@forcecalendar/core 2.1.19 → 2.1.21

package/README.md

@@ -3,7 +3,7 @@
 [![Tests](https://github.com/forceCalendar/core/actions/workflows/test.yml/badge.svg)](https://github.com/forceCalendar/core/actions/workflows/test.yml)
 [![Code Quality](https://github.com/forceCalendar/core/actions/workflows/code-quality.yml/badge.svg)](https://github.com/forceCalendar/core/actions/workflows/code-quality.yml)
 [![npm version](https://img.shields.io/npm/v/@forcecalendar/core.svg)](https://www.npmjs.com/package/@forcecalendar/core)
-[![npm downloads](https://img.shields.io/npm/dw/@forcecalendar/core.svg)](https://www.npmjs.com/package/@forcecalendar/core)
+[![npm downloads](https://img.shields.io/npm/dt/@forcecalendar/core.svg)](https://www.npmjs.com/package/@forcecalendar/core)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
 A modern, lightweight, framework-agnostic calendar engine optimized for Salesforce.

package/core/events/Event.js

@@ -7,6 +7,15 @@
 import { TimezoneManager } from '../timezone/TimezoneManager.js';
 
 export class Event {
+  // Field size limits
+  static FIELD_LIMITS = {
+    id: 256,
+    title: 1000,
+    description: 10000,
+    location: 500
+  };
+  static MAX_METADATA_SIZE = 50 * 1024; // 50KB
+
   /**
    * Normalize event data
    * @param {import('../../types.js').EventData} data - Raw event data
@@ -37,11 +46,15 @@ export class Event {
       }
     }
 
-    // Normalize string fields
-    normalized.id = String(normalized.id || '').trim();
-    normalized.title = String(normalized.title || '').trim();
-    normalized.description = String(normalized.description || '').trim();
-    normalized.location = String(normalized.location || '').trim();
+    // Normalize string fields with size limits
+    normalized.id = String(normalized.id || '').trim().slice(0, Event.FIELD_LIMITS.id);
+    normalized.title = String(normalized.title || '').trim().slice(0, Event.FIELD_LIMITS.title);
+    normalized.description = String(normalized.description || '')
+      .trim()
+      .slice(0, Event.FIELD_LIMITS.description);
+    normalized.location = String(normalized.location || '')
+      .trim()
+      .slice(0, Event.FIELD_LIMITS.location);
 
     // Normalize arrays
     normalized.attendees = Array.isArray(normalized.attendees) ? normalized.attendees : [];
@@ -295,8 +308,8 @@ export class Event {
     // Conference/Virtual meeting
     this.conferenceData = normalized.conferenceData;
 
-    // Custom metadata for extensibility
-    this.metadata = { ...normalized.metadata };
+    // Custom metadata for extensibility (with size/type validation)
+    this.metadata = Event._sanitizeMetadata(normalized.metadata);
 
     // Computed properties cache
     this._cache = {};
@@ -816,6 +829,46 @@ export class Event {
     return categories.every(category => this.hasCategory(category));
   }
 
+  // ============ Metadata Sanitization ============
+
+  /**
+   * Sanitize metadata to enforce size limits and reject unsafe types
+   * @param {Object} metadata - Raw metadata object
+   * @returns {Object} Sanitized metadata
+   * @private
+   */
+  static _sanitizeMetadata(metadata) {
+    if (!metadata || typeof metadata !== 'object') {
+      return {};
+    }
+
+    const sanitized = {};
+    for (const [key, value] of Object.entries(metadata)) {
+      // Reject functions and symbols
+      if (typeof value === 'function' || typeof value === 'symbol') {
+        continue;
+      }
+      sanitized[key] = value;
+    }
+
+    // Enforce serialized size limit
+    let serialized;
+    try {
+      serialized = JSON.stringify(sanitized);
+    } catch {
+      // If metadata can't be serialized (circular refs, etc.), return empty
+      return {};
+    }
+
+    if (serialized.length > Event.MAX_METADATA_SIZE) {
+      throw new Error(
+        `Event metadata exceeds maximum size of ${Event.MAX_METADATA_SIZE / 1024}KB when serialized`
+      );
+    }
+
+    return sanitized;
+  }
+
   // ============ Validation Methods ============
 
   /**

package/core/events/RRuleParser.js

@@ -63,7 +63,10 @@ export class RRuleParser {
           break;
 
         case 'BYWEEKNO':
-          rule.byWeekNo = this.parseIntList(value);
+          // RFC 5545: valid range is 1-53 or -53 to -1 (no zero)
+          rule.byWeekNo = this.parseIntList(value).filter(
+            v => v !== 0 && v >= -53 && v <= 53
+          );
           break;
 
         case 'BYMONTH':
@@ -242,6 +245,7 @@ export class RRuleParser {
     rule.byMonth = validateArray(rule.byMonth || [], 1, 12);
     rule.byMonthDay = validateArray(rule.byMonthDay || [], -31, 31).filter(v => v !== 0);
     rule.byYearDay = validateArray(rule.byYearDay || [], -366, 366).filter(v => v !== 0);
+    // RFC 5545: BYWEEKNO valid range is 1-53 or -53 to -1
     rule.byWeekNo = validateArray(rule.byWeekNo || [], -53, 53).filter(v => v !== 0);
     rule.byHour = validateArray(rule.byHour || [], 0, 23);
     rule.byMinute = validateArray(rule.byMinute || [], 0, 59);

package/core/events/RecurrenceEngine.js

@@ -7,6 +7,9 @@ import { RRuleParser } from './RRuleParser.js';
  * Full support for RFC 5545 (iCalendar) RRULE specification
  */
 export class RecurrenceEngine {
+  // Hard limit to prevent resource exhaustion regardless of caller input
+  static MAX_OCCURRENCES_HARD_LIMIT = 10000;
+
   /**
    * Expand a recurring event into individual occurrences
    * @param {import('./Event.js').Event} event - The recurring event
@@ -17,6 +20,8 @@ export class RecurrenceEngine {
    * @returns {import('../../types.js').EventOccurrence[]} Array of occurrence objects with start/end dates
    */
   static expandEvent(event, rangeStart, rangeEnd, maxOccurrences = 365, timezone = null) {
+    // Enforce hard limit regardless of caller-provided value
+    maxOccurrences = Math.min(maxOccurrences, RecurrenceEngine.MAX_OCCURRENCES_HARD_LIMIT);
     if (!event.recurring || !event.recurrenceRule) {
       return [{ start: event.start, end: event.end, timezone: event.timeZone }];
     }

package/core/events/RecurrenceEngineV2.js

@@ -7,6 +7,9 @@ import { TimezoneManager } from '../timezone/TimezoneManager.js';
 import { RRuleParser } from './RRuleParser.js';
 
 export class RecurrenceEngineV2 {
+  // Hard limit to prevent resource exhaustion regardless of caller input
+  static MAX_OCCURRENCES_HARD_LIMIT = 10000;
+
   constructor() {
     // Use singleton to share cache across all components
     this.tzManager = TimezoneManager.getInstance();
@@ -32,13 +35,16 @@ export class RecurrenceEngineV2 {
    */
   expandEvent(event, rangeStart, rangeEnd, options = {}) {
     const {
-      maxOccurrences = 365,
+      maxOccurrences: requestedMax = 365,
       includeModified = true,
       includeCancelled = false,
       timezone = event.timeZone || 'UTC',
       handleDST = true
     } = options;
 
+    // Enforce hard limit regardless of caller-provided value
+    const maxOccurrences = Math.min(requestedMax, RecurrenceEngineV2.MAX_OCCURRENCES_HARD_LIMIT);
+
     // Check cache
     const cacheKey = this.getCacheKey(event.id, rangeStart, rangeEnd, options);
     if (this.occurrenceCache.has(cacheKey)) {

package/core/ics/ICSHandler.js

@@ -31,6 +31,13 @@ export class ICSHandler {
       // Get ICS string from input
       const icsString = await this.getICSString(input);
 
+      // Enforce input size limit before parsing
+      if (typeof icsString === 'string' && icsString.length > ICSParser.MAX_INPUT_SIZE) {
+        throw new Error(
+          `ICS input exceeds maximum size of ${ICSParser.MAX_INPUT_SIZE / (1024 * 1024)}MB`
+        );
+      }
+
       // Parse ICS to events
       const parsedEvents = this.parser.parse(icsString);
 
@@ -172,18 +179,86 @@ export class ICSHandler {
    * @returns {Promise<Object>} Import results
    */
   async importFromURL(url, options = {}) {
+    // Validate URL before fetching to prevent SSRF
+    ICSHandler.validateURL(url);
+
     try {
-      const response = await fetch(url);
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 30000); // 30s timeout
+
+      const response = await fetch(url, { signal: controller.signal });
+      clearTimeout(timeout);
+
       if (!response.ok) {
         throw new Error(`Failed to fetch ICS: ${response.statusText}`);
       }
+
+      // Validate Content-Type header
+      const contentType = response.headers.get('content-type') || '';
+      const allowedTypes = ['text/calendar', 'text/plain', 'application/octet-stream'];
+      const typeMatch = allowedTypes.some(t => contentType.toLowerCase().includes(t));
+      if (contentType && !typeMatch) {
+        throw new Error(
+          `Unexpected Content-Type: ${contentType}. Expected text/calendar or text/plain`
+        );
+      }
+
       const icsString = await response.text();
       return this.import(icsString, options);
     } catch (error) {
+      if (error.name === 'AbortError') {
+        throw new Error('Failed to import from URL: request timed out after 30 seconds');
+      }
       throw new Error(`Failed to import from URL: ${error.message}`);
     }
   }
 
+  /**
+   * Validate a URL for safety (prevent SSRF attacks)
+   * @param {string} url - URL to validate
+   * @throws {Error} If URL is not safe
+   */
+  static validateURL(url) {
+    let parsed;
+    try {
+      parsed = new URL(url);
+    } catch {
+      throw new Error('Invalid URL');
+    }
+
+    // Only allow http and https schemes
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+      throw new Error(`URL scheme "${parsed.protocol}" is not allowed. Only http and https are permitted`);
+    }
+
+    const hostname = parsed.hostname.toLowerCase();
+
+    // Block localhost
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1') {
+      throw new Error('URLs pointing to localhost are not allowed');
+    }
+
+    // Block private/internal IP ranges
+    const privatePatterns = [
+      /^127\./, // 127.0.0.0/8
+      /^10\./, // 10.0.0.0/8
+      /^192\.168\./, // 192.168.0.0/16
+      /^172\.(1[6-9]|2\d|3[01])\./, // 172.16.0.0/12
+      /^169\.254\./, // 169.254.0.0/16 (link-local)
+      /^0\./, // 0.0.0.0/8
+      /^\[?fe80:/i, // IPv6 link-local
+      /^\[?fc00:/i, // IPv6 unique local
+      /^\[?fd/i, // IPv6 unique local
+      /^\[?::1\]?$/ // IPv6 loopback
+    ];
+
+    for (const pattern of privatePatterns) {
+      if (pattern.test(hostname)) {
+        throw new Error('URLs pointing to private/internal networks are not allowed');
+      }
+    }
+  }
+
   /**
    * Subscribe to calendar feed
    * @param {string} url - URL to ICS feed
@@ -191,6 +266,9 @@ export class ICSHandler {
    * @returns {Object} Subscription object
    */
   subscribe(url, options = {}) {
+    // Validate URL before subscribing to prevent SSRF
+    ICSHandler.validateURL(url);
+
     const {
       refreshInterval = 3600000, // 1 hour default
       autoRefresh = true,

package/core/ics/ICSParser.js

@@ -5,6 +5,11 @@
  */
 
 export class ICSParser {
+  // Size limits to prevent DoS attacks
+  static MAX_INPUT_SIZE = 50 * 1024 * 1024; // 50MB
+  static MAX_LINES = 100000; // 100k lines
+  static MAX_EVENTS = 10000; // 10k events
+
   constructor() {
     // ICS line folding max width
     this.maxLineLength = 75;
@@ -33,8 +38,21 @@ export class ICSParser {
    * @returns {Array} Array of event objects
    */
   parse(icsString) {
+    // Enforce input size limit
+    if (typeof icsString === 'string' && icsString.length > ICSParser.MAX_INPUT_SIZE) {
+      throw new Error(
+        `ICS input exceeds maximum size of ${ICSParser.MAX_INPUT_SIZE / (1024 * 1024)}MB`
+      );
+    }
+
     const events = [];
     const lines = this.unfoldLines(icsString);
+
+    // Enforce line count limit
+    if (lines.length > ICSParser.MAX_LINES) {
+      throw new Error(`ICS input exceeds maximum of ${ICSParser.MAX_LINES} lines`);
+    }
+
     let currentEvent = null;
     let inEvent = false;
     let inAlarm = false;
@@ -57,6 +75,10 @@ export class ICSParser {
       // Handle component boundaries
       if (property === 'BEGIN') {
         if (value === 'VEVENT') {
+          // Enforce event count limit
+          if (events.length >= ICSParser.MAX_EVENTS) {
+            throw new Error(`ICS input exceeds maximum of ${ICSParser.MAX_EVENTS} events`);
+          }
           inEvent = true;
           currentEvent = this.createEmptyEvent();
         } else if (value === 'VALARM') {

package/core/performance/AdaptiveMemoryManager.js

@@ -119,22 +119,14 @@ export class AdaptiveMemoryManager {
       }
     }
 
-    // Node.js environment - use fully indirect access to avoid LWC static analysis
-    // Salesforce Locker Service blocks any reference to process.memoryUsage
+    // Node.js environment
     try {
-      const g = typeof globalThis !== 'undefined' ? globalThis : {};
-      const procKey = 'proc' + 'ess';
-      const memKey = 'mem' + 'oryUsage';
-      const p = g[procKey];
-      if (p && typeof p === 'object') {
-        const memFn = p[memKey];
-        if (typeof memFn === 'function') {
-          const usage = memFn.call(p);
-          return usage.heapUsed / usage.heapTotal;
-        }
+      if (typeof process !== 'undefined' && typeof process.memoryUsage === 'function') {
+        const usage = process.memoryUsage();
+        return usage.heapUsed / usage.heapTotal;
       }
     } catch (e) {
-      // Ignore - not in Node.js environment
+      // Ignore - not available in this environment (e.g., Salesforce Locker Service)
     }
 
     // Fallback - estimate based on cache sizes

package/core/state/StateManager.js

@@ -102,23 +102,25 @@ export class StateManager {
       updates = updates(oldState);
     }
 
-    // Sanitize keys to prevent prototype pollution
+    // Deep sanitize to prevent prototype pollution
     if (updates && typeof updates === 'object') {
-      delete updates.__proto__;
-      delete updates.constructor;
-      delete updates.prototype;
+      updates = StateManager._deepSanitize(updates);
     }
 
     // Create new state with updates
     const newState = {
       ...oldState,
       ...updates,
-      // Preserve nested objects
-      filters: updates.filters ? { ...oldState.filters, ...updates.filters } : oldState.filters,
+      // Preserve nested objects (sanitization already applied to updates)
+      filters: updates.filters
+        ? { ...oldState.filters, ...StateManager._deepSanitize(updates.filters) }
+        : oldState.filters,
       businessHours: updates.businessHours
-        ? { ...oldState.businessHours, ...updates.businessHours }
+        ? { ...oldState.businessHours, ...StateManager._deepSanitize(updates.businessHours) }
         : oldState.businessHours,
-      metadata: updates.metadata ? { ...oldState.metadata, ...updates.metadata } : oldState.metadata
+      metadata: updates.metadata
+        ? { ...oldState.metadata, ...StateManager._deepSanitize(updates.metadata) }
+        : oldState.metadata
     };
 
     // Check if state actually changed
@@ -406,6 +408,51 @@ export class StateManager {
     this.historyIndex = 0;
   }
 
+  /**
+   * Recursively sanitize an object to prevent prototype pollution
+   * Removes dangerous keys (__proto__, constructor, prototype) at all levels
+   * @param {*} obj - Object to sanitize
+   * @param {number} depth - Current recursion depth
+   * @returns {*} Sanitized object
+   * @private
+   */
+  static _deepSanitize(obj, depth = 0) {
+    // Prevent recursion attacks
+    if (depth > 10) {
+      return {};
+    }
+
+    if (obj === null || typeof obj !== 'object') {
+      return obj;
+    }
+
+    // Don't sanitize Date objects or arrays of primitives
+    if (obj instanceof Date) {
+      return obj;
+    }
+
+    if (Array.isArray(obj)) {
+      return obj.map(item => StateManager._deepSanitize(item, depth + 1));
+    }
+
+    const sanitized = {};
+    const dangerousKeys = new Set(['__proto__', 'constructor', 'prototype']);
+
+    for (const key of Object.keys(obj)) {
+      if (dangerousKeys.has(key)) {
+        continue;
+      }
+      const value = obj[key];
+      if (value !== null && typeof value === 'object' && !(value instanceof Date)) {
+        sanitized[key] = StateManager._deepSanitize(value, depth + 1);
+      } else {
+        sanitized[key] = value;
+      }
+    }
+
+    return sanitized;
+  }
+
   /**
    * Check if state has changed
    * @private

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forcecalendar/core",
-  "version": "2.1.19",
+  "version": "2.1.21",
   "type": "module",
   "private": false,
   "description": "A modern, lightweight, framework-agnostic calendar engine optimized for Salesforce",