@arcis/node 1.6.1 → 1.6.3

package/dist/middleware/index.js

@@ -945,9 +945,10 @@ function detectXxe(input) {
 // src/sanitizers/ldap.ts
 var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
 var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
+var LDAP_NOT_BYPASS_PATTERN = /\)\s*\(\s*!|&\s*\(\s*!|\|\s*\(\s*!/;
 function detectLdapInjection(input) {
   if (typeof input !== "string") return false;
-  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input);
 }
 
 // src/sanitizers/xpath.ts
@@ -8274,6 +8275,411 @@ var bot_patterns_default = [
       "ZuperlistBot\\/"
     ],
     forbidden: []
+  },
+  {
+    id: "ext-ahrefsbotsiteaudit",
+    name: "ahrefsbotsiteaudit",
+    category: "SEO",
+    patterns: [
+      "Ahrefs(Bot|SiteAudit)"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-amazonproductdiscovery",
+    name: "amazonproductdiscovery",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "AmazonProductDiscovery"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-amazonsellerinitiatedlisting",
+    name: "amazonsellerinitiatedlisting",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "AmazonSellerInitiatedListing"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-cclaudebbot",
+    name: "cclaudebbot",
+    category: "GENERIC",
+    patterns: [
+      "[cC]laude[bB]ot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-meta-externalagent",
+    name: "meta-externalagent",
+    category: "GENERIC",
+    patterns: [
+      "meta-externalagent\\/"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-meta-externalfetcher",
+    name: "meta-externalfetcher",
+    category: "GENERIC",
+    patterns: [
+      "meta-externalfetcher\\/"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-hydrozenio",
+    name: "hydrozenio",
+    category: "MONITORING",
+    patterns: [
+      "Hydrozen\\.io"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-yextbot",
+    name: "yextbot",
+    category: "SEO",
+    patterns: [
+      "YextBot\\/"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-datadogsynthetics",
+    name: "datadogsynthetics",
+    category: "MONITORING",
+    patterns: [
+      "DatadogSynthetics"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-observepoint",
+    name: "observepoint",
+    category: "MONITORING",
+    patterns: [
+      "ObservePoint"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-checkly",
+    name: "checkly",
+    category: "MONITORING",
+    patterns: [
+      "Checkly"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-alittleclient",
+    name: "alittleclient",
+    category: "GENERIC",
+    patterns: [
+      "ALittle Client"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-aliyunsecbot",
+    name: "aliyunsecbot",
+    category: "GENERIC",
+    patterns: [
+      "AliyunSecBot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-claude-web",
+    name: "claude-web",
+    category: "GENERIC",
+    patterns: [
+      "Claude-Web"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-google-extended",
+    name: "google-extended",
+    category: "GENERIC",
+    patterns: [
+      "Google-Extended"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-serankingbacklinksbot",
+    name: "serankingbacklinksbot",
+    category: "SEO",
+    patterns: [
+      "SERankingBacklinksBot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-cmschecker",
+    name: "cmschecker",
+    category: "SEO",
+    patterns: [
+      "CMSChecker"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-wayback",
+    name: "wayback",
+    category: "GENERIC",
+    patterns: [
+      "Wayback"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-playwright",
+    name: "playwright",
+    category: "GENERIC",
+    patterns: [
+      "Playwright"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-puppeteer",
+    name: "puppeteer",
+    category: "GENERIC",
+    patterns: [
+      "Puppeteer"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-selenium",
+    name: "selenium",
+    category: "GENERIC",
+    patterns: [
+      "Selenium"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-nikto",
+    name: "nikto",
+    category: "GENERIC",
+    patterns: [
+      "Nikto"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-sqlmap",
+    name: "sqlmap",
+    category: "GENERIC",
+    patterns: [
+      "sqlmap"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-zmeu",
+    name: "zmeu",
+    category: "GENERIC",
+    patterns: [
+      "ZmEu"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-masscan",
+    name: "masscan",
+    category: "GENERIC",
+    patterns: [
+      "masscan"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-wpscan",
+    name: "wpscan",
+    category: "GENERIC",
+    patterns: [
+      "WPScan"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-aacunetix",
+    name: "aacunetix",
+    category: "GENERIC",
+    patterns: [
+      "[aA]cunetix"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-nessus",
+    name: "nessus",
+    category: "GENERIC",
+    patterns: [
+      "Nessus"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-ddirbbuster",
+    name: "ddirbbuster",
+    category: "GENERIC",
+    patterns: [
+      "[dD]ir[Bb]uster"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-colly",
+    name: "colly",
+    category: "GENERIC",
+    patterns: [
+      "colly"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-mmechanize",
+    name: "mmechanize",
+    category: "GENERIC",
+    patterns: [
+      "[mM]echanize"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-airaiscanning",
+    name: "airaiscanning",
+    category: "GENERIC",
+    patterns: [
+      "air\\.ai\\/scanning"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-asnriskscorer",
+    name: "asnriskscorer",
+    category: "GENERIC",
+    patterns: [
+      "asnriskscorer"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-oicrawler",
+    name: "oicrawler",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "OICrawler"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-l9scan",
+    name: "l9scan",
+    category: "GENERIC",
+    patterns: [
+      "l9scan"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-slaccalebot",
+    name: "slaccalebot",
+    category: "SEO",
+    patterns: [
+      "SlaccaleBot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-customasynchttpclient",
+    name: "customasynchttpclient",
+    category: "GENERIC",
+    patterns: [
+      "CustomAsyncHttpClient"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-gemini-deep-research",
+    name: "gemini-deep-research",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "Gemini-Deep-Research"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-perplexity-user",
+    name: "perplexity-user",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "Perplexity-User"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-perplexityuser",
+    name: "perplexityuser",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "PerplexityUser"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-meta-webindexer",
+    name: "meta-webindexer",
+    category: "GENERIC",
+    patterns: [
+      "meta-webindexer"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-duckassistbot",
+    name: "duckassistbot",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "DuckAssistBot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-mistralai-user",
+    name: "mistralai-user",
+    category: "GENERIC",
+    patterns: [
+      "MistralAI-User"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-webzio",
+    name: "webzio",
+    category: "SEO",
+    patterns: [
+      "webzio"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-newsai",
+    name: "newsai",
+    category: "GENERIC",
+    patterns: [
+      "newsai\\/"
+    ],
+    forbidden: []
   }
 ];
 
@@ -8810,6 +9216,297 @@ function massAssign(options) {
   };
 }
 
+// src/_third_party/rate-limit/abstract.ts
+var AbstractLimiter = class {
+  constructor(opts) {
+    if (!Number.isFinite(opts.points)) {
+      throw new Error("points must be a finite number");
+    }
+    if (!Number.isFinite(opts.duration) || opts.duration < 0) {
+      throw new Error("duration must be a finite, non-negative number");
+    }
+    this._points = opts.points;
+    this._duration = opts.duration;
+    this._blockDuration = typeof opts.blockDuration === "undefined" ? 0 : opts.blockDuration;
+    this._execEvenly = Boolean(opts.execEvenly);
+    this._execEvenlyMinDelayMs = typeof opts.execEvenlyMinDelayMs === "undefined" ? Math.ceil(this._duration * 1e3 / Math.max(this._points, 1)) : opts.execEvenlyMinDelayMs;
+    if (typeof opts.keyPrefix === "undefined") {
+      this._keyPrefix = "arcis";
+    } else if (typeof opts.keyPrefix !== "string") {
+      throw new Error("keyPrefix must be a string");
+    } else {
+      this._keyPrefix = opts.keyPrefix;
+    }
+  }
+  get points() {
+    return this._points;
+  }
+  get duration() {
+    return this._duration;
+  }
+  get msDuration() {
+    return this._duration * 1e3;
+  }
+  get blockDuration() {
+    return this._blockDuration;
+  }
+  get msBlockDuration() {
+    return this._blockDuration * 1e3;
+  }
+  get execEvenly() {
+    return this._execEvenly;
+  }
+  get execEvenlyMinDelayMs() {
+    return this._execEvenlyMinDelayMs;
+  }
+  get keyPrefix() {
+    return this._keyPrefix;
+  }
+  _getKeySecDuration(options = {}) {
+    return typeof options.customDuration === "number" && options.customDuration >= 0 ? options.customDuration : this._duration;
+  }
+  _getKey(key) {
+    return this._keyPrefix.length > 0 ? `${this._keyPrefix}:${key}` : key;
+  }
+};
+
+// src/_third_party/rate-limit/types.ts
+var LimiterResult = class {
+  constructor(remainingPoints = 0, msBeforeNext = 0, consumedPoints = 0, isFirstInDuration = false) {
+    this.remainingPoints = remainingPoints;
+    this.msBeforeNext = msBeforeNext;
+    this.consumedPoints = consumedPoints;
+    this.isFirstInDuration = isFirstInDuration;
+  }
+};
+
+// src/_third_party/rate-limit/record.ts
+var StorageRecord = class {
+  constructor(value, expiresAt, timeoutId = null) {
+    this.value = Math.trunc(value);
+    this.expiresAt = expiresAt;
+    this.timeoutId = timeoutId;
+  }
+};
+
+// src/_third_party/rate-limit/memory-storage.ts
+var MemoryStorage = class {
+  constructor() {
+    this._storage = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Increment the counter for `key` by `value`. If the key has no record
+   * (or its TTL has expired), a new record is created with `durationSec`
+   * lifetime.
+   */
+  incrby(key, value, durationSec) {
+    const record = this._storage.get(key);
+    if (record) {
+      const msBeforeExpires = record.expiresAt ? record.expiresAt - Date.now() : -1;
+      if (!record.expiresAt || msBeforeExpires > 0) {
+        record.value = record.value + value;
+        return new LimiterResult(0, msBeforeExpires, record.value, false);
+      }
+      return this.set(key, value, durationSec);
+    }
+    return this.set(key, value, durationSec);
+  }
+  /**
+   * Write the counter for `key` to `value`, replacing any existing
+   * record. `durationSec` of 0 means "never expires".
+   */
+  set(key, value, durationSec) {
+    const durationMs = durationSec * 1e3;
+    const existing = this._storage.get(key);
+    if (existing && existing.timeoutId) {
+      clearTimeout(existing.timeoutId);
+    }
+    const record = new StorageRecord(value, durationMs > 0 ? Date.now() + durationMs : null);
+    this._storage.set(key, record);
+    if (durationMs > 0) {
+      record.timeoutId = setTimeout(() => {
+        this._storage.delete(key);
+      }, durationMs);
+      if (typeof record.timeoutId.unref === "function") {
+        record.timeoutId.unref();
+      }
+    }
+    return new LimiterResult(0, durationMs === 0 ? -1 : durationMs, record.value, true);
+  }
+  get(key) {
+    const record = this._storage.get(key);
+    if (!record) return null;
+    const msBeforeExpires = record.expiresAt ? record.expiresAt - Date.now() : -1;
+    return new LimiterResult(0, msBeforeExpires, record.value, false);
+  }
+  delete(key) {
+    const record = this._storage.get(key);
+    if (!record) return false;
+    if (record.timeoutId) {
+      clearTimeout(record.timeoutId);
+    }
+    this._storage.delete(key);
+    return true;
+  }
+  /** Inspect the underlying map. Test-only and not part of the public API. */
+  _dump() {
+    return this._storage.entries();
+  }
+  /** Clear all records. Used by tests and by `Limiter.dispose()`. */
+  clear() {
+    for (const record of this._storage.values()) {
+      if (record.timeoutId) clearTimeout(record.timeoutId);
+    }
+    this._storage.clear();
+  }
+};
+
+// src/_third_party/rate-limit/memory.ts
+var MemoryLimiter = class extends AbstractLimiter {
+  constructor(opts) {
+    super(opts);
+    this._storage = new MemoryStorage();
+  }
+  consume(key, pointsToConsume = 1, options = {}) {
+    return new Promise((resolve2, reject) => {
+      const rlKey = this._getKey(key);
+      const secDuration = this._getKeySecDuration(options);
+      let res = this._storage.incrby(rlKey, pointsToConsume, secDuration);
+      res.remainingPoints = Math.max(this._points - res.consumedPoints, 0);
+      if (res.consumedPoints > this._points) {
+        if (this._blockDuration > 0 && res.consumedPoints <= this._points + pointsToConsume) {
+          res = this._storage.set(rlKey, res.consumedPoints, this._blockDuration);
+        }
+        reject(res);
+        return;
+      }
+      if (this._execEvenly && res.msBeforeNext > 0 && !res.isFirstInDuration) {
+        let delay = Math.ceil(res.msBeforeNext / (res.remainingPoints + 2));
+        if (delay < this._execEvenlyMinDelayMs) {
+          delay = res.consumedPoints * this._execEvenlyMinDelayMs;
+        }
+        res.msBeforeNext = Math.max(res.msBeforeNext - delay, 0);
+        setTimeout(resolve2, delay, res);
+        return;
+      }
+      resolve2(res);
+    });
+  }
+  penalty(key, points = 1, options = {}) {
+    const rlKey = this._getKey(key);
+    const secDuration = this._getKeySecDuration(options);
+    const res = this._storage.incrby(rlKey, points, secDuration);
+    res.remainingPoints = Math.max(this._points - res.consumedPoints, 0);
+    return Promise.resolve(res);
+  }
+  reward(key, points = 1, options = {}) {
+    const rlKey = this._getKey(key);
+    const secDuration = this._getKeySecDuration(options);
+    const res = this._storage.incrby(rlKey, -points, secDuration);
+    res.remainingPoints = Math.max(this._points - res.consumedPoints, 0);
+    return Promise.resolve(res);
+  }
+  block(key, secDuration) {
+    const msDuration = secDuration * 1e3;
+    const initPoints = this._points + 1;
+    this._storage.set(this._getKey(key), initPoints, secDuration);
+    return Promise.resolve(new LimiterResult(0, msDuration === 0 ? -1 : msDuration, initPoints, false));
+  }
+  get(key) {
+    const res = this._storage.get(this._getKey(key));
+    if (res !== null) {
+      res.remainingPoints = Math.max(this._points - res.consumedPoints, 0);
+    }
+    return Promise.resolve(res);
+  }
+  delete(key) {
+    return Promise.resolve(this._storage.delete(this._getKey(key)));
+  }
+  /** Test/teardown helper. Drops every key and clears timers. */
+  dispose() {
+    this._storage.clear();
+  }
+};
+
+// src/middleware/brute-force.ts
+function defaultKeyGenerator(req) {
+  const xff = req.headers["x-forwarded-for"];
+  if (typeof xff === "string" && xff.length > 0) {
+    const first = xff.split(",")[0]?.trim();
+    if (first) return first;
+  }
+  if (typeof req.ip === "string" && req.ip.length > 0) return req.ip;
+  const remote = req.socket?.remoteAddress;
+  return typeof remote === "string" && remote.length > 0 ? remote : "unknown";
+}
+function bruteForceProtection(options = {}) {
+  const fastPoints = options.fastPoints ?? 5;
+  const fastDuration = options.fastDuration ?? 60;
+  const slowPoints = options.slowPoints ?? 20;
+  const slowDuration = options.slowDuration ?? 900;
+  const blockDuration = options.blockDuration ?? 900;
+  const keyGenerator = options.keyGenerator ?? defaultKeyGenerator;
+  const statusCode = options.statusCode ?? 429;
+  const message = options.message ?? "Too many login attempts. Please try again later.";
+  const skip = options.skip;
+  const fast = new MemoryLimiter({
+    points: fastPoints,
+    duration: fastDuration,
+    keyPrefix: "arcis:bf:fast"
+  });
+  const slow = new MemoryLimiter({
+    points: slowPoints,
+    duration: slowDuration,
+    blockDuration,
+    keyPrefix: "arcis:bf:slow"
+  });
+  const controller = {
+    reward: (key, points = 1) => slow.reward(key, points),
+    delete: async (key) => {
+      const a = await fast.delete(key);
+      const b = await slow.delete(key);
+      return a || b;
+    },
+    get: (key) => slow.get(key),
+    block: (key, secDuration) => slow.block(key, secDuration)
+  };
+  const handler = async (req, res, next) => {
+    try {
+      if (skip?.(req)) return next();
+      const key = keyGenerator(req);
+      req.arcisBruteForce = controller;
+      const slowRes = await slow.consume(key, 1);
+      const fastRes = await fast.consume(key, 1);
+      res.setHeader("X-RateLimit-Limit", String(slowPoints));
+      res.setHeader(
+        "X-RateLimit-Remaining",
+        String(Math.min(fastRes.remainingPoints, slowRes.remainingPoints))
+      );
+      res.setHeader(
+        "X-RateLimit-Reset",
+        String(Math.ceil(Math.max(slowRes.msBeforeNext, fastRes.msBeforeNext) / 1e3))
+      );
+      next();
+    } catch (rejection) {
+      if (rejection instanceof LimiterResult || isLimiterResultShape(rejection)) {
+        const retryAfter = Math.ceil(rejection.msBeforeNext / 1e3);
+        res.setHeader("X-RateLimit-Limit", String(slowPoints));
+        res.setHeader("X-RateLimit-Remaining", "0");
+        res.setHeader("X-RateLimit-Reset", String(retryAfter));
+        res.setHeader("Retry-After", String(retryAfter));
+        res.status(statusCode).json({ error: message, retryAfter });
+        return;
+      }
+      console.error("[arcis] brute-force middleware error:", rejection);
+      next();
+    }
+  };
+  return Object.assign(handler, { controller });
+}
+function isLimiterResultShape(x) {
+  return typeof x === "object" && x !== null && typeof x.consumedPoints === "number" && typeof x.msBeforeNext === "number";
+}
+
 // src/middleware/protect.ts
 function getClientIp(req) {
   const xff = req?.headers?.["x-forwarded-for"] ?? req?.headers?.["X-Forwarded-For"];
@@ -8860,6 +9557,10 @@ function protectLogin(options = {}) {
   const middlewares = [];
   const rl = resolve(options.rateLimit, { max: 5, windowMs: 6e4 });
   if (rl) middlewares.push(createRateLimiter(rl));
+  if (options.bruteForce) {
+    const bfOpts = options.bruteForce === true ? {} : options.bruteForce;
+    middlewares.push(bruteForceProtection(bfOpts));
+  }
   const bot = resolve(options.bot, {
     deny: ["AUTOMATED"],
     statusCode: 403,