@jmruthers/pace-core 0.5.135 → 0.5.137

package/src/utils/validation/htmlSanitization.ts

@@ -0,0 +1,184 @@
+/**
+ * @file HTML Sanitization Utilities
+ * @package @jmruthers/pace-core
+ * @module Utils/Validation/HTMLSanitization
+ * @since 0.4.36
+ * 
+ * Utilities for safely rendering HTML content.
+ * Provides sanitization and validation for basic HTML elements.
+ */
+
+/**
+ * Allowed HTML tags for safe rendering
+ */
+const ALLOWED_TAGS = [
+  'p', 'div', 'span', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+  'strong', 'em', 'b', 'i', 'u', 's', 'mark', 'small', 'sub', 'sup',
+  'ul', 'ol', 'li', 'dl', 'dt', 'dd',
+  'blockquote', 'pre', 'code', 'kbd', 'samp',
+  'a', 'br', 'hr',
+  'table', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td',
+  'img', 'figure', 'figcaption',
+  'section', 'article', 'aside', 'header', 'footer', 'main', 'nav',
+  'details', 'summary'
+] as const;
+
+/**
+ * Allowed HTML attributes for safe rendering
+ */
+const ALLOWED_ATTRIBUTES = [
+  'id', 'class', 'style', 'title', 'lang', 'dir',
+  'href', 'target', 'rel', 'download',
+  'src', 'alt', 'width', 'height', 'loading',
+  'colspan', 'rowspan', 'scope', 'headers',
+  'open', 'datetime', 'cite'
+] as const;
+
+/**
+ * Basic HTML sanitization function using regex-based approach
+ * Removes potentially dangerous elements and attributes while preserving basic formatting
+ * This approach is more reliable in SSR environments and doesn't require DOM manipulation
+ * 
+ * @param html - The HTML string to sanitize
+ * @returns Sanitized HTML string safe for rendering
+ * 
+ * @example
+ * ```tsx
+ * const safeHtml = sanitizeHtml('<p>Hello <strong>world</strong>!</p>');
+ * // Returns: '<p>Hello <strong>world</strong>!</p>'
+ * 
+ * const dangerousHtml = sanitizeHtml('<script>alert("xss")</script><p>Safe content</p>');
+ * // Returns: '<p>Safe content</p>'
+ * ```
+ */
+export function sanitizeHtml(html: string): string {
+  if (!html || typeof html !== 'string') {
+    return '';
+  }
+
+  // Basic safety: just remove script tags and dangerous attributes
+  let sanitized = html
+    // Remove script tags (including self-closing and malformed)
+    .replace(/<script\b[^>]*>.*?<\/script>/gi, '')
+    .replace(/<script\b[^>]*\/>/gi, '')
+    // Remove iframe tags (including self-closing and malformed)
+    .replace(/<iframe\b[^>]*>.*?<\/iframe>/gi, '')
+    .replace(/<iframe\b[^>]*\/>/gi, '')
+    // Remove object tags (including self-closing and malformed)
+    .replace(/<object\b[^>]*>.*?<\/object>/gi, '')
+    .replace(/<object\b[^>]*\/>/gi, '')
+    // Remove embed tags (including self-closing)
+    .replace(/<embed\b[^>]*\/?>/gi, '')
+    // Remove form tags (including self-closing and malformed)
+    .replace(/<form\b[^>]*>.*?<\/form>/gi, '')
+    .replace(/<form\b[^>]*\/>/gi, '')
+    // Remove input tags (including self-closing)
+    .replace(/<input\b[^>]*\/?>/gi, '')
+    // Remove button tags (including self-closing and malformed)
+    .replace(/<button\b[^>]*>.*?<\/button>/gi, '')
+    .replace(/<button\b[^>]*\/>/gi, '')
+    // Remove event handlers from any remaining tags - correct pattern
+    .replace(/\s*on\w+\s*=\s*["'][^"']*["']/gi, '')
+    // Remove javascript: protocols - correct pattern
+    .replace(/javascript:[^"'\s>]*/gi, '')
+    // Remove data: protocols - correct pattern
+    .replace(/data:[^"'\s>]*/gi, '');
+
+  return sanitized;
+}
+
+/**
+ * Validates if HTML content is safe for rendering
+ * 
+ * @param html - The HTML string to validate
+ * @returns Object with validation result and any warnings
+ * 
+ * @example
+ * ```tsx
+ * const validation = validateHtml('<p>Safe content</p>');
+ * console.log(validation.isValid); // true
+ * console.log(validation.warnings); // []
+ * ```
+ */
+export function validateHtml(html: string): { isValid: boolean; warnings: string[] } {
+  const warnings: string[] = [];
+  
+  if (!html || typeof html !== 'string') {
+    return { isValid: false, warnings: ['HTML content must be a non-empty string'] };
+  }
+
+  // Check for potentially dangerous patterns
+  const dangerousPatterns = [
+    { pattern: /<script\b[^>]*>.*?<\/script>/gi, message: 'Script tags are not allowed' },
+    { pattern: /<script\b[^>]*\/>/gi, message: 'Script tags are not allowed' },
+    { pattern: /<iframe\b[^>]*>.*?<\/iframe>/gi, message: 'Iframe tags are not allowed' },
+    { pattern: /<iframe\b[^>]*\/>/gi, message: 'Iframe tags are not allowed' },
+    { pattern: /<object\b[^>]*>.*?<\/object>/gi, message: 'Object tags are not allowed' },
+    { pattern: /<object\b[^>]*\/>/gi, message: 'Object tags are not allowed' },
+    { pattern: /<embed\b[^>]*\/?>/gi, message: 'Embed tags are not allowed' },
+    { pattern: /<form\b[^>]*>.*?<\/form>/gi, message: 'Form tags are not allowed' },
+    { pattern: /<form\b[^>]*\/>/gi, message: 'Form tags are not allowed' },
+    { pattern: /<input\b[^>]*\/?>/gi, message: 'Input tags are not allowed' },
+    { pattern: /<button\b[^>]*>.*?<\/button>/gi, message: 'Button tags are not allowed' },
+    { pattern: /<button\b[^>]*\/>/gi, message: 'Button tags are not allowed' },
+    { pattern: /on\w+\s*=/gi, message: 'Event handlers are not allowed' },
+    { pattern: /javascript:/gi, message: 'JavaScript protocols are not allowed' },
+    { pattern: /data:/gi, message: 'Data protocols are not allowed' }
+  ];
+
+  dangerousPatterns.forEach(({ pattern, message }) => {
+    if (pattern.test(html)) {
+      warnings.push(message);
+    }
+  });
+
+  return {
+    isValid: warnings.length === 0,
+    warnings
+  };
+}
+
+/**
+ * Safely renders HTML content with sanitization
+ * 
+ * @param html - The HTML string to render
+ * @param options - Rendering options
+ * @returns Object with sanitized HTML and validation info
+ * 
+ * @example
+ * ```tsx
+ * const result = renderSafeHtml('<p>Hello <strong>world</strong>!</p>');
+ * console.log(result.html); // Sanitized HTML
+ * console.log(result.isValid); // true
+ * ```
+ */
+export function renderSafeHtml(
+  html: string, 
+  options: { 
+    strict?: boolean; 
+    logWarnings?: boolean;
+  } = {}
+): { 
+  html: string; 
+  isValid: boolean; 
+  warnings: string[] 
+} {
+  const { strict = true, logWarnings = false } = options;
+  
+  const validation = validateHtml(html);
+  const sanitizedHtml = sanitizeHtml(html);
+  
+  if (logWarnings && validation.warnings.length > 0) {
+    // Use logger if needed, but this is controlled by logWarnings option
+    // For now, keep console.warn as it's only called when explicitly requested
+    // via logWarnings option, which is typically for debugging
+    console.warn('HTML content warnings:', validation.warnings);
+  }
+  
+  return {
+    html: sanitizedHtml,
+    isValid: validation.isValid,
+    warnings: validation.warnings
+  };
+}
+

package/src/utils/validation/index.ts

@@ -0,0 +1,79 @@
+/**
+ * @file Validation Module Exports
+ * @package @jmruthers/pace-core
+ * @module Utils/Validation
+ * @since 0.1.0
+ * 
+ * Consolidated validation utilities and schemas for the PACE Core library.
+ */
+
+// Schema utilities
+export { pickSchema, combineSchemas } from './schema';
+
+// Common validation functions
+export {
+  isValidEmail,
+  isEmpty,
+  isStrongPassword,
+  isValidUrl,
+  isValidDate,
+  isWithinRange,
+  matchesPattern,
+  deepMerge,
+  isObject
+} from './validation';
+
+// Enhanced validation with sanitization
+export {
+  validateUserInput,
+  sanitizeUserInput_deprecated,
+  emailSchema as enhancedEmailSchema,
+  passwordSchema as enhancedPasswordSchema,
+  usernameSchema,
+  nameSchema as enhancedNameSchema,
+  phoneSchema as enhancedPhoneSchema,
+  urlSchema as enhancedUrlSchema
+} from './validationUtils';
+
+// Sanitization utilities
+export {
+  sanitizeUserInput,
+  sanitizeFormData,
+  sanitizeHtml,
+  type SanitizationOptions
+} from './sanitization';
+
+// HTML sanitization utilities (allows safe HTML tags)
+export {
+  sanitizeHtml as sanitizeHtmlAdvanced,
+  validateHtml,
+  renderSafeHtml
+} from './htmlSanitization';
+
+// Common validation schemas
+export {
+  emailSchema,
+  nameSchema,
+  phoneSchema,
+  urlSchema,
+  dateSchema
+} from './common';
+
+// Security validation
+export * from './csrf';
+export * from './sqlInjectionProtection';
+export * from './passwordSchema';
+export * from './user';
+
+// Re-export schemas from types for convenience (these are the canonical schemas)
+export {
+  loginSchema,
+  registrationSchema,
+  secureLoginSchema,
+  passwordResetSchema,
+  changePasswordSchema,
+  userProfileSchema,
+  contactFormSchema,
+  securePasswordSchema
+} from '../../types/validation';
+

package/src/utils/validation/sanitization.ts

@@ -0,0 +1,333 @@
+/**
+ * @file Input Sanitization Layer
+ * @package @jmruthers/pace-core
+ * @module Utils/Validation/Sanitization
+ * @since 0.1.0
+ * 
+ * Comprehensive input sanitization utilities to prevent XSS, injection attacks,
+ * and other security vulnerabilities.
+ */
+
+import { z } from 'zod';
+
+/**
+ * Sanitization options for different contexts
+ */
+export interface SanitizationOptions {
+  allowHtml?: boolean;
+  allowedTags?: string[];
+  maxLength?: number;
+  trim?: boolean;
+  removeScripts?: boolean;
+  removeEvents?: boolean;
+}
+
+/**
+ * Default sanitization options
+ */
+const DEFAULT_OPTIONS: SanitizationOptions = {
+  allowHtml: false,
+  allowedTags: [],
+  maxLength: 1000,
+  trim: true,
+  removeScripts: true,
+  removeEvents: true
+};
+
+/**
+ * Sanitizes user input by removing potentially dangerous characters and patterns
+ */
+export function sanitizeUserInput(input: string, options: SanitizationOptions = {}): string {
+  if (typeof input !== 'string') {
+    return '';
+  }
+
+  const opts = { ...DEFAULT_OPTIONS, ...options };
+  let sanitized = input;
+
+  // Trim whitespace if requested
+  if (opts.trim) {
+    sanitized = sanitized.trim();
+  }
+
+  // Enforce maximum length
+  if (opts.maxLength && sanitized.length > opts.maxLength) {
+    sanitized = sanitized.substring(0, opts.maxLength);
+  }
+
+  // Remove or escape HTML if not allowed
+  if (!opts.allowHtml) {
+    sanitized = sanitized
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#x27;')
+      .replace(/\//g, '&#x2F;');
+  } else if (opts.allowedTags && opts.allowedTags.length > 0) {
+    // If HTML is allowed, only permit specific tags
+    const allowedTagsRegex = new RegExp(`<(?!\/?(?:${opts.allowedTags.join('|')})\s*\/?>)[^>]+>`, 'gi');
+    sanitized = sanitized.replace(allowedTagsRegex, '');
+  }
+
+  // Remove script tags and javascript: protocols
+  if (opts.removeScripts) {
+    sanitized = sanitized
+      .replace(/<script[^>]*>.*?<\/script>/gi, '')
+      .replace(/javascript:/gi, '')
+      .replace(/vbscript:/gi, '')
+      .replace(/data:/gi, '');
+  }
+
+  // Remove event handlers
+  if (opts.removeEvents) {
+    sanitized = sanitized.replace(/on\w+\s*=/gi, '');
+  }
+
+  return sanitized;
+}
+
+/**
+ * Sanitizes email addresses
+ */
+export function sanitizeEmail(email: string): string {
+  if (typeof email !== 'string') {
+    return '';
+  }
+
+  return email
+    .trim()
+    .toLowerCase()
+    .replace(/[^\w@.-]/g, ''); // Only allow word characters, @, ., and -
+}
+
+/**
+ * Sanitizes phone numbers
+ */
+export function sanitizePhoneNumber(phone: string): string {
+  if (typeof phone !== 'string') {
+    return '';
+  }
+
+  return phone.replace(/[^\d+\-\s()]/g, '').trim();
+}
+
+/**
+ * Sanitizes URLs
+ */
+export function sanitizeUrl(url: string): string {
+  if (typeof url !== 'string') {
+    return '';
+  }
+
+  const sanitized = url.trim();
+  
+  // Only allow http(s) and ftp protocols
+  if (!/^https?:\/\/|^ftp:\/\//i.test(sanitized)) {
+    return '';
+  }
+
+  // Remove javascript: and other dangerous protocols
+  if (/javascript:|data:|vbscript:/i.test(sanitized)) {
+    return '';
+  }
+
+  return sanitized;
+}
+
+/**
+ * Sanitizes file names
+ */
+export function sanitizeFileName(fileName: string): string {
+  if (typeof fileName !== 'string') {
+    return '';
+  }
+
+  return fileName
+    .trim()
+    .replace(/[<>:"/\\|?*]/g, '') // Remove invalid file name characters
+    .replace(/\.\./g, '') // Remove directory traversal attempts
+    .substring(0, 255); // Limit length
+}
+
+/**
+ * Sanitizes SQL input to prevent injection
+ */
+export function sanitizeSqlInput(input: string): string {
+  if (typeof input !== 'string') {
+    return '';
+  }
+
+  return input
+    .replace(/['";\\]/g, '') // Remove SQL special characters
+    .replace(/--.*$/gm, '') // Remove SQL comments
+    .replace(/\/\*.*?\*\//g, '') // Remove SQL block comments
+    .trim();
+}
+
+/**
+ * Validates and sanitizes form data using Zod schemas
+ */
+export function sanitizeFormData<T>(
+  data: unknown,
+  schema: z.ZodSchema<T>,
+  sanitizationRules?: Record<string, SanitizationOptions>
+): { success: boolean; data?: T; error?: string } {
+  try {
+    // First, sanitize string fields if rules are provided
+    if (sanitizationRules && typeof data === 'object' && data !== null) {
+      const sanitizedData = { ...data } as Record<string, unknown>;
+      
+      Object.entries(sanitizationRules).forEach(([field, options]) => {
+        if (typeof sanitizedData[field] === 'string') {
+          sanitizedData[field] = sanitizeUserInput(sanitizedData[field] as string, options);
+        }
+      });
+      
+      data = sanitizedData;
+    }
+
+    // Then validate with Zod schema
+    const result = schema.parse(data);
+    return { success: true, data: result };
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      return { 
+        success: false, 
+        error: error.errors.map(e => e.message).join(', ') 
+      };
+    }
+    return { 
+      success: false, 
+      error: 'Validation failed' 
+    };
+  }
+}
+
+// Re-export HTML sanitization from the consolidated module
+// The new implementation allows safe HTML tags while removing dangerous ones
+export { sanitizeHtml } from './htmlSanitization';
+
+/**
+ * Content Security Policy (CSP) utilities
+ */
+export const CSP_DIRECTIVES = {
+  default: "default-src 'self'",
+  script: "script-src 'self' 'unsafe-inline'",
+  style: "style-src 'self' 'unsafe-inline'",
+  img: "img-src 'self' data: https:",
+  font: "font-src 'self'",
+  connect: "connect-src 'self'",
+  frame: "frame-src 'none'"
+};
+
+export function generateCSPHeader(customDirectives?: Partial<typeof CSP_DIRECTIVES>): string {
+  const directives = { ...CSP_DIRECTIVES, ...customDirectives };
+  return Object.values(directives).join('; ');
+}
+
+/**
+ * Rate limiting utilities
+ */
+export class RateLimiter {
+  private attempts: Map<string, { count: number; resetTime: number }> = new Map();
+
+  constructor(
+    private maxAttempts: number = 5,
+    private windowMs: number = 15 * 60 * 1000 // 15 minutes
+  ) {}
+
+  isAllowed(identifier: string): boolean {
+    const now = Date.now();
+    const record = this.attempts.get(identifier);
+
+    if (!record || now > record.resetTime) {
+      this.attempts.set(identifier, { count: 1, resetTime: now + this.windowMs });
+      return true;
+    }
+
+    if (record.count >= this.maxAttempts) {
+      return false;
+    }
+
+    record.count++;
+    return true;
+  }
+
+  getRemainingAttempts(identifier: string): number {
+    const record = this.attempts.get(identifier);
+    if (!record || Date.now() > record.resetTime) {
+      return this.maxAttempts;
+    }
+    return Math.max(0, this.maxAttempts - record.count);
+  }
+
+  reset(identifier: string): void {
+    this.attempts.delete(identifier);
+  }
+}
+
+// Validation schemas (kept from previous version)
+/**
+ * Enhanced email schema with security checks
+ */
+export const secureEmailSchema = z
+  .string()
+  .min(1, 'Email is required')
+  .email('Invalid email format')
+  .max(254, 'Email too long')
+  .refine(
+    (email) => {
+      if (!email || typeof email !== 'string') return false;
+      // Basic domain validation
+      const domain = email.split('@')[1];
+      return domain && domain.includes('.') && domain.length > 3;
+    },
+    'Invalid email domain'
+  )
+  .transform((email) => sanitizeEmail(email));
+
+/**
+ * Basic email schema for common use
+ */
+export const emailSchema = z
+  .string()
+  .min(1, 'Email is required')
+  .email('Invalid email format');
+
+/**
+ * Name validation schema
+ */
+export const nameSchema = z
+  .string()
+  .min(1, 'Name is required')
+  .max(100, 'Name too long')
+  .regex(/^[a-zA-Z\s'-]+$/, 'Name contains invalid characters');
+
+/**
+ * Phone validation schema
+ */
+export const phoneSchema = z
+  .string()
+  .regex(/^[\+]?[1-9][\d]{0,15}$/, 'Invalid phone number format');
+
+/**
+ * URL validation schema
+ */
+export const urlSchema = z
+  .string()
+  .url('Invalid URL format');
+
+/**
+ * Date validation schema
+ */
+export const dateSchema = z
+  .string()
+  .regex(/^\d{4}-\d{2}-\d{2}$/, 'Invalid date format (YYYY-MM-DD)');
+
+/**
+ * Secure login schema
+ */
+export const secureLoginSchema = z.object({
+  email: secureEmailSchema,
+  password: z.string().min(1, 'Password is required'),
+});

package/src/{validation/schemaUtils.ts → utils/validation/schema.ts}

@@ -1,6 +1,10 @@
-
 /**
  * @file Schema utility functions
+ * @package @jmruthers/pace-core
+ * @module Utils/Validation/Schema
+ * @since 0.1.0
+ * 
+ * Utility functions for working with Zod schemas.
  */
 
 import { z } from 'zod';
@@ -15,15 +19,15 @@ import { z } from 'zod';
 export function pickSchema<T extends z.ZodObject<any, any, any>, K extends keyof z.infer<T>>(
   schema: T,
   keys: K[]
-): z.ZodObject<any> {
+): z.ZodObject<Pick<z.infer<T>, K>> {
   const shape = Object.entries(schema.shape)
     .filter(([key]) => keys.includes(key as K))
     .reduce((acc, [key, value]) => {
-      acc[key] = value as z.ZodTypeAny;
+      (acc as Record<string, unknown>)[key] = value as unknown;
       return acc;
-    }, {} as Record<string, z.ZodTypeAny>);
+    }, {} as Record<string, unknown>);
 
-  return z.object(shape);
+  return z.object(shape as Record<string, z.ZodTypeAny>) as z.ZodObject<Pick<z.infer<T>, K>>;
 }
 
 /**
@@ -34,9 +38,10 @@ export function pickSchema<T extends z.ZodObject<any, any, any>, K extends keyof
  */
 export function combineSchemas<T extends z.ZodObject<any, any, any>[]>(
   schemas: T
-): z.ZodObject<any> {
+): z.ZodObject<any, any, any> {
   return schemas.reduce(
     (merged, schema) => merged.merge(schema),
     z.object({})
   );
 }
+

package/src/{validation → utils/validation}/sqlInjectionProtection.ts

@@ -110,6 +110,8 @@ export function sanitizeFilters(filters: Record<string, unknown>): Record<string
     const keyValidation = sqlIdentifierSchema.safeParse(key);
     if (!keyValidation.success) {
       // Log warning for invalid filter keys
+      // Note: Using console.warn here is intentional for security events
+      // This should eventually use the security audit system
       console.warn(`[SECURITY] Invalid filter key detected and removed: ${key}`);
       continue;
     }