@nahisaho/musubix-security 2.0.1 → 2.1.0

package/dist/analysis/sanitizers/path-sanitizers.js

@@ -0,0 +1,163 @@
+/**
+ * @fileoverview Path traversal sanitizer definitions
+ * @module @nahisaho/musubix-security/analysis/sanitizers/path-sanitizers
+ * @trace REQ-SEC-001
+ */
+/**
+ * Path traversal sanitizers
+ * @trace REQ-SEC-001
+ */
+export const PATH_SANITIZERS = [
+    // path.basename - removes directory components
+    {
+        id: 'SAN-PATH-001',
+        name: 'basename',
+        package: 'path',
+        protects: ['file-read', 'file-write'],
+        completeness: 'partial',
+        returnsClean: true,
+        description: 'path.basename - removes directory components',
+        caveats: 'Only removes directory path, does not prevent all traversal',
+        enabled: true,
+        tags: ['path', 'basename', 'traversal'],
+    },
+    // path.normalize
+    {
+        id: 'SAN-PATH-010',
+        name: 'normalize',
+        package: 'path',
+        protects: ['file-read', 'file-write'],
+        completeness: 'partial',
+        returnsClean: true,
+        description: 'path.normalize - resolves . and .. segments',
+        caveats: 'Resolves .. but does not prevent traversal outside base',
+        enabled: true,
+        tags: ['path', 'normalize', 'traversal'],
+    },
+    // path.resolve
+    {
+        id: 'SAN-PATH-020',
+        name: 'resolve',
+        package: 'path',
+        protects: ['file-read', 'file-write'],
+        completeness: 'partial',
+        returnsClean: true,
+        description: 'path.resolve - resolves to absolute path',
+        caveats: 'Creates absolute path but does not prevent traversal',
+        enabled: true,
+        tags: ['path', 'resolve', 'traversal'],
+    },
+    // Custom path validation
+    {
+        id: 'SAN-PATH-030',
+        name: 'validatePath',
+        aliases: ['isValidPath', 'checkPath', 'sanitizePath'],
+        protects: ['file-read', 'file-write'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'Custom path validation function',
+        enabled: true,
+        tags: ['path', 'validate', 'traversal'],
+    },
+    // startsWith check pattern
+    {
+        id: 'SAN-PATH-040',
+        name: 'startsWith',
+        protects: ['file-read', 'file-write'],
+        completeness: 'conditional',
+        returnsClean: false,
+        description: 'Path prefix check with startsWith',
+        caveats: 'Must be combined with resolve/normalize to be effective',
+        enabled: true,
+        tags: ['path', 'startsWith', 'check'],
+    },
+    // within base directory check
+    {
+        id: 'SAN-PATH-050',
+        name: 'isWithinBase',
+        aliases: ['isInsideDirectory', 'isSubPath', 'isInside'],
+        protects: ['file-read', 'file-write'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'Check if path is within allowed base directory',
+        enabled: true,
+        tags: ['path', 'base', 'check'],
+    },
+    // realpath
+    {
+        id: 'SAN-PATH-060',
+        name: 'realpath',
+        aliases: ['realpathSync'],
+        package: 'fs',
+        protects: ['file-read', 'file-write'],
+        completeness: 'partial',
+        returnsClean: true,
+        description: 'fs.realpath - resolves symlinks',
+        caveats: 'Resolves symlinks but should be combined with base check',
+        enabled: true,
+        tags: ['path', 'realpath', 'symlink'],
+    },
+    // path-is-inside package
+    {
+        id: 'SAN-PATH-070',
+        name: 'pathIsInside',
+        package: 'path-is-inside',
+        protects: ['file-read', 'file-write'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'path-is-inside package',
+        enabled: true,
+        tags: ['path', 'inside', 'check'],
+    },
+    // sanitize-filename package
+    {
+        id: 'SAN-PATH-080',
+        name: 'sanitize',
+        aliases: ['sanitizeFilename'],
+        package: 'sanitize-filename',
+        protects: ['file-read', 'file-write'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'sanitize-filename - removes dangerous characters',
+        enabled: true,
+        tags: ['path', 'filename', 'sanitize'],
+    },
+    // filenamify package
+    {
+        id: 'SAN-PATH-090',
+        name: 'filenamify',
+        package: 'filenamify',
+        protects: ['file-read', 'file-write'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'filenamify - converts string to safe filename',
+        enabled: true,
+        tags: ['path', 'filename', 'sanitize'],
+    },
+    // Extension validation
+    {
+        id: 'SAN-PATH-100',
+        name: 'validateExtension',
+        aliases: ['checkExtension', 'allowedExtensions'],
+        protects: ['file-read', 'file-write'],
+        completeness: 'partial',
+        returnsClean: true,
+        description: 'File extension whitelist validation',
+        caveats: 'Only validates extension, not path traversal',
+        enabled: true,
+        tags: ['path', 'extension', 'validate'],
+    },
+    // Zip Slip protection
+    {
+        id: 'SAN-PATH-110',
+        name: 'checkZipSlip',
+        aliases: ['validateZipEntry', 'preventZipSlip'],
+        protects: ['file-write'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'Zip Slip vulnerability protection',
+        enabled: true,
+        tags: ['path', 'zip', 'slip'],
+    },
+];
+//# sourceMappingURL=path-sanitizers.js.map

package/dist/analysis/sanitizers/path-sanitizers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-sanitizers.js","sourceRoot":"","sources":["../../../src/analysis/sanitizers/path-sanitizers.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAmC;IAC7D,+CAA+C;IAC/C;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,MAAM;QACf,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QACrC,YAAY,EAAE,SAAS;QACvB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,8CAA8C;QAC3D,OAAO,EAAE,6DAA6D;QACtE,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,WAAW,CAAC;KACxC;IAED,iBAAiB;IACjB;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,MAAM;QACf,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QACrC,YAAY,EAAE,SAAS;QACvB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,6CAA6C;QAC1D,OAAO,EAAE,yDAAyD;QAClE,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC;KACzC;IAED,eAAe;IACf;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,MAAM;QACf,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QACrC,YAAY,EAAE,SAAS;QACvB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,0CAA0C;QACvD,OAAO,EAAE,sDAAsD;QAC/D,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,WAAW,CAAC;KACvC;IAED,yBAAyB;IACzB;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,CAAC,aAAa,EAAE,WAAW,EAAE,cAAc,CAAC;QACrD,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QACrC,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,iCAAiC;QAC9C,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,WAAW,CAAC;KACxC;IAED,2BAA2B;IAC3B;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QACrC,YAAY,EAAE,aAAa;QAC3B,YAAY,EAAE,KAAK;QACnB,WAAW,EAAE,mCAAmC;QAChD,OAAO,EAAE,yDAAyD;QAClE,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,OAAO,CAAC;KACtC;IAED,8BAA8B;IAC9B;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,CAAC,mBAAmB,EAAE,WAAW,EAAE,UAAU,CAAC;QACvD,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QACrC,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,gDAAgD;QAC7D,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC;KAChC;IAED,WAAW;IACX;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,CAAC,cAAc,CAAC;QACzB,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QACrC,YAAY,EAAE,SAAS;QACvB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,iCAAiC;QAC9C,OAAO,EAAE,0DAA0D;QACnE,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,CAAC;KACtC;IAED,yBAAyB;IACzB;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,gBAAgB;QACzB,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QACrC,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,wBAAwB;QACrC,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC;KAClC;IAED,4BAA4B;IAC5B;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,CAAC,kBAAkB,CAAC;QAC7B,OAAO,EAAE,mBAAmB;QAC5B,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QACrC,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,kDAAkD;QAC/D,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC;KACvC;IAED,qBAAqB;IACrB;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,YAAY;QACrB,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QACrC,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,+CAA+C;QAC5D,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC;KACvC;IAED,uBAAuB;IACvB;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,CAAC,gBAAgB,EAAE,mBAAmB,CAAC;QAChD,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QACrC,YAAY,EAAE,SAAS;QACvB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,qCAAqC;QAClD,OAAO,EAAE,8CAA8C;QACvD,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,UAAU,CAAC;KACxC;IAED,sBAAsB;IACtB;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,CAAC,kBAAkB,EAAE,gBAAgB,CAAC;QAC/C,QAAQ,EAAE,CAAC,YAAY,CAAC;QACxB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,mCAAmC;QAChD,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;KAC9B;CACO,CAAC"}

package/dist/analysis/sanitizers/sql-sanitizers.d.ts

@@ -0,0 +1,12 @@
+/**
+ * @fileoverview SQL sanitizer definitions
+ * @module @nahisaho/musubix-security/analysis/sanitizers/sql-sanitizers
+ * @trace REQ-SEC-001
+ */
+import type { SanitizerDefinition } from './types.js';
+/**
+ * SQL injection sanitizers
+ * @trace REQ-SEC-001
+ */
+export declare const SQL_SANITIZERS: readonly SanitizerDefinition[];
+//# sourceMappingURL=sql-sanitizers.d.ts.map

package/dist/analysis/sanitizers/sql-sanitizers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql-sanitizers.d.ts","sourceRoot":"","sources":["../../../src/analysis/sanitizers/sql-sanitizers.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEtD;;;GAGG;AACH,eAAO,MAAM,cAAc,EAAE,SAAS,mBAAmB,EAqN/C,CAAC"}

package/dist/analysis/sanitizers/sql-sanitizers.js

@@ -0,0 +1,216 @@
+/**
+ * @fileoverview SQL sanitizer definitions
+ * @module @nahisaho/musubix-security/analysis/sanitizers/sql-sanitizers
+ * @trace REQ-SEC-001
+ */
+/**
+ * SQL injection sanitizers
+ * @trace REQ-SEC-001
+ */
+export const SQL_SANITIZERS = [
+    // MySQL escape
+    {
+        id: 'SAN-SQL-001',
+        name: 'escape',
+        package: 'mysql',
+        protects: ['sql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'MySQL escape function - escapes special characters',
+        enabled: true,
+        tags: ['sql', 'mysql', 'escape'],
+    },
+    {
+        id: 'SAN-SQL-002',
+        name: 'escape',
+        package: 'mysql2',
+        protects: ['sql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'MySQL2 escape function',
+        enabled: true,
+        tags: ['sql', 'mysql2', 'escape'],
+    },
+    {
+        id: 'SAN-SQL-003',
+        name: 'escapeId',
+        aliases: ['escapeIdentifier'],
+        package: 'mysql',
+        protects: ['sql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'MySQL identifier escape (for column/table names)',
+        enabled: true,
+        tags: ['sql', 'mysql', 'escape', 'identifier'],
+    },
+    {
+        id: 'SAN-SQL-004',
+        name: 'format',
+        package: 'mysql',
+        protects: ['sql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'MySQL format function - parameterized queries',
+        enabled: true,
+        tags: ['sql', 'mysql', 'format', 'parameterized'],
+    },
+    // PostgreSQL escape
+    {
+        id: 'SAN-SQL-010',
+        name: 'escapeLiteral',
+        package: 'pg',
+        protects: ['sql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'PostgreSQL literal escape',
+        enabled: true,
+        tags: ['sql', 'postgresql', 'escape'],
+    },
+    {
+        id: 'SAN-SQL-011',
+        name: 'escapeIdentifier',
+        package: 'pg',
+        protects: ['sql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'PostgreSQL identifier escape',
+        enabled: true,
+        tags: ['sql', 'postgresql', 'escape', 'identifier'],
+    },
+    // Parameterized queries (generic)
+    {
+        id: 'SAN-SQL-020',
+        name: 'parameterize',
+        protects: ['sql-query', 'nosql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'Generic parameterized query pattern',
+        enabled: true,
+        tags: ['sql', 'parameterized', 'generic'],
+    },
+    {
+        id: 'SAN-SQL-021',
+        name: 'prepare',
+        aliases: ['prepareStatement', 'prepared'],
+        protects: ['sql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'Prepared statement pattern',
+        enabled: true,
+        tags: ['sql', 'prepared', 'statement'],
+    },
+    {
+        id: 'SAN-SQL-022',
+        name: 'bind',
+        aliases: ['binding', 'bindings'],
+        protects: ['sql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'Parameter binding pattern',
+        enabled: true,
+        tags: ['sql', 'bind', 'parameterized'],
+    },
+    // Knex.js
+    {
+        id: 'SAN-SQL-030',
+        name: 'raw',
+        namePattern: '^knex\\.raw\\(.*\\?',
+        package: 'knex',
+        protects: ['sql-query'],
+        completeness: 'conditional',
+        returnsClean: true,
+        description: 'Knex raw with placeholders - safe if placeholders used',
+        caveats: 'Only safe when using ? placeholders for values',
+        enabled: true,
+        tags: ['sql', 'knex', 'raw'],
+    },
+    // Prisma
+    {
+        id: 'SAN-SQL-040',
+        name: 'sql',
+        aliases: ['Prisma.sql'],
+        package: '@prisma/client',
+        protects: ['sql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'Prisma.sql template literal - safe parameterization',
+        enabled: true,
+        tags: ['sql', 'prisma', 'template'],
+    },
+    // Sequelize
+    {
+        id: 'SAN-SQL-050',
+        name: 'literal',
+        aliases: ['Sequelize.literal'],
+        package: 'sequelize',
+        protects: ['sql-query'],
+        completeness: 'partial',
+        returnsClean: true,
+        description: 'Sequelize literal - should be used carefully',
+        caveats: 'Does not escape, only marks as literal',
+        enabled: true,
+        tags: ['sql', 'sequelize', 'literal'],
+    },
+    {
+        id: 'SAN-SQL-051',
+        name: 'escape',
+        package: 'sequelize',
+        protects: ['sql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'Sequelize escape function',
+        enabled: true,
+        tags: ['sql', 'sequelize', 'escape'],
+    },
+    // SQLite
+    {
+        id: 'SAN-SQL-060',
+        name: 'pluck',
+        package: 'better-sqlite3',
+        protects: ['sql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'better-sqlite3 pluck - uses prepared statements',
+        enabled: true,
+        tags: ['sql', 'sqlite', 'prepared'],
+    },
+    // Generic SQL escape
+    {
+        id: 'SAN-SQL-070',
+        name: 'sqlstring',
+        aliases: ['SqlString.escape'],
+        package: 'sqlstring',
+        protects: ['sql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'sqlstring escape function',
+        enabled: true,
+        tags: ['sql', 'escape', 'generic'],
+    },
+    // MongoDB sanitization
+    {
+        id: 'SAN-SQL-080',
+        name: 'sanitize',
+        aliases: ['mongo-sanitize'],
+        package: 'mongo-sanitize',
+        protects: ['nosql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'MongoDB query sanitization',
+        enabled: true,
+        tags: ['nosql', 'mongodb', 'sanitize'],
+    },
+    {
+        id: 'SAN-SQL-081',
+        name: 'ObjectId',
+        aliases: ['mongoose.Types.ObjectId'],
+        package: 'mongodb',
+        protects: ['nosql-query'],
+        completeness: 'complete',
+        returnsClean: true,
+        description: 'MongoDB ObjectId validation',
+        enabled: true,
+        tags: ['nosql', 'mongodb', 'objectid'],
+    },
+];
+//# sourceMappingURL=sql-sanitizers.js.map

package/dist/analysis/sanitizers/sql-sanitizers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql-sanitizers.js","sourceRoot":"","sources":["../../../src/analysis/sanitizers/sql-sanitizers.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAmC;IAC5D,eAAe;IACf;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,OAAO;QAChB,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,oDAAoD;QACjE,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC;KACjC;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,QAAQ;QACjB,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,wBAAwB;QACrC,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,CAAC;KAClC;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,CAAC,kBAAkB,CAAC;QAC7B,OAAO,EAAE,OAAO;QAChB,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,kDAAkD;QAC/D,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,OAAO;QAChB,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,+CAA+C;QAC5D,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,eAAe,CAAC;KAClD;IAED,oBAAoB;IACpB;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,YAAY,EAAE,QAAQ,CAAC;KACtC;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,8BAA8B;QAC3C,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,YAAY,CAAC;KACpD;IAED,kCAAkC;IAClC;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,CAAC,WAAW,EAAE,aAAa,CAAC;QACtC,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,qCAAqC;QAClD,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,eAAe,EAAE,SAAS,CAAC;KAC1C;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,CAAC,kBAAkB,EAAE,UAAU,CAAC;QACzC,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,UAAU,EAAE,WAAW,CAAC;KACvC;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,CAAC,SAAS,EAAE,UAAU,CAAC;QAChC,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,eAAe,CAAC;KACvC;IAED,UAAU;IACV;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,KAAK;QACX,WAAW,EAAE,qBAAqB;QAClC,OAAO,EAAE,MAAM;QACf,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,aAAa;QAC3B,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,wDAAwD;QACrE,OAAO,EAAE,gDAAgD;QACzD,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC;KAC7B;IAED,SAAS;IACT;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,KAAK;QACX,OAAO,EAAE,CAAC,YAAY,CAAC;QACvB,OAAO,EAAE,gBAAgB;QACzB,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,qDAAqD;QAClE,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,UAAU,CAAC;KACpC;IAED,YAAY;IACZ;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,CAAC,mBAAmB,CAAC;QAC9B,OAAO,EAAE,WAAW;QACpB,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,SAAS;QACvB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,8CAA8C;QAC3D,OAAO,EAAE,wCAAwC;QACjD,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,SAAS,CAAC;KACtC;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,WAAW;QACpB,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC;KACrC;IAED,SAAS;IACT;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,OAAO;QACb,OAAO,EAAE,gBAAgB;QACzB,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,iDAAiD;QAC9D,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,UAAU,CAAC;KACpC;IAED,qBAAqB;IACrB;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,CAAC,kBAAkB,CAAC;QAC7B,OAAO,EAAE,WAAW;QACpB,QAAQ,EAAE,CAAC,WAAW,CAAC;QACvB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,SAAS,CAAC;KACnC;IAED,uBAAuB;IACvB;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,CAAC,gBAAgB,CAAC;QAC3B,OAAO,EAAE,gBAAgB;QACzB,QAAQ,EAAE,CAAC,aAAa,CAAC;QACzB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,UAAU,CAAC;KACvC;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,CAAC,yBAAyB,CAAC;QACpC,OAAO,EAAE,SAAS;QAClB,QAAQ,EAAE,CAAC,aAAa,CAAC;QACzB,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,6BAA6B;QAC1C,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,UAAU,CAAC;KACvC;CACO,CAAC"}

package/dist/analysis/sanitizers/types.d.ts

@@ -0,0 +1,78 @@
+/**
+ * @fileoverview Sanitizer type definitions
+ * @module @nahisaho/musubix-security/analysis/sanitizers/types
+ * @trace REQ-SEC-001
+ */
+import type { TaintSinkCategory } from '../../types/taint.js';
+/**
+ * Sanitizer completeness level
+ */
+export type SanitizerCompleteness = 'complete' | 'partial' | 'conditional';
+/**
+ * Sanitizer definition for taint analysis
+ * @trace REQ-SEC-001
+ */
+export interface SanitizerDefinition {
+    /** Unique sanitizer ID */
+    id: string;
+    /** Function/method name */
+    name: string;
+    /** Alternative names for this sanitizer */
+    aliases?: string[];
+    /** Regex pattern for matching function names */
+    namePattern?: string;
+    /** Package/module containing the sanitizer */
+    package?: string;
+    /** Sink categories this sanitizer protects against */
+    protects: TaintSinkCategory[];
+    /** Whether sanitization is complete, partial, or conditional */
+    completeness: SanitizerCompleteness;
+    /** Argument index that gets sanitized (for transform functions) */
+    sanitizedArg?: number;
+    /** Whether the sanitizer returns sanitized data */
+    returnsClean: boolean;
+    /** Description of the sanitizer */
+    description: string;
+    /** Caveats or limitations */
+    caveats?: string;
+    /** Whether this sanitizer is enabled by default */
+    enabled: boolean;
+    /** Tags for filtering */
+    tags: string[];
+}
+/**
+ * Sanitizer match result
+ */
+export interface SanitizerMatchResult {
+    /** Definition that matched */
+    definition: SanitizerDefinition;
+    /** Function name that matched */
+    functionName: string;
+    /** Whether sanitization is complete */
+    isComplete: boolean;
+    /** Any caveats to consider */
+    caveats?: string;
+}
+/**
+ * Sanitizer detector interface
+ */
+export interface ISanitizerDetector {
+    /** Check if an expression is sanitized for a given sink category */
+    isSanitized(expression: string, sinkCategory: TaintSinkCategory): SanitizerMatchResult | undefined;
+    /** Register custom sanitizer definition */
+    registerSanitizer(definition: SanitizerDefinition): void;
+    /** Get all registered sanitizers */
+    getSanitizers(): readonly SanitizerDefinition[];
+}
+/**
+ * Sanitizer detector options
+ */
+export interface SanitizerDetectorOptions {
+    /** Custom sanitizers to add */
+    customSanitizers?: SanitizerDefinition[];
+    /** Packages to include */
+    packages?: string[];
+    /** Whether to include partial sanitizers */
+    includePartial?: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/analysis/sanitizers/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/analysis/sanitizers/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAE9D;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG,UAAU,GAAG,SAAS,GAAG,aAAa,CAAC;AAE3E;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,0BAA0B;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,2BAA2B;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,2CAA2C;IAC3C,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,gDAAgD;IAChD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,8CAA8C;IAC9C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,QAAQ,EAAE,iBAAiB,EAAE,CAAC;IAC9B,gEAAgE;IAChE,YAAY,EAAE,qBAAqB,CAAC;IACpC,mEAAmE;IACnE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mDAAmD;IACnD,YAAY,EAAE,OAAO,CAAC;IACtB,mCAAmC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,6BAA6B;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,OAAO,EAAE,OAAO,CAAC;IACjB,yBAAyB;IACzB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,8BAA8B;IAC9B,UAAU,EAAE,mBAAmB,CAAC;IAChC,iCAAiC;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,uCAAuC;IACvC,UAAU,EAAE,OAAO,CAAC;IACpB,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,oEAAoE;IACpE,WAAW,CACT,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,iBAAiB,GAC9B,oBAAoB,GAAG,SAAS,CAAC;IAEpC,2CAA2C;IAC3C,iBAAiB,CAAC,UAAU,EAAE,mBAAmB,GAAG,IAAI,CAAC;IAEzD,oCAAoC;IACpC,aAAa,IAAI,SAAS,mBAAmB,EAAE,CAAC;CACjD;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,+BAA+B;IAC/B,gBAAgB,CAAC,EAAE,mBAAmB,EAAE,CAAC;IACzC,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,4CAA4C;IAC5C,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B"}

package/dist/analysis/sanitizers/types.js

@@ -0,0 +1,7 @@
+/**
+ * @fileoverview Sanitizer type definitions
+ * @module @nahisaho/musubix-security/analysis/sanitizers/types
+ * @trace REQ-SEC-001
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/analysis/sanitizers/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/analysis/sanitizers/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}

package/dist/analysis/sanitizers/validation-sanitizers.d.ts

@@ -0,0 +1,12 @@
+/**
+ * @fileoverview Input validation sanitizer definitions
+ * @module @nahisaho/musubix-security/analysis/sanitizers/validation-sanitizers
+ * @trace REQ-SEC-001
+ */
+import type { SanitizerDefinition } from './types.js';
+/**
+ * Input validation sanitizers
+ * @trace REQ-SEC-001
+ */
+export declare const VALIDATION_SANITIZERS: readonly SanitizerDefinition[];
+//# sourceMappingURL=validation-sanitizers.d.ts.map

package/dist/analysis/sanitizers/validation-sanitizers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation-sanitizers.d.ts","sourceRoot":"","sources":["../../../src/analysis/sanitizers/validation-sanitizers.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEtD;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,SAAS,mBAAmB,EAoRtD,CAAC"}