@arcis/node 1.6.4 → 1.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. package/dist/astro/index.js.map +1 -1
  2. package/dist/astro/index.mjs.map +1 -1
  3. package/dist/bun/index.js.map +1 -1
  4. package/dist/bun/index.mjs.map +1 -1
  5. package/dist/core/constants.d.ts +1 -1
  6. package/dist/core/constants.d.ts.map +1 -1
  7. package/dist/core/index.js +51 -5
  8. package/dist/core/index.js.map +1 -1
  9. package/dist/core/index.mjs +51 -5
  10. package/dist/core/index.mjs.map +1 -1
  11. package/dist/fastify/index.js.map +1 -1
  12. package/dist/fastify/index.mjs.map +1 -1
  13. package/dist/hono/index.js.map +1 -1
  14. package/dist/hono/index.mjs.map +1 -1
  15. package/dist/index.js +54 -7
  16. package/dist/index.js.map +1 -1
  17. package/dist/index.mjs +54 -7
  18. package/dist/index.mjs.map +1 -1
  19. package/dist/koa/index.js.map +1 -1
  20. package/dist/koa/index.mjs.map +1 -1
  21. package/dist/logging/index.js.map +1 -1
  22. package/dist/logging/index.mjs.map +1 -1
  23. package/dist/middleware/index.js +54 -7
  24. package/dist/middleware/index.js.map +1 -1
  25. package/dist/middleware/index.mjs +54 -7
  26. package/dist/middleware/index.mjs.map +1 -1
  27. package/dist/nestjs/index.js +54 -7
  28. package/dist/nestjs/index.js.map +1 -1
  29. package/dist/nestjs/index.mjs +54 -7
  30. package/dist/nestjs/index.mjs.map +1 -1
  31. package/dist/nextjs/index.js.map +1 -1
  32. package/dist/nextjs/index.mjs.map +1 -1
  33. package/dist/nuxt/index.js.map +1 -1
  34. package/dist/nuxt/index.mjs.map +1 -1
  35. package/dist/sanitizers/index.js +54 -7
  36. package/dist/sanitizers/index.js.map +1 -1
  37. package/dist/sanitizers/index.mjs +54 -7
  38. package/dist/sanitizers/index.mjs.map +1 -1
  39. package/dist/sanitizers/ldap.d.ts +13 -1
  40. package/dist/sanitizers/ldap.d.ts.map +1 -1
  41. package/dist/stores/index.js.map +1 -1
  42. package/dist/stores/index.mjs.map +1 -1
  43. package/dist/sveltekit/index.js.map +1 -1
  44. package/dist/sveltekit/index.mjs.map +1 -1
  45. package/dist/validation/index.js +51 -5
  46. package/dist/validation/index.js.map +1 -1
  47. package/dist/validation/index.mjs +51 -5
  48. package/dist/validation/index.mjs.map +1 -1
  49. package/package.json +6 -6
package/dist/validation/index.mjs CHANGED
@@ -44,10 +44,37 @@ var XSS_REMOVE_PATTERNS = [
44
44
  /<link[\s>][^>]*/gi
45
45
  ];
46
46
  var SQL_PATTERNS = [
47
- /** SQL keywords */
48
- /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\b)/gi,
49
- /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */
50
- /(--|\/\*|\*\/|#)/g,
47
+ /**
48
+ * Multi-token SQL attack shapes that never appear in normal English.
49
+ * Replaces the older bare-keyword pattern `\b(SELECT|INSERT|...)\b`
50
+ * which false-positived on natural language ("please select an option",
51
+ * "I'll update you tomorrow", "delete this file"). Each shape below
52
+ * is a token combination that real attackers use and benign users
53
+ * essentially never type. Matches `sqli-keywords` in
54
+ * packages/core/patterns.json. Benchmark FP class B3, 2026-06-07.
55
+ *
56
+ * Catches:
57
+ * UNION SELECT / UNION ALL SELECT (data exfiltration)
58
+ * DROP|TRUNCATE TABLE|DATABASE|INDEX|... (DDL destruction)
59
+ * INTO OUTFILE / INTO DUMPFILE (MySQL file write RCE)
60
+ * ATTACH DATABASE (SQLite hijack)
61
+ * CREATE USER|FUNCTION|TRIGGER|PROCEDURE (privilege escalation)
62
+ * GRANT ALL|SELECT|INSERT|... (privilege grant)
63
+ * xp_cmdshell / sp_executesql (SQL Server RCE)
64
+ * SHUTDOWN (DoS)
65
+ */
66
+ /(\bUNION\s+(?:ALL\s+)?SELECT\b)|(\b(?:DROP|TRUNCATE)\s+(?:TABLE|DATABASE|INDEX|VIEW|SCHEMA)\b)|(\bINTO\s+(?:OUTFILE|DUMPFILE)\b)|(\bATTACH\s+DATABASE\b)|(\bCREATE\s+(?:USER|FUNCTION|TRIGGER|PROCEDURE)\b)|(\bGRANT\s+(?:ALL|SELECT|INSERT|UPDATE|DELETE)\b)|(\bSHUTDOWN\b)|(\bxp_cmdshell\b)|(\bsp_executesql\b)/gi,
67
+ /**
68
+ * SQL comments: ANSI (--), C-style (slash-star ... star-slash).
69
+ * MySQL `#` line comment intentionally excluded: a bare `#` matches
70
+ * every hex color (#FF5300), hashtag (#trending), issue ref (#123),
71
+ * markdown heading (# Title). Real `admin' #`-style injections are
72
+ * already caught by the quote/semicolon + keyword/boolean patterns
73
+ * below — `#` adds nothing as a primary signal and a lot of FP noise.
74
+ * Matches `sqli-comments` rule in packages/core/patterns.json (which
75
+ * also excludes `#`). Benchmark FP class B1, found 2026-06-07.
76
+ */
77
+ /(--|\/\*|\*\/)/g,
51
78
  /** SQL statement separators */
52
79
  /(;|\|\||&&)/g,
53
80
  /** Boolean injection: OR 1=1 */
@@ -99,7 +126,26 @@ var PATH_PATTERNS = [
99
126
  /** Dotdotslash bypass: ....// or ....\\ */
100
127
  /\.{2,}[/\\]{2,}/g,
101
128
  /** Null byte injection in paths */
102
- /\0/g
129
+ /\0/g,
130
+ /**
131
+ * Mixed encoding: literal `..` + URL-encoded slash (`..%2F`).
132
+ * Existed in old Node SQL_PATTERNS history; restated explicitly here
133
+ * for parity with patterns.json `path-mixed-encoded`. Benchmark B6.
134
+ */
135
+ /\.\.%2[fF]/g,
136
+ /**
137
+ * Overlong UTF-8 encoding of `.` (`%C0%AE`). Historic IIS/Apache
138
+ * decoder bypass — legitimate `.` is always `%2E`; overlong-form
139
+ * encoding only appears in evasion attempts. Benchmark B6 gap that
140
+ * neither SDK caught before 2026-06-07.
141
+ */
142
+ /%[Cc]0%[Aa][Ee]/g,
143
+ /**
144
+ * Windows UNC paths (`\\server\share`) in user input. Legitimate
145
+ * web-app inputs never contain UNC references; attacker UNC
146
+ * payloads leak SMB auth or pull remote payloads. Benchmark B6.
147
+ */
148
+ /\\\\[A-Za-z0-9_.-]+\\/g
103
149
  ];
104
150
  var COMMAND_PATTERNS = [
105
151
  /**