@arcis/node 1.4.3 → 1.5.0

package/dist/sanitizers/index.mjs

@@ -33,7 +33,10 @@ var XSS_PATTERNS = [
   /** base href hijacking — redirects all relative URLs to attacker domain */
   /<base[\s>]/gi,
   /** link tag injection — stylesheet or preload CSRF attacks */
-  /<link[\s>]/gi
+  /<link[\s>]/gi,
+  /** style tag — CSS expression() / behavior: / IE-era attacks. Mirrors
+   *  Python's xss-style-tag from packages/core/patterns.json. */
+  /<style[\s>]/gi
 ];
 var XSS_REMOVE_PATTERNS = [
   /** Full script blocks (content + tags) */
@@ -62,8 +65,8 @@ var XSS_REMOVE_PATTERNS = [
   /** javascript: and vbscript: protocols (allow optional spaces before colon) */
   /javascript\s*:/gi,
   /vbscript\s*:/gi,
-  /** data: URIs with HTML/script content */
-  /data\s*:\s*text\/html[^>\s]*/gi,
+  /** data: URIs with HTML or SVG content (SVG can run JS via inline event handlers) */
+  /data\s*:\s*(?:text\/html|image\/svg)[^>\s]*/gi,
   /** form tag injection — phishing via action= redirection */
   /<form[\s>][^>]*/gi,
   /** meta tag injection — http-equiv refresh or CSP bypass */
@@ -426,150 +429,6 @@ function detectCommandInjection(input) {
   return false;
 }
 
-// src/sanitizers/sanitize.ts
-function sanitizeString(value, options = {}) {
-  if (typeof value !== "string") return value;
-  const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
-  if (value.length > maxSize) {
-    throw new InputTooLargeError(maxSize, value.length);
-  }
-  const reject = options.mode === "reject";
-  let result = value;
-  if (options.sql !== false) {
-    if (reject) {
-      if (detectSql(result)) {
-        throw new SecurityThreatError("sql_injection", "SQL pattern detected in input");
-      }
-    } else {
-      result = sanitizeSql(result);
-    }
-  }
-  if (options.path !== false) {
-    result = sanitizePath(result);
-  }
-  if (options.command !== false) {
-    if (reject) {
-      if (detectCommandInjection(result)) {
-        throw new SecurityThreatError("command_injection", "Shell metacharacter detected in input");
-      }
-    } else {
-      result = sanitizeCommand(result);
-    }
-  }
-  if (options.xss !== false) {
-    result = sanitizeXss(result, false, options.htmlEncode ?? false);
-  }
-  return result;
-}
-function sanitizeObject(obj, options = {}) {
-  if (obj === null || obj === void 0) return obj;
-  if (typeof obj === "string") return sanitizeString(obj, options);
-  if (typeof obj !== "object") return obj;
-  if (Array.isArray(obj)) return obj.map((item) => sanitizeObject(item, options));
-  const result = sanitizeObjectDepth(obj, options, 0);
-  return options.freeze ? Object.freeze(result) : result;
-}
-function sanitizeObjectDepth(obj, options, depth) {
-  if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;
-  const result = {};
-  for (const key of Object.keys(obj)) {
-    if (options.proto !== false && DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {
-      continue;
-    }
-    if (options.nosql !== false && NOSQL_DANGEROUS_KEYS.has(key)) {
-      continue;
-    }
-    const sanitizedKey = sanitizeString(key, options);
-    const value = obj[key];
-    if (value === null || value === void 0) {
-      result[sanitizedKey] = value;
-    } else if (typeof value === "string") {
-      result[sanitizedKey] = sanitizeString(value, options);
-    } else if (Array.isArray(value)) {
-      result[sanitizedKey] = value.map((item) => sanitizeObject(item, options));
-    } else if (typeof value === "object") {
-      result[sanitizedKey] = sanitizeObjectDepth(value, options, depth + 1);
-    } else {
-      result[sanitizedKey] = value;
-    }
-  }
-  return result;
-}
-function createSanitizer(options = {}) {
-  return (req, _res, next) => {
-    try {
-      if (req.body && typeof req.body === "object") {
-        req.body = sanitizeObject(req.body, options);
-      }
-      if (req.query && typeof req.query === "object") {
-        const sanitizedQuery = sanitizeObject(req.query, options);
-        Object.defineProperty(req, "query", { value: sanitizedQuery, writable: true, configurable: true });
-      }
-      if (req.params && typeof req.params === "object") {
-        const sanitizedParams = sanitizeObject(req.params, options);
-        Object.defineProperty(req, "params", { value: sanitizedParams, writable: true, configurable: true });
-      }
-      next();
-    } catch (err) {
-      next(err);
-    }
-  };
-}
-
-// src/sanitizers/nosql.ts
-function isDangerousNoSqlKey(key) {
-  return NOSQL_DANGEROUS_KEYS.has(key);
-}
-function detectNoSqlInjection(obj, maxDepth = 10) {
-  if (maxDepth <= 0) return false;
-  if (obj === null || typeof obj !== "object") return false;
-  if (Array.isArray(obj)) {
-    return obj.some((item) => detectNoSqlInjection(item, maxDepth - 1));
-  }
-  for (const key of Object.keys(obj)) {
-    if (isDangerousNoSqlKey(key)) {
-      return true;
-    }
-    const value = obj[key];
-    if (typeof value === "object" && value !== null) {
-      if (detectNoSqlInjection(value, maxDepth - 1)) {
-        return true;
-      }
-    }
-  }
-  return false;
-}
-function getDangerousOperators() {
-  return Array.from(NOSQL_DANGEROUS_KEYS);
-}
-
-// src/sanitizers/prototype.ts
-function isDangerousProtoKey(key) {
-  return DANGEROUS_PROTO_KEYS.has(key.toLowerCase());
-}
-function detectPrototypePollution(obj, maxDepth = 10) {
-  if (maxDepth <= 0) return false;
-  if (obj === null || typeof obj !== "object") return false;
-  if (Array.isArray(obj)) {
-    return obj.some((item) => detectPrototypePollution(item, maxDepth - 1));
-  }
-  for (const key of Object.keys(obj)) {
-    if (DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {
-      return true;
-    }
-    const value = obj[key];
-    if (typeof value === "object" && value !== null) {
-      if (detectPrototypePollution(value, maxDepth - 1)) {
-        return true;
-      }
-    }
-  }
-  return false;
-}
-function getDangerousProtoKeys() {
-  return Array.from(DANGEROUS_PROTO_KEYS);
-}
-
 // src/sanitizers/ssti.ts
 var SSTI_DETECT_PATTERNS = [
   /** Jinja2 / Twig / Nunjucks: {{ ... }} */
@@ -732,42 +591,36 @@ function detectXxe(input) {
   return false;
 }
 
-// src/sanitizers/jsonp.ts
-var SAFE_CALLBACK_PATTERN = /^[a-zA-Z_$][a-zA-Z0-9_$.]*$/;
-var DANGEROUS_CALLBACK_PATTERNS = [
-  /\.\./
-  // prototype chain traversal
-];
-function sanitizeJsonpCallback(callback, maxLength = 128) {
-  if (typeof callback !== "string" || callback.length === 0) {
-    return null;
-  }
-  if (callback.length > maxLength) {
-    return null;
-  }
-  if (!SAFE_CALLBACK_PATTERN.test(callback)) {
-    return null;
-  }
-  for (const pattern of DANGEROUS_CALLBACK_PATTERNS) {
-    if (pattern.test(callback)) {
-      return null;
-    }
-  }
-  return callback;
+// src/sanitizers/ldap.ts
+var LDAP_FILTER_CHARS = /[*()\\\x00]/g;
+var LDAP_DN_CHARS = /[,+<>;"=\/\\\x00*()\x00]/g;
+var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
+var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
+var escapeChar = (char) => "\\" + char.charCodeAt(0).toString(16).padStart(2, "0");
+function sanitizeLdapFilter(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(LDAP_FILTER_CHARS, escapeChar);
 }
-function detectJsonpInjection(callback) {
-  if (typeof callback !== "string" || callback.length === 0) {
-    return false;
-  }
-  if (!SAFE_CALLBACK_PATTERN.test(callback)) {
-    return true;
-  }
-  for (const pattern of DANGEROUS_CALLBACK_PATTERNS) {
-    if (pattern.test(callback)) {
-      return true;
-    }
-  }
-  return false;
+function sanitizeLdapDn(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(LDAP_DN_CHARS, escapeChar);
+}
+function detectLdapInjection(input) {
+  if (typeof input !== "string") return false;
+  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+}
+
+// src/sanitizers/xpath.ts
+var XPATH_INJECTION_CHARS = /['"|,()]/;
+var XPATH_INJECTION_PATTERN = /('\s*(or|and)\s*'|"\s*(or|and)\s*"|\)\s*(or|and)\s*\(|\|\s*\/)/i;
+function detectXpathInjection(input) {
+  if (typeof input !== "string" || input.length === 0) return false;
+  if (!XPATH_INJECTION_CHARS.test(input)) return false;
+  return XPATH_INJECTION_PATTERN.test(input);
+}
+function sanitizeXpath(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(/['"|,]/g, "");
 }
 
 // src/sanitizers/headers.ts
@@ -818,6 +671,263 @@ function detectHeaderInjection(input) {
   HEADER_INJECTION_PATTERN.lastIndex = 0;
   return HEADER_INJECTION_PATTERN.test(input);
 }
+var sanitizeEmailHeader = sanitizeHeaderValue;
+var detectEmailHeaderInjection = detectHeaderInjection;
+
+// src/sanitizers/sanitize.ts
+function sanitizeString(value, options = {}) {
+  if (typeof value !== "string") return value;
+  const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
+  if (value.length > maxSize) {
+    throw new InputTooLargeError(maxSize, value.length);
+  }
+  const reject = options.mode === "reject";
+  let result = value;
+  if (options.sql !== false) {
+    if (reject) {
+      if (detectSql(result)) {
+        throw new SecurityThreatError("sql_injection", "SQL pattern detected in input");
+      }
+    } else {
+      result = sanitizeSql(result);
+    }
+  }
+  if (options.path !== false) {
+    result = sanitizePath(result);
+  }
+  if (options.command !== false) {
+    if (reject) {
+      if (detectCommandInjection(result)) {
+        throw new SecurityThreatError("command_injection", "Shell metacharacter detected in input");
+      }
+    } else {
+      result = sanitizeCommand(result);
+    }
+  }
+  if (options.xss !== false) {
+    result = sanitizeXss(result, false, options.htmlEncode ?? false);
+  }
+  return result;
+}
+function sanitizeObject(obj, options = {}) {
+  if (obj === null || obj === void 0) return obj;
+  if (typeof obj === "string") return sanitizeString(obj, options);
+  if (typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map((item) => sanitizeObject(item, options));
+  const result = sanitizeObjectDepth(obj, options, 0);
+  return options.freeze ? Object.freeze(result) : result;
+}
+function sanitizeObjectDepth(obj, options, depth) {
+  if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;
+  const result = {};
+  for (const key of Object.keys(obj)) {
+    if (options.proto !== false && DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {
+      continue;
+    }
+    if (options.nosql !== false && NOSQL_DANGEROUS_KEYS.has(key)) {
+      continue;
+    }
+    const sanitizedKey = sanitizeString(key, options);
+    const value = obj[key];
+    if (value === null || value === void 0) {
+      result[sanitizedKey] = value;
+    } else if (typeof value === "string") {
+      result[sanitizedKey] = sanitizeString(value, options);
+    } else if (Array.isArray(value)) {
+      result[sanitizedKey] = value.map((item) => sanitizeObject(item, options));
+    } else if (typeof value === "object") {
+      result[sanitizedKey] = sanitizeObjectDepth(value, options, depth + 1);
+    } else {
+      result[sanitizedKey] = value;
+    }
+  }
+  return result;
+}
+function scanThreats(data, depth = 0) {
+  if (depth > INPUT.MAX_RECURSION_DEPTH) return null;
+  if (data && typeof data === "object" && !Array.isArray(data)) {
+    for (const key of Object.keys(data)) {
+      const lower = key.toLowerCase();
+      if (DANGEROUS_PROTO_KEYS.has(lower)) {
+        return { vector: "prototype", rule: "prototype/match", matchedPattern: key };
+      }
+      if (NOSQL_DANGEROUS_KEYS.has(key)) {
+        return { vector: "nosql", rule: "nosql/match", matchedPattern: key };
+      }
+      const inner = scanThreats(data[key], depth + 1);
+      if (inner) return inner;
+    }
+    return null;
+  }
+  if (Array.isArray(data)) {
+    for (const item of data) {
+      const inner = scanThreats(item, depth + 1);
+      if (inner) return inner;
+    }
+    return null;
+  }
+  if (typeof data !== "string") return null;
+  const sample = data.slice(0, 80);
+  if (detectXss(data)) {
+    return { vector: "xss", rule: "xss/match", matchedPattern: sample };
+  }
+  if (detectSsti(data)) {
+    return { vector: "ssti", rule: "ssti/match", matchedPattern: sample };
+  }
+  if (detectXxe(data)) {
+    return { vector: "xxe", rule: "xxe/match", matchedPattern: sample };
+  }
+  if (detectSql(data)) {
+    return { vector: "sql", rule: "sql/match", matchedPattern: sample };
+  }
+  if (detectPathTraversal(data)) {
+    return { vector: "path", rule: "path/match", matchedPattern: sample };
+  }
+  if (detectCommandInjection(data)) {
+    return { vector: "command", rule: "command/match", matchedPattern: sample };
+  }
+  if (detectLdapInjection(data)) {
+    return { vector: "ldap", rule: "ldap/match", matchedPattern: sample };
+  }
+  if (detectXpathInjection(data)) {
+    return { vector: "xpath", rule: "xpath/match", matchedPattern: sample };
+  }
+  if (detectHeaderInjection(data)) {
+    return { vector: "header", rule: "header/match", matchedPattern: sample };
+  }
+  return null;
+}
+function createSanitizer(options = {}) {
+  return (req, res, next) => {
+    try {
+      if (options.block) {
+        const hit = scanThreats(req.body) || scanThreats(req.query) || scanThreats(req.params) || scanThreats(req.path);
+        if (hit) {
+          req.__arcis = {
+            vector: hit.vector,
+            rule: hit.rule,
+            severity: "high",
+            matchedPattern: hit.matchedPattern,
+            reason: `${hit.vector} pattern detected in request`,
+            decision: "deny"
+          };
+          res.status(403).json({
+            error: "Request blocked for security reasons",
+            code: "SECURITY_THREAT",
+            vector: hit.vector
+          });
+          return;
+        }
+      }
+      if (req.body && typeof req.body === "object") {
+        req.body = sanitizeObject(req.body, options);
+      }
+      if (req.query && typeof req.query === "object") {
+        const sanitizedQuery = sanitizeObject(req.query, options);
+        Object.defineProperty(req, "query", { value: sanitizedQuery, writable: true, configurable: true });
+      }
+      if (req.params && typeof req.params === "object") {
+        const sanitizedParams = sanitizeObject(req.params, options);
+        Object.defineProperty(req, "params", { value: sanitizedParams, writable: true, configurable: true });
+      }
+      next();
+    } catch (err) {
+      next(err);
+    }
+  };
+}
+
+// src/sanitizers/nosql.ts
+function isDangerousNoSqlKey(key) {
+  return NOSQL_DANGEROUS_KEYS.has(key);
+}
+function detectNoSqlInjection(obj, maxDepth = 10) {
+  if (maxDepth <= 0) return false;
+  if (obj === null || typeof obj !== "object") return false;
+  if (Array.isArray(obj)) {
+    return obj.some((item) => detectNoSqlInjection(item, maxDepth - 1));
+  }
+  for (const key of Object.keys(obj)) {
+    if (isDangerousNoSqlKey(key)) {
+      return true;
+    }
+    const value = obj[key];
+    if (typeof value === "object" && value !== null) {
+      if (detectNoSqlInjection(value, maxDepth - 1)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function getDangerousOperators() {
+  return Array.from(NOSQL_DANGEROUS_KEYS);
+}
+
+// src/sanitizers/prototype.ts
+function isDangerousProtoKey(key) {
+  return DANGEROUS_PROTO_KEYS.has(key.toLowerCase());
+}
+function detectPrototypePollution(obj, maxDepth = 10) {
+  if (maxDepth <= 0) return false;
+  if (obj === null || typeof obj !== "object") return false;
+  if (Array.isArray(obj)) {
+    return obj.some((item) => detectPrototypePollution(item, maxDepth - 1));
+  }
+  for (const key of Object.keys(obj)) {
+    if (DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {
+      return true;
+    }
+    const value = obj[key];
+    if (typeof value === "object" && value !== null) {
+      if (detectPrototypePollution(value, maxDepth - 1)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function getDangerousProtoKeys() {
+  return Array.from(DANGEROUS_PROTO_KEYS);
+}
+
+// src/sanitizers/jsonp.ts
+var SAFE_CALLBACK_PATTERN = /^[a-zA-Z_$][a-zA-Z0-9_$.]*$/;
+var DANGEROUS_CALLBACK_PATTERNS = [
+  /\.\./
+  // prototype chain traversal
+];
+function sanitizeJsonpCallback(callback, maxLength = 128) {
+  if (typeof callback !== "string" || callback.length === 0) {
+    return null;
+  }
+  if (callback.length > maxLength) {
+    return null;
+  }
+  if (!SAFE_CALLBACK_PATTERN.test(callback)) {
+    return null;
+  }
+  for (const pattern of DANGEROUS_CALLBACK_PATTERNS) {
+    if (pattern.test(callback)) {
+      return null;
+    }
+  }
+  return callback;
+}
+function detectJsonpInjection(callback) {
+  if (typeof callback !== "string" || callback.length === 0) {
+    return false;
+  }
+  if (!SAFE_CALLBACK_PATTERN.test(callback)) {
+    return true;
+  }
+  for (const pattern of DANGEROUS_CALLBACK_PATTERNS) {
+    if (pattern.test(callback)) {
+      return true;
+    }
+  }
+  return false;
+}
 
 // src/sanitizers/pii.ts
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+/g;
@@ -984,6 +1094,7 @@ function encodeForJs(value) {
   let result = "";
   for (const char of value) {
     const cp = char.codePointAt(0);
+    if (cp === void 0) continue;
     if (cp >= 48 && cp <= 57 || // 0-9
     cp >= 65 && cp <= 90 || // A-Z
     cp >= 97 && cp <= 122) {
@@ -1020,25 +1131,49 @@ function encodeForCss(value) {
   return result;
 }
 
-// src/sanitizers/ldap.ts
-var LDAP_FILTER_CHARS = /[*()\\\x00]/g;
-var LDAP_DN_CHARS = /[,+<>;"=\/\\\x00*()\x00]/g;
-var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
-var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
-var escapeChar = (char) => "\\" + char.charCodeAt(0).toString(16).padStart(2, "0");
-function sanitizeLdapFilter(input) {
-  if (typeof input !== "string") return String(input);
-  return input.replace(LDAP_FILTER_CHARS, escapeChar);
+// src/sanitizers/graphql.ts
+var DEFAULTS = {
+  maxDepth: 10,
+  maxLength: 1e4,
+  blockIntrospection: true
+};
+var INTROSPECTION_PATTERN = /\b__(schema|type|typeKind|directive)\b/;
+function computeDepth(query) {
+  let depth = 0;
+  let max = 0;
+  for (let i = 0; i < query.length; i++) {
+    const c = query.charCodeAt(i);
+    if (c === 123) {
+      depth++;
+      if (depth > max) max = depth;
+    } else if (c === 125) {
+      if (depth > 0) depth--;
+    }
+  }
+  return max;
 }
-function sanitizeLdapDn(input) {
-  if (typeof input !== "string") return String(input);
-  return input.replace(LDAP_DN_CHARS, escapeChar);
+function inspectGraphqlQuery(query, options = {}) {
+  const maxDepth = options.maxDepth ?? DEFAULTS.maxDepth;
+  const maxLength = options.maxLength ?? DEFAULTS.maxLength;
+  const blockIntrospection = options.blockIntrospection ?? DEFAULTS.blockIntrospection;
+  const length = query.length;
+  const depth = computeDepth(query);
+  if (depth > maxDepth) {
+    return { blocked: true, reason: "depth", depth, length };
+  }
+  if (blockIntrospection && INTROSPECTION_PATTERN.test(query)) {
+    return { blocked: true, reason: "introspection", depth, length };
+  }
+  if (length > maxLength) {
+    return { blocked: true, reason: "length", depth, length };
+  }
+  return { blocked: false, depth, length };
 }
-function detectLdapInjection(input) {
-  if (typeof input !== "string") return false;
-  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+function detectGraphqlAbuse(query, options) {
+  if (typeof query !== "string" || query.length === 0) return false;
+  return inspectGraphqlQuery(query, options).blocked;
 }
 
-export { createSanitizer, detectCommandInjection, detectHeaderInjection, detectJsonpInjection, detectLdapInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPrototypePollution, detectSql, detectSsti, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, encodeHtmlEntities, getDangerousOperators, getDangerousProtoKeys, isDangerousNoSqlKey, isDangerousProtoKey, isPlainObject, redactObjectPii, redactPii, sanitizeCommand, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeLdapDn, sanitizeLdapFilter, sanitizeObject, sanitizePath, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii };
+export { createSanitizer, detectCommandInjection, detectEmailHeaderInjection, detectGraphqlAbuse, detectHeaderInjection, detectJsonpInjection, detectLdapInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPrototypePollution, detectSql, detectSsti, detectXpathInjection, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, encodeHtmlEntities, getDangerousOperators, getDangerousProtoKeys, inspectGraphqlQuery, isDangerousNoSqlKey, isDangerousProtoKey, isPlainObject, redactObjectPii, redactPii, sanitizeCommand, sanitizeEmailHeader, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeLdapDn, sanitizeLdapFilter, sanitizeObject, sanitizePath, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXpath, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii, scanThreats };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map