@arcis/node 1.5.2 → 1.6.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +48 -7
- package/dist/astro/index.js.map +1 -1
- package/dist/astro/index.mjs.map +1 -1
- package/dist/bun/index.js.map +1 -1
- package/dist/bun/index.mjs.map +1 -1
- package/dist/core/constants.d.ts +2 -2
- package/dist/core/constants.d.ts.map +1 -1
- package/dist/core/index.js +19 -1
- package/dist/core/index.js.map +1 -1
- package/dist/core/index.mjs +19 -1
- package/dist/core/index.mjs.map +1 -1
- package/dist/fastify/index.js.map +1 -1
- package/dist/fastify/index.mjs.map +1 -1
- package/dist/hono/index.js.map +1 -1
- package/dist/hono/index.mjs.map +1 -1
- package/dist/index.d.ts +3 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +407 -8
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +407 -9
- package/dist/index.mjs.map +1 -1
- package/dist/koa/index.js.map +1 -1
- package/dist/koa/index.mjs.map +1 -1
- package/dist/logging/index.js.map +1 -1
- package/dist/logging/index.mjs.map +1 -1
- package/dist/middleware/astro.d.ts +6 -1
- package/dist/middleware/astro.d.ts.map +1 -1
- package/dist/middleware/bun.d.ts +8 -1
- package/dist/middleware/bun.d.ts.map +1 -1
- package/dist/middleware/correlation.d.ts +87 -0
- package/dist/middleware/correlation.d.ts.map +1 -0
- package/dist/middleware/graphql.d.ts.map +1 -1
- package/dist/middleware/hono.d.ts +6 -0
- package/dist/middleware/hono.d.ts.map +1 -1
- package/dist/middleware/index.d.ts +3 -1
- package/dist/middleware/index.d.ts.map +1 -1
- package/dist/middleware/index.js +366 -8
- package/dist/middleware/index.js.map +1 -1
- package/dist/middleware/index.mjs +366 -9
- package/dist/middleware/index.mjs.map +1 -1
- package/dist/middleware/koa.d.ts +5 -0
- package/dist/middleware/koa.d.ts.map +1 -1
- package/dist/middleware/nextjs.d.ts +9 -1
- package/dist/middleware/nextjs.d.ts.map +1 -1
- package/dist/middleware/nuxt.d.ts +6 -1
- package/dist/middleware/nuxt.d.ts.map +1 -1
- package/dist/middleware/protect.d.ts +32 -0
- package/dist/middleware/protect.d.ts.map +1 -1
- package/dist/middleware/sveltekit.d.ts +6 -1
- package/dist/middleware/sveltekit.d.ts.map +1 -1
- package/dist/nestjs/index.js +55 -2
- package/dist/nestjs/index.js.map +1 -1
- package/dist/nestjs/index.mjs +55 -2
- package/dist/nestjs/index.mjs.map +1 -1
- package/dist/nextjs/index.js.map +1 -1
- package/dist/nextjs/index.mjs.map +1 -1
- package/dist/nuxt/index.js.map +1 -1
- package/dist/nuxt/index.mjs.map +1 -1
- package/dist/sanitizers/deserialization.d.ts +30 -0
- package/dist/sanitizers/deserialization.d.ts.map +1 -0
- package/dist/sanitizers/graphql.d.ts +20 -3
- package/dist/sanitizers/graphql.d.ts.map +1 -1
- package/dist/sanitizers/index.d.ts +2 -0
- package/dist/sanitizers/index.d.ts.map +1 -1
- package/dist/sanitizers/index.js +150 -7
- package/dist/sanitizers/index.js.map +1 -1
- package/dist/sanitizers/index.mjs +149 -8
- package/dist/sanitizers/index.mjs.map +1 -1
- package/dist/sanitizers/prompt-injection.d.ts.map +1 -1
- package/dist/sanitizers/sanitize.d.ts +0 -20
- package/dist/sanitizers/sanitize.d.ts.map +1 -1
- package/dist/stores/index.js.map +1 -1
- package/dist/stores/index.mjs.map +1 -1
- package/dist/sveltekit/index.js.map +1 -1
- package/dist/sveltekit/index.mjs.map +1 -1
- package/dist/validation/index.js +55 -2
- package/dist/validation/index.js.map +1 -1
- package/dist/validation/index.mjs +55 -2
- package/dist/validation/index.mjs.map +1 -1
- package/package.json +11 -11
|
@@ -67,7 +67,16 @@ var SQL_PATTERNS = [
|
|
|
67
67
|
/** Time-based blind: PostgreSQL pg_sleep() */
|
|
68
68
|
/\bpg_sleep\s*\(/gi,
|
|
69
69
|
/** Time-based blind: MSSQL WAITFOR DELAY */
|
|
70
|
-
/\bWAITFOR\s+DELAY\b/gi
|
|
70
|
+
/\bWAITFOR\s+DELAY\b/gi,
|
|
71
|
+
/**
|
|
72
|
+
* Oracle DBMS_* stdlib packages used for time-based blind SQLi
|
|
73
|
+
* (DBMS_LOCK.SLEEP, DBMS_PIPE.RECEIVE_MESSAGE) and other Oracle
|
|
74
|
+
* abuse paths. No legitimate user input contains these. Mirrors
|
|
75
|
+
* `sqli-oracle-dbms-packages` in packages/core/patterns.json —
|
|
76
|
+
* improvements.md §1.1.e Q3. Must stay in sync until Node
|
|
77
|
+
* migrates to patterns.json-at-runtime (planned v1.7).
|
|
78
|
+
*/
|
|
79
|
+
/\bDBMS_(?:LOCK|PIPE|UTILITY|XSLPROCESSOR|JAVA|OUTPUT|SCHEDULER)\b/gi
|
|
71
80
|
];
|
|
72
81
|
var PATH_PATTERNS = [
|
|
73
82
|
/** Unix path traversal */
|
|
@@ -105,6 +114,15 @@ var COMMAND_PATTERNS = [
|
|
|
105
114
|
/[;&|`]/g,
|
|
106
115
|
/** Command substitution: $( ... ) — matched as a pair to reduce false positives */
|
|
107
116
|
/\$\(/g,
|
|
117
|
+
/**
|
|
118
|
+
* POSIX shell IFS-substitution: ${IFS} or ${IFS%??}.
|
|
119
|
+
* Attackers use this to inject spaces past metacharacter filters
|
|
120
|
+
* in payloads like `;cat${IFS}/etc/passwd`. Mirrors
|
|
121
|
+
* `cmdi-ifs-bypass` in packages/core/patterns.json — improvements.md
|
|
122
|
+
* §1.1.e Q5. Must stay in sync until Node migrates to
|
|
123
|
+
* patterns.json-at-runtime (planned v1.7).
|
|
124
|
+
*/
|
|
125
|
+
/\$\{IFS(?:%[^}]*)?\}/g,
|
|
108
126
|
/** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
|
|
109
127
|
/%0[0-9a-f]/gi
|
|
110
128
|
];
|
|
@@ -348,6 +366,40 @@ function detectCommandInjection(input) {
|
|
|
348
366
|
}
|
|
349
367
|
|
|
350
368
|
// src/sanitizers/sanitize.ts
|
|
369
|
+
function multiDecode(value, maxPasses = 4) {
|
|
370
|
+
for (let i = 0; i < maxPasses; i++) {
|
|
371
|
+
const prev = value;
|
|
372
|
+
try {
|
|
373
|
+
value = decodeURIComponent(value);
|
|
374
|
+
} catch {
|
|
375
|
+
}
|
|
376
|
+
value = htmlEntityDecode(value);
|
|
377
|
+
if (value === prev) break;
|
|
378
|
+
}
|
|
379
|
+
return value;
|
|
380
|
+
}
|
|
381
|
+
function htmlEntityDecode(s) {
|
|
382
|
+
s = s.replace(/&#(\d+);/g, (_m, n) => {
|
|
383
|
+
const code = parseInt(n, 10);
|
|
384
|
+
return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
|
|
385
|
+
});
|
|
386
|
+
s = s.replace(/&#x([0-9a-fA-F]+);/g, (_m, h) => {
|
|
387
|
+
const code = parseInt(h, 16);
|
|
388
|
+
return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
|
|
389
|
+
});
|
|
390
|
+
const named = {
|
|
391
|
+
"<": "<",
|
|
392
|
+
">": ">",
|
|
393
|
+
"&": "&",
|
|
394
|
+
""": '"',
|
|
395
|
+
"'": "'",
|
|
396
|
+
" ": " "
|
|
397
|
+
};
|
|
398
|
+
for (const [entity, ch] of Object.entries(named)) {
|
|
399
|
+
s = s.split(entity).join(ch);
|
|
400
|
+
}
|
|
401
|
+
return s;
|
|
402
|
+
}
|
|
351
403
|
function sanitizeString(value, options = {}) {
|
|
352
404
|
if (typeof value !== "string") return value;
|
|
353
405
|
const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
|
|
@@ -355,7 +407,8 @@ function sanitizeString(value, options = {}) {
|
|
|
355
407
|
throw new InputTooLargeError(maxSize, value.length);
|
|
356
408
|
}
|
|
357
409
|
const reject = options.mode === "reject";
|
|
358
|
-
let result = value;
|
|
410
|
+
let result = value.normalize("NFKC");
|
|
411
|
+
result = multiDecode(result);
|
|
359
412
|
if (options.sql !== false) {
|
|
360
413
|
if (reject) {
|
|
361
414
|
if (detectSql(result)) {
|