@blazedpath/commons 0.3.1 → 0.4.0

package/blz-security/sqlInjectionGuard.js

@@ -0,0 +1,162 @@
+const { z } = require('zod');
+module.exports = class SqlInjectionGuard {
+    constructor(logger = console) {
+        this.logger = logger;    
+        this._initialized = false;        
+    }
+
+    _initialize() {
+        if (this._initialized) return;
+        this._initialized = true;
+        const allowedPatternsEnv = process.env.blz_securityApiSanitizeAllowedSqlInputPatterns;            
+        const paramPatternsEnv = process.env.blz_securityApiSanitizeDangerousParamPatterns;
+        const sqlPatternsEnv = process.env.blz_securityApiSanitizeDangerousSqlPatterns;        
+        this.onlyLog = process.env.blz_securityApiSanitizeOnlyLog === 'true';        
+        const parseRegexArray = (input) => {
+            try {
+                if (input == undefined || input == null) return null
+                const rawList = JSON.parse(input); // must be an array of strings type ["--", "\\bselect\\b.+\\bfrom\\b"]
+                return rawList.map(pattern => new RegExp(pattern, 'i'));
+            } catch {
+                return null;
+            }
+        };
+        this.dangerousParamPatterns =
+            parseRegexArray(paramPatternsEnv) || [
+                /--/i,
+                /\/\*/i,
+                /\*\//i,
+                /\bor\b\s+\w+\s*=/i,
+                /\bor\b\s+.*?=.*?/i,
+                /\bor\b\s+'.*?'\s*=\s*'.*?'/i,                
+                /\bor\b\s+\w+\s*like/i,
+                /\band\b\s+\w+\s*=/i,
+                /\band\b\s+\w+\s*like/i,
+                /\bselect\b[\s\S]+?\bfrom\b/i,
+                /\bunion\s+select\b/i,
+                /\bdrop\s+table\b/i,
+                /\binsert\s+into\b/i,
+                /\bupdate\b\s+\w+\s+\bset\b[\s\S]*?=/i,
+                /\bdelete\s+from\b/i,
+                /\bpg_sleep\s*\(/i,
+                /\bdbms_lock\.sleep\s*\(/i,
+                /\bexec\s*\(/i,
+                /\bexecute\s*\(/i
+            ];
+
+        this.dangerousSqlPatterns =
+            parseRegexArray(sqlPatternsEnv) || [
+                /;\s*drop\b/i,
+                /;\s*truncate\b/i,
+                /\bpg_sleep\s*\(/i,
+                /\bdbms_lock\.sleep\s*\(/i,
+                /\bexec(ute)?\s*(\(|\s)/i,
+                /\binformation_schema\b/i,
+                /\bpg_catalog\b/i,
+            ];
+        
+        this.allowedInputPatterns =
+            parseRegexArray(allowedPatternsEnv) || [
+                new RegExp('^[^<>]*<$', 'i'),
+                new RegExp('^>[^<>]*$', 'i')
+            ]; 
+            
+        
+        // Define a schema for each param object
+        this.paramSchema = z.object({
+            name: z.string(),
+            value: z.any(), // value can be string, number, etc.
+        });
+
+        // Schema for the full list
+        this.paramsSchema = z.array(this.paramSchema);
+    }
+
+    isAllowedByWhitelist(value) {
+        return this.allowedInputPatterns.some(pattern => pattern.test(value));
+    }
+
+    validateParamValue(name, value) {
+        this. _initialize()
+        if (typeof value !== 'string') return;
+        const trimmed = value.trim();
+        if (this.isAllowedByWhitelist(trimmed)) return
+        // Always check for dangerous SQL injection patterns
+        for (const pattern of this.dangerousParamPatterns) {            
+            if (pattern.test(trimmed)) {
+                const message = `Potential SQL injection in parameter "${name}": ${value}`;
+                if (this.onlyLog) {
+                    this.logger?.warn?.(`[SQLInjectionGuard] ${message}`);
+                } else {
+                    const err = new Error('Potential SQL injection');
+                    err.code = 'SQLInjection';
+                    err.data = message;
+                    throw err;
+                }
+            }
+        }
+    }
+   
+    validateParamList(params) {
+        this. _initialize()
+        this.paramsSchema.parse(params); // Validate structure with Zod
+        for (const param of params) {
+            this.validateParamValue(param.name, param.value);
+        }
+        return params;
+    }
+
+    validateRawSql(sql) {
+        this. _initialize()
+        if (typeof sql !== 'string') return false;
+        for (const pattern of this.dangerousSqlPatterns) {
+            if (pattern.test(sql.toLowerCase())) {
+                const message = `Potential SQL injection in "${sql}" pattern:${pattern}`;
+                if (this.onlyLog) {
+                    this.logger.warn(`[SQLInjectionGuard] ${message}`);
+                } else {
+                    const err = new Error('Potential SQL injection');
+                    err.code = 'SQLInjection';
+                    err.data = message;
+                    throw err;
+                }
+            }
+        }
+        return sql
+    }
+
+    validateObject(obj) {
+        this. _initialize()
+        const checkValue = (value) => {
+            if (typeof value === 'string') {
+                const trimmed = value.trim();
+                if (!this.isAllowedByWhitelist(trimmed)) {
+                    for (const pattern of this.dangerousParamPatterns) {
+                        if (pattern.test(trimmed)) {
+                            const message = `Value "${value}" violates SQL injection policy.`;
+                            if (this.onlyLog) {
+                                this.logger.warn(`[SQLInjectionGuard] ${message}`);
+                            } else {
+                                const err = new Error('Potential SQL injection');
+                                err.code = 'BadRequest';
+                                err.data = message;
+                                throw err;
+                            }
+                        }
+                    }
+                }
+            } else if (Array.isArray(value)) {
+                for (const item of value) checkValue(item);
+            } else if (typeof value === 'object' && value !== null) {
+                for (const key in value) {
+                    if (Object.hasOwn(value, key)) {
+                        checkValue(value[key]);
+                    }
+                }
+            }
+        };
+
+        checkValue(obj);
+        return obj;
+    }
+}

package/blz-security/templates/session-iframe-azure-ad.html

@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+  <body>
+    <div>sessionIframe</div>
+    <script src="/session-check-azuread.js"></script>
+  </body>
+</html>

package/blz-security/templates/session-iframe.html

@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<html>
+  <body onload="javascript:startChecking()">
+    <iframe id="iframeOP" title="Session Iframe" src="{{sessionIframeUrl}}" style="display: none"></iframe>
+  </body>
+  <script>
+    let targetRP = new URL('{{sessionIframeUrl}}');
+    let previousState = '';
+
+    function startChecking() {
+      previousState = getCookieValue('{{sessionCookiesPrefix}}session_state');
+      setInterval(checkStatus, 15e3);
+      setInterval(checkSessionStatus, 15e3);
+    }
+    async function checkSessionStatus() {
+      try {
+        const response = await fetch('/check-session', {
+          method: 'GET',
+          credentials: 'include' // Include cookies in the request
+        });
+        const data = await response.json();
+        if (data.expired) {
+          if (data.redirectUrl) {
+            parent.location.href = data.redirectUrl; // redirect sentence
+          } else {
+            parent.location.reload(); // Reload the parent page instead of just the iframe
+          }
+        }
+      } catch (error) {
+        console.error('Error validating token:', error);
+        // Optionally handle the error
+      }
+    }
+    function getCookieValue(cookieName) {
+      let name = cookieName + '=';
+      let cookies = document.cookie.split(';');
+      if (!cookies) {
+        return null;
+      }
+      for (let i = 0; i < cookies.length; i++) {
+        let cookie = cookies[i].trim();
+        if (cookie.indexOf(name) == 0) {
+          return cookie.substring(name.length, cookie.length);
+        }
+      }
+      return null;
+    }
+
+    function checkStatus() {
+      let client = '{{clientId}}';
+      const prefix = '{{sessionCookiesPrefix}}'
+      let sessionState = getCookieValue(prefix + 'session_state');
+      let message = client + ' ' + sessionState;
+      const iframe = document.getElementById('iframeOP');
+      iframe.contentWindow.postMessage(message, '{{sessionIframeUrl}}');
+      //window.frames['iframeOP'].contentWindow.postMessage(message, '{{sessionIframeUrl}}');
+    }
+
+    window.addEventListener('message', receiveMessage, false);
+
+    function receiveMessage(event) {
+      if (event.origin !== targetRP.origin) return;
+      // To avoid endless reloads, only do a reload when the session state changed
+      let currentState = getCookieValue('{{sessionCookiesPrefix}}session_state');
+
+      if (event.data === 'changed' && previousState !== currentState) {
+        previousState = currentState;
+        document.cookie = 'session_state' + '=; Max-Age=0; SameSite=None; Secure';
+        parent.location.reload();
+      }
+    }
+  </script>
+</html>

package/blz-security/templates/unauthorized.html

@@ -0,0 +1 @@
+

package/blz-security/xssGuard.js

@@ -0,0 +1,87 @@
+const { JSDOM } = require('jsdom');
+const createDOMPurify = require('dompurify');
+
+module.exports = class XssGuard {
+    constructor(logger = console) {
+        this.logger = logger;
+        const window = new JSDOM('').window;
+        this.DOMPurify = createDOMPurify(window);
+        this.sanitizeOptions = {
+            ALLOWED_TAGS: [], // Does not allow any HTML tags
+            ALLOWED_ATTR: []  // No attributes
+        };
+    }
+
+    isZipString(str) {
+       return  str.startsWith('PK\x03\x04');
+    }
+
+    isAllowedBlocklyXml(str) {
+        const blocklyPatterns = [
+            /^<xml[\s\S]*<\/xml>$/i,
+            /^<block[\s\S]*<\/block>$/i,
+            /^<field name="[\w\-:]+">[\s\S]*<\/field>$/i,
+            /^<value name="[\w\-:]+">[\s\S]*<\/value>$/i
+        ];
+        return blocklyPatterns.some((re) => re.test(str));
+    }
+
+    sanitizeObject(obj) {
+        const sanitizeValue = (value, path = '') => {
+            if (value === null)
+			    return null;
+            if (value === undefined )
+                return undefined
+
+		    const valueType = toString.call(value);	
+            if (valueType === '[object String]') {
+
+                if(this.isZipString(value)){
+                    return value
+                }
+
+                let decoded;
+                try {
+                    decoded = decodeURIComponent(value);
+                } catch {
+                    decoded = value;
+                }
+                const trimmed = decoded.trim();
+                // ⚠️ Skip DOMPurify for valid Blockly XML
+                if (this.isAllowedBlocklyXml(trimmed)) {
+                    return trimmed;
+                }
+
+
+                const cleaned = this.DOMPurify.sanitize(trimmed, this.sanitizeOptions);
+
+                if (cleaned !== trimmed) {
+                    const message = `Sanitized input at path "${path}". Original: "${trimmed}", Cleaned: "${cleaned}".`;
+                    this.logger.warn(message);
+                }
+                return cleaned;
+            } else if (valueType === '[object Number]') {
+                return value
+            } else if (valueType === '[object Boolean]') {
+                return value
+            } else if (valueType === '[object Date]') {
+                return value
+            } else if (valueType === '[object Object]' && value.type === 'Buffer' && value.data) {
+                return value             
+            } else if (Array.isArray(value)) {
+                return value.map((item, index) => sanitizeValue(item, `${path}[${index}]`));
+            } else if (typeof value === 'object' && value !== null) {
+                const sanitizedObj = {};
+                for (const key in value) {
+                    if (Object.hasOwn(value, key)) {
+                        const childPath = path ? `${path}.${key}` : key;
+                        sanitizedObj[key] = sanitizeValue(value[key], childPath);
+                    }
+                }
+                return sanitizedObj;
+            }
+            return value;
+        };
+        return sanitizeValue(obj);
+    }
+};

package/blz-strings/index.js

@@ -0,0 +1,167 @@
+module.exports = {
+    _internal_: {
+        htmlUnescapes: {
+            '&': '&',
+            '&lt;': '<',
+            '&gt;': '>',
+            '&quot;': '"',
+            '&#39;': "'"
+        },
+        reEscapedHtml: /&(?:amp|lt|gt|quot|#(0+)?39);/g,
+        reHasEscapedHtml: RegExp('&(?:amp|lt|gt|quot|#(0+)?39);'),
+        htmlEscapes: {
+            '&': '&amp;',
+            '<': '&lt;',
+            '>': '&gt;',
+            '"': '&quot;',
+            "'": '&#39;'
+        },
+        reUnescapedHtml: /[&<>"']/g,
+        reHasUnescapedHtml: RegExp(`[&<>"']`),
+    },
+    concat: function () {
+        let result = '';
+        for (let i = 0; i < arguments.length; i++) {
+            let argument = arguments[i];
+            if (argument !== null)
+                result += argument;
+        }
+        return result;
+    },
+    contains: function (target, value) {
+        if (target === null || target === undefined)
+            return false;
+        if (value === null || value === undefined)
+            return false;
+        return target.indexOf(value) !== -1;
+    },
+    endsWith: function (target, value) {
+        if (target === null || target === undefined)
+            return false;
+        if (value === null || value === undefined)
+            return false;
+        return target.substring(target.length - value.length, target.length) === value;
+    },
+    escapeHtml: function (value) {
+        return (value && this._internal_.reHasUnescapedHtml.test(value))
+            ? value.replace(this._internal_.reUnescapedHtml, (chr) => this._internal_.htmlEscapes[chr])
+            : (value || '')
+    },
+    indexOf: function (target, value) {
+        if (target === null || target === undefined)
+            return -1;
+        if (value === null || value === undefined)
+            return -1;
+        return target.indexOf(value);
+    },
+    isNullOrEmpty: function (target) {
+        if (target === null || target === undefined)
+            return true;
+        return (target === '');
+    },
+    isNullOrWhiteSpace: function (target) {
+        if (target === null || target === undefined)
+            return true;
+        return (target === '' || target.replace(/\s/g, '').length < 1);
+    },
+    join: function (target, delimiter) {
+        if (target === null || target === undefined)
+            return null;
+        if (delimiter)
+            return target.join(delimiter);
+        else
+            return target.join('');
+    },
+    lastIndexOf: function (target, value) {
+        if (target === null || target === undefined)
+            return -1;
+        if (value === null || value === undefined)
+            return -1;
+        return target.lastIndexOf(value);
+    },
+    length: function (target) {
+        if (target === null || target === undefined)
+            return 0;
+        return target.length;
+    },
+    padLeft: function (target, totalWidth, padding) {
+        if (target === null || target === undefined)
+            return null;
+        if (totalWidth === null || totalWidth === undefined)
+            return target;
+        if (padding)
+            return target.padStart(totalWidth, padding);
+        else
+            return target.padStart(totalWidth);
+    },
+    padRight: function (target, totalWidth, padding) {
+        if (target === null || target === undefined)
+            return null;
+        if (totalWidth === null || totalWidth === undefined)
+            return target;
+        if (padding)
+            return target.padEnd(totalWidth, padding);
+        else
+            return target.padEnd(totalWidth);
+    },
+    replace: function (target, oldValue, newValue) {
+        if (target === null || target === undefined)
+            return null;
+        if (oldValue === null || oldValue === undefined)
+            return target;
+        if (newValue === null || newValue === undefined)
+            return target;
+        return target.replace(new RegExp(oldValue, 'g'), newValue);
+    },
+    split: function (target, delimiter) {
+        if (target === null || target === undefined)
+            return [];
+        return target.split(delimiter);
+    },
+    startsWith: function (target, value) {
+        if (target === null || target === undefined)
+            return false;
+        if (value === null || value === undefined)
+            return false;
+        return target.substring(0, value.length) === value;
+    },
+    substring: function (target, startIndex, length) {
+        if (target === null || target === undefined)
+            return null;
+        if (startIndex === null || startIndex === undefined)
+            return null;
+        if (length === null || length === undefined)
+            return null;
+        return target.substring(startIndex, startIndex + length);
+    },
+    toLower: function (target) {
+        if (target === null || target === undefined)
+            return null;
+        return target.toLowerCase();
+    },
+    toUpper: function (target) {
+        if (target === null || target === undefined)
+            return null;
+        return target.toUpperCase();
+    },
+    trim: function (target) {
+        if (target === null || target === undefined)
+            return null;
+        return target.trim();
+    },
+    trimEnd: function (target) {
+        if (target === null || target === undefined)
+            return null;
+        return target.trimEnd();
+    },
+    trimStart: function (target) {
+        if (target === null || target === undefined)
+            return null;
+        return target.trimStart();
+    },
+    unescapeHtml: function (value) {
+        return (value && this._internal_.reHasEscapedHtml.test(value))
+            ? value.replace(this._internal_.reEscapedHtml, (entity) => (this._internal_.htmlUnescapes[entity] || "'"))
+            : (value || '')
+    },
+};

package/blz-uuid/index.js

@@ -0,0 +1,7 @@
+const Uuid = require('uuid');
+
+module.exports = {
+    uuid: function () {
+        return Uuid.v4();
+    }
+};

package/blz-yaml/index.js

@@ -0,0 +1,19 @@
+const jsyaml = require('js-yaml')
+
+module.exports = {
+    yamlParse: function (value) {
+        if (value === undefined)
+            throw new Error('value undefined')
+        if (value === null)
+            return null
+        return jsyaml.load(value)
+    },
+    yamlStringify: function (value) {
+        if (value === undefined)
+            throw new Error('value undefined')
+        if (value === null)
+            return null
+        else
+            return jsyaml.dump(value)
+    },
+};

package/index.js

@@ -0,0 +1,84 @@
+const BlzBase = require('./blz-base');
+const BlzConfig = require('./blz-config');
+const BlzSecurity = require('./blz-security');
+const FileScanner = require('./blz-security/filescanner/index.js');
+const ProcessManagers = require('./process-managers');
+const { Exception } = require('./blz-security/helpers/utils');
+const BlzCache = require('./blz-cache');
+const BlzCore = require('./blz-core');
+const BlzCryptography = require('./blz-cryptography');
+const BlzDatetimes = require('./blz-datetimes');
+const BlzFile = require('./blz-file');
+const BlzHazelcast = require('./blz-hazelcast');
+const BlzIterable = require('./blz-iterable');
+const BlzJsonSchema = require('./blz-json-schema');
+const BlzJwt = require('./blz-jwt');
+const BlzKafka = require('./blz-kafka');
+const BlzMath = require('./blz-math');
+const BlzMongodb = require('./blz-mongodb');
+// const BlzProcesses = require('./blz-processes');
+const BlzRds = require('./blz-rds');
+const BlzRdsMysql = require('./blz-rds-mysql');
+const BlzRdsMysqlx = require('./blz-rds-mysqlx');
+const BlzRdsOracle = require('./blz-rds-oracle');
+const BlzRdsPostgres = require('./blz-rds-postgres');
+const BlzRedis = require('./blz-redis');
+const BlzRegex = require('./blz-regex');
+const BlzStrings = require('./blz-strings/index.js');
+const BlzUuid = require('./blz-uuid');
+const BlzYaml = require('./blz-yaml');
+const { getHealthStatus } = require('./blz-base/health/index.js');
+
+const rdsProvider = function(providerName){
+  return require('./blz-rds-' + providerName.toLowerCase() + '/index.js')
+}
+const getModulesNames = () => {
+  return [
+    'blz-base', 'blz-cache', 'blz-config', 'blz-core',
+    'blz-cryptography', 'blz-datetimes', 'blz-file',
+    'blz-hazelcast', 'blz-iterable', 'blz-json-schema',
+    'blz-jwt', 'blz-kafka', 'blz-math', 'blz-mongodb',
+    'blz-rds', 'blz-rds-mysql', 'blz-rds-mysqlx', 'blz-rds-oracle',
+    'blz-rds-postgres', 'blz-redis', 'blz-regex', 'blz-security',
+    'blz-strings', 'blz-uuid', 'blz-yaml'
+  ];
+}
+const getVersion = () => {
+  const pkg = require('./package.json');
+  return pkg.version || 'unknown';
+}
+module.exports = {
+  BlzBase,
+  BlzConfig,
+  BlzSecurity,
+  ProcessManagers,
+  Exception,
+  BlzCache,
+  BlzCore,
+  BlzCryptography,
+  BlzDatetimes,
+  BlzFile,
+  BlzHazelcast,
+  BlzIterable,
+  BlzJsonSchema,
+  BlzJwt,
+  BlzKafka,
+  BlzMath,
+  BlzMongodb,
+  // BlzProcesses,
+  BlzRds,
+  BlzRdsMysql,
+  BlzRdsMysqlx,
+  BlzRdsOracle,
+  BlzRdsPostgres,
+  BlzRedis,
+  BlzRegex,
+  BlzStrings,
+  BlzUuid,
+  BlzYaml,
+  getHealthStatus,
+  FileScanner,
+  rdsProvider,
+  getModulesNames,
+  getVersion
+};