@arcis/node 1.5.2 → 1.6.1
- package/README.md +48 -7
- package/dist/astro/index.js.map +1 -1
- package/dist/astro/index.mjs.map +1 -1
- package/dist/bun/index.js.map +1 -1
- package/dist/bun/index.mjs.map +1 -1
- package/dist/core/constants.d.ts +2 -2
- package/dist/core/constants.d.ts.map +1 -1
- package/dist/core/index.js +19 -1
- package/dist/core/index.js.map +1 -1
- package/dist/core/index.mjs +19 -1
- package/dist/core/index.mjs.map +1 -1
- package/dist/fastify/index.js.map +1 -1
- package/dist/fastify/index.mjs.map +1 -1
- package/dist/hono/index.js.map +1 -1
- package/dist/hono/index.mjs.map +1 -1
- package/dist/index.d.ts +3 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +407 -8
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +407 -9
- package/dist/index.mjs.map +1 -1
- package/dist/koa/index.js.map +1 -1
- package/dist/koa/index.mjs.map +1 -1
- package/dist/logging/index.js.map +1 -1
- package/dist/logging/index.mjs.map +1 -1
- package/dist/middleware/astro.d.ts +6 -1
- package/dist/middleware/astro.d.ts.map +1 -1
- package/dist/middleware/bun.d.ts +8 -1
- package/dist/middleware/bun.d.ts.map +1 -1
- package/dist/middleware/correlation.d.ts +87 -0
- package/dist/middleware/correlation.d.ts.map +1 -0
- package/dist/middleware/graphql.d.ts.map +1 -1
- package/dist/middleware/hono.d.ts +6 -0
- package/dist/middleware/hono.d.ts.map +1 -1
- package/dist/middleware/index.d.ts +3 -1
- package/dist/middleware/index.d.ts.map +1 -1
- package/dist/middleware/index.js +366 -8
- package/dist/middleware/index.js.map +1 -1
- package/dist/middleware/index.mjs +366 -9
- package/dist/middleware/index.mjs.map +1 -1
- package/dist/middleware/koa.d.ts +5 -0
- package/dist/middleware/koa.d.ts.map +1 -1
- package/dist/middleware/nextjs.d.ts +9 -1
- package/dist/middleware/nextjs.d.ts.map +1 -1
- package/dist/middleware/nuxt.d.ts +6 -1
- package/dist/middleware/nuxt.d.ts.map +1 -1
- package/dist/middleware/protect.d.ts +32 -0
- package/dist/middleware/protect.d.ts.map +1 -1
- package/dist/middleware/sveltekit.d.ts +6 -1
- package/dist/middleware/sveltekit.d.ts.map +1 -1
- package/dist/nestjs/index.js +55 -2
- package/dist/nestjs/index.js.map +1 -1
- package/dist/nestjs/index.mjs +55 -2
- package/dist/nestjs/index.mjs.map +1 -1
- package/dist/nextjs/index.js.map +1 -1
- package/dist/nextjs/index.mjs.map +1 -1
- package/dist/nuxt/index.js.map +1 -1
- package/dist/nuxt/index.mjs.map +1 -1
- package/dist/sanitizers/deserialization.d.ts +30 -0
- package/dist/sanitizers/deserialization.d.ts.map +1 -0
- package/dist/sanitizers/graphql.d.ts +20 -3
- package/dist/sanitizers/graphql.d.ts.map +1 -1
- package/dist/sanitizers/index.d.ts +2 -0
- package/dist/sanitizers/index.d.ts.map +1 -1
- package/dist/sanitizers/index.js +150 -7
- package/dist/sanitizers/index.js.map +1 -1
- package/dist/sanitizers/index.mjs +149 -8
- package/dist/sanitizers/index.mjs.map +1 -1
- package/dist/sanitizers/prompt-injection.d.ts.map +1 -1
- package/dist/sanitizers/sanitize.d.ts +0 -20
- package/dist/sanitizers/sanitize.d.ts.map +1 -1
- package/dist/stores/index.js.map +1 -1
- package/dist/stores/index.mjs.map +1 -1
- package/dist/sveltekit/index.js.map +1 -1
- package/dist/sveltekit/index.mjs.map +1 -1
- package/dist/validation/index.js +55 -2
- package/dist/validation/index.js.map +1 -1
- package/dist/validation/index.mjs +55 -2
- package/dist/validation/index.mjs.map +1 -1
- package/package.json +11 -11
package/dist/validation/index.js
CHANGED
|
@@ -88,7 +88,16 @@ var SQL_PATTERNS = [
|
|
|
88
88
|
/** Time-based blind: PostgreSQL pg_sleep() */
|
|
89
89
|
/\bpg_sleep\s*\(/gi,
|
|
90
90
|
/** Time-based blind: MSSQL WAITFOR DELAY */
|
|
91
|
-
/\bWAITFOR\s+DELAY\b/gi
|
|
91
|
+
/\bWAITFOR\s+DELAY\b/gi,
|
|
92
|
+
/**
|
|
93
|
+
* Oracle DBMS_* stdlib packages used for time-based blind SQLi
|
|
94
|
+
* (DBMS_LOCK.SLEEP, DBMS_PIPE.RECEIVE_MESSAGE) and other Oracle
|
|
95
|
+
* abuse paths. No legitimate user input contains these. Mirrors
|
|
96
|
+
* `sqli-oracle-dbms-packages` in packages/core/patterns.json —
|
|
97
|
+
* improvements.md §1.1.e Q3. Must stay in sync until Node
|
|
98
|
+
* migrates to patterns.json-at-runtime (planned v1.7).
|
|
99
|
+
*/
|
|
100
|
+
/\bDBMS_(?:LOCK|PIPE|UTILITY|XSLPROCESSOR|JAVA|OUTPUT|SCHEDULER)\b/gi
|
|
92
101
|
];
|
|
93
102
|
var PATH_PATTERNS = [
|
|
94
103
|
/** Unix path traversal */
|
|
@@ -126,6 +135,15 @@ var COMMAND_PATTERNS = [
|
|
|
126
135
|
/[;&|`]/g,
|
|
127
136
|
/** Command substitution: $( ... ) — matched as a pair to reduce false positives */
|
|
128
137
|
/\$\(/g,
|
|
138
|
+
/**
|
|
139
|
+
* POSIX shell IFS-substitution: ${IFS} or ${IFS%??}.
|
|
140
|
+
* Attackers use this to inject spaces past metacharacter filters
|
|
141
|
+
* in payloads like `;cat${IFS}/etc/passwd`. Mirrors
|
|
142
|
+
* `cmdi-ifs-bypass` in packages/core/patterns.json — improvements.md
|
|
143
|
+
* §1.1.e Q5. Must stay in sync until Node migrates to
|
|
144
|
+
* patterns.json-at-runtime (planned v1.7).
|
|
145
|
+
*/
|
|
146
|
+
/\$\{IFS(?:%[^}]*)?\}/g,
|
|
129
147
|
/** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
|
|
130
148
|
/%0[0-9a-f]/gi
|
|
131
149
|
];
|
|
@@ -369,6 +387,40 @@ function detectCommandInjection(input) {
|
|
|
369
387
|
}
|
|
370
388
|
|
|
371
389
|
// src/sanitizers/sanitize.ts
|
|
390
|
+
function multiDecode(value, maxPasses = 4) {
|
|
391
|
+
for (let i = 0; i < maxPasses; i++) {
|
|
392
|
+
const prev = value;
|
|
393
|
+
try {
|
|
394
|
+
value = decodeURIComponent(value);
|
|
395
|
+
} catch {
|
|
396
|
+
}
|
|
397
|
+
value = htmlEntityDecode(value);
|
|
398
|
+
if (value === prev) break;
|
|
399
|
+
}
|
|
400
|
+
return value;
|
|
401
|
+
}
|
|
402
|
+
function htmlEntityDecode(s) {
|
|
403
|
+
s = s.replace(/&#(\d+);/g, (_m, n) => {
|
|
404
|
+
const code = parseInt(n, 10);
|
|
405
|
+
return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
|
|
406
|
+
});
|
|
407
|
+
s = s.replace(/&#x([0-9a-fA-F]+);/g, (_m, h) => {
|
|
408
|
+
const code = parseInt(h, 16);
|
|
409
|
+
return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
|
|
410
|
+
});
|
|
411
|
+
const named = {
|
|
412
|
+
"<": "<",
|
|
413
|
+
">": ">",
|
|
414
|
+
"&": "&",
|
|
415
|
+
""": '"',
|
|
416
|
+
"'": "'",
|
|
417
|
+
" ": " "
|
|
418
|
+
};
|
|
419
|
+
for (const [entity, ch] of Object.entries(named)) {
|
|
420
|
+
s = s.split(entity).join(ch);
|
|
421
|
+
}
|
|
422
|
+
return s;
|
|
423
|
+
}
|
|
372
424
|
function sanitizeString(value, options = {}) {
|
|
373
425
|
if (typeof value !== "string") return value;
|
|
374
426
|
const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
|
|
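Review bot: `multiDecode` is applied to `result` before the detectors run (in the `sanitizeString` hunk below, whose body continues past the end of this page), so patterns that key on the encoded form — notably `/%0[0-9a-f]/gi` in COMMAND_PATTERNS in the second hunk — will no longer see `%00`/`%0a` once `decodeURIComponent` has turned them into raw control characters, and a raw LF or NUL cannot be flagged the same way without also hitting ordinary multi-line text. Assuming the command-injection detector is also given `result`, the detectors should run against both the original and the decoded string (e.g. `detectSql(value) || detectSql(result)`), or the encoded-form patterns should be checked on `value` before decoding. Separately, `htmlEntityDecode` only decodes numeric references terminated by `;` while HTML parsers also accept the unterminated form, so `/&#(\d+);?/g` and `/&#x([0-9a-fA-F]+);?/g` would close that gap, and the range check should additionally reject `code >= 0xD800 && code <= 0xDFFF`, since `String.fromCodePoint` otherwise emits lone surrogates after the NFKC normalisation has already run. The keys of the `named` map appear to have been entity-decoded by this page's rendering (`"<": "<"`, `""": '"'` is not valid JavaScript as printed), so they should be verified against the source file rather than trusted here.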
@@ -376,7 +428,8 @@ function sanitizeString(value, options = {}) {
|
|
|
376
428
|
throw new InputTooLargeError(maxSize, value.length);
|
|
377
429
|
}
|
|
378
430
|
const reject = options.mode === "reject";
|
|
379
|
-
let result = value;
|
|
431
|
+
let result = value.normalize("NFKC");
|
|
432
|
+
result = multiDecode(result);
|
|
380
433
|
if (options.sql !== false) {
|
|
381
434
|
if (reject) {
|
|
382
435
|
if (detectSql(result)) {
|