@arcis/node 1.5.1 → 1.6.0

package/dist/sanitizers/deserialization.d.ts

@@ -0,0 +1,30 @@
+/**
+ * @module @arcis/node/sanitizers/deserialization
+ *
+ * V33 — Modern deserialization marker detection (improvements.md §1.2).
+ *
+ * Detect input that LOOKS like a serialized-object payload for
+ * runtimes where deserialization equals code execution: Python
+ * pickle, Java FastJSON, PHP unserialize, Ruby Marshal, .NET
+ * BinaryFormatter.
+ *
+ * Detection-only — the right response to a hit is "refuse the
+ * request" not "strip the bytes and pass through" (a forgiving
+ * parser might still deserialize the remainder to something
+ * dangerous). Caller decides.
+ *
+ * Mirrors `arcis-python/arcis/sanitizers/deserialization.py`. Both
+ * SDKs must accept the same base corpus per Pattern 7.
+ */
+export type DeserializeRuntime = 'python_pickle' | 'java_fastjson' | 'php_unserialize' | 'ruby_marshal' | 'dotnet_binary_formatter';
+/**
+ * Detect a serialized-object marker for any known runtime.
+ *
+ * Returns the runtime tag if a marker matches, or null if the input
+ * looks safe. Precedence: head-byte markers (pickle / Ruby / .NET)
+ * before embedded markers (FastJSON / PHP).
+ */
+export declare function detectDeserialization(payload: string): DeserializeRuntime | null;
+/** Convenience boolean wrapper around `detectDeserialization`. */
+export declare function isSerializedPayload(payload: string): boolean;
+//# sourceMappingURL=deserialization.d.ts.map

package/dist/sanitizers/deserialization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deserialization.d.ts","sourceRoot":"","sources":["../../src/sanitizers/deserialization.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,MAAM,MAAM,kBAAkB,GAC1B,eAAe,GACf,eAAe,GACf,iBAAiB,GACjB,cAAc,GACd,yBAAyB,CAAC;AAiB9B;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,MAAM,GACd,kBAAkB,GAAG,IAAI,CAU3B;AAED,kEAAkE;AAClE,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAE5D"}

package/dist/sanitizers/graphql.d.ts

@@ -44,17 +44,34 @@ export interface GraphqlGuardOptions {
      * Studio. Production should leave this on.
      */
     blockIntrospection?: boolean;
+    /**
+     * Maximum number of field aliases per query (`label: field`).
+     * Default: 50. Alias-bomb attacks repeat the same expensive field
+     * under many labels to multiply backend cost. Real queries rarely
+     * use more than 20 aliases. improvements.md §1.2 V34.
+     */
+    maxAliases?: number;
+    /**
+     * Reject queries whose fragment definitions form a cycle (direct
+     * self-reference `fragment A on T { ...A }` or indirect
+     * `A → B → A`). Such cycles either infinite-loop a naive resolver
+     * or get rejected by `graphql-core` with a 500. Default: true.
+     * improvements.md §1.2 V34.
+     */
+    blockFragmentCycles?: boolean;
 }
-export type GraphqlViolation = 'depth' | 'length' | 'introspection';
+export type GraphqlViolation = 'depth' | 'length' | 'introspection' | 'aliases' | 'fragment_cycle';
 export interface GraphqlGuardResult {
     /** True if the query violated any configured limit. */
     blocked: boolean;
-    /** Which limit fired first (depth → introspection → length precedence). */
+    /** Which limit fired first. Precedence: depth → introspection → aliases → fragment_cycle → length. */
     reason?: GraphqlViolation;
-    /** Observed nesting depth. Always returned, even on clean queries. */
+    /** Observed nesting depth. Always returned. */
     depth: number;
     /** Observed length. Always returned. */
     length: number;
+    /** Observed alias count (improvements.md §1.2 V34). Always returned. */
+    aliases: number;
 }
 /**
  * Inspect a GraphQL query against the configured limits. Returns a

package/dist/sanitizers/graphql.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graphql.d.ts","sourceRoot":"","sources":["../../src/sanitizers/graphql.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,MAAM,WAAW,mBAAmB;IAClC,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iEAAiE;IACjE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,MAAM,MAAM,gBAAgB,GAAG,OAAO,GAAG,QAAQ,GAAG,eAAe,CAAC;AAEpE,MAAM,WAAW,kBAAkB;IACjC,uDAAuD;IACvD,OAAO,EAAE,OAAO,CAAC;IACjB,2EAA2E;IAC3E,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,sEAAsE;IACtE,KAAK,EAAE,MAAM,CAAC;IACd,wCAAwC;IACxC,MAAM,EAAE,MAAM,CAAC;CAChB;AA2CD;;;;GAIG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,mBAAwB,GAChC,kBAAkB,CAwBpB;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAGT"}
+{"version":3,"file":"graphql.d.ts","sourceRoot":"","sources":["../../src/sanitizers/graphql.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,MAAM,WAAW,mBAAmB;IAClC,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iEAAiE;IACjE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;;;OAMG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B;AAED,MAAM,MAAM,gBAAgB,GACxB,OAAO,GACP,QAAQ,GACR,eAAe,GACf,SAAS,GACT,gBAAgB,CAAC;AAErB,MAAM,WAAW,kBAAkB;IACjC,uDAAuD;IACvD,OAAO,EAAE,OAAO,CAAC;IACjB,sGAAsG;IACtG,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,+CAA+C;IAC/C,KAAK,EAAE,MAAM,CAAC;IACd,wCAAwC;IACxC,MAAM,EAAE,MAAM,CAAC;IACf,wEAAwE;IACxE,OAAO,EAAE,MAAM,CAAC;CACjB;AA8HD;;;;GAIG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,mBAAwB,GAChC,kBAAkB,CAiCpB;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAGT"}

package/dist/sanitizers/index.d.ts

@@ -20,5 +20,7 @@ export { sanitizeLdapFilter, sanitizeLdapDn, detectLdapInjection } from './ldap'
 export { sanitizeXpath, detectXpathInjection } from './xpath';
 export { inspectGraphqlQuery, detectGraphqlAbuse, } from './graphql';
 export type { GraphqlGuardOptions, GraphqlGuardResult, GraphqlViolation, } from './graphql';
+export { detectDeserialization, isSerializedPayload } from './deserialization';
+export type { DeserializeRuntime } from './deserialization';
 export { encodeHtmlEntities, isPlainObject } from './utils';
 //# sourceMappingURL=index.d.ts.map

package/dist/sanitizers/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitizers/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC1F,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAG5C,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAGpE,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAG3F,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGnG,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGlD,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAG/C,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAGtE,OAAO,EACL,mBAAmB,EACnB,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,0BAA0B,GAC3B,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AAGtF,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAGtG,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAGjF,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAG9D,OAAO,EACL,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,WAAW,CAAC;AACnB,YAAY,EACV,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitizers/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC1F,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAG5C,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAGpE,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAG3F,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGnG,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGlD,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAG/C,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAGtE,OAAO,EACL,mBAAmB,EACnB,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,0BAA0B,GAC3B,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AAGtF,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAGtG,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAGjF,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAG9D,OAAO,EACL,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,WAAW,CAAC;AACnB,YAAY,EACV,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAG5D,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC"}

package/dist/sanitizers/index.js

@@ -102,7 +102,16 @@ var SQL_PATTERNS = [
   /** Time-based blind: PostgreSQL pg_sleep() */
   /\bpg_sleep\s*\(/gi,
   /** Time-based blind: MSSQL WAITFOR DELAY */
-  /\bWAITFOR\s+DELAY\b/gi
+  /\bWAITFOR\s+DELAY\b/gi,
+  /**
+   * Oracle DBMS_* stdlib packages used for time-based blind SQLi
+   * (DBMS_LOCK.SLEEP, DBMS_PIPE.RECEIVE_MESSAGE) and other Oracle
+   * abuse paths. No legitimate user input contains these. Mirrors
+   * `sqli-oracle-dbms-packages` in packages/core/patterns.json —
+   * improvements.md §1.1.e Q3. Must stay in sync until Node
+   * migrates to patterns.json-at-runtime (planned v1.7).
+   */
+  /\bDBMS_(?:LOCK|PIPE|UTILITY|XSLPROCESSOR|JAVA|OUTPUT|SCHEDULER)\b/gi
 ];
 var PATH_PATTERNS = [
   /** Unix path traversal */
@@ -140,6 +149,15 @@ var COMMAND_PATTERNS = [
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
   /\$\(/g,
+  /**
+   * POSIX shell IFS-substitution: ${IFS} or ${IFS%??}.
+   * Attackers use this to inject spaces past metacharacter filters
+   * in payloads like `;cat${IFS}/etc/passwd`. Mirrors
+   * `cmdi-ifs-bypass` in packages/core/patterns.json — improvements.md
+   * §1.1.e Q5. Must stay in sync until Node migrates to
+   * patterns.json-at-runtime (planned v1.7).
+   */
+  /\$\{IFS(?:%[^}]*)?\}/g,
   /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
   /%0[0-9a-f]/gi
 ];
@@ -677,6 +695,40 @@ var sanitizeEmailHeader = sanitizeHeaderValue;
 var detectEmailHeaderInjection = detectHeaderInjection;
 
 // src/sanitizers/sanitize.ts
+function multiDecode(value, maxPasses = 4) {
+  for (let i = 0; i < maxPasses; i++) {
+    const prev = value;
+    try {
+      value = decodeURIComponent(value);
+    } catch {
+    }
+    value = htmlEntityDecode(value);
+    if (value === prev) break;
+  }
+  return value;
+}
+function htmlEntityDecode(s) {
+  s = s.replace(/&#(\d+);/g, (_m, n) => {
+    const code = parseInt(n, 10);
+    return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
+  });
+  s = s.replace(/&#x([0-9a-fA-F]+);/g, (_m, h) => {
+    const code = parseInt(h, 16);
+    return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
+  });
+  const named = {
+    "&lt;": "<",
+    "&gt;": ">",
+    "&amp;": "&",
+    "&quot;": '"',
+    "&apos;": "'",
+    "&nbsp;": " "
+  };
+  for (const [entity, ch] of Object.entries(named)) {
+    s = s.split(entity).join(ch);
+  }
+  return s;
+}
 function sanitizeString(value, options = {}) {
   if (typeof value !== "string") return value;
   const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
@@ -684,7 +736,8 @@ function sanitizeString(value, options = {}) {
     throw new InputTooLargeError(maxSize, value.length);
   }
   const reject = options.mode === "reject";
-  let result = value;
+  let result = value.normalize("NFKC");
+  result = multiDecode(result);
   if (options.sql !== false) {
     if (reject) {
       if (detectSql(result)) {
@@ -1137,7 +1190,9 @@ function encodeForCss(value) {
 var DEFAULTS = {
   maxDepth: 10,
   maxLength: 1e4,
-  blockIntrospection: true
+  blockIntrospection: true,
+  maxAliases: 50,
+  blockFragmentCycles: true
 };
 var INTROSPECTION_PATTERN = /\b__(schema|type|typeKind|directive)\b/;
 function computeDepth(query) {
@@ -1154,30 +1209,117 @@ function computeDepth(query) {
   }
   return max;
 }
+var ALIAS_PATTERN = /\b([a-zA-Z_][a-zA-Z0-9_]*)\s*:\s*([a-zA-Z_][a-zA-Z0-9_]*)\b/g;
+var FRAGMENT_DEF_PATTERN = /\bfragment\s+([a-zA-Z_][a-zA-Z0-9_]*)\s+on\s+[a-zA-Z_][a-zA-Z0-9_]*\s*\{/g;
+var FRAGMENT_SPREAD_PATTERN = /\.\.\.\s*([a-zA-Z_][a-zA-Z0-9_]*)\b/g;
+function countAliases(query) {
+  let n = 0;
+  ALIAS_PATTERN.lastIndex = 0;
+  while (ALIAS_PATTERN.exec(query) !== null) n++;
+  return n;
+}
+function hasFragmentCycle(query) {
+  const deps = /* @__PURE__ */ new Map();
+  FRAGMENT_DEF_PATTERN.lastIndex = 0;
+  let match;
+  while ((match = FRAGMENT_DEF_PATTERN.exec(query)) !== null) {
+    const name = match[1];
+    const bodyStart = match.index + match[0].length;
+    let depth = 1;
+    let i = bodyStart;
+    while (i < query.length && depth > 0) {
+      const ch = query[i];
+      if (ch === "{") depth++;
+      else if (ch === "}") depth--;
+      i++;
+    }
+    const bodyEnd = depth === 0 ? i - 1 : i;
+    const body = query.slice(bodyStart, bodyEnd);
+    const spreads = /* @__PURE__ */ new Set();
+    FRAGMENT_SPREAD_PATTERN.lastIndex = 0;
+    let sm;
+    while ((sm = FRAGMENT_SPREAD_PATTERN.exec(body)) !== null) {
+      spreads.add(sm[1]);
+    }
+    deps.set(name, spreads);
+  }
+  if (deps.size === 0) return false;
+  const WHITE = 0;
+  const GRAY = 1;
+  const BLACK = 2;
+  const color = /* @__PURE__ */ new Map();
+  for (const name of deps.keys()) color.set(name, WHITE);
+  function visit(name) {
+    if (color.get(name) === GRAY) return true;
+    if (color.get(name) === BLACK) return false;
+    if (!deps.has(name)) return false;
+    color.set(name, GRAY);
+    for (const child of deps.get(name)) {
+      if (visit(child)) return true;
+    }
+    color.set(name, BLACK);
+    return false;
+  }
+  for (const name of deps.keys()) {
+    if (visit(name)) return true;
+  }
+  return false;
+}
 function inspectGraphqlQuery(query, options = {}) {
   const maxDepth = options.maxDepth ?? DEFAULTS.maxDepth;
   const maxLength = options.maxLength ?? DEFAULTS.maxLength;
   const blockIntrospection = options.blockIntrospection ?? DEFAULTS.blockIntrospection;
+  const maxAliases = options.maxAliases ?? DEFAULTS.maxAliases;
+  const blockFragmentCycles = options.blockFragmentCycles ?? DEFAULTS.blockFragmentCycles;
   const length = query.length;
   const depth = computeDepth(query);
+  const aliases = countAliases(query);
   if (depth > maxDepth) {
-    return { blocked: true, reason: "depth", depth, length };
+    return { blocked: true, reason: "depth", depth, length, aliases };
   }
   if (blockIntrospection && INTROSPECTION_PATTERN.test(query)) {
-    return { blocked: true, reason: "introspection", depth, length };
+    return { blocked: true, reason: "introspection", depth, length, aliases };
+  }
+  if (aliases > maxAliases) {
+    return { blocked: true, reason: "aliases", depth, length, aliases };
+  }
+  if (blockFragmentCycles && hasFragmentCycle(query)) {
+    return { blocked: true, reason: "fragment_cycle", depth, length, aliases };
   }
   if (length > maxLength) {
-    return { blocked: true, reason: "length", depth, length };
+    return { blocked: true, reason: "length", depth, length, aliases };
   }
-  return { blocked: false, depth, length };
+  return { blocked: false, depth, length, aliases };
 }
 function detectGraphqlAbuse(query, options) {
   if (typeof query !== "string" || query.length === 0) return false;
   return inspectGraphqlQuery(query, options).blocked;
 }
 
+// src/sanitizers/deserialization.ts
+var PICKLE_HEAD = /^\x80[\x02-\x05]/;
+var RUBY_MARSHAL_HEAD = /^\x04\x08/;
+var DOTNET_BINFMT_HEAD = /^\x00\x01\x00\x00\x00/;
+var FASTJSON_AUTOTYPE = /"@type"\s*:\s*"[a-zA-Z_$][\w$.]*"/;
+var PHP_UNSERIALIZE = /O:\d+:"[a-zA-Z_\\][\w\\]*":\d+:\{/;
+function detectDeserialization(payload) {
+  if (typeof payload !== "string" || payload.length === 0) {
+    return null;
+  }
+  if (PICKLE_HEAD.test(payload)) return "python_pickle";
+  if (RUBY_MARSHAL_HEAD.test(payload)) return "ruby_marshal";
+  if (DOTNET_BINFMT_HEAD.test(payload)) return "dotnet_binary_formatter";
+  if (FASTJSON_AUTOTYPE.test(payload)) return "java_fastjson";
+  if (PHP_UNSERIALIZE.test(payload)) return "php_unserialize";
+  return null;
+}
+function isSerializedPayload(payload) {
+  return detectDeserialization(payload) !== null;
+}
+
 exports.createSanitizer = createSanitizer;
 exports.detectCommandInjection = detectCommandInjection;
+exports.detectDeserialization = detectDeserialization;
 exports.detectEmailHeaderInjection = detectEmailHeaderInjection;
 exports.detectGraphqlAbuse = detectGraphqlAbuse;
 exports.detectHeaderInjection = detectHeaderInjection;
@@ -1204,6 +1346,7 @@ exports.inspectGraphqlQuery = inspectGraphqlQuery;
 exports.isDangerousNoSqlKey = isDangerousNoSqlKey;
 exports.isDangerousProtoKey = isDangerousProtoKey;
 exports.isPlainObject = isPlainObject;
+exports.isSerializedPayload = isSerializedPayload;
 exports.redactObjectPii = redactObjectPii;
 exports.redactPii = redactPii;
 exports.sanitizeCommand = sanitizeCommand;