@arcis/node 1.6.3 → 1.6.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (51) hide show
  1. package/README.md +4 -4
  2. package/dist/astro/index.js.map +1 -1
  3. package/dist/astro/index.mjs.map +1 -1
  4. package/dist/bun/index.js.map +1 -1
  5. package/dist/bun/index.mjs.map +1 -1
  6. package/dist/core/constants.d.ts +1 -1
  7. package/dist/core/constants.d.ts.map +1 -1
  8. package/dist/core/index.js +51 -5
  9. package/dist/core/index.js.map +1 -1
  10. package/dist/core/index.mjs +51 -5
  11. package/dist/core/index.mjs.map +1 -1
  12. package/dist/fastify/index.js.map +1 -1
  13. package/dist/fastify/index.mjs.map +1 -1
  14. package/dist/hono/index.js.map +1 -1
  15. package/dist/hono/index.mjs.map +1 -1
  16. package/dist/index.js +54 -7
  17. package/dist/index.js.map +1 -1
  18. package/dist/index.mjs +54 -7
  19. package/dist/index.mjs.map +1 -1
  20. package/dist/koa/index.js.map +1 -1
  21. package/dist/koa/index.mjs.map +1 -1
  22. package/dist/logging/index.js.map +1 -1
  23. package/dist/logging/index.mjs.map +1 -1
  24. package/dist/middleware/index.js +54 -7
  25. package/dist/middleware/index.js.map +1 -1
  26. package/dist/middleware/index.mjs +54 -7
  27. package/dist/middleware/index.mjs.map +1 -1
  28. package/dist/nestjs/index.js +54 -7
  29. package/dist/nestjs/index.js.map +1 -1
  30. package/dist/nestjs/index.mjs +54 -7
  31. package/dist/nestjs/index.mjs.map +1 -1
  32. package/dist/nextjs/index.js.map +1 -1
  33. package/dist/nextjs/index.mjs.map +1 -1
  34. package/dist/nuxt/index.js.map +1 -1
  35. package/dist/nuxt/index.mjs.map +1 -1
  36. package/dist/sanitizers/index.js +54 -7
  37. package/dist/sanitizers/index.js.map +1 -1
  38. package/dist/sanitizers/index.mjs +54 -7
  39. package/dist/sanitizers/index.mjs.map +1 -1
  40. package/dist/sanitizers/ldap.d.ts +13 -1
  41. package/dist/sanitizers/ldap.d.ts.map +1 -1
  42. package/dist/stores/index.js.map +1 -1
  43. package/dist/stores/index.mjs.map +1 -1
  44. package/dist/sveltekit/index.js.map +1 -1
  45. package/dist/sveltekit/index.mjs.map +1 -1
  46. package/dist/validation/index.js +51 -5
  47. package/dist/validation/index.js.map +1 -1
  48. package/dist/validation/index.mjs +51 -5
  49. package/dist/validation/index.mjs.map +1 -1
  50. package/package.json +9 -9
  51. package/scripts/postinstall.cjs +1 -1
@@ -77,10 +77,37 @@ var XSS_REMOVE_PATTERNS = [
77
77
  /<link[\s>][^>]*/gi
78
78
  ];
79
79
  var SQL_PATTERNS = [
80
- /** SQL keywords */
81
- /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\b)/gi,
82
- /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */
83
- /(--|\/\*|\*\/|#)/g,
80
+ /**
81
+ * Multi-token SQL attack shapes that never appear in normal English.
82
+ * Replaces the older bare-keyword pattern `\b(SELECT|INSERT|...)\b`
83
+ * which false-positived on natural language ("please select an option",
84
+ * "I'll update you tomorrow", "delete this file"). Each shape below
85
+ * is a token combination that real attackers use and benign users
86
+ * essentially never type. Matches `sqli-keywords` in
87
+ * packages/core/patterns.json. Benchmark FP class B3, 2026-06-07.
88
+ *
89
+ * Catches:
90
+ * UNION SELECT / UNION ALL SELECT (data exfiltration)
91
+ * DROP|TRUNCATE TABLE|DATABASE|INDEX|... (DDL destruction)
92
+ * INTO OUTFILE / INTO DUMPFILE (MySQL file write RCE)
93
+ * ATTACH DATABASE (SQLite hijack)
94
+ * CREATE USER|FUNCTION|TRIGGER|PROCEDURE (privilege escalation)
95
+ * GRANT ALL|SELECT|INSERT|... (privilege grant)
96
+ * xp_cmdshell / sp_executesql (SQL Server RCE)
97
+ * SHUTDOWN (DoS)
98
+ */
99
+ /(\bUNION\s+(?:ALL\s+)?SELECT\b)|(\b(?:DROP|TRUNCATE)\s+(?:TABLE|DATABASE|INDEX|VIEW|SCHEMA)\b)|(\bINTO\s+(?:OUTFILE|DUMPFILE)\b)|(\bATTACH\s+DATABASE\b)|(\bCREATE\s+(?:USER|FUNCTION|TRIGGER|PROCEDURE)\b)|(\bGRANT\s+(?:ALL|SELECT|INSERT|UPDATE|DELETE)\b)|(\bSHUTDOWN\b)|(\bxp_cmdshell\b)|(\bsp_executesql\b)/gi,
100
+ /**
101
+ * SQL comments: ANSI (--), C-style (slash-star ... star-slash).
102
+ * MySQL `#` line comment intentionally excluded: a bare `#` matches
103
+ * every hex color (#FF5300), hashtag (#trending), issue ref (#123),
104
+ * markdown heading (# Title). Real `admin' #`-style injections are
105
+ * already caught by the quote/semicolon + keyword/boolean patterns
106
+ * below — `#` adds nothing as a primary signal and a lot of FP noise.
107
+ * Matches `sqli-comments` rule in packages/core/patterns.json (which
108
+ * also excludes `#`). Benchmark FP class B1, found 2026-06-07.
109
+ */
110
+ /(--|\/\*|\*\/)/g,
84
111
  /** SQL statement separators */
85
112
  /(;|\|\||&&)/g,
86
113
  /** Boolean injection: OR 1=1 */
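Review bot: The new keyword regex still contains two shapes that are a single ordinary word or phrase — `\bSHUTDOWN\b` and `\bGRANT\s+(?:ALL|SELECT|INSERT|UPDATE|DELETE)\b` — which contradicts the header comment's claim that every alternative "never appears in normal English" ("scheduled shutdown tonight", "grant all users access"); either require a statement context around them or document the trade-off, e.g. `* SHUTDOWN and GRANT <verb> are single-phrase shapes and can still hit prose; kept because the benchmark FP rate for them was acceptable.` The comment on the comments pattern asserts that `admin' #`-style inputs are "already caught by the quote/semicolon + keyword/boolean patterns below", but those patterns are outside this hunk and the bare `#` was the only token that matched such an input here, so that claim should be pinned by a test case rather than stated in a comment. The SQL_PATTERNS array continues past the end of the hunk.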
@@ -132,7 +159,26 @@ var PATH_PATTERNS = [
132
159
  /** Dotdotslash bypass: ....// or ....\\ */
133
160
  /\.{2,}[/\\]{2,}/g,
134
161
  /** Null byte injection in paths */
135
- /\0/g
162
+ /\0/g,
163
+ /**
164
+ * Mixed encoding: literal `..` + URL-encoded slash (`..%2F`).
165
+ * Existed in old Node SQL_PATTERNS history; restated explicitly here
166
+ * for parity with patterns.json `path-mixed-encoded`. Benchmark B6.
167
+ */
168
+ /\.\.%2[fF]/g,
169
+ /**
170
+ * Overlong UTF-8 encoding of `.` (`%C0%AE`). Historic IIS/Apache
171
+ * decoder bypass — legitimate `.` is always `%2E`; overlong-form
172
+ * encoding only appears in evasion attempts. Benchmark B6 gap that
173
+ * neither SDK caught before 2026-06-07.
174
+ */
175
+ /%[Cc]0%[Aa][Ee]/g,
176
+ /**
177
+ * Windows UNC paths (`\\server\share`) in user input. Legitimate
178
+ * web-app inputs never contain UNC references; attacker UNC
179
+ * payloads leak SMB auth or pull remote payloads. Benchmark B6.
180
+ */
181
+ /\\\\[A-Za-z0-9_.-]+\\/g
136
182
  ];
137
183
  var COMMAND_PATTERNS = [
138
184
  /**
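Review bot: The UNC entry `/\\\\[A-Za-z0-9_.-]+\\/g` requires a backslash after the host, so a bare `\\host` reference (no share segment) is not matched; if that should count, `/\\\\[A-Za-z0-9_.-]+(?:\\|$)/g` covers it, otherwise the comment should say only `\\host\share` forms are detected. The overlong-UTF-8 entry `/%[Cc]0%[Aa][Ae]/g` matches only the two-byte overlong encoding of `.`; the comment presents it as covering "overlong-form encoding" generally, so it should state that the longer overlong forms are not covered (or the pattern should be extended), since they fall under the same Benchmark B6 rationale. The header comment's statement that legitimate web-app inputs "never contain UNC references" is too strong — intranet applications that accept file-share locations do — and a wording like "rarely contain" with the accepted-FP trade-off noted would be more accurate. COMMAND_PATTERNS starts inside the hunk but its body is outside it.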
@@ -612,7 +658,8 @@ function detectXxe(input) {
612
658
  // src/sanitizers/ldap.ts
613
659
  var LDAP_FILTER_CHARS = /[*()\\\x00]/g;
614
660
  var LDAP_DN_CHARS = /[,+<>;"=\/\\\x00*()\x00]/g;
615
- var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
661
+ var LDAP_WILDCARD_VALUE_PATTERN = /=\s*\*/;
662
+ var LDAP_NUL_PATTERN = /\x00/;
616
663
  var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
617
664
  var LDAP_NOT_BYPASS_PATTERN = /\)\s*\(\s*!|&\s*\(\s*!|\|\s*\(\s*!/;
618
665
  var escapeChar = (char) => "\\" + char.charCodeAt(0).toString(16).padStart(2, "0");
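Review bot: Replacing `LDAP_DETECT_PATTERN` (which flagged any `*`, `(`, `)`, `\` or NUL) with `LDAP_WILDCARD_VALUE_PATTERN = /=\s*\*/` means a value consisting only of `*` no longer trips detection, because the `=` is normally supplied by the caller's filter template (`(uid=${input})`) rather than by the user string; in the following hunk `detectLdapInjection("*")` therefore returns false where the old code returned true. If stand-alone wildcard values are meant to be detected, `var LDAP_WILDCARD_VALUE_PATTERN = /=\s*\*|^\s*\*\s*$/;` keeps the intended `=*` shape while covering that case. Dropping `\` from detection also means LDAP hex escapes such as `\2a` are no longer a detection signal, which is presumably fine because `LDAP_FILTER_CHARS` still escapes the backslash at sanitization time, but that asymmetry deserves a comment next to the new constants, e.g. `// Detection is deliberately narrower than LDAP_FILTER_CHARS: bare parens, backslashes and lone wildcards are left to the filter sanitizer.`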
@@ -626,7 +673,7 @@ function sanitizeLdapDn(input) {
626
673
  }
627
674
  function detectLdapInjection(input) {
628
675
  if (typeof input !== "string") return false;
629
- return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input);
676
+ return LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input) || LDAP_WILDCARD_VALUE_PATTERN.test(input) || LDAP_NUL_PATTERN.test(input);
630
677
  }
631
678
 
632
679
  // src/sanitizers/xpath.ts