@arcis/node 1.5.1 → 1.6.0

package/dist/middleware/index.mjs

@@ -136,7 +136,16 @@ var SQL_PATTERNS = [
   /** Time-based blind: PostgreSQL pg_sleep() */
   /\bpg_sleep\s*\(/gi,
   /** Time-based blind: MSSQL WAITFOR DELAY */
-  /\bWAITFOR\s+DELAY\b/gi
+  /\bWAITFOR\s+DELAY\b/gi,
+  /**
+   * Oracle DBMS_* stdlib packages used for time-based blind SQLi
+   * (DBMS_LOCK.SLEEP, DBMS_PIPE.RECEIVE_MESSAGE) and other Oracle
+   * abuse paths. No legitimate user input contains these. Mirrors
+   * `sqli-oracle-dbms-packages` in packages/core/patterns.json —
+   * improvements.md §1.1.e Q3. Must stay in sync until Node
+   * migrates to patterns.json-at-runtime (planned v1.7).
+   */
+  /\bDBMS_(?:LOCK|PIPE|UTILITY|XSLPROCESSOR|JAVA|OUTPUT|SCHEDULER)\b/gi
 ];
 var PATH_PATTERNS = [
   /** Unix path traversal */
@@ -174,6 +183,15 @@ var COMMAND_PATTERNS = [
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
   /\$\(/g,
+  /**
+   * POSIX shell IFS-substitution: ${IFS} or ${IFS%??}.
+   * Attackers use this to inject spaces past metacharacter filters
+   * in payloads like `;cat${IFS}/etc/passwd`. Mirrors
+   * `cmdi-ifs-bypass` in packages/core/patterns.json — improvements.md
+   * §1.1.e Q5. Must stay in sync until Node migrates to
+   * patterns.json-at-runtime (planned v1.7).
+   */
+  /\$\{IFS(?:%[^}]*)?\}/g,
   /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
   /%0[0-9a-f]/gi
 ];
@@ -975,6 +993,40 @@ function detectHeaderInjection(input) {
 }
 
 // src/sanitizers/sanitize.ts
+function multiDecode(value, maxPasses = 4) {
+  for (let i = 0; i < maxPasses; i++) {
+    const prev = value;
+    try {
+      value = decodeURIComponent(value);
+    } catch {
+    }
+    value = htmlEntityDecode(value);
+    if (value === prev) break;
+  }
+  return value;
+}
+function htmlEntityDecode(s) {
+  s = s.replace(/&#(\d+);/g, (_m, n) => {
+    const code = parseInt(n, 10);
+    return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
+  });
+  s = s.replace(/&#x([0-9a-fA-F]+);/g, (_m, h) => {
+    const code = parseInt(h, 16);
+    return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
+  });
+  const named = {
+    "&lt;": "<",
+    "&gt;": ">",
+    "&amp;": "&",
+    "&quot;": '"',
+    "&apos;": "'",
+    "&nbsp;": " "
+  };
+  for (const [entity, ch] of Object.entries(named)) {
+    s = s.split(entity).join(ch);
+  }
+  return s;
+}
 function sanitizeString(value, options = {}) {
   if (typeof value !== "string") return value;
   const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
@@ -982,7 +1034,8 @@ function sanitizeString(value, options = {}) {
     throw new InputTooLargeError(maxSize, value.length);
   }
   const reject = options.mode === "reject";
-  let result = value;
+  let result = value.normalize("NFKC");
+  result = multiDecode(result);
   if (options.sql !== false) {
     if (reject) {
       if (detectSql(result)) {
@@ -1141,7 +1194,9 @@ function createSanitizer(options = {}) {
 var DEFAULTS = {
   maxDepth: 10,
   maxLength: 1e4,
-  blockIntrospection: true
+  blockIntrospection: true,
+  maxAliases: 50,
+  blockFragmentCycles: true
 };
 var INTROSPECTION_PATTERN = /\b__(schema|type|typeKind|directive)\b/;
 function computeDepth(query) {
@@ -1158,22 +1213,87 @@ function computeDepth(query) {
   }
   return max;
 }
+var ALIAS_PATTERN = /\b([a-zA-Z_][a-zA-Z0-9_]*)\s*:\s*([a-zA-Z_][a-zA-Z0-9_]*)\b/g;
+var FRAGMENT_DEF_PATTERN = /\bfragment\s+([a-zA-Z_][a-zA-Z0-9_]*)\s+on\s+[a-zA-Z_][a-zA-Z0-9_]*\s*\{/g;
+var FRAGMENT_SPREAD_PATTERN = /\.\.\.\s*([a-zA-Z_][a-zA-Z0-9_]*)\b/g;
+function countAliases(query) {
+  let n = 0;
+  ALIAS_PATTERN.lastIndex = 0;
+  while (ALIAS_PATTERN.exec(query) !== null) n++;
+  return n;
+}
+function hasFragmentCycle(query) {
+  const deps = /* @__PURE__ */ new Map();
+  FRAGMENT_DEF_PATTERN.lastIndex = 0;
+  let match;
+  while ((match = FRAGMENT_DEF_PATTERN.exec(query)) !== null) {
+    const name = match[1];
+    const bodyStart = match.index + match[0].length;
+    let depth = 1;
+    let i = bodyStart;
+    while (i < query.length && depth > 0) {
+      const ch = query[i];
+      if (ch === "{") depth++;
+      else if (ch === "}") depth--;
+      i++;
+    }
+    const bodyEnd = depth === 0 ? i - 1 : i;
+    const body = query.slice(bodyStart, bodyEnd);
+    const spreads = /* @__PURE__ */ new Set();
+    FRAGMENT_SPREAD_PATTERN.lastIndex = 0;
+    let sm;
+    while ((sm = FRAGMENT_SPREAD_PATTERN.exec(body)) !== null) {
+      spreads.add(sm[1]);
+    }
+    deps.set(name, spreads);
+  }
+  if (deps.size === 0) return false;
+  const WHITE = 0;
+  const GRAY = 1;
+  const BLACK = 2;
+  const color = /* @__PURE__ */ new Map();
+  for (const name of deps.keys()) color.set(name, WHITE);
+  function visit(name) {
+    if (color.get(name) === GRAY) return true;
+    if (color.get(name) === BLACK) return false;
+    if (!deps.has(name)) return false;
+    color.set(name, GRAY);
+    for (const child of deps.get(name)) {
+      if (visit(child)) return true;
+    }
+    color.set(name, BLACK);
+    return false;
+  }
+  for (const name of deps.keys()) {
+    if (visit(name)) return true;
+  }
+  return false;
+}
 function inspectGraphqlQuery(query, options = {}) {
   const maxDepth = options.maxDepth ?? DEFAULTS.maxDepth;
   const maxLength = options.maxLength ?? DEFAULTS.maxLength;
   const blockIntrospection = options.blockIntrospection ?? DEFAULTS.blockIntrospection;
+  const maxAliases = options.maxAliases ?? DEFAULTS.maxAliases;
+  const blockFragmentCycles = options.blockFragmentCycles ?? DEFAULTS.blockFragmentCycles;
   const length = query.length;
   const depth = computeDepth(query);
+  const aliases = countAliases(query);
   if (depth > maxDepth) {
-    return { blocked: true, reason: "depth", depth, length };
+    return { blocked: true, reason: "depth", depth, length, aliases };
   }
   if (blockIntrospection && INTROSPECTION_PATTERN.test(query)) {
-    return { blocked: true, reason: "introspection", depth, length };
+    return { blocked: true, reason: "introspection", depth, length, aliases };
+  }
+  if (aliases > maxAliases) {
+    return { blocked: true, reason: "aliases", depth, length, aliases };
+  }
+  if (blockFragmentCycles && hasFragmentCycle(query)) {
+    return { blocked: true, reason: "fragment_cycle", depth, length, aliases };
   }
   if (length > maxLength) {
-    return { blocked: true, reason: "length", depth, length };
+    return { blocked: true, reason: "length", depth, length, aliases };
   }
-  return { blocked: false, depth, length };
+  return { blocked: false, depth, length, aliases };
 }
 
 // src/validation/schema.ts
@@ -8687,6 +8807,46 @@ function massAssign(options) {
 }
 
 // src/middleware/protect.ts
+function getClientIp(req) {
+  const xff = req?.headers?.["x-forwarded-for"] ?? req?.headers?.["X-Forwarded-For"];
+  if (typeof xff === "string" && xff.length > 0) {
+    const first = xff.split(",")[0]?.trim();
+    if (first) return first;
+  }
+  if (typeof req?.ip === "string") return req.ip;
+  const remote = req?.socket?.remoteAddress;
+  return typeof remote === "string" ? remote : "";
+}
+function correlationMiddleware(opts) {
+  const vector = opts.vector ?? "request";
+  const usernameField = opts.usernameField ?? "username";
+  const statusCode = opts.statusCode ?? 429;
+  const message = opts.message ?? "Suspicious request pattern detected.";
+  return function(req, res, next) {
+    const ip = getClientIp(req);
+    if (!ip) return next();
+    const route = opts.route ?? (req.path || req.url || "/");
+    const username = req?.body?.[usernameField];
+    const distinctValue = typeof username === "string" && username.length > 0 ? username : void 0;
+    const detections = opts.window.record(
+      ip,
+      vector,
+      route,
+      req.method || "GET",
+      distinctValue
+    );
+    if (detections.scanner || detections.credentialStuffing || detections.raceWindow) {
+      res.status(statusCode).json({
+        error: message,
+        scanner: detections.scanner,
+        credential_stuffing: detections.credentialStuffing,
+        race_window: detections.raceWindow
+      });
+      return;
+    }
+    next();
+  };
+}
 function resolve(override, defaults) {
   if (override === false) return null;
   if (override === void 0) return defaults;
@@ -8706,6 +8866,11 @@ function protectLogin(options = {}) {
   if (csrf) middlewares.push(csrfProtection(csrf));
   const sanitize = resolve(options.sanitize, {});
   if (sanitize) middlewares.push(createSanitizer(sanitize));
+  if (options.correlation) {
+    middlewares.push(
+      correlationMiddleware({ vector: "login", ...options.correlation })
+    );
+  }
   return middlewares;
 }
 function protectSignup(options = {}) {
@@ -8722,6 +8887,11 @@ function protectSignup(options = {}) {
   if (sanitize) middlewares.push(createSanitizer(sanitize));
   const signup = resolve(options.signup, {});
   if (signup) middlewares.push(signupProtection(signup));
+  if (options.correlation) {
+    middlewares.push(
+      correlationMiddleware({ vector: "signup", ...options.correlation })
+    );
+  }
   return middlewares;
 }
 function protectApi(options = {}) {
@@ -8732,6 +8902,11 @@ function protectApi(options = {}) {
   if (cors) middlewares.push(safeCors(cors));
   const sanitize = resolve(options.sanitize, {});
   if (sanitize) middlewares.push(createSanitizer(sanitize));
+  if (options.correlation) {
+    middlewares.push(
+      correlationMiddleware({ vector: "api", ...options.correlation })
+    );
+  }
   return middlewares;
 }
 
@@ -8739,7 +8914,9 @@ function protectApi(options = {}) {
 var DEFAULT_MESSAGES = {
   depth: "Query exceeds maximum nesting depth",
   length: "Query exceeds maximum length",
-  introspection: "Introspection queries are disabled"
+  introspection: "Introspection queries are disabled",
+  aliases: "Query exceeds maximum alias count (alias-bomb protection)",
+  fragment_cycle: "Query contains a cyclic fragment definition"
 };
 function extractQuery(req) {
   const bodyQuery = typeof req.body === "object" && req.body !== null ? req.body.query : void 0;
@@ -8878,6 +9055,186 @@ function responseSplittingGuard(options = {}) {
   };
 }
 
-export { ResponseSplittingError, arcis, arcisWithMethods as arcisFunction, botProtection, checkSignup, createCors, createCsrf, createErrorHandler, createHeaders, createRateLimiter, createSecureCookies, createSlidingWindowLimiter, createTokenBucketLimiter, csrfProtection, main_default as default, detectBot, detectResponseSplitting, enforceSecureCookie, errorHandler, eventLoopProtection, generateCsrfToken, graphqlGuard, massAssign, methodAllowlist, protectApi, protectLogin, protectSignup, rateLimit, responseSplittingGuard, safeCors, sanitizeResponseHeader, secureCookieDefaults, securityHeaders, signupProtection, validateCsrfToken };
+// src/middleware/correlation.ts
+var EMPTY_DETECTIONS = Object.freeze({
+  scanner: false,
+  credentialStuffing: false,
+  raceWindow: false,
+  distinctVectors: 0,
+  distinctValues: 0,
+  requestsInWindow: 0
+});
+function normalizePair(a, b) {
+  return a < b ? `${a}
${b}` : `${b}
${a}`;
+}
+var CorrelationWindow = class {
+  constructor(options = {}) {
+    // Map iteration order in JS is insertion order, so re-inserting on
+    // access gives us LRU behaviour without a separate linked list.
+    this.buckets = /* @__PURE__ */ new Map();
+    const {
+      windowSeconds = 60,
+      maxIps = 1e4,
+      maxEventsPerIp = 200,
+      scannerDistinctVectors = 3,
+      scannerMinRequests = 20,
+      credentialStuffingDistinctValues = 10,
+      raceWindowMs = 200,
+      racePairs
+    } = options;
+    if (windowSeconds <= 0) throw new Error("windowSeconds must be > 0");
+    if (maxIps < 1) throw new Error("maxIps must be >= 1");
+    if (maxEventsPerIp < 1) throw new Error("maxEventsPerIp must be >= 1");
+    this.windowSeconds = windowSeconds;
+    this.maxIps = maxIps;
+    this.maxEventsPerIp = maxEventsPerIp;
+    this.scannerDistinctVectors = scannerDistinctVectors;
+    this.scannerMinRequests = scannerMinRequests;
+    this.csDistinctValues = credentialStuffingDistinctValues;
+    this.raceWindowSeconds = raceWindowMs / 1e3;
+    this.racePairKeys = /* @__PURE__ */ new Set();
+    this.racePairTuples = [];
+    if (racePairs) {
+      for (const [a, b] of racePairs) {
+        const key = normalizePair(a, b);
+        if (!this.racePairKeys.has(key)) {
+          this.racePairKeys.add(key);
+          const sorted = a < b ? [a, b] : [b, a];
+          this.racePairTuples.push(sorted);
+        }
+      }
+    }
+  }
+  record(ip, vector, route, method = "GET", distinctValue, now) {
+    if (!ip) return EMPTY_DETECTIONS;
+    const ts = now ?? Date.now() / 1e3;
+    const event = {
+      timestamp: ts,
+      vector,
+      route,
+      method,
+      distinctValue
+    };
+    let bucket = this.buckets.get(ip);
+    if (bucket === void 0) {
+      bucket = { events: [] };
+      this.buckets.set(ip, bucket);
+      while (this.buckets.size > this.maxIps) {
+        const oldest = this.buckets.keys().next().value;
+        if (oldest === void 0) break;
+        this.buckets.delete(oldest);
+      }
+    } else {
+      this.buckets.delete(ip);
+      this.buckets.set(ip, bucket);
+    }
+    bucket.events.push(event);
+    this.evictStale(bucket, ts);
+    return this.evaluate(bucket, route);
+  }
+  detectScanner(ip, now) {
+    const bucket = this.buckets.get(ip);
+    if (bucket === void 0) return false;
+    this.evictStale(bucket, now ?? Date.now() / 1e3);
+    return this.isScanner(bucket);
+  }
+  detectCredentialStuffing(ip, route, now) {
+    const bucket = this.buckets.get(ip);
+    if (bucket === void 0) return false;
+    this.evictStale(bucket, now ?? Date.now() / 1e3);
+    return this.isCredentialStuffing(bucket, route);
+  }
+  detectRaceWindow(ip, routePair, now) {
+    const bucket = this.buckets.get(ip);
+    if (bucket === void 0) return false;
+    this.evictStale(bucket, now ?? Date.now() / 1e3);
+    const sorted = routePair[0] < routePair[1] ? routePair : [routePair[1], routePair[0]];
+    return this.racePairInBucket(bucket, sorted);
+  }
+  reset(ip) {
+    if (ip === void 0) {
+      this.buckets.clear();
+    } else {
+      this.buckets.delete(ip);
+    }
+  }
+  stats() {
+    let events = 0;
+    for (const b of this.buckets.values()) events += b.events.length;
+    return { trackedIps: this.buckets.size, eventsInWindow: events };
+  }
+  // -------------------------------------------------------- internals
+  evictStale(bucket, now) {
+    const cutoff = now - this.windowSeconds;
+    let drop = 0;
+    while (drop < bucket.events.length && bucket.events[drop].timestamp < cutoff) {
+      drop++;
+    }
+    if (drop > 0) bucket.events.splice(0, drop);
+    if (bucket.events.length > this.maxEventsPerIp) {
+      bucket.events.splice(0, bucket.events.length - this.maxEventsPerIp);
+    }
+  }
+  evaluate(bucket, route) {
+    const vectors = /* @__PURE__ */ new Set();
+    const values = /* @__PURE__ */ new Set();
+    for (const e of bucket.events) {
+      vectors.add(e.vector);
+      if (e.route === route && e.distinctValue !== void 0) {
+        values.add(e.distinctValue);
+      }
+    }
+    return {
+      scanner: this.isScanner(bucket),
+      credentialStuffing: this.isCredentialStuffing(bucket, route),
+      raceWindow: this.isRaceAny(bucket),
+      distinctVectors: vectors.size,
+      distinctValues: values.size,
+      requestsInWindow: bucket.events.length
+    };
+  }
+  isScanner(bucket) {
+    if (bucket.events.length < this.scannerMinRequests) return false;
+    const vectors = /* @__PURE__ */ new Set();
+    for (const e of bucket.events) vectors.add(e.vector);
+    return vectors.size >= this.scannerDistinctVectors;
+  }
+  isCredentialStuffing(bucket, route) {
+    const values = /* @__PURE__ */ new Set();
+    for (const e of bucket.events) {
+      if (e.route === route && e.distinctValue !== void 0) {
+        values.add(e.distinctValue);
+      }
+    }
+    return values.size >= this.csDistinctValues;
+  }
+  racePairInBucket(bucket, sorted) {
+    const [a, b] = sorted;
+    const aTs = [];
+    const bTs = [];
+    for (const e of bucket.events) {
+      if (e.route === a) aTs.push(e.timestamp);
+      else if (e.route === b) bTs.push(e.timestamp);
+    }
+    if (aTs.length === 0 || bTs.length === 0) return false;
+    let ai = 0;
+    let bi = 0;
+    while (ai < aTs.length && bi < bTs.length) {
+      const diff = aTs[ai] - bTs[bi];
+      if (Math.abs(diff) <= this.raceWindowSeconds) return true;
+      if (diff < 0) ai++;
+      else bi++;
+    }
+    return false;
+  }
+  isRaceAny(bucket) {
+    for (const pair of this.racePairTuples) {
+      if (this.racePairInBucket(bucket, pair)) return true;
+    }
+    return false;
+  }
+};
+
+export { CorrelationWindow, ResponseSplittingError, arcis, arcisWithMethods as arcisFunction, botProtection, checkSignup, createCors, createCsrf, createErrorHandler, createHeaders, createRateLimiter, createSecureCookies, createSlidingWindowLimiter, createTokenBucketLimiter, csrfProtection, main_default as default, detectBot, detectResponseSplitting, enforceSecureCookie, errorHandler, eventLoopProtection, generateCsrfToken, graphqlGuard, massAssign, methodAllowlist, protectApi, protectLogin, protectSignup, rateLimit, responseSplittingGuard, safeCors, sanitizeResponseHeader, secureCookieDefaults, securityHeaders, signupProtection, validateCsrfToken };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map