npm - @schalkneethling/toolkit - Versions diffs - 0.5.1 → 0.5.3 - Mend

@schalkneethling/toolkit 0.5.1 → 0.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/skills/frontend-security/references/file-upload-security.md CHANGED Viewed

@@ -18,9 +18,9 @@
 ```javascript
 const ALLOWED_EXTENSIONS = {
-  images: ['.jpg', '.jpeg', '.png', '.gif', '.webp'],
-  documents: ['.pdf', '.docx', '.xlsx'],
-  data: ['.csv', '.json']
+  images: [".jpg", ".jpeg", ".png", ".gif", ".webp"],
+  documents: [".pdf", ".docx", ".xlsx"],
+  data: [".csv", ".json"],
 };
 function validateExtension(filename, category) {
@@ -34,22 +34,50 @@ function validateExtension(filename, category) {
 ```javascript
 const DANGEROUS_EXTENSIONS = [
   // Server-side execution
-  '.php', '.php3', '.php4', '.php5', '.phtml',
-  '.asp', '.aspx', '.ascx', '.ashx',
-  '.jsp', '.jspx', '.jspa',
-  '.cgi', '.pl', '.py', '.rb',
+  ".php",
+  ".php3",
+  ".php4",
+  ".php5",
+  ".phtml",
+  ".asp",
+  ".aspx",
+  ".ascx",
+  ".ashx",
+  ".jsp",
+  ".jspx",
+  ".jspa",
+  ".cgi",
+  ".pl",
+  ".py",
+  ".rb",
   // Windows executable
-  '.exe', '.dll', '.bat', '.cmd', '.com', '.msi', '.ps1',
+  ".exe",
+  ".dll",
+  ".bat",
+  ".cmd",
+  ".com",
+  ".msi",
+  ".ps1",
   // Script files
-  '.js', '.vbs', '.wsf', '.hta',
+  ".js",
+  ".vbs",
+  ".wsf",
+  ".hta",
   // Config files
-  '.htaccess', '.htpasswd', '.config', '.ini',
+  ".htaccess",
+  ".htpasswd",
+  ".config",
+  ".ini",
   // Archive (can contain malicious files)
-  '.zip', '.tar', '.gz', '.rar', '.7z'
+  ".zip",
+  ".tar",
+  ".gz",
+  ".rar",
+  ".7z",
 ];
 ```
@@ -58,7 +86,7 @@ const DANGEROUS_EXTENSIONS = [
 ```javascript
 function sanitizeFilename(filename) {
   // Remove all extensions except the last
-  const parts = filename.split('.');
+  const parts = filename.split(".");
   if (parts.length > 2) {
     return `${parts[0]}.${parts[parts.length - 1]}`;
   }
@@ -74,13 +102,13 @@ function sanitizeFilename(filename) {
 ```javascript
 const ALLOWED_MIME_TYPES = {
-  '.jpg': ['image/jpeg'],
-  '.jpeg': ['image/jpeg'],
-  '.png': ['image/png'],
-  '.gif': ['image/gif'],
-  '.webp': ['image/webp'],
-  '.pdf': ['application/pdf'],
-  '.docx': ['application/vnd.openxmlformats-officedocument.wordprocessingml.document']
+  ".jpg": ["image/jpeg"],
+  ".jpeg": ["image/jpeg"],
+  ".png": ["image/png"],
+  ".gif": ["image/gif"],
+  ".webp": ["image/webp"],
+  ".pdf": ["application/pdf"],
+  ".docx": ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"],
 };
 function validateMimeType(file) {
@@ -96,18 +124,21 @@ function validateMimeType(file) {
 ```javascript
 const FILE_SIGNATURES = {
-  jpg: Buffer.from([0xFF, 0xD8, 0xFF]),
-  png: Buffer.from([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]),
+  jpg: Buffer.from([0xff, 0xd8, 0xff]),
+  png: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
   gif: Buffer.from([0x47, 0x49, 0x46, 0x38]),
   pdf: Buffer.from([0x25, 0x50, 0x44, 0x46]),
-  zip: Buffer.from([0x50, 0x4B, 0x03, 0x04])
+  zip: Buffer.from([0x50, 0x4b, 0x03, 0x04]),
 };
 async function validateFileSignature(filePath, expectedType) {
   const buffer = Buffer.alloc(8);
-  const fd = await fs.open(filePath, 'r');
-  await fd.read(buffer, 0, 8, 0);
-  await fd.close();
+  const fd = await fs.open(filePath, "r");
+  try {
+    await fd.read(buffer, 0, 8, 0);
+  } finally {
+    await fd.close();
+  }
   const signature = FILE_SIGNATURES[expectedType];
   if (!signature) return false;
@@ -119,17 +150,17 @@ async function validateFileSignature(filePath, expectedType) {
 ## Safe Storage
 ```javascript
-const multer = require('multer');
-const path = require('path');
-const crypto = require('crypto');
+const multer = require("multer");
+const path = require("path");
+const crypto = require("crypto");
 // Store OUTSIDE webroot
-const UPLOAD_DIR = '/var/app/uploads';  // Not in /public/
+const UPLOAD_DIR = "/var/app/uploads"; // Not in /public/
 const storage = multer.diskStorage({
   destination: (req, file, cb) => {
     // Organize by date
-    const date = new Date().toISOString().split('T')[0];
+    const date = new Date().toISOString().split("T")[0];
     const dir = path.join(UPLOAD_DIR, date);
     fs.mkdirSync(dir, { recursive: true });
     cb(null, dir);
@@ -137,24 +168,24 @@ const storage = multer.diskStorage({
   filename: (req, file, cb) => {
     // Generate random filename
     const ext = path.extname(file.originalname).toLowerCase();
-    const name = crypto.randomBytes(16).toString('hex');
+    const name = crypto.randomBytes(16).toString("hex");
     cb(null, `${name}${ext}`);
-  }
+  },
 });
 const upload = multer({
   storage,
   limits: {
-    fileSize: 5 * 1024 * 1024,  // 5MB
-    files: 1
+    fileSize: 5 * 1024 * 1024, // 5MB
+    files: 1,
   },
   fileFilter: (req, file, cb) => {
     if (!validateMimeType(file)) {
-      cb(new Error('Invalid file type'));
+      cb(new Error("Invalid file type"));
       return;
     }
     cb(null, true);
-  }
+  },
 });
 ```
@@ -162,20 +193,20 @@ const upload = multer({
 ```javascript
 // Serve files through application, not directly
-app.get('/files/:id', async (req, res) => {
+app.get("/files/:id", async (req, res) => {
   // Verify user authorization
   if (!req.user || !canAccessFile(req.user, req.params.id)) {
-    return res.status(403).send('Forbidden');
+    return res.status(403).send("Forbidden");
   }
   // Get file from database (not from user input)
   const fileRecord = await db.getFile(req.params.id);
-  if (!fileRecord) return res.status(404).send('Not found');
+  if (!fileRecord) return res.status(404).send("Not found");
   // Set safe headers
-  res.setHeader('Content-Type', fileRecord.mimeType);
-  res.setHeader('Content-Disposition', `attachment; filename="${fileRecord.safeName}"`);
-  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader("Content-Type", fileRecord.mimeType);
+  res.setHeader("Content-Disposition", `attachment; filename="${fileRecord.safeName}"`);
+  res.setHeader("X-Content-Type-Options", "nosniff");
   // Stream file
   const stream = fs.createReadStream(fileRecord.path);
@@ -188,12 +219,12 @@ app.get('/files/:id', async (req, res) => {
 Destroy potential malicious content by re-encoding images:
 ```javascript
-const sharp = require('sharp');
+const sharp = require("sharp");
 async function sanitizeImage(inputPath, outputPath) {
   await sharp(inputPath)
-    .rotate()  // Apply EXIF orientation
-    .toFormat('jpeg', { quality: 90 })  // Re-encode
+    .rotate() // Apply EXIF orientation
+    .toFormat("jpeg", { quality: 90 }) // Re-encode
     .toFile(outputPath);
 }
 ```
@@ -201,8 +232,8 @@ async function sanitizeImage(inputPath, outputPath) {
 ## ZIP File Handling
 ```javascript
-const AdmZip = require('adm-zip');
-const path = require('path');
+const AdmZip = require("adm-zip");
+const path = require("path");
 function safeExtractZip(zipPath, destDir, maxSize = 100 * 1024 * 1024) {
   const zip = new AdmZip(zipPath);
@@ -216,20 +247,20 @@ function safeExtractZip(zipPath, destDir, maxSize = 100 * 1024 * 1024) {
     const resolvedEntry = path.resolve(destDir, entry.entryName);
     const relativeEntry = path.relative(resolvedDest, resolvedEntry);
-    if (relativeEntry.startsWith('..') || path.isAbsolute(relativeEntry)) {
-      throw new Error('Path traversal detected');
+    if (relativeEntry.startsWith("..") || path.isAbsolute(relativeEntry)) {
+      throw new Error("Path traversal detected");
     }
     // Check for zip bomb
     totalSize += entry.header.size;
     if (totalSize > maxSize) {
-      throw new Error('Extracted size exceeds limit');
+      throw new Error("Extracted size exceeds limit");
     }
     // Check compression ratio (zip bomb indicator)
     const ratio = entry.header.size / entry.header.compressedSize;
     if (ratio > 100) {
-      throw new Error('Suspicious compression ratio');
+      throw new Error("Suspicious compression ratio");
     }
   }
@@ -240,18 +271,18 @@ function safeExtractZip(zipPath, destDir, maxSize = 100 * 1024 * 1024) {
 ## Express.js Complete Example
 ```javascript
-const express = require('express');
-const multer = require('multer');
-const path = require('path');
-const crypto = require('crypto');
-const fs = require('fs').promises;
+const express = require("express");
+const multer = require("multer");
+const path = require("path");
+const crypto = require("crypto");
+const fs = require("fs").promises;
 const app = express();
 // Configuration
-const UPLOAD_DIR = '/var/app/uploads';
+const UPLOAD_DIR = "/var/app/uploads";
 const MAX_FILE_SIZE = 5 * 1024 * 1024;
-const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];
+const ALLOWED_TYPES = ["image/jpeg", "image/png", "image/gif"];
 // Multer setup
 const upload = multer({
@@ -259,26 +290,27 @@ const upload = multer({
   limits: { fileSize: MAX_FILE_SIZE },
   fileFilter: (req, file, cb) => {
     if (!ALLOWED_TYPES.includes(file.mimetype)) {
-      cb(new multer.MulterError('LIMIT_UNEXPECTED_FILE'));
+      cb(new multer.MulterError("LIMIT_UNEXPECTED_FILE"));
       return;
     }
     cb(null, true);
-  }
+  },
 });
 // Upload endpoint
-app.post('/upload',
-  requireAuth,           // Authentication
-  verifyToken,           // CSRF token
-  upload.single('file'), // File handling
+app.post(
+  "/upload",
+  requireAuth, // Authentication
+  verifyToken, // CSRF token
+  upload.single("file"), // File handling
   async (req, res) => {
     try {
       const file = req.file;
-      if (!file) return res.status(400).json({ error: 'No file' });
+      if (!file) return res.status(400).json({ error: "No file" });
       // Validate magic bytes
       if (!validateMagicBytes(file.buffer, file.mimetype)) {
-        return res.status(400).json({ error: 'Invalid file' });
+        return res.status(400).json({ error: "Invalid file" });
       }
       // Generate safe filename
@@ -295,15 +327,15 @@ app.post('/upload',
         filename,
         originalName: file.originalname,
         mimeType: file.mimetype,
-        size: file.size
+        size: file.size,
       });
       res.json({ id: fileRecord.id });
     } catch (error) {
       console.error(error);
-      res.status(500).json({ error: 'Upload failed' });
+      res.status(500).json({ error: "Upload failed" });
     }
-  }
+  },
 );
 ```

package/skills/frontend-security/references/framework-patterns.md CHANGED Viewed

@@ -20,18 +20,18 @@ import DOMPurify from 'dompurify';
 ```jsx
 // DANGEROUS - javascript: URLs in href
-<a href={userInput}>Link</a>
+<a href={userInput}>Link</a>;
 // SAFE - validate URL protocol
 function SafeLink({ href, children }) {
   const safeHref = useMemo(() => {
     try {
       const url = new URL(href, window.location.origin);
-      if (['http:', 'https:', 'mailto:'].includes(url.protocol)) {
+      if (["http:", "https:", "mailto:"].includes(url.protocol)) {
         return href;
       }
     } catch {}
-    return '#';
+    return "#";
   }, [href]);
   return <a href={safeHref}>{children}</a>;
@@ -55,17 +55,15 @@ function SafeLink({ href, children }) {
 ```jsx
 // DANGEROUS - injecting user data into SSR without escaping
-<script>
-  window.__INITIAL_STATE__ = {JSON.stringify(userControlledData)}
-</script>
+<script>window.__INITIAL_STATE__ = {JSON.stringify(userControlledData)}</script>;
 // SAFE - serialize with escaping
-import serialize from 'serialize-javascript';
+import serialize from "serialize-javascript";
 <script
   dangerouslySetInnerHTML={{
-    __html: `window.__INITIAL_STATE__ = ${serialize(data, { isJSON: true })}`
+    __html: `window.__INITIAL_STATE__ = ${serialize(data, { isJSON: true })}`,
   }}
-/>
+/>;
 ```
 ## Astro Security
@@ -116,20 +114,20 @@ const Component = await loadComponent();
 // src/pages/api/data.js
 export async function POST({ request }) {
   // Validate Content-Type
-  const contentType = request.headers.get('content-type');
-  if (!contentType?.includes('application/json')) {
-    return new Response('Invalid content type', { status: 415 });
+  const contentType = request.headers.get("content-type");
+  if (!contentType?.includes("application/json")) {
+    return new Response("Invalid content type", { status: 415 });
   }
   // Validate and sanitize input
   const body = await request.json();
   if (!validateInput(body)) {
-    return new Response('Invalid input', { status: 400 });
+    return new Response("Invalid input", { status: 400 });
   }
   // Process request
   return new Response(JSON.stringify(result), {
-    headers: { 'Content-Type': 'application/json' }
+    headers: { "Content-Type": "application/json" },
   });
 }
 ```
@@ -177,12 +175,12 @@ export async function POST({ request }) {
 twig:
   sandbox:
     policy:
-      tags: ['if', 'for', 'set']
-      filters: ['escape', 'upper', 'lower']
+      tags: ["if", "for", "set"]
+      filters: ["escape", "upper", "lower"]
       methods:
-        Symfony\Component\Routing\Generator\UrlGeneratorInterface: ['generate']
+        Symfony\Component\Routing\Generator\UrlGeneratorInterface: ["generate"]
       properties: []
-      functions: ['path', 'url']
+      functions: ["path", "url"]
 ```
 ### CSRF in Forms
@@ -207,31 +205,35 @@ Bun.serve({
     const url = new URL(req.url);
     // Validate origin for CORS
-    const origin = req.headers.get('origin');
+    const origin = req.headers.get("origin");
     if (origin && !isAllowedOrigin(origin)) {
-      return new Response('Forbidden', { status: 403 });
+      return new Response("Forbidden", { status: 403 });
     }
     // Rate limiting
     if (isRateLimited(req)) {
-      return new Response('Too Many Requests', { status: 429 });
+      return new Response("Too Many Requests", { status: 429 });
     }
     return handleRequest(req);
-  }
+  },
 });
 ```
 ### File Handling
 ```javascript
+const path = require("path");
 // Validate file paths
 function safeReadFile(userPath) {
-  const baseDir = '/app/public';
-  const resolved = Bun.resolveSync(userPath, baseDir);
+  const baseDir = "/app/public";
+  const safeBaseDir = path.resolve(baseDir);
+  const resolved = path.resolve(safeBaseDir, userPath);
+  const relativePath = path.relative(safeBaseDir, resolved);
-  if (!resolved.startsWith(baseDir)) {
-    throw new Error('Path traversal detected');
+  if (relativePath.startsWith("..") || path.isAbsolute(relativePath)) {
+    throw new Error("Path traversal detected");
   }
   return Bun.file(resolved).text();
@@ -244,34 +246,34 @@ function safeReadFile(userPath) {
 ```javascript
 // NEVER store sensitive data in localStorage
-localStorage.setItem('token', jwt);  // DANGEROUS
+localStorage.setItem("token", jwt); // DANGEROUS
 // Use httpOnly cookies for tokens instead
 // Or store in memory with short expiration
 // If localStorage is necessary, encrypt
-import { encrypt, decrypt } from './crypto';
-localStorage.setItem('data', encrypt(sensitiveData, key));
+import { encrypt, decrypt } from "./crypto";
+localStorage.setItem("data", encrypt(sensitiveData, key));
 ```
 ### postMessage
 ```javascript
 // Always validate origin and data
-window.addEventListener('message', (event) => {
+window.addEventListener("message", (event) => {
   // Validate origin
-  const allowedOrigins = ['https://trusted.com'];
+  const allowedOrigins = ["https://trusted.com"];
   if (!allowedOrigins.includes(event.origin)) return;
   // Validate data structure
-  if (typeof event.data !== 'object') return;
-  if (!['action1', 'action2'].includes(event.data.type)) return;
+  if (typeof event.data !== "object") return;
+  if (!["action1", "action2"].includes(event.data.type)) return;
   handleMessage(event.data);
 });
 // Always specify target origin when sending
-iframe.contentWindow.postMessage(data, 'https://specific-origin.com');
+iframe.contentWindow.postMessage(data, "https://specific-origin.com");
 // NEVER use '*' for sensitive data
 ```
@@ -282,23 +284,23 @@ iframe.contentWindow.postMessage(data, 'https://specific-origin.com');
 const wss = new WebSocket.Server({
   server,
   verifyClient: ({ origin, req }, callback) => {
-    const allowed = ['https://myapp.com'];
+    const allowed = ["https://myapp.com"];
     callback(allowed.includes(origin));
-  }
+  },
 });
 // Validate messages
-wss.on('connection', (ws) => {
-  ws.on('message', (data) => {
+wss.on("connection", (ws) => {
+  ws.on("message", (data) => {
     try {
       const msg = JSON.parse(data);
       if (!isValidMessage(msg)) {
-        ws.close(1008, 'Invalid message');
+        ws.close(1008, "Invalid message");
         return;
       }
       handleMessage(msg);
     } catch {
-      ws.close(1008, 'Invalid JSON');
+      ws.close(1008, "Invalid JSON");
     }
   });
 });