hppx 0.1.8 → 0.2.2

package/dist/index.mjs

@@ -2,6 +2,7 @@
 var DEFAULT_SOURCES = ["query", "body", "params"];
 var DEFAULT_STRATEGY = "keepLast";
 var DANGEROUS_KEYS = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
+var FORBIDDEN_KEY_CHARS = /[\u0000-\u001F\u007F-\u009F\u200E\u200F\u202A-\u202E\u2066-\u2069\uFEFF]/;
 function isPlainObject(value) {
   if (value === null || typeof value !== "object") return false;
   const proto = Object.getPrototypeOf(value);
@@ -10,47 +11,65 @@ function isPlainObject(value) {
 function sanitizeKey(key, maxKeyLength) {
   if (typeof key !== "string") return null;
   if (DANGEROUS_KEYS.has(key)) return null;
-  if (key.includes("\0")) return null;
+  if (FORBIDDEN_KEY_CHARS.test(key)) return null;
   const maxLen = maxKeyLength ?? 200;
   if (key.length > maxLen) return null;
   if (key.length > 1 && /^[.\[\]]+$/.test(key)) return null;
   return key;
 }
+var PATH_SEGMENT_CACHE_LIMIT = 500;
 var pathSegmentCache = /* @__PURE__ */ new Map();
 function parsePathSegments(key) {
   const cached = pathSegmentCache.get(key);
   if (cached) return cached;
   const dotted = key.replace(/\]/g, "").replace(/\[/g, ".");
   const result = dotted.split(".").filter((s) => s.length > 0);
-  if (pathSegmentCache.size < 500) {
-    pathSegmentCache.set(key, result);
+  if (pathSegmentCache.size >= PATH_SEGMENT_CACHE_LIMIT) {
+    pathSegmentCache.clear();
   }
+  pathSegmentCache.set(key, result);
   return result;
 }
-function expandObjectPaths(obj, maxKeyLength) {
-  const result = {};
-  for (const rawKey of Object.keys(obj)) {
-    const safeKey = sanitizeKey(rawKey, maxKeyLength);
-    if (!safeKey) continue;
-    const value = obj[rawKey];
-    const expandedValue = isPlainObject(value) ? expandObjectPaths(value, maxKeyLength) : value;
-    if (safeKey.includes(".") || safeKey.includes("[")) {
-      const segments = parsePathSegments(safeKey);
-      if (segments.length > 0) {
-        setIn(result, segments, expandedValue);
-        continue;
+function __resetPathSegmentCache() {
+  pathSegmentCache.clear();
+}
+function expandObjectPaths(obj, maxKeyLength, maxDepth = 20, currentDepth = 0, seen) {
+  if (currentDepth > maxDepth) {
+    throw new Error(`Maximum object depth (${maxDepth}) exceeded`);
+  }
+  const seenSet = seen ?? /* @__PURE__ */ new WeakSet();
+  if (seenSet.has(obj)) return {};
+  seenSet.add(obj);
+  try {
+    const result = {};
+    for (const rawKey of Object.keys(obj)) {
+      const safeKey = sanitizeKey(rawKey, maxKeyLength);
+      if (!safeKey) continue;
+      const value = obj[rawKey];
+      const expandedValue = isPlainObject(value) ? expandObjectPaths(
+        value,
+        maxKeyLength,
+        maxDepth,
+        currentDepth + 1,
+        seenSet
+      ) : value;
+      if (safeKey.includes(".") || safeKey.includes("[")) {
+        const segments = parsePathSegments(safeKey);
+        if (segments.length > 0) {
+          setIn(result, segments, expandedValue);
+          continue;
+        }
       }
+      result[safeKey] = expandedValue;
     }
-    result[safeKey] = expandedValue;
+    return result;
+  } finally {
+    seenSet.delete(obj);
   }
-  return result;
 }
-function setReqPropertySafe(target, key, value) {
+function setReqPropertySafe(target, key, value, onFailure) {
   try {
     const desc = Object.getOwnPropertyDescriptor(target, key);
-    if (desc && desc.configurable === false && desc.writable === false) {
-      return;
-    }
     if (!desc || desc.configurable !== false) {
       Object.defineProperty(target, key, {
         value,
@@ -58,28 +77,79 @@ function setReqPropertySafe(target, key, value) {
         configurable: true,
         enumerable: true
       });
-      return;
+      return true;
+    }
+    if (desc.writable) {
+      target[key] = value;
+      return true;
+    }
+    try {
+      target[key] = value;
+      if (target[key] === value) return true;
+    } catch (_assignErr) {
+    }
+    if (onFailure) {
+      onFailure(
+        `[hppx] Could not write sanitized value to req.${key}: property is non-configurable and non-writable. The original (potentially polluted) value remains on req.${key}.`
+      );
+    }
+    return false;
+  } catch (_definePropErr) {
+    try {
+      target[key] = value;
+      if (target[key] === value) return true;
+    } catch (_assignErr) {
+    }
+    {
+      if (onFailure) {
+        onFailure(`[hppx] Could not write sanitized value to req.${key}: defineProperty failed.`);
+      }
+      return false;
     }
-  } catch (_) {
-  }
-  try {
-    target[key] = value;
-  } catch (_) {
   }
 }
-function safeDeepClone(input, maxKeyLength, maxArrayLength) {
+function safeDeepClone(input, maxKeyLength, maxArrayLength, maxDepth = 20, currentDepth = 0, seen) {
   if (Array.isArray(input)) {
-    const limit = maxArrayLength ?? 1e3;
-    const limited = input.slice(0, limit);
-    return limited.map((v) => safeDeepClone(v, maxKeyLength, maxArrayLength));
+    if (currentDepth > maxDepth) {
+      throw new Error(`Maximum object depth (${maxDepth}) exceeded`);
+    }
+    const seenSet = seen ?? /* @__PURE__ */ new WeakSet();
+    if (seenSet.has(input)) return [];
+    seenSet.add(input);
+    try {
+      const limit = maxArrayLength ?? 1e3;
+      const limited = input.slice(0, limit);
+      return limited.map(
+        (v) => safeDeepClone(v, maxKeyLength, maxArrayLength, maxDepth, currentDepth + 1, seenSet)
+      );
+    } finally {
+      seenSet.delete(input);
+    }
   }
   if (isPlainObject(input)) {
-    const out = {};
-    for (const k of Object.keys(input)) {
-      if (!sanitizeKey(k, maxKeyLength)) continue;
-      out[k] = safeDeepClone(input[k], maxKeyLength, maxArrayLength);
+    if (currentDepth > maxDepth) {
+      throw new Error(`Maximum object depth (${maxDepth}) exceeded`);
+    }
+    const seenSet = seen ?? /* @__PURE__ */ new WeakSet();
+    if (seenSet.has(input)) return {};
+    seenSet.add(input);
+    try {
+      const out = {};
+      for (const k of Object.keys(input)) {
+        if (!sanitizeKey(k, maxKeyLength)) continue;
+        out[k] = safeDeepClone(
+          input[k],
+          maxKeyLength,
+          maxArrayLength,
+          maxDepth,
+          currentDepth + 1,
+          seenSet
+        );
+      }
+      return out;
+    } finally {
+      seenSet.delete(input);
     }
-    return out;
   }
   return input;
 }
@@ -95,8 +165,15 @@ function mergeValues(values, strategy) {
         else acc.push(v);
         return acc;
       }, []);
-    default:
-      return values[values.length - 1];
+    /* istanbul ignore next -- exhaustiveness check unreachable from outside:
+       validateSanitizeOptions rejects every non-listed strategy at construction
+       time, so the only way to reach this branch is a programmer error (a new
+       MergeStrategy union member added without updating this switch). Failing
+       loudly here is preferable to a silent fallback. */
+    default: {
+      const _exhaustive = strategy;
+      throw new Error(`Unknown mergeStrategy: ${_exhaustive}`);
+    }
   }
 }
 function isUrlEncodedContentType(req) {
@@ -120,6 +197,7 @@ function normalizeWhitelist(whitelist) {
   if (typeof whitelist === "string") return [whitelist];
   return whitelist.filter((w) => typeof w === "string");
 }
+var WHITELIST_PATH_CACHE_LIMIT = 1e3;
 function buildWhitelistHelpers(whitelist) {
   const exact = new Set(whitelist);
   const prefixes = whitelist.filter((w) => w.length > 0);
@@ -145,9 +223,10 @@ function buildWhitelistHelpers(whitelist) {
           }
         }
       }
-      if (pathCache.size < 1e3) {
-        pathCache.set(full, result);
+      if (pathCache.size >= WHITELIST_PATH_CACHE_LIMIT) {
+        pathCache.clear();
       }
+      pathCache.set(full, result);
       return result;
     }
   };
@@ -195,20 +274,18 @@ function moveWhitelistedFromPolluted(reqPart, polluted, isWhitelisted) {
 function detectAndReduce(input, opts) {
   let keyCount = 0;
   const polluted = {};
-  const pollutedKeys = [];
-  function processNode(node, path = [], depth = 0) {
-    if (node === null || node === void 0) return opts.preserveNull ? node : node;
+  const pollutedKeysSet = /* @__PURE__ */ new Set();
+  const cloned = safeDeepClone(input, opts.maxKeyLength, opts.maxArrayLength, opts.maxDepth);
+  function processNode(node, path = [], depth = 0, inArray = false) {
+    if (node === null) return opts.preserveNull ? null : void 0;
+    if (node === void 0) return node;
     if (Array.isArray(node)) {
-      const limit = opts.maxArrayLength ?? 1e3;
-      const limitedNode = node.slice(0, limit);
-      const mapped = limitedNode.map((v) => processNode(v, path, depth));
-      if (opts.mergeStrategy === "combine") {
-        return mergeValues(mapped, "combine");
+      const mapped = node.map((v) => processNode(v, path, depth, true));
+      if (!inArray) {
+        setIn(polluted, path, node);
+        pollutedKeysSet.add(path.join("."));
       }
-      setIn(polluted, path, safeDeepClone(limitedNode, opts.maxKeyLength, opts.maxArrayLength));
-      pollutedKeys.push(path.join("."));
-      const reduced = mergeValues(mapped, opts.mergeStrategy);
-      return reduced;
+      return mergeValues(mapped, opts.mergeStrategy);
     }
     if (isPlainObject(node)) {
       if (depth > opts.maxDepth)
@@ -223,7 +300,7 @@ function detectAndReduce(input, opts) {
         if (!safeKey) continue;
         const child = node[rawKey];
         const childPath = path.concat([safeKey]);
-        let value = processNode(child, childPath, depth + 1);
+        let value = processNode(child, childPath, depth + 1, false);
         if (typeof value === "string" && opts.trimValues) value = value.trim();
         out[safeKey] = value;
       }
@@ -231,13 +308,14 @@ function detectAndReduce(input, opts) {
     }
     return node;
   }
-  const cloned = safeDeepClone(input, opts.maxKeyLength, opts.maxArrayLength);
-  const cleaned = processNode(cloned, [], 0);
-  return { cleaned, pollutedTree: polluted, pollutedKeys };
+  const cleaned = processNode(cloned, [], 0, false);
+  return { cleaned, pollutedTree: polluted, pollutedKeys: Array.from(pollutedKeysSet) };
 }
 function sanitize(input, options = {}) {
+  validateSanitizeOptions(options);
   const maxKeyLength = options.maxKeyLength ?? 200;
-  const expandedInput = isPlainObject(input) ? expandObjectPaths(input, maxKeyLength) : input;
+  const maxDepthVal = options.maxDepth ?? 20;
+  const expandedInput = isPlainObject(input) ? expandObjectPaths(input, maxKeyLength, maxDepthVal) : input;
   const whitelist = normalizeWhitelist(options.whitelist);
   const { isWhitelistedPath } = buildWhitelistHelpers(whitelist);
   const {
@@ -260,7 +338,7 @@ function sanitize(input, options = {}) {
   moveWhitelistedFromPolluted(cleaned, pollutedTree, isWhitelistedPath);
   return cleaned;
 }
-function validateOptions(options) {
+function validateSanitizeOptions(options) {
   if (options.maxDepth !== void 0 && (typeof options.maxDepth !== "number" || options.maxDepth < 1 || options.maxDepth > 100)) {
     throw new TypeError("maxDepth must be a number between 1 and 100");
   }
@@ -276,10 +354,34 @@ function validateOptions(options) {
   if (options.mergeStrategy !== void 0 && !["keepFirst", "keepLast", "combine"].includes(options.mergeStrategy)) {
     throw new TypeError("mergeStrategy must be 'keepFirst', 'keepLast', or 'combine'");
   }
+  if (options.trimValues !== void 0 && typeof options.trimValues !== "boolean") {
+    throw new TypeError("trimValues must be a boolean");
+  }
+  if (options.preserveNull !== void 0 && typeof options.preserveNull !== "boolean") {
+    throw new TypeError("preserveNull must be a boolean");
+  }
+  if (options.whitelist !== void 0) {
+    if (typeof options.whitelist !== "string" && !Array.isArray(options.whitelist)) {
+      throw new TypeError("whitelist must be a string or an array of strings");
+    }
+    if (Array.isArray(options.whitelist)) {
+      for (const entry of options.whitelist) {
+        if (typeof entry !== "string") {
+          throw new TypeError("whitelist must be a string or an array of strings");
+        }
+      }
+    }
+  }
+}
+function validateOptions(options) {
+  validateSanitizeOptions(options);
   if (options.sources !== void 0 && !Array.isArray(options.sources)) {
     throw new TypeError("sources must be an array");
   }
   if (options.sources !== void 0) {
+    if (options.sources.length === 0) {
+      throw new TypeError("sources must contain at least one of 'query', 'body', 'params'");
+    }
     for (const source of options.sources) {
       if (!["query", "body", "params"].includes(source)) {
         throw new TypeError("sources must only contain 'query', 'body', or 'params'");
@@ -289,8 +391,27 @@ function validateOptions(options) {
   if (options.checkBodyContentType !== void 0 && !["urlencoded", "any", "none"].includes(options.checkBodyContentType)) {
     throw new TypeError("checkBodyContentType must be 'urlencoded', 'any', or 'none'");
   }
-  if (options.excludePaths !== void 0 && !Array.isArray(options.excludePaths)) {
-    throw new TypeError("excludePaths must be an array");
+  if (options.excludePaths !== void 0) {
+    if (!Array.isArray(options.excludePaths)) {
+      throw new TypeError("excludePaths must be an array");
+    }
+    for (const entry of options.excludePaths) {
+      if (typeof entry !== "string") {
+        throw new TypeError("excludePaths must contain only strings");
+      }
+    }
+  }
+  if (options.logger !== void 0 && typeof options.logger !== "function") {
+    throw new TypeError("logger must be a function");
+  }
+  if (options.onPollutionDetected !== void 0 && typeof options.onPollutionDetected !== "function") {
+    throw new TypeError("onPollutionDetected must be a function");
+  }
+  if (options.strict !== void 0 && typeof options.strict !== "boolean") {
+    throw new TypeError("strict must be a boolean");
+  }
+  if (options.logPollution !== void 0 && typeof options.logPollution !== "boolean") {
+    throw new TypeError("logPollution must be a boolean");
   }
 }
 function hppx(options = {}) {
@@ -316,9 +437,39 @@ function hppx(options = {}) {
   const { isWhitelistedPath } = buildWhitelistHelpers(whitelistArr);
   return function hppxMiddleware(req, res, next) {
     try {
-      if (shouldExcludePath(req?.path, excludePaths)) return next();
+      let pathForExclusion;
+      try {
+        pathForExclusion = req?.path;
+      } catch (pathErr) {
+        const message = `[hppx] Failed to read req.path during exclusion check; proceeding without path-based exclusion. Underlying error: ${pathErr instanceof Error ? pathErr.message : String(pathErr)}`;
+        if (logger) {
+          try {
+            logger(message);
+          } catch (_) {
+            console.warn(message);
+          }
+        } else {
+          console.warn(message);
+        }
+        pathForExclusion = void 0;
+      }
+      if (shouldExcludePath(pathForExclusion, excludePaths)) return next();
       let anyPollutionDetected = false;
       const allPollutedKeys = [];
+      const warned = /* @__PURE__ */ new Set();
+      const warn = (message) => {
+        if (warned.has(message)) return;
+        warned.add(message);
+        if (logger) {
+          try {
+            logger(message);
+          } catch (_) {
+            console.warn(message);
+          }
+        } else {
+          console.warn(message);
+        }
+      };
       for (const source of sources) {
         if (!req || typeof req !== "object") break;
         if (req[source] === void 0) continue;
@@ -328,10 +479,10 @@ function hppx(options = {}) {
         }
         const part = req[source];
         if (!isPlainObject(part)) continue;
-        const expandedPart = expandObjectPaths(part, maxKeyLength);
+        const expandedPart = expandObjectPaths(part, maxKeyLength, maxDepth);
         const pollutedKey = `${source}Polluted`;
         const processedKey = `__hppxProcessed_${source}`;
-        const hasProcessedBefore = Boolean(req[processedKey]);
+        const hasProcessedBefore = Object.prototype.hasOwnProperty.call(req, processedKey);
         if (!hasProcessedBefore) {
           const { cleaned, pollutedTree, pollutedKeys } = detectAndReduce(expandedPart, {
             mergeStrategy,
@@ -342,9 +493,21 @@ function hppx(options = {}) {
             trimValues,
             preserveNull
           });
-          setReqPropertySafe(req, source, cleaned);
-          setReqPropertySafe(req, pollutedKey, pollutedTree);
-          req[processedKey] = true;
+          setReqPropertySafe(req, source, cleaned, warn);
+          setReqPropertySafe(req, pollutedKey, pollutedTree, warn);
+          try {
+            Object.defineProperty(req, processedKey, {
+              value: true,
+              writable: false,
+              configurable: false,
+              enumerable: false
+            });
+          } catch (_) {
+            try {
+              req[processedKey] = true;
+            } catch (_assignErr) {
+            }
+          }
           const sourceData = req[source];
           const pollutedData = req[pollutedKey];
           if (isPlainObject(sourceData) && isPlainObject(pollutedData)) {
@@ -411,10 +574,8 @@ function hppx(options = {}) {
         try {
           logger(error);
         } catch (logErr) {
-          if (process.env.NODE_ENV !== "production") {
-            console.error("[hppx] Logger failed:", logErr);
-            console.error("[hppx] Original error:", error);
-          }
+          console.error("[hppx] Logger failed:", logErr);
+          console.error("[hppx] Original error:", error);
         }
       }
       return next(error);
@@ -425,6 +586,7 @@ export {
   DANGEROUS_KEYS,
   DEFAULT_SOURCES,
   DEFAULT_STRATEGY,
+  __resetPathSegmentCache,
   hppx as default,
   sanitize
 };