@arcis/node 1.6.4 → 1.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. package/dist/astro/index.js.map +1 -1
  2. package/dist/astro/index.mjs.map +1 -1
  3. package/dist/bun/index.js.map +1 -1
  4. package/dist/bun/index.mjs.map +1 -1
  5. package/dist/core/constants.d.ts +1 -1
  6. package/dist/core/constants.d.ts.map +1 -1
  7. package/dist/core/index.js +51 -5
  8. package/dist/core/index.js.map +1 -1
  9. package/dist/core/index.mjs +51 -5
  10. package/dist/core/index.mjs.map +1 -1
  11. package/dist/fastify/index.js.map +1 -1
  12. package/dist/fastify/index.mjs.map +1 -1
  13. package/dist/hono/index.js.map +1 -1
  14. package/dist/hono/index.mjs.map +1 -1
  15. package/dist/index.js +54 -7
  16. package/dist/index.js.map +1 -1
  17. package/dist/index.mjs +54 -7
  18. package/dist/index.mjs.map +1 -1
  19. package/dist/koa/index.js.map +1 -1
  20. package/dist/koa/index.mjs.map +1 -1
  21. package/dist/logging/index.js.map +1 -1
  22. package/dist/logging/index.mjs.map +1 -1
  23. package/dist/middleware/index.js +54 -7
  24. package/dist/middleware/index.js.map +1 -1
  25. package/dist/middleware/index.mjs +54 -7
  26. package/dist/middleware/index.mjs.map +1 -1
  27. package/dist/nestjs/index.js +54 -7
  28. package/dist/nestjs/index.js.map +1 -1
  29. package/dist/nestjs/index.mjs +54 -7
  30. package/dist/nestjs/index.mjs.map +1 -1
  31. package/dist/nextjs/index.js.map +1 -1
  32. package/dist/nextjs/index.mjs.map +1 -1
  33. package/dist/nuxt/index.js.map +1 -1
  34. package/dist/nuxt/index.mjs.map +1 -1
  35. package/dist/sanitizers/index.js +54 -7
  36. package/dist/sanitizers/index.js.map +1 -1
  37. package/dist/sanitizers/index.mjs +54 -7
  38. package/dist/sanitizers/index.mjs.map +1 -1
  39. package/dist/sanitizers/ldap.d.ts +13 -1
  40. package/dist/sanitizers/ldap.d.ts.map +1 -1
  41. package/dist/stores/index.js.map +1 -1
  42. package/dist/stores/index.mjs.map +1 -1
  43. package/dist/sveltekit/index.js.map +1 -1
  44. package/dist/sveltekit/index.mjs.map +1 -1
  45. package/dist/validation/index.js +51 -5
  46. package/dist/validation/index.js.map +1 -1
  47. package/dist/validation/index.mjs +51 -5
  48. package/dist/validation/index.mjs.map +1 -1
  49. package/package.json +6 -6
package/dist/middleware/index.mjs CHANGED
@@ -113,10 +113,37 @@ var XSS_REMOVE_PATTERNS = [
113
113
  /<link[\s>][^>]*/gi
114
114
  ];
115
115
  var SQL_PATTERNS = [
116
- /** SQL keywords */
117
- /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\b)/gi,
118
- /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */
119
- /(--|\/\*|\*\/|#)/g,
116
+ /**
117
+ * Multi-token SQL attack shapes that never appear in normal English.
118
+ * Replaces the older bare-keyword pattern `\b(SELECT|INSERT|...)\b`
119
+ * which false-positived on natural language ("please select an option",
120
+ * "I'll update you tomorrow", "delete this file"). Each shape below
121
+ * is a token combination that real attackers use and benign users
122
+ * essentially never type. Matches `sqli-keywords` in
123
+ * packages/core/patterns.json. Benchmark FP class B3, 2026-06-07.
124
+ *
125
+ * Catches:
126
+ * UNION SELECT / UNION ALL SELECT (data exfiltration)
127
+ * DROP|TRUNCATE TABLE|DATABASE|INDEX|... (DDL destruction)
128
+ * INTO OUTFILE / INTO DUMPFILE (MySQL file write RCE)
129
+ * ATTACH DATABASE (SQLite hijack)
130
+ * CREATE USER|FUNCTION|TRIGGER|PROCEDURE (privilege escalation)
131
+ * GRANT ALL|SELECT|INSERT|... (privilege grant)
132
+ * xp_cmdshell / sp_executesql (SQL Server RCE)
133
+ * SHUTDOWN (DoS)
134
+ */
135
+ /(\bUNION\s+(?:ALL\s+)?SELECT\b)|(\b(?:DROP|TRUNCATE)\s+(?:TABLE|DATABASE|INDEX|VIEW|SCHEMA)\b)|(\bINTO\s+(?:OUTFILE|DUMPFILE)\b)|(\bATTACH\s+DATABASE\b)|(\bCREATE\s+(?:USER|FUNCTION|TRIGGER|PROCEDURE)\b)|(\bGRANT\s+(?:ALL|SELECT|INSERT|UPDATE|DELETE)\b)|(\bSHUTDOWN\b)|(\bxp_cmdshell\b)|(\bsp_executesql\b)/gi,
136
+ /**
137
+ * SQL comments: ANSI (--), C-style (slash-star ... star-slash).
138
+ * MySQL `#` line comment intentionally excluded: a bare `#` matches
139
+ * every hex color (#FF5300), hashtag (#trending), issue ref (#123),
140
+ * markdown heading (# Title). Real `admin' #`-style injections are
141
+ * already caught by the quote/semicolon + keyword/boolean patterns
142
+ * below — `#` adds nothing as a primary signal and a lot of FP noise.
143
+ * Matches `sqli-comments` rule in packages/core/patterns.json (which
144
+ * also excludes `#`). Benchmark FP class B1, found 2026-06-07.
145
+ */
146
+ /(--|\/\*|\*\/)/g,
120
147
  /** SQL statement separators */
121
148
  /(;|\|\||&&)/g,
122
149
  /** Boolean injection: OR 1=1 */
@@ -168,7 +195,26 @@ var PATH_PATTERNS = [
168
195
  /** Dotdotslash bypass: ....// or ....\\ */
169
196
  /\.{2,}[/\\]{2,}/g,
170
197
  /** Null byte injection in paths */
171
- /\0/g
198
+ /\0/g,
199
+ /**
200
+ * Mixed encoding: literal `..` + URL-encoded slash (`..%2F`).
201
+ * Existed in old Node SQL_PATTERNS history; restated explicitly here
202
+ * for parity with patterns.json `path-mixed-encoded`. Benchmark B6.
203
+ */
204
+ /\.\.%2[fF]/g,
205
+ /**
206
+ * Overlong UTF-8 encoding of `.` (`%C0%AE`). Historic IIS/Apache
207
+ * decoder bypass — legitimate `.` is always `%2E`; overlong-form
208
+ * encoding only appears in evasion attempts. Benchmark B6 gap that
209
+ * neither SDK caught before 2026-06-07.
210
+ */
211
+ /%[Cc]0%[Aa][Ee]/g,
212
+ /**
213
+ * Windows UNC paths (`\\server\share`) in user input. Legitimate
214
+ * web-app inputs never contain UNC references; attacker UNC
215
+ * payloads leak SMB auth or pull remote payloads. Benchmark B6.
216
+ */
217
+ /\\\\[A-Za-z0-9_.-]+\\/g
172
218
  ];
173
219
  var COMMAND_PATTERNS = [
174
220
  /**
@@ -939,12 +985,13 @@ function detectXxe(input) {
939
985
  }
940
986
 
941
987
  // src/sanitizers/ldap.ts
942
- var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
988
+ var LDAP_WILDCARD_VALUE_PATTERN = /=\s*\*/;
989
+ var LDAP_NUL_PATTERN = /\x00/;
943
990
  var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
944
991
  var LDAP_NOT_BYPASS_PATTERN = /\)\s*\(\s*!|&\s*\(\s*!|\|\s*\(\s*!/;
945
992
  function detectLdapInjection(input) {
946
993
  if (typeof input !== "string") return false;
947
- return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input);
994
+ return LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input) || LDAP_WILDCARD_VALUE_PATTERN.test(input) || LDAP_NUL_PATTERN.test(input);
948
995
  }
949
996
 
950
997
  // src/sanitizers/xpath.ts