@arcis/node 1.4.3 → 1.4.4

package/dist/sanitizers/index.mjs

@@ -33,7 +33,10 @@ var XSS_PATTERNS = [
   /** base href hijacking — redirects all relative URLs to attacker domain */
   /<base[\s>]/gi,
   /** link tag injection — stylesheet or preload CSRF attacks */
-  /<link[\s>]/gi
+  /<link[\s>]/gi,
+  /** style tag — CSS expression() / behavior: / IE-era attacks. Mirrors
+   *  Python's xss-style-tag from packages/core/patterns.json. */
+  /<style[\s>]/gi
 ];
 var XSS_REMOVE_PATTERNS = [
   /** Full script blocks (content + tags) */
@@ -426,150 +429,6 @@ function detectCommandInjection(input) {
   return false;
 }
 
-// src/sanitizers/sanitize.ts
-function sanitizeString(value, options = {}) {
-  if (typeof value !== "string") return value;
-  const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
-  if (value.length > maxSize) {
-    throw new InputTooLargeError(maxSize, value.length);
-  }
-  const reject = options.mode === "reject";
-  let result = value;
-  if (options.sql !== false) {
-    if (reject) {
-      if (detectSql(result)) {
-        throw new SecurityThreatError("sql_injection", "SQL pattern detected in input");
-      }
-    } else {
-      result = sanitizeSql(result);
-    }
-  }
-  if (options.path !== false) {
-    result = sanitizePath(result);
-  }
-  if (options.command !== false) {
-    if (reject) {
-      if (detectCommandInjection(result)) {
-        throw new SecurityThreatError("command_injection", "Shell metacharacter detected in input");
-      }
-    } else {
-      result = sanitizeCommand(result);
-    }
-  }
-  if (options.xss !== false) {
-    result = sanitizeXss(result, false, options.htmlEncode ?? false);
-  }
-  return result;
-}
-function sanitizeObject(obj, options = {}) {
-  if (obj === null || obj === void 0) return obj;
-  if (typeof obj === "string") return sanitizeString(obj, options);
-  if (typeof obj !== "object") return obj;
-  if (Array.isArray(obj)) return obj.map((item) => sanitizeObject(item, options));
-  const result = sanitizeObjectDepth(obj, options, 0);
-  return options.freeze ? Object.freeze(result) : result;
-}
-function sanitizeObjectDepth(obj, options, depth) {
-  if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;
-  const result = {};
-  for (const key of Object.keys(obj)) {
-    if (options.proto !== false && DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {
-      continue;
-    }
-    if (options.nosql !== false && NOSQL_DANGEROUS_KEYS.has(key)) {
-      continue;
-    }
-    const sanitizedKey = sanitizeString(key, options);
-    const value = obj[key];
-    if (value === null || value === void 0) {
-      result[sanitizedKey] = value;
-    } else if (typeof value === "string") {
-      result[sanitizedKey] = sanitizeString(value, options);
-    } else if (Array.isArray(value)) {
-      result[sanitizedKey] = value.map((item) => sanitizeObject(item, options));
-    } else if (typeof value === "object") {
-      result[sanitizedKey] = sanitizeObjectDepth(value, options, depth + 1);
-    } else {
-      result[sanitizedKey] = value;
-    }
-  }
-  return result;
-}
-function createSanitizer(options = {}) {
-  return (req, _res, next) => {
-    try {
-      if (req.body && typeof req.body === "object") {
-        req.body = sanitizeObject(req.body, options);
-      }
-      if (req.query && typeof req.query === "object") {
-        const sanitizedQuery = sanitizeObject(req.query, options);
-        Object.defineProperty(req, "query", { value: sanitizedQuery, writable: true, configurable: true });
-      }
-      if (req.params && typeof req.params === "object") {
-        const sanitizedParams = sanitizeObject(req.params, options);
-        Object.defineProperty(req, "params", { value: sanitizedParams, writable: true, configurable: true });
-      }
-      next();
-    } catch (err) {
-      next(err);
-    }
-  };
-}
-
-// src/sanitizers/nosql.ts
-function isDangerousNoSqlKey(key) {
-  return NOSQL_DANGEROUS_KEYS.has(key);
-}
-function detectNoSqlInjection(obj, maxDepth = 10) {
-  if (maxDepth <= 0) return false;
-  if (obj === null || typeof obj !== "object") return false;
-  if (Array.isArray(obj)) {
-    return obj.some((item) => detectNoSqlInjection(item, maxDepth - 1));
-  }
-  for (const key of Object.keys(obj)) {
-    if (isDangerousNoSqlKey(key)) {
-      return true;
-    }
-    const value = obj[key];
-    if (typeof value === "object" && value !== null) {
-      if (detectNoSqlInjection(value, maxDepth - 1)) {
-        return true;
-      }
-    }
-  }
-  return false;
-}
-function getDangerousOperators() {
-  return Array.from(NOSQL_DANGEROUS_KEYS);
-}
-
-// src/sanitizers/prototype.ts
-function isDangerousProtoKey(key) {
-  return DANGEROUS_PROTO_KEYS.has(key.toLowerCase());
-}
-function detectPrototypePollution(obj, maxDepth = 10) {
-  if (maxDepth <= 0) return false;
-  if (obj === null || typeof obj !== "object") return false;
-  if (Array.isArray(obj)) {
-    return obj.some((item) => detectPrototypePollution(item, maxDepth - 1));
-  }
-  for (const key of Object.keys(obj)) {
-    if (DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {
-      return true;
-    }
-    const value = obj[key];
-    if (typeof value === "object" && value !== null) {
-      if (detectPrototypePollution(value, maxDepth - 1)) {
-        return true;
-      }
-    }
-  }
-  return false;
-}
-function getDangerousProtoKeys() {
-  return Array.from(DANGEROUS_PROTO_KEYS);
-}
-
 // src/sanitizers/ssti.ts
 var SSTI_DETECT_PATTERNS = [
   /** Jinja2 / Twig / Nunjucks: {{ ... }} */
@@ -732,6 +591,214 @@ function detectXxe(input) {
   return false;
 }
 
+// src/sanitizers/sanitize.ts
+function sanitizeString(value, options = {}) {
+  if (typeof value !== "string") return value;
+  const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
+  if (value.length > maxSize) {
+    throw new InputTooLargeError(maxSize, value.length);
+  }
+  const reject = options.mode === "reject";
+  let result = value;
+  if (options.sql !== false) {
+    if (reject) {
+      if (detectSql(result)) {
+        throw new SecurityThreatError("sql_injection", "SQL pattern detected in input");
+      }
+    } else {
+      result = sanitizeSql(result);
+    }
+  }
+  if (options.path !== false) {
+    result = sanitizePath(result);
+  }
+  if (options.command !== false) {
+    if (reject) {
+      if (detectCommandInjection(result)) {
+        throw new SecurityThreatError("command_injection", "Shell metacharacter detected in input");
+      }
+    } else {
+      result = sanitizeCommand(result);
+    }
+  }
+  if (options.xss !== false) {
+    result = sanitizeXss(result, false, options.htmlEncode ?? false);
+  }
+  return result;
+}
+function sanitizeObject(obj, options = {}) {
+  if (obj === null || obj === void 0) return obj;
+  if (typeof obj === "string") return sanitizeString(obj, options);
+  if (typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map((item) => sanitizeObject(item, options));
+  const result = sanitizeObjectDepth(obj, options, 0);
+  return options.freeze ? Object.freeze(result) : result;
+}
+function sanitizeObjectDepth(obj, options, depth) {
+  if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;
+  const result = {};
+  for (const key of Object.keys(obj)) {
+    if (options.proto !== false && DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {
+      continue;
+    }
+    if (options.nosql !== false && NOSQL_DANGEROUS_KEYS.has(key)) {
+      continue;
+    }
+    const sanitizedKey = sanitizeString(key, options);
+    const value = obj[key];
+    if (value === null || value === void 0) {
+      result[sanitizedKey] = value;
+    } else if (typeof value === "string") {
+      result[sanitizedKey] = sanitizeString(value, options);
+    } else if (Array.isArray(value)) {
+      result[sanitizedKey] = value.map((item) => sanitizeObject(item, options));
+    } else if (typeof value === "object") {
+      result[sanitizedKey] = sanitizeObjectDepth(value, options, depth + 1);
+    } else {
+      result[sanitizedKey] = value;
+    }
+  }
+  return result;
+}
+function scanThreats(data, depth = 0) {
+  if (depth > INPUT.MAX_RECURSION_DEPTH) return null;
+  if (data && typeof data === "object" && !Array.isArray(data)) {
+    for (const key of Object.keys(data)) {
+      const lower = key.toLowerCase();
+      if (DANGEROUS_PROTO_KEYS.has(lower)) {
+        return { vector: "prototype", rule: "prototype/match", matchedPattern: key };
+      }
+      if (NOSQL_DANGEROUS_KEYS.has(key)) {
+        return { vector: "nosql", rule: "nosql/match", matchedPattern: key };
+      }
+      const inner = scanThreats(data[key], depth + 1);
+      if (inner) return inner;
+    }
+    return null;
+  }
+  if (Array.isArray(data)) {
+    for (const item of data) {
+      const inner = scanThreats(item, depth + 1);
+      if (inner) return inner;
+    }
+    return null;
+  }
+  if (typeof data !== "string") return null;
+  const sample = data.slice(0, 80);
+  if (detectXss(data)) {
+    return { vector: "xss", rule: "xss/match", matchedPattern: sample };
+  }
+  if (detectSsti(data)) {
+    return { vector: "ssti", rule: "ssti/match", matchedPattern: sample };
+  }
+  if (detectXxe(data)) {
+    return { vector: "xxe", rule: "xxe/match", matchedPattern: sample };
+  }
+  if (detectSql(data)) {
+    return { vector: "sql", rule: "sql/match", matchedPattern: sample };
+  }
+  if (detectPathTraversal(data)) {
+    return { vector: "path", rule: "path/match", matchedPattern: sample };
+  }
+  if (detectCommandInjection(data)) {
+    return { vector: "command", rule: "command/match", matchedPattern: sample };
+  }
+  return null;
+}
+function createSanitizer(options = {}) {
+  return (req, res, next) => {
+    try {
+      if (options.block) {
+        const hit = scanThreats(req.body) || scanThreats(req.query) || scanThreats(req.params) || scanThreats(req.path);
+        if (hit) {
+          req.__arcis = {
+            vector: hit.vector,
+            rule: hit.rule,
+            severity: "high",
+            matchedPattern: hit.matchedPattern,
+            reason: `${hit.vector} pattern detected in request`,
+            decision: "deny"
+          };
+          res.status(403).json({
+            error: "Request blocked for security reasons",
+            code: "SECURITY_THREAT",
+            vector: hit.vector
+          });
+          return;
+        }
+      }
+      if (req.body && typeof req.body === "object") {
+        req.body = sanitizeObject(req.body, options);
+      }
+      if (req.query && typeof req.query === "object") {
+        const sanitizedQuery = sanitizeObject(req.query, options);
+        Object.defineProperty(req, "query", { value: sanitizedQuery, writable: true, configurable: true });
+      }
+      if (req.params && typeof req.params === "object") {
+        const sanitizedParams = sanitizeObject(req.params, options);
+        Object.defineProperty(req, "params", { value: sanitizedParams, writable: true, configurable: true });
+      }
+      next();
+    } catch (err) {
+      next(err);
+    }
+  };
+}
+
+// src/sanitizers/nosql.ts
+function isDangerousNoSqlKey(key) {
+  return NOSQL_DANGEROUS_KEYS.has(key);
+}
+function detectNoSqlInjection(obj, maxDepth = 10) {
+  if (maxDepth <= 0) return false;
+  if (obj === null || typeof obj !== "object") return false;
+  if (Array.isArray(obj)) {
+    return obj.some((item) => detectNoSqlInjection(item, maxDepth - 1));
+  }
+  for (const key of Object.keys(obj)) {
+    if (isDangerousNoSqlKey(key)) {
+      return true;
+    }
+    const value = obj[key];
+    if (typeof value === "object" && value !== null) {
+      if (detectNoSqlInjection(value, maxDepth - 1)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function getDangerousOperators() {
+  return Array.from(NOSQL_DANGEROUS_KEYS);
+}
+
+// src/sanitizers/prototype.ts
+function isDangerousProtoKey(key) {
+  return DANGEROUS_PROTO_KEYS.has(key.toLowerCase());
+}
+function detectPrototypePollution(obj, maxDepth = 10) {
+  if (maxDepth <= 0) return false;
+  if (obj === null || typeof obj !== "object") return false;
+  if (Array.isArray(obj)) {
+    return obj.some((item) => detectPrototypePollution(item, maxDepth - 1));
+  }
+  for (const key of Object.keys(obj)) {
+    if (DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {
+      return true;
+    }
+    const value = obj[key];
+    if (typeof value === "object" && value !== null) {
+      if (detectPrototypePollution(value, maxDepth - 1)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function getDangerousProtoKeys() {
+  return Array.from(DANGEROUS_PROTO_KEYS);
+}
+
 // src/sanitizers/jsonp.ts
 var SAFE_CALLBACK_PATTERN = /^[a-zA-Z_$][a-zA-Z0-9_$.]*$/;
 var DANGEROUS_CALLBACK_PATTERNS = [
@@ -1039,6 +1106,6 @@ function detectLdapInjection(input) {
   return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
 }
 
-export { createSanitizer, detectCommandInjection, detectHeaderInjection, detectJsonpInjection, detectLdapInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPrototypePollution, detectSql, detectSsti, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, encodeHtmlEntities, getDangerousOperators, getDangerousProtoKeys, isDangerousNoSqlKey, isDangerousProtoKey, isPlainObject, redactObjectPii, redactPii, sanitizeCommand, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeLdapDn, sanitizeLdapFilter, sanitizeObject, sanitizePath, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii };
+export { createSanitizer, detectCommandInjection, detectHeaderInjection, detectJsonpInjection, detectLdapInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPrototypePollution, detectSql, detectSsti, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, encodeHtmlEntities, getDangerousOperators, getDangerousProtoKeys, isDangerousNoSqlKey, isDangerousProtoKey, isPlainObject, redactObjectPii, redactPii, sanitizeCommand, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeLdapDn, sanitizeLdapFilter, sanitizeObject, sanitizePath, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii, scanThreats };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map