package/dist/sanitizers/path.d.ts.map +1 -1
package/dist/sanitizers/pii.d.ts.map +1 -1
package/dist/sanitizers/sanitize.d.ts.map +1 -1
package/dist/sanitizers/ssti.d.ts.map +1 -1
package/dist/sanitizers/xxe.d.ts.map +1 -1
package/dist/stores/index.js +21 -1
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs +21 -1
package/dist/stores/index.mjs.map +1 -1
package/dist/stores/memory.d.ts +4 -10
package/dist/stores/memory.d.ts.map +1 -1
package/dist/telemetry/client.d.ts +60 -0
package/dist/telemetry/client.d.ts.map +1 -0
package/dist/telemetry/index.d.ts +3 -0
package/dist/telemetry/index.d.ts.map +1 -0
package/dist/telemetry/types.d.ts +59 -0
package/dist/telemetry/types.d.ts.map +1 -0
package/dist/validation/index.js +41 -21
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs +41 -21
package/dist/validation/index.mjs.map +1 -1
package/package.json +8 -2

package/dist/sanitizers/index.mjs CHANGED Viewed

@@ -25,13 +25,24 @@ var XSS_PATTERNS = [
   /** URL-encoded script tags */
   /%3Cscript/gi,
   /** SVG with onload */
-  /<svg[^>]*onload/gi
+  /<svg[^>]*onload/gi,
+  /** form tags — phishing/credential harvesting via action= redirection */
+  /<form[\s>]/gi,
+  /** meta tags — http-equiv refresh redirects or CSP bypass */
+  /<meta[\s>]/gi,
+  /** base href hijacking — redirects all relative URLs to attacker domain */
+  /<base[\s>]/gi,
+  /** link tag injection — stylesheet or preload CSRF attacks */
+  /<link[\s>]/gi
 ];
 var XSS_REMOVE_PATTERNS = [
   /** Full script blocks (content + tags) */
   /<script[^>]*>[\s\S]*?<\/script>/gi,
   /** Standalone/unclosed script tags */
   /<script[^>]*>/gi,
+  /** style — CSS expression() and behavior: attacks (IE-era but still relevant) */
+  /<style[^>]*>[\s\S]*?<\/style>/gi,
+  /<style[^>]*/gi,
   /** iframe — full block and partial/unclosed */
   /<iframe[^>]*>[\s\S]*?<\/iframe>/gi,
   /<iframe[^>]*/gi,
@@ -52,7 +63,15 @@ var XSS_REMOVE_PATTERNS = [
   /javascript\s*:/gi,
   /vbscript\s*:/gi,
   /** data: URIs with HTML/script content */
-  /data\s*:\s*text\/html[^>\s]*/gi
+  /data\s*:\s*text\/html[^>\s]*/gi,
+  /** form tag injection — phishing via action= redirection */
+  /<form[\s>][^>]*/gi,
+  /** meta tag injection — http-equiv refresh or CSP bypass */
+  /<meta[\s>][^>]*/gi,
+  /** base href hijacking */
+  /<base[\s>][^>]*/gi,
+  /** link tag injection — stylesheet or preload attacks */
+  /<link[\s>][^>]*/gi
 ];
 var SQL_PATTERNS = [
   /** SQL keywords */
@@ -116,8 +135,8 @@ var COMMAND_PATTERNS = [
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
   /\$\(/g,
-  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
-  /%0[ad]/gi
+  /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
+  /%0[0-9a-f]/gi
 ];
 var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
   "__proto__",
@@ -321,26 +340,31 @@ function sanitizePath(input, collectThreats = false) {
   const threats = [];
   let value = input;
   let wasSanitized = false;
-  for (const pattern of PATH_PATTERNS) {
-    pattern.lastIndex = 0;
-    if (pattern.test(value)) {
+  value = value.normalize("NFKC");
+  let prev;
+  do {
+    prev = value;
+    for (const pattern of PATH_PATTERNS) {
       pattern.lastIndex = 0;
-      if (collectThreats) {
-        const matches = value.match(pattern);
-        if (matches) {
-          for (const match of matches) {
-            threats.push({
-              type: "path_traversal",
-              pattern: pattern.source,
-              original: match
-            });
+      if (pattern.test(value)) {
+        pattern.lastIndex = 0;
+        if (collectThreats) {
+          const matches = value.match(pattern);
+          if (matches) {
+            for (const match of matches) {
+              threats.push({
+                type: "path_traversal",
+                pattern: pattern.source,
+                original: match
+              });
+            }
           }
         }
+        value = value.replace(pattern, "");
+        wasSanitized = true;
       }
-      value = value.replace(pattern, "");
-      wasSanitized = true;
     }
-  }
+  } while (value !== prev);
   if (collectThreats) {
     return { value, wasSanitized, threats };
   }
@@ -348,9 +372,10 @@ function sanitizePath(input, collectThreats = false) {
 }
 function detectPathTraversal(input) {
   if (typeof input !== "string") return false;
+  const normalized = input.normalize("NFKC");
   for (const pattern of PATH_PATTERNS) {
     pattern.lastIndex = 0;
-    if (pattern.test(input)) {
+    if (pattern.test(normalized)) {
       return true;
     }
   }
@@ -408,7 +433,7 @@ function sanitizeString(value, options = {}) {
   if (value.length > maxSize) {
     throw new InputTooLargeError(maxSize, value.length);
   }
-  const reject = options.mode !== "sanitize";
+  const reject = options.mode === "reject";
   let result = value;
   if (options.sql !== false) {
     if (reject) {
@@ -563,10 +588,24 @@ var SSTI_DETECT_PATTERNS = [
   /\{\{\s*(?:self|request|lipsum|cycler|joiner|namespace|range)\b/gi
 ];
 var SSTI_REMOVE_PATTERNS = [
+  /** Jinja2 / Twig: {{ ... }} — always strip (not valid in any JS context) */
   /\{\{.*?\}\}/g,
-  /\$\{.*?\}/g,
+  /**
+   * Freemarker / Spring EL: ${...} — strip when expression contains operators,
+   * method calls, or Python dunder patterns (sandbox escape).
+   * Bare ${name} and ${user.name} are left intact (JS template literal syntax).
+   */
+  /\$\{[^}]*__\w+__[^}]*\}/g,
+  /\$\{[^}]*[?!()*+\-/][^}]*\}/g,
+  /** ERB / EJS: <%= ... %> */
   /<%[=\-]?.*?%>/gs,
-  /#\{.*?\}/g,
+  /**
+   * Pug / Jade: #{...} — same narrowing as ${ above, plus dunder detection.
+   * #{name} output expressions are left intact.
+   */
+  /#\{[^}]*__\w+__[^}]*\}/g,
+  /#\{[^}]*[?!()*+\-/][^}]*\}/g,
+  /** Python dunder sandbox escape — always strip */
   /__(?:class|mro|subclasses|globals|builtins|import)__/gi
 ];
 function sanitizeSsti(input, collectThreats = false) {
@@ -613,6 +652,8 @@ function detectSsti(input) {
 }
 // src/sanitizers/xxe.ts
+var MAX_XXE_INPUT_BYTES = 1e6;
+var MAX_ENTITY_REFERENCES = 64;
 var XXE_DETECT_PATTERNS = [
   /** DOCTYPE declaration */
   /<!DOCTYPE\b/gi,
@@ -642,6 +683,19 @@ function sanitizeXxe(input, collectThreats = false) {
   const threats = [];
   let value = input;
   let wasSanitized = false;
+  if (value.length > MAX_XXE_INPUT_BYTES) {
+    if (collectThreats) {
+      threats.push({ type: "xxe", pattern: "oversize_input", original: `length=${value.length}` });
+    }
+    return collectThreats ? { value: "", wasSanitized: true, threats } : "";
+  }
+  const entityRefs = value.match(/&\w+;/g);
+  if (entityRefs && entityRefs.length > MAX_ENTITY_REFERENCES) {
+    if (collectThreats) {
+      threats.push({ type: "xxe", pattern: "entity_expansion", original: `count=${entityRefs.length}` });
+    }
+    return collectThreats ? { value: "", wasSanitized: true, threats } : "";
+  }
   for (const pattern of XXE_REMOVE_PATTERNS) {
     pattern.lastIndex = 0;
     if (pattern.test(value)) {
@@ -679,12 +733,10 @@ function detectXxe(input) {
 }
 // src/sanitizers/jsonp.ts
-var SAFE_CALLBACK_PATTERN = /^[a-zA-Z_$][a-zA-Z0-9_$.[\]]*$/;
+var SAFE_CALLBACK_PATTERN = /^[a-zA-Z_$][a-zA-Z0-9_$.]*$/;
 var DANGEROUS_CALLBACK_PATTERNS = [
-  /\.\./,
+  /\.\./
   // prototype chain traversal
-  /\[\s*\]/
-  // empty bracket access
 ];
 function sanitizeJsonpCallback(callback, maxLength = 128) {
   if (typeof callback !== "string" || callback.length === 0) {
@@ -769,7 +821,7 @@ function detectHeaderInjection(input) {
 // src/sanitizers/pii.ts
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+/g;
-var PHONE_RE = /(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}/g;
+var PHONE_RE = /(?<!\d)(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)/g;
 var CREDIT_CARD_RE = /\b(?:\d[ -]*?){13,19}\b/g;
 var SSN_RE = /\b\d{3}[-\s]\d{2}[-\s]\d{4}\b/g;
 var IPV4_RE = /\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b/g;
@@ -930,16 +982,18 @@ function encodeForAttribute(value) {
 function encodeForJs(value) {
   if (!value) return "";
   let result = "";
-  for (let i = 0; i < value.length; i++) {
-    const ch = value.charCodeAt(i);
-    if (ch >= 48 && ch <= 57 || // 0-9
-    ch >= 65 && ch <= 90 || // A-Z
-    ch >= 97 && ch <= 122) {
-      result += value[i];
-    } else if (ch < 256) {
-      result += `\\x${ch.toString(16).toUpperCase().padStart(2, "0")}`;
+  for (const char of value) {
+    const cp = char.codePointAt(0);
+    if (cp >= 48 && cp <= 57 || // 0-9
+    cp >= 65 && cp <= 90 || // A-Z
+    cp >= 97 && cp <= 122) {
+      result += char;
+    } else if (cp < 256) {
+      result += `\\x${cp.toString(16).toUpperCase().padStart(2, "0")}`;
+    } else if (cp <= 65535) {
+      result += `\\u${cp.toString(16).toUpperCase().padStart(4, "0")}`;
     } else {
-      result += `\\u${ch.toString(16).toUpperCase().padStart(4, "0")}`;
+      result += `\\u{${cp.toString(16).toUpperCase()}}`;
     }
   }
   return result;
@@ -966,6 +1020,25 @@ function encodeForCss(value) {
   return result;
 }
-export { createSanitizer, detectCommandInjection, detectHeaderInjection, detectJsonpInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPrototypePollution, detectSql, detectSsti, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, encodeHtmlEntities, getDangerousOperators, getDangerousProtoKeys, isDangerousNoSqlKey, isDangerousProtoKey, isPlainObject, redactObjectPii, redactPii, sanitizeCommand, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeObject, sanitizePath, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii };
+// src/sanitizers/ldap.ts
+var LDAP_FILTER_CHARS = /[*()\\\x00]/g;
+var LDAP_DN_CHARS = /[,+<>;"=\/\\\x00*()\x00]/g;
+var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
+var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
+var escapeChar = (char) => "\\" + char.charCodeAt(0).toString(16).padStart(2, "0");
+function sanitizeLdapFilter(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(LDAP_FILTER_CHARS, escapeChar);
+}
+function sanitizeLdapDn(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(LDAP_DN_CHARS, escapeChar);
+}
+function detectLdapInjection(input) {
+  if (typeof input !== "string") return false;
+  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+}
+export { createSanitizer, detectCommandInjection, detectHeaderInjection, detectJsonpInjection, detectLdapInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPrototypePollution, detectSql, detectSsti, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, encodeHtmlEntities, getDangerousOperators, getDangerousProtoKeys, isDangerousNoSqlKey, isDangerousProtoKey, isPlainObject, redactObjectPii, redactPii, sanitizeCommand, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeLdapDn, sanitizeLdapFilter, sanitizeObject, sanitizePath, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map