hppx 0.1.5 → 0.1.7
- package/package.json +2 -1
- package/src/index.d.cts +70 -0
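--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "hppx",
-"version": "0.1.
+"version": "0.1.7",
 "description": "Superior HTTP Parameter Pollution protection middleware with modern TypeScript, robust sanitizer, and extensive tests.",
 "license": "MIT",
 "author": "Hiprax",
@@ -25,6 +25,7 @@
 },
 "files": [
 "dist",
+"src/index.d.cts",
 "README.md",
 "LICENSE"
 ],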
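--- a/package/src/index.d.cts
+++ b/package/src/index.d.cts
@@ -0,0 +1,70 @@
+/**
+* hppx — Superior HTTP Parameter Pollution protection middleware
+*
+* - Protects against parameter and prototype pollution
+* - Supports nested whitelists via dot-notation and leaf matching
+* - Merge strategies: keepFirst | keepLast | combine
+* - Multiple middleware compatibility: arrays are "put aside" once and selectively restored
+* - Exposes req.queryPolluted / req.bodyPolluted / req.paramsPolluted
+* - TypeScript-first API
+*/
+
+type RequestSource = "query" | "body" | "params";
+type MergeStrategy = "keepFirst" | "keepLast" | "combine";
+
+interface SanitizeOptions {
+whitelist?: string[] | string;
+mergeStrategy?: MergeStrategy;
+maxDepth?: number;
+maxKeys?: number;
+maxArrayLength?: number;
+maxKeyLength?: number;
+trimValues?: boolean;
+preserveNull?: boolean;
+}
+
+interface HppxOptions extends SanitizeOptions {
+sources?: RequestSource[];
+/** When to process req.body */
+checkBodyContentType?: "urlencoded" | "any" | "none";
+excludePaths?: string[];
+strict?: boolean;
+onPollutionDetected?: (
+req: Record<string, unknown>,
+info: {
+source: RequestSource;
+pollutedKeys: string[];
+},
+) => void;
+logger?: (err: Error | unknown) => void;
+/** Enable logging when pollution is detected (default: true) */
+logPollution?: boolean;
+}
+
+interface SanitizedResult<T> {
+cleaned: T;
+pollutedTree: Record<string, unknown>;
+pollutedKeys: string[];
+}
+
+type ExpressLikeNext = (err?: unknown) => void;
+
+/**
+* Main hppx middleware function
+*/
+declare function hppx(options?: HppxOptions): (req: any, res: any, next: ExpressLikeNext) => any;
+
+declare namespace hppx {
+export type { RequestSource, MergeStrategy, SanitizeOptions, HppxOptions, SanitizedResult };
+
+export function sanitize<T extends Record<string, unknown>>(
+input: T,
+options?: SanitizeOptions,
+): T;
+
+export const DANGEROUS_KEYS: Set<string>;
+export const DEFAULT_SOURCES: RequestSource[];
+export const DEFAULT_STRATEGY: MergeStrategy;
+}
+
+export = hppx;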
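Review bot: `export type { RequestSource, MergeStrategy, SanitizeOptions, HppxOptions, SanitizedResult };` inside `declare namespace hppx` (line 58 of the new file) is an export list, and tsc rejects export lists inside a namespace ("Export declarations are not permitted in a namespace"), so as far as I can tell none of these types is reachable through the `export = hppx` surface and a consumer cannot write `hppx.HppxOptions`. Declaring the aliases and interfaces inside the namespace with `export` modifiers fixes this; the rewrite is sketched below. Separately, the middleware signature on line 55 types `req`, `res` and the return value as `any` while `onPollutionDetected` on line 33 types `req` as `Record<string, unknown>`, and `Error | unknown` on line 39 collapses to plain `unknown`. `DANGEROUS_KEYS: Set<string>` also advertises a mutable set: `export const DANGEROUS_KEYS: ReadonlySet<string>;` stops consumers from adding to or deleting from the prototype-pollution key list at compile time (whether the runtime set is frozen cannot be seen from this file).
```typescript
declare namespace hppx {
  export type RequestSource = "query" | "body" | "params";
  export type MergeStrategy = "keepFirst" | "keepLast" | "combine";
  export interface SanitizeOptions {
    // … unchanged: SanitizeOptions members …
  }
  export interface HppxOptions extends SanitizeOptions {
    // … unchanged: HppxOptions members …
    logger?: (err: unknown) => void;
  }
  export interface SanitizedResult<T> {
    // … unchanged: SanitizedResult members …
  }
  export function sanitize<T extends Record<string, unknown>>(input: T, options?: SanitizeOptions): T;
  export const DANGEROUS_KEYS: ReadonlySet<string>;
  // … unchanged: DEFAULT_SOURCES, DEFAULT_STRATEGY …
}
```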