@arcis/node 1.6.4 → 1.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. package/dist/astro/index.js.map +1 -1
  2. package/dist/astro/index.mjs.map +1 -1
  3. package/dist/bun/index.js.map +1 -1
  4. package/dist/bun/index.mjs.map +1 -1
  5. package/dist/core/constants.d.ts +1 -1
  6. package/dist/core/constants.d.ts.map +1 -1
  7. package/dist/core/index.js +51 -5
  8. package/dist/core/index.js.map +1 -1
  9. package/dist/core/index.mjs +51 -5
  10. package/dist/core/index.mjs.map +1 -1
  11. package/dist/fastify/index.js.map +1 -1
  12. package/dist/fastify/index.mjs.map +1 -1
  13. package/dist/hono/index.js.map +1 -1
  14. package/dist/hono/index.mjs.map +1 -1
  15. package/dist/index.js +54 -7
  16. package/dist/index.js.map +1 -1
  17. package/dist/index.mjs +54 -7
  18. package/dist/index.mjs.map +1 -1
  19. package/dist/koa/index.js.map +1 -1
  20. package/dist/koa/index.mjs.map +1 -1
  21. package/dist/logging/index.js.map +1 -1
  22. package/dist/logging/index.mjs.map +1 -1
  23. package/dist/middleware/index.js +54 -7
  24. package/dist/middleware/index.js.map +1 -1
  25. package/dist/middleware/index.mjs +54 -7
  26. package/dist/middleware/index.mjs.map +1 -1
  27. package/dist/nestjs/index.js +54 -7
  28. package/dist/nestjs/index.js.map +1 -1
  29. package/dist/nestjs/index.mjs +54 -7
  30. package/dist/nestjs/index.mjs.map +1 -1
  31. package/dist/nextjs/index.js.map +1 -1
  32. package/dist/nextjs/index.mjs.map +1 -1
  33. package/dist/nuxt/index.js.map +1 -1
  34. package/dist/nuxt/index.mjs.map +1 -1
  35. package/dist/sanitizers/index.js +54 -7
  36. package/dist/sanitizers/index.js.map +1 -1
  37. package/dist/sanitizers/index.mjs +54 -7
  38. package/dist/sanitizers/index.mjs.map +1 -1
  39. package/dist/sanitizers/ldap.d.ts +13 -1
  40. package/dist/sanitizers/ldap.d.ts.map +1 -1
  41. package/dist/stores/index.js.map +1 -1
  42. package/dist/stores/index.mjs.map +1 -1
  43. package/dist/sveltekit/index.js.map +1 -1
  44. package/dist/sveltekit/index.mjs.map +1 -1
  45. package/dist/validation/index.js +51 -5
  46. package/dist/validation/index.js.map +1 -1
  47. package/dist/validation/index.mjs +51 -5
  48. package/dist/validation/index.mjs.map +1 -1
  49. package/package.json +6 -6
package/dist/sanitizers/index.js CHANGED
@@ -79,10 +79,37 @@ var XSS_REMOVE_PATTERNS = [
79
79
  /<link[\s>][^>]*/gi
80
80
  ];
81
81
  var SQL_PATTERNS = [
82
- /** SQL keywords */
83
- /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\b)/gi,
84
- /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */
85
- /(--|\/\*|\*\/|#)/g,
82
+ /**
83
+ * Multi-token SQL attack shapes that never appear in normal English.
84
+ * Replaces the older bare-keyword pattern `\b(SELECT|INSERT|...)\b`
85
+ * which false-positived on natural language ("please select an option",
86
+ * "I'll update you tomorrow", "delete this file"). Each shape below
87
+ * is a token combination that real attackers use and benign users
88
+ * essentially never type. Matches `sqli-keywords` in
89
+ * packages/core/patterns.json. Benchmark FP class B3, 2026-06-07.
90
+ *
91
+ * Catches:
92
+ * UNION SELECT / UNION ALL SELECT (data exfiltration)
93
+ * DROP|TRUNCATE TABLE|DATABASE|INDEX|... (DDL destruction)
94
+ * INTO OUTFILE / INTO DUMPFILE (MySQL file write RCE)
95
+ * ATTACH DATABASE (SQLite hijack)
96
+ * CREATE USER|FUNCTION|TRIGGER|PROCEDURE (privilege escalation)
97
+ * GRANT ALL|SELECT|INSERT|... (privilege grant)
98
+ * xp_cmdshell / sp_executesql (SQL Server RCE)
99
+ * SHUTDOWN (DoS)
100
+ */
101
+ /(\bUNION\s+(?:ALL\s+)?SELECT\b)|(\b(?:DROP|TRUNCATE)\s+(?:TABLE|DATABASE|INDEX|VIEW|SCHEMA)\b)|(\bINTO\s+(?:OUTFILE|DUMPFILE)\b)|(\bATTACH\s+DATABASE\b)|(\bCREATE\s+(?:USER|FUNCTION|TRIGGER|PROCEDURE)\b)|(\bGRANT\s+(?:ALL|SELECT|INSERT|UPDATE|DELETE)\b)|(\bSHUTDOWN\b)|(\bxp_cmdshell\b)|(\bsp_executesql\b)/gi,
102
+ /**
103
+ * SQL comments: ANSI (--), C-style (slash-star ... star-slash).
104
+ * MySQL `#` line comment intentionally excluded: a bare `#` matches
105
+ * every hex color (#FF5300), hashtag (#trending), issue ref (#123),
106
+ * markdown heading (# Title). Real `admin' #`-style injections are
107
+ * already caught by the quote/semicolon + keyword/boolean patterns
108
+ * below — `#` adds nothing as a primary signal and a lot of FP noise.
109
+ * Matches `sqli-comments` rule in packages/core/patterns.json (which
110
+ * also excludes `#`). Benchmark FP class B1, found 2026-06-07.
111
+ */
112
+ /(--|\/\*|\*\/)/g,
86
113
  /** SQL statement separators */
87
114
  /(;|\|\||&&)/g,
88
115
  /** Boolean injection: OR 1=1 */
@@ -134,7 +161,26 @@ var PATH_PATTERNS = [
134
161
  /** Dotdotslash bypass: ....// or ....\\ */
135
162
  /\.{2,}[/\\]{2,}/g,
136
163
  /** Null byte injection in paths */
137
- /\0/g
164
+ /\0/g,
165
+ /**
166
+ * Mixed encoding: literal `..` + URL-encoded slash (`..%2F`).
167
+ * Existed in old Node SQL_PATTERNS history; restated explicitly here
168
+ * for parity with patterns.json `path-mixed-encoded`. Benchmark B6.
169
+ */
170
+ /\.\.%2[fF]/g,
171
+ /**
172
+ * Overlong UTF-8 encoding of `.` (`%C0%AE`). Historic IIS/Apache
173
+ * decoder bypass — legitimate `.` is always `%2E`; overlong-form
174
+ * encoding only appears in evasion attempts. Benchmark B6 gap that
175
+ * neither SDK caught before 2026-06-07.
176
+ */
177
+ /%[Cc]0%[Aa][Ee]/g,
178
+ /**
179
+ * Windows UNC paths (`\\server\share`) in user input. Legitimate
180
+ * web-app inputs never contain UNC references; attacker UNC
181
+ * payloads leak SMB auth or pull remote payloads. Benchmark B6.
182
+ */
183
+ /\\\\[A-Za-z0-9_.-]+\\/g
138
184
  ];
139
185
  var COMMAND_PATTERNS = [
140
186
  /**
@@ -614,7 +660,8 @@ function detectXxe(input) {
614
660
  // src/sanitizers/ldap.ts
615
661
  var LDAP_FILTER_CHARS = /[*()\\\x00]/g;
616
662
  var LDAP_DN_CHARS = /[,+<>;"=\/\\\x00*()\x00]/g;
617
- var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
663
+ var LDAP_WILDCARD_VALUE_PATTERN = /=\s*\*/;
664
+ var LDAP_NUL_PATTERN = /\x00/;
618
665
  var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
619
666
  var LDAP_NOT_BYPASS_PATTERN = /\)\s*\(\s*!|&\s*\(\s*!|\|\s*\(\s*!/;
620
667
  var escapeChar = (char) => "\\" + char.charCodeAt(0).toString(16).padStart(2, "0");
@@ -628,7 +675,7 @@ function sanitizeLdapDn(input) {
628
675
  }
629
676
  function detectLdapInjection(input) {
630
677
  if (typeof input !== "string") return false;
631
- return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input);
678
+ return LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input) || LDAP_WILDCARD_VALUE_PATTERN.test(input) || LDAP_NUL_PATTERN.test(input);
632
679
  }
633
680
 
634
681
  // src/sanitizers/xpath.ts