@sparkleideas/security 3.0.0-alpha.22 → 3.0.0-alpha.29

package/dist/password-hasher.js

@@ -0,0 +1,183 @@
+/**
+ * Password Hasher - CVE-2 Remediation
+ *
+ * Fixes weak password hashing by replacing SHA-256 with hardcoded salt
+ * with bcrypt using 12 rounds (configurable).
+ *
+ * Security Properties:
+ * - bcrypt with adaptive cost factor (12 rounds)
+ * - Automatic salt generation per password
+ * - Timing-safe comparison
+ * - Minimum password length enforcement
+ *
+ * @module v3/security/password-hasher
+ */
+import * as bcrypt from 'bcrypt';
+export class PasswordHashError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.code = code;
+        this.name = 'PasswordHashError';
+    }
+}
+/**
+ * Secure password hasher using bcrypt.
+ *
+ * This class replaces the vulnerable SHA-256 + hardcoded salt implementation
+ * with industry-standard bcrypt hashing.
+ *
+ * @example
+ * ```typescript
+ * const hasher = new PasswordHasher({ rounds: 12 });
+ * const hash = await hasher.hash('securePassword123');
+ * const isValid = await hasher.verify('securePassword123', hash);
+ * ```
+ */
+export class PasswordHasher {
+    config;
+    constructor(config = {}) {
+        this.config = {
+            rounds: config.rounds ?? 12,
+            minLength: config.minLength ?? 8,
+            maxLength: config.maxLength ?? 128,
+            requireUppercase: config.requireUppercase ?? true,
+            requireLowercase: config.requireLowercase ?? true,
+            requireDigit: config.requireDigit ?? true,
+            requireSpecial: config.requireSpecial ?? false,
+        };
+        // Validate configuration
+        if (this.config.rounds < 10 || this.config.rounds > 20) {
+            throw new PasswordHashError('Bcrypt rounds must be between 10 and 20 for security and performance balance', 'INVALID_ROUNDS');
+        }
+        if (this.config.minLength < 8) {
+            throw new PasswordHashError('Minimum password length must be at least 8 characters', 'INVALID_MIN_LENGTH');
+        }
+    }
+    /**
+     * Validates password against configured requirements.
+     *
+     * @param password - The password to validate
+     * @returns Validation result with errors if any
+     */
+    validate(password) {
+        const errors = [];
+        if (!password) {
+            errors.push('Password is required');
+            return { isValid: false, errors };
+        }
+        if (password.length < this.config.minLength) {
+            errors.push(`Password must be at least ${this.config.minLength} characters`);
+        }
+        if (password.length > this.config.maxLength) {
+            errors.push(`Password must not exceed ${this.config.maxLength} characters`);
+        }
+        if (this.config.requireUppercase && !/[A-Z]/.test(password)) {
+            errors.push('Password must contain at least one uppercase letter');
+        }
+        if (this.config.requireLowercase && !/[a-z]/.test(password)) {
+            errors.push('Password must contain at least one lowercase letter');
+        }
+        if (this.config.requireDigit && !/\d/.test(password)) {
+            errors.push('Password must contain at least one digit');
+        }
+        if (this.config.requireSpecial && !/[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password)) {
+            errors.push('Password must contain at least one special character');
+        }
+        return {
+            isValid: errors.length === 0,
+            errors,
+        };
+    }
+    /**
+     * Hashes a password using bcrypt.
+     *
+     * @param password - The plaintext password to hash
+     * @returns The bcrypt hash
+     * @throws PasswordHashError if password is invalid
+     */
+    async hash(password) {
+        const validation = this.validate(password);
+        if (!validation.isValid) {
+            throw new PasswordHashError(validation.errors.join('; '), 'VALIDATION_FAILED');
+        }
+        try {
+            // bcrypt automatically generates a random salt per hash
+            return await bcrypt.hash(password, this.config.rounds);
+        }
+        catch (error) {
+            throw new PasswordHashError('Failed to hash password', 'HASH_FAILED');
+        }
+    }
+    /**
+     * Verifies a password against a bcrypt hash.
+     * Uses timing-safe comparison internally.
+     *
+     * @param password - The plaintext password to verify
+     * @param hash - The bcrypt hash to compare against
+     * @returns True if password matches, false otherwise
+     */
+    async verify(password, hash) {
+        if (!password || !hash) {
+            return false;
+        }
+        // Validate hash format (bcrypt hashes start with $2a$, $2b$, or $2y$)
+        if (!this.isValidBcryptHash(hash)) {
+            return false;
+        }
+        try {
+            // bcrypt.compare uses timing-safe comparison
+            return await bcrypt.compare(password, hash);
+        }
+        catch (error) {
+            // Return false on any error to prevent timing attacks
+            return false;
+        }
+    }
+    /**
+     * Checks if a hash needs to be rehashed with updated parameters.
+     * Useful for upgrading hash strength over time.
+     *
+     * @param hash - The bcrypt hash to check
+     * @returns True if hash should be updated
+     */
+    needsRehash(hash) {
+        if (!this.isValidBcryptHash(hash)) {
+            return true;
+        }
+        // Extract rounds from hash (format: $2b$XX$...)
+        const match = hash.match(/^\$2[aby]\$(\d{2})\$/);
+        if (!match) {
+            return true;
+        }
+        const hashRounds = parseInt(match[1], 10);
+        return hashRounds < this.config.rounds;
+    }
+    /**
+     * Validates bcrypt hash format.
+     *
+     * @param hash - The hash to validate
+     * @returns True if valid bcrypt hash format
+     */
+    isValidBcryptHash(hash) {
+        // bcrypt hash format: $2a$XX$22charsSalt31charsHash
+        // Total length: 60 characters
+        return /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/.test(hash);
+    }
+    /**
+     * Returns current configuration (without sensitive defaults).
+     */
+    getConfig() {
+        return { ...this.config };
+    }
+}
+/**
+ * Factory function to create a production-ready password hasher.
+ *
+ * @param rounds - Bcrypt rounds (default: 12)
+ * @returns Configured PasswordHasher instance
+ */
+export function createPasswordHasher(rounds = 12) {
+    return new PasswordHasher({ rounds });
+}
+//# sourceMappingURL=password-hasher.js.map

package/dist/password-hasher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-hasher.js","sourceRoot":"","sources":["../src/password-hasher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAoDjC,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAGxB;IAFlB,YACE,OAAe,EACC,IAAY;QAE5B,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,SAAI,GAAJ,IAAI,CAAQ;QAG5B,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,OAAO,cAAc;IACR,MAAM,CAAiC;IAExD,YAAY,SAA+B,EAAE;QAC3C,IAAI,CAAC,MAAM,GAAG;YACZ,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE;YAC3B,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC;YAChC,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,GAAG;YAClC,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,IAAI;YACjD,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,IAAI;YACjD,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,IAAI;YACzC,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,KAAK;SAC/C,CAAC;QAEF,yBAAyB;QACzB,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACvD,MAAM,IAAI,iBAAiB,CACzB,8EAA8E,EAC9E,gBAAgB,CACjB,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,iBAAiB,CACzB,uDAAuD,EACvD,oBAAoB,CACrB,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,QAAQ,CAAC,QAAgB;QACvB,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;YACpC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QACpC,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC5C,MAAM,CAAC,IAAI,CAAC,6BAA6B,IAAI,CAAC,MAAM,CAAC,SAAS,aAAa,CAAC,CAAC;QAC/E,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC5C,MAAM,CAAC,IAAI,CAAC,4BAA4B,IAAI,CAAC,MAAM,CAAC,SAAS,aAAa,CAAC,CAAC;QAC9E,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5D,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;QACrE,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5D,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;QACrE,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrD,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,CAAC,uCAAuC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1F,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QACtE,CAAC;QAED,OAAO;YACL,OAAO,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;YAC5B,MAAM;SACP,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,IAAI,CAAC,QAAgB;QACzB,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAE3C,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,IAAI,iBAAiB,CACzB,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAC5B,mBAAmB,CACpB,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,wDAAwD;YACxD,OAAO,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,iBAAiB,CACzB,yBAAyB,EACzB,aAAa,CACd,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,MAAM,CAAC,QAAgB,EAAE,IAAY;QACzC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;YACvB,OAAO,KAAK,CAAC;QACf,CAAC;QAED,sEAAsE;QACtE,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;YAClC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC;YACH,6CAA6C;YAC7C,OAAO,MAAM,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC9C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,sDAAsD;YACtD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,WAAW,CAAC,IAAY;QACtB,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,gDAAgD;QAChD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACjD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1C,OAAO,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACK,iBAAiB,CAAC,IAAY;QACpC,oDAAoD;QACpD,8BAA8B;QAC9B,OAAO,sCAAsC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3D,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;IAC5B,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAM,GAAG,EAAE;IAC9C,OAAO,IAAI,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;AACxC,CAAC"}

package/dist/path-validator.d.ts

@@ -0,0 +1,148 @@
+/**
+ * Path Validator - HIGH-2 Remediation
+ *
+ * Fixes path traversal vulnerabilities by:
+ * - Validating all file paths against allowed prefixes
+ * - Using path.resolve() for canonicalization
+ * - Blocking traversal patterns (../, etc.)
+ * - Enforcing path length limits
+ *
+ * Security Properties:
+ * - Path canonicalization
+ * - Prefix validation
+ * - Symlink resolution (optional)
+ * - Traversal pattern detection
+ *
+ * @module v3/security/path-validator
+ */
+export interface PathValidatorConfig {
+    /**
+     * Allowed directory prefixes.
+     * Paths must start with one of these after resolution.
+     */
+    allowedPrefixes: string[];
+    /**
+     * Blocked file extensions.
+     * Files with these extensions are rejected.
+     */
+    blockedExtensions?: string[];
+    /**
+     * Blocked file names.
+     * Files matching these names are rejected.
+     */
+    blockedNames?: string[];
+    /**
+     * Maximum path length.
+     * Default: 4096 characters
+     */
+    maxPathLength?: number;
+    /**
+     * Whether to resolve symlinks.
+     * Default: true
+     */
+    resolveSymlinks?: boolean;
+    /**
+     * Whether to allow paths that don't exist.
+     * Default: true (for write operations)
+     */
+    allowNonExistent?: boolean;
+    /**
+     * Whether to allow hidden files/directories.
+     * Default: false
+     */
+    allowHidden?: boolean;
+}
+export interface PathValidationResult {
+    isValid: boolean;
+    resolvedPath: string;
+    relativePath: string;
+    matchedPrefix: string;
+    errors: string[];
+}
+export declare class PathValidatorError extends Error {
+    readonly code: string;
+    readonly path?: string | undefined;
+    constructor(message: string, code: string, path?: string | undefined);
+}
+/**
+ * Path validator that prevents traversal attacks.
+ *
+ * This class validates file paths to ensure they stay within
+ * allowed directories and don't access sensitive files.
+ *
+ * @example
+ * ```typescript
+ * const validator = new PathValidator({
+ *   allowedPrefixes: ['/workspaces/project']
+ * });
+ *
+ * const result = await validator.validate('/workspaces/project/src/file.ts');
+ * if (result.isValid) {
+ *   // Safe to use result.resolvedPath
+ * }
+ * ```
+ */
+export declare class PathValidator {
+    private readonly config;
+    private readonly resolvedPrefixes;
+    constructor(config: PathValidatorConfig);
+    /**
+     * Validates a path against security rules.
+     *
+     * @param inputPath - The path to validate
+     * @returns Validation result with resolved path
+     */
+    validate(inputPath: string): Promise<PathValidationResult>;
+    /**
+     * Validates and returns resolved path, throwing on failure.
+     *
+     * @param inputPath - The path to validate
+     * @returns Resolved path if valid
+     * @throws PathValidatorError if validation fails
+     */
+    validateOrThrow(inputPath: string): Promise<string>;
+    /**
+     * Synchronous validation (without symlink resolution).
+     *
+     * @param inputPath - The path to validate
+     * @returns Validation result
+     */
+    validateSync(inputPath: string): PathValidationResult;
+    /**
+     * Securely joins path segments within allowed directories.
+     *
+     * @param prefix - Base directory (must be in allowedPrefixes)
+     * @param segments - Path segments to join
+     * @returns Validated resolved path
+     */
+    securePath(prefix: string, ...segments: string[]): Promise<string>;
+    /**
+     * Adds a prefix to the allowed list at runtime.
+     *
+     * @param prefix - Prefix to add
+     */
+    addPrefix(prefix: string): void;
+    /**
+     * Returns the current allowed prefixes.
+     */
+    getAllowedPrefixes(): readonly string[];
+    /**
+     * Checks if a path is within allowed prefixes (quick check).
+     */
+    isWithinAllowed(inputPath: string): boolean;
+}
+/**
+ * Factory function to create a path validator for a project directory.
+ *
+ * @param projectRoot - Root directory of the project
+ * @returns Configured PathValidator
+ */
+export declare function createProjectPathValidator(projectRoot: string): PathValidator;
+/**
+ * Factory function to create a path validator for the entire project.
+ *
+ * @param projectRoot - Root directory of the project
+ * @returns Configured PathValidator
+ */
+export declare function createFullProjectPathValidator(projectRoot: string): PathValidator;
+//# sourceMappingURL=path-validator.d.ts.map

package/dist/path-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-validator.d.ts","sourceRoot":"","sources":["../src/path-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAKH,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,eAAe,EAAE,MAAM,EAAE,CAAC;IAE1B;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE7B;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IAExB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAE1B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAE3B;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,qBAAa,kBAAmB,SAAQ,KAAK;aAGzB,IAAI,EAAE,MAAM;aACZ,IAAI,CAAC,EAAE,MAAM;gBAF7B,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,IAAI,CAAC,EAAE,MAAM,YAAA;CAKhC;AAqDD;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgC;IACvD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAW;gBAEhC,MAAM,EAAE,mBAAmB;IAwBvC;;;;;OAKG;IACG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAwIhE;;;;;;OAMG;IACG,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAczD;;;;;OAKG;IACH,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,oBAAoB;IA4FrD;;;;;;OAMG;IACG,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAQxE;;;;OAIG;IACH,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAQ/B;;OAEG;IACH,kBAAkB,IAAI,SAAS,MAAM,EAAE;IAIvC;;OAEG;IACH,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;CAU5C;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,WAAW,EAAE,MAAM,GAAG,aAAa,CAS7E;AAED;;;;;GAKG;AACH,wBAAgB,8BAA8B,CAAC,WAAW,EAAE,MAAM,GAAG,aAAa,CASjF"}