npm - @arcis/node - Versions diffs - 1.4.4 → 1.5.0 - Mend

@arcis/node 1.4.4 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (144) hide show

package/LICENSE +21 -0
package/README.md +36 -6
package/dist/astro/index.js +6141 -0
package/dist/astro/index.js.map +1 -0
package/dist/astro/index.mjs +6136 -0
package/dist/astro/index.mjs.map +1 -0
package/dist/bun/index.js +6195 -0
package/dist/bun/index.js.map +1 -0
package/dist/bun/index.mjs +6189 -0
package/dist/bun/index.mjs.map +1 -0
package/dist/core/constants.d.ts +3 -2
package/dist/core/constants.d.ts.map +1 -1
package/dist/core/index.js +4 -3
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +4 -3
package/dist/core/index.mjs.map +1 -1
package/dist/core/types.d.ts +32 -0
package/dist/core/types.d.ts.map +1 -1
package/dist/fastify/index.js +6160 -0
package/dist/fastify/index.js.map +1 -0
package/dist/fastify/index.mjs +6155 -0
package/dist/fastify/index.mjs.map +1 -0
package/dist/guards.d.ts +156 -0
package/dist/guards.d.ts.map +1 -0
package/dist/hono/index.js +6159 -0
package/dist/hono/index.js.map +1 -0
package/dist/hono/index.mjs +6154 -0
package/dist/hono/index.mjs.map +1 -0
package/dist/index.d.ts +23 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +7126 -178
package/dist/index.js.map +1 -1
package/dist/index.mjs +7088 -179
package/dist/index.mjs.map +1 -1
package/dist/koa/index.js +6158 -0
package/dist/koa/index.js.map +1 -0
package/dist/koa/index.mjs +6153 -0
package/dist/koa/index.mjs.map +1 -0
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/logging/redactor.d.ts.map +1 -1
package/dist/middleware/astro.d.ts +64 -0
package/dist/middleware/astro.d.ts.map +1 -0
package/dist/middleware/bot-detection.d.ts.map +1 -1
package/dist/middleware/bun.d.ts +75 -0
package/dist/middleware/bun.d.ts.map +1 -0
package/dist/middleware/csrf.d.ts.map +1 -1
package/dist/middleware/error-handler.d.ts.map +1 -1
package/dist/middleware/fastify.d.ts +89 -0
package/dist/middleware/fastify.d.ts.map +1 -0
package/dist/middleware/graphql.d.ts +35 -0
package/dist/middleware/graphql.d.ts.map +1 -0
package/dist/middleware/hono.d.ts +63 -0
package/dist/middleware/hono.d.ts.map +1 -0
package/dist/middleware/index.d.ts +12 -0
package/dist/middleware/index.d.ts.map +1 -1
package/dist/middleware/index.js +6469 -119
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +6459 -120
package/dist/middleware/index.mjs.map +1 -1
package/dist/middleware/koa.d.ts +84 -0
package/dist/middleware/koa.d.ts.map +1 -0
package/dist/middleware/main.d.ts +0 -30
package/dist/middleware/main.d.ts.map +1 -1
package/dist/middleware/mass-assign.d.ts +81 -0
package/dist/middleware/mass-assign.d.ts.map +1 -0
package/dist/middleware/method-allowlist.d.ts +66 -0
package/dist/middleware/method-allowlist.d.ts.map +1 -0
package/dist/middleware/nestjs.d.ts +62 -0
package/dist/middleware/nestjs.d.ts.map +1 -0
package/dist/middleware/nextjs.d.ts +102 -0
package/dist/middleware/nextjs.d.ts.map +1 -0
package/dist/middleware/nuxt.d.ts +61 -0
package/dist/middleware/nuxt.d.ts.map +1 -0
package/dist/middleware/overload.d.ts +92 -0
package/dist/middleware/overload.d.ts.map +1 -0
package/dist/middleware/protect.d.ts +91 -0
package/dist/middleware/protect.d.ts.map +1 -0
package/dist/middleware/rate-limit-sliding.d.ts.map +1 -1
package/dist/middleware/rate-limit-token.d.ts.map +1 -1
package/dist/middleware/rate-limit.d.ts.map +1 -1
package/dist/middleware/response-splitting.d.ts +83 -0
package/dist/middleware/response-splitting.d.ts.map +1 -0
package/dist/middleware/sveltekit.d.ts +68 -0
package/dist/middleware/sveltekit.d.ts.map +1 -0
package/dist/middleware/token-budget.d.ts +75 -0
package/dist/middleware/token-budget.d.ts.map +1 -0
package/dist/nestjs/index.js +1724 -0
package/dist/nestjs/index.js.map +1 -0
package/dist/nestjs/index.mjs +1717 -0
package/dist/nestjs/index.mjs.map +1 -0
package/dist/nextjs/index.js +6184 -0
package/dist/nextjs/index.js.map +1 -0
package/dist/nextjs/index.mjs +6178 -0
package/dist/nextjs/index.mjs.map +1 -0
package/dist/nuxt/index.js +6141 -0
package/dist/nuxt/index.js.map +1 -0
package/dist/nuxt/index.mjs +6136 -0
package/dist/nuxt/index.mjs.map +1 -0
package/dist/sanitizers/encode.d.ts.map +1 -1
package/dist/sanitizers/graphql.d.ts +72 -0
package/dist/sanitizers/graphql.d.ts.map +1 -0
package/dist/sanitizers/headers.d.ts +18 -0
package/dist/sanitizers/headers.d.ts.map +1 -1
package/dist/sanitizers/index.d.ts +4 -1
package/dist/sanitizers/index.d.ts.map +1 -1
package/dist/sanitizers/index.js +140 -66
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +135 -67
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/sanitizers/prompt-injection.d.ts +62 -0
package/dist/sanitizers/prompt-injection.d.ts.map +1 -0
package/dist/sanitizers/sanitize.d.ts +1 -1
package/dist/sanitizers/sanitize.d.ts.map +1 -1
package/dist/sanitizers/xpath.d.ts +37 -0
package/dist/sanitizers/xpath.d.ts.map +1 -0
package/dist/stores/index.js +4 -4
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs +4 -4
package/dist/stores/index.mjs.map +1 -1
package/dist/stores/redis.d.ts +7 -1
package/dist/stores/redis.d.ts.map +1 -1
package/dist/sveltekit/index.js +6142 -0
package/dist/sveltekit/index.js.map +1 -0
package/dist/sveltekit/index.mjs +6137 -0
package/dist/sveltekit/index.mjs.map +1 -0
package/dist/validation/index.d.ts +2 -0
package/dist/validation/index.d.ts.map +1 -1
package/dist/validation/index.js +137 -12
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs +116 -13
package/dist/validation/index.mjs.map +1 -1
package/dist/validation/redirect.d.ts.map +1 -1
package/dist/validation/schema.d.ts.map +1 -1
package/dist/validation/url-async.d.ts +137 -0
package/dist/validation/url-async.d.ts.map +1 -0
package/package.json +52 -7
package/scripts/postinstall.cjs +26 -0
package/dist/cli/arcis.d.ts +0 -23
package/dist/cli/arcis.d.ts.map +0 -1
package/dist/cli/arcis.js +0 -312
package/dist/cli/arcis.js.map +0 -1
package/dist/cli/arcis.mjs +0 -309
package/dist/cli/arcis.mjs.map +0 -1

package/dist/sanitizers/encode.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"encode.d.ts","sourceRoot":"","sources":["../../src/sanitizers/encode.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAaH;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAiBxD;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,~~CAwBjD~~;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOlD;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAkBlD"}
1	+ {"version":3,"file":"encode.d.ts","sourceRoot":"","sources":["../../src/sanitizers/encode.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAaH;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAiBxD;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAyBjD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOlD;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAkBlD"}

package/dist/sanitizers/graphql.d.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * @module @arcis/node/sanitizers/graphql
+ * GraphQL injection prevention (sdk-vectors.md tier 1 #21).
+ *
+ * Two threats covered:
+ *
+ * 1. **Depth-bomb DoS** — nested-query payloads like
+ *    `query { x { x { x { ... } } } }` to ridiculous depth that explode
+ *    resolver work (each `{` typically maps to a database round-trip).
+ *    Even a 50-deep query against a real schema can hammer the
+ *    backend; 1000-deep crashes the resolver entirely.
+ *
+ * 2. **Introspection abuse** — `__schema` / `__type` / `__typename`
+ *    queries that let an attacker enumerate the entire schema, then
+ *    use that map to find sensitive fields, deprecated mutations,
+ *    or unprotected admin paths. Production GraphQL endpoints should
+ *    disable introspection by default.
+ *
+ * v1 is regex-based: count `{` / `}` for nesting depth (no escape
+ * handling — strings inside the query that contain `{` will
+ * over-count). False positives are an acceptable tradeoff for v1
+ * because (a) the depth threshold is well above legitimate query
+ * shapes, (b) a real GraphQL parser pulls in `graphql` as a runtime
+ * dep — significant for a sanitizer that ships in every Arcis
+ * install. Customers running queries near the threshold can either
+ * raise `maxDepth` or bring their own AST pre-pass.
+ *
+ * NOT included in v1:
+ * - Field-count limit (some servers have this; orthogonal to depth)
+ * - Alias-bomb detection (`q { f1: foo, f2: foo, ...}` — easier as
+ *   a length-check than a parse)
+ * - Variable rebinding attacks
+ *
+ * Each is a follow-up if customers ask. Documented inline.
+ */
+export interface GraphqlGuardOptions {
+    /** Maximum allowed nesting depth. Default: 10. Most legit queries are <8. */
+    maxDepth?: number;
+    /** Maximum query string length in characters. Default: 10000. */
+    maxLength?: number;
+    /**
+     * Block introspection queries (`__schema`, `__type`). Default: true.
+     * Set `false` in development if you rely on GraphiQL / Apollo
+     * Studio. Production should leave this on.
+     */
+    blockIntrospection?: boolean;
+}
+export type GraphqlViolation = 'depth' | 'length' | 'introspection';
+export interface GraphqlGuardResult {
+    /** True if the query violated any configured limit. */
+    blocked: boolean;
+    /** Which limit fired first (depth → introspection → length precedence). */
+    reason?: GraphqlViolation;
+    /** Observed nesting depth. Always returned, even on clean queries. */
+    depth: number;
+    /** Observed length. Always returned. */
+    length: number;
+}
+/**
+ * Inspect a GraphQL query against the configured limits. Returns a
+ * structured result; the middleware below uses this directly. Pure
+ * function — no I/O, no res handle.
+ */
+export declare function inspectGraphqlQuery(query: string, options?: GraphqlGuardOptions): GraphqlGuardResult;
+/**
+ * Detect-only API matching the rest of the sanitizer module surface
+ * (`detectXss` / `detectSql` / `detectXxe` / etc.). Returns a boolean
+ * for callers that just want a yes/no — use `inspectGraphqlQuery` if
+ * you need the structured reason.
+ */
+export declare function detectGraphqlAbuse(query: string, options?: GraphqlGuardOptions): boolean;
+//# sourceMappingURL=graphql.d.ts.map

package/dist/sanitizers/graphql.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"graphql.d.ts","sourceRoot":"","sources":["../../src/sanitizers/graphql.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,MAAM,WAAW,mBAAmB;IAClC,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iEAAiE;IACjE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,MAAM,MAAM,gBAAgB,GAAG,OAAO,GAAG,QAAQ,GAAG,eAAe,CAAC;AAEpE,MAAM,WAAW,kBAAkB;IACjC,uDAAuD;IACvD,OAAO,EAAE,OAAO,CAAC;IACjB,2EAA2E;IAC3E,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,sEAAsE;IACtE,KAAK,EAAE,MAAM,CAAC;IACd,wCAAwC;IACxC,MAAM,EAAE,MAAM,CAAC;CAChB;AA2CD;;;;GAIG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,mBAAwB,GAChC,kBAAkB,CAwBpB;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAGT"}

package/dist/sanitizers/headers.d.ts CHANGED Viewed

@@ -43,4 +43,22 @@ export declare function sanitizeHeaders(headers: Record<string, string>): Record
  * @returns True if header injection patterns detected
  */
 export declare function detectHeaderInjection(input: string): boolean;
+/**
+ * Email-header injection prevention. Same byte-level threat as HTTP
+ * header injection — `\r\n` in a user-controlled email field
+ * (`To`, `From`, `Subject`, etc.) lets an attacker inject extra headers
+ * (most commonly Bcc) and pivot a contact form into a spam relay.
+ *
+ * Aliased to the HTTP-header sanitizers because the wire-level fix is
+ * identical: strip CRLF + null bytes from the value before
+ * concatenating into the header. Use these in form-to-email handlers:
+ *
+ * ```ts
+ * const subject = sanitizeEmailHeader(req.body.subject);
+ * const to = sanitizeEmailHeader(req.body.to);
+ * if (detectEmailHeaderInjection(req.body.to)) reject(...);
+ * ```
+ */
+export declare const sanitizeEmailHeader: typeof sanitizeHeaderValue;
+export declare const detectEmailHeaderInjection: typeof detectHeaderInjection;
 //# sourceMappingURL=headers.d.ts.map

package/dist/sanitizers/headers.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/sanitizers/headers.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAc,MAAM,eAAe,CAAC;AAUhE;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;AACnF,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,GAAG,cAAc,CAAC;AAuCzF;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAcvF;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAK5D"}
1	+ {"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/sanitizers/headers.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAc,MAAM,eAAe,CAAC;AAUhE;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;AACnF,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,GAAG,cAAc,CAAC;AAuCzF;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAcvF;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAK5D;AAED;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,mBAAmB,4BAAsB,CAAC;AACvD,eAAO,MAAM,0BAA0B,8BAAwB,CAAC"}

package/dist/sanitizers/index.d.ts CHANGED Viewed

@@ -13,9 +13,12 @@ export { isDangerousProtoKey, detectPrototypePollution, getDangerousProtoKeys }
 export { sanitizeSsti, detectSsti } from './ssti';
 export { sanitizeXxe, detectXxe } from './xxe';
 export { sanitizeJsonpCallback, detectJsonpInjection } from './jsonp';
-export { sanitizeHeaderValue, sanitizeHeaders, detectHeaderInjection } from './headers';
+export { sanitizeHeaderValue, sanitizeHeaders, detectHeaderInjection, sanitizeEmailHeader, detectEmailHeaderInjection, } from './headers';
 export { scanPii, detectPii, redactPii, scanObjectPii, redactObjectPii } from './pii';
 export { encodeForHtml, encodeForAttribute, encodeForJs, encodeForUrl, encodeForCss } from './encode';
 export { sanitizeLdapFilter, sanitizeLdapDn, detectLdapInjection } from './ldap';
+export { sanitizeXpath, detectXpathInjection } from './xpath';
+export { inspectGraphqlQuery, detectGraphqlAbuse, } from './graphql';
+export type { GraphqlGuardOptions, GraphqlGuardResult, GraphqlViolation, } from './graphql';
 export { encodeHtmlEntities, isPlainObject } from './utils';
 //# sourceMappingURL=index.d.ts.map

package/dist/sanitizers/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitizers/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC1F,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAG5C,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAGpE,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAG3F,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGnG,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGlD,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAG/C,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAGtE,OAAO,~~EAAE~~,mBAAmB,~~EAAE~~,eAAe,~~EAAE~~,qBAAqB,~~EAAE~~,MAAM,WAAW,CAAC;~~AAGxF~~,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AAGtF,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAGtG,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAGjF,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitizers/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC1F,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAG5C,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAGpE,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAG3F,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGnG,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGlD,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAG/C,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAGtE,OAAO,EACL,mBAAmB,EACnB,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,0BAA0B,GAC3B,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AAGtF,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAGtG,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAGjF,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAG9D,OAAO,EACL,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,WAAW,CAAC;AACnB,YAAY,EACV,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC"}

package/dist/sanitizers/index.js CHANGED Viewed

@@ -67,8 +67,8 @@ var XSS_REMOVE_PATTERNS = [
   /** javascript: and vbscript: protocols (allow optional spaces before colon) */
   /javascript\s*:/gi,
   /vbscript\s*:/gi,
-  /** data: URIs with HTML/script content */
-  /data\s*:\s*text\/html[^>\s]*/gi,
+  /** data: URIs with HTML or SVG content (SVG can run JS via inline event handlers) */
+  /data\s*:\s*(?:text\/html|image\/svg)[^>\s]*/gi,
   /** form tag injection — phishing via action= redirection */
   /<form[\s>][^>]*/gi,
   /** meta tag injection — http-equiv refresh or CSP bypass */
@@ -593,6 +593,89 @@ function detectXxe(input) {
   return false;
 }
+// src/sanitizers/ldap.ts
+var LDAP_FILTER_CHARS = /[*()\\\x00]/g;
+var LDAP_DN_CHARS = /[,+<>;"=\/\\\x00*()\x00]/g;
+var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
+var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
+var escapeChar = (char) => "\\" + char.charCodeAt(0).toString(16).padStart(2, "0");
+function sanitizeLdapFilter(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(LDAP_FILTER_CHARS, escapeChar);
+}
+function sanitizeLdapDn(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(LDAP_DN_CHARS, escapeChar);
+}
+function detectLdapInjection(input) {
+  if (typeof input !== "string") return false;
+  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+}
+// src/sanitizers/xpath.ts
+var XPATH_INJECTION_CHARS = /['"|,()]/;
+var XPATH_INJECTION_PATTERN = /('\s*(or|and)\s*'|"\s*(or|and)\s*"|\)\s*(or|and)\s*\(|\|\s*\/)/i;
+function detectXpathInjection(input) {
+  if (typeof input !== "string" || input.length === 0) return false;
+  if (!XPATH_INJECTION_CHARS.test(input)) return false;
+  return XPATH_INJECTION_PATTERN.test(input);
+}
+function sanitizeXpath(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(/['"|,]/g, "");
+}
+// src/sanitizers/headers.ts
+var HEADER_INJECTION_PATTERN = /\r\n|\r|\n|\0/g;
+function sanitizeHeaderValue(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let wasSanitized = false;
+  if (HEADER_INJECTION_PATTERN.test(input)) {
+    HEADER_INJECTION_PATTERN.lastIndex = 0;
+    wasSanitized = true;
+    if (collectThreats) {
+      const matches = input.match(HEADER_INJECTION_PATTERN);
+      if (matches) {
+        for (const match of matches) {
+          threats.push({
+            type: "header_injection",
+            pattern: HEADER_INJECTION_PATTERN.source,
+            original: match
+          });
+        }
+      }
+    }
+  }
+  HEADER_INJECTION_PATTERN.lastIndex = 0;
+  const value = input.replace(HEADER_INJECTION_PATTERN, "");
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function sanitizeHeaders(headers) {
+  if (!headers || typeof headers !== "object") {
+    return {};
+  }
+  const result = {};
+  for (const [key, value] of Object.entries(headers)) {
+    const sanitizedKey = sanitizeHeaderValue(String(key));
+    const sanitizedValue = sanitizeHeaderValue(String(value));
+    result[sanitizedKey] = sanitizedValue;
+  }
+  return result;
+}
+function detectHeaderInjection(input) {
+  if (typeof input !== "string") return false;
+  HEADER_INJECTION_PATTERN.lastIndex = 0;
+  return HEADER_INJECTION_PATTERN.test(input);
+}
+var sanitizeEmailHeader = sanitizeHeaderValue;
+var detectEmailHeaderInjection = detectHeaderInjection;
 // src/sanitizers/sanitize.ts
 function sanitizeString(value, options = {}) {
   if (typeof value !== "string") return value;
@@ -705,6 +788,15 @@ function scanThreats(data, depth = 0) {
   if (detectCommandInjection(data)) {
     return { vector: "command", rule: "command/match", matchedPattern: sample };
   }
+  if (detectLdapInjection(data)) {
+    return { vector: "ldap", rule: "ldap/match", matchedPattern: sample };
+  }
+  if (detectXpathInjection(data)) {
+    return { vector: "xpath", rule: "xpath/match", matchedPattern: sample };
+  }
+  if (detectHeaderInjection(data)) {
+    return { vector: "header", rule: "header/match", matchedPattern: sample };
+  }
   return null;
 }
 function createSanitizer(options = {}) {
@@ -839,55 +931,6 @@ function detectJsonpInjection(callback) {
   return false;
 }
-// src/sanitizers/headers.ts
-var HEADER_INJECTION_PATTERN = /\r\n|\r|\n|\0/g;
-function sanitizeHeaderValue(input, collectThreats = false) {
-  if (typeof input !== "string") {
-    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
-  }
-  const threats = [];
-  let wasSanitized = false;
-  if (HEADER_INJECTION_PATTERN.test(input)) {
-    HEADER_INJECTION_PATTERN.lastIndex = 0;
-    wasSanitized = true;
-    if (collectThreats) {
-      const matches = input.match(HEADER_INJECTION_PATTERN);
-      if (matches) {
-        for (const match of matches) {
-          threats.push({
-            type: "header_injection",
-            pattern: HEADER_INJECTION_PATTERN.source,
-            original: match
-          });
-        }
-      }
-    }
-  }
-  HEADER_INJECTION_PATTERN.lastIndex = 0;
-  const value = input.replace(HEADER_INJECTION_PATTERN, "");
-  if (collectThreats) {
-    return { value, wasSanitized, threats };
-  }
-  return value;
-}
-function sanitizeHeaders(headers) {
-  if (!headers || typeof headers !== "object") {
-    return {};
-  }
-  const result = {};
-  for (const [key, value] of Object.entries(headers)) {
-    const sanitizedKey = sanitizeHeaderValue(String(key));
-    const sanitizedValue = sanitizeHeaderValue(String(value));
-    result[sanitizedKey] = sanitizedValue;
-  }
-  return result;
-}
-function detectHeaderInjection(input) {
-  if (typeof input !== "string") return false;
-  HEADER_INJECTION_PATTERN.lastIndex = 0;
-  return HEADER_INJECTION_PATTERN.test(input);
-}
 // src/sanitizers/pii.ts
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+/g;
 var PHONE_RE = /(?<!\d)(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)/g;
@@ -1053,6 +1096,7 @@ function encodeForJs(value) {
   let result = "";
   for (const char of value) {
     const cp = char.codePointAt(0);
+    if (cp === void 0) continue;
     if (cp >= 48 && cp <= 57 || // 0-9
     cp >= 65 && cp <= 90 || // A-Z
     cp >= 97 && cp <= 122) {
@@ -1089,27 +1133,53 @@ function encodeForCss(value) {
   return result;
 }
-// src/sanitizers/ldap.ts
-var LDAP_FILTER_CHARS = /[*()\\\x00]/g;
-var LDAP_DN_CHARS = /[,+<>;"=\/\\\x00*()\x00]/g;
-var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
-var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
-var escapeChar = (char) => "\\" + char.charCodeAt(0).toString(16).padStart(2, "0");
-function sanitizeLdapFilter(input) {
-  if (typeof input !== "string") return String(input);
-  return input.replace(LDAP_FILTER_CHARS, escapeChar);
+// src/sanitizers/graphql.ts
+var DEFAULTS = {
+  maxDepth: 10,
+  maxLength: 1e4,
+  blockIntrospection: true
+};
+var INTROSPECTION_PATTERN = /\b__(schema|type|typeKind|directive)\b/;
+function computeDepth(query) {
+  let depth = 0;
+  let max = 0;
+  for (let i = 0; i < query.length; i++) {
+    const c = query.charCodeAt(i);
+    if (c === 123) {
+      depth++;
+      if (depth > max) max = depth;
+    } else if (c === 125) {
+      if (depth > 0) depth--;
+    }
+  }
+  return max;
 }
-function sanitizeLdapDn(input) {
-  if (typeof input !== "string") return String(input);
-  return input.replace(LDAP_DN_CHARS, escapeChar);
+function inspectGraphqlQuery(query, options = {}) {
+  const maxDepth = options.maxDepth ?? DEFAULTS.maxDepth;
+  const maxLength = options.maxLength ?? DEFAULTS.maxLength;
+  const blockIntrospection = options.blockIntrospection ?? DEFAULTS.blockIntrospection;
+  const length = query.length;
+  const depth = computeDepth(query);
+  if (depth > maxDepth) {
+    return { blocked: true, reason: "depth", depth, length };
+  }
+  if (blockIntrospection && INTROSPECTION_PATTERN.test(query)) {
+    return { blocked: true, reason: "introspection", depth, length };
+  }
+  if (length > maxLength) {
+    return { blocked: true, reason: "length", depth, length };
+  }
+  return { blocked: false, depth, length };
 }
-function detectLdapInjection(input) {
-  if (typeof input !== "string") return false;
-  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+function detectGraphqlAbuse(query, options) {
+  if (typeof query !== "string" || query.length === 0) return false;
+  return inspectGraphqlQuery(query, options).blocked;
 }
 exports.createSanitizer = createSanitizer;
 exports.detectCommandInjection = detectCommandInjection;
+exports.detectEmailHeaderInjection = detectEmailHeaderInjection;
+exports.detectGraphqlAbuse = detectGraphqlAbuse;
 exports.detectHeaderInjection = detectHeaderInjection;
 exports.detectJsonpInjection = detectJsonpInjection;
 exports.detectLdapInjection = detectLdapInjection;
@@ -1119,6 +1189,7 @@ exports.detectPii = detectPii;
 exports.detectPrototypePollution = detectPrototypePollution;
 exports.detectSql = detectSql;
 exports.detectSsti = detectSsti;
+exports.detectXpathInjection = detectXpathInjection;
 exports.detectXss = detectXss;
 exports.detectXxe = detectXxe;
 exports.encodeForAttribute = encodeForAttribute;
@@ -1129,12 +1200,14 @@ exports.encodeForUrl = encodeForUrl;
 exports.encodeHtmlEntities = encodeHtmlEntities;
 exports.getDangerousOperators = getDangerousOperators;
 exports.getDangerousProtoKeys = getDangerousProtoKeys;
+exports.inspectGraphqlQuery = inspectGraphqlQuery;
 exports.isDangerousNoSqlKey = isDangerousNoSqlKey;
 exports.isDangerousProtoKey = isDangerousProtoKey;
 exports.isPlainObject = isPlainObject;
 exports.redactObjectPii = redactObjectPii;
 exports.redactPii = redactPii;
 exports.sanitizeCommand = sanitizeCommand;
+exports.sanitizeEmailHeader = sanitizeEmailHeader;
 exports.sanitizeHeaderValue = sanitizeHeaderValue;
 exports.sanitizeHeaders = sanitizeHeaders;
 exports.sanitizeJsonpCallback = sanitizeJsonpCallback;
@@ -1145,6 +1218,7 @@ exports.sanitizePath = sanitizePath;
 exports.sanitizeSql = sanitizeSql;
 exports.sanitizeSsti = sanitizeSsti;
 exports.sanitizeString = sanitizeString;
+exports.sanitizeXpath = sanitizeXpath;
 exports.sanitizeXss = sanitizeXss;
 exports.sanitizeXxe = sanitizeXxe;
 exports.scanObjectPii = scanObjectPii;