@defai.digital/guard 13.4.7 → 13.4.8

package/dist/gates/path.d.ts

@@ -8,6 +8,7 @@
  * - INV-GUARD-PATH-001: Exact Match - modified files checked against exact resolved paths
  * - INV-GUARD-PATH-002: Glob Semantics - ** for recursive, * for single level
  * - INV-GUARD-PATH-003: Forbidden Wins - if path matches both allowed and forbidden, treat as forbidden
+ * - INV-GUARD-PATH-005: ReDoS Protection - limit recursive wildcards and pattern length
  */
 import type { GovernanceContext, GateResult } from '../types.js';
 /**

package/dist/gates/path.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"path.d.ts","sourceRoot":"","sources":["../../src/gates/path.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AA2BjE;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,iBAAiB,EAC1B,YAAY,EAAE,MAAM,EAAE,GACrB,OAAO,CAAC,UAAU,CAAC,CA4CrB"}
+{"version":3,"file":"path.d.ts","sourceRoot":"","sources":["../../src/gates/path.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAiEjE;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,iBAAiB,EAC1B,YAAY,EAAE,MAAM,EAAE,GACrB,OAAO,CAAC,UAAU,CAAC,CA4CrB"}

package/dist/gates/path.js

@@ -8,13 +8,43 @@
  * - INV-GUARD-PATH-001: Exact Match - modified files checked against exact resolved paths
  * - INV-GUARD-PATH-002: Glob Semantics - ** for recursive, * for single level
  * - INV-GUARD-PATH-003: Forbidden Wins - if path matches both allowed and forbidden, treat as forbidden
+ * - INV-GUARD-PATH-005: ReDoS Protection - limit recursive wildcards and pattern length
  */
+/**
+ * Maximum number of ** wildcards allowed in a pattern
+ * INV-GUARD-PATH-005: Prevents ReDoS from overlapping quantifiers
+ */
+const MAX_GLOBSTAR_COUNT = 3;
+/**
+ * Maximum pattern length to prevent abuse
+ * INV-GUARD-PATH-005: Prevents excessively long patterns
+ */
+const MAX_PATTERN_LENGTH = 500;
+/**
+ * Validates a glob pattern for ReDoS safety
+ * INV-GUARD-PATH-005: Rejects patterns that could cause catastrophic backtracking
+ * @throws Error if pattern is unsafe
+ */
+function validateGlobPattern(pattern) {
+    // Check pattern length
+    if (pattern.length > MAX_PATTERN_LENGTH) {
+        throw new Error(`Glob pattern exceeds maximum length of ${MAX_PATTERN_LENGTH} characters`);
+    }
+    // Count ** occurrences to prevent overlapping quantifiers
+    const globstarCount = (pattern.match(/\*\*/g) ?? []).length;
+    if (globstarCount > MAX_GLOBSTAR_COUNT) {
+        throw new Error(`Glob pattern contains ${globstarCount} recursive wildcards (**), maximum is ${MAX_GLOBSTAR_COUNT}`);
+    }
+}
 /**
  * Converts a glob pattern to a regex
  * INV-GUARD-PATH-002: ** for recursive, * for single level
  * INV-GUARD-PATH-004: Escape all regex special chars including ?
+ * INV-GUARD-PATH-005: Validates pattern safety before conversion
  */
 function globToRegex(pattern) {
+    // Validate pattern for ReDoS safety
+    validateGlobPattern(pattern);
     const escaped = pattern
         .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // Escape special regex chars (including ?)
         .replace(/\*\*/g, '{{GLOBSTAR}}') // Temp placeholder for **

package/dist/gates/path.js.map

@@ -1 +1 @@
-{"version":3,"file":"path.js","sourceRoot":"","sources":["../../src/gates/path.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH;;;;GAIG;AACH,SAAS,WAAW,CAAC,OAAe;IAClC,MAAM,OAAO,GAAG,OAAO;SACpB,OAAO,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC,2CAA2C;SACjF,OAAO,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,0BAA0B;SAC3D,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,8BAA8B;SACtD,OAAO,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC,CAAC,kCAAkC;IAEzE,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,QAAgB,EAAE,QAAkB;IAC7D,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QAC/B,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QACnC,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAC/B,OAA0B,EAC1B,YAAsB;IAEtB,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,0CAA0C;QAC1C,IAAI,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YACpD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,SAAS;QACX,CAAC;QAED,oCAAoC;QACpC,IACE,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC;YAC/B,CAAC,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,YAAY,CAAC,EAC9C,CAAC;YACD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,CAAC,GAAG,UAAU,EAAE,GAAG,UAAU,CAAC,CAAC;IAErD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC,OAAO,CAAC;YACrB,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,OAAO,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,0CAA0C;SACtF,CAAC,CAAC;IACL,CAAC;IAED,MAAM,OAAO,GAA4B,EAAE,CAAC;IAC5C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,uBAAuB,GAAG,UAAU,CAAC;IAC/C,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,mBAAmB,GAAG,UAAU,CAAC;IAC3C,CAAC;IAED,OAAO,OAAO,CAAC,OAAO,CAAC;QACrB,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,GAAG,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,oCAAoC;QAC5E,OAAO;KACR,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"path.js","sourceRoot":"","sources":["../../src/gates/path.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH;;;GAGG;AACH,MAAM,kBAAkB,GAAG,CAAC,CAAC;AAE7B;;;GAGG;AACH,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAE/B;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,OAAe;IAC1C,uBAAuB;IACvB,IAAI,OAAO,CAAC,MAAM,GAAG,kBAAkB,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CACb,0CAA0C,kBAAkB,aAAa,CAC1E,CAAC;IACJ,CAAC;IAED,0DAA0D;IAC1D,MAAM,aAAa,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;IAC5D,IAAI,aAAa,GAAG,kBAAkB,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CACb,yBAAyB,aAAa,yCAAyC,kBAAkB,EAAE,CACpG,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,WAAW,CAAC,OAAe;IAClC,oCAAoC;IACpC,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAE7B,MAAM,OAAO,GAAG,OAAO;SACpB,OAAO,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC,2CAA2C;SACjF,OAAO,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,0BAA0B;SAC3D,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,8BAA8B;SACtD,OAAO,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC,CAAC,kCAAkC;IAEzE,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,QAAgB,EAAE,QAAkB;IAC7D,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QAC/B,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QACnC,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAC/B,OAA0B,EAC1B,YAAsB;IAEtB,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,0CAA0C;QAC1C,IAAI,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YACpD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,SAAS;QACX,CAAC;QAED,oCAAoC;QACpC,IACE,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC;YAC/B,CAAC,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,YAAY,CAAC,EAC9C,CAAC;YACD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,CAAC,GAAG,UAAU,EAAE,GAAG,UAAU,CAAC,CAAC;IAErD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC,OAAO,CAAC;YACrB,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,OAAO,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,0CAA0C;SACtF,CAAC,CAAC;IACL,CAAC;IAED,MAAM,OAAO,GAA4B,EAAE,CAAC;IAC5C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,uBAAuB,GAAG,UAAU,CAAC;IAC/C,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,mBAAmB,GAAG,UAAU,CAAC;IAC3C,CAAC;IAED,OAAO,OAAO,CAAC,OAAO,CAAC;QACrB,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,GAAG,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,oCAAoC;QAC5E,OAAO;KACR,CAAC,CAAC;AACL,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@defai.digital/guard",
-  "version": "13.4.7",
+  "version": "13.4.8",
   "type": "module",
   "description": "Post-check AI coding governance engine for AutomatosX",
   "license": "BUSL-1.1",
@@ -32,8 +32,8 @@
     "access": "public"
   },
   "dependencies": {
-    "@defai.digital/contracts": "13.4.7",
-    "@defai.digital/trace-domain": "13.4.7"
+    "@defai.digital/contracts": "13.4.8",
+    "@defai.digital/trace-domain": "13.4.8"
   },
   "scripts": {
     "build": "tsc --build",