@arcis/node 1.6.4 → 1.6.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. package/dist/astro/index.js.map +1 -1
  2. package/dist/astro/index.mjs.map +1 -1
  3. package/dist/bun/index.js.map +1 -1
  4. package/dist/bun/index.mjs.map +1 -1
  5. package/dist/core/constants.d.ts +1 -1
  6. package/dist/core/constants.d.ts.map +1 -1
  7. package/dist/core/index.js +51 -5
  8. package/dist/core/index.js.map +1 -1
  9. package/dist/core/index.mjs +51 -5
  10. package/dist/core/index.mjs.map +1 -1
  11. package/dist/fastify/index.js.map +1 -1
  12. package/dist/fastify/index.mjs.map +1 -1
  13. package/dist/hono/index.js.map +1 -1
  14. package/dist/hono/index.mjs.map +1 -1
  15. package/dist/index.js +54 -7
  16. package/dist/index.js.map +1 -1
  17. package/dist/index.mjs +54 -7
  18. package/dist/index.mjs.map +1 -1
  19. package/dist/koa/index.js.map +1 -1
  20. package/dist/koa/index.mjs.map +1 -1
  21. package/dist/logging/index.js.map +1 -1
  22. package/dist/logging/index.mjs.map +1 -1
  23. package/dist/middleware/index.js +54 -7
  24. package/dist/middleware/index.js.map +1 -1
  25. package/dist/middleware/index.mjs +54 -7
  26. package/dist/middleware/index.mjs.map +1 -1
  27. package/dist/nestjs/index.js +54 -7
  28. package/dist/nestjs/index.js.map +1 -1
  29. package/dist/nestjs/index.mjs +54 -7
  30. package/dist/nestjs/index.mjs.map +1 -1
  31. package/dist/nextjs/index.js.map +1 -1
  32. package/dist/nextjs/index.mjs.map +1 -1
  33. package/dist/nuxt/index.js.map +1 -1
  34. package/dist/nuxt/index.mjs.map +1 -1
  35. package/dist/sanitizers/index.js +54 -7
  36. package/dist/sanitizers/index.js.map +1 -1
  37. package/dist/sanitizers/index.mjs +54 -7
  38. package/dist/sanitizers/index.mjs.map +1 -1
  39. package/dist/sanitizers/ldap.d.ts +13 -1
  40. package/dist/sanitizers/ldap.d.ts.map +1 -1
  41. package/dist/stores/index.js.map +1 -1
  42. package/dist/stores/index.mjs.map +1 -1
  43. package/dist/sveltekit/index.js.map +1 -1
  44. package/dist/sveltekit/index.mjs.map +1 -1
  45. package/dist/validation/index.js +51 -5
  46. package/dist/validation/index.js.map +1 -1
  47. package/dist/validation/index.mjs +51 -5
  48. package/dist/validation/index.mjs.map +1 -1
  49. package/package.json +6 -6
package/dist/index.mjs CHANGED
@@ -119,10 +119,37 @@ var XSS_REMOVE_PATTERNS = [
119
119
  /<link[\s>][^>]*/gi
120
120
  ];
121
121
  var SQL_PATTERNS = [
122
- /** SQL keywords */
123
- /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\b)/gi,
124
- /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */
125
- /(--|\/\*|\*\/|#)/g,
122
+ /**
123
+ * Multi-token SQL attack shapes that never appear in normal English.
124
+ * Replaces the older bare-keyword pattern `\b(SELECT|INSERT|...)\b`
125
+ * which false-positived on natural language ("please select an option",
126
+ * "I'll update you tomorrow", "delete this file"). Each shape below
127
+ * is a token combination that real attackers use and benign users
128
+ * essentially never type. Matches `sqli-keywords` in
129
+ * packages/core/patterns.json. Benchmark FP class B3, 2026-06-07.
130
+ *
131
+ * Catches:
132
+ * UNION SELECT / UNION ALL SELECT (data exfiltration)
133
+ * DROP|TRUNCATE TABLE|DATABASE|INDEX|... (DDL destruction)
134
+ * INTO OUTFILE / INTO DUMPFILE (MySQL file write RCE)
135
+ * ATTACH DATABASE (SQLite hijack)
136
+ * CREATE USER|FUNCTION|TRIGGER|PROCEDURE (privilege escalation)
137
+ * GRANT ALL|SELECT|INSERT|... (privilege grant)
138
+ * xp_cmdshell / sp_executesql (SQL Server RCE)
139
+ * SHUTDOWN (DoS)
140
+ */
141
+ /(\bUNION\s+(?:ALL\s+)?SELECT\b)|(\b(?:DROP|TRUNCATE)\s+(?:TABLE|DATABASE|INDEX|VIEW|SCHEMA)\b)|(\bINTO\s+(?:OUTFILE|DUMPFILE)\b)|(\bATTACH\s+DATABASE\b)|(\bCREATE\s+(?:USER|FUNCTION|TRIGGER|PROCEDURE)\b)|(\bGRANT\s+(?:ALL|SELECT|INSERT|UPDATE|DELETE)\b)|(\bSHUTDOWN\b)|(\bxp_cmdshell\b)|(\bsp_executesql\b)/gi,
142
+ /**
143
+ * SQL comments: ANSI (--), C-style (slash-star ... star-slash).
144
+ * MySQL `#` line comment intentionally excluded: a bare `#` matches
145
+ * every hex color (#FF5300), hashtag (#trending), issue ref (#123),
146
+ * markdown heading (# Title). Real `admin' #`-style injections are
147
+ * already caught by the quote/semicolon + keyword/boolean patterns
148
+ * below — `#` adds nothing as a primary signal and a lot of FP noise.
149
+ * Matches `sqli-comments` rule in packages/core/patterns.json (which
150
+ * also excludes `#`). Benchmark FP class B1, found 2026-06-07.
151
+ */
152
+ /(--|\/\*|\*\/)/g,
126
153
  /** SQL statement separators */
127
154
  /(;|\|\||&&)/g,
128
155
  /** Boolean injection: OR 1=1 */
@@ -174,7 +201,26 @@ var PATH_PATTERNS = [
174
201
  /** Dotdotslash bypass: ....// or ....\\ */
175
202
  /\.{2,}[/\\]{2,}/g,
176
203
  /** Null byte injection in paths */
177
- /\0/g
204
+ /\0/g,
205
+ /**
206
+ * Mixed encoding: literal `..` + URL-encoded slash (`..%2F`).
207
+ * Existed in old Node SQL_PATTERNS history; restated explicitly here
208
+ * for parity with patterns.json `path-mixed-encoded`. Benchmark B6.
209
+ */
210
+ /\.\.%2[fF]/g,
211
+ /**
212
+ * Overlong UTF-8 encoding of `.` (`%C0%AE`). Historic IIS/Apache
213
+ * decoder bypass — legitimate `.` is always `%2E`; overlong-form
214
+ * encoding only appears in evasion attempts. Benchmark B6 gap that
215
+ * neither SDK caught before 2026-06-07.
216
+ */
217
+ /%[Cc]0%[Aa][Ee]/g,
218
+ /**
219
+ * Windows UNC paths (`\\server\share`) in user input. Legitimate
220
+ * web-app inputs never contain UNC references; attacker UNC
221
+ * payloads leak SMB auth or pull remote payloads. Benchmark B6.
222
+ */
223
+ /\\\\[A-Za-z0-9_.-]+\\/g
178
224
  ];
179
225
  var COMMAND_PATTERNS = [
180
226
  /**
@@ -1076,12 +1122,13 @@ function detectXxe(input) {
1076
1122
  }
1077
1123
 
1078
1124
  // src/sanitizers/ldap.ts
1079
- var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
1125
+ var LDAP_WILDCARD_VALUE_PATTERN = /=\s*\*/;
1126
+ var LDAP_NUL_PATTERN = /\x00/;
1080
1127
  var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
1081
1128
  var LDAP_NOT_BYPASS_PATTERN = /\)\s*\(\s*!|&\s*\(\s*!|\|\s*\(\s*!/;
1082
1129
  function detectLdapInjection(input) {
1083
1130
  if (typeof input !== "string") return false;
1084
- return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input);
1131
+ return LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input) || LDAP_WILDCARD_VALUE_PATTERN.test(input) || LDAP_NUL_PATTERN.test(input);
1085
1132
  }
1086
1133
 
1087
1134
  // src/sanitizers/xpath.ts