@emeryld/rrroutes-server 2.4.8 → 2.5.0

package/dist/index.js

@@ -8,6 +8,140 @@ import {
   lowProfileParse
 } from "@emeryld/rrroutes-contract";
 import multer from "multer";
+
+// src/routesV3.server.sanitize.ts
+var defaultTargets = ["params", "query", "body"];
+var defaultBlockedKeys = ["__proto__", "prototype", "constructor"];
+var defaultMaxDepth = 20;
+var nullBytePattern = /\u0000/g;
+var isPlainObject = (value) => {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return false;
+  const proto = Object.getPrototypeOf(value);
+  return proto === Object.prototype || proto === null;
+};
+var normalizeOptions = (options) => {
+  return {
+    targets: new Set(options.targets ?? defaultTargets),
+    trimStrings: options.trimStrings ?? false,
+    stripNullBytes: options.stripNullBytes ?? true,
+    stripPrototypePollutionKeys: options.stripPrototypePollutionKeys ?? true,
+    blockedKeys: new Set(options.blockedKeys ?? defaultBlockedKeys),
+    maxDepth: options.maxDepth ?? defaultMaxDepth,
+    customSanitizer: options.customSanitizer
+  };
+};
+var applyCustomSanitizer = (value, options, context) => {
+  if (!options.customSanitizer) return value;
+  return options.customSanitizer(value, context);
+};
+var sanitizeString = (value, options) => {
+  let next = value;
+  if (options.stripNullBytes && next.includes("\0")) {
+    next = next.replace(nullBytePattern, "");
+  }
+  if (options.trimStrings) {
+    next = next.trim();
+  }
+  return next;
+};
+var sanitizeValue = (value, options, depth, seen, req, target, path) => {
+  const context = {
+    req,
+    target,
+    path,
+    depth
+  };
+  if (depth > options.maxDepth) {
+    return applyCustomSanitizer(value, options, context);
+  }
+  if (typeof value === "string") {
+    const sanitized = sanitizeString(value, options);
+    return applyCustomSanitizer(sanitized, options, context);
+  }
+  if (value && typeof value === "object" && seen.has(value)) {
+    return applyCustomSanitizer(value, options, context);
+  }
+  if (Array.isArray(value)) {
+    seen.add(value);
+    const next = value.map(
+      (entry, index) => sanitizeValue(entry, options, depth + 1, seen, req, target, [
+        ...path,
+        index
+      ])
+    );
+    seen.delete(value);
+    return applyCustomSanitizer(next, options, context);
+  }
+  if (!isPlainObject(value)) {
+    return applyCustomSanitizer(value, options, context);
+  }
+  seen.add(value);
+  const source = value;
+  const objectTarget = Object.getPrototypeOf(source) === null ? /* @__PURE__ */ Object.create(null) : {};
+  for (const [key, entry] of Object.entries(source)) {
+    if (options.stripPrototypePollutionKeys && options.blockedKeys.has(key)) {
+      continue;
+    }
+    ;
+    objectTarget[key] = sanitizeValue(
+      entry,
+      options,
+      depth + 1,
+      seen,
+      req,
+      context.target,
+      [...path, key]
+    );
+  }
+  seen.delete(value);
+  return applyCustomSanitizer(objectTarget, options, context);
+};
+var createRequestSanitizationMiddleware = (options = {}) => {
+  const normalized = normalizeOptions(options);
+  return (req, _res, next) => {
+    try {
+      if (normalized.targets.has("params") && req.params) {
+        req.params = sanitizeValue(
+          req.params,
+          normalized,
+          0,
+          /* @__PURE__ */ new WeakSet(),
+          req,
+          "params",
+          []
+        );
+      }
+      if (normalized.targets.has("query") && req.query) {
+        req.query = sanitizeValue(
+          req.query,
+          normalized,
+          0,
+          /* @__PURE__ */ new WeakSet(),
+          req,
+          "query",
+          []
+        );
+      }
+      if (normalized.targets.has("body") && req.body !== void 0) {
+        req.body = sanitizeValue(
+          req.body,
+          normalized,
+          0,
+          /* @__PURE__ */ new WeakSet(),
+          req,
+          "body",
+          []
+        );
+      }
+      next();
+    } catch (err) {
+      next(err);
+    }
+  };
+};
+var requestSanitizationMiddleware = createRequestSanitizationMiddleware();
+
+// src/routesV3.server.ts
 var serverDebugEventTypes = [
   "register",
   "request",
@@ -41,12 +175,12 @@ function createServerDebugEmitter(option) {
   }
   return disabled;
 }
-var isPlainObject = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
+var isPlainObject2 = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
 var decodeJsonLikeQueryValue = (value) => {
   if (Array.isArray(value)) {
     return value.map((entry) => decodeJsonLikeQueryValue(entry));
   }
-  if (isPlainObject(value)) {
+  if (isPlainObject2(value)) {
     const next = {};
     for (const [key, child] of Object.entries(value)) {
       next[key] = decodeJsonLikeQueryValue(child);
@@ -70,7 +204,7 @@ var REQUEST_PAYLOAD_SYMBOL = /* @__PURE__ */ Symbol.for(
   "typedLeaves.requestPayload"
 );
 function isMulterFile(value) {
-  if (!isPlainObject(value)) return false;
+  if (!isPlainObject2(value)) return false;
   const candidate = value;
   return typeof candidate.fieldname === "string";
 }
@@ -86,7 +220,7 @@ function collectMulterFiles(req) {
       files.push(value);
       return;
     }
-    if (isPlainObject(value)) {
+    if (isPlainObject2(value)) {
       Object.values(value).forEach(pushValue);
     }
   };
@@ -212,9 +346,12 @@ function createRRRoute(router, config) {
     if (!isVerbose || !details) return event;
     return { ...event, ...details };
   };
-  const globalBeforeMws = [...config.globalMiddleware ?? []].map(
+  const middlewareConfig = config.middleware ?? {};
+  const postCtxMws = [...middlewareConfig.postCtx ?? []].map(
     (mw) => adaptCtxMw(mw)
   );
+  const preCtxMws = [...middlewareConfig.preCtx ?? []];
+  const sanitizerMw = middlewareConfig.sanitizer === void 0 ? void 0 : typeof middlewareConfig.sanitizer === "function" ? middlewareConfig.sanitizer : createRequestSanitizationMiddleware(middlewareConfig.sanitizer);
   const registered = getRegisteredRouteStore(router);
   const getMulterOptions = (fields) => {
     if (!fields || fields.length === 0) return void 0;
@@ -376,9 +513,11 @@ function createRRRoute(router, config) {
       }
     };
     const before = [
+      ...sanitizerMw ? [sanitizerMw] : [],
+      ...preCtxMws,
       resolvePayloadMw,
       ctxMw,
-      ...globalBeforeMws,
+      ...postCtxMws,
       ...routeSpecific
     ];
     const wrapped = async (req, res, next) => {
@@ -1080,7 +1219,10 @@ function createSocketConnections(io, events, opts) {
   });
   io.on("connection", builtInConnectionListener);
   const conn = {
-    on(eventName, handler) {
+    on({
+      eventName,
+      handler
+    }) {
       const socketListeners = /* @__PURE__ */ new WeakMap();
       const connectionListener = (socket) => {
         const wrapped = async (raw) => {
@@ -1189,7 +1331,12 @@ function createSocketConnections(io, events, opts) {
     off(eventName) {
       removeAllForEvent(String(eventName));
     },
-    emitAny(eventName, payload, rooms, metadata) {
+    emitAny({
+      eventName,
+      payload,
+      rooms,
+      metadata
+    }) {
       const targets = toArray2(rooms);
       if (Object.prototype.hasOwnProperty.call(events, eventName)) {
         emitToTargets(
@@ -1385,9 +1532,11 @@ export {
   keyOf2 as contractKeyOf,
   createConnectionLoggingMiddleware,
   createRRRoute,
+  createRequestSanitizationMiddleware,
   createSocketConnections,
   defineControllers,
   getCtx,
+  requestSanitizationMiddleware,
   warnMissingControllers
 };
 //# sourceMappingURL=index.js.map