@arcis/node 1.6.4 → 1.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. package/dist/astro/index.js.map +1 -1
  2. package/dist/astro/index.mjs.map +1 -1
  3. package/dist/bun/index.js.map +1 -1
  4. package/dist/bun/index.mjs.map +1 -1
  5. package/dist/core/constants.d.ts +1 -1
  6. package/dist/core/constants.d.ts.map +1 -1
  7. package/dist/core/index.js +51 -5
  8. package/dist/core/index.js.map +1 -1
  9. package/dist/core/index.mjs +51 -5
  10. package/dist/core/index.mjs.map +1 -1
  11. package/dist/fastify/index.js.map +1 -1
  12. package/dist/fastify/index.mjs.map +1 -1
  13. package/dist/hono/index.js.map +1 -1
  14. package/dist/hono/index.mjs.map +1 -1
  15. package/dist/index.js +54 -7
  16. package/dist/index.js.map +1 -1
  17. package/dist/index.mjs +54 -7
  18. package/dist/index.mjs.map +1 -1
  19. package/dist/koa/index.js.map +1 -1
  20. package/dist/koa/index.mjs.map +1 -1
  21. package/dist/logging/index.js.map +1 -1
  22. package/dist/logging/index.mjs.map +1 -1
  23. package/dist/middleware/index.js +54 -7
  24. package/dist/middleware/index.js.map +1 -1
  25. package/dist/middleware/index.mjs +54 -7
  26. package/dist/middleware/index.mjs.map +1 -1
  27. package/dist/nestjs/index.js +54 -7
  28. package/dist/nestjs/index.js.map +1 -1
  29. package/dist/nestjs/index.mjs +54 -7
  30. package/dist/nestjs/index.mjs.map +1 -1
  31. package/dist/nextjs/index.js.map +1 -1
  32. package/dist/nextjs/index.mjs.map +1 -1
  33. package/dist/nuxt/index.js.map +1 -1
  34. package/dist/nuxt/index.mjs.map +1 -1
  35. package/dist/sanitizers/index.js +54 -7
  36. package/dist/sanitizers/index.js.map +1 -1
  37. package/dist/sanitizers/index.mjs +54 -7
  38. package/dist/sanitizers/index.mjs.map +1 -1
  39. package/dist/sanitizers/ldap.d.ts +13 -1
  40. package/dist/sanitizers/ldap.d.ts.map +1 -1
  41. package/dist/stores/index.js.map +1 -1
  42. package/dist/stores/index.mjs.map +1 -1
  43. package/dist/sveltekit/index.js.map +1 -1
  44. package/dist/sveltekit/index.mjs.map +1 -1
  45. package/dist/validation/index.js +51 -5
  46. package/dist/validation/index.js.map +1 -1
  47. package/dist/validation/index.mjs +51 -5
  48. package/dist/validation/index.mjs.map +1 -1
  49. package/package.json +6 -6
package/dist/nestjs/index.js CHANGED
@@ -116,10 +116,37 @@ var XSS_REMOVE_PATTERNS = [
116
116
  /<link[\s>][^>]*/gi
117
117
  ];
118
118
  var SQL_PATTERNS = [
119
- /** SQL keywords */
120
- /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\b)/gi,
121
- /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */
122
- /(--|\/\*|\*\/|#)/g,
119
+ /**
120
+ * Multi-token SQL attack shapes that never appear in normal English.
121
+ * Replaces the older bare-keyword pattern `\b(SELECT|INSERT|...)\b`
122
+ * which false-positived on natural language ("please select an option",
123
+ * "I'll update you tomorrow", "delete this file"). Each shape below
124
+ * is a token combination that real attackers use and benign users
125
+ * essentially never type. Matches `sqli-keywords` in
126
+ * packages/core/patterns.json. Benchmark FP class B3, 2026-06-07.
127
+ *
128
+ * Catches:
129
+ * UNION SELECT / UNION ALL SELECT (data exfiltration)
130
+ * DROP|TRUNCATE TABLE|DATABASE|INDEX|... (DDL destruction)
131
+ * INTO OUTFILE / INTO DUMPFILE (MySQL file write RCE)
132
+ * ATTACH DATABASE (SQLite hijack)
133
+ * CREATE USER|FUNCTION|TRIGGER|PROCEDURE (privilege escalation)
134
+ * GRANT ALL|SELECT|INSERT|... (privilege grant)
135
+ * xp_cmdshell / sp_executesql (SQL Server RCE)
136
+ * SHUTDOWN (DoS)
137
+ */
138
+ /(\bUNION\s+(?:ALL\s+)?SELECT\b)|(\b(?:DROP|TRUNCATE)\s+(?:TABLE|DATABASE|INDEX|VIEW|SCHEMA)\b)|(\bINTO\s+(?:OUTFILE|DUMPFILE)\b)|(\bATTACH\s+DATABASE\b)|(\bCREATE\s+(?:USER|FUNCTION|TRIGGER|PROCEDURE)\b)|(\bGRANT\s+(?:ALL|SELECT|INSERT|UPDATE|DELETE)\b)|(\bSHUTDOWN\b)|(\bxp_cmdshell\b)|(\bsp_executesql\b)/gi,
139
+ /**
140
+ * SQL comments: ANSI (--), C-style (slash-star ... star-slash).
141
+ * MySQL `#` line comment intentionally excluded: a bare `#` matches
142
+ * every hex color (#FF5300), hashtag (#trending), issue ref (#123),
143
+ * markdown heading (# Title). Real `admin' #`-style injections are
144
+ * already caught by the quote/semicolon + keyword/boolean patterns
145
+ * below — `#` adds nothing as a primary signal and a lot of FP noise.
146
+ * Matches `sqli-comments` rule in packages/core/patterns.json (which
147
+ * also excludes `#`). Benchmark FP class B1, found 2026-06-07.
148
+ */
149
+ /(--|\/\*|\*\/)/g,
123
150
  /** SQL statement separators */
124
151
  /(;|\|\||&&)/g,
125
152
  /** Boolean injection: OR 1=1 */
@@ -171,7 +198,26 @@ var PATH_PATTERNS = [
171
198
  /** Dotdotslash bypass: ....// or ....\\ */
172
199
  /\.{2,}[/\\]{2,}/g,
173
200
  /** Null byte injection in paths */
174
- /\0/g
201
+ /\0/g,
202
+ /**
203
+ * Mixed encoding: literal `..` + URL-encoded slash (`..%2F`).
204
+ * Existed in old Node SQL_PATTERNS history; restated explicitly here
205
+ * for parity with patterns.json `path-mixed-encoded`. Benchmark B6.
206
+ */
207
+ /\.\.%2[fF]/g,
208
+ /**
209
+ * Overlong UTF-8 encoding of `.` (`%C0%AE`). Historic IIS/Apache
210
+ * decoder bypass — legitimate `.` is always `%2E`; overlong-form
211
+ * encoding only appears in evasion attempts. Benchmark B6 gap that
212
+ * neither SDK caught before 2026-06-07.
213
+ */
214
+ /%[Cc]0%[Aa][Ee]/g,
215
+ /**
216
+ * Windows UNC paths (`\\server\share`) in user input. Legitimate
217
+ * web-app inputs never contain UNC references; attacker UNC
218
+ * payloads leak SMB auth or pull remote payloads. Benchmark B6.
219
+ */
220
+ /\\\\[A-Za-z0-9_.-]+\\/g
175
221
  ];
176
222
  var COMMAND_PATTERNS = [
177
223
  /**
@@ -940,12 +986,13 @@ function detectXxe(input) {
940
986
  }
941
987
 
942
988
  // src/sanitizers/ldap.ts
943
- var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
989
+ var LDAP_WILDCARD_VALUE_PATTERN = /=\s*\*/;
990
+ var LDAP_NUL_PATTERN = /\x00/;
944
991
  var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
945
992
  var LDAP_NOT_BYPASS_PATTERN = /\)\s*\(\s*!|&\s*\(\s*!|\|\s*\(\s*!/;
946
993
  function detectLdapInjection(input) {
947
994
  if (typeof input !== "string") return false;
948
- return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input);
995
+ return LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input) || LDAP_WILDCARD_VALUE_PATTERN.test(input) || LDAP_NUL_PATTERN.test(input);
949
996
  }
950
997
 
951
998
  // src/sanitizers/xpath.ts