@arcis/node 1.4.3 → 1.4.4

package/dist/middleware/index.mjs

@@ -40,6 +40,39 @@ var HEADERS = {
   /** Default Cache-Control value for security */
   CACHE_CONTROL: "no-store, no-cache, must-revalidate, proxy-revalidate"
 };
+var XSS_PATTERNS = [
+  /** Script tags (ReDoS-safe version) */
+  /<script[^>]*>[\s\S]*?<\/script>/gi,
+  /** javascript: protocol (allow optional spaces before colon) */
+  /javascript\s*:/gi,
+  /** vbscript: protocol */
+  /vbscript\s*:/gi,
+  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */
+  /(?:[\s/])on\w+\s*=/gi,
+  /** iframe tags */
+  /<iframe/gi,
+  /** object tags */
+  /<object/gi,
+  /** embed tags */
+  /<embed/gi,
+  /** data: URIs (only dangerous ones, avoid false positives) */
+  /(?:^|[\s"'=])data:/gi,
+  /** URL-encoded script tags */
+  /%3Cscript/gi,
+  /** SVG with onload */
+  /<svg[^>]*onload/gi,
+  /** form tags — phishing/credential harvesting via action= redirection */
+  /<form[\s>]/gi,
+  /** meta tags — http-equiv refresh redirects or CSP bypass */
+  /<meta[\s>]/gi,
+  /** base href hijacking — redirects all relative URLs to attacker domain */
+  /<base[\s>]/gi,
+  /** link tag injection — stylesheet or preload CSRF attacks */
+  /<link[\s>]/gi,
+  /** style tag — CSS expression() / behavior: / IE-era attacks. Mirrors
+   *  Python's xss-style-tag from packages/core/patterns.json. */
+  /<style[\s>]/gi
+];
 var XSS_REMOVE_PATTERNS = [
   /** Full script blocks (content + tags) */
   /<script[^>]*>[\s\S]*?<\/script>/gi,
@@ -677,6 +710,20 @@ function sanitizeXss(input, collectThreats = false, htmlEncode = false) {
   }
   return value;
 }
+function detectXss(input) {
+  if (typeof input !== "string") return false;
+  if (/\s+on\w+\s*=/i.test(input)) return true;
+  if (/javascript\s*:/i.test(input)) return true;
+  if (/vbscript\s*:/i.test(input)) return true;
+  if (/data\s*:\s*text\/html/i.test(input)) return true;
+  for (const pattern of XSS_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
 
 // src/sanitizers/sql.ts
 function sanitizeSql(input, collectThreats = false) {
@@ -760,6 +807,17 @@ function sanitizePath(input, collectThreats = false) {
   }
   return value;
 }
+function detectPathTraversal(input) {
+  if (typeof input !== "string") return false;
+  const normalized = input.normalize("NFKC");
+  for (const pattern of PATH_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(normalized)) {
+      return true;
+    }
+  }
+  return false;
+}
 
 // src/sanitizers/command.ts
 function sanitizeCommand(input, collectThreats = false) {
@@ -805,6 +863,60 @@ function detectCommandInjection(input) {
   return false;
 }
 
+// src/sanitizers/ssti.ts
+var SSTI_DETECT_PATTERNS = [
+  /** Jinja2 / Twig / Nunjucks: {{ ... }} */
+  /\{\{.*?\}\}/g,
+  /** Freemarker / Thymeleaf / Spring EL: ${ ... } */
+  /\$\{.*?\}/g,
+  /** ERB / EJS: <%= ... %> or <% ... %> */
+  /<%[=\-]?.*?%>/gs,
+  /** Pug / Jade / Slim: #{ ... } */
+  /#\{.*?\}/g,
+  /** Python dunder sandbox escape */
+  /__(?:class|mro|subclasses|globals|builtins|import)__/gi,
+  /** Jinja2 config leak: {{config.X}} or {{config['X']}} */
+  /\{\{\s*config[.\[]/gi,
+  /** Jinja2 built-in objects */
+  /\{\{\s*(?:self|request|lipsum|cycler|joiner|namespace|range)\b/gi
+];
+function detectSsti(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of SSTI_DETECT_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/xxe.ts
+var XXE_DETECT_PATTERNS = [
+  /** DOCTYPE declaration */
+  /<!DOCTYPE\b/gi,
+  /** ENTITY declaration */
+  /<!ENTITY\b/gi,
+  /** SYSTEM keyword with URI */
+  /\bSYSTEM\s+["']/gi,
+  /** PUBLIC keyword with URI */
+  /\bPUBLIC\s+["']/gi,
+  /** Parameter entity reference (%entity;) */
+  /%\s*\w+\s*;/g,
+  /** CDATA section (often used to smuggle payloads) */
+  /<!\[CDATA\[/gi
+];
+function detectXxe(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of XXE_DETECT_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
 // src/sanitizers/sanitize.ts
 function sanitizeString(value, options = {}) {
   if (typeof value !== "string") return value;
@@ -874,9 +986,73 @@ function sanitizeObjectDepth(obj, options, depth) {
   }
   return result;
 }
+function scanThreats(data, depth = 0) {
+  if (depth > INPUT.MAX_RECURSION_DEPTH) return null;
+  if (data && typeof data === "object" && !Array.isArray(data)) {
+    for (const key of Object.keys(data)) {
+      const lower = key.toLowerCase();
+      if (DANGEROUS_PROTO_KEYS.has(lower)) {
+        return { vector: "prototype", rule: "prototype/match", matchedPattern: key };
+      }
+      if (NOSQL_DANGEROUS_KEYS.has(key)) {
+        return { vector: "nosql", rule: "nosql/match", matchedPattern: key };
+      }
+      const inner = scanThreats(data[key], depth + 1);
+      if (inner) return inner;
+    }
+    return null;
+  }
+  if (Array.isArray(data)) {
+    for (const item of data) {
+      const inner = scanThreats(item, depth + 1);
+      if (inner) return inner;
+    }
+    return null;
+  }
+  if (typeof data !== "string") return null;
+  const sample = data.slice(0, 80);
+  if (detectXss(data)) {
+    return { vector: "xss", rule: "xss/match", matchedPattern: sample };
+  }
+  if (detectSsti(data)) {
+    return { vector: "ssti", rule: "ssti/match", matchedPattern: sample };
+  }
+  if (detectXxe(data)) {
+    return { vector: "xxe", rule: "xxe/match", matchedPattern: sample };
+  }
+  if (detectSql(data)) {
+    return { vector: "sql", rule: "sql/match", matchedPattern: sample };
+  }
+  if (detectPathTraversal(data)) {
+    return { vector: "path", rule: "path/match", matchedPattern: sample };
+  }
+  if (detectCommandInjection(data)) {
+    return { vector: "command", rule: "command/match", matchedPattern: sample };
+  }
+  return null;
+}
 function createSanitizer(options = {}) {
-  return (req, _res, next) => {
+  return (req, res, next) => {
     try {
+      if (options.block) {
+        const hit = scanThreats(req.body) || scanThreats(req.query) || scanThreats(req.params) || scanThreats(req.path);
+        if (hit) {
+          req.__arcis = {
+            vector: hit.vector,
+            rule: hit.rule,
+            severity: "high",
+            matchedPattern: hit.matchedPattern,
+            reason: `${hit.vector} pattern detected in request`,
+            decision: "deny"
+          };
+          res.status(403).json({
+            error: "Request blocked for security reasons",
+            code: "SECURITY_THREAT",
+            vector: hit.vector
+          });
+          return;
+        }
+      }
       if (req.body && typeof req.body === "object") {
         req.body = sanitizeObject(req.body, options);
       }
@@ -1376,11 +1552,16 @@ var MAX_BATCH_SIZE = 500;
 var DEFAULT_FLUSH_INTERVAL_MS = 5e3;
 var MIN_FLUSH_INTERVAL_MS = 500;
 var FLUSH_TIMEOUT_MS = 1e4;
+var DEFAULT_MAX_QUEUE_SIZE = 1e4;
 var TelemetryClient = class {
   constructor(options) {
     this.queue = [];
     this.flushing = false;
     this.closed = false;
+    // Counts events dropped since the last successful flush. Resets to 0
+    // each flush so onQueueOverflow callbacks see "drops in this window"
+    // rather than a monotonic lifetime counter.
+    this.droppedSinceLastFlush = 0;
     if (!options.endpoint || typeof options.endpoint !== "string") {
       throw new TypeError("TelemetryClient: `endpoint` is required");
     }
@@ -1396,8 +1577,14 @@ var TelemetryClient = class {
       options.flushIntervalMs ?? DEFAULT_FLUSH_INTERVAL_MS,
       MIN_FLUSH_INTERVAL_MS
     );
+    this.maxQueueSize = Math.max(
+      options.maxQueueSize ?? DEFAULT_MAX_QUEUE_SIZE,
+      this.batchSize
+    );
     this.onError = options.onError ?? (() => {
     });
+    this.onQueueOverflow = options.onQueueOverflow ?? (() => {
+    });
     this.startTimer();
   }
   /**
@@ -1407,6 +1594,15 @@ var TelemetryClient = class {
   record(event) {
     if (this.closed) return;
     this.queue.push(event);
+    if (this.queue.length > this.maxQueueSize) {
+      const drop = this.queue.length - this.maxQueueSize;
+      this.queue.splice(0, drop);
+      this.droppedSinceLastFlush += drop;
+      try {
+        this.onQueueOverflow(this.droppedSinceLastFlush);
+      } catch {
+      }
+    }
     if (this.queue.length >= this.batchSize) {
       void this.flush();
     }
@@ -1423,6 +1619,7 @@ var TelemetryClient = class {
     try {
       const batch = this.queue.splice(0, this.batchSize);
       await this.send(batch);
+      this.droppedSinceLastFlush = 0;
     } catch (err) {
       this.safeNotify(err);
     } finally {
@@ -1567,7 +1764,10 @@ function arcis(options = {}) {
     cleanupFns.push(() => rateLimiter.close());
   }
   if (options.sanitize !== false) {
-    const sanitizeOpts = typeof options.sanitize === "object" ? options.sanitize : {};
+    const sanitizeOpts = typeof options.sanitize === "object" ? { ...options.sanitize } : {};
+    if (options.block && sanitizeOpts.block === void 0) {
+      sanitizeOpts.block = true;
+    }
     const sanitizer = createSanitizer(sanitizeOpts);
     middlewares.push(telemetryClient ? tapSanitizerThreats(sanitizer) : sanitizer);
   }
@@ -2094,6 +2294,13 @@ function botProtection(options = {}) {
       return next();
     }
     if (denySet.has(result.category)) {
+      req.__arcis = {
+        vector: "bot",
+        rule: `bot/${result.category.toLowerCase()}`,
+        severity: "medium",
+        reason: result.name ? `Bot detected: ${result.name}` : "Bot detected",
+        decision: "deny"
+      };
       if (onDetected) {
         return onDetected(req, res, result);
       }
@@ -2101,6 +2308,13 @@ function botProtection(options = {}) {
       return;
     }
     if (defaultAction === "deny") {
+      req.__arcis = {
+        vector: "bot",
+        rule: "bot/uncategorized",
+        severity: "medium",
+        reason: "Uncategorized bot under defaultAction=deny",
+        decision: "deny"
+      };
       if (onDetected) {
         return onDetected(req, res, result);
       }
@@ -2154,7 +2368,14 @@ function csrfProtection(options = {}) {
     sameSite: options.cookie?.sameSite ?? "Lax",
     domain: options.cookie?.domain
   };
-  const defaultOnError = (_req, res, _next) => {
+  const defaultOnError = (req, res, _next) => {
+    req.__arcis = {
+      vector: "csrf",
+      rule: "csrf/token-mismatch",
+      severity: "high",
+      reason: "CSRF token missing or invalid",
+      decision: "deny"
+    };
     res.status(403).json({
       error: "CSRF token validation failed",
       message: "Invalid or missing CSRF token. Include the token from the cookie in the X-CSRF-Token header."