@xyne/workflow-sdk 2.1.2 → 2.3.0

package/dist/util/executable-check.js

@@ -0,0 +1,115 @@
+/**
+ * Executable upload safety check.
+ *
+ * Allow-by-default with a deny-list of known dangerous types — covers the
+ * common attack surface (native binaries, scripts that auto-run, installers,
+ * macro-enabled Office docs) without forcing workflow authors to enumerate
+ * every safe MIME type.
+ *
+ * Two checks run in parallel so spoofed MIME types alone can't bypass:
+ *   1. MIME type matches the deny-list
+ *   2. Filename extension matches the deny-list
+ *
+ * Either match blocks the upload. To accept executables (e.g. a security-
+ * analysis workflow that intentionally examines binaries), the host opts
+ * in via `RuntimeOptions.allowExecutableUploads = true`.
+ */
+/**
+ * MIME types treated as executable / unsafe (lowercase — input is also
+ * lowercased before comparison).
+ */
+export const BLOCKED_EXECUTABLE_MIME_TYPES = new Set([
+    // Native binaries
+    'application/x-msdownload',
+    'application/x-msdos-program',
+    'application/x-executable',
+    'application/x-mach-binary',
+    'application/vnd.microsoft.portable-executable',
+    'application/x-msi',
+    'application/x-ms-installer',
+    // Shell + Windows scripts
+    'application/x-sh',
+    'application/x-shellscript',
+    'application/x-bat',
+    'application/x-csh',
+    'application/x-cmd',
+    'application/x-msmetafile',
+    // JavaScript / ECMAScript
+    'text/javascript',
+    'application/javascript',
+    'application/ecmascript',
+    'application/x-javascript',
+    // Java / Flash
+    'application/java-archive',
+    'application/x-java-archive',
+    'application/x-java-jnlp-file',
+    'application/x-shockwave-flash',
+    // Installer / package formats that bundle executables
+    'application/vnd.android.package-archive',
+    'application/x-debian-package',
+    'application/x-rpm',
+    // Macro-enabled Office documents (lowercased — IANA tokens are case-insensitive)
+    'application/vnd.ms-word.document.macroenabled.12',
+    'application/vnd.ms-word.template.macroenabled.12',
+    'application/vnd.ms-excel.sheet.macroenabled.12',
+    'application/vnd.ms-excel.template.macroenabled.12',
+    'application/vnd.ms-excel.addin.macroenabled.12',
+    'application/vnd.ms-excel.sheet.binary.macroenabled.12',
+    'application/vnd.ms-powerpoint.presentation.macroenabled.12',
+    'application/vnd.ms-powerpoint.template.macroenabled.12',
+    'application/vnd.ms-powerpoint.addin.macroenabled.12',
+]);
+/**
+ * File extensions treated as executable / unsafe (case-insensitive, no dot).
+ * The check uses the LAST extension so `report.exe.txt` is treated as text
+ * (Windows shows the trailing extension, which is what the user actually sees).
+ */
+export const BLOCKED_EXECUTABLE_EXTENSIONS = new Set([
+    // Windows
+    'exe', 'msi', 'com', 'scr', 'cmd', 'bat', 'ps1', 'psm1',
+    'vbs', 'vbe', 'wsf', 'wsh', 'hta', 'cpl', 'lnk',
+    'dll', 'sys', 'drv', 'ocx',
+    // macOS / Unix
+    'app', 'dmg', 'pkg',
+    'sh', 'bash', 'zsh', 'fish', 'csh', 'ksh', 'command', 'tool',
+    // Java / Flash
+    'jar', 'war', 'jnlp', 'swf',
+    // Mobile installers
+    'apk', 'ipa', 'xap',
+    // Linux installers
+    'deb', 'rpm', 'run', 'bin',
+    // JavaScript (auto-executes in browser / Node contexts)
+    'js', 'mjs', 'cjs',
+    // Macro-enabled Office
+    'docm', 'dotm', 'xlsm', 'xltm', 'xlam', 'xlsb',
+    'pptm', 'potm', 'ppam', 'ppsm', 'sldm',
+]);
+/**
+ * Extract the lowercase extension (no dot) from a filename, or '' if none.
+ * A leading dot doesn't count — `.bashrc` has no extension, not "bashrc".
+ */
+export function extensionOf(name) {
+    const dot = name.lastIndexOf('.');
+    if (dot <= 0 || dot === name.length - 1)
+        return '';
+    return name.slice(dot + 1).toLowerCase();
+}
+/**
+ * Returns a human-readable reason if the file should be blocked as
+ * executable, or `null` if it's safe.
+ *
+ * Always check both the MIME type and the filename — clients can spoof one
+ * but rarely both. This is defense-in-depth, not authoritative malware
+ * detection (run real AV at the storage layer for that).
+ */
+export function isExecutable(mimeType, name) {
+    if (BLOCKED_EXECUTABLE_MIME_TYPES.has(mimeType.toLowerCase())) {
+        return `Executable MIME type "${mimeType}" is not allowed.`;
+    }
+    const ext = extensionOf(name);
+    if (ext && BLOCKED_EXECUTABLE_EXTENSIONS.has(ext)) {
+        return `Files with .${ext} extension are not allowed.`;
+    }
+    return null;
+}
+//# sourceMappingURL=executable-check.js.map

package/dist/util/executable-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"executable-check.js","sourceRoot":"","sources":["../../src/util/executable-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAwB,IAAI,GAAG,CAAC;IACxE,kBAAkB;IAClB,0BAA0B;IAC1B,6BAA6B;IAC7B,0BAA0B;IAC1B,2BAA2B;IAC3B,+CAA+C;IAC/C,mBAAmB;IACnB,4BAA4B;IAC5B,0BAA0B;IAC1B,kBAAkB;IAClB,2BAA2B;IAC3B,mBAAmB;IACnB,mBAAmB;IACnB,mBAAmB;IACnB,0BAA0B;IAC1B,0BAA0B;IAC1B,iBAAiB;IACjB,wBAAwB;IACxB,wBAAwB;IACxB,0BAA0B;IAC1B,eAAe;IACf,0BAA0B;IAC1B,4BAA4B;IAC5B,8BAA8B;IAC9B,+BAA+B;IAC/B,sDAAsD;IACtD,yCAAyC;IACzC,8BAA8B;IAC9B,mBAAmB;IACnB,iFAAiF;IACjF,kDAAkD;IAClD,kDAAkD;IAClD,gDAAgD;IAChD,mDAAmD;IACnD,gDAAgD;IAChD,uDAAuD;IACvD,4DAA4D;IAC5D,wDAAwD;IACxD,qDAAqD;CACtD,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAwB,IAAI,GAAG,CAAC;IACxE,UAAU;IACV,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM;IACvD,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK;IAC/C,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK;IAC1B,eAAe;IACf,KAAK,EAAE,KAAK,EAAE,KAAK;IACnB,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM;IAC5D,eAAe;IACf,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK;IAC3B,oBAAoB;IACpB,KAAK,EAAE,KAAK,EAAE,KAAK;IACnB,mBAAmB;IACnB,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK;IAC1B,wDAAwD;IACxD,IAAI,EAAE,KAAK,EAAE,KAAK;IAClB,uBAAuB;IACvB,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAC9C,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CACvC,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,KAAK,IAAI,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IACnD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,QAAgB,EAAE,IAAY;IACzD,IAAI,6BAA6B,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC9D,OAAO,yBAAyB,QAAQ,mBAAmB,CAAC;IAC9D,CAAC;IACD,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IAC9B,IAAI,GAAG,IAAI,6BAA6B,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QAClD,OAAO,eAAe,GAAG,6BAA6B,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xyne/workflow-sdk",
-  "version": "2.1.2",
+  "version": "2.3.0",
   "description": "Workflow engine SDK — steps, triggers, executor, agents, and a framework-agnostic HTTP router.",
   "license": "UNLICENSED",
   "repository": {