npm - @arcis/node - Versions diffs - 1.5.1 → 1.6.0 - Mend

@arcis/node 1.5.1 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

package/README.md +48 -7
package/dist/astro/index.js.map +1 -1
package/dist/astro/index.mjs.map +1 -1
package/dist/bun/index.js.map +1 -1
package/dist/bun/index.mjs.map +1 -1
package/dist/core/constants.d.ts +2 -2
package/dist/core/constants.d.ts.map +1 -1
package/dist/core/index.js +19 -1
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +19 -1
package/dist/core/index.mjs.map +1 -1
package/dist/fastify/index.js.map +1 -1
package/dist/fastify/index.mjs.map +1 -1
package/dist/hono/index.js.map +1 -1
package/dist/hono/index.mjs.map +1 -1
package/dist/index.d.ts +3 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +407 -8
package/dist/index.js.map +1 -1
package/dist/index.mjs +407 -9
package/dist/index.mjs.map +1 -1
package/dist/koa/index.js.map +1 -1
package/dist/koa/index.mjs.map +1 -1
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/middleware/correlation.d.ts +87 -0
package/dist/middleware/correlation.d.ts.map +1 -0
package/dist/middleware/graphql.d.ts.map +1 -1
package/dist/middleware/index.d.ts +3 -1
package/dist/middleware/index.d.ts.map +1 -1
package/dist/middleware/index.js +366 -8
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +366 -9
package/dist/middleware/index.mjs.map +1 -1
package/dist/middleware/protect.d.ts +32 -0
package/dist/middleware/protect.d.ts.map +1 -1
package/dist/nestjs/index.js +55 -2
package/dist/nestjs/index.js.map +1 -1
package/dist/nestjs/index.mjs +55 -2
package/dist/nestjs/index.mjs.map +1 -1
package/dist/nextjs/index.js.map +1 -1
package/dist/nextjs/index.mjs.map +1 -1
package/dist/nuxt/index.js.map +1 -1
package/dist/nuxt/index.mjs.map +1 -1
package/dist/sanitizers/deserialization.d.ts +30 -0
package/dist/sanitizers/deserialization.d.ts.map +1 -0
package/dist/sanitizers/graphql.d.ts +20 -3
package/dist/sanitizers/graphql.d.ts.map +1 -1
package/dist/sanitizers/index.d.ts +2 -0
package/dist/sanitizers/index.d.ts.map +1 -1
package/dist/sanitizers/index.js +150 -7
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +149 -8
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/sanitizers/prompt-injection.d.ts.map +1 -1
package/dist/sanitizers/sanitize.d.ts +0 -20
package/dist/sanitizers/sanitize.d.ts.map +1 -1
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs.map +1 -1
package/dist/sveltekit/index.js.map +1 -1
package/dist/sveltekit/index.mjs.map +1 -1
package/dist/validation/index.js +55 -2
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs +55 -2
package/dist/validation/index.mjs.map +1 -1
package/package.json +2 -2

package/dist/middleware/index.js CHANGED Viewed

@@ -140,7 +140,16 @@ var SQL_PATTERNS = [
   /** Time-based blind: PostgreSQL pg_sleep() */
   /\bpg_sleep\s*\(/gi,
   /** Time-based blind: MSSQL WAITFOR DELAY */
-  /\bWAITFOR\s+DELAY\b/gi
+  /\bWAITFOR\s+DELAY\b/gi,
+  /**
+   * Oracle DBMS_* stdlib packages used for time-based blind SQLi
+   * (DBMS_LOCK.SLEEP, DBMS_PIPE.RECEIVE_MESSAGE) and other Oracle
+   * abuse paths. No legitimate user input contains these. Mirrors
+   * `sqli-oracle-dbms-packages` in packages/core/patterns.json —
+   * improvements.md §1.1.e Q3. Must stay in sync until Node
+   * migrates to patterns.json-at-runtime (planned v1.7).
+   */
+  /\bDBMS_(?:LOCK|PIPE|UTILITY|XSLPROCESSOR|JAVA|OUTPUT|SCHEDULER)\b/gi
 ];
 var PATH_PATTERNS = [
   /** Unix path traversal */
@@ -178,6 +187,15 @@ var COMMAND_PATTERNS = [
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
   /\$\(/g,
+  /**
+   * POSIX shell IFS-substitution: ${IFS} or ${IFS%??}.
+   * Attackers use this to inject spaces past metacharacter filters
+   * in payloads like `;cat${IFS}/etc/passwd`. Mirrors
+   * `cmdi-ifs-bypass` in packages/core/patterns.json — improvements.md
+   * §1.1.e Q5. Must stay in sync until Node migrates to
+   * patterns.json-at-runtime (planned v1.7).
+   */
+  /\$\{IFS(?:%[^}]*)?\}/g,
   /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
   /%0[0-9a-f]/gi
 ];
@@ -979,6 +997,40 @@ function detectHeaderInjection(input) {
 }
 // src/sanitizers/sanitize.ts
+function multiDecode(value, maxPasses = 4) {
+  for (let i = 0; i < maxPasses; i++) {
+    const prev = value;
+    try {
+      value = decodeURIComponent(value);
+    } catch {
+    }
+    value = htmlEntityDecode(value);
+    if (value === prev) break;
+  }
+  return value;
+}
+function htmlEntityDecode(s) {
+  s = s.replace(/&#(\d+);/g, (_m, n) => {
+    const code = parseInt(n, 10);
+    return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
+  });
+  s = s.replace(/&#x([0-9a-fA-F]+);/g, (_m, h) => {
+    const code = parseInt(h, 16);
+    return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
+  });
+  const named = {
+    "&lt;": "<",
+    "&gt;": ">",
+    "&amp;": "&",
+    "&quot;": '"',
+    "&apos;": "'",
+    "&nbsp;": " "
+  };
+  for (const [entity, ch] of Object.entries(named)) {
+    s = s.split(entity).join(ch);
+  }
+  return s;
+}
 function sanitizeString(value, options = {}) {
   if (typeof value !== "string") return value;
   const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
@@ -986,7 +1038,8 @@ function sanitizeString(value, options = {}) {
     throw new InputTooLargeError(maxSize, value.length);
   }
   const reject = options.mode === "reject";
-  let result = value;
+  let result = value.normalize("NFKC");
+  result = multiDecode(result);
   if (options.sql !== false) {
     if (reject) {
       if (detectSql(result)) {
@@ -1145,7 +1198,9 @@ function createSanitizer(options = {}) {
 var DEFAULTS = {
   maxDepth: 10,
   maxLength: 1e4,
-  blockIntrospection: true
+  blockIntrospection: true,
+  maxAliases: 50,
+  blockFragmentCycles: true
 };
 var INTROSPECTION_PATTERN = /\b__(schema|type|typeKind|directive)\b/;
 function computeDepth(query) {
@@ -1162,22 +1217,87 @@ function computeDepth(query) {
   }
   return max;
 }
+var ALIAS_PATTERN = /\b([a-zA-Z_][a-zA-Z0-9_]*)\s*:\s*([a-zA-Z_][a-zA-Z0-9_]*)\b/g;
+var FRAGMENT_DEF_PATTERN = /\bfragment\s+([a-zA-Z_][a-zA-Z0-9_]*)\s+on\s+[a-zA-Z_][a-zA-Z0-9_]*\s*\{/g;
+var FRAGMENT_SPREAD_PATTERN = /\.\.\.\s*([a-zA-Z_][a-zA-Z0-9_]*)\b/g;
+function countAliases(query) {
+  let n = 0;
+  ALIAS_PATTERN.lastIndex = 0;
+  while (ALIAS_PATTERN.exec(query) !== null) n++;
+  return n;
+}
+function hasFragmentCycle(query) {
+  const deps = /* @__PURE__ */ new Map();
+  FRAGMENT_DEF_PATTERN.lastIndex = 0;
+  let match;
+  while ((match = FRAGMENT_DEF_PATTERN.exec(query)) !== null) {
+    const name = match[1];
+    const bodyStart = match.index + match[0].length;
+    let depth = 1;
+    let i = bodyStart;
+    while (i < query.length && depth > 0) {
+      const ch = query[i];
+      if (ch === "{") depth++;
+      else if (ch === "}") depth--;
+      i++;
+    }
+    const bodyEnd = depth === 0 ? i - 1 : i;
+    const body = query.slice(bodyStart, bodyEnd);
+    const spreads = /* @__PURE__ */ new Set();
+    FRAGMENT_SPREAD_PATTERN.lastIndex = 0;
+    let sm;
+    while ((sm = FRAGMENT_SPREAD_PATTERN.exec(body)) !== null) {
+      spreads.add(sm[1]);
+    }
+    deps.set(name, spreads);
+  }
+  if (deps.size === 0) return false;
+  const WHITE = 0;
+  const GRAY = 1;
+  const BLACK = 2;
+  const color = /* @__PURE__ */ new Map();
+  for (const name of deps.keys()) color.set(name, WHITE);
+  function visit(name) {
+    if (color.get(name) === GRAY) return true;
+    if (color.get(name) === BLACK) return false;
+    if (!deps.has(name)) return false;
+    color.set(name, GRAY);
+    for (const child of deps.get(name)) {
+      if (visit(child)) return true;
+    }
+    color.set(name, BLACK);
+    return false;
+  }
+  for (const name of deps.keys()) {
+    if (visit(name)) return true;
+  }
+  return false;
+}
 function inspectGraphqlQuery(query, options = {}) {
   const maxDepth = options.maxDepth ?? DEFAULTS.maxDepth;
   const maxLength = options.maxLength ?? DEFAULTS.maxLength;
   const blockIntrospection = options.blockIntrospection ?? DEFAULTS.blockIntrospection;
+  const maxAliases = options.maxAliases ?? DEFAULTS.maxAliases;
+  const blockFragmentCycles = options.blockFragmentCycles ?? DEFAULTS.blockFragmentCycles;
   const length = query.length;
   const depth = computeDepth(query);
+  const aliases = countAliases(query);
   if (depth > maxDepth) {
-    return { blocked: true, reason: "depth", depth, length };
+    return { blocked: true, reason: "depth", depth, length, aliases };
   }
   if (blockIntrospection && INTROSPECTION_PATTERN.test(query)) {
-    return { blocked: true, reason: "introspection", depth, length };
+    return { blocked: true, reason: "introspection", depth, length, aliases };
+  }
+  if (aliases > maxAliases) {
+    return { blocked: true, reason: "aliases", depth, length, aliases };
+  }
+  if (blockFragmentCycles && hasFragmentCycle(query)) {
+    return { blocked: true, reason: "fragment_cycle", depth, length, aliases };
   }
   if (length > maxLength) {
-    return { blocked: true, reason: "length", depth, length };
+    return { blocked: true, reason: "length", depth, length, aliases };
   }
-  return { blocked: false, depth, length };
+  return { blocked: false, depth, length, aliases };
 }
 // src/validation/schema.ts
@@ -8691,6 +8811,46 @@ function massAssign(options) {
 }
 // src/middleware/protect.ts
+function getClientIp(req) {
+  const xff = req?.headers?.["x-forwarded-for"] ?? req?.headers?.["X-Forwarded-For"];
+  if (typeof xff === "string" && xff.length > 0) {
+    const first = xff.split(",")[0]?.trim();
+    if (first) return first;
+  }
+  if (typeof req?.ip === "string") return req.ip;
+  const remote = req?.socket?.remoteAddress;
+  return typeof remote === "string" ? remote : "";
+}
+function correlationMiddleware(opts) {
+  const vector = opts.vector ?? "request";
+  const usernameField = opts.usernameField ?? "username";
+  const statusCode = opts.statusCode ?? 429;
+  const message = opts.message ?? "Suspicious request pattern detected.";
+  return function(req, res, next) {
+    const ip = getClientIp(req);
+    if (!ip) return next();
+    const route = opts.route ?? (req.path || req.url || "/");
+    const username = req?.body?.[usernameField];
+    const distinctValue = typeof username === "string" && username.length > 0 ? username : void 0;
+    const detections = opts.window.record(
+      ip,
+      vector,
+      route,
+      req.method || "GET",
+      distinctValue
+    );
+    if (detections.scanner || detections.credentialStuffing || detections.raceWindow) {
+      res.status(statusCode).json({
+        error: message,
+        scanner: detections.scanner,
+        credential_stuffing: detections.credentialStuffing,
+        race_window: detections.raceWindow
+      });
+      return;
+    }
+    next();
+  };
+}
 function resolve(override, defaults) {
   if (override === false) return null;
   if (override === void 0) return defaults;
@@ -8710,6 +8870,11 @@ function protectLogin(options = {}) {
   if (csrf) middlewares.push(csrfProtection(csrf));
   const sanitize = resolve(options.sanitize, {});
   if (sanitize) middlewares.push(createSanitizer(sanitize));
+  if (options.correlation) {
+    middlewares.push(
+      correlationMiddleware({ vector: "login", ...options.correlation })
+    );
+  }
   return middlewares;
 }
 function protectSignup(options = {}) {
@@ -8726,6 +8891,11 @@ function protectSignup(options = {}) {
   if (sanitize) middlewares.push(createSanitizer(sanitize));
   const signup = resolve(options.signup, {});
   if (signup) middlewares.push(signupProtection(signup));
+  if (options.correlation) {
+    middlewares.push(
+      correlationMiddleware({ vector: "signup", ...options.correlation })
+    );
+  }
   return middlewares;
 }
 function protectApi(options = {}) {
@@ -8736,6 +8906,11 @@ function protectApi(options = {}) {
   if (cors) middlewares.push(safeCors(cors));
   const sanitize = resolve(options.sanitize, {});
   if (sanitize) middlewares.push(createSanitizer(sanitize));
+  if (options.correlation) {
+    middlewares.push(
+      correlationMiddleware({ vector: "api", ...options.correlation })
+    );
+  }
   return middlewares;
 }
@@ -8743,7 +8918,9 @@ function protectApi(options = {}) {
 var DEFAULT_MESSAGES = {
   depth: "Query exceeds maximum nesting depth",
   length: "Query exceeds maximum length",
-  introspection: "Introspection queries are disabled"
+  introspection: "Introspection queries are disabled",
+  aliases: "Query exceeds maximum alias count (alias-bomb protection)",
+  fragment_cycle: "Query contains a cyclic fragment definition"
 };
 function extractQuery(req) {
   const bodyQuery = typeof req.body === "object" && req.body !== null ? req.body.query : void 0;
@@ -8882,6 +9059,187 @@ function responseSplittingGuard(options = {}) {
   };
 }
+// src/middleware/correlation.ts
+var EMPTY_DETECTIONS = Object.freeze({
+  scanner: false,
+  credentialStuffing: false,
+  raceWindow: false,
+  distinctVectors: 0,
+  distinctValues: 0,
+  requestsInWindow: 0
+});
+function normalizePair(a, b) {
+  return a < b ? `${a}${b}` : `${b}${a}`;
+}
+var CorrelationWindow = class {
+  constructor(options = {}) {
+    // Map iteration order in JS is insertion order, so re-inserting on
+    // access gives us LRU behaviour without a separate linked list.
+    this.buckets = /* @__PURE__ */ new Map();
+    const {
+      windowSeconds = 60,
+      maxIps = 1e4,
+      maxEventsPerIp = 200,
+      scannerDistinctVectors = 3,
+      scannerMinRequests = 20,
+      credentialStuffingDistinctValues = 10,
+      raceWindowMs = 200,
+      racePairs
+    } = options;
+    if (windowSeconds <= 0) throw new Error("windowSeconds must be > 0");
+    if (maxIps < 1) throw new Error("maxIps must be >= 1");
+    if (maxEventsPerIp < 1) throw new Error("maxEventsPerIp must be >= 1");
+    this.windowSeconds = windowSeconds;
+    this.maxIps = maxIps;
+    this.maxEventsPerIp = maxEventsPerIp;
+    this.scannerDistinctVectors = scannerDistinctVectors;
+    this.scannerMinRequests = scannerMinRequests;
+    this.csDistinctValues = credentialStuffingDistinctValues;
+    this.raceWindowSeconds = raceWindowMs / 1e3;
+    this.racePairKeys = /* @__PURE__ */ new Set();
+    this.racePairTuples = [];
+    if (racePairs) {
+      for (const [a, b] of racePairs) {
+        const key = normalizePair(a, b);
+        if (!this.racePairKeys.has(key)) {
+          this.racePairKeys.add(key);
+          const sorted = a < b ? [a, b] : [b, a];
+          this.racePairTuples.push(sorted);
+        }
+      }
+    }
+  }
+  record(ip, vector, route, method = "GET", distinctValue, now) {
+    if (!ip) return EMPTY_DETECTIONS;
+    const ts = now ?? Date.now() / 1e3;
+    const event = {
+      timestamp: ts,
+      vector,
+      route,
+      method,
+      distinctValue
+    };
+    let bucket = this.buckets.get(ip);
+    if (bucket === void 0) {
+      bucket = { events: [] };
+      this.buckets.set(ip, bucket);
+      while (this.buckets.size > this.maxIps) {
+        const oldest = this.buckets.keys().next().value;
+        if (oldest === void 0) break;
+        this.buckets.delete(oldest);
+      }
+    } else {
+      this.buckets.delete(ip);
+      this.buckets.set(ip, bucket);
+    }
+    bucket.events.push(event);
+    this.evictStale(bucket, ts);
+    return this.evaluate(bucket, route);
+  }
+  detectScanner(ip, now) {
+    const bucket = this.buckets.get(ip);
+    if (bucket === void 0) return false;
+    this.evictStale(bucket, now ?? Date.now() / 1e3);
+    return this.isScanner(bucket);
+  }
+  detectCredentialStuffing(ip, route, now) {
+    const bucket = this.buckets.get(ip);
+    if (bucket === void 0) return false;
+    this.evictStale(bucket, now ?? Date.now() / 1e3);
+    return this.isCredentialStuffing(bucket, route);
+  }
+  detectRaceWindow(ip, routePair, now) {
+    const bucket = this.buckets.get(ip);
+    if (bucket === void 0) return false;
+    this.evictStale(bucket, now ?? Date.now() / 1e3);
+    const sorted = routePair[0] < routePair[1] ? routePair : [routePair[1], routePair[0]];
+    return this.racePairInBucket(bucket, sorted);
+  }
+  reset(ip) {
+    if (ip === void 0) {
+      this.buckets.clear();
+    } else {
+      this.buckets.delete(ip);
+    }
+  }
+  stats() {
+    let events = 0;
+    for (const b of this.buckets.values()) events += b.events.length;
+    return { trackedIps: this.buckets.size, eventsInWindow: events };
+  }
+  // -------------------------------------------------------- internals
+  evictStale(bucket, now) {
+    const cutoff = now - this.windowSeconds;
+    let drop = 0;
+    while (drop < bucket.events.length && bucket.events[drop].timestamp < cutoff) {
+      drop++;
+    }
+    if (drop > 0) bucket.events.splice(0, drop);
+    if (bucket.events.length > this.maxEventsPerIp) {
+      bucket.events.splice(0, bucket.events.length - this.maxEventsPerIp);
+    }
+  }
+  evaluate(bucket, route) {
+    const vectors = /* @__PURE__ */ new Set();
+    const values = /* @__PURE__ */ new Set();
+    for (const e of bucket.events) {
+      vectors.add(e.vector);
+      if (e.route === route && e.distinctValue !== void 0) {
+        values.add(e.distinctValue);
+      }
+    }
+    return {
+      scanner: this.isScanner(bucket),
+      credentialStuffing: this.isCredentialStuffing(bucket, route),
+      raceWindow: this.isRaceAny(bucket),
+      distinctVectors: vectors.size,
+      distinctValues: values.size,
+      requestsInWindow: bucket.events.length
+    };
+  }
+  isScanner(bucket) {
+    if (bucket.events.length < this.scannerMinRequests) return false;
+    const vectors = /* @__PURE__ */ new Set();
+    for (const e of bucket.events) vectors.add(e.vector);
+    return vectors.size >= this.scannerDistinctVectors;
+  }
+  isCredentialStuffing(bucket, route) {
+    const values = /* @__PURE__ */ new Set();
+    for (const e of bucket.events) {
+      if (e.route === route && e.distinctValue !== void 0) {
+        values.add(e.distinctValue);
+      }
+    }
+    return values.size >= this.csDistinctValues;
+  }
+  racePairInBucket(bucket, sorted) {
+    const [a, b] = sorted;
+    const aTs = [];
+    const bTs = [];
+    for (const e of bucket.events) {
+      if (e.route === a) aTs.push(e.timestamp);
+      else if (e.route === b) bTs.push(e.timestamp);
+    }
+    if (aTs.length === 0 || bTs.length === 0) return false;
+    let ai = 0;
+    let bi = 0;
+    while (ai < aTs.length && bi < bTs.length) {
+      const diff = aTs[ai] - bTs[bi];
+      if (Math.abs(diff) <= this.raceWindowSeconds) return true;
+      if (diff < 0) ai++;
+      else bi++;
+    }
+    return false;
+  }
+  isRaceAny(bucket) {
+    for (const pair of this.racePairTuples) {
+      if (this.racePairInBucket(bucket, pair)) return true;
+    }
+    return false;
+  }
+};
+exports.CorrelationWindow = CorrelationWindow;
 exports.ResponseSplittingError = ResponseSplittingError;
 exports.arcis = arcis;
 exports.arcisFunction = arcisWithMethods;