@arcis/node 1.4.4 → 1.5.1

package/dist/validation/index.d.ts

@@ -5,6 +5,8 @@
 export { validate, createValidator } from './schema';
 export { validateFile, sanitizeFilename, isDangerousExtension } from './file';
 export { validateUrl, isUrlSafe } from './url';
+export { validateUrlAsync, pinnedDnsLookup, safeFollowRedirect } from './url-async';
+export type { ValidateUrlAsyncOptions, ValidateUrlAsyncResult, DnsLookup, LookupAddress, } from './url-async';
 export { validateRedirect, isRedirectSafe } from './redirect';
 export { validateEmail, verifyEmailMx, isValidEmailSyntax } from './email';
 //# sourceMappingURL=index.d.ts.map

package/dist/validation/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/validation/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,QAAQ,CAAC;AAC9E,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/validation/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,QAAQ,CAAC;AAC9E,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACpF,YAAY,EACV,uBAAuB,EACvB,sBAAsB,EACtB,SAAS,EACT,aAAa,GACd,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC"}

package/dist/validation/index.js

@@ -2,6 +2,26 @@
 
 var dns = require('dns');
 
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var dns__namespace = /*#__PURE__*/_interopNamespace(dns);
+
 // src/core/constants.ts
 var INPUT = {
   /** Default maximum input size (1MB) */
@@ -33,8 +53,8 @@ var XSS_REMOVE_PATTERNS = [
   /** javascript: and vbscript: protocols (allow optional spaces before colon) */
   /javascript\s*:/gi,
   /vbscript\s*:/gi,
-  /** data: URIs with HTML/script content */
-  /data\s*:\s*text\/html[^>\s]*/gi,
+  /** data: URIs with HTML or SVG content (SVG can run JS via inline event handlers) */
+  /data\s*:\s*(?:text\/html|image\/svg)[^>\s]*/gi,
   /** form tag injection — phishing via action= redirection */
   /<form[\s>][^>]*/gi,
   /** meta tag injection — http-equiv refresh or CSP bypass */
@@ -118,10 +138,11 @@ var VALIDATION = {
   EMAIL: /^[^\s@.][^\s@]*(?:\.[^\s@.][^\s@]*)*@[^\s@]+\.[^\s@]+$/,
   /**
    * URL regex pattern.
-   * Only allows http:// and https:// — explicitly rejects javascript:,
-   * data:, vbscript:, and other dangerous URI schemes.
+   * Only allows http:// and https:// (case-insensitive scheme per
+   * RFC 3986); explicitly rejects javascript:, data:, vbscript:, and
+   * other dangerous URI schemes.
    */
-  URL: /^https?:\/\/[^\s/$.?#][^\s]*$/,
+  URL: /^https?:\/\/[^\s/$.?#][^\s]*$/i,
   /** UUID regex pattern (v4) */
   UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
 };
@@ -402,7 +423,12 @@ function validate(schema, source = "body") {
       res.status(400).json({ errors });
       return;
     }
-    req[source] = validated;
+    Object.defineProperty(req, source, {
+      value: validated,
+      writable: true,
+      configurable: true,
+      enumerable: true
+    });
     next();
   };
 }
@@ -899,6 +925,99 @@ function checkOctalIp(hostname, allowLocalhost, allowPrivate) {
   }
   return null;
 }
+var defaultLookup = (hostname) => new Promise((resolve, reject) => {
+  dns__namespace.lookup(hostname, { all: true }, (err, addresses) => {
+    if (err) reject(err);
+    else resolve(addresses);
+  });
+});
+function checkResolvedIp(ip, options) {
+  const isIpv6 = ip.includes(":");
+  const host = isIpv6 ? `[${ip}]` : ip;
+  const { allowedProtocols, allowLocalhost, allowPrivate } = options;
+  return validateUrl(`http://${host}/`, {
+    allowedProtocols,
+    allowLocalhost,
+    allowPrivate
+  });
+}
+async function validateUrlAsync(url, options = {}) {
+  const sync = validateUrl(url, options);
+  if (!sync.safe) return sync;
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return { safe: false, reason: "invalid URL: failed to parse" };
+  }
+  const host = parsed.hostname.replace(/^\[|\]$/g, "");
+  if (isLiteralIp(host)) return { safe: true };
+  if (options.allowedHosts?.some((h) => host.toLowerCase() === h.toLowerCase())) {
+    return { safe: true };
+  }
+  const lookup2 = options.lookup ?? defaultLookup;
+  let addresses;
+  try {
+    addresses = await lookup2(host);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { safe: false, reason: `DNS lookup failed: ${msg}` };
+  }
+  if (addresses.length === 0) {
+    return { safe: false, reason: "DNS returned no addresses" };
+  }
+  const ips = addresses.map((a) => a.address);
+  const acceptFirstPublic = options.acceptFirstPublic === true;
+  let firstPublic;
+  for (const ip of ips) {
+    const ipResult = checkResolvedIp(ip, options);
+    if (ipResult.safe) {
+      if (firstPublic === void 0) firstPublic = ip;
+    } else if (!acceptFirstPublic) {
+      return {
+        safe: false,
+        reason: `resolved IP ${ip} is unsafe: ${ipResult.reason}`,
+        resolvedIps: ips
+      };
+    }
+  }
+  if (firstPublic === void 0) {
+    return {
+      safe: false,
+      reason: "all resolved IPs are private/loopback",
+      resolvedIps: ips
+    };
+  }
+  return { safe: true, resolvedIp: firstPublic, resolvedIps: ips };
+}
+function pinnedDnsLookup(ip) {
+  if (typeof ip !== "string" || ip.trim() === "") {
+    throw new TypeError("pinnedDnsLookup: ip must be a non-empty string");
+  }
+  const family = ip.includes(":") ? 6 : 4;
+  return (_hostname, _options, callback) => {
+    callback(null, ip, family);
+  };
+}
+async function safeFollowRedirect(prev, location, options = {}) {
+  if (typeof location !== "string" || location.trim() === "") {
+    return { safe: false, reason: "redirect Location is empty" };
+  }
+  let absolute;
+  try {
+    absolute = new URL(location, prev);
+  } catch {
+    return { safe: false, reason: "invalid redirect URL" };
+  }
+  return validateUrlAsync(absolute.toString(), options);
+}
+function isLiteralIp(host) {
+  if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
+  if (/^\d+$/.test(host)) return true;
+  if (/^0[0-7x]/.test(host) && /^[0-9a-fx.]+$/i.test(host) && host.includes(".")) return true;
+  if (host.includes(":") && !/[/\s]/.test(host)) return true;
+  return false;
+}
 
 // src/validation/redirect.ts
 var DANGEROUS_PROTOCOLS = /^(javascript|data|vbscript|blob):/i;
@@ -913,8 +1032,8 @@ function validateRedirect(url, options = {}) {
     return { safe: false, reason: "invalid redirect: empty or not a string" };
   }
   const cleaned = url.replace(CONTROL_CHARS, "");
-  if (DANGEROUS_PROTOCOLS.test(cleaned)) {
-    const proto = cleaned.match(DANGEROUS_PROTOCOLS);
+  const proto = cleaned.match(DANGEROUS_PROTOCOLS);
+  if (proto) {
     return { safe: false, reason: `dangerous protocol: ${proto[0]}` };
   }
   if (cleaned.startsWith("\\")) {
@@ -944,11 +1063,12 @@ function validateRedirect(url, options = {}) {
     return { safe: false, reason: `disallowed protocol: ${parsed.protocol}` };
   }
   const hostname = parsed.hostname.toLowerCase();
+  const hostWithPort = parsed.port ? `${hostname}:${parsed.port}` : hostname;
   if (allowedHosts.length === 0) {
     return { safe: false, reason: "absolute URL not in allowed hosts" };
   }
-  if (!allowedHosts.some((h) => hostname === h.toLowerCase())) {
-    return { safe: false, reason: `host not allowed: ${hostname}` };
+  if (!allowedHosts.some((h) => h.toLowerCase() === hostWithPort)) {
+    return { safe: false, reason: `host not allowed: ${hostWithPort}` };
   }
   return { safe: true };
 }
@@ -956,8 +1076,10 @@ function isRedirectSafe(url, options = {}) {
   return validateRedirect(url, options).safe;
 }
 function extractHost(url) {
-  const match = url.match(/^\/\/([^/:?#]+)/);
-  return match ? match[1].toLowerCase() : null;
+  const match = url.match(/^\/\/([^/?#]+)/);
+  if (!match) return null;
+  const authority = match[1].includes("@") ? match[1].slice(match[1].indexOf("@") + 1) : match[1];
+  return authority.toLowerCase();
 }
 var MAX_EMAIL_LENGTH = 254;
 var MAX_LOCAL_LENGTH = 64;
@@ -1216,12 +1338,15 @@ exports.isDangerousExtension = isDangerousExtension;
 exports.isRedirectSafe = isRedirectSafe;
 exports.isUrlSafe = isUrlSafe;
 exports.isValidEmailSyntax = isValidEmailSyntax;
+exports.pinnedDnsLookup = pinnedDnsLookup;
+exports.safeFollowRedirect = safeFollowRedirect;
 exports.sanitizeFilename = sanitizeFilename;
 exports.validate = validate;
 exports.validateEmail = validateEmail;
 exports.validateFile = validateFile;
 exports.validateRedirect = validateRedirect;
 exports.validateUrl = validateUrl;
+exports.validateUrlAsync = validateUrlAsync;
 exports.verifyEmailMx = verifyEmailMx;
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map