lsh-framework 3.1.23 → 3.1.25

package/dist/lib/input-validator.js

@@ -1,318 +0,0 @@
-/**
- * Input Validation Utilities
- * Provides secure input validation for user-facing data
- */
-/**
- * Common disposable email domains that should be blocked for signups.
- * This is a minimal list - consider using a more comprehensive service
- * for production use.
- */
-const DISPOSABLE_EMAIL_DOMAINS = new Set([
-    'mailinator.com',
-    'guerrillamail.com',
-    'guerrillamail.org',
-    'tempmail.com',
-    'temp-mail.org',
-    '10minutemail.com',
-    'throwaway.email',
-    'fakeinbox.com',
-    'trashmail.com',
-    'yopmail.com',
-    'maildrop.cc',
-    'getnada.com',
-    'sharklasers.com',
-    'dispostable.com',
-    'mailnesia.com',
-]);
-/**
- * RFC 5322 compliant email regex (simplified but comprehensive).
- * Allows most valid email formats while rejecting clearly invalid ones.
- */
-const EMAIL_REGEX = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
-/**
- * Maximum email length per RFC 5321
- */
-const MAX_EMAIL_LENGTH = 254;
-/**
- * Maximum local part length per RFC 5321
- */
-const MAX_LOCAL_PART_LENGTH = 64;
-/**
- * Validate an email address.
- *
- * Performs the following checks:
- * 1. Not empty or whitespace-only
- * 2. Within length limits (254 chars total, 64 chars local part)
- * 3. Matches RFC 5322 email format
- * 4. Domain has at least one dot (e.g., rejects "user@localhost")
- * 5. Optionally blocks disposable email domains
- *
- * @param email - Email address to validate
- * @param options - Validation options
- * @returns Validation result with normalized email if valid
- *
- * @example
- * ```typescript
- * const result = validateEmail('User@Example.COM');
- * if (result.valid) {
- *   console.log(result.normalized); // 'user@example.com'
- * } else {
- *   console.error(result.message);
- * }
- * ```
- */
-export function validateEmail(email, options = {}) {
-    const { blockDisposable = false, requireTld = true } = options;
-    // Check for empty/null/undefined
-    if (!email || typeof email !== 'string') {
-        return {
-            valid: false,
-            error: 'EMPTY',
-            message: 'Email address is required',
-        };
-    }
-    // Trim whitespace
-    const trimmed = email.trim();
-    if (trimmed.length === 0) {
-        return {
-            valid: false,
-            error: 'EMPTY',
-            message: 'Email address is required',
-        };
-    }
-    // Check total length
-    if (trimmed.length > MAX_EMAIL_LENGTH) {
-        return {
-            valid: false,
-            error: 'TOO_LONG',
-            message: `Email address must be ${MAX_EMAIL_LENGTH} characters or less`,
-        };
-    }
-    // Split into local and domain parts
-    const atIndex = trimmed.lastIndexOf('@');
-    if (atIndex === -1) {
-        return {
-            valid: false,
-            error: 'INVALID_FORMAT',
-            message: 'Email address must contain @',
-        };
-    }
-    const localPart = trimmed.substring(0, atIndex);
-    const domain = trimmed.substring(atIndex + 1);
-    // Check local part length
-    if (localPart.length === 0) {
-        return {
-            valid: false,
-            error: 'INVALID_LOCAL_PART',
-            message: 'Email local part (before @) is required',
-        };
-    }
-    if (localPart.length > MAX_LOCAL_PART_LENGTH) {
-        return {
-            valid: false,
-            error: 'INVALID_LOCAL_PART',
-            message: `Email local part must be ${MAX_LOCAL_PART_LENGTH} characters or less`,
-        };
-    }
-    // Check domain
-    if (domain.length === 0) {
-        return {
-            valid: false,
-            error: 'INVALID_DOMAIN',
-            message: 'Email domain (after @) is required',
-        };
-    }
-    // Require TLD (at least one dot in domain)
-    if (requireTld && !domain.includes('.')) {
-        return {
-            valid: false,
-            error: 'DOMAIN_TOO_SHORT',
-            message: 'Email domain must include a valid TLD (e.g., .com, .org)',
-        };
-    }
-    // Check domain TLD length (must be at least 2 chars)
-    if (requireTld) {
-        const lastDot = domain.lastIndexOf('.');
-        const tld = domain.substring(lastDot + 1);
-        if (tld.length < 2) {
-            return {
-                valid: false,
-                error: 'DOMAIN_TOO_SHORT',
-                message: 'Email domain TLD must be at least 2 characters',
-            };
-        }
-    }
-    // Validate format with regex
-    if (!EMAIL_REGEX.test(trimmed)) {
-        return {
-            valid: false,
-            error: 'INVALID_FORMAT',
-            message: 'Email address format is invalid',
-        };
-    }
-    // Normalize to lowercase
-    const normalized = trimmed.toLowerCase();
-    const normalizedDomain = domain.toLowerCase();
-    // Check for disposable domains
-    if (blockDisposable && DISPOSABLE_EMAIL_DOMAINS.has(normalizedDomain)) {
-        return {
-            valid: false,
-            error: 'DISPOSABLE_DOMAIN',
-            message: 'Disposable email addresses are not allowed',
-        };
-    }
-    return {
-        valid: true,
-        normalized,
-    };
-}
-/**
- * Quick check if an email is valid (without detailed error info).
- *
- * @param email - Email to check
- * @returns true if valid, false otherwise
- */
-export function isValidEmail(email) {
-    return validateEmail(email).valid;
-}
-/**
- * Normalize an email address (lowercase, trimmed).
- * Returns null if email is invalid.
- *
- * @param email - Email to normalize
- * @returns Normalized email or null if invalid
- */
-export function normalizeEmail(email) {
-    const result = validateEmail(email);
-    return result.valid ? result.normalized : null;
-}
-/**
- * Common passwords to reject (minimal list - use larger database in production)
- */
-const COMMON_PASSWORDS = new Set([
-    'password',
-    'password1',
-    'password123',
-    '123456',
-    '12345678',
-    '123456789',
-    '1234567890',
-    'qwerty',
-    'qwerty123',
-    'letmein',
-    'welcome',
-    'admin',
-    'login',
-    'abc123',
-    'monkey',
-    'master',
-    'dragon',
-    'sunshine',
-    'princess',
-    'football',
-    'baseball',
-    'iloveyou',
-    'trustno1',
-    'superman',
-    'batman',
-]);
-/**
- * Minimum password length
- */
-const MIN_PASSWORD_LENGTH = 8;
-/**
- * Maximum password length (bcrypt has a 72-byte limit)
- */
-const MAX_PASSWORD_LENGTH = 72;
-/**
- * Validate a password against security requirements.
- *
- * Requirements:
- * - 8-72 characters
- * - At least one lowercase letter
- * - At least one uppercase letter
- * - At least one digit
- * - At least one special character
- * - Not a common password
- *
- * @param password - Password to validate
- * @param options - Validation options
- * @returns Validation result with strength score
- */
-export function validatePassword(password, options = {}) {
-    const { minLength = MIN_PASSWORD_LENGTH, requireUppercase = true, requireLowercase = true, requireDigit = true, requireSpecial = true, checkCommon = true, } = options;
-    const errors = [];
-    let strength = 0;
-    // Handle null/undefined
-    if (!password || typeof password !== 'string') {
-        return {
-            valid: false,
-            errors: ['TOO_SHORT'],
-            strength: 0,
-            strengthLabel: 'very_weak',
-        };
-    }
-    // Check length
-    if (password.length < minLength) {
-        errors.push('TOO_SHORT');
-    }
-    else {
-        strength++;
-    }
-    if (password.length > MAX_PASSWORD_LENGTH) {
-        errors.push('TOO_LONG');
-    }
-    // Check for lowercase
-    if (requireLowercase && !/[a-z]/.test(password)) {
-        errors.push('NO_LOWERCASE');
-    }
-    else if (/[a-z]/.test(password)) {
-        strength++;
-    }
-    // Check for uppercase
-    if (requireUppercase && !/[A-Z]/.test(password)) {
-        errors.push('NO_UPPERCASE');
-    }
-    else if (/[A-Z]/.test(password)) {
-        strength++;
-    }
-    // Check for digit
-    if (requireDigit && !/\d/.test(password)) {
-        errors.push('NO_DIGIT');
-    }
-    else if (/\d/.test(password)) {
-        strength++;
-    }
-    // Check for special character
-    if (requireSpecial && !/[!@#$%^&*()_+\-=[\]{};':"\\|,.<>/?`~]/.test(password)) {
-        errors.push('NO_SPECIAL');
-    }
-    // Check for common passwords
-    if (checkCommon && COMMON_PASSWORDS.has(password.toLowerCase())) {
-        errors.push('COMMON_PASSWORD');
-    }
-    // Cap strength at 4
-    const cappedStrength = Math.min(strength, 4);
-    const strengthLabels = {
-        0: 'very_weak',
-        1: 'weak',
-        2: 'fair',
-        3: 'strong',
-        4: 'very_strong',
-    };
-    return {
-        valid: errors.length === 0,
-        errors,
-        strength: cappedStrength,
-        strengthLabel: strengthLabels[cappedStrength],
-    };
-}
-/**
- * Quick check if a password meets minimum requirements.
- *
- * @param password - Password to check
- * @returns true if valid, false otherwise
- */
-export function isValidPassword(password) {
-    return validatePassword(password).valid;
-}

package/dist/lib/safe-eval.js

@@ -1,124 +0,0 @@
-/**
- * Safe Evaluation Utilities
- *
- * This module centralizes all intentional uses of the Function constructor
- * to provide a single, well-documented location for dynamic code execution.
- *
- * SECURITY NOTICE:
- * These utilities use the Function constructor which can execute arbitrary code.
- * They should ONLY be used in controlled scenarios where:
- * 1. Input is strictly validated/sanitized
- * 2. The execution context is understood
- * 3. There is no viable alternative (e.g., for runtime environment detection)
- *
- * Each function in this module documents its specific use case and security
- * considerations.
- */
-/**
- * Pattern matching only allowed mathematical expression characters.
- * Includes: digits, decimal points, basic operators, parentheses, whitespace,
- * and common math function names.
- */
-const SAFE_MATH_EXPRESSION_PATTERN = /^[\d\s+\-*/().%^eE,]+$|^(Math\.(abs|ceil|floor|round|sqrt|pow|min|max|random|sin|cos|tan|log|exp)|\d)+[\d\s+\-*/().%^eE,()]*$/;
-/**
- * Validate that a mathematical expression contains only safe characters.
- *
- * @param expression - The expression string to validate
- * @returns true if the expression is safe, false otherwise
- */
-export function isValidMathExpression(expression) {
-    // Empty or whitespace-only strings are invalid
-    if (!expression || !expression.trim()) {
-        return false;
-    }
-    // Check for dangerous patterns first
-    const dangerousPatterns = [
-        /\beval\b/i,
-        /\bFunction\b/i,
-        /\bimport\b/i,
-        /\brequire\b/i,
-        /\bglobalThis\b/i,
-        /\bwindow\b/i,
-        /\bprocess\b/i,
-        /\bconstructor\b/i,
-        /\bprototype\b/i,
-        /\b__proto__\b/i,
-        /\[\s*['"]/, // Property access with string literals
-        /['"`]/, // String literals
-    ];
-    for (const pattern of dangerousPatterns) {
-        if (pattern.test(expression)) {
-            return false;
-        }
-    }
-    // Check that expression only contains allowed characters
-    return SAFE_MATH_EXPRESSION_PATTERN.test(expression.trim());
-}
-/**
- * Safely evaluate a mathematical expression.
- *
- * SECURITY: This function uses the Function constructor for dynamic evaluation.
- * It MUST only be called with validated input from isValidMathExpression().
- *
- * Use case: Calculator functionality requiring dynamic expression evaluation
- * Alternative considered: Using a proper expression parser library (recommended
- * for production with complex expressions)
- *
- * @param expression - A pre-validated mathematical expression
- * @returns The numeric result of the expression
- * @throws Error if evaluation fails or result is not a valid number
- *
- * @example
- * ```typescript
- * if (isValidMathExpression(expr)) {
- *   const result = evaluateMathExpression(expr);
- * }
- * ```
- */
-export function evaluateMathExpression(expression) {
-    // Double-check validation (defense in depth)
-    if (!isValidMathExpression(expression)) {
-        throw new Error('Invalid mathematical expression');
-    }
-    try {
-        // eslint-disable-next-line no-new-func
-        const func = new Function(`"use strict"; return (${expression})`);
-        const result = func();
-        if (typeof result !== 'number' || !isFinite(result)) {
-            throw new Error('Expression did not evaluate to a finite number');
-        }
-        return result;
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        throw new Error(`Expression evaluation failed: ${message}`);
-    }
-}
-/**
- * Check if the current module is the main entry point (ESM-compatible).
- *
- * SECURITY: This function uses the Function constructor to access import.meta.url
- * in a way that's compatible with both ESM and CommonJS environments without
- * causing parse-time errors.
- *
- * Use case: Runtime environment detection for CLI entry points
- * Why Function constructor: import.meta syntax causes parse errors in CommonJS/Jest
- * Alternative: Separate entry point files (increases maintenance burden)
- *
- * @returns true if running as main module, false otherwise
- */
-export function isMainModule() {
-    try {
-        // Use Function constructor to avoid parse-time errors with import.meta in CommonJS/Jest.
-        // This is a well-known pattern for ESM/CJS interoperability.
-        // The constructed function only accesses import.meta.url which is safe.
-        // eslint-disable-next-line no-new-func
-        const getImportMetaUrl = new Function('return import.meta.url');
-        const metaUrl = getImportMetaUrl();
-        return metaUrl === `file://${process.argv[1]}`;
-    }
-    catch {
-        // In CommonJS or environments where import.meta is not available
-        return false;
-    }
-}