npm - @arcis/node - Versions diffs - 1.4.2 → 1.4.3 - Mend

@arcis/node 1.4.2 → 1.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/dist/core/constants.d.ts +1 -1
package/dist/core/constants.d.ts.map +1 -1
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs.map +1 -1
package/dist/core/types.d.ts +6 -0
package/dist/core/types.d.ts.map +1 -1
package/dist/index.d.ts +4 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +405 -20
package/dist/index.js.map +1 -1
package/dist/index.mjs +402 -21
package/dist/index.mjs.map +1 -1
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/middleware/bot-detection.d.ts.map +1 -1
package/dist/middleware/cookies.d.ts.map +1 -1
package/dist/middleware/csrf.d.ts +10 -0
package/dist/middleware/csrf.d.ts.map +1 -1
package/dist/middleware/hpp.d.ts.map +1 -1
package/dist/middleware/index.d.ts +2 -0
package/dist/middleware/index.d.ts.map +1 -1
package/dist/middleware/index.js +609 -9
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +608 -10
package/dist/middleware/index.mjs.map +1 -1
package/dist/middleware/main.d.ts.map +1 -1
package/dist/middleware/rate-limit.d.ts.map +1 -1
package/dist/middleware/signup-protection.d.ts +65 -0
package/dist/middleware/signup-protection.d.ts.map +1 -0
package/dist/middleware/telemetry.d.ts +36 -0
package/dist/middleware/telemetry.d.ts.map +1 -0
package/dist/sanitizers/index.js +26 -8
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +26 -8
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/sanitizers/pii.d.ts.map +1 -1
package/dist/sanitizers/ssti.d.ts.map +1 -1
package/dist/sanitizers/xxe.d.ts.map +1 -1
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs.map +1 -1
package/dist/telemetry/client.d.ts +60 -0
package/dist/telemetry/client.d.ts.map +1 -0
package/dist/telemetry/index.d.ts +3 -0
package/dist/telemetry/index.d.ts.map +1 -0
package/dist/telemetry/types.d.ts +59 -0
package/dist/telemetry/types.d.ts.map +1 -0
package/dist/validation/index.js +3 -0
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs +3 -0
package/dist/validation/index.mjs.map +1 -1
package/package.json +7 -1

package/dist/middleware/main.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../src/middleware/main.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EACV,YAAY,EACZ,aAAa,EACb,oBAAoB,EAIrB,MAAM,eAAe,CAAC;~~AAQvB~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,KAAK,CAAC,OAAO,GAAE,YAAiB,GAAG,oBAAoB,~~CAuCtE~~;AAGD,QAAA,MAAM,gBAAgB,EAAY,aAAa,CAAC;AAQhD,OAAO,EAAE,gBAAgB,IAAI,aAAa,EAAE,CAAC;AAC7C,eAAe,gBAAgB,CAAC"}
1	+ {"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../src/middleware/main.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EACV,YAAY,EACZ,aAAa,EACb,oBAAoB,EAIrB,MAAM,eAAe,CAAC;AAwCvB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,KAAK,CAAC,OAAO,GAAE,YAAiB,GAAG,oBAAoB,CAyDtE;AAGD,QAAA,MAAM,gBAAgB,EAAY,aAAa,CAAC;AAQhD,OAAO,EAAE,gBAAgB,IAAI,aAAa,EAAE,CAAC;AAC7C,eAAe,gBAAgB,CAAC"}

package/dist/middleware/rate-limit.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAkB,MAAM,eAAe,CAAC;AAO7F;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,GAAG,qBAAqB,~~CAoIvF~~;AAED;;;GAGG;AACH,eAAO,MAAM,SAAS,0BAAoB,CAAC"}
1	+ {"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAkB,MAAM,eAAe,CAAC;AAO7F;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,GAAG,qBAAqB,CAuIvF;AAED;;;GAGG;AACH,eAAO,MAAM,SAAS,0BAAoB,CAAC"}

package/dist/middleware/signup-protection.d.ts ADDED Viewed

@@ -0,0 +1,65 @@
+/**
+ * @module @arcis/node/middleware/signup-protection
+ *
+ * Composite signup-form protection: one middleware that combines email
+ * validation (syntax + disposable), bot detection, and a dedicated
+ * per-IP rate limit. Matches the Arcjet `protectSignup` convenience
+ * primitive but stays fully local — no cloud lookups.
+ *
+ * @example
+ *   app.post('/signup', signupProtection(), handler);
+ *
+ * @example
+ *   app.post('/signup', signupProtection({
+ *     emailField: 'email',
+ *     rateLimit: { max: 5, windowMs: 60_000 },
+ *     blockDisposable: true,
+ *   }), handler);
+ */
+import type { Request, RequestHandler } from 'express';
+import { type BotCategory } from './bot-detection';
+export type SignupBlockReason = 'missing_email' | 'invalid_email' | 'disposable_email' | 'bot' | 'rate_limited';
+export interface SignupCheckResult {
+    allowed: boolean;
+    reason: SignupBlockReason | 'ok';
+    details?: Record<string, unknown>;
+}
+export interface SignupProtectionOptions {
+    /** Request body field holding the email address. Default: 'email' */
+    emailField?: string;
+    /** Run email validation. Default: true */
+    checkEmail?: boolean;
+    /** Reject disposable email domains. Default: true */
+    blockDisposable?: boolean;
+    /** Run bot detection. Default: true */
+    checkBot?: boolean;
+    /** Bot categories allowed through (e.g. test harnesses). Default: [] — all bots blocked */
+    allowedBotCategories?: BotCategory[];
+    /** Per-IP rate limit on signup endpoint. Set to `false` to disable. Default: 5 requests / 60s */
+    rateLimit?: {
+        max?: number;
+        windowMs?: number;
+    } | false;
+    /** Extra email domains to allow (bypasses disposable check) */
+    allowedEmailDomains?: string[];
+    /** Extra email domains to block */
+    blockedEmailDomains?: string[];
+    /** Called when a request is blocked — for telemetry/logging */
+    onBlocked?: (req: Request, result: SignupCheckResult) => void;
+}
+export interface SignupProtectionMiddleware extends RequestHandler {
+    /** Release the rate-limiter cleanup interval */
+    close: () => void;
+}
+/**
+ * Pure signup check — no rate-limit mutation, no response writes.
+ * Useful for framework adapters or custom control flow.
+ */
+export declare function checkSignup(req: Request, options?: SignupProtectionOptions): SignupCheckResult;
+/**
+ * Express middleware: applies bot + email + rate-limit checks to a signup
+ * endpoint. Responds 400/403/429 with a JSON body on block; otherwise
+ * calls `next()`.
+ */
+export declare function signupProtection(options?: SignupProtectionOptions): SignupProtectionMiddleware;
+//# sourceMappingURL=signup-protection.d.ts.map

package/dist/middleware/signup-protection.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"signup-protection.d.ts","sourceRoot":"","sources":["../../src/middleware/signup-protection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAA0B,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAAa,KAAK,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAG9D,MAAM,MAAM,iBAAiB,GACzB,eAAe,GACf,eAAe,GACf,kBAAkB,GAClB,KAAK,GACL,cAAc,CAAC;AAEnB,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAAC;IACjC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,uBAAuB;IACtC,qEAAqE;IACrE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0CAA0C;IAC1C,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,qDAAqD;IACrD,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,uCAAuC;IACvC,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,2FAA2F;IAC3F,oBAAoB,CAAC,EAAE,WAAW,EAAE,CAAC;IACrC,iGAAiG;IACjG,SAAS,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,KAAK,CAAC;IACxD,+DAA+D;IAC/D,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,mCAAmC;IACnC,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,+DAA+D;IAC/D,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,iBAAiB,KAAK,IAAI,CAAC;CAC/D;AAED,MAAM,WAAW,0BAA2B,SAAQ,cAAc;IAChE,gDAAgD;IAChD,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAgB,WAAW,CACzB,GAAG,EAAE,OAAO,EACZ,OAAO,GAAE,uBAA4B,GACpC,iBAAiB,CAwCnB;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,GAAE,uBAA4B,GACpC,0BAA0B,CAiD5B"}

package/dist/middleware/telemetry.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * @module @arcis/node/middleware/telemetry
+ * Bridges Arcis middleware decisions to a TelemetryClient.
+ * Pattern 3 (two-layer): the client owns transport; this layer owns Express plumbing.
+ */
+import type { RequestHandler } from 'express';
+import type { TelemetryClient } from '../telemetry/client';
+import type { TelemetryDecision, TelemetrySeverity } from '../telemetry/types';
+/** Marker that inner middleware writes to and the emitter reads from. */
+export interface ArcisTelemetryMarker {
+    vector?: string;
+    rule?: string;
+    severity?: TelemetrySeverity;
+    matchedPattern?: string;
+    reason?: string;
+    /** Pre-decided decision. If absent, the emitter infers from response status. */
+    decision?: TelemetryDecision;
+}
+declare module 'express-serve-static-core' {
+    interface Request {
+        /** Per-request marker populated by Arcis middlewares for telemetry attribution. */
+        __arcis?: ArcisTelemetryMarker;
+    }
+}
+/**
+ * Express middleware that records a telemetry event for every request.
+ * Captures latency from entry, hooks `res.on('finish')`, and infers the
+ * final decision from response status + any `req.__arcis` marker.
+ */
+export declare function createTelemetryEmitter(client: TelemetryClient): RequestHandler;
+/**
+ * Wraps the sanitizer middleware so SecurityThreatError → req.__arcis marker.
+ * The emitter on `finish` will then have vector/rule/severity attribution.
+ */
+export declare function tapSanitizerThreats(handler: RequestHandler): RequestHandler;
+//# sourceMappingURL=telemetry.d.ts.map

package/dist/middleware/telemetry.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"telemetry.d.ts","sourceRoot":"","sources":["../../src/middleware/telemetry.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAW,cAAc,EAAE,MAAM,SAAS,CAAC;AACvD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,KAAK,EAAkB,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAG/F,yEAAyE;AACzE,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,gFAAgF;IAChF,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAED,OAAO,QAAQ,2BAA2B,CAAC;IACzC,UAAU,OAAO;QACf,mFAAmF;QACnF,OAAO,CAAC,EAAE,oBAAoB,CAAC;KAChC;CACF;AAcD;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,eAAe,GAAG,cAAc,CAe9E;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,cAAc,GAAG,cAAc,CAiB3E"}

package/dist/sanitizers/index.js CHANGED Viewed

@@ -42,6 +42,9 @@ var XSS_REMOVE_PATTERNS = [
   /<script[^>]*>[\s\S]*?<\/script>/gi,
   /** Standalone/unclosed script tags */
   /<script[^>]*>/gi,
+  /** style — CSS expression() and behavior: attacks (IE-era but still relevant) */
+  /<style[^>]*>[\s\S]*?<\/style>/gi,
+  /<style[^>]*/gi,
   /** iframe — full block and partial/unclosed */
   /<iframe[^>]*>[\s\S]*?<\/iframe>/gi,
   /<iframe[^>]*/gi,
@@ -590,17 +593,19 @@ var SSTI_REMOVE_PATTERNS = [
   /** Jinja2 / Twig: {{ ... }} — always strip (not valid in any JS context) */
   /\{\{.*?\}\}/g,
   /**
-   * Freemarker / Spring EL: ${...} — only strip when the expression contains
-   * operators (?!*+-/), method calls (), or known-dangerous prefixes.
+   * Freemarker / Spring EL: ${...} — strip when expression contains operators,
+   * method calls, or Python dunder patterns (sandbox escape).
    * Bare ${name} and ${user.name} are left intact (JS template literal syntax).
    */
+  /\$\{[^}]*__\w+__[^}]*\}/g,
   /\$\{[^}]*[?!()*+\-/][^}]*\}/g,
   /** ERB / EJS: <%= ... %> */
   /<%[=\-]?.*?%>/gs,
   /**
-   * Pug / Jade: #{...} — same narrowing as ${ above.
+   * Pug / Jade: #{...} — same narrowing as ${ above, plus dunder detection.
    * #{name} output expressions are left intact.
    */
+  /#\{[^}]*__\w+__[^}]*\}/g,
   /#\{[^}]*[?!()*+\-/][^}]*\}/g,
   /** Python dunder sandbox escape — always strip */
   /__(?:class|mro|subclasses|globals|builtins|import)__/gi
@@ -649,6 +654,8 @@ function detectSsti(input) {
 }
 // src/sanitizers/xxe.ts
+var MAX_XXE_INPUT_BYTES = 1e6;
+var MAX_ENTITY_REFERENCES = 64;
 var XXE_DETECT_PATTERNS = [
   /** DOCTYPE declaration */
   /<!DOCTYPE\b/gi,
@@ -678,6 +685,19 @@ function sanitizeXxe(input, collectThreats = false) {
   const threats = [];
   let value = input;
   let wasSanitized = false;
+  if (value.length > MAX_XXE_INPUT_BYTES) {
+    if (collectThreats) {
+      threats.push({ type: "xxe", pattern: "oversize_input", original: `length=${value.length}` });
+    }
+    return collectThreats ? { value: "", wasSanitized: true, threats } : "";
+  }
+  const entityRefs = value.match(/&\w+;/g);
+  if (entityRefs && entityRefs.length > MAX_ENTITY_REFERENCES) {
+    if (collectThreats) {
+      threats.push({ type: "xxe", pattern: "entity_expansion", original: `count=${entityRefs.length}` });
+    }
+    return collectThreats ? { value: "", wasSanitized: true, threats } : "";
+  }
   for (const pattern of XXE_REMOVE_PATTERNS) {
     pattern.lastIndex = 0;
     if (pattern.test(value)) {
@@ -715,12 +735,10 @@ function detectXxe(input) {
 }
 // src/sanitizers/jsonp.ts
-var SAFE_CALLBACK_PATTERN = /^[a-zA-Z_$][a-zA-Z0-9_$.[\]]*$/;
+var SAFE_CALLBACK_PATTERN = /^[a-zA-Z_$][a-zA-Z0-9_$.]*$/;
 var DANGEROUS_CALLBACK_PATTERNS = [
-  /\.\./,
+  /\.\./
   // prototype chain traversal
-  /\[\s*\]/
-  // empty bracket access
 ];
 function sanitizeJsonpCallback(callback, maxLength = 128) {
   if (typeof callback !== "string" || callback.length === 0) {
@@ -805,7 +823,7 @@ function detectHeaderInjection(input) {
 // src/sanitizers/pii.ts
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+/g;
-var PHONE_RE = /(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}/g;
+var PHONE_RE = /(?<!\d)(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)/g;
 var CREDIT_CARD_RE = /\b(?:\d[ -]*?){13,19}\b/g;
 var SSN_RE = /\b\d{3}[-\s]\d{2}[-\s]\d{4}\b/g;
 var IPV4_RE = /\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b/g;