@wrongstack/core 0.3.8 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -393,7 +393,7 @@ function walkCount(node, vault, counter) {
393
393
  if (Array.isArray(node)) {
394
394
  return node.map((item) => walkCount(item, vault, counter));
395
395
  }
396
- const out = {};
396
+ const out = /* @__PURE__ */ Object.create(null);
397
397
  for (const [k, v] of Object.entries(node)) {
398
398
  if (typeof v === "string" && isSecretField(k) && !vault.isEncrypted(v) && v.length > 0) {
399
399
  out[k] = vault.encrypt(v);
@@ -406,7 +406,15 @@ function walkCount(node, vault, counter) {
406
406
  }
407
407
  return out;
408
408
  }
409
- var FORBIDDEN_PROTO_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
409
+ var FORBIDDEN_PROTO_KEYS = /* @__PURE__ */ new Set([
410
+ "__proto__",
411
+ "constructor",
412
+ "prototype",
413
+ "__defineGetter__",
414
+ "__defineSetter__",
415
+ "__lookupGetter__",
416
+ "__lookupSetter__"
417
+ ]);
410
418
  function deepMerge(a, b) {
411
419
  const out = { ...a };
412
420
  for (const [k, v] of Object.entries(b)) {
@@ -1152,12 +1160,15 @@ var PATTERNS = [
1152
1160
  { type: "redis_uri", regex: /redis:\/\/[^\s"'`]+/g },
1153
1161
  {
1154
1162
  type: "bearer_token",
1155
- regex: /(?<![A-Za-z0-9_.~+/-])Bearer\s+[A-Za-z0-9._~+/-]{20,}=*(?![A-Za-z0-9_.~+/-])/g
1163
+ // Bounded at 512 chars to prevent catastrophic backtracking on adversarial input.
1164
+ // Negative lookahead is a simple single-char check — no backtracking risk.
1165
+ regex: /(?<![A-Za-z0-9_.~+/-])Bearer\s+[A-Za-z0-9._~+/-]{20,512}=*(?![A-Za-z0-9_.~+/-])/g
1156
1166
  },
1157
1167
  {
1158
1168
  type: "high_entropy_env",
1159
- // Value-side word boundary + length gate to avoid matching short random strings
1160
- regex: /\b([A-Z_]{4,}(?:KEY|TOKEN|SECRET|PASSWORD|PWD))\s*[:=]\s*['"]?([A-Za-z0-9_/+=-]{20,})['"]?(?!\s*[A-Za-z_]{4,}(?:KEY|TOKEN|SECRET|PASSWORD|PWD))/g
1169
+ // Value bounded at 512 chars; negative lookahead simplified to avoid
1170
+ // nested quantifier backtracking on adversarial input.
1171
+ regex: /\b([A-Z_]{4,}(?:KEY|TOKEN|SECRET|PASSWORD|PWD))\s*[:=]\s*['"]?([A-Za-z0-9_/+=-]{20,512})['"]?/g
1161
1172
  }
1162
1173
  ];
1163
1174
  var SCRUB_CHUNK_BYTES = 64 * 1024;