@defai.digital/ax-cli 3.5.2 → 3.6.0

package/dist/utils/input-sanitizer.d.ts

@@ -0,0 +1,210 @@
+/**
+ * Input Sanitization Framework (REQ-SEC-007)
+ *
+ * Provides comprehensive input validation and sanitization to prevent:
+ * - ReDoS (Regular Expression Denial of Service)
+ * - Command injection
+ * - Path traversal
+ * - Unicode attacks
+ * - Buffer overflow
+ *
+ * Security: CVSS 7.3 (High Priority)
+ */
+/**
+ * Sanitization result with validation and cleaned value
+ */
+export interface SanitizationResult {
+    /**
+     * Whether the input passed validation
+     */
+    valid: boolean;
+    /**
+     * Sanitized/cleaned value (only if valid)
+     */
+    value?: string;
+    /**
+     * Error message if validation failed
+     */
+    error?: string;
+    /**
+     * Warning messages (non-fatal issues)
+     */
+    warnings?: string[];
+}
+/**
+ * Configuration for input sanitization
+ */
+export interface SanitizerOptions {
+    /**
+     * Maximum allowed length (default: 10,000 characters)
+     */
+    maxLength?: number;
+    /**
+     * Whether to normalize Unicode (default: true)
+     */
+    normalizeUnicode?: boolean;
+    /**
+     * Character whitelist pattern (regex)
+     */
+    allowedPattern?: RegExp;
+    /**
+     * Whether to trim whitespace (default: true)
+     */
+    trim?: boolean;
+    /**
+     * Whether to allow empty strings (default: false)
+     */
+    allowEmpty?: boolean;
+}
+/**
+ * Default maximum input lengths for different contexts
+ */
+export declare const MAX_INPUT_LENGTHS: {
+    readonly COMMAND: 10000;
+    readonly FILE_PATH: 4096;
+    readonly USER_INPUT: 50000;
+    readonly SEARCH_QUERY: 1000;
+    readonly ENV_VALUE: 10000;
+    readonly CONFIG_VALUE: 10000;
+};
+/**
+ * Safe characters for different contexts
+ */
+export declare const SAFE_PATTERNS: {
+    /**
+     * Alphanumeric, spaces, and common punctuation
+     */
+    readonly BASIC: RegExp;
+    /**
+     * Safe for file paths (no directory traversal)
+     */
+    readonly FILE_PATH: RegExp;
+    /**
+     * Safe for environment variable values
+     */
+    readonly ENV_VALUE: RegExp;
+    /**
+     * Printable ASCII only (most restrictive)
+     */
+    readonly ASCII_PRINTABLE: RegExp;
+};
+/**
+ * Normalize Unicode string to prevent homograph attacks
+ *
+ * Uses NFC (Canonical Decomposition, followed by Canonical Composition)
+ * which is the recommended normalization form for most use cases
+ *
+ * @param input - String to normalize
+ * @returns Normalized string
+ */
+export declare function normalizeUnicode(input: string): string;
+/**
+ * Check for dangerous patterns in input
+ *
+ * @param input - String to check
+ * @returns Array of detected dangerous patterns
+ */
+export declare function detectDangerousPatterns(input: string): string[];
+/**
+ * Sanitize general user input with configurable options
+ *
+ * @param input - Raw input string
+ * @param options - Sanitization options
+ * @returns Sanitization result
+ *
+ * @example
+ * ```typescript
+ * const result = sanitizeInput('User input here', {
+ *   maxLength: 1000,
+ *   normalizeUnicode: true,
+ *   allowedPattern: SAFE_PATTERNS.BASIC,
+ * });
+ *
+ * if (result.valid) {
+ *   // Use result.value safely
+ * } else {
+ *   console.error(result.error);
+ * }
+ * ```
+ */
+export declare function sanitizeInput(input: string, options?: SanitizerOptions): SanitizationResult;
+/**
+ * Sanitize file path input to prevent path traversal
+ *
+ * @param path - File path to sanitize
+ * @returns Sanitization result
+ *
+ * @example
+ * ```typescript
+ * const result = sanitizeFilePath('../../../etc/passwd');
+ * if (!result.valid) {
+ *   console.error('Invalid path:', result.error);
+ * }
+ * ```
+ */
+export declare function sanitizeFilePath(path: string): SanitizationResult;
+/**
+ * Sanitize shell command input
+ *
+ * NOTE: This is a last line of defense. Prefer execFile over exec
+ * and use argument arrays instead of concatenating commands.
+ *
+ * @param command - Command string to sanitize
+ * @returns Sanitization result
+ *
+ * @example
+ * ```typescript
+ * const result = sanitizeCommand('ls -la');
+ * if (result.valid) {
+ *   // Still prefer execFile with args array
+ *   execFile(result.value.split(' ')[0], result.value.split(' ').slice(1));
+ * }
+ * ```
+ */
+export declare function sanitizeCommand(command: string): SanitizationResult;
+/**
+ * Sanitize search query input
+ *
+ * @param query - Search query to sanitize
+ * @returns Sanitization result
+ */
+export declare function sanitizeSearchQuery(query: string): SanitizationResult;
+/**
+ * Sanitize environment variable value
+ *
+ * @param value - Environment variable value to sanitize
+ * @returns Sanitization result
+ */
+export declare function sanitizeEnvValue(value: string): SanitizationResult;
+/**
+ * Escape shell arguments for safe execution
+ *
+ * NOTE: This is a defense-in-depth measure. Always prefer:
+ * 1. execFile with argument array over exec
+ * 2. Argument validation/whitelisting
+ * 3. This escaping function as a last resort
+ *
+ * @param arg - Argument to escape
+ * @returns Safely escaped argument
+ */
+export declare function escapeShellArg(arg: string): string;
+/**
+ * Validate regex pattern for ReDoS protection
+ *
+ * Checks for common ReDoS patterns:
+ * - Nested quantifiers (e.g., (a+)+)
+ * - Alternation with overlapping patterns
+ * - Excessive backtracking potential
+ *
+ * @param pattern - Regex pattern to validate
+ * @returns Validation result
+ *
+ * @example
+ * ```typescript
+ * const result = validateRegexPattern('(a+)+b');
+ * if (!result.valid) {
+ *   console.error('Unsafe regex:', result.error);
+ * }
+ * ```
+ */
+export declare function validateRegexPattern(pattern: string): SanitizationResult;

package/dist/utils/input-sanitizer.js

@@ -0,0 +1,362 @@
+/**
+ * Input Sanitization Framework (REQ-SEC-007)
+ *
+ * Provides comprehensive input validation and sanitization to prevent:
+ * - ReDoS (Regular Expression Denial of Service)
+ * - Command injection
+ * - Path traversal
+ * - Unicode attacks
+ * - Buffer overflow
+ *
+ * Security: CVSS 7.3 (High Priority)
+ */
+/**
+ * Default maximum input lengths for different contexts
+ */
+export const MAX_INPUT_LENGTHS = {
+    COMMAND: 10_000, // Shell commands
+    FILE_PATH: 4_096, // File system paths
+    USER_INPUT: 50_000, // General user input (prompts, etc.)
+    SEARCH_QUERY: 1_000, // Search queries
+    ENV_VALUE: 10_000, // Environment variable values
+    CONFIG_VALUE: 10_000, // Configuration values
+};
+/**
+ * Dangerous patterns that indicate potential attacks
+ * These patterns are designed to be fast and avoid ReDoS
+ */
+const DANGEROUS_PATTERNS = {
+    // Null bytes (path traversal, command injection)
+    NULL_BYTE: /\0/,
+    // Excessive repetition (ReDoS indicator)
+    // Using fixed quantifier to prevent ReDoS
+    EXCESSIVE_REPETITION: /(.)\1{100,}/,
+    // Control characters (except common ones like \n, \t)
+    CONTROL_CHARS: /[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]/,
+    // Unicode direction override (used in homograph attacks)
+    UNICODE_OVERRIDE: /[\u202A-\u202E\u2066-\u2069]/,
+};
+/**
+ * Safe characters for different contexts
+ */
+export const SAFE_PATTERNS = {
+    /**
+     * Alphanumeric, spaces, and common punctuation
+     */
+    BASIC: /^[a-zA-Z0-9\s.,!?'"()\-_]+$/,
+    /**
+     * Safe for file paths (no directory traversal)
+     */
+    FILE_PATH: /^[a-zA-Z0-9/._\-]+$/,
+    /**
+     * Safe for environment variable values
+     */
+    ENV_VALUE: /^[a-zA-Z0-9._\-:/=]+$/,
+    /**
+     * Printable ASCII only (most restrictive)
+     */
+    ASCII_PRINTABLE: /^[\x20-\x7E]+$/,
+};
+/**
+ * Normalize Unicode string to prevent homograph attacks
+ *
+ * Uses NFC (Canonical Decomposition, followed by Canonical Composition)
+ * which is the recommended normalization form for most use cases
+ *
+ * @param input - String to normalize
+ * @returns Normalized string
+ */
+export function normalizeUnicode(input) {
+    return input.normalize('NFC');
+}
+/**
+ * Check for dangerous patterns in input
+ *
+ * @param input - String to check
+ * @returns Array of detected dangerous patterns
+ */
+export function detectDangerousPatterns(input) {
+    const detected = [];
+    if (DANGEROUS_PATTERNS.NULL_BYTE.test(input)) {
+        detected.push('Null byte detected');
+    }
+    if (DANGEROUS_PATTERNS.EXCESSIVE_REPETITION.test(input)) {
+        detected.push('Excessive character repetition detected');
+    }
+    if (DANGEROUS_PATTERNS.CONTROL_CHARS.test(input)) {
+        detected.push('Control characters detected');
+    }
+    if (DANGEROUS_PATTERNS.UNICODE_OVERRIDE.test(input)) {
+        detected.push('Unicode direction override detected');
+    }
+    return detected;
+}
+/**
+ * Sanitize general user input with configurable options
+ *
+ * @param input - Raw input string
+ * @param options - Sanitization options
+ * @returns Sanitization result
+ *
+ * @example
+ * ```typescript
+ * const result = sanitizeInput('User input here', {
+ *   maxLength: 1000,
+ *   normalizeUnicode: true,
+ *   allowedPattern: SAFE_PATTERNS.BASIC,
+ * });
+ *
+ * if (result.valid) {
+ *   // Use result.value safely
+ * } else {
+ *   console.error(result.error);
+ * }
+ * ```
+ */
+export function sanitizeInput(input, options = {}) {
+    const { maxLength = MAX_INPUT_LENGTHS.USER_INPUT, normalizeUnicode: shouldNormalize = true, allowedPattern, trim = true, allowEmpty = false, } = options;
+    const warnings = [];
+    let value = input;
+    // 1. Trim if requested
+    if (trim) {
+        value = value.trim();
+    }
+    // 2. Check if empty
+    if (!allowEmpty && value.length === 0) {
+        return {
+            valid: false,
+            error: 'Input cannot be empty',
+        };
+    }
+    // 3. Check length BEFORE normalization (prevent DoS via normalization)
+    if (value.length > maxLength) {
+        return {
+            valid: false,
+            error: `Input exceeds maximum length of ${maxLength} characters (got ${value.length})`,
+        };
+    }
+    // 4. Unicode normalization (prevent homograph attacks)
+    if (shouldNormalize) {
+        const normalized = normalizeUnicode(value);
+        if (normalized !== value) {
+            warnings.push('Input was normalized (Unicode)');
+            value = normalized;
+        }
+    }
+    // 5. Check for dangerous patterns
+    const dangerous = detectDangerousPatterns(value);
+    if (dangerous.length > 0) {
+        return {
+            valid: false,
+            error: `Dangerous patterns detected: ${dangerous.join(', ')}`,
+        };
+    }
+    // 6. Apply character whitelist if provided
+    if (allowedPattern && !allowedPattern.test(value)) {
+        return {
+            valid: false,
+            error: 'Input contains disallowed characters',
+        };
+    }
+    return {
+        valid: true,
+        value,
+        warnings: warnings.length > 0 ? warnings : undefined,
+    };
+}
+/**
+ * Sanitize file path input to prevent path traversal
+ *
+ * @param path - File path to sanitize
+ * @returns Sanitization result
+ *
+ * @example
+ * ```typescript
+ * const result = sanitizeFilePath('../../../etc/passwd');
+ * if (!result.valid) {
+ *   console.error('Invalid path:', result.error);
+ * }
+ * ```
+ */
+export function sanitizeFilePath(path) {
+    const result = sanitizeInput(path, {
+        maxLength: MAX_INPUT_LENGTHS.FILE_PATH,
+        trim: true,
+        allowEmpty: false,
+    });
+    if (!result.valid) {
+        return result;
+    }
+    const value = result.value;
+    // Additional path-specific checks
+    const warnings = result.warnings || [];
+    // Check for path traversal patterns
+    if (value.includes('..')) {
+        warnings.push('Path contains parent directory references (..)');
+    }
+    // Check for absolute paths (may be intentional, so just warn)
+    if (value.startsWith('/') || /^[A-Z]:/i.test(value)) {
+        warnings.push('Absolute path detected');
+    }
+    // Check for hidden files (Unix)
+    if (value.split('/').some(part => part.startsWith('.'))) {
+        warnings.push('Path contains hidden file/directory');
+    }
+    return {
+        valid: true,
+        value,
+        warnings: warnings.length > 0 ? warnings : undefined,
+    };
+}
+/**
+ * Sanitize shell command input
+ *
+ * NOTE: This is a last line of defense. Prefer execFile over exec
+ * and use argument arrays instead of concatenating commands.
+ *
+ * @param command - Command string to sanitize
+ * @returns Sanitization result
+ *
+ * @example
+ * ```typescript
+ * const result = sanitizeCommand('ls -la');
+ * if (result.valid) {
+ *   // Still prefer execFile with args array
+ *   execFile(result.value.split(' ')[0], result.value.split(' ').slice(1));
+ * }
+ * ```
+ */
+export function sanitizeCommand(command) {
+    const result = sanitizeInput(command, {
+        maxLength: MAX_INPUT_LENGTHS.COMMAND,
+        trim: true,
+        allowEmpty: false,
+    });
+    if (!result.valid) {
+        return result;
+    }
+    const value = result.value;
+    // Check for shell metacharacters that could enable injection
+    const shellMetaChars = /[;&|`$()<>\\]/;
+    if (shellMetaChars.test(value)) {
+        return {
+            valid: false,
+            error: 'Command contains dangerous shell metacharacters',
+        };
+    }
+    return {
+        valid: true,
+        value,
+        warnings: result.warnings,
+    };
+}
+/**
+ * Sanitize search query input
+ *
+ * @param query - Search query to sanitize
+ * @returns Sanitization result
+ */
+export function sanitizeSearchQuery(query) {
+    return sanitizeInput(query, {
+        maxLength: MAX_INPUT_LENGTHS.SEARCH_QUERY,
+        trim: true,
+        allowEmpty: false,
+    });
+}
+/**
+ * Sanitize environment variable value
+ *
+ * @param value - Environment variable value to sanitize
+ * @returns Sanitization result
+ */
+export function sanitizeEnvValue(value) {
+    return sanitizeInput(value, {
+        maxLength: MAX_INPUT_LENGTHS.ENV_VALUE,
+        trim: true,
+        allowEmpty: true, // Empty env vars are valid
+    });
+}
+/**
+ * Escape shell arguments for safe execution
+ *
+ * NOTE: This is a defense-in-depth measure. Always prefer:
+ * 1. execFile with argument array over exec
+ * 2. Argument validation/whitelisting
+ * 3. This escaping function as a last resort
+ *
+ * @param arg - Argument to escape
+ * @returns Safely escaped argument
+ */
+export function escapeShellArg(arg) {
+    // On Windows, use double quotes
+    if (process.platform === 'win32') {
+        // Escape double quotes and backslashes
+        return `"${arg.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
+    }
+    // On Unix, use single quotes (safest - no interpolation)
+    // To include a single quote, end the quote, add escaped quote, resume quote
+    return `'${arg.replace(/'/g, "'\\''")}'`;
+}
+/**
+ * Validate regex pattern for ReDoS protection
+ *
+ * Checks for common ReDoS patterns:
+ * - Nested quantifiers (e.g., (a+)+)
+ * - Alternation with overlapping patterns
+ * - Excessive backtracking potential
+ *
+ * @param pattern - Regex pattern to validate
+ * @returns Validation result
+ *
+ * @example
+ * ```typescript
+ * const result = validateRegexPattern('(a+)+b');
+ * if (!result.valid) {
+ *   console.error('Unsafe regex:', result.error);
+ * }
+ * ```
+ */
+export function validateRegexPattern(pattern) {
+    // Check length first
+    if (pattern.length > 1000) {
+        return {
+            valid: false,
+            error: 'Regex pattern too long (max 1000 characters)',
+        };
+    }
+    const warnings = [];
+    // Check for nested quantifiers (major ReDoS risk)
+    // Pattern: quantifier inside a group that is itself quantified
+    const nestedQuantifiers = /\([^)]*[*+?{][^)]*\)[*+?{]/;
+    if (nestedQuantifiers.test(pattern)) {
+        return {
+            valid: false,
+            error: 'Regex contains nested quantifiers (ReDoS risk)',
+        };
+    }
+    // Check for excessive alternation
+    const alternations = pattern.split('|');
+    if (alternations.length > 20) {
+        warnings.push('Regex has many alternations (may be slow)');
+    }
+    // Check for backreferences (can cause exponential backtracking)
+    if (/\\[1-9]/.test(pattern)) {
+        warnings.push('Regex contains backreferences (may be slow)');
+    }
+    // Try to compile the regex to catch syntax errors
+    try {
+        new RegExp(pattern);
+    }
+    catch (error) {
+        return {
+            valid: false,
+            error: `Invalid regex: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        };
+    }
+    return {
+        valid: true,
+        value: pattern,
+        warnings: warnings.length > 0 ? warnings : undefined,
+    };
+}
+//# sourceMappingURL=input-sanitizer.js.map

package/dist/utils/input-sanitizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"input-sanitizer.js","sourceRoot":"","sources":["../../src/utils/input-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAyDH;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,OAAO,EAAE,MAAM,EAAE,iBAAiB;IAClC,SAAS,EAAE,KAAK,EAAE,oBAAoB;IACtC,UAAU,EAAE,MAAM,EAAE,qCAAqC;IACzD,YAAY,EAAE,KAAK,EAAE,iBAAiB;IACtC,SAAS,EAAE,MAAM,EAAE,8BAA8B;IACjD,YAAY,EAAE,MAAM,EAAE,uBAAuB;CACrC,CAAC;AAEX;;;GAGG;AACH,MAAM,kBAAkB,GAAG;IACzB,iDAAiD;IACjD,SAAS,EAAE,IAAI;IAEf,yCAAyC;IACzC,0CAA0C;IAC1C,oBAAoB,EAAE,aAAa;IAEnC,sDAAsD;IACtD,aAAa,EAAE,mCAAmC;IAElD,yDAAyD;IACzD,gBAAgB,EAAE,8BAA8B;CACxC,CAAC;AAEX;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B;;OAEG;IACH,KAAK,EAAE,6BAA6B;IAEpC;;OAEG;IACH,SAAS,EAAE,qBAAqB;IAEhC;;OAEG;IACH,SAAS,EAAE,uBAAuB;IAElC;;OAEG;IACH,eAAe,EAAE,gBAAgB;CACzB,CAAC;AAEX;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,OAAO,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;AAChC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB,CAAC,KAAa;IACnD,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,IAAI,kBAAkB,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7C,QAAQ,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,kBAAkB,CAAC,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,QAAQ,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,kBAAkB,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,QAAQ,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IAC/C,CAAC;IAED,IAAI,kBAAkB,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,QAAQ,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,aAAa,CAC3B,KAAa,EACb,UAA4B,EAAE;IAE9B,MAAM,EACJ,SAAS,GAAG,iBAAiB,CAAC,UAAU,EACxC,gBAAgB,EAAE,eAAe,GAAG,IAAI,EACxC,cAAc,EACd,IAAI,GAAG,IAAI,EACX,UAAU,GAAG,KAAK,GACnB,GAAG,OAAO,CAAC;IAEZ,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,KAAK,GAAG,KAAK,CAAC;IAElB,uBAAuB;IACvB,IAAI,IAAI,EAAE,CAAC;QACT,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IACvB,CAAC;IAED,oBAAoB;IACpB,IAAI,CAAC,UAAU,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,uBAAuB;SAC/B,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC7B,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,mCAAmC,SAAS,oBAAoB,KAAK,CAAC,MAAM,GAAG;SACvF,CAAC;IACJ,CAAC;IAED,uDAAuD;IACvD,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,UAAU,KAAK,KAAK,EAAE,CAAC;YACzB,QAAQ,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;YAChD,KAAK,GAAG,UAAU,CAAC;QACrB,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,MAAM,SAAS,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,gCAAgC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SAC9D,CAAC;IACJ,CAAC;IAED,2CAA2C;IAC3C,IAAI,cAAc,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAClD,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,sCAAsC;SAC9C,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI;QACX,KAAK;QACL,QAAQ,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;KACrD,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,EAAE;QACjC,SAAS,EAAE,iBAAiB,CAAC,SAAS;QACtC,IAAI,EAAE,IAAI;QACV,UAAU,EAAE,KAAK;KAClB,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAM,CAAC;IAE5B,kCAAkC;IAClC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;IAEvC,oCAAoC;IACpC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,QAAQ,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;IAClE,CAAC;IAED,8DAA8D;IAC9D,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,QAAQ,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IAC1C,CAAC;IAED,gCAAgC;IAChC,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACxD,QAAQ,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;IACvD,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI;QACX,KAAK;QACL,QAAQ,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;KACrD,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,EAAE;QACpC,SAAS,EAAE,iBAAiB,CAAC,OAAO;QACpC,IAAI,EAAE,IAAI;QACV,UAAU,EAAE,KAAK;KAClB,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAM,CAAC;IAE5B,6DAA6D;IAC7D,MAAM,cAAc,GAAG,eAAe,CAAC;IACvC,IAAI,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,iDAAiD;SACzD,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI;QACX,KAAK;QACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;KAC1B,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAa;IAC/C,OAAO,aAAa,CAAC,KAAK,EAAE;QAC1B,SAAS,EAAE,iBAAiB,CAAC,YAAY;QACzC,IAAI,EAAE,IAAI;QACV,UAAU,EAAE,KAAK;KAClB,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,OAAO,aAAa,CAAC,KAAK,EAAE;QAC1B,SAAS,EAAE,iBAAiB,CAAC,SAAS;QACtC,IAAI,EAAE,IAAI;QACV,UAAU,EAAE,IAAI,EAAE,2BAA2B;KAC9C,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,gCAAgC;IAChC,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,uCAAuC;QACvC,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC;IAChE,CAAC;IAED,yDAAyD;IACzD,4EAA4E;IAC5E,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,qBAAqB;IACrB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;QAC1B,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,8CAA8C;SACtD,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,kDAAkD;IAClD,+DAA+D;IAC/D,MAAM,iBAAiB,GAAG,4BAA4B,CAAC;IACvD,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACpC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,gDAAgD;SACxD,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,YAAY,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC7B,QAAQ,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;IAC7D,CAAC;IAED,gEAAgE;IAChE,IAAI,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,QAAQ,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IAC/D,CAAC;IAED,kDAAkD;IAClD,IAAI,CAAC;QACH,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;IACtB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,kBAAkB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;SACpF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI;QACX,KAAK,EAAE,OAAO;QACd,QAAQ,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;KACrD,CAAC;AACJ,CAAC"}

package/dist/utils/json-utils.d.ts

@@ -1,6 +1,11 @@
 /**
  * JSON Parsing Utilities
  * Centralized JSON operations with validation and error handling
+ *
+ * Security: REQ-SEC-005 - Prototype Pollution Prevention
+ * - Sanitizes dangerous keys (__proto__, constructor, prototype)
+ * - Validates JSON structure before use
+ * - Prevents object property injection attacks
  */
 import { z } from 'zod';
 /**
@@ -57,3 +62,11 @@ export declare function parseJsonWithFallback<T>(jsonString: string, fallback: T
  * Parse JSON file with fallback value on error
  */
 export declare function parseJsonFileWithFallback<T>(filePath: string, fallback: T, schema?: z.ZodSchema<T>): T;
+/**
+ * Sanitize an object to prevent prototype pollution
+ * Exported for testing purposes
+ *
+ * @param obj - Object to sanitize
+ * @returns Sanitized object
+ */
+export declare function sanitizeJson<T>(obj: T): T;

package/dist/utils/json-utils.js

@@ -1,15 +1,59 @@
 /**
  * JSON Parsing Utilities
  * Centralized JSON operations with validation and error handling
+ *
+ * Security: REQ-SEC-005 - Prototype Pollution Prevention
+ * - Sanitizes dangerous keys (__proto__, constructor, prototype)
+ * - Validates JSON structure before use
+ * - Prevents object property injection attacks
  */
 import { readFileSync, writeFileSync, renameSync, unlinkSync, existsSync, copyFileSync, mkdirSync } from 'fs';
 import { dirname } from 'path';
+/**
+ * Dangerous keys that can cause prototype pollution
+ * These keys should never be allowed in parsed JSON
+ */
+const DANGEROUS_KEYS = ['__proto__', 'constructor', 'prototype'];
+/**
+ * Sanitize parsed JSON by removing dangerous keys
+ * Prevents prototype pollution attacks (REQ-SEC-005)
+ *
+ * @param obj - Object to sanitize (recursively)
+ * @returns Sanitized object with dangerous keys removed
+ */
+function sanitizeObject(obj) {
+    if (obj === null || typeof obj !== 'object') {
+        return obj;
+    }
+    // Handle arrays
+    if (Array.isArray(obj)) {
+        return obj.map(item => sanitizeObject(item));
+    }
+    // Handle objects
+    const sanitized = {};
+    for (const key in obj) {
+        // Skip dangerous keys
+        if (DANGEROUS_KEYS.includes(key)) {
+            continue;
+        }
+        // Skip inherited properties
+        if (!Object.prototype.hasOwnProperty.call(obj, key)) {
+            continue;
+        }
+        // Recursively sanitize nested objects
+        const value = obj[key];
+        sanitized[key] = sanitizeObject(value);
+    }
+    return sanitized;
+}
 /**
  * Parse JSON string with Zod schema validation
  */
 export function parseJson(jsonString, schema) {
     try {
-        const data = JSON.parse(jsonString);
+        const rawData = JSON.parse(jsonString);
+        // SECURITY: Sanitize to prevent prototype pollution (REQ-SEC-005)
+        const data = sanitizeObject(rawData);
         if (schema) {
             const result = schema.safeParse(data);
             if (!result.success) {
@@ -169,4 +213,14 @@ export function parseJsonFileWithFallback(filePath, fallback, schema) {
     const result = parseJsonFile(filePath, schema);
     return result.success ? result.data : fallback;
 }
+/**
+ * Sanitize an object to prevent prototype pollution
+ * Exported for testing purposes
+ *
+ * @param obj - Object to sanitize
+ * @returns Sanitized object
+ */
+export function sanitizeJson(obj) {
+    return sanitizeObject(obj);
+}
 //# sourceMappingURL=json-utils.js.map