npm - @arcis/node - Versions diffs - 1.4.4 → 1.5.1 - Mend

@arcis/node 1.4.4 → 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (144) hide show

package/LICENSE +21 -0
package/README.md +36 -6
package/dist/astro/index.js +6141 -0
package/dist/astro/index.js.map +1 -0
package/dist/astro/index.mjs +6136 -0
package/dist/astro/index.mjs.map +1 -0
package/dist/bun/index.js +6195 -0
package/dist/bun/index.js.map +1 -0
package/dist/bun/index.mjs +6189 -0
package/dist/bun/index.mjs.map +1 -0
package/dist/core/constants.d.ts +3 -2
package/dist/core/constants.d.ts.map +1 -1
package/dist/core/index.js +4 -3
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +4 -3
package/dist/core/index.mjs.map +1 -1
package/dist/core/types.d.ts +32 -0
package/dist/core/types.d.ts.map +1 -1
package/dist/fastify/index.js +6160 -0
package/dist/fastify/index.js.map +1 -0
package/dist/fastify/index.mjs +6155 -0
package/dist/fastify/index.mjs.map +1 -0
package/dist/guards.d.ts +156 -0
package/dist/guards.d.ts.map +1 -0
package/dist/hono/index.js +6159 -0
package/dist/hono/index.js.map +1 -0
package/dist/hono/index.mjs +6154 -0
package/dist/hono/index.mjs.map +1 -0
package/dist/index.d.ts +23 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +7126 -178
package/dist/index.js.map +1 -1
package/dist/index.mjs +7088 -179
package/dist/index.mjs.map +1 -1
package/dist/koa/index.js +6158 -0
package/dist/koa/index.js.map +1 -0
package/dist/koa/index.mjs +6153 -0
package/dist/koa/index.mjs.map +1 -0
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/logging/redactor.d.ts.map +1 -1
package/dist/middleware/astro.d.ts +64 -0
package/dist/middleware/astro.d.ts.map +1 -0
package/dist/middleware/bot-detection.d.ts.map +1 -1
package/dist/middleware/bun.d.ts +75 -0
package/dist/middleware/bun.d.ts.map +1 -0
package/dist/middleware/csrf.d.ts.map +1 -1
package/dist/middleware/error-handler.d.ts.map +1 -1
package/dist/middleware/fastify.d.ts +89 -0
package/dist/middleware/fastify.d.ts.map +1 -0
package/dist/middleware/graphql.d.ts +35 -0
package/dist/middleware/graphql.d.ts.map +1 -0
package/dist/middleware/hono.d.ts +63 -0
package/dist/middleware/hono.d.ts.map +1 -0
package/dist/middleware/index.d.ts +12 -0
package/dist/middleware/index.d.ts.map +1 -1
package/dist/middleware/index.js +6469 -119
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +6459 -120
package/dist/middleware/index.mjs.map +1 -1
package/dist/middleware/koa.d.ts +84 -0
package/dist/middleware/koa.d.ts.map +1 -0
package/dist/middleware/main.d.ts +0 -30
package/dist/middleware/main.d.ts.map +1 -1
package/dist/middleware/mass-assign.d.ts +81 -0
package/dist/middleware/mass-assign.d.ts.map +1 -0
package/dist/middleware/method-allowlist.d.ts +66 -0
package/dist/middleware/method-allowlist.d.ts.map +1 -0
package/dist/middleware/nestjs.d.ts +62 -0
package/dist/middleware/nestjs.d.ts.map +1 -0
package/dist/middleware/nextjs.d.ts +102 -0
package/dist/middleware/nextjs.d.ts.map +1 -0
package/dist/middleware/nuxt.d.ts +61 -0
package/dist/middleware/nuxt.d.ts.map +1 -0
package/dist/middleware/overload.d.ts +92 -0
package/dist/middleware/overload.d.ts.map +1 -0
package/dist/middleware/protect.d.ts +91 -0
package/dist/middleware/protect.d.ts.map +1 -0
package/dist/middleware/rate-limit-sliding.d.ts.map +1 -1
package/dist/middleware/rate-limit-token.d.ts.map +1 -1
package/dist/middleware/rate-limit.d.ts.map +1 -1
package/dist/middleware/response-splitting.d.ts +83 -0
package/dist/middleware/response-splitting.d.ts.map +1 -0
package/dist/middleware/sveltekit.d.ts +68 -0
package/dist/middleware/sveltekit.d.ts.map +1 -0
package/dist/middleware/token-budget.d.ts +75 -0
package/dist/middleware/token-budget.d.ts.map +1 -0
package/dist/nestjs/index.js +1724 -0
package/dist/nestjs/index.js.map +1 -0
package/dist/nestjs/index.mjs +1717 -0
package/dist/nestjs/index.mjs.map +1 -0
package/dist/nextjs/index.js +6184 -0
package/dist/nextjs/index.js.map +1 -0
package/dist/nextjs/index.mjs +6178 -0
package/dist/nextjs/index.mjs.map +1 -0
package/dist/nuxt/index.js +6141 -0
package/dist/nuxt/index.js.map +1 -0
package/dist/nuxt/index.mjs +6136 -0
package/dist/nuxt/index.mjs.map +1 -0
package/dist/sanitizers/encode.d.ts.map +1 -1
package/dist/sanitizers/graphql.d.ts +72 -0
package/dist/sanitizers/graphql.d.ts.map +1 -0
package/dist/sanitizers/headers.d.ts +18 -0
package/dist/sanitizers/headers.d.ts.map +1 -1
package/dist/sanitizers/index.d.ts +4 -1
package/dist/sanitizers/index.d.ts.map +1 -1
package/dist/sanitizers/index.js +140 -66
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +135 -67
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/sanitizers/prompt-injection.d.ts +62 -0
package/dist/sanitizers/prompt-injection.d.ts.map +1 -0
package/dist/sanitizers/sanitize.d.ts +1 -1
package/dist/sanitizers/sanitize.d.ts.map +1 -1
package/dist/sanitizers/xpath.d.ts +37 -0
package/dist/sanitizers/xpath.d.ts.map +1 -0
package/dist/stores/index.js +4 -4
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs +4 -4
package/dist/stores/index.mjs.map +1 -1
package/dist/stores/redis.d.ts +7 -1
package/dist/stores/redis.d.ts.map +1 -1
package/dist/sveltekit/index.js +6142 -0
package/dist/sveltekit/index.js.map +1 -0
package/dist/sveltekit/index.mjs +6137 -0
package/dist/sveltekit/index.mjs.map +1 -0
package/dist/validation/index.d.ts +2 -0
package/dist/validation/index.d.ts.map +1 -1
package/dist/validation/index.js +137 -12
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs +116 -13
package/dist/validation/index.mjs.map +1 -1
package/dist/validation/redirect.d.ts.map +1 -1
package/dist/validation/schema.d.ts.map +1 -1
package/dist/validation/url-async.d.ts +137 -0
package/dist/validation/url-async.d.ts.map +1 -0
package/package.json +57 -12
package/scripts/postinstall.cjs +26 -0
package/dist/cli/arcis.d.ts +0 -23
package/dist/cli/arcis.d.ts.map +0 -1
package/dist/cli/arcis.js +0 -312
package/dist/cli/arcis.js.map +0 -1
package/dist/cli/arcis.mjs +0 -309
package/dist/cli/arcis.mjs.map +0 -1

package/dist/sanitizers/index.mjs CHANGED Viewed

@@ -65,8 +65,8 @@ var XSS_REMOVE_PATTERNS = [
   /** javascript: and vbscript: protocols (allow optional spaces before colon) */
   /javascript\s*:/gi,
   /vbscript\s*:/gi,
-  /** data: URIs with HTML/script content */
-  /data\s*:\s*text\/html[^>\s]*/gi,
+  /** data: URIs with HTML or SVG content (SVG can run JS via inline event handlers) */
+  /data\s*:\s*(?:text\/html|image\/svg)[^>\s]*/gi,
   /** form tag injection — phishing via action= redirection */
   /<form[\s>][^>]*/gi,
   /** meta tag injection — http-equiv refresh or CSP bypass */
@@ -591,6 +591,89 @@ function detectXxe(input) {
   return false;
 }
+// src/sanitizers/ldap.ts
+var LDAP_FILTER_CHARS = /[*()\\\x00]/g;
+var LDAP_DN_CHARS = /[,+<>;"=\/\\\x00*()\x00]/g;
+var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
+var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
+var escapeChar = (char) => "\\" + char.charCodeAt(0).toString(16).padStart(2, "0");
+function sanitizeLdapFilter(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(LDAP_FILTER_CHARS, escapeChar);
+}
+function sanitizeLdapDn(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(LDAP_DN_CHARS, escapeChar);
+}
+function detectLdapInjection(input) {
+  if (typeof input !== "string") return false;
+  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+}
+// src/sanitizers/xpath.ts
+var XPATH_INJECTION_CHARS = /['"|,()]/;
+var XPATH_INJECTION_PATTERN = /('\s*(or|and)\s*'|"\s*(or|and)\s*"|\)\s*(or|and)\s*\(|\|\s*\/)/i;
+function detectXpathInjection(input) {
+  if (typeof input !== "string" || input.length === 0) return false;
+  if (!XPATH_INJECTION_CHARS.test(input)) return false;
+  return XPATH_INJECTION_PATTERN.test(input);
+}
+function sanitizeXpath(input) {
+  if (typeof input !== "string") return String(input);
+  return input.replace(/['"|,]/g, "");
+}
+// src/sanitizers/headers.ts
+var HEADER_INJECTION_PATTERN = /\r\n|\r|\n|\0/g;
+function sanitizeHeaderValue(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let wasSanitized = false;
+  if (HEADER_INJECTION_PATTERN.test(input)) {
+    HEADER_INJECTION_PATTERN.lastIndex = 0;
+    wasSanitized = true;
+    if (collectThreats) {
+      const matches = input.match(HEADER_INJECTION_PATTERN);
+      if (matches) {
+        for (const match of matches) {
+          threats.push({
+            type: "header_injection",
+            pattern: HEADER_INJECTION_PATTERN.source,
+            original: match
+          });
+        }
+      }
+    }
+  }
+  HEADER_INJECTION_PATTERN.lastIndex = 0;
+  const value = input.replace(HEADER_INJECTION_PATTERN, "");
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function sanitizeHeaders(headers) {
+  if (!headers || typeof headers !== "object") {
+    return {};
+  }
+  const result = {};
+  for (const [key, value] of Object.entries(headers)) {
+    const sanitizedKey = sanitizeHeaderValue(String(key));
+    const sanitizedValue = sanitizeHeaderValue(String(value));
+    result[sanitizedKey] = sanitizedValue;
+  }
+  return result;
+}
+function detectHeaderInjection(input) {
+  if (typeof input !== "string") return false;
+  HEADER_INJECTION_PATTERN.lastIndex = 0;
+  return HEADER_INJECTION_PATTERN.test(input);
+}
+var sanitizeEmailHeader = sanitizeHeaderValue;
+var detectEmailHeaderInjection = detectHeaderInjection;
 // src/sanitizers/sanitize.ts
 function sanitizeString(value, options = {}) {
   if (typeof value !== "string") return value;
@@ -703,6 +786,15 @@ function scanThreats(data, depth = 0) {
   if (detectCommandInjection(data)) {
     return { vector: "command", rule: "command/match", matchedPattern: sample };
   }
+  if (detectLdapInjection(data)) {
+    return { vector: "ldap", rule: "ldap/match", matchedPattern: sample };
+  }
+  if (detectXpathInjection(data)) {
+    return { vector: "xpath", rule: "xpath/match", matchedPattern: sample };
+  }
+  if (detectHeaderInjection(data)) {
+    return { vector: "header", rule: "header/match", matchedPattern: sample };
+  }
   return null;
 }
 function createSanitizer(options = {}) {
@@ -837,55 +929,6 @@ function detectJsonpInjection(callback) {
   return false;
 }
-// src/sanitizers/headers.ts
-var HEADER_INJECTION_PATTERN = /\r\n|\r|\n|\0/g;
-function sanitizeHeaderValue(input, collectThreats = false) {
-  if (typeof input !== "string") {
-    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
-  }
-  const threats = [];
-  let wasSanitized = false;
-  if (HEADER_INJECTION_PATTERN.test(input)) {
-    HEADER_INJECTION_PATTERN.lastIndex = 0;
-    wasSanitized = true;
-    if (collectThreats) {
-      const matches = input.match(HEADER_INJECTION_PATTERN);
-      if (matches) {
-        for (const match of matches) {
-          threats.push({
-            type: "header_injection",
-            pattern: HEADER_INJECTION_PATTERN.source,
-            original: match
-          });
-        }
-      }
-    }
-  }
-  HEADER_INJECTION_PATTERN.lastIndex = 0;
-  const value = input.replace(HEADER_INJECTION_PATTERN, "");
-  if (collectThreats) {
-    return { value, wasSanitized, threats };
-  }
-  return value;
-}
-function sanitizeHeaders(headers) {
-  if (!headers || typeof headers !== "object") {
-    return {};
-  }
-  const result = {};
-  for (const [key, value] of Object.entries(headers)) {
-    const sanitizedKey = sanitizeHeaderValue(String(key));
-    const sanitizedValue = sanitizeHeaderValue(String(value));
-    result[sanitizedKey] = sanitizedValue;
-  }
-  return result;
-}
-function detectHeaderInjection(input) {
-  if (typeof input !== "string") return false;
-  HEADER_INJECTION_PATTERN.lastIndex = 0;
-  return HEADER_INJECTION_PATTERN.test(input);
-}
 // src/sanitizers/pii.ts
 var EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+/g;
 var PHONE_RE = /(?<!\d)(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)/g;
@@ -1051,6 +1094,7 @@ function encodeForJs(value) {
   let result = "";
   for (const char of value) {
     const cp = char.codePointAt(0);
+    if (cp === void 0) continue;
     if (cp >= 48 && cp <= 57 || // 0-9
     cp >= 65 && cp <= 90 || // A-Z
     cp >= 97 && cp <= 122) {
@@ -1087,25 +1131,49 @@ function encodeForCss(value) {
   return result;
 }
-// src/sanitizers/ldap.ts
-var LDAP_FILTER_CHARS = /[*()\\\x00]/g;
-var LDAP_DN_CHARS = /[,+<>;"=\/\\\x00*()\x00]/g;
-var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
-var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
-var escapeChar = (char) => "\\" + char.charCodeAt(0).toString(16).padStart(2, "0");
-function sanitizeLdapFilter(input) {
-  if (typeof input !== "string") return String(input);
-  return input.replace(LDAP_FILTER_CHARS, escapeChar);
+// src/sanitizers/graphql.ts
+var DEFAULTS = {
+  maxDepth: 10,
+  maxLength: 1e4,
+  blockIntrospection: true
+};
+var INTROSPECTION_PATTERN = /\b__(schema|type|typeKind|directive)\b/;
+function computeDepth(query) {
+  let depth = 0;
+  let max = 0;
+  for (let i = 0; i < query.length; i++) {
+    const c = query.charCodeAt(i);
+    if (c === 123) {
+      depth++;
+      if (depth > max) max = depth;
+    } else if (c === 125) {
+      if (depth > 0) depth--;
+    }
+  }
+  return max;
 }
-function sanitizeLdapDn(input) {
-  if (typeof input !== "string") return String(input);
-  return input.replace(LDAP_DN_CHARS, escapeChar);
+function inspectGraphqlQuery(query, options = {}) {
+  const maxDepth = options.maxDepth ?? DEFAULTS.maxDepth;
+  const maxLength = options.maxLength ?? DEFAULTS.maxLength;
+  const blockIntrospection = options.blockIntrospection ?? DEFAULTS.blockIntrospection;
+  const length = query.length;
+  const depth = computeDepth(query);
+  if (depth > maxDepth) {
+    return { blocked: true, reason: "depth", depth, length };
+  }
+  if (blockIntrospection && INTROSPECTION_PATTERN.test(query)) {
+    return { blocked: true, reason: "introspection", depth, length };
+  }
+  if (length > maxLength) {
+    return { blocked: true, reason: "length", depth, length };
+  }
+  return { blocked: false, depth, length };
 }
-function detectLdapInjection(input) {
-  if (typeof input !== "string") return false;
-  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+function detectGraphqlAbuse(query, options) {
+  if (typeof query !== "string" || query.length === 0) return false;
+  return inspectGraphqlQuery(query, options).blocked;
 }
-export { createSanitizer, detectCommandInjection, detectHeaderInjection, detectJsonpInjection, detectLdapInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPrototypePollution, detectSql, detectSsti, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, encodeHtmlEntities, getDangerousOperators, getDangerousProtoKeys, isDangerousNoSqlKey, isDangerousProtoKey, isPlainObject, redactObjectPii, redactPii, sanitizeCommand, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeLdapDn, sanitizeLdapFilter, sanitizeObject, sanitizePath, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii, scanThreats };
+export { createSanitizer, detectCommandInjection, detectEmailHeaderInjection, detectGraphqlAbuse, detectHeaderInjection, detectJsonpInjection, detectLdapInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPrototypePollution, detectSql, detectSsti, detectXpathInjection, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, encodeHtmlEntities, getDangerousOperators, getDangerousProtoKeys, inspectGraphqlQuery, isDangerousNoSqlKey, isDangerousProtoKey, isPlainObject, redactObjectPii, redactPii, sanitizeCommand, sanitizeEmailHeader, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeLdapDn, sanitizeLdapFilter, sanitizeObject, sanitizePath, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXpath, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii, scanThreats };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map