@arcis/node 1.4.2 → 1.4.4

package/dist/sanitizers/index.mjs

@@ -33,13 +33,19 @@ var XSS_PATTERNS = [
   /** base href hijacking — redirects all relative URLs to attacker domain */
   /<base[\s>]/gi,
   /** link tag injection — stylesheet or preload CSRF attacks */
-  /<link[\s>]/gi
+  /<link[\s>]/gi,
+  /** style tag — CSS expression() / behavior: / IE-era attacks. Mirrors
+   *  Python's xss-style-tag from packages/core/patterns.json. */
+  /<style[\s>]/gi
 ];
 var XSS_REMOVE_PATTERNS = [
   /** Full script blocks (content + tags) */
   /<script[^>]*>[\s\S]*?<\/script>/gi,
   /** Standalone/unclosed script tags */
   /<script[^>]*>/gi,
+  /** style — CSS expression() and behavior: attacks (IE-era but still relevant) */
+  /<style[^>]*>[\s\S]*?<\/style>/gi,
+  /<style[^>]*/gi,
   /** iframe — full block and partial/unclosed */
   /<iframe[^>]*>[\s\S]*?<\/iframe>/gi,
   /<iframe[^>]*/gi,
@@ -423,6 +429,168 @@ function detectCommandInjection(input) {
   return false;
 }
 
+// src/sanitizers/ssti.ts
+var SSTI_DETECT_PATTERNS = [
+  /** Jinja2 / Twig / Nunjucks: {{ ... }} */
+  /\{\{.*?\}\}/g,
+  /** Freemarker / Thymeleaf / Spring EL: ${ ... } */
+  /\$\{.*?\}/g,
+  /** ERB / EJS: <%= ... %> or <% ... %> */
+  /<%[=\-]?.*?%>/gs,
+  /** Pug / Jade / Slim: #{ ... } */
+  /#\{.*?\}/g,
+  /** Python dunder sandbox escape */
+  /__(?:class|mro|subclasses|globals|builtins|import)__/gi,
+  /** Jinja2 config leak: {{config.X}} or {{config['X']}} */
+  /\{\{\s*config[.\[]/gi,
+  /** Jinja2 built-in objects */
+  /\{\{\s*(?:self|request|lipsum|cycler|joiner|namespace|range)\b/gi
+];
+var SSTI_REMOVE_PATTERNS = [
+  /** Jinja2 / Twig: {{ ... }} — always strip (not valid in any JS context) */
+  /\{\{.*?\}\}/g,
+  /**
+   * Freemarker / Spring EL: ${...} — strip when expression contains operators,
+   * method calls, or Python dunder patterns (sandbox escape).
+   * Bare ${name} and ${user.name} are left intact (JS template literal syntax).
+   */
+  /\$\{[^}]*__\w+__[^}]*\}/g,
+  /\$\{[^}]*[?!()*+\-/][^}]*\}/g,
+  /** ERB / EJS: <%= ... %> */
+  /<%[=\-]?.*?%>/gs,
+  /**
+   * Pug / Jade: #{...} — same narrowing as ${ above, plus dunder detection.
+   * #{name} output expressions are left intact.
+   */
+  /#\{[^}]*__\w+__[^}]*\}/g,
+  /#\{[^}]*[?!()*+\-/][^}]*\}/g,
+  /** Python dunder sandbox escape — always strip */
+  /__(?:class|mro|subclasses|globals|builtins|import)__/gi
+];
+function sanitizeSsti(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of SSTI_REMOVE_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "ssti",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, "");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectSsti(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of SSTI_DETECT_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/xxe.ts
+var MAX_XXE_INPUT_BYTES = 1e6;
+var MAX_ENTITY_REFERENCES = 64;
+var XXE_DETECT_PATTERNS = [
+  /** DOCTYPE declaration */
+  /<!DOCTYPE\b/gi,
+  /** ENTITY declaration */
+  /<!ENTITY\b/gi,
+  /** SYSTEM keyword with URI */
+  /\bSYSTEM\s+["']/gi,
+  /** PUBLIC keyword with URI */
+  /\bPUBLIC\s+["']/gi,
+  /** Parameter entity reference (%entity;) */
+  /%\s*\w+\s*;/g,
+  /** CDATA section (often used to smuggle payloads) */
+  /<!\[CDATA\[/gi
+];
+var XXE_REMOVE_PATTERNS = [
+  /** Full DOCTYPE block with optional internal subset: <!DOCTYPE ... [...]> */
+  /<!DOCTYPE\s[^[>]*(?:\[[^\]]*\]\s*)?>|<!DOCTYPE\s[^>]*>/gi,
+  /** Full ENTITY declaration: <!ENTITY ... > */
+  /<!ENTITY[^>]*>/gi,
+  /** CDATA sections: <![CDATA[ ... ]]> */
+  /<!\[CDATA\[[\s\S]*?\]\]>/gi
+];
+function sanitizeXxe(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  if (value.length > MAX_XXE_INPUT_BYTES) {
+    if (collectThreats) {
+      threats.push({ type: "xxe", pattern: "oversize_input", original: `length=${value.length}` });
+    }
+    return collectThreats ? { value: "", wasSanitized: true, threats } : "";
+  }
+  const entityRefs = value.match(/&\w+;/g);
+  if (entityRefs && entityRefs.length > MAX_ENTITY_REFERENCES) {
+    if (collectThreats) {
+      threats.push({ type: "xxe", pattern: "entity_expansion", original: `count=${entityRefs.length}` });
+    }
+    return collectThreats ? { value: "", wasSanitized: true, threats } : "";
+  }
+  for (const pattern of XXE_REMOVE_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "xxe",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, "");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectXxe(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of XXE_DETECT_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
 // src/sanitizers/sanitize.ts
 function sanitizeString(value, options = {}) {
   if (typeof value !== "string") return value;
@@ -492,9 +660,73 @@ function sanitizeObjectDepth(obj, options, depth) {
   }
   return result;
 }
+function scanThreats(data, depth = 0) {
+  if (depth > INPUT.MAX_RECURSION_DEPTH) return null;
+  if (data && typeof data === "object" && !Array.isArray(data)) {
+    for (const key of Object.keys(data)) {
+      const lower = key.toLowerCase();
+      if (DANGEROUS_PROTO_KEYS.has(lower)) {
+        return { vector: "prototype", rule: "prototype/match", matchedPattern: key };
+      }
+      if (NOSQL_DANGEROUS_KEYS.has(key)) {
+        return { vector: "nosql", rule: "nosql/match", matchedPattern: key };
+      }
+      const inner = scanThreats(data[key], depth + 1);
+      if (inner) return inner;
+    }
+    return null;
+  }
+  if (Array.isArray(data)) {
+    for (const item of data) {
+      const inner = scanThreats(item, depth + 1);
+      if (inner) return inner;
+    }
+    return null;
+  }
+  if (typeof data !== "string") return null;
+  const sample = data.slice(0, 80);
+  if (detectXss(data)) {
+    return { vector: "xss", rule: "xss/match", matchedPattern: sample };
+  }
+  if (detectSsti(data)) {
+    return { vector: "ssti", rule: "ssti/match", matchedPattern: sample };
+  }
+  if (detectXxe(data)) {
+    return { vector: "xxe", rule: "xxe/match", matchedPattern: sample };
+  }
+  if (detectSql(data)) {
+    return { vector: "sql", rule: "sql/match", matchedPattern: sample };
+  }
+  if (detectPathTraversal(data)) {
+    return { vector: "path", rule: "path/match", matchedPattern: sample };
+  }
+  if (detectCommandInjection(data)) {
+    return { vector: "command", rule: "command/match", matchedPattern: sample };
+  }
+  return null;
+}
 function createSanitizer(options = {}) {
-  return (req, _res, next) => {
+  return (req, res, next) => {
     try {
+      if (options.block) {
+        const hit = scanThreats(req.body) || scanThreats(req.query) || scanThreats(req.params) || scanThreats(req.path);
+        if (hit) {
+          req.__arcis = {
+            vector: hit.vector,
+            rule: hit.rule,
+            severity: "high",
+            matchedPattern: hit.matchedPattern,
+            reason: `${hit.vector} pattern detected in request`,
+            decision: "deny"
+          };
+          res.status(403).json({
+            error: "Request blocked for security reasons",
+            code: "SECURITY_THREAT",
+            vector: hit.vector
+          });
+          return;
+        }
+      }
       if (req.body && typeof req.body === "object") {
         req.body = sanitizeObject(req.body, options);
       }
@@ -567,158 +799,11 @@ function getDangerousProtoKeys() {
   return Array.from(DANGEROUS_PROTO_KEYS);
 }
 
-// src/sanitizers/ssti.ts
-var SSTI_DETECT_PATTERNS = [
-  /** Jinja2 / Twig / Nunjucks: {{ ... }} */
-  /\{\{.*?\}\}/g,
-  /** Freemarker / Thymeleaf / Spring EL: ${ ... } */
-  /\$\{.*?\}/g,
-  /** ERB / EJS: <%= ... %> or <% ... %> */
-  /<%[=\-]?.*?%>/gs,
-  /** Pug / Jade / Slim: #{ ... } */
-  /#\{.*?\}/g,
-  /** Python dunder sandbox escape */
-  /__(?:class|mro|subclasses|globals|builtins|import)__/gi,
-  /** Jinja2 config leak: {{config.X}} or {{config['X']}} */
-  /\{\{\s*config[.\[]/gi,
-  /** Jinja2 built-in objects */
-  /\{\{\s*(?:self|request|lipsum|cycler|joiner|namespace|range)\b/gi
-];
-var SSTI_REMOVE_PATTERNS = [
-  /** Jinja2 / Twig: {{ ... }} — always strip (not valid in any JS context) */
-  /\{\{.*?\}\}/g,
-  /**
-   * Freemarker / Spring EL: ${...} — only strip when the expression contains
-   * operators (?!*+-/), method calls (), or known-dangerous prefixes.
-   * Bare ${name} and ${user.name} are left intact (JS template literal syntax).
-   */
-  /\$\{[^}]*[?!()*+\-/][^}]*\}/g,
-  /** ERB / EJS: <%= ... %> */
-  /<%[=\-]?.*?%>/gs,
-  /**
-   * Pug / Jade: #{...} — same narrowing as ${ above.
-   * #{name} output expressions are left intact.
-   */
-  /#\{[^}]*[?!()*+\-/][^}]*\}/g,
-  /** Python dunder sandbox escape — always strip */
-  /__(?:class|mro|subclasses|globals|builtins|import)__/gi
-];
-function sanitizeSsti(input, collectThreats = false) {
-  if (typeof input !== "string") {
-    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
-  }
-  const threats = [];
-  let value = input;
-  let wasSanitized = false;
-  for (const pattern of SSTI_REMOVE_PATTERNS) {
-    pattern.lastIndex = 0;
-    if (pattern.test(value)) {
-      pattern.lastIndex = 0;
-      if (collectThreats) {
-        const matches = value.match(pattern);
-        if (matches) {
-          for (const match of matches) {
-            threats.push({
-              type: "ssti",
-              pattern: pattern.source,
-              original: match
-            });
-          }
-        }
-      }
-      value = value.replace(pattern, "");
-      wasSanitized = true;
-    }
-  }
-  if (collectThreats) {
-    return { value, wasSanitized, threats };
-  }
-  return value;
-}
-function detectSsti(input) {
-  if (typeof input !== "string") return false;
-  for (const pattern of SSTI_DETECT_PATTERNS) {
-    pattern.lastIndex = 0;
-    if (pattern.test(input)) {
-      return true;
-    }
-  }
-  return false;
-}
-
-// src/sanitizers/xxe.ts
-var XXE_DETECT_PATTERNS = [
-  /** DOCTYPE declaration */
-  /<!DOCTYPE\b/gi,
-  /** ENTITY declaration */
-  /<!ENTITY\b/gi,
-  /** SYSTEM keyword with URI */
-  /\bSYSTEM\s+["']/gi,
-  /** PUBLIC keyword with URI */
-  /\bPUBLIC\s+["']/gi,
-  /** Parameter entity reference (%entity;) */
-  /%\s*\w+\s*;/g,
-  /** CDATA section (often used to smuggle payloads) */
-  /<!\[CDATA\[/gi
-];
-var XXE_REMOVE_PATTERNS = [
-  /** Full DOCTYPE block with optional internal subset: <!DOCTYPE ... [...]> */
-  /<!DOCTYPE\s[^[>]*(?:\[[^\]]*\]\s*)?>|<!DOCTYPE\s[^>]*>/gi,
-  /** Full ENTITY declaration: <!ENTITY ... > */
-  /<!ENTITY[^>]*>/gi,
-  /** CDATA sections: <![CDATA[ ... ]]> */
-  /<!\[CDATA\[[\s\S]*?\]\]>/gi
-];
-function sanitizeXxe(input, collectThreats = false) {
-  if (typeof input !== "string") {
-    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
-  }
-  const threats = [];
-  let value = input;
-  let wasSanitized = false;
-  for (const pattern of XXE_REMOVE_PATTERNS) {
-    pattern.lastIndex = 0;
-    if (pattern.test(value)) {
-      pattern.lastIndex = 0;
-      if (collectThreats) {
-        const matches = value.match(pattern);
-        if (matches) {
-          for (const match of matches) {
-            threats.push({
-              type: "xxe",
-              pattern: pattern.source,
-              original: match
-            });
-          }
-        }
-      }
-      value = value.replace(pattern, "");
-      wasSanitized = true;
-    }
-  }
-  if (collectThreats) {
-    return { value, wasSanitized, threats };
-  }
-  return value;
-}
-function detectXxe(input) {
-  if (typeof input !== "string") return false;
-  for (const pattern of XXE_DETECT_PATTERNS) {
-    pattern.lastIndex = 0;
-    if (pattern.test(input)) {
-      return true;
-    }
-  }
-  return false;
-}
-
 // src/sanitizers/jsonp.ts
-var SAFE_CALLBACK_PATTERN = /^[a-zA-Z_$][a-zA-Z0-9_$.[\]]*$/;
+var SAFE_CALLBACK_PATTERN = /^[a-zA-Z_$][a-zA-Z0-9_$.]*$/;
 var DANGEROUS_CALLBACK_PATTERNS = [
-  /\.\./,
+  /\.\./
   // prototype chain traversal
-  /\[\s*\]/
-  // empty bracket access
 ];
 function sanitizeJsonpCallback(callback, maxLength = 128) {
   if (typeof callback !== "string" || callback.length === 0) {
@@ -803,7 +888,7 @@ function detectHeaderInjection(input) {
 
 // src/sanitizers/pii.ts
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+/g;
-var PHONE_RE = /(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}/g;
+var PHONE_RE = /(?<!\d)(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)/g;
 var CREDIT_CARD_RE = /\b(?:\d[ -]*?){13,19}\b/g;
 var SSN_RE = /\b\d{3}[-\s]\d{2}[-\s]\d{4}\b/g;
 var IPV4_RE = /\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b/g;
@@ -1021,6 +1106,6 @@ function detectLdapInjection(input) {
   return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
 }
 
-export { createSanitizer, detectCommandInjection, detectHeaderInjection, detectJsonpInjection, detectLdapInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPrototypePollution, detectSql, detectSsti, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, encodeHtmlEntities, getDangerousOperators, getDangerousProtoKeys, isDangerousNoSqlKey, isDangerousProtoKey, isPlainObject, redactObjectPii, redactPii, sanitizeCommand, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeLdapDn, sanitizeLdapFilter, sanitizeObject, sanitizePath, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii };
+export { createSanitizer, detectCommandInjection, detectHeaderInjection, detectJsonpInjection, detectLdapInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPrototypePollution, detectSql, detectSsti, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, encodeHtmlEntities, getDangerousOperators, getDangerousProtoKeys, isDangerousNoSqlKey, isDangerousProtoKey, isPlainObject, redactObjectPii, redactPii, sanitizeCommand, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeLdapDn, sanitizeLdapFilter, sanitizeObject, sanitizePath, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii, scanThreats };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map