@arcis/node 1.4.4 → 1.5.0

package/dist/validation/index.mjs

@@ -1,3 +1,4 @@
+import * as dns from 'dns';
 import { promises } from 'dns';
 
 // src/core/constants.ts
@@ -31,8 +32,8 @@ var XSS_REMOVE_PATTERNS = [
   /** javascript: and vbscript: protocols (allow optional spaces before colon) */
   /javascript\s*:/gi,
   /vbscript\s*:/gi,
-  /** data: URIs with HTML/script content */
-  /data\s*:\s*text\/html[^>\s]*/gi,
+  /** data: URIs with HTML or SVG content (SVG can run JS via inline event handlers) */
+  /data\s*:\s*(?:text\/html|image\/svg)[^>\s]*/gi,
   /** form tag injection — phishing via action= redirection */
   /<form[\s>][^>]*/gi,
   /** meta tag injection — http-equiv refresh or CSP bypass */
@@ -116,10 +117,11 @@ var VALIDATION = {
   EMAIL: /^[^\s@.][^\s@]*(?:\.[^\s@.][^\s@]*)*@[^\s@]+\.[^\s@]+$/,
   /**
    * URL regex pattern.
-   * Only allows http:// and https:// — explicitly rejects javascript:,
-   * data:, vbscript:, and other dangerous URI schemes.
+   * Only allows http:// and https:// (case-insensitive scheme per
+   * RFC 3986); explicitly rejects javascript:, data:, vbscript:, and
+   * other dangerous URI schemes.
    */
-  URL: /^https?:\/\/[^\s/$.?#][^\s]*$/,
+  URL: /^https?:\/\/[^\s/$.?#][^\s]*$/i,
   /** UUID regex pattern (v4) */
   UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
 };
@@ -400,7 +402,12 @@ function validate(schema, source = "body") {
       res.status(400).json({ errors });
       return;
     }
-    req[source] = validated;
+    Object.defineProperty(req, source, {
+      value: validated,
+      writable: true,
+      configurable: true,
+      enumerable: true
+    });
     next();
   };
 }
@@ -897,6 +904,99 @@ function checkOctalIp(hostname, allowLocalhost, allowPrivate) {
   }
   return null;
 }
+var defaultLookup = (hostname) => new Promise((resolve, reject) => {
+  dns.lookup(hostname, { all: true }, (err, addresses) => {
+    if (err) reject(err);
+    else resolve(addresses);
+  });
+});
+function checkResolvedIp(ip, options) {
+  const isIpv6 = ip.includes(":");
+  const host = isIpv6 ? `[${ip}]` : ip;
+  const { allowedProtocols, allowLocalhost, allowPrivate } = options;
+  return validateUrl(`http://${host}/`, {
+    allowedProtocols,
+    allowLocalhost,
+    allowPrivate
+  });
+}
+async function validateUrlAsync(url, options = {}) {
+  const sync = validateUrl(url, options);
+  if (!sync.safe) return sync;
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return { safe: false, reason: "invalid URL: failed to parse" };
+  }
+  const host = parsed.hostname.replace(/^\[|\]$/g, "");
+  if (isLiteralIp(host)) return { safe: true };
+  if (options.allowedHosts?.some((h) => host.toLowerCase() === h.toLowerCase())) {
+    return { safe: true };
+  }
+  const lookup2 = options.lookup ?? defaultLookup;
+  let addresses;
+  try {
+    addresses = await lookup2(host);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { safe: false, reason: `DNS lookup failed: ${msg}` };
+  }
+  if (addresses.length === 0) {
+    return { safe: false, reason: "DNS returned no addresses" };
+  }
+  const ips = addresses.map((a) => a.address);
+  const acceptFirstPublic = options.acceptFirstPublic === true;
+  let firstPublic;
+  for (const ip of ips) {
+    const ipResult = checkResolvedIp(ip, options);
+    if (ipResult.safe) {
+      if (firstPublic === void 0) firstPublic = ip;
+    } else if (!acceptFirstPublic) {
+      return {
+        safe: false,
+        reason: `resolved IP ${ip} is unsafe: ${ipResult.reason}`,
+        resolvedIps: ips
+      };
+    }
+  }
+  if (firstPublic === void 0) {
+    return {
+      safe: false,
+      reason: "all resolved IPs are private/loopback",
+      resolvedIps: ips
+    };
+  }
+  return { safe: true, resolvedIp: firstPublic, resolvedIps: ips };
+}
+function pinnedDnsLookup(ip) {
+  if (typeof ip !== "string" || ip.trim() === "") {
+    throw new TypeError("pinnedDnsLookup: ip must be a non-empty string");
+  }
+  const family = ip.includes(":") ? 6 : 4;
+  return (_hostname, _options, callback) => {
+    callback(null, ip, family);
+  };
+}
+async function safeFollowRedirect(prev, location, options = {}) {
+  if (typeof location !== "string" || location.trim() === "") {
+    return { safe: false, reason: "redirect Location is empty" };
+  }
+  let absolute;
+  try {
+    absolute = new URL(location, prev);
+  } catch {
+    return { safe: false, reason: "invalid redirect URL" };
+  }
+  return validateUrlAsync(absolute.toString(), options);
+}
+function isLiteralIp(host) {
+  if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
+  if (/^\d+$/.test(host)) return true;
+  if (/^0[0-7x]/.test(host) && /^[0-9a-fx.]+$/i.test(host) && host.includes(".")) return true;
+  if (host.includes(":") && !/[/\s]/.test(host)) return true;
+  return false;
+}
 
 // src/validation/redirect.ts
 var DANGEROUS_PROTOCOLS = /^(javascript|data|vbscript|blob):/i;
@@ -911,8 +1011,8 @@ function validateRedirect(url, options = {}) {
     return { safe: false, reason: "invalid redirect: empty or not a string" };
   }
   const cleaned = url.replace(CONTROL_CHARS, "");
-  if (DANGEROUS_PROTOCOLS.test(cleaned)) {
-    const proto = cleaned.match(DANGEROUS_PROTOCOLS);
+  const proto = cleaned.match(DANGEROUS_PROTOCOLS);
+  if (proto) {
     return { safe: false, reason: `dangerous protocol: ${proto[0]}` };
   }
   if (cleaned.startsWith("\\")) {
@@ -942,11 +1042,12 @@ function validateRedirect(url, options = {}) {
     return { safe: false, reason: `disallowed protocol: ${parsed.protocol}` };
   }
   const hostname = parsed.hostname.toLowerCase();
+  const hostWithPort = parsed.port ? `${hostname}:${parsed.port}` : hostname;
   if (allowedHosts.length === 0) {
     return { safe: false, reason: "absolute URL not in allowed hosts" };
   }
-  if (!allowedHosts.some((h) => hostname === h.toLowerCase())) {
-    return { safe: false, reason: `host not allowed: ${hostname}` };
+  if (!allowedHosts.some((h) => h.toLowerCase() === hostWithPort)) {
+    return { safe: false, reason: `host not allowed: ${hostWithPort}` };
   }
   return { safe: true };
 }
@@ -954,8 +1055,10 @@ function isRedirectSafe(url, options = {}) {
   return validateRedirect(url, options).safe;
 }
 function extractHost(url) {
-  const match = url.match(/^\/\/([^/:?#]+)/);
-  return match ? match[1].toLowerCase() : null;
+  const match = url.match(/^\/\/([^/?#]+)/);
+  if (!match) return null;
+  const authority = match[1].includes("@") ? match[1].slice(match[1].indexOf("@") + 1) : match[1];
+  return authority.toLowerCase();
 }
 var MAX_EMAIL_LENGTH = 254;
 var MAX_LOCAL_LENGTH = 64;
@@ -1209,6 +1312,6 @@ function isValidEmailSyntax(email) {
   return EMAIL_SYNTAX.test(normalized);
 }
 
-export { createValidator, isDangerousExtension, isRedirectSafe, isUrlSafe, isValidEmailSyntax, sanitizeFilename, validate, validateEmail, validateFile, validateRedirect, validateUrl, verifyEmailMx };
+export { createValidator, isDangerousExtension, isRedirectSafe, isUrlSafe, isValidEmailSyntax, pinnedDnsLookup, safeFollowRedirect, sanitizeFilename, validate, validateEmail, validateFile, validateRedirect, validateUrl, validateUrlAsync, verifyEmailMx };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map