@arcis/node 1.6.4 → 1.6.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. package/dist/astro/index.js.map +1 -1
  2. package/dist/astro/index.mjs.map +1 -1
  3. package/dist/bun/index.js.map +1 -1
  4. package/dist/bun/index.mjs.map +1 -1
  5. package/dist/core/constants.d.ts +1 -1
  6. package/dist/core/constants.d.ts.map +1 -1
  7. package/dist/core/index.js +51 -5
  8. package/dist/core/index.js.map +1 -1
  9. package/dist/core/index.mjs +51 -5
  10. package/dist/core/index.mjs.map +1 -1
  11. package/dist/fastify/index.js.map +1 -1
  12. package/dist/fastify/index.mjs.map +1 -1
  13. package/dist/hono/index.js.map +1 -1
  14. package/dist/hono/index.mjs.map +1 -1
  15. package/dist/index.js +54 -7
  16. package/dist/index.js.map +1 -1
  17. package/dist/index.mjs +54 -7
  18. package/dist/index.mjs.map +1 -1
  19. package/dist/koa/index.js.map +1 -1
  20. package/dist/koa/index.mjs.map +1 -1
  21. package/dist/logging/index.js.map +1 -1
  22. package/dist/logging/index.mjs.map +1 -1
  23. package/dist/middleware/index.js +54 -7
  24. package/dist/middleware/index.js.map +1 -1
  25. package/dist/middleware/index.mjs +54 -7
  26. package/dist/middleware/index.mjs.map +1 -1
  27. package/dist/nestjs/index.js +54 -7
  28. package/dist/nestjs/index.js.map +1 -1
  29. package/dist/nestjs/index.mjs +54 -7
  30. package/dist/nestjs/index.mjs.map +1 -1
  31. package/dist/nextjs/index.js.map +1 -1
  32. package/dist/nextjs/index.mjs.map +1 -1
  33. package/dist/nuxt/index.js.map +1 -1
  34. package/dist/nuxt/index.mjs.map +1 -1
  35. package/dist/sanitizers/index.js +54 -7
  36. package/dist/sanitizers/index.js.map +1 -1
  37. package/dist/sanitizers/index.mjs +54 -7
  38. package/dist/sanitizers/index.mjs.map +1 -1
  39. package/dist/sanitizers/ldap.d.ts +13 -1
  40. package/dist/sanitizers/ldap.d.ts.map +1 -1
  41. package/dist/stores/index.js.map +1 -1
  42. package/dist/stores/index.mjs.map +1 -1
  43. package/dist/sveltekit/index.js.map +1 -1
  44. package/dist/sveltekit/index.mjs.map +1 -1
  45. package/dist/validation/index.js +51 -5
  46. package/dist/validation/index.js.map +1 -1
  47. package/dist/validation/index.mjs +51 -5
  48. package/dist/validation/index.mjs.map +1 -1
  49. package/package.json +6 -6
package/dist/index.js CHANGED
@@ -142,10 +142,37 @@ var XSS_REMOVE_PATTERNS = [
142
142
  /<link[\s>][^>]*/gi
143
143
  ];
144
144
  var SQL_PATTERNS = [
145
- /** SQL keywords */
146
- /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\b)/gi,
147
- /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */
148
- /(--|\/\*|\*\/|#)/g,
145
+ /**
146
+ * Multi-token SQL attack shapes that never appear in normal English.
147
+ * Replaces the older bare-keyword pattern `\b(SELECT|INSERT|...)\b`
148
+ * which false-positived on natural language ("please select an option",
149
+ * "I'll update you tomorrow", "delete this file"). Each shape below
150
+ * is a token combination that real attackers use and benign users
151
+ * essentially never type. Matches `sqli-keywords` in
152
+ * packages/core/patterns.json. Benchmark FP class B3, 2026-06-07.
153
+ *
154
+ * Catches:
155
+ * UNION SELECT / UNION ALL SELECT (data exfiltration)
156
+ * DROP|TRUNCATE TABLE|DATABASE|INDEX|... (DDL destruction)
157
+ * INTO OUTFILE / INTO DUMPFILE (MySQL file write RCE)
158
+ * ATTACH DATABASE (SQLite hijack)
159
+ * CREATE USER|FUNCTION|TRIGGER|PROCEDURE (privilege escalation)
160
+ * GRANT ALL|SELECT|INSERT|... (privilege grant)
161
+ * xp_cmdshell / sp_executesql (SQL Server RCE)
162
+ * SHUTDOWN (DoS)
163
+ */
164
+ /(\bUNION\s+(?:ALL\s+)?SELECT\b)|(\b(?:DROP|TRUNCATE)\s+(?:TABLE|DATABASE|INDEX|VIEW|SCHEMA)\b)|(\bINTO\s+(?:OUTFILE|DUMPFILE)\b)|(\bATTACH\s+DATABASE\b)|(\bCREATE\s+(?:USER|FUNCTION|TRIGGER|PROCEDURE)\b)|(\bGRANT\s+(?:ALL|SELECT|INSERT|UPDATE|DELETE)\b)|(\bSHUTDOWN\b)|(\bxp_cmdshell\b)|(\bsp_executesql\b)/gi,
165
+ /**
166
+ * SQL comments: ANSI (--), C-style (slash-star ... star-slash).
167
+ * MySQL `#` line comment intentionally excluded: a bare `#` matches
168
+ * every hex color (#FF5300), hashtag (#trending), issue ref (#123),
169
+ * markdown heading (# Title). Real `admin' #`-style injections are
170
+ * already caught by the quote/semicolon + keyword/boolean patterns
171
+ * below — `#` adds nothing as a primary signal and a lot of FP noise.
172
+ * Matches `sqli-comments` rule in packages/core/patterns.json (which
173
+ * also excludes `#`). Benchmark FP class B1, found 2026-06-07.
174
+ */
175
+ /(--|\/\*|\*\/)/g,
149
176
  /** SQL statement separators */
150
177
  /(;|\|\||&&)/g,
151
178
  /** Boolean injection: OR 1=1 */
@@ -197,7 +224,26 @@ var PATH_PATTERNS = [
197
224
  /** Dotdotslash bypass: ....// or ....\\ */
198
225
  /\.{2,}[/\\]{2,}/g,
199
226
  /** Null byte injection in paths */
200
- /\0/g
227
+ /\0/g,
228
+ /**
229
+ * Mixed encoding: literal `..` + URL-encoded slash (`..%2F`).
230
+ * Existed in old Node SQL_PATTERNS history; restated explicitly here
231
+ * for parity with patterns.json `path-mixed-encoded`. Benchmark B6.
232
+ */
233
+ /\.\.%2[fF]/g,
234
+ /**
235
+ * Overlong UTF-8 encoding of `.` (`%C0%AE`). Historic IIS/Apache
236
+ * decoder bypass — legitimate `.` is always `%2E`; overlong-form
237
+ * encoding only appears in evasion attempts. Benchmark B6 gap that
238
+ * neither SDK caught before 2026-06-07.
239
+ */
240
+ /%[Cc]0%[Aa][Ee]/g,
241
+ /**
242
+ * Windows UNC paths (`\\server\share`) in user input. Legitimate
243
+ * web-app inputs never contain UNC references; attacker UNC
244
+ * payloads leak SMB auth or pull remote payloads. Benchmark B6.
245
+ */
246
+ /\\\\[A-Za-z0-9_.-]+\\/g
201
247
  ];
202
248
  var COMMAND_PATTERNS = [
203
249
  /**
@@ -1099,12 +1145,13 @@ function detectXxe(input) {
1099
1145
  }
1100
1146
 
1101
1147
  // src/sanitizers/ldap.ts
1102
- var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
1148
+ var LDAP_WILDCARD_VALUE_PATTERN = /=\s*\*/;
1149
+ var LDAP_NUL_PATTERN = /\x00/;
1103
1150
  var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
1104
1151
  var LDAP_NOT_BYPASS_PATTERN = /\)\s*\(\s*!|&\s*\(\s*!|\|\s*\(\s*!/;
1105
1152
  function detectLdapInjection(input) {
1106
1153
  if (typeof input !== "string") return false;
1107
- return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input);
1154
+ return LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input) || LDAP_WILDCARD_VALUE_PATTERN.test(input) || LDAP_NUL_PATTERN.test(input);
1108
1155
  }
1109
1156
 
1110
1157
  // src/sanitizers/xpath.ts