npm - @virusis/api-client - Versions diffs - 0.1.17 → 0.1.19 - Mend

@virusis/api-client 0.1.17 → 0.1.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (65) hide show

package/dist/generated/models/access-token-i-data-result.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { AccessTokenIDataResult as __AccessTokenIDataResult } from "../index.js";
+export declare const AccessTokenIDataResult: __AccessTokenIDataResult;
+export type AccessTokenIDataResult = __AccessTokenIDataResult;
+export type accessTokenIDataResult = __AccessTokenIDataResult;

package/dist/generated/models/access-token-i-data-result.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const AccessTokenIDataResult = {};

package/dist/generated/models/access-token.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { AccessToken as __AccessToken } from "../index.js";
+export declare const AccessToken: __AccessToken;
+export type AccessToken = __AccessToken;
+export type accessToken = __AccessToken;

package/dist/generated/models/access-token.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const AccessToken = {};

package/dist/generated/models/application-click-event-batch-dto.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { ApplicationClickEventBatchDto as __ApplicationClickEventBatchDto } from "../index.js";
+export declare const ApplicationClickEventBatchDto: __ApplicationClickEventBatchDto;
+export type ApplicationClickEventBatchDto = __ApplicationClickEventBatchDto;
+export type applicationClickEventBatchDto = __ApplicationClickEventBatchDto;

package/dist/generated/models/application-click-event-batch-dto.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const ApplicationClickEventBatchDto = {};

package/dist/generated/models/application-click-event-create-dto.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { ApplicationClickEventCreateDto as __ApplicationClickEventCreateDto } from "../index.js";
+export declare const ApplicationClickEventCreateDto: __ApplicationClickEventCreateDto;
+export type ApplicationClickEventCreateDto = __ApplicationClickEventCreateDto;
+export type applicationClickEventCreateDto = __ApplicationClickEventCreateDto;

package/dist/generated/models/application-click-event-create-dto.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const ApplicationClickEventCreateDto = {};

package/dist/generated/models/feedback-category-dto-list-i-data-result.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { FeedbackCategoryDtoListIDataResult as __FeedbackCategoryDtoListIDataResult } from "../index.js";
+export declare const FeedbackCategoryDtoListIDataResult: __FeedbackCategoryDtoListIDataResult;
+export type FeedbackCategoryDtoListIDataResult = __FeedbackCategoryDtoListIDataResult;
+export type feedbackCategoryDtoListIDataResult = __FeedbackCategoryDtoListIDataResult;

package/dist/generated/models/feedback-category-dto-list-i-data-result.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const FeedbackCategoryDtoListIDataResult = {};

package/dist/generated/models/feedback-category-dto.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { FeedbackCategoryDto as __FeedbackCategoryDto } from "../index.js";
+export declare const FeedbackCategoryDto: __FeedbackCategoryDto;
+export type FeedbackCategoryDto = __FeedbackCategoryDto;
+export type feedbackCategoryDto = __FeedbackCategoryDto;

package/dist/generated/models/feedback-category-dto.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const FeedbackCategoryDto = {};

package/dist/generated/models/index.d.ts CHANGED Viewed

@@ -1,3 +1,5 @@
+export * from "./access-token.js";
+export * from "./access-token-i-data-result.js";
 export * from "./aggregate-exception.js";
 export * from "./app-state-log.js";
 export * from "./app-state-log-for-table-dto.js";
@@ -9,6 +11,8 @@ export * from "./app-state-log-for-table-filter-data-table-query.js";
 export * from "./app-state-log-i-data-result.js";
 export * from "./app-state-log-list-i-data-result.js";
 export * from "./application.js";
+export * from "./application-click-event-batch-dto.js";
+export * from "./application-click-event-create-dto.js";
 export * from "./application-for-table-dto.js";
 export * from "./application-for-table-dto-list-i-data-result.js";
 export * from "./application-for-table-dto-list-result-filter.js";
@@ -56,6 +60,8 @@ export * from "./device-list-i-data-result.js";
 export * from "./event-attributes.js";
 export * from "./event-info.js";
 export * from "./exception.js";
+export * from "./feedback-category-dto.js";
+export * from "./feedback-category-dto-list-i-data-result.js";
 export * from "./field-attributes.js";
 export * from "./field-info.js";
 export * from "./field-mapping-result-paginate-dto.js";
@@ -135,12 +141,21 @@ export * from "./operation-claim-for-table-filter.js";
 export * from "./operation-claim-for-table-filter-data-table-query.js";
 export * from "./operation-claim-i-data-result.js";
 export * from "./operation-claim-list-i-data-result.js";
+export * from "./otp-generate-result.js";
 export * from "./parameter-attributes.js";
 export * from "./parameter-info.js";
 export * from "./process-scan-scores-request.js";
 export * from "./process-scan-static-result-request.js";
 export * from "./property-attributes.js";
 export * from "./property-info.js";
+export * from "./queue-monitor-workers-response.js";
+export * from "./risk-flag-request-dto.js";
+export * from "./risk-signal-avg-dto.js";
+export * from "./risk-signal-client-dto.js";
+export * from "./risk-signal-counts-dto.js";
+export * from "./risk-signals-dto.js";
+export * from "./risk-state-dto.js";
+export * from "./risk-verify-dto.js";
 export * from "./runtime-field-handle.js";
 export * from "./runtime-method-handle.js";
 export * from "./runtime-type-handle.js";

package/dist/generated/models/index.js CHANGED Viewed

@@ -1,3 +1,5 @@
+export * from "./access-token.js";
+export * from "./access-token-i-data-result.js";
 export * from "./aggregate-exception.js";
 export * from "./app-state-log.js";
 export * from "./app-state-log-for-table-dto.js";
@@ -9,6 +11,8 @@ export * from "./app-state-log-for-table-filter-data-table-query.js";
 export * from "./app-state-log-i-data-result.js";
 export * from "./app-state-log-list-i-data-result.js";
 export * from "./application.js";
+export * from "./application-click-event-batch-dto.js";
+export * from "./application-click-event-create-dto.js";
 export * from "./application-for-table-dto.js";
 export * from "./application-for-table-dto-list-i-data-result.js";
 export * from "./application-for-table-dto-list-result-filter.js";
@@ -56,6 +60,8 @@ export * from "./device-list-i-data-result.js";
 export * from "./event-attributes.js";
 export * from "./event-info.js";
 export * from "./exception.js";
+export * from "./feedback-category-dto.js";
+export * from "./feedback-category-dto-list-i-data-result.js";
 export * from "./field-attributes.js";
 export * from "./field-info.js";
 export * from "./field-mapping-result-paginate-dto.js";
@@ -135,12 +141,21 @@ export * from "./operation-claim-for-table-filter.js";
 export * from "./operation-claim-for-table-filter-data-table-query.js";
 export * from "./operation-claim-i-data-result.js";
 export * from "./operation-claim-list-i-data-result.js";
+export * from "./otp-generate-result.js";
 export * from "./parameter-attributes.js";
 export * from "./parameter-info.js";
 export * from "./process-scan-scores-request.js";
 export * from "./process-scan-static-result-request.js";
 export * from "./property-attributes.js";
 export * from "./property-info.js";
+export * from "./queue-monitor-workers-response.js";
+export * from "./risk-flag-request-dto.js";
+export * from "./risk-signal-avg-dto.js";
+export * from "./risk-signal-client-dto.js";
+export * from "./risk-signal-counts-dto.js";
+export * from "./risk-signals-dto.js";
+export * from "./risk-state-dto.js";
+export * from "./risk-verify-dto.js";
 export * from "./runtime-field-handle.js";
 export * from "./runtime-method-handle.js";
 export * from "./runtime-type-handle.js";

package/dist/generated/models/otp-generate-result.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { OtpGenerateResult as __OtpGenerateResult } from "../index.js";
+export declare const OtpGenerateResult: __OtpGenerateResult;
+export type OtpGenerateResult = __OtpGenerateResult;
+export type otpGenerateResult = __OtpGenerateResult;

package/dist/generated/models/otp-generate-result.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const OtpGenerateResult = {};

package/dist/generated/models/queue-monitor-workers-response.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { QueueMonitorWorkersResponse as __QueueMonitorWorkersResponse } from "../index.js";
+export declare const QueueMonitorWorkersResponse: __QueueMonitorWorkersResponse;
+export type QueueMonitorWorkersResponse = __QueueMonitorWorkersResponse;
+export type queueMonitorWorkersResponse = __QueueMonitorWorkersResponse;

package/dist/generated/models/queue-monitor-workers-response.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const QueueMonitorWorkersResponse = {};

package/dist/generated/models/risk-flag-request-dto.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { RiskFlagRequestDto as __RiskFlagRequestDto } from "../index.js";
+export declare const RiskFlagRequestDto: __RiskFlagRequestDto;
+export type RiskFlagRequestDto = __RiskFlagRequestDto;
+export type riskFlagRequestDto = __RiskFlagRequestDto;

package/dist/generated/models/risk-flag-request-dto.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const RiskFlagRequestDto = {};

package/dist/generated/models/risk-signal-avg-dto.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { RiskSignalAvgDto as __RiskSignalAvgDto } from "../index.js";
+export declare const RiskSignalAvgDto: __RiskSignalAvgDto;
+export type RiskSignalAvgDto = __RiskSignalAvgDto;
+export type riskSignalAvgDto = __RiskSignalAvgDto;

package/dist/generated/models/risk-signal-avg-dto.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const RiskSignalAvgDto = {};

package/dist/generated/models/risk-signal-client-dto.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { RiskSignalClientDto as __RiskSignalClientDto } from "../index.js";
+export declare const RiskSignalClientDto: __RiskSignalClientDto;
+export type RiskSignalClientDto = __RiskSignalClientDto;
+export type riskSignalClientDto = __RiskSignalClientDto;

package/dist/generated/models/risk-signal-client-dto.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const RiskSignalClientDto = {};

package/dist/generated/models/risk-signal-counts-dto.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { RiskSignalCountsDto as __RiskSignalCountsDto } from "../index.js";
+export declare const RiskSignalCountsDto: __RiskSignalCountsDto;
+export type RiskSignalCountsDto = __RiskSignalCountsDto;
+export type riskSignalCountsDto = __RiskSignalCountsDto;

package/dist/generated/models/risk-signal-counts-dto.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const RiskSignalCountsDto = {};

package/dist/generated/models/risk-signals-dto.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { RiskSignalsDto as __RiskSignalsDto } from "../index.js";
+export declare const RiskSignalsDto: __RiskSignalsDto;
+export type RiskSignalsDto = __RiskSignalsDto;
+export type riskSignalsDto = __RiskSignalsDto;

package/dist/generated/models/risk-signals-dto.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const RiskSignalsDto = {};

package/dist/generated/models/risk-state-dto.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { RiskStateDto as __RiskStateDto } from "../index.js";
+export declare const RiskStateDto: __RiskStateDto;
+export type RiskStateDto = __RiskStateDto;
+export type riskStateDto = __RiskStateDto;

package/dist/generated/models/risk-state-dto.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const RiskStateDto = {};

package/dist/generated/models/risk-verify-dto.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { RiskVerifyDto as __RiskVerifyDto } from "../index.js";
+export declare const RiskVerifyDto: __RiskVerifyDto;
+export type RiskVerifyDto = __RiskVerifyDto;
+export type riskVerifyDto = __RiskVerifyDto;

package/dist/generated/models/risk-verify-dto.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export const RiskVerifyDto = {};

package/dist/index.d.ts CHANGED Viewed

@@ -5,3 +5,4 @@ export * from "./generated/models/index.js";
 export * from "./rx.js";
 export * from "./container.js";
 export * from "./base-models.js";
+export * as security from "./security/index.js";

package/dist/index.js CHANGED Viewed

@@ -5,3 +5,4 @@ export * from "./generated/models/index.js";
 export * from "./rx.js";
 export * from "./container.js";
 export * from "./base-models.js";
+export * as security from "./security/index.js";

package/dist/rx.d.ts CHANGED Viewed

@@ -36,6 +36,9 @@ export declare function createAllClients(cfg: ApiClientConfig, baseUrl?: string,
     DevicesClient: ClientCtors.DevicesClient;
     DevicesService: ClientCtors.DevicesClient;
     devicesService: ClientCtors.DevicesClient;
+    DiagnosticsClient: ClientCtors.DiagnosticsClient;
+    DiagnosticsService: ClientCtors.DiagnosticsClient;
+    diagnosticsService: ClientCtors.DiagnosticsClient;
     FeedbacksClient: ClientCtors.FeedbacksClient;
     FeedbacksService: ClientCtors.FeedbacksClient;
     feedbacksService: ClientCtors.FeedbacksClient;
@@ -60,6 +63,9 @@ export declare function createAllClients(cfg: ApiClientConfig, baseUrl?: string,
     OperationClaimsClient: ClientCtors.OperationClaimsClient;
     OperationClaimsService: ClientCtors.OperationClaimsClient;
     operationClaimsService: ClientCtors.OperationClaimsClient;
+    PortalClient: ClientCtors.PortalClient;
+    PortalService: ClientCtors.PortalClient;
+    portalService: ClientCtors.PortalClient;
     QueueMonitorClient: ClientCtors.QueueMonitorClient;
     QueueMonitorService: ClientCtors.QueueMonitorClient;
     queueMonitorService: ClientCtors.QueueMonitorClient;
@@ -69,6 +75,9 @@ export declare function createAllClients(cfg: ApiClientConfig, baseUrl?: string,
     HealthClient: ClientCtors.HealthClient;
     HealthService: ClientCtors.HealthClient;
     healthService: ClientCtors.HealthClient;
+    RiskClient: ClientCtors.RiskClient;
+    RiskService: ClientCtors.RiskClient;
+    riskService: ClientCtors.RiskClient;
     ScanApiBusSourcesClient: ClientCtors.ScanApiBusSourcesClient;
     ScanApiBusSourcesService: ClientCtors.ScanApiBusSourcesClient;
     scanApiBusSourcesService: ClientCtors.ScanApiBusSourcesClient;
@@ -266,6 +275,9 @@ export declare function createAllRxClients(cfg: ApiClientConfig, baseUrl?: strin
     DevicesClient: Rxified<ClientCtors.DevicesClient>;
     DevicesService: Rxified<ClientCtors.DevicesClient>;
     devicesService: Rxified<ClientCtors.DevicesClient>;
+    DiagnosticsClient: Rxified<ClientCtors.DiagnosticsClient>;
+    DiagnosticsService: Rxified<ClientCtors.DiagnosticsClient>;
+    diagnosticsService: Rxified<ClientCtors.DiagnosticsClient>;
     FeedbacksClient: Rxified<ClientCtors.FeedbacksClient>;
     FeedbacksService: Rxified<ClientCtors.FeedbacksClient>;
     feedbacksService: Rxified<ClientCtors.FeedbacksClient>;
@@ -290,6 +302,9 @@ export declare function createAllRxClients(cfg: ApiClientConfig, baseUrl?: strin
     OperationClaimsClient: Rxified<ClientCtors.OperationClaimsClient>;
     OperationClaimsService: Rxified<ClientCtors.OperationClaimsClient>;
     operationClaimsService: Rxified<ClientCtors.OperationClaimsClient>;
+    PortalClient: Rxified<ClientCtors.PortalClient>;
+    PortalService: Rxified<ClientCtors.PortalClient>;
+    portalService: Rxified<ClientCtors.PortalClient>;
     QueueMonitorClient: Rxified<ClientCtors.QueueMonitorClient>;
     QueueMonitorService: Rxified<ClientCtors.QueueMonitorClient>;
     queueMonitorService: Rxified<ClientCtors.QueueMonitorClient>;
@@ -299,6 +314,9 @@ export declare function createAllRxClients(cfg: ApiClientConfig, baseUrl?: strin
     HealthClient: Rxified<ClientCtors.HealthClient>;
     HealthService: Rxified<ClientCtors.HealthClient>;
     healthService: Rxified<ClientCtors.HealthClient>;
+    RiskClient: Rxified<ClientCtors.RiskClient>;
+    RiskService: Rxified<ClientCtors.RiskClient>;
+    riskService: Rxified<ClientCtors.RiskClient>;
     ScanApiBusSourcesClient: Rxified<ClientCtors.ScanApiBusSourcesClient>;
     ScanApiBusSourcesService: Rxified<ClientCtors.ScanApiBusSourcesClient>;
     scanApiBusSourcesService: Rxified<ClientCtors.ScanApiBusSourcesClient>;

package/dist/security/index.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+export type { InputPolicyKind, ThreatType, ThreatDetail, InputSecurityResult, InputSecurityPolicy, } from "./input-security-policy.js";
+export { sanitize, detect } from "./input-security-service.js";
+export { validatePath, validateAbsoluteUrl, sanitizeBody, sanitizeFormDataFileName, sanitizeHeaderValue, } from "./request-sanitizer.js";
+export type { SanitizeBodyResult } from "./request-sanitizer.js";

package/dist/security/index.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export { sanitize, detect } from "./input-security-service.js";
2	+ export { validatePath, validateAbsoluteUrl, sanitizeBody, sanitizeFormDataFileName, sanitizeHeaderValue, } from "./request-sanitizer.js";

package/dist/security/input-security-policy.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+ * Input Security Policy types for the API client.
+ * Aligned with VirusProof-main Core InputPolicyKind.
+ */
+export type InputPolicyKind = "scanName" | "url" | "ip" | "sha256" | "sha1" | "md5" | "email" | "freeTextShort" | "freeTextLong" | "scanDisplayName" | "otp" | "captchaToken" | "password" | "enum" | "date" | "fileName" | "routeSegment" | "queryText" | "headerValue" | "guid" | "scanMode" | "engineIdsJson" | "analysisIdsJson" | "workerPayload" | "jsonPayload";
+export type ThreatType = "xss" | "sql-injection" | "nosql-injection" | "ssti" | "command-injection" | "path-traversal" | "log-injection" | "header-injection" | "ssrf" | "prototype-pollution";
+export interface ThreatDetail {
+    type: ThreatType;
+    severity: "low" | "medium" | "high" | "critical";
+    message: string;
+}
+export interface InputSecurityResult {
+    sanitized: string;
+    modified: boolean;
+    blocked: boolean;
+    detectedThreats: ThreatDetail[];
+}
+export interface InputSecurityPolicy {
+    kind: InputPolicyKind;
+    maxLength: number;
+    sanitizerChain: ThreatType[];
+    blockOnDetection: boolean;
+}

package/dist/security/input-security-policy.js ADDED Viewed

@@ -0,0 +1,5 @@
+/**
+ * Input Security Policy types for the API client.
+ * Aligned with VirusProof-main Core InputPolicyKind.
+ */
+export {};

package/dist/security/input-security-service.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { InputPolicyKind, InputSecurityResult, ThreatDetail } from "./input-security-policy.js";
+export declare function sanitize(kind: InputPolicyKind, value: string | null | undefined, fieldName?: string): InputSecurityResult;
+export declare function detect(kind: InputPolicyKind, value: string): ThreatDetail[];

package/dist/security/input-security-service.js ADDED Viewed

@@ -0,0 +1,153 @@
+/**
+ * Lightweight client-side input security service.
+ * NOT authoritative — server is the trust boundary.
+ * This provides early rejection and UX feedback.
+ */
+// ─── Pattern definitions ────────────────────────────────────────
+const XSS_PATTERNS = [
+    /<script\b/i,
+    /javascript\s*:/i,
+    /on(?:load|error|click|mouse|focus|blur|change|submit)\s*=/i,
+    /<\s*(?:iframe|object|embed|svg|math|form|input)\b/i,
+    /expression\s*\(/i,
+];
+const SQL_PATTERNS = [
+    /'\s*(?:OR|AND)\s+.+?(?:=|--|;)/i,
+    /;\s*(?:DROP|ALTER|DELETE|INSERT|UPDATE|EXEC)\b/i,
+    /\bUNION\s+(?:ALL\s+)?SELECT\b/i,
+    /\b(?:WAITFOR\s+DELAY|BENCHMARK\s*\(|SLEEP\s*\()/i,
+    /\bINFORMATION_SCHEMA\b/i,
+    /\b(?:OrderBy|Where|FromSqlRaw|ExecuteSqlRaw)\s*\(/i,
+];
+const NOSQL_PATTERNS = [
+    /\$\s*(?:ne|gt|gte|lt|lte|in|nin|exists|regex|where|or|and)\b/i,
+    /\{\s*"\$/,
+];
+const SSTI_PATTERNS = [/\{\{.*?\}\}/, /\$\{.*?\}/, /\{%.*?%\}/];
+const CMD_PATTERNS = [
+    /[;&|`]/,
+    /\$\(/,
+    /\b(?:whoami|cat|wget|curl|bash|sh|rm|nc)\b/i,
+];
+const PATH_PATTERNS = [
+    /\.\.[/\\]/,
+    /%2e%2e[%2f%5c/\\]/i,
+    /%00/,
+    /\x00/,
+];
+const CRLF_PATTERN = /[\r\n]/;
+const CONTROL_CHARS = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/;
+const PROTOTYPE_POLLUTION_PATTERNS = [
+    /"__proto__"\s*:/,
+    /"constructor"\s*:/,
+    /"prototype"\s*:/,
+    /__proto__/,
+];
+const SSRF_PATTERNS = [
+    /^(?:javascript|data|file|vbscript|ftp|gopher|dict|ldap):/i,
+    /:\/\/(?:localhost|127\.0\.0\.1|\[::1\])/i,
+    /:\/\/169\.254\.169\.254/,
+    /:\/\/100\.100\.100\.200/,
+    /:\/\/metadata\.google\.internal/i,
+    /:\/\/10\.\d{1,3}\.\d{1,3}\.\d{1,3}/,
+    /:\/\/172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}/,
+    /:\/\/192\.168\.\d{1,3}\.\d{1,3}/,
+    /:\/\/[^/]*@/, // user:pass@host
+];
+const POLICIES = {
+    scanName: { maxLength: 128, block: true, checks: ["xss", "sql-injection", "command-injection", "ssti", "path-traversal", "log-injection", "header-injection"] },
+    url: { maxLength: 2048, block: true, checks: ["xss", "command-injection", "path-traversal", "header-injection", "ssrf"] },
+    ip: { maxLength: 45, block: true, checks: ["command-injection", "log-injection"] },
+    sha256: { maxLength: 64, block: true, checks: ["xss", "sql-injection", "command-injection", "path-traversal", "log-injection"] },
+    sha1: { maxLength: 40, block: true, checks: ["xss", "sql-injection", "command-injection", "path-traversal", "log-injection"] },
+    md5: { maxLength: 32, block: true, checks: ["xss", "sql-injection", "command-injection", "path-traversal", "log-injection"] },
+    email: { maxLength: 254, block: true, checks: ["xss", "sql-injection", "command-injection", "header-injection"] },
+    freeTextShort: { maxLength: 256, block: false, checks: ["xss", "sql-injection", "nosql-injection", "ssti", "command-injection", "path-traversal", "log-injection", "header-injection"] },
+    freeTextLong: { maxLength: 5000, block: false, checks: ["xss", "sql-injection", "nosql-injection", "ssti", "command-injection", "path-traversal", "log-injection", "header-injection"] },
+    scanDisplayName: { maxLength: 512, block: false, checks: ["xss", "sql-injection", "nosql-injection", "ssti", "command-injection", "path-traversal", "log-injection", "header-injection"] },
+    otp: { maxLength: 10, block: true, checks: ["sql-injection", "header-injection"] },
+    captchaToken: { maxLength: 4096, block: false, checks: [] },
+    password: { maxLength: 256, block: false, checks: [] },
+    enum: { maxLength: 64, block: true, checks: ["sql-injection", "command-injection", "log-injection"] },
+    date: { maxLength: 32, block: true, checks: ["sql-injection", "command-injection"] },
+    fileName: { maxLength: 255, block: true, checks: ["path-traversal", "command-injection", "xss", "log-injection"] },
+    routeSegment: { maxLength: 256, block: true, checks: ["path-traversal", "sql-injection", "command-injection", "header-injection"] },
+    queryText: { maxLength: 512, block: false, checks: ["xss", "sql-injection", "nosql-injection", "ssti", "command-injection", "path-traversal"] },
+    headerValue: { maxLength: 8192, block: true, checks: ["header-injection", "log-injection"] },
+    guid: { maxLength: 36, block: true, checks: ["sql-injection", "log-injection"] },
+    scanMode: { maxLength: 16, block: true, checks: ["sql-injection", "command-injection", "log-injection"] },
+    engineIdsJson: { maxLength: 4096, block: true, checks: ["nosql-injection", "sql-injection", "xss", "command-injection", "log-injection", "prototype-pollution"] },
+    analysisIdsJson: { maxLength: 8192, block: true, checks: ["nosql-injection", "sql-injection", "xss", "command-injection", "log-injection", "prototype-pollution"] },
+    workerPayload: { maxLength: 65536, block: true, checks: ["sql-injection", "nosql-injection", "command-injection", "xss", "ssti", "log-injection", "header-injection", "prototype-pollution"] },
+    jsonPayload: { maxLength: 65536, block: false, checks: ["sql-injection", "nosql-injection", "xss", "ssti", "command-injection", "log-injection", "prototype-pollution"] },
+};
+// ─── Core logic ─────────────────────────────────────────────────
+function checkPatterns(input, type) {
+    const patterns = type === "xss" ? XSS_PATTERNS
+        : type === "sql-injection" ? SQL_PATTERNS
+            : type === "nosql-injection" ? NOSQL_PATTERNS
+                : type === "ssti" ? SSTI_PATTERNS
+                    : type === "command-injection" ? CMD_PATTERNS
+                        : type === "path-traversal" ? PATH_PATTERNS
+                            : type === "log-injection" ? [CRLF_PATTERN]
+                                : type === "header-injection" ? [CRLF_PATTERN, CONTROL_CHARS]
+                                    : type === "ssrf" ? SSRF_PATTERNS
+                                        : type === "prototype-pollution" ? PROTOTYPE_POLLUTION_PATTERNS
+                                            : [];
+    for (const p of patterns) {
+        if (p.test(input)) {
+            return {
+                type,
+                severity: type === "sql-injection" || type === "command-injection" || type === "ssrf" || type === "prototype-pollution" ? "critical" : "high",
+                message: `${type} pattern detected`,
+            };
+        }
+    }
+    return null;
+}
+export function sanitize(kind, value, fieldName = "") {
+    if (!value) {
+        return { sanitized: value ?? "", modified: false, blocked: false, detectedThreats: [] };
+    }
+    const policy = POLICIES[kind];
+    let current = value.trim();
+    let modified = false;
+    // Max length
+    if (current.length > policy.maxLength) {
+        current = current.slice(0, policy.maxLength);
+        modified = true;
+    }
+    // CR/LF sanitize for all
+    if (CRLF_PATTERN.test(current)) {
+        current = current.replace(/[\r\n]/g, " ");
+        modified = true;
+    }
+    if (CONTROL_CHARS.test(current)) {
+        current = current.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "");
+        modified = true;
+    }
+    // Run checks
+    const threats = [];
+    for (const check of policy.checks) {
+        const threat = checkPatterns(current, check);
+        if (threat)
+            threats.push(threat);
+    }
+    const blocked = policy.block && threats.length > 0;
+    return {
+        sanitized: blocked ? "" : current,
+        modified: modified || current !== value,
+        blocked,
+        detectedThreats: threats,
+    };
+}
+export function detect(kind, value) {
+    const policy = POLICIES[kind];
+    const threats = [];
+    for (const check of policy.checks) {
+        const threat = checkPatterns(value, check);
+        if (threat)
+            threats.push(threat);
+    }
+    return threats;
+}

package/dist/security/request-sanitizer.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import type { InputSecurityResult } from "./input-security-policy.js";
+export declare function validatePath(path: string): {
+    safe: boolean;
+    sanitized: string;
+};
+export declare function validateAbsoluteUrl(url: string, trustedHosts: string[]): {
+    safe: boolean;
+    reason?: string;
+};
+export interface SanitizeBodyResult {
+    body: Record<string, unknown>;
+    modified: boolean;
+    blocked: boolean;
+    threats: InputSecurityResult[];
+}
+export declare function sanitizeBody(body: Record<string, unknown>, depth?: number, visited?: WeakSet<object>): SanitizeBodyResult;
+export declare function sanitizeFormDataFileName(filename: string): string;
+export declare function sanitizeHeaderValue(value: string): string;