npm - @arcis/node - Versions diffs - 1.5.2 → 1.6.0 - Mend

@arcis/node 1.5.2 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

package/README.md +48 -7
package/dist/astro/index.js.map +1 -1
package/dist/astro/index.mjs.map +1 -1
package/dist/bun/index.js.map +1 -1
package/dist/bun/index.mjs.map +1 -1
package/dist/core/constants.d.ts +2 -2
package/dist/core/constants.d.ts.map +1 -1
package/dist/core/index.js +19 -1
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +19 -1
package/dist/core/index.mjs.map +1 -1
package/dist/fastify/index.js.map +1 -1
package/dist/fastify/index.mjs.map +1 -1
package/dist/hono/index.js.map +1 -1
package/dist/hono/index.mjs.map +1 -1
package/dist/index.d.ts +3 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +407 -8
package/dist/index.js.map +1 -1
package/dist/index.mjs +407 -9
package/dist/index.mjs.map +1 -1
package/dist/koa/index.js.map +1 -1
package/dist/koa/index.mjs.map +1 -1
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/middleware/correlation.d.ts +87 -0
package/dist/middleware/correlation.d.ts.map +1 -0
package/dist/middleware/graphql.d.ts.map +1 -1
package/dist/middleware/index.d.ts +3 -1
package/dist/middleware/index.d.ts.map +1 -1
package/dist/middleware/index.js +366 -8
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +366 -9
package/dist/middleware/index.mjs.map +1 -1
package/dist/middleware/protect.d.ts +32 -0
package/dist/middleware/protect.d.ts.map +1 -1
package/dist/nestjs/index.js +55 -2
package/dist/nestjs/index.js.map +1 -1
package/dist/nestjs/index.mjs +55 -2
package/dist/nestjs/index.mjs.map +1 -1
package/dist/nextjs/index.js.map +1 -1
package/dist/nextjs/index.mjs.map +1 -1
package/dist/nuxt/index.js.map +1 -1
package/dist/nuxt/index.mjs.map +1 -1
package/dist/sanitizers/deserialization.d.ts +30 -0
package/dist/sanitizers/deserialization.d.ts.map +1 -0
package/dist/sanitizers/graphql.d.ts +20 -3
package/dist/sanitizers/graphql.d.ts.map +1 -1
package/dist/sanitizers/index.d.ts +2 -0
package/dist/sanitizers/index.d.ts.map +1 -1
package/dist/sanitizers/index.js +150 -7
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +149 -8
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/sanitizers/prompt-injection.d.ts.map +1 -1
package/dist/sanitizers/sanitize.d.ts +0 -20
package/dist/sanitizers/sanitize.d.ts.map +1 -1
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs.map +1 -1
package/dist/sveltekit/index.js.map +1 -1
package/dist/sveltekit/index.mjs.map +1 -1
package/dist/validation/index.js +55 -2
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs +55 -2
package/dist/validation/index.mjs.map +1 -1
package/package.json +2 -2

package/dist/validation/index.mjs CHANGED Viewed

@@ -67,7 +67,16 @@ var SQL_PATTERNS = [
   /** Time-based blind: PostgreSQL pg_sleep() */
   /\bpg_sleep\s*\(/gi,
   /** Time-based blind: MSSQL WAITFOR DELAY */
-  /\bWAITFOR\s+DELAY\b/gi
+  /\bWAITFOR\s+DELAY\b/gi,
+  /**
+   * Oracle DBMS_* stdlib packages used for time-based blind SQLi
+   * (DBMS_LOCK.SLEEP, DBMS_PIPE.RECEIVE_MESSAGE) and other Oracle
+   * abuse paths. No legitimate user input contains these. Mirrors
+   * `sqli-oracle-dbms-packages` in packages/core/patterns.json —
+   * improvements.md §1.1.e Q3. Must stay in sync until Node
+   * migrates to patterns.json-at-runtime (planned v1.7).
+   */
+  /\bDBMS_(?:LOCK|PIPE|UTILITY|XSLPROCESSOR|JAVA|OUTPUT|SCHEDULER)\b/gi
 ];
 var PATH_PATTERNS = [
   /** Unix path traversal */
@@ -105,6 +114,15 @@ var COMMAND_PATTERNS = [
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
   /\$\(/g,
+  /**
+   * POSIX shell IFS-substitution: ${IFS} or ${IFS%??}.
+   * Attackers use this to inject spaces past metacharacter filters
+   * in payloads like `;cat${IFS}/etc/passwd`. Mirrors
+   * `cmdi-ifs-bypass` in packages/core/patterns.json — improvements.md
+   * §1.1.e Q5. Must stay in sync until Node migrates to
+   * patterns.json-at-runtime (planned v1.7).
+   */
+  /\$\{IFS(?:%[^}]*)?\}/g,
   /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
   /%0[0-9a-f]/gi
 ];
@@ -348,6 +366,40 @@ function detectCommandInjection(input) {
 }
 // src/sanitizers/sanitize.ts
+function multiDecode(value, maxPasses = 4) {
+  for (let i = 0; i < maxPasses; i++) {
+    const prev = value;
+    try {
+      value = decodeURIComponent(value);
+    } catch {
+    }
+    value = htmlEntityDecode(value);
+    if (value === prev) break;
+  }
+  return value;
+}
+function htmlEntityDecode(s) {
+  s = s.replace(/&#(\d+);/g, (_m, n) => {
+    const code = parseInt(n, 10);
+    return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
+  });
+  s = s.replace(/&#x([0-9a-fA-F]+);/g, (_m, h) => {
+    const code = parseInt(h, 16);
+    return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
+  });
+  const named = {
+    "&lt;": "<",
+    "&gt;": ">",
+    "&amp;": "&",
+    "&quot;": '"',
+    "&apos;": "'",
+    "&nbsp;": " "
+  };
+  for (const [entity, ch] of Object.entries(named)) {
+    s = s.split(entity).join(ch);
+  }
+  return s;
+}
 function sanitizeString(value, options = {}) {
   if (typeof value !== "string") return value;
   const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
@@ -355,7 +407,8 @@ function sanitizeString(value, options = {}) {
     throw new InputTooLargeError(maxSize, value.length);
   }
   const reject = options.mode === "reject";
-  let result = value;
+  let result = value.normalize("NFKC");
+  result = multiDecode(result);
   if (options.sql !== false) {
     if (reject) {
       if (detectSql(result)) {