npm - @arcis/node - Versions diffs - 1.6.1 → 1.6.3 - Mend

@arcis/node 1.6.1 → 1.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/README.md +5 -3
package/dist/_third_party/rate-limit/abstract.d.ts +36 -0
package/dist/_third_party/rate-limit/abstract.d.ts.map +1 -0
package/dist/_third_party/rate-limit/bursty.d.ts +21 -0
package/dist/_third_party/rate-limit/bursty.d.ts.map +1 -0
package/dist/_third_party/rate-limit/index.d.ts +12 -0
package/dist/_third_party/rate-limit/index.d.ts.map +1 -0
package/dist/_third_party/rate-limit/memory-storage.d.ts +28 -0
package/dist/_third_party/rate-limit/memory-storage.d.ts.map +1 -0
package/dist/_third_party/rate-limit/memory.d.ts +23 -0
package/dist/_third_party/rate-limit/memory.d.ts.map +1 -0
package/dist/_third_party/rate-limit/record.d.ts +11 -0
package/dist/_third_party/rate-limit/record.d.ts.map +1 -0
package/dist/_third_party/rate-limit/types.d.ts +39 -0
package/dist/_third_party/rate-limit/types.d.ts.map +1 -0
package/dist/astro/index.js +405 -0
package/dist/astro/index.js.map +1 -1
package/dist/astro/index.mjs +405 -0
package/dist/astro/index.mjs.map +1 -1
package/dist/bun/index.js +405 -0
package/dist/bun/index.js.map +1 -1
package/dist/bun/index.mjs +405 -0
package/dist/bun/index.mjs.map +1 -1
package/dist/fastify/index.js +405 -0
package/dist/fastify/index.js.map +1 -1
package/dist/fastify/index.mjs +405 -0
package/dist/fastify/index.mjs.map +1 -1
package/dist/hono/index.js +405 -0
package/dist/hono/index.js.map +1 -1
package/dist/hono/index.mjs +405 -0
package/dist/hono/index.mjs.map +1 -1
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +754 -5
package/dist/index.js.map +1 -1
package/dist/index.mjs +754 -6
package/dist/index.mjs.map +1 -1
package/dist/koa/index.js +405 -0
package/dist/koa/index.js.map +1 -1
package/dist/koa/index.mjs +405 -0
package/dist/koa/index.mjs.map +1 -1
package/dist/middleware/brute-force.d.ts +69 -0
package/dist/middleware/brute-force.d.ts.map +1 -0
package/dist/middleware/index.js +702 -1
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +702 -1
package/dist/middleware/index.mjs.map +1 -1
package/dist/middleware/nestjs.d.ts +50 -1
package/dist/middleware/nestjs.d.ts.map +1 -1
package/dist/middleware/protect.d.ts +9 -0
package/dist/middleware/protect.d.ts.map +1 -1
package/dist/nestjs/index.js +57 -2
package/dist/nestjs/index.js.map +1 -1
package/dist/nestjs/index.mjs +57 -3
package/dist/nestjs/index.mjs.map +1 -1
package/dist/nextjs/index.js +405 -0
package/dist/nextjs/index.js.map +1 -1
package/dist/nextjs/index.mjs +405 -0
package/dist/nextjs/index.mjs.map +1 -1
package/dist/nuxt/index.js +405 -0
package/dist/nuxt/index.js.map +1 -1
package/dist/nuxt/index.mjs +405 -0
package/dist/nuxt/index.mjs.map +1 -1
package/dist/sanitizers/index.js +2 -1
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +2 -1
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/sanitizers/ldap.d.ts.map +1 -1
package/dist/sanitizers/prompt-injection.d.ts +3 -3
package/dist/sanitizers/prompt-injection.d.ts.map +1 -1
package/dist/sveltekit/index.js +405 -0
package/dist/sveltekit/index.js.map +1 -1
package/dist/sveltekit/index.mjs +405 -0
package/dist/sveltekit/index.mjs.map +1 -1
package/package.json +2 -2

package/dist/middleware/nestjs.d.ts CHANGED Viewed

@@ -33,7 +33,7 @@
  * `@nestjs/common` installed; non-NestJS users pay nothing.
  */
 import type { Request, Response, NextFunction } from 'express';
-import type { DynamicModule } from '@nestjs/common';
+import type { CanActivate, DynamicModule, ExecutionContext } from '@nestjs/common';
 import type { ArcisOptions } from '../core/types';
 /** Injection token for `ArcisOptions` consumed by `ArcisMiddleware`'s factory. */
 export declare const ARCIS_OPTIONS: unique symbol;
@@ -50,10 +50,59 @@ export declare class ArcisMiddleware {
     /** Release rate-limiter intervals etc. Call from `OnApplicationShutdown`. */
     close(): void;
 }
+/**
+ * NestJS Guard implementation of the Arcis stack.
+ *
+ * Class-middleware applied via `MiddlewareConsumer.apply().forRoutes()` does
+ * not reliably short-circuit NestJS's controller pipeline when an inner
+ * handler writes `res.status(403).end()` without calling Express's `next`.
+ * The controller resolution path runs anyway and the controller's return
+ * value overwrites the deny response. CI surfaced this with 0-of-8 attacks
+ * blocked on the NestJS example using the `MiddlewareConsumer` pattern.
+ *
+ * `CanActivate` runs in the correct NestJS lifecycle slot (after body-parse,
+ * before controller resolution) and is designed to deny via `return false`
+ * or by writing the response directly. When an Arcis handler writes a 403,
+ * the guard sees `res.headersSent === true` after it runs and returns
+ * `false`, which NestJS treats as a denial without re-running the
+ * controller. Successful traversal (no threats found) returns `true` and
+ * NestJS proceeds to the controller with the mutated (sanitized) req.
+ *
+ * Recommended over `ArcisMiddleware` for NestJS apps that want deny-on-
+ * detect behavior. `ArcisMiddleware` is retained for backward compat but
+ * is best suited for sanitize-only / observation-only usage.
+ *
+ * Register globally via the `APP_GUARD` token:
+ *
+ * ```ts
+ * import { APP_GUARD } from '@nestjs/core';
+ * import { ArcisGuard } from '@arcis/node/nestjs';
+ *
+ * @Module({
+ *   providers: [
+ *     {
+ *       provide: APP_GUARD,
+ *       useFactory: () => new ArcisGuard({ block: true }),
+ *     },
+ *   ],
+ * })
+ * export class AppModule {}
+ * ```
+ */
+export declare class ArcisGuard implements CanActivate {
+    private readonly handlers;
+    constructor(options?: ArcisOptions);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    /** Release rate-limiter intervals etc. Call from `OnApplicationShutdown`. */
+    close(): void;
+}
 /**
  * NestJS dynamic module. `ArcisModule.forRoot(options)` is the entry point.
  * Returns a plain `DynamicModule` literal so `@Module({})` is unnecessary on
  * `ArcisModule` itself; this keeps `@nestjs/common` purely a type-only import.
+ *
+ * Exports both `ArcisMiddleware` (for legacy `MiddlewareConsumer` consumers)
+ * and `ArcisGuard` (recommended; actually denies attacks on detect).
  */
 export declare class ArcisModule {
     static forRoot(options?: ArcisOptions): DynamicModule;

package/dist/middleware/nestjs.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"nestjs.d.ts","sourceRoot":"","sources":["../../src/middleware/nestjs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAkB,MAAM,SAAS,CAAC;AAC/E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;~~AAEpD~~,OAAO,KAAK,EAAE,YAAY,EAAwB,MAAM,eAAe,CAAC;AAExE,kFAAkF;AAClF,eAAO,MAAM,aAAa,eAA0B,CAAC;AAErD;;;;;GAKG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAuB;gBAEpC,OAAO,GAAE,YAAiB;IAItC,GAAG,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI;IAsB1D,6EAA6E;IAC7E,KAAK,IAAI,IAAI;CAGd;AAED~~;;;;GAIG~~;AACH,qBAAa,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,OAAO,GAAE,YAAiB,GAAG,aAAa;~~CAc1D~~;AAED,eAAe,WAAW,CAAC"}
1	+ {"version":3,"file":"nestjs.d.ts","sourceRoot":"","sources":["../../src/middleware/nestjs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAkB,MAAM,SAAS,CAAC;AAC/E,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAEnF,OAAO,KAAK,EAAE,YAAY,EAAwB,MAAM,eAAe,CAAC;AAExE,kFAAkF;AAClF,eAAO,MAAM,aAAa,eAA0B,CAAC;AAErD;;;;;GAKG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAuB;gBAEpC,OAAO,GAAE,YAAiB;IAItC,GAAG,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI;IAsB1D,6EAA6E;IAC7E,KAAK,IAAI,IAAI;CAGd;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,qBAAa,UAAW,YAAW,WAAW;IAC5C,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAuB;gBAEpC,OAAO,GAAE,YAAiB;IAItC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;IAoDxD,6EAA6E;IAC7E,KAAK,IAAI,IAAI;CAGd;AAED;;;;;;;GAOG;AACH,qBAAa,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,OAAO,GAAE,YAAiB,GAAG,aAAa;CAmB1D;AAED,eAAe,WAAW,CAAC"}

package/dist/middleware/protect.d.ts CHANGED Viewed

@@ -35,6 +35,7 @@ import { type BotProtectionOptions } from './bot-detection';
 import { type CsrfOptions } from './csrf';
 import type { CorsOptions } from './cors';
 import { type SignupProtectionOptions } from './signup-protection';
+import { type BruteForceOptions } from './brute-force';
 import type { RateLimitOptions, SanitizeOptions } from '../core/types';
 import { CorrelationWindow } from './correlation';
 /**
@@ -75,6 +76,14 @@ export interface ProtectLoginOptions {
     sanitize?: LayerOverride<SanitizeOptions>;
     /** Optional correlation-window wiring (improvements.md §1.4). */
     correlation?: CorrelationOptions;
+    /**
+     * Optional brute-force layer. When enabled, layers a bursty limiter
+     * on top of the fast rate-limit window: N attempts in `slowDuration`
+     * seconds trips a `blockDuration`-second semi-permanent block.
+     * Defaults to disabled (preserves existing behavior); pass `true`
+     * for safe defaults or an options object to customize.
+     */
+    bruteForce?: boolean | BruteForceOptions;
 }
 export interface ProtectSignupOptions {
     rateLimit?: LayerOverride<RateLimitOptions>;

package/dist/middleware/protect.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"protect.d.ts","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE9C,OAAO,EAAiB,KAAK,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAC3E,OAAO,EAAkB,KAAK,WAAW,EAAE,MAAM,QAAQ,CAAC;AAE1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAC1C,OAAO,EAAoB,KAAK,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;~~AAErF~~,OAAO,KAAK,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACvE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAElD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,iBAAiB,CAAC;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAmDD;;;;GAIG;AACH,KAAK,aAAa,CAAC,CAAC,IAAI,KAAK,GAAG,CAAC,GAAG,SAAS,CAAC;AAE9C,MAAM,WAAW,mBAAmB;IAClC,SAAS,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC5C,GAAG,CAAC,EAAE,aAAa,CAAC,oBAAoB,CAAC,CAAC;IAC1C,IAAI,CAAC,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;IAClC,QAAQ,CAAC,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC1C,iEAAiE;IACjE,WAAW,CAAC,EAAE,kBAAkB,CAAC;~~CAClC~~;AAED,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC5C,GAAG,CAAC,EAAE,aAAa,CAAC,oBAAoB,CAAC,CAAC;IAC1C,QAAQ,CAAC,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC1C,sFAAsF;IACtF,MAAM,CAAC,EAAE,aAAa,CAAC,uBAAuB,CAAC,CAAC;IAChD,iEAAiE;IACjE,WAAW,CAAC,EAAE,kBAAkB,CAAC;CAClC;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC5C,6EAA6E;IAC7E,IAAI,CAAC,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;IAClC,QAAQ,CAAC,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC1C,iEAAiE;IACjE,WAAW,CAAC,EAAE,kBAAkB,CAAC;CAClC;AAaD;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,OAAO,GAAE,mBAAwB,GAAG,cAAc,EAAE,~~CA0BhF~~;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,OAAO,GAAE,oBAAyB,GAAG,cAAc,EAAE,CA0BlF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,UAAU,CAAC,OAAO,GAAE,iBAAsB,GAAG,cAAc,EAAE,CAsB5E"}
1	+ {"version":3,"file":"protect.d.ts","sourceRoot":"","sources":["../../src/middleware/protect.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE9C,OAAO,EAAiB,KAAK,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAC3E,OAAO,EAAkB,KAAK,WAAW,EAAE,MAAM,QAAQ,CAAC;AAE1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAC1C,OAAO,EAAoB,KAAK,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AACrF,OAAO,EAAwB,KAAK,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAE7E,OAAO,KAAK,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACvE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAElD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,iBAAiB,CAAC;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAmDD;;;;GAIG;AACH,KAAK,aAAa,CAAC,CAAC,IAAI,KAAK,GAAG,CAAC,GAAG,SAAS,CAAC;AAE9C,MAAM,WAAW,mBAAmB;IAClC,SAAS,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC5C,GAAG,CAAC,EAAE,aAAa,CAAC,oBAAoB,CAAC,CAAC;IAC1C,IAAI,CAAC,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;IAClC,QAAQ,CAAC,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC1C,iEAAiE;IACjE,WAAW,CAAC,EAAE,kBAAkB,CAAC;IACjC;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,OAAO,GAAG,iBAAiB,CAAC;CAC1C;AAED,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC5C,GAAG,CAAC,EAAE,aAAa,CAAC,oBAAoB,CAAC,CAAC;IAC1C,QAAQ,CAAC,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC1C,sFAAsF;IACtF,MAAM,CAAC,EAAE,aAAa,CAAC,uBAAuB,CAAC,CAAC;IAChD,iEAAiE;IACjE,WAAW,CAAC,EAAE,kBAAkB,CAAC;CAClC;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC5C,6EAA6E;IAC7E,IAAI,CAAC,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;IAClC,QAAQ,CAAC,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC1C,iEAAiE;IACjE,WAAW,CAAC,EAAE,kBAAkB,CAAC;CAClC;AAaD;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,OAAO,GAAE,mBAAwB,GAAG,cAAc,EAAE,CAgChF;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,OAAO,GAAE,oBAAyB,GAAG,cAAc,EAAE,CA0BlF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,UAAU,CAAC,OAAO,GAAE,iBAAsB,GAAG,cAAc,EAAE,CAsB5E"}

package/dist/nestjs/index.js CHANGED Viewed

@@ -942,9 +942,10 @@ function detectXxe(input) {
 // src/sanitizers/ldap.ts
 var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
 var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
+var LDAP_NOT_BYPASS_PATTERN = /\)\s*\(\s*!|&\s*\(\s*!|\|\s*\(\s*!/;
 function detectLdapInjection(input) {
   if (typeof input !== "string") return false;
-  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input);
 }
 // src/sanitizers/xpath.ts
@@ -1751,6 +1752,54 @@ var ArcisMiddleware = class {
     this.handlers.close();
   }
 };
+var ArcisGuard = class {
+  constructor(options = {}) {
+    this.handlers = arcis(options);
+  }
+  canActivate(context) {
+    const http = context.switchToHttp();
+    const req = http.getRequest();
+    const res = http.getResponse();
+    return new Promise((resolve, reject) => {
+      const handlers = this.handlers;
+      let i = 0;
+      const run = (err) => {
+        if (err !== void 0) {
+          reject(err);
+          return;
+        }
+        if (res.headersSent) {
+          resolve(false);
+          return;
+        }
+        const handler = handlers[i++];
+        if (!handler) {
+          resolve(!res.headersSent);
+          return;
+        }
+        let advanced = false;
+        const wrappedNext = (innerErr) => {
+          advanced = true;
+          run(innerErr);
+        };
+        try {
+          handler(req, res, wrappedNext);
+        } catch (caught) {
+          reject(caught);
+          return;
+        }
+        if (!advanced && res.headersSent) {
+          resolve(false);
+        }
+      };
+      run();
+    });
+  }
+  /** Release rate-limiter intervals etc. Call from `OnApplicationShutdown`. */
+  close() {
+    this.handlers.close();
+  }
+};
 var ArcisModule = class _ArcisModule {
   static forRoot(options = {}) {
     return {
@@ -1761,15 +1810,21 @@ var ArcisModule = class _ArcisModule {
           provide: ArcisMiddleware,
           useFactory: (opts) => new ArcisMiddleware(opts),
           inject: [ARCIS_OPTIONS]
+        },
+        {
+          provide: ArcisGuard,
+          useFactory: (opts) => new ArcisGuard(opts),
+          inject: [ARCIS_OPTIONS]
         }
       ],
-      exports: [ArcisMiddleware]
+      exports: [ArcisMiddleware, ArcisGuard]
     };
   }
 };
 var nestjs_default = ArcisModule;
 exports.ARCIS_OPTIONS = ARCIS_OPTIONS;
+exports.ArcisGuard = ArcisGuard;
 exports.ArcisMiddleware = ArcisMiddleware;
 exports.ArcisModule = ArcisModule;
 exports.default = nestjs_default;