@zintrust/core 0.1.42 → 0.1.44

package/packages/workers/src/http/middleware/FeaturesValidator.js

@@ -0,0 +1,60 @@
+import { Logger } from '../../../../../src/index.js';
+const VALID_FEATURES = new Set([
+    'clustering',
+    'metrics',
+    'autoScaling',
+    'circuitBreaker',
+    'deadLetterQueue',
+    'resourceMonitoring',
+    'compliance',
+    'observability',
+    'plugins',
+    'versioning',
+    'datacenterOrchestration',
+]);
+export const withFeaturesValidation = (handler) => {
+    return async (req, res) => {
+        try {
+            const data = req.data();
+            const features = data['features'];
+            if (!features) {
+                return handler(req, res); // Skip validation if features is not provided
+            }
+            // Check if features is an object
+            if (typeof features !== 'object' || features === null || Array.isArray(features)) {
+                return res.setStatus(400).json({
+                    error: 'Invalid features configuration',
+                    message: 'Features must be an object',
+                    code: 'INVALID_FEATURES_TYPE',
+                });
+            }
+            // Validate each feature key and value
+            const featureKeys = Object.keys(features);
+            for (const key of featureKeys) {
+                if (!VALID_FEATURES.has(key)) {
+                    return res.setStatus(400).json({
+                        error: 'Invalid feature',
+                        message: `Unknown feature: ${key}. Valid features are: ${Array.from(VALID_FEATURES).join(', ')}`,
+                        code: 'INVALID_FEATURE',
+                    });
+                }
+                const value = features[key];
+                if (typeof value !== 'boolean') {
+                    return res.setStatus(400).json({
+                        error: 'Invalid feature value',
+                        message: `Feature ${key} must be a boolean (true or false)`,
+                        code: 'INVALID_FEATURE_VALUE',
+                    });
+                }
+            }
+            return handler(req, res);
+        }
+        catch (error) {
+            Logger.error('Features validation failed', error);
+            return res.setStatus(500).json({
+                error: 'Internal validation error',
+                code: 'VALIDATION_ERROR',
+            });
+        }
+    };
+};

package/packages/workers/src/http/middleware/InfrastructureValidator.d.ts

@@ -0,0 +1,32 @@
+import { type IRequest, type IResponse } from '../../../../../src/index.js';
+export type RouteHandler = (req: IRequest, res: IResponse) => Promise<void> | void;
+export interface InfrastructureConfig {
+    persistence: {
+        driver: string;
+    };
+    redis: {
+        env: boolean;
+        host: string;
+        port: string;
+        db: string;
+        password: string;
+    };
+    deadLetterQueue: {
+        policy: string;
+    };
+    compliance: {
+        config: {
+            retentionDays: number;
+        };
+    };
+    observability: {
+        enabled: boolean;
+    };
+    autoScaler: {
+        enabled: boolean;
+        minWorkers: number;
+        maxWorkers: number;
+    };
+}
+export declare const withInfrastructureValidation: (handler: RouteHandler) => RouteHandler;
+//# sourceMappingURL=InfrastructureValidator.d.ts.map

package/packages/workers/src/http/middleware/InfrastructureValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"InfrastructureValidator.d.ts","sourceRoot":"","sources":["../../../../../../packages/workers/src/http/middleware/InfrastructureValidator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAU,KAAK,QAAQ,EAAE,KAAK,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAEvE,MAAM,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AAKnF,MAAM,WAAW,oBAAoB;IACnC,WAAW,EAAE;QACX,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,KAAK,EAAE;QACL,GAAG,EAAE,OAAO,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,EAAE,EAAE,MAAM,CAAC;QACX,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,eAAe,EAAE;QACf,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,UAAU,EAAE;QACV,MAAM,EAAE;YACN,aAAa,EAAE,MAAM,CAAC;SACvB,CAAC;KACH,CAAC;IACF,aAAa,EAAE;QACb,OAAO,EAAE,OAAO,CAAC;KAClB,CAAC;IACF,UAAU,EAAE;QACV,OAAO,EAAE,OAAO,CAAC;QACjB,UAAU,EAAE,MAAM,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAuKD,eAAO,MAAM,4BAA4B,GAAI,SAAS,YAAY,KAAG,YA6FpE,CAAC"}

package/packages/workers/src/http/middleware/InfrastructureValidator.js

@@ -0,0 +1,226 @@
+import { Logger } from '../../../../../src/index.js';
+const VALID_DRIVERS = new Set(['database', 'redis', 'memory']);
+const VALID_DEAD_LETTER_POLICIES = new Set(['expire', 'retry', 'dead-letter']);
+const validatePersistence = (persistence) => {
+    if (!persistence)
+        return 'Persistence configuration is required';
+    // Validate persistence driver
+    if (!persistence.driver) {
+        return 'Persistence driver is required';
+    }
+    if (!VALID_DRIVERS.has(persistence.driver)) {
+        return 'Persistence driver must be one of: database, redis, memory';
+    }
+    return null;
+};
+const validateRedis = (redis) => {
+    if (!redis)
+        return 'Redis configuration is required';
+    // Validate env flag
+    if (typeof redis.env !== 'boolean') {
+        return 'Redis env flag must be a boolean';
+    }
+    // Validate required fields when not using env
+    if (!redis.env) {
+        const requiredFieldsError = validateRequiredRedisFields(redis);
+        if (requiredFieldsError)
+            return requiredFieldsError;
+    }
+    // Validate string fields
+    return validateRedisStringFields(redis);
+};
+const validateRequiredRedisFields = (redis) => {
+    if (!redis.host || typeof redis.host !== 'string') {
+        return 'Redis host is required when env is false';
+    }
+    if (redis.port === undefined || redis.port === null) {
+        return 'Redis port is required when env is false';
+    }
+    if (typeof redis.port !== 'string' && typeof redis.port !== 'number') {
+        return 'Redis port must be a string or number';
+    }
+    if (!redis.db || typeof redis.db !== 'string') {
+        return 'Redis db is required when env is false';
+    }
+    return null;
+};
+const validateRedisStringFields = (redis) => {
+    if (redis.host && typeof redis.host !== 'string') {
+        return 'Redis host must be a string';
+    }
+    if (redis.port && typeof redis.port !== 'string' && typeof redis.port !== 'number') {
+        return 'Redis port must be a string or number';
+    }
+    if (redis.db && typeof redis.db !== 'string') {
+        return 'Redis db must be a string';
+    }
+    if (redis.password && typeof redis.password !== 'string') {
+        return 'Redis password must be a string';
+    }
+    return null;
+};
+const validateDeadLetterQueue = (deadLetterQueue) => {
+    if (!deadLetterQueue)
+        return 'DeadLetterQueue configuration is required';
+    // Validate policy
+    if (!deadLetterQueue.policy) {
+        return 'DeadLetterQueue policy is required';
+    }
+    if (!VALID_DEAD_LETTER_POLICIES.has(deadLetterQueue.policy)) {
+        return 'Policy must be one of: expire, retry, dead-letter';
+    }
+    return null;
+};
+const validateCompliance = (compliance) => {
+    if (!compliance)
+        return 'Compliance configuration is required';
+    if (!compliance.config) {
+        return 'Compliance config is required';
+    }
+    if (typeof compliance.config.retentionDays !== 'number' || compliance.config.retentionDays < 0) {
+        return 'Retention days must be a non-negative number';
+    }
+    const MAX_RETENTION_DAYS = 3650; // ~10 years
+    if (compliance.config.retentionDays > MAX_RETENTION_DAYS) {
+        return `Retention days cannot exceed ${MAX_RETENTION_DAYS}`;
+    }
+    return null;
+};
+const validateObservability = (observability) => {
+    if (!observability)
+        return 'Observability configuration is required';
+    if (typeof observability.enabled !== 'boolean') {
+        return 'Observability enabled flag must be a boolean';
+    }
+    return null;
+};
+const validateAutoScaler = (autoScaler) => {
+    if (!autoScaler)
+        return 'AutoScaler configuration is required';
+    if (typeof autoScaler.enabled !== 'boolean') {
+        return 'AutoScaler enabled flag must be a boolean';
+    }
+    if (autoScaler.enabled) {
+        const minWorkersError = validateWorkerCount(autoScaler.minWorkers, 'minWorkers');
+        if (minWorkersError)
+            return minWorkersError;
+        const maxWorkersError = validateWorkerCount(autoScaler.maxWorkers, 'maxWorkers');
+        if (maxWorkersError)
+            return maxWorkersError;
+        if (autoScaler.minWorkers > autoScaler.maxWorkers) {
+            return 'AutoScaler minWorkers cannot be greater than maxWorkers';
+        }
+        const MAX_AUTOSCALER_WORKERS = 1000;
+        if (autoScaler.maxWorkers > MAX_AUTOSCALER_WORKERS) {
+            return `AutoScaler maxWorkers cannot exceed ${MAX_AUTOSCALER_WORKERS}`;
+        }
+    }
+    return null;
+};
+const validateWorkerCount = (value, fieldName) => {
+    if (typeof value !== 'number') {
+        return `AutoScaler ${fieldName} must be a number`;
+    }
+    if (!Number.isInteger(value)) {
+        return `AutoScaler ${fieldName} must be a whole number (integer)`;
+    }
+    if (value < 0) {
+        return `AutoScaler ${fieldName} must be a non-negative number`;
+    }
+    return null;
+};
+const sanitizeInfrastructure = (infrastructure) => {
+    return {
+        ...infrastructure,
+        autoScaler: {
+            ...infrastructure.autoScaler,
+            minWorkers: Math.floor(infrastructure.autoScaler.minWorkers),
+            maxWorkers: Math.floor(infrastructure.autoScaler.maxWorkers),
+        },
+    };
+};
+export const withInfrastructureValidation = (handler) => {
+    return async (req, res) => {
+        try {
+            const data = req.data();
+            const infrastructure = data['infrastructure'];
+            if (!infrastructure) {
+                return res.setStatus(400).json({
+                    error: 'Infrastructure configuration is required',
+                    code: 'MISSING_INFRASTRUCTURE',
+                });
+            }
+            // Validate persistence
+            const persistenceError = validatePersistence(infrastructure.persistence);
+            if (persistenceError) {
+                return res.setStatus(400).json({
+                    error: 'Invalid persistence configuration',
+                    message: persistenceError,
+                    code: 'INVALID_PERSISTENCE_CONFIG',
+                });
+            }
+            // Validate redis
+            const redisError = validateRedis(infrastructure.redis);
+            if (redisError) {
+                return res.setStatus(400).json({
+                    error: 'Invalid redis configuration',
+                    message: redisError,
+                    code: 'INVALID_REDIS_CONFIG',
+                });
+            }
+            // Validate deadLetterQueue
+            const deadLetterQueueError = validateDeadLetterQueue(infrastructure.deadLetterQueue);
+            if (deadLetterQueueError) {
+                return res.setStatus(400).json({
+                    error: 'Invalid deadLetterQueue configuration',
+                    message: deadLetterQueueError,
+                    code: 'INVALID_DEAD_LETTER_QUEUE_CONFIG',
+                });
+            }
+            // Validate compliance
+            const complianceError = validateCompliance(infrastructure.compliance);
+            if (complianceError) {
+                return res.setStatus(400).json({
+                    error: 'Invalid compliance configuration',
+                    message: complianceError,
+                    code: 'INVALID_COMPLIANCE_CONFIG',
+                });
+            }
+            // Validate observability
+            const observabilityError = validateObservability(infrastructure.observability);
+            if (observabilityError) {
+                return res.setStatus(400).json({
+                    error: 'Invalid observability configuration',
+                    message: observabilityError,
+                    code: 'INVALID_OBSERVABILITY_CONFIG',
+                });
+            }
+            // Validate autoScaler
+            const autoScalerError = validateAutoScaler(infrastructure.autoScaler);
+            if (autoScalerError) {
+                return res.setStatus(400).json({
+                    error: 'Invalid autoScaler configuration',
+                    message: autoScalerError,
+                    code: 'INVALID_AUTO_SCALER_CONFIG',
+                });
+            }
+            // Sanitize infrastructure values
+            const currentBody = req.getBody();
+            const sanitizedInfrastructure = sanitizeInfrastructure(infrastructure);
+            // Update the infrastructure in the request body
+            const updatedBody = {
+                ...currentBody,
+                infrastructure: sanitizedInfrastructure,
+            };
+            req.setBody(updatedBody);
+            return handler(req, res);
+        }
+        catch (error) {
+            Logger.error('Infrastructure validation failed', error);
+            return res.setStatus(500).json({
+                error: 'Internal validation error',
+                code: 'VALIDATION_ERROR',
+            });
+        }
+    };
+};

package/packages/workers/src/http/middleware/OptionsValidator.d.ts

@@ -0,0 +1,4 @@
+import { type IRequest, type IResponse } from '../../../../../src/index.js';
+export type RouteHandler = (req: IRequest, res: IResponse) => Promise<void> | void;
+export declare const withOptionsValidation: (handler: RouteHandler) => RouteHandler;
+//# sourceMappingURL=OptionsValidator.d.ts.map

package/packages/workers/src/http/middleware/OptionsValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OptionsValidator.d.ts","sourceRoot":"","sources":["../../../../../../packages/workers/src/http/middleware/OptionsValidator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAU,KAAK,QAAQ,EAAE,KAAK,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAEvE,MAAM,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AAqFnF,eAAO,MAAM,qBAAqB,GAAI,SAAS,YAAY,KAAG,YAwD7D,CAAC"}

package/packages/workers/src/http/middleware/OptionsValidator.js

@@ -0,0 +1,112 @@
+import { Logger } from '../../../../../src/index.js';
+const validateConcurrency = (concurrency) => {
+    if (concurrency === undefined || concurrency === null) {
+        return 'Concurrency is required';
+    }
+    if (typeof concurrency !== 'number') {
+        return 'Concurrency must be a number';
+    }
+    if (!Number.isInteger(concurrency)) {
+        return 'Concurrency must be a whole number (integer)';
+    }
+    if (concurrency < 1) {
+        return 'Concurrency must be at least 1';
+    }
+    const MAX_CONCURRENCY = 200;
+    if (concurrency > MAX_CONCURRENCY) {
+        return `Concurrency cannot exceed ${MAX_CONCURRENCY}`;
+    }
+    return null;
+};
+const validateLimiter = (limiter) => {
+    if (!limiter) {
+        return 'Limiter configuration is required';
+    }
+    // Validate max
+    if (limiter.max === undefined || limiter.max === null) {
+        return 'Limiter max is required';
+    }
+    if (typeof limiter.max !== 'number') {
+        return 'Limiter max must be a number';
+    }
+    if (!Number.isInteger(limiter.max)) {
+        return 'Limiter max must be a whole number (integer)';
+    }
+    if (limiter.max < 1) {
+        return 'Limiter max must be at least 1';
+    }
+    const MAX_LIMITER_MAX = 100000;
+    if (limiter.max > MAX_LIMITER_MAX) {
+        return `Limiter max cannot exceed ${MAX_LIMITER_MAX}`;
+    }
+    // Validate duration
+    if (limiter.duration === undefined || limiter.duration === null) {
+        return 'Limiter duration is required';
+    }
+    if (typeof limiter.duration !== 'number') {
+        return 'Limiter duration must be a number';
+    }
+    if (!Number.isInteger(limiter.duration)) {
+        return 'Limiter duration must be a whole number (integer)';
+    }
+    if (limiter.duration < 1000) {
+        return 'Limiter duration must be at least 1000ms';
+    }
+    const MAX_LIMITER_DURATION = 24 * 60 * 60 * 1000; // 1 day
+    if (limiter.duration > MAX_LIMITER_DURATION) {
+        return `Limiter duration cannot exceed ${MAX_LIMITER_DURATION} ms`;
+    }
+    return null;
+};
+export const withOptionsValidation = (handler) => {
+    return async (req, res) => {
+        try {
+            const data = req.data();
+            const options = data['options'];
+            if (!options) {
+                return res.setStatus(400).json({
+                    error: 'Options configuration is required',
+                    code: 'MISSING_OPTIONS',
+                });
+            }
+            // Validate concurrency
+            const concurrencyError = validateConcurrency(options.concurrency);
+            if (concurrencyError) {
+                return res.setStatus(400).json({
+                    error: 'Invalid concurrency',
+                    message: concurrencyError,
+                    code: 'INVALID_CONCURRENCY',
+                });
+            }
+            // Validate limiter
+            const limiterError = validateLimiter(options.limiter);
+            if (limiterError) {
+                return res.setStatus(400).json({
+                    error: 'Invalid limiter configuration',
+                    message: limiterError,
+                    code: 'INVALID_LIMITER_CONFIG',
+                });
+            }
+            // Sanitize concurrency to ensure it's an integer
+            const currentBody = req.getBody();
+            const sanitizedOptions = {
+                ...options,
+                concurrency: Math.floor(options.concurrency),
+                limiter: {
+                    ...options.limiter,
+                    max: Math.floor(options.limiter.max),
+                    duration: Math.floor(options.limiter.duration),
+                },
+            };
+            req.setBody({ ...currentBody, options: sanitizedOptions });
+            return handler(req, res);
+        }
+        catch (error) {
+            Logger.error('Options validation failed', error);
+            return res.setStatus(500).json({
+                error: 'Internal validation error',
+                code: 'VALIDATION_ERROR',
+            });
+        }
+    };
+};

package/packages/workers/src/http/middleware/PayloadSanitizer.d.ts

@@ -0,0 +1,8 @@
+import { type IRequest, type IResponse } from '../../../../../src/index.js';
+export type RouteHandler = (req: IRequest, res: IResponse) => Promise<void> | void;
+/**
+ * Middleware to strip unknown properties from the request body.
+ * Only properties included in the allowedKeys list are preserved.
+ */
+export declare const withStrictPayloadKeys: (allowedKeys: string[], handler: RouteHandler) => RouteHandler;
+//# sourceMappingURL=PayloadSanitizer.d.ts.map

package/packages/workers/src/http/middleware/PayloadSanitizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PayloadSanitizer.d.ts","sourceRoot":"","sources":["../../../../../../packages/workers/src/http/middleware/PayloadSanitizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAU,KAAK,QAAQ,EAAE,KAAK,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAEvE,MAAM,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AAEnF;;;GAGG;AACH,eAAO,MAAM,qBAAqB,GAChC,aAAa,MAAM,EAAE,EACrB,SAAS,YAAY,KACpB,YAwCF,CAAC"}

package/packages/workers/src/http/middleware/PayloadSanitizer.js

@@ -0,0 +1,42 @@
+import { Logger } from '../../../../../src/index.js';
+/**
+ * Middleware to strip unknown properties from the request body.
+ * Only properties included in the allowedKeys list are preserved.
+ */
+export const withStrictPayloadKeys = (allowedKeys, handler) => {
+    const allowedSet = new Set(allowedKeys);
+    return async (req, res) => {
+        try {
+            const data = req.data();
+            if (!data || typeof data !== 'object' || Array.isArray(data)) {
+                // If body is not an object, skip stripping or strictly enforce object?
+                // For worker creation, it must be an object.
+                // Let's rely on downstream validators to complain if data is missing/wrong type.
+                return handler(req, res);
+            }
+            const body = data;
+            const strippedBody = {};
+            let hasUnknowns = false;
+            for (const key of Object.keys(body)) {
+                if (allowedSet.has(key)) {
+                    strippedBody[key] = body[key];
+                }
+                else {
+                    hasUnknowns = true;
+                }
+            }
+            if (hasUnknowns) {
+                // Update the body with sanitized version
+                req.setBody(strippedBody);
+            }
+            return handler(req, res);
+        }
+        catch (error) {
+            Logger.error('Strict payload validation failed', error);
+            return res.setStatus(500).json({
+                error: 'Internal validation error',
+                code: 'VALIDATION_ERROR',
+            });
+        }
+    };
+};

package/packages/workers/src/http/middleware/ProcessorPathSanitizer.d.ts

@@ -0,0 +1,4 @@
+import { type IRequest, type IResponse } from '../../../../../src/index.js';
+export type RouteHandler = (req: IRequest, res: IResponse) => Promise<void> | void;
+export declare const withProcessorPathValidation: (handler: RouteHandler) => RouteHandler;
+//# sourceMappingURL=ProcessorPathSanitizer.d.ts.map

package/packages/workers/src/http/middleware/ProcessorPathSanitizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ProcessorPathSanitizer.d.ts","sourceRoot":"","sources":["../../../../../../packages/workers/src/http/middleware/ProcessorPathSanitizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,KAAK,QAAQ,EACb,KAAK,SAAS,EACf,MAAM,gBAAgB,CAAC;AAExB,MAAM,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AA4GnF,eAAO,MAAM,2BAA2B,GAAI,SAAS,YAAY,KAAG,YAwDnE,CAAC"}

package/packages/workers/src/http/middleware/ProcessorPathSanitizer.js

@@ -0,0 +1,140 @@
+import { Logger, NodeSingletons, workersConfig, } from '../../../../../src/index.js';
+const PROCESSOR_PATH_PATTERN = /^[a-zA-Z0-9/_.-]+\.(ts|js|mjs|cjs)$/;
+const isUrlSpec = (value) => {
+    if (value.startsWith('url:'))
+        return true;
+    return value.includes('://');
+};
+const normalizeUrlSpec = (value) => {
+    return value.startsWith('url:') ? value.slice(4) : value;
+};
+const isAllowedRemoteHost = (host) => {
+    const allowlist = workersConfig.processorSpec.remoteAllowlist;
+    return allowlist.map((value) => value.toLowerCase()).includes(host.toLowerCase());
+};
+const decodeProcessorPath = (processor) => {
+    return processor
+        .replaceAll('/', '/') // HTML hex entity for /
+        .replaceAll('%2F', '/') // URL encoding for /
+        .replaceAll('.', '.') // HTML hex entity for .
+        .replaceAll('%2E', '.') // URL encoding for .
+        .replaceAll('_', '_') // HTML hex entity for _
+        .replaceAll('%5F', '_') // URL encoding for _
+        .replaceAll('-', '-') // HTML hex entity for -
+        .replaceAll('%2D', '-'); // URL encoding for -
+};
+const validateUrlSpec = (processor) => {
+    const normalized = normalizeUrlSpec(processor);
+    let parsed;
+    try {
+        parsed = new URL(normalized);
+    }
+    catch {
+        return {
+            isValid: false,
+            error: { error: 'Invalid processor url', code: 'INVALID_PROCESSOR_URL' },
+        };
+    }
+    if (parsed.protocol === 'file:') {
+        const path = NodeSingletons.path;
+        const baseDir = path.resolve(process.cwd());
+        const resolved = path.resolve(baseDir, decodeURIComponent(parsed.pathname));
+        if (!resolved.startsWith(baseDir)) {
+            return {
+                isValid: false,
+                error: { error: 'Invalid processor path', code: 'INVALID_PROCESSOR_PATH_TRAVERSAL' },
+            };
+        }
+    }
+    else {
+        if (parsed.protocol !== 'https:') {
+            return {
+                isValid: false,
+                error: { error: 'Invalid processor url', code: 'INVALID_PROCESSOR_URL' },
+            };
+        }
+        if (!isAllowedRemoteHost(parsed.host)) {
+            return {
+                isValid: false,
+                error: { error: 'Invalid processor url host', code: 'INVALID_PROCESSOR_URL_HOST' },
+            };
+        }
+    }
+    return { isValid: true };
+};
+const validateRelativePath = (processor) => {
+    if (processor.includes('..') || processor.startsWith('/')) {
+        return {
+            isValid: false,
+            error: { error: 'Invalid processor path', code: 'INVALID_PROCESSOR_PATH' },
+        };
+    }
+    if (!PROCESSOR_PATH_PATTERN.test(processor)) {
+        return {
+            isValid: false,
+            error: { error: 'Invalid processor path', code: 'INVALID_PROCESSOR_EXTENSION' },
+        };
+    }
+    return { isValid: true };
+};
+const sanitizeAndResolvePath = (processor) => {
+    const sanitizedProcessor = processor.replaceAll(/[^a-zA-Z0-9/_.-]/g, '');
+    const path = NodeSingletons.path;
+    const baseDir = path.resolve(process.cwd());
+    const resolved = path.resolve(baseDir, sanitizedProcessor);
+    if (!resolved.startsWith(baseDir)) {
+        return { isValid: false, sanitized: processor };
+    }
+    return { isValid: true, sanitized: sanitizedProcessor };
+};
+export const withProcessorPathValidation = (handler) => {
+    return async (req, res) => {
+        try {
+            const data = req.data();
+            let processor = data['processor'];
+            if (!processor) {
+                return res.setStatus(400).json({
+                    error: 'Processor spec is required',
+                    code: 'MISSING_PROCESSOR_SPEC',
+                });
+            }
+            // Decode URL-encoded characters
+            processor = decodeProcessorPath(processor);
+            // Trim whitespace
+            processor = processor.trim();
+            const isUrl = isUrlSpec(processor);
+            let validation;
+            if (isUrl) {
+                validation = validateUrlSpec(processor);
+            }
+            else {
+                validation = validateRelativePath(processor);
+                if (validation.isValid) {
+                    const pathValidation = sanitizeAndResolvePath(processor);
+                    if (pathValidation.isValid) {
+                        processor = pathValidation.sanitized;
+                    }
+                    else {
+                        validation = {
+                            isValid: false,
+                            error: { error: 'Invalid processor path', code: 'INVALID_PROCESSOR_PATH_TRAVERSAL' },
+                        };
+                    }
+                }
+            }
+            if (!validation.isValid) {
+                return res.setStatus(400).json(validation.error);
+            }
+            const currentBody = req.getBody();
+            req.setBody({ ...currentBody, processor });
+            return handler(req, res);
+        }
+        catch (error) {
+            Logger.error('Processor path validation failed', error);
+            return res.setStatus(500).json({
+                error: 'Internal validation error',
+                code: 'VALIDATION_ERROR',
+            });
+        }
+    };
+};

package/packages/workers/src/http/middleware/QueueNameSanitizer.d.ts

@@ -0,0 +1,4 @@
+import { type IRequest, type IResponse } from '../../../../../src/index.js';
+export type RouteHandler = (req: IRequest, res: IResponse) => Promise<void> | void;
+export declare const withQueueNameValidation: (handler: RouteHandler) => RouteHandler;
+//# sourceMappingURL=QueueNameSanitizer.d.ts.map

package/packages/workers/src/http/middleware/QueueNameSanitizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"QueueNameSanitizer.d.ts","sourceRoot":"","sources":["../../../../../../packages/workers/src/http/middleware/QueueNameSanitizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAU,KAAK,QAAQ,EAAE,KAAK,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAEvE,MAAM,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AAInF,eAAO,MAAM,uBAAuB,GAAI,SAAS,YAAY,KAAG,YAgD/D,CAAC"}