mastercontroller 1.3.21 → 1.3.23
- package/MasterRouter.js +14 -7
- package/error/MasterErrorHandler.js +2 -1
- package/package.json +1 -1
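--- a/package/MasterRouter.js
+++ b/package/MasterRouter.js
@@ -124,14 +124,18 @@ const ROUTER_CONFIG = {
 return paramValue;
 }
 
+// Fast path: skip expensive regex checks for simple alphanumeric values
+if (/^[a-zA-Z0-9_-]+$/.test(paramValue)) {
+return paramValue;
+}
+
 // Check for path traversal attempts
 const pathCheck = detectPathTraversal(paramValue);
 if (!pathCheck.safe) {
 logger.warn({
 code: 'MC_SECURITY_PATH_TRAVERSAL',
 message: 'Path traversal attempt detected in route parameter',
-param: paramName,
-value: paramValue
+context: { param: paramName, value: paramValue }
 });
 
 // Remove dangerous content
@@ -144,8 +148,7 @@ const ROUTER_CONFIG = {
 logger.warn({
 code: 'MC_SECURITY_SQL_INJECTION',
 message: 'SQL injection attempt detected in route parameter',
-param: paramName,
-value: paramValue
+context: { param: paramName, value: paramValue }
 });
 
 // Escape to prevent injection
@@ -158,8 +161,7 @@ const ROUTER_CONFIG = {
 logger.warn({
 code: 'MC_SECURITY_COMMAND_INJECTION',
 message: 'Command injection attempt detected in route parameter',
-param: paramName,
-value: paramValue
+context: { param: paramName, value: paramValue }
 });
 
 // Remove dangerous characters
@@ -810,7 +812,7 @@ class MasterRouter {
 const control = new Control(requestObject);
 const _callEmit = new EventEmitter();
 
-_callEmit.
+_callEmit.once(EVENT_NAMES.CONTROLLER, function(){
 try {
 control.next = function(){
 control.__callAfterAction(control, requestObject);
@@ -961,6 +963,11 @@ class MasterRouter {
 throw new TypeError('Request object must have a valid type (HTTP method)');
 }
 
+// Skip route processing for OPTIONS requests already handled by CORS middleware
+if (rr.type.toLowerCase() === 'options' && (rr.response.headersSent || rr.response._headerSent)) {
+return;
+}
+
 const $that = this;
 // FIX: Use direct reference instead of Object.create() to preserve request/response objects
 // Object.create() puts properties on prototype, causing undefined access issues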
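--- a/package/error/MasterErrorHandler.js
+++ b/package/error/MasterErrorHandler.js
@@ -75,7 +75,8 @@ const ERROR_CODES = {
 * Levenshtein distance for "Did you mean?" suggestions
 */
 function levenshteinDistance(str1, str2) {
-// Guard against
+// Guard against non-strings (objects, regex, undefined) and extremely long paths
+if (typeof str1 !== 'string' || typeof str2 !== 'string') return Infinity;
 if (str1.length > 200 || str2.length > 200) return Infinity;
 const len1 = str1.length;
 const len2 = str2.length;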
package/package.json
CHANGED