@arcis/node 1.6.4 → 1.6.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. package/dist/astro/index.js.map +1 -1
  2. package/dist/astro/index.mjs.map +1 -1
  3. package/dist/bun/index.js.map +1 -1
  4. package/dist/bun/index.mjs.map +1 -1
  5. package/dist/core/constants.d.ts +1 -1
  6. package/dist/core/constants.d.ts.map +1 -1
  7. package/dist/core/index.js +51 -5
  8. package/dist/core/index.js.map +1 -1
  9. package/dist/core/index.mjs +51 -5
  10. package/dist/core/index.mjs.map +1 -1
  11. package/dist/fastify/index.js.map +1 -1
  12. package/dist/fastify/index.mjs.map +1 -1
  13. package/dist/hono/index.js.map +1 -1
  14. package/dist/hono/index.mjs.map +1 -1
  15. package/dist/index.js +54 -7
  16. package/dist/index.js.map +1 -1
  17. package/dist/index.mjs +54 -7
  18. package/dist/index.mjs.map +1 -1
  19. package/dist/koa/index.js.map +1 -1
  20. package/dist/koa/index.mjs.map +1 -1
  21. package/dist/logging/index.js.map +1 -1
  22. package/dist/logging/index.mjs.map +1 -1
  23. package/dist/middleware/index.js +54 -7
  24. package/dist/middleware/index.js.map +1 -1
  25. package/dist/middleware/index.mjs +54 -7
  26. package/dist/middleware/index.mjs.map +1 -1
  27. package/dist/nestjs/index.js +54 -7
  28. package/dist/nestjs/index.js.map +1 -1
  29. package/dist/nestjs/index.mjs +54 -7
  30. package/dist/nestjs/index.mjs.map +1 -1
  31. package/dist/nextjs/index.js.map +1 -1
  32. package/dist/nextjs/index.mjs.map +1 -1
  33. package/dist/nuxt/index.js.map +1 -1
  34. package/dist/nuxt/index.mjs.map +1 -1
  35. package/dist/sanitizers/index.js +54 -7
  36. package/dist/sanitizers/index.js.map +1 -1
  37. package/dist/sanitizers/index.mjs +54 -7
  38. package/dist/sanitizers/index.mjs.map +1 -1
  39. package/dist/sanitizers/ldap.d.ts +13 -1
  40. package/dist/sanitizers/ldap.d.ts.map +1 -1
  41. package/dist/stores/index.js.map +1 -1
  42. package/dist/stores/index.mjs.map +1 -1
  43. package/dist/sveltekit/index.js.map +1 -1
  44. package/dist/sveltekit/index.mjs.map +1 -1
  45. package/dist/validation/index.js +51 -5
  46. package/dist/validation/index.js.map +1 -1
  47. package/dist/validation/index.mjs +51 -5
  48. package/dist/validation/index.mjs.map +1 -1
  49. package/package.json +6 -6
package/dist/nestjs/index.mjs CHANGED
@@ -112,10 +112,37 @@ var XSS_REMOVE_PATTERNS = [
112
112
  /<link[\s>][^>]*/gi
113
113
  ];
114
114
  var SQL_PATTERNS = [
115
- /** SQL keywords */
116
- /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\b)/gi,
117
- /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */
118
- /(--|\/\*|\*\/|#)/g,
115
+ /**
116
+ * Multi-token SQL attack shapes that never appear in normal English.
117
+ * Replaces the older bare-keyword pattern `\b(SELECT|INSERT|...)\b`
118
+ * which false-positived on natural language ("please select an option",
119
+ * "I'll update you tomorrow", "delete this file"). Each shape below
120
+ * is a token combination that real attackers use and benign users
121
+ * essentially never type. Matches `sqli-keywords` in
122
+ * packages/core/patterns.json. Benchmark FP class B3, 2026-06-07.
123
+ *
124
+ * Catches:
125
+ * UNION SELECT / UNION ALL SELECT (data exfiltration)
126
+ * DROP|TRUNCATE TABLE|DATABASE|INDEX|... (DDL destruction)
127
+ * INTO OUTFILE / INTO DUMPFILE (MySQL file write RCE)
128
+ * ATTACH DATABASE (SQLite hijack)
129
+ * CREATE USER|FUNCTION|TRIGGER|PROCEDURE (privilege escalation)
130
+ * GRANT ALL|SELECT|INSERT|... (privilege grant)
131
+ * xp_cmdshell / sp_executesql (SQL Server RCE)
132
+ * SHUTDOWN (DoS)
133
+ */
134
+ /(\bUNION\s+(?:ALL\s+)?SELECT\b)|(\b(?:DROP|TRUNCATE)\s+(?:TABLE|DATABASE|INDEX|VIEW|SCHEMA)\b)|(\bINTO\s+(?:OUTFILE|DUMPFILE)\b)|(\bATTACH\s+DATABASE\b)|(\bCREATE\s+(?:USER|FUNCTION|TRIGGER|PROCEDURE)\b)|(\bGRANT\s+(?:ALL|SELECT|INSERT|UPDATE|DELETE)\b)|(\bSHUTDOWN\b)|(\bxp_cmdshell\b)|(\bsp_executesql\b)/gi,
135
+ /**
136
+ * SQL comments: ANSI (--), C-style (slash-star ... star-slash).
137
+ * MySQL `#` line comment intentionally excluded: a bare `#` matches
138
+ * every hex color (#FF5300), hashtag (#trending), issue ref (#123),
139
+ * markdown heading (# Title). Real `admin' #`-style injections are
140
+ * already caught by the quote/semicolon + keyword/boolean patterns
141
+ * below — `#` adds nothing as a primary signal and a lot of FP noise.
142
+ * Matches `sqli-comments` rule in packages/core/patterns.json (which
143
+ * also excludes `#`). Benchmark FP class B1, found 2026-06-07.
144
+ */
145
+ /(--|\/\*|\*\/)/g,
119
146
  /** SQL statement separators */
120
147
  /(;|\|\||&&)/g,
121
148
  /** Boolean injection: OR 1=1 */
@@ -167,7 +194,26 @@ var PATH_PATTERNS = [
167
194
  /** Dotdotslash bypass: ....// or ....\\ */
168
195
  /\.{2,}[/\\]{2,}/g,
169
196
  /** Null byte injection in paths */
170
- /\0/g
197
+ /\0/g,
198
+ /**
199
+ * Mixed encoding: literal `..` + URL-encoded slash (`..%2F`).
200
+ * Existed in old Node SQL_PATTERNS history; restated explicitly here
201
+ * for parity with patterns.json `path-mixed-encoded`. Benchmark B6.
202
+ */
203
+ /\.\.%2[fF]/g,
204
+ /**
205
+ * Overlong UTF-8 encoding of `.` (`%C0%AE`). Historic IIS/Apache
206
+ * decoder bypass — legitimate `.` is always `%2E`; overlong-form
207
+ * encoding only appears in evasion attempts. Benchmark B6 gap that
208
+ * neither SDK caught before 2026-06-07.
209
+ */
210
+ /%[Cc]0%[Aa][Ee]/g,
211
+ /**
212
+ * Windows UNC paths (`\\server\share`) in user input. Legitimate
213
+ * web-app inputs never contain UNC references; attacker UNC
214
+ * payloads leak SMB auth or pull remote payloads. Benchmark B6.
215
+ */
216
+ /\\\\[A-Za-z0-9_.-]+\\/g
171
217
  ];
172
218
  var COMMAND_PATTERNS = [
173
219
  /**
@@ -936,12 +982,13 @@ function detectXxe(input) {
936
982
  }
937
983
 
938
984
  // src/sanitizers/ldap.ts
939
- var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
985
+ var LDAP_WILDCARD_VALUE_PATTERN = /=\s*\*/;
986
+ var LDAP_NUL_PATTERN = /\x00/;
940
987
  var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
941
988
  var LDAP_NOT_BYPASS_PATTERN = /\)\s*\(\s*!|&\s*\(\s*!|\|\s*\(\s*!/;
942
989
  function detectLdapInjection(input) {
943
990
  if (typeof input !== "string") return false;
944
- return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input);
991
+ return LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input) || LDAP_WILDCARD_VALUE_PATTERN.test(input) || LDAP_NUL_PATTERN.test(input);
945
992
  }
946
993
 
947
994
  // src/sanitizers/xpath.ts