npm - mastercontroller - Versions diffs - 1.3.8 → 1.3.10 - Mend

mastercontroller 1.3.8 → 1.3.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/.claude/settings.local.json +4 -1
package/FIXES_APPLIED.md +378 -0
package/MasterAction.js +10 -263
package/MasterControl.js +128 -27
package/MasterRequest.js +6 -0
package/MasterRouter.js +27 -32
package/PERFORMANCE_SECURITY_AUDIT.md +677 -0
package/README.md +117 -43
package/monitoring/README.md +3112 -0
package/package.json +1 -1
package/security/README.md +1805 -0
package/test-raw-body-preservation.js +128 -0
package/MasterCors.js.tmp +0 -0
package/MasterHtml.js +0 -649
package/MasterPipeline.js.tmp +0 -0
package/MasterRequest.js.tmp +0 -0
package/MasterRouter.js.tmp +0 -0
package/MasterSocket.js.tmp +0 -0
package/MasterTemp.js.tmp +0 -0
package/MasterTemplate.js +0 -230
package/MasterTimeout.js.tmp +0 -0
package/TemplateOverwrite.js +0 -41
package/TemplateOverwrite.js.tmp +0 -0
package/ssr/hydration-client.js +0 -93
package/ssr/runtime-ssr.cjs +0 -553
package/ssr/ssr-shims.js +0 -73

package/MasterControl.js CHANGED Viewed

@@ -67,6 +67,7 @@ class MasterControl {
     _hstsMaxAge = 31536000 // 1 year default
     _hstsIncludeSubDomains = true
     _hstsPreload = false
+    _viewEngine = null // Pluggable view engine (MasterView, EJS, Pug, etc.)
     #loadTransientListClasses(name, params){
         Object.defineProperty(this.requestList, name, {
@@ -124,35 +125,127 @@ class MasterControl {
         }
     }
+    /**
+     * Initialize prototype pollution protection
+     * SECURITY: Prevents malicious modification of Object/Array prototypes
+     */
+    _initPrototypePollutionProtection() {
+        // Only freeze in production to allow for easier debugging in development
+        const isProduction = process.env.NODE_ENV === 'production';
+        if (isProduction) {
+            // Freeze prototypes to prevent prototype pollution attacks
+            try {
+                Object.freeze(Object.prototype);
+                Object.freeze(Array.prototype);
+                Object.freeze(Function.prototype);
+                logger.info({
+                    code: 'MC_SECURITY_PROTOTYPE_FROZEN',
+                    message: 'Prototypes frozen in production mode for security'
+                });
+            } catch (err) {
+                logger.warn({
+                    code: 'MC_SECURITY_FREEZE_FAILED',
+                    message: 'Failed to freeze prototypes',
+                    error: err.message
+                });
+            }
+        }
+        // Add prototype pollution detection utility
+        this._detectPrototypePollution = (obj) => {
+            if (!obj || typeof obj !== 'object') {
+                return false;
+            }
+            const dangerousKeys = ['__proto__', 'constructor', 'prototype'];
+            for (const key of dangerousKeys) {
+                if (key in obj) {
+                    logger.error({
+                        code: 'MC_SECURITY_PROTOTYPE_POLLUTION',
+                        message: `Prototype pollution detected: ${key} in object`,
+                        severity: 'CRITICAL'
+                    });
+                    return true;
+                }
+            }
+            return false;
+        };
+        console.log('[MasterControl] Prototype pollution protection initialized');
+    }
     // extends class methods to be used inside of the view class using the THIS keyword
     extendView( name, element){
         element = new element();
-        var $that = this;
-        var propertyNames = Object.getOwnPropertyNames( element.__proto__);
+        const propertyNames = Object.getOwnPropertyNames(element.__proto__);
         this.viewList[name] = {};
-        for(var i in propertyNames){
-            if(propertyNames[i] !== "constructor"){
-                if (propertyNames.hasOwnProperty(i)) {
-                    $that.viewList[name][propertyNames[i]] = element[propertyNames[i]];
-                }
+        // Fixed: Use for...of instead of for...in for array iteration
+        // Filter out 'constructor' and iterate efficiently
+        for (const propName of propertyNames) {
+            if (propName !== "constructor") {
+                this.viewList[name][propName] = element[propName];
             }
-        };
+        }
     }
     // extends class methods to be used inside of the controller class using the THIS keyword
     extendController(element){
         element = new element();
-        var $that = this;
-        var propertyNames = Object.getOwnPropertyNames( element.__proto__);
-        for(var i in propertyNames){
-            if(propertyNames[i] !== "constructor"){
-                if (propertyNames.hasOwnProperty(i)) {
-                    $that.controllerList[propertyNames[i]] = element[propertyNames[i]];
-                }
+        const propertyNames = Object.getOwnPropertyNames(element.__proto__);
+        // Fixed: Use for...of instead of for...in for array iteration
+        // Filter out 'constructor' and iterate efficiently
+        for (const propName of propertyNames) {
+            if (propName !== "constructor") {
+                this.controllerList[propName] = element[propName];
             }
-        };
+        }
     }
+    /**
+     * Register a view engine (MasterView, React, EJS, Pug, etc.)
+     * This allows for pluggable view rendering
+     *
+     * @param {Object|Function} ViewEngine - View engine class or instance
+     * @param {Object} options - Configuration options for the view engine
+     * @returns {MasterControl} - Returns this for chaining
+     *
+     * @example
+     * // Use MasterView (official view engine)
+     * const MasterView = require('masterview');
+     * master.useView(MasterView, { ssr: true });
+     *
+     * @example
+     * // Use EJS adapter
+     * const EJSAdapter = require('./adapters/ejs');
+     * master.useView(EJSAdapter);
+     */
+    useView(ViewEngine, options = {}) {
+        if (typeof ViewEngine === 'function') {
+            this._viewEngine = new ViewEngine(options);
+        } else {
+            this._viewEngine = ViewEngine;
+        }
+        // Let the view engine register itself
+        if (this._viewEngine && this._viewEngine.register) {
+            this._viewEngine.register(this);
+        }
+        logger.info({
+            code: 'MC_INFO_VIEW_ENGINE_REGISTERED',
+            message: 'View engine registered',
+            engine: ViewEngine.name || 'Custom'
+        });
+        return this;
+    }
     /*
     Services are created each time they are requested.
     It gets a new instance of the injected object, on each request of this object.
@@ -299,6 +392,9 @@ class MasterControl {
         try {
             var $that = this;
+            // SECURITY: Initialize prototype pollution protection
+            this._initPrototypePollutionProtection();
             // AUTO-LOAD internal framework modules
             // These are required for the framework to function and are loaded transparently
             const internalModules = {
@@ -313,10 +409,11 @@ class MasterControl {
                 'MasterCors': './MasterCors',
                 'SessionSecurity': './security/SessionSecurity',
                 'MasterSocket': './MasterSocket',
-                'MasterHtml': './MasterHtml',
-                'MasterTemplate': './MasterTemplate',
-                'MasterTools': './MasterTools',
-                'TemplateOverwrite': './TemplateOverwrite'
+                'MasterTools': './MasterTools'
+                // View modules removed - use master.useView(MasterView) instead
+                // 'MasterHtml': './MasterHtml',
+                // 'MasterTemplate': './MasterTemplate',
+                // 'TemplateOverwrite': './TemplateOverwrite'
             };
             // Explicit module registration (prevents circular dependency issues)
@@ -331,8 +428,8 @@ class MasterControl {
                 'cors': { path: './MasterCors', exportName: 'MasterCors' },
                 'socket': { path: './MasterSocket', exportName: 'MasterSocket' },
                 'tempdata': { path: './MasterTemp', exportName: 'MasterTemp' },
-                'overwrite': { path: './TemplateOverwrite', exportName: 'TemplateOverwrite' },
                 'session': { path: './security/SessionSecurity', exportName: 'MasterSessionSecurity' }
+                // 'overwrite' removed - will be provided by view engine (master.useView())
             };
             for (const [name, config] of Object.entries(moduleRegistry)) {
@@ -354,13 +451,12 @@ class MasterControl {
             // Legacy code uses master.sessions (plural), new API uses master.session (singular)
             $that.sessions = $that.session;
-            // Load view and controller extensions (these extend prototypes, not master instance)
+            // Load controller extensions (these extend prototypes, not master instance)
             try {
                 require('./MasterAction');
                 require('./MasterActionFilters');
-                require('./MasterHtml');
-                require('./MasterTemplate');
                 require('./MasterTools');
+                // View extensions (MasterHtml, MasterTemplate) removed - use master.useView() instead
             } catch (e) {
                 console.error('[MasterControl] Failed to load extensions:', e.message);
             }
@@ -734,9 +830,14 @@ class MasterControl {
         });
         // 4. Load Scoped Services (per request - always needed)
+        // Cache keys for performance (computed once, not on every request)
+        const scopedKeys = Object.keys($that._scopedList);
         $that.pipeline.use(async (ctx, next) => {
-            for (var key in $that._scopedList) {
-                var className = $that._scopedList[key];
+            // Fixed: Use cached keys with direct array iteration (faster & safer)
+            for (let i = 0; i < scopedKeys.length; i++) {
+                const key = scopedKeys[i];
+                const className = $that._scopedList[key];
                 $that.requestList[key] = new className();
             }
             await next();

package/MasterRequest.js CHANGED Viewed

@@ -290,6 +290,8 @@ class MasterRequest{
           buffer += decoder.end();
           var buff = qs.parse(buffer);
+          // Preserve raw body for signature verification
+          buff._rawBody = buffer;
           func(buff);
       });
@@ -343,6 +345,10 @@ class MasterRequest{
             try {
                 var buff = JSON.parse(buffer);
+                // IMPORTANT: Preserve raw body for webhook signature verification
+                // Many webhook providers (Stripe, GitHub, Shopify, etc.) require the
+                // exact raw body string to verify HMAC signatures
+                buff._rawBody = buffer;
                 func(buff);
             } catch (e) {
                 // Security: Don't fallback to qs.parse to avoid prototype pollution

package/MasterRouter.js CHANGED Viewed

@@ -121,32 +121,33 @@ const isDevelopment = process.env.NODE_ENV !== 'production' && process.env.maste
             }
             if(routeList.length > 0){
-                // loop through routes
-                for(var item in routeList){
+                // FIXED: Use for...of instead of for...in for array iteration
+                // This prevents prototype pollution and improves performance
+                for(const route of routeList){
                     // Store current route for error handling
                     currentRouteBeingProcessed = {
-                        path: routeList[item].path,
-                        toController: routeList[item].toController,
-                        toAction: routeList[item].toAction,
-                        type: routeList[item].type
+                        path: route.path,
+                        toController: route.toController,
+                        toAction: route.toAction,
+                        type: route.type
                     };
                     try {
-                        requestObject.toController = routeList[item].toController;
-                        requestObject.toAction = routeList[item].toAction;
+                        requestObject.toController = route.toController;
+                        requestObject.toAction = route.toAction;
                         // FIX: Create a clean copy of params for each route test to prevent parameter pollution
                         // This prevents parameters from non-matching routes from accumulating in requestObject.params
                         var testParams = Object.assign({}, requestObject.params);
-                        var pathObj = normalizePaths(requestObject.pathName, routeList[item].path, testParams);
+                        var pathObj = normalizePaths(requestObject.pathName, route.path, testParams);
                         // if we find the route that matches the request
-                        if(pathObj.requestPath === pathObj.routePath && routeList[item].type === requestObject.type){
+                        if(pathObj.requestPath === pathObj.routePath && route.type === requestObject.type){
                             // Only commit the extracted params if this route actually matches
                             requestObject.params = testParams;
                             // call Constraint
-                            if(typeof routeList[item].constraint === "function"){
+                            if(typeof route.constraint === "function"){
                                 var newObj = {};
                                 //tools.combineObjects(newObj, this._master.controllerList);
@@ -163,7 +164,7 @@ const isDevelopment = process.env.NODE_ENV !== 'production' && process.env.maste
                                 // Wrap constraint execution with error handling
                                 try {
-                                    routeList[item].constraint.call(newObj, requestObject);
+                                    route.constraint.call(newObj, requestObject);
                                 } catch(constraintError) {
                                     const routeError = handleRoutingError(
                                         requestObject.pathName,
@@ -238,10 +239,10 @@ const isDevelopment = process.env.NODE_ENV !== 'production' && process.env.maste
 };
 var loadScopedListClasses = function(){
-    for (var key in this._master._scopedList) {
-        var className =  this._master._scopedList[key];
+    // FIXED: Use Object.entries() for safe iteration (prevents prototype pollution)
+    for (const [key, className] of Object.entries(this._master._scopedList)) {
         this._master.requestList[key] = new className();
-    };
+    }
 };
@@ -397,25 +398,19 @@ class MasterRouter {
     }
     findMimeType(fileExt){
-        if(fileExt){
-            var type = undefined;
-            var mime = this.mimeTypes;
-            for(var i in mime) {
-                if("." + i === fileExt){
-                    type = mime[i];
-                }
-            }
-            if(type === undefined){
-                return false;
-            }
-            else{
-                return type;
-            }
-        }
-        else{
+        if(!fileExt){
             return false;
         }
+        // FIXED: O(1) direct lookup instead of O(n) loop
+        // Remove leading dot if present for consistent lookup
+        const ext = fileExt.startsWith('.') ? fileExt.slice(1) : fileExt;
+        // Direct object access - constant time complexity
+        const type = this.mimeTypes[ext];
+        // Return the MIME type or false if not found
+        return type || false;
     }
     _call(requestObject){