hppx 0.1.4 → 0.1.6
- package/dist/index.cjs +1 -0
- package/package.json +2 -1
- package/src/index.d.cts +74 -0
package/dist/index.cjs
CHANGED
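--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "hppx",
-"version": "0.1.
+"version": "0.1.6",
 "description": "Superior HTTP Parameter Pollution protection middleware with modern TypeScript, robust sanitizer, and extensive tests.",
 "license": "MIT",
 "author": "Hiprax",
@@ -25,6 +25,7 @@
 },
 "files": [
 "dist",
+"src/index.d.cts",
 "README.md",
 "LICENSE"
 ],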
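Review bot: Adding `src/index.d.cts` to `files` ships the declarations but nothing in this hunk wires them up — no `types` field or `exports[...].types` condition is visible, and a `.d.cts` under `src/` is not resolved automatically for a runtime entry that lives in `dist/`. Either confirm elsewhere in package.json that `"types": "./src/index.d.cts"` (or the matching `exports` condition) is set, or emit the file as `dist/index.d.cts` next to `index.cjs`, where TypeScript picks it up for the `require` entry without extra configuration. The rest of package.json is outside this hunk, so this is an assumption to verify rather than a confirmed gap.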
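--- /dev/null
+++ b/package/src/index.d.cts
@@ -0,0 +1,74 @@
+/**
+* hppx — Superior HTTP Parameter Pollution protection middleware
+*
+* - Protects against parameter and prototype pollution
+* - Supports nested whitelists via dot-notation and leaf matching
+* - Merge strategies: keepFirst | keepLast | combine
+* - Multiple middleware compatibility: arrays are "put aside" once and selectively restored
+* - Exposes req.queryPolluted / req.bodyPolluted / req.paramsPolluted
+* - TypeScript-first API
+*/
+
+export type RequestSource = "query" | "body" | "params";
+export type MergeStrategy = "keepFirst" | "keepLast" | "combine";
+
+export interface SanitizeOptions {
+whitelist?: string[] | string;
+mergeStrategy?: MergeStrategy;
+maxDepth?: number;
+maxKeys?: number;
+maxArrayLength?: number;
+maxKeyLength?: number;
+trimValues?: boolean;
+preserveNull?: boolean;
+}
+
+export interface HppxOptions extends SanitizeOptions {
+sources?: RequestSource[];
+/** When to process req.body */
+checkBodyContentType?: "urlencoded" | "any" | "none";
+excludePaths?: string[];
+strict?: boolean;
+onPollutionDetected?: (
+req: Record<string, unknown>,
+info: {
+source: RequestSource;
+pollutedKeys: string[];
+},
+) => void;
+logger?: (err: Error | unknown) => void;
+/** Enable logging when pollution is detected (default: true) */
+logPollution?: boolean;
+}
+
+export interface SanitizedResult<T> {
+cleaned: T;
+pollutedTree: Record<string, unknown>;
+pollutedKeys: string[];
+}
+
+export declare const DEFAULT_SOURCES: RequestSource[];
+export declare const DEFAULT_STRATEGY: MergeStrategy;
+export declare const DANGEROUS_KEYS: Set<string>;
+
+export declare function sanitize<T extends Record<string, unknown>>(
+input: T,
+options?: SanitizeOptions,
+): T;
+
+type ExpressLikeNext = (err?: unknown) => void;
+
+/**
+* Main hppx middleware function with named exports attached
+*/
+interface HppxFunction {
+(options?: HppxOptions): (req: any, res: any, next: ExpressLikeNext) => any;
+sanitize: typeof sanitize;
+DANGEROUS_KEYS: typeof DANGEROUS_KEYS;
+DEFAULT_SOURCES: typeof DEFAULT_SOURCES;
+DEFAULT_STRATEGY: typeof DEFAULT_STRATEGY;
+}
+
+declare const hppx: HppxFunction;
+
+export = hppx;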
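Review bot: `DANGEROUS_KEYS` is declared as a mutable `Set<string>` (and re-exposed on `HppxFunction`), so any consumer or co-installed dependency can `.delete()` an entry and silently weaken the prototype-pollution filter for the whole process; the declaration should read `export declare const DANGEROUS_KEYS: ReadonlySet<string>;`, and the runtime value in dist/index.cjs (not shown here) should presumably be frozen or copied before use. The same applies to `DEFAULT_SOURCES: RequestSource[]`, which should be `readonly RequestSource[]`. The limit options `maxDepth`, `maxKeys`, `maxArrayLength` and `maxKeyLength` carry no documented defaults, so a reader cannot tell whether parsing is bounded when they are omitted; each deserves a `/** … (default: N) */` comment in the style `logPollution` already has. `excludePaths` and `strict` are likewise undocumented — whether exclusion is an exact-path or prefix match decides whether a caller-chosen URL can skip sanitization, so that semantics belongs in the doc comment. Finally, `SanitizedResult<T>` is exported but nothing in this file returns it (`sanitize` returns `T`), which suggests either a missing declaration or a dead type.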