nextjs-secure 0.2.0 → 0.5.0

package/dist/validation.js

@@ -0,0 +1,1964 @@
+// src/middleware/validation/utils.ts
+function isZodSchema(schema) {
+  return typeof schema === "object" && schema !== null && "safeParse" in schema && typeof schema.safeParse === "function";
+}
+function isCustomSchema(schema) {
+  if (typeof schema !== "object" || schema === null) return false;
+  if ("safeParse" in schema) return false;
+  const entries = Object.entries(schema);
+  if (entries.length === 0) return false;
+  return entries.every(([_, rule]) => {
+    return typeof rule === "object" && rule !== null && "type" in rule;
+  });
+}
+var EMAIL_PATTERN = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+var URL_PATTERN = /^https?:\/\/(?:(?:www\.)?[-a-zA-Z0-9@:%._+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}|localhost|(?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?(?:[-a-zA-Z0-9()@:%_+.~#?&/=]*)$/;
+var UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+var DATE_PATTERN = /^\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:Z|[+-]\d{2}:?\d{2})?)?$/;
+function validateField(value, rule, fieldName) {
+  if (value === void 0 || value === null || value === "") {
+    if (rule.required) {
+      return {
+        field: fieldName,
+        code: "required",
+        message: rule.message || `${fieldName} is required`,
+        received: value
+      };
+    }
+    return null;
+  }
+  switch (rule.type) {
+    case "string":
+      if (typeof value !== "string") {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be a string`,
+          expected: "string",
+          received: typeof value
+        };
+      }
+      if (rule.minLength !== void 0 && value.length < rule.minLength) {
+        return {
+          field: fieldName,
+          code: "too_short",
+          message: rule.message || `${fieldName} must be at least ${rule.minLength} characters`,
+          received: value.length
+        };
+      }
+      if (rule.maxLength !== void 0 && value.length > rule.maxLength) {
+        return {
+          field: fieldName,
+          code: "too_long",
+          message: rule.message || `${fieldName} must be at most ${rule.maxLength} characters`,
+          received: value.length
+        };
+      }
+      if (rule.pattern && !rule.pattern.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_pattern",
+          message: rule.message || `${fieldName} has invalid format`,
+          received: value
+        };
+      }
+      break;
+    case "number":
+      const num = typeof value === "number" ? value : Number(value);
+      if (isNaN(num)) {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be a number`,
+          expected: "number",
+          received: typeof value
+        };
+      }
+      if (rule.integer && !Number.isInteger(num)) {
+        return {
+          field: fieldName,
+          code: "invalid_integer",
+          message: rule.message || `${fieldName} must be an integer`,
+          received: num
+        };
+      }
+      if (rule.min !== void 0 && num < rule.min) {
+        return {
+          field: fieldName,
+          code: "too_small",
+          message: rule.message || `${fieldName} must be at least ${rule.min}`,
+          received: num
+        };
+      }
+      if (rule.max !== void 0 && num > rule.max) {
+        return {
+          field: fieldName,
+          code: "too_large",
+          message: rule.message || `${fieldName} must be at most ${rule.max}`,
+          received: num
+        };
+      }
+      break;
+    case "boolean":
+      if (typeof value !== "boolean" && value !== "true" && value !== "false") {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be a boolean`,
+          expected: "boolean",
+          received: typeof value
+        };
+      }
+      break;
+    case "email":
+      if (typeof value !== "string" || !EMAIL_PATTERN.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_email",
+          message: rule.message || `${fieldName} must be a valid email address`,
+          received: value
+        };
+      }
+      break;
+    case "url":
+      if (typeof value !== "string" || !URL_PATTERN.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_url",
+          message: rule.message || `${fieldName} must be a valid URL`,
+          received: value
+        };
+      }
+      break;
+    case "uuid":
+      if (typeof value !== "string" || !UUID_PATTERN.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_uuid",
+          message: rule.message || `${fieldName} must be a valid UUID`,
+          received: value
+        };
+      }
+      break;
+    case "date":
+      if (typeof value !== "string" || !DATE_PATTERN.test(value)) {
+        const parsed = new Date(value);
+        if (isNaN(parsed.getTime())) {
+          return {
+            field: fieldName,
+            code: "invalid_date",
+            message: rule.message || `${fieldName} must be a valid date`,
+            received: value
+          };
+        }
+      }
+      break;
+    case "array":
+      if (!Array.isArray(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be an array`,
+          expected: "array",
+          received: typeof value
+        };
+      }
+      if (rule.minItems !== void 0 && value.length < rule.minItems) {
+        return {
+          field: fieldName,
+          code: "too_few_items",
+          message: rule.message || `${fieldName} must have at least ${rule.minItems} items`,
+          received: value.length
+        };
+      }
+      if (rule.maxItems !== void 0 && value.length > rule.maxItems) {
+        return {
+          field: fieldName,
+          code: "too_many_items",
+          message: rule.message || `${fieldName} must have at most ${rule.maxItems} items`,
+          received: value.length
+        };
+      }
+      if (rule.items) {
+        for (let i = 0; i < value.length; i++) {
+          const itemError = validateField(value[i], rule.items, `${fieldName}[${i}]`);
+          if (itemError) return itemError;
+        }
+      }
+      break;
+    case "object":
+      if (typeof value !== "object" || value === null || Array.isArray(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be an object`,
+          expected: "object",
+          received: Array.isArray(value) ? "array" : typeof value
+        };
+      }
+      break;
+  }
+  if (rule.custom) {
+    const result = rule.custom(value);
+    if (result !== true) {
+      return {
+        field: fieldName,
+        code: "custom_validation",
+        message: typeof result === "string" ? result : rule.message || `${fieldName} failed validation`,
+        received: value
+      };
+    }
+  }
+  return null;
+}
+function validateCustomSchema(data, schema) {
+  if (typeof data !== "object" || data === null) {
+    return {
+      success: false,
+      errors: [{
+        field: "_root",
+        code: "invalid_type",
+        message: "Expected an object",
+        received: data
+      }]
+    };
+  }
+  const errors = [];
+  const record = data;
+  for (const [fieldName, rule] of Object.entries(schema)) {
+    const error = validateField(record[fieldName], rule, fieldName);
+    if (error) {
+      errors.push(error);
+    }
+  }
+  if (errors.length > 0) {
+    return { success: false, errors };
+  }
+  return { success: true, data };
+}
+function validateZodSchema(data, schema) {
+  const result = schema.safeParse(data);
+  if (result.success) {
+    return { success: true, data: result.data };
+  }
+  const errors = result.error.issues.map((issue) => ({
+    field: issue.path.join(".") || "_root",
+    code: issue.code,
+    message: issue.message,
+    path: issue.path.map(String)
+  }));
+  return { success: false, errors };
+}
+function getByPath(obj, path) {
+  if (typeof obj !== "object" || obj === null) return void 0;
+  const parts = path.split(".");
+  let current = obj;
+  for (const part of parts) {
+    if (typeof current !== "object" || current === null) return void 0;
+    current = current[part];
+  }
+  return current;
+}
+function setByPath(obj, path, value) {
+  const parts = path.split(".");
+  let current = obj;
+  for (let i = 0; i < parts.length - 1; i++) {
+    const part = parts[i];
+    if (!(part in current) || typeof current[part] !== "object") {
+      current[part] = {};
+    }
+    current = current[part];
+  }
+  current[parts[parts.length - 1]] = value;
+}
+function walkObject(obj, fn, path = "") {
+  if (typeof obj === "string") {
+    return fn(obj, path);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item, i) => walkObject(item, fn, `${path}[${i}]`));
+  }
+  if (typeof obj === "object" && obj !== null) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      const newPath = path ? `${path}.${key}` : key;
+      result[key] = walkObject(value, fn, newPath);
+    }
+    return result;
+  }
+  return obj;
+}
+function parseQueryString(url) {
+  const result = {};
+  try {
+    const urlObj = new URL(url);
+    for (const [key, value] of urlObj.searchParams.entries()) {
+      if (key in result) {
+        const existing = result[key];
+        if (Array.isArray(existing)) {
+          existing.push(value);
+        } else {
+          result[key] = [existing, value];
+        }
+      } else {
+        result[key] = value;
+      }
+    }
+  } catch {
+  }
+  return result;
+}
+
+// src/middleware/validation/validators/schema.ts
+function validate(data, schema) {
+  if (isZodSchema(schema)) {
+    return validateZodSchema(data, schema);
+  }
+  if (isCustomSchema(schema)) {
+    return validateCustomSchema(data, schema);
+  }
+  return {
+    success: false,
+    errors: [{
+      field: "_schema",
+      code: "invalid_schema",
+      message: "Invalid schema provided"
+    }]
+  };
+}
+async function validateBody(request, schema) {
+  let body;
+  try {
+    const contentType = request.headers.get("content-type") || "";
+    if (contentType.includes("application/json")) {
+      body = await request.json();
+    } else if (contentType.includes("application/x-www-form-urlencoded")) {
+      const text = await request.text();
+      body = Object.fromEntries(new URLSearchParams(text));
+    } else if (contentType.includes("multipart/form-data")) {
+      const formData = await request.formData();
+      const obj = {};
+      formData.forEach((value, key) => {
+        if (typeof value === "string") {
+          obj[key] = value;
+        }
+      });
+      body = obj;
+    } else {
+      try {
+        body = await request.json();
+      } catch {
+        body = {};
+      }
+    }
+  } catch (error) {
+    return {
+      success: false,
+      errors: [{
+        field: "_body",
+        code: "parse_error",
+        message: "Failed to parse request body"
+      }]
+    };
+  }
+  return validate(body, schema);
+}
+function validateQuery(request, schema) {
+  const query = parseQueryString(request.url);
+  return validate(query, schema);
+}
+function validateParams(params, schema) {
+  return validate(params, schema);
+}
+async function validateRequest(request, config) {
+  const allErrors = [];
+  const data = {};
+  if (config.body) {
+    const bodyResult = await validateBody(request, config.body);
+    if (!bodyResult.success) {
+      allErrors.push(...(bodyResult.errors || []).map((e) => ({
+        ...e,
+        field: `body.${e.field}`.replace("body._root", "body")
+      })));
+    } else {
+      data.body = bodyResult.data;
+    }
+  } else {
+    data.body = {};
+  }
+  if (config.query) {
+    const queryResult = validateQuery(request, config.query);
+    if (!queryResult.success) {
+      allErrors.push(...(queryResult.errors || []).map((e) => ({
+        ...e,
+        field: `query.${e.field}`.replace("query._root", "query")
+      })));
+    } else {
+      data.query = queryResult.data;
+    }
+  } else {
+    data.query = {};
+  }
+  if (config.params && config.routeParams) {
+    const paramsResult = validateParams(config.routeParams, config.params);
+    if (!paramsResult.success) {
+      allErrors.push(...(paramsResult.errors || []).map((e) => ({
+        ...e,
+        field: `params.${e.field}`.replace("params._root", "params")
+      })));
+    } else {
+      data.params = paramsResult.data;
+    }
+  } else {
+    data.params = {};
+  }
+  if (allErrors.length > 0) {
+    return { success: false, errors: allErrors };
+  }
+  return {
+    success: true,
+    data
+  };
+}
+function defaultValidationErrorResponse(errors) {
+  return new Response(
+    JSON.stringify({
+      error: "validation_error",
+      message: "Request validation failed",
+      details: errors.map((e) => ({
+        field: e.field,
+        code: e.code,
+        message: e.message
+      }))
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function createValidator(schema) {
+  return (data) => validate(data, schema);
+}
+function allValid(...results) {
+  return results.every((r) => r.success);
+}
+function mergeErrors(...results) {
+  const errors = [];
+  for (const result of results) {
+    if (result.errors) {
+      errors.push(...result.errors);
+    }
+  }
+  return errors;
+}
+
+// src/middleware/validation/validators/content-type.ts
+var MIME_TYPES = {
+  // Text
+  TEXT_PLAIN: "text/plain",
+  TEXT_HTML: "text/html",
+  TEXT_CSS: "text/css",
+  TEXT_JAVASCRIPT: "text/javascript",
+  // Application
+  JSON: "application/json",
+  FORM_URLENCODED: "application/x-www-form-urlencoded",
+  MULTIPART_FORM: "multipart/form-data",
+  XML: "application/xml",
+  PDF: "application/pdf",
+  ZIP: "application/zip",
+  GZIP: "application/gzip",
+  OCTET_STREAM: "application/octet-stream",
+  // Image
+  IMAGE_PNG: "image/png",
+  IMAGE_JPEG: "image/jpeg",
+  IMAGE_GIF: "image/gif",
+  IMAGE_WEBP: "image/webp",
+  IMAGE_SVG: "image/svg+xml",
+  // Audio
+  AUDIO_MP3: "audio/mpeg",
+  AUDIO_WAV: "audio/wav",
+  AUDIO_OGG: "audio/ogg",
+  // Video
+  VIDEO_MP4: "video/mp4",
+  VIDEO_WEBM: "video/webm"
+};
+function parseContentType(header) {
+  if (!header) {
+    return {
+      type: "",
+      subtype: "",
+      mediaType: "",
+      parameters: {}
+    };
+  }
+  const parts = header.split(";").map((p) => p.trim());
+  const mediaType = parts[0].toLowerCase();
+  const [type = "", subtype = ""] = mediaType.split("/");
+  const parameters = {};
+  for (let i = 1; i < parts.length; i++) {
+    const [key, value] = parts[i].split("=").map((p) => p.trim());
+    if (key && value) {
+      parameters[key.toLowerCase()] = value.replace(/^["']|["']$/g, "");
+    }
+  }
+  return {
+    type,
+    subtype,
+    mediaType,
+    charset: parameters["charset"],
+    boundary: parameters["boundary"],
+    parameters
+  };
+}
+function isAllowedContentType(contentType, allowedTypes, strict = false) {
+  if (!contentType) {
+    return !strict;
+  }
+  const { mediaType } = parseContentType(contentType);
+  return allowedTypes.some((allowed) => {
+    const normalizedAllowed = allowed.toLowerCase().trim();
+    if (mediaType === normalizedAllowed) {
+      return true;
+    }
+    if (normalizedAllowed.endsWith("/*")) {
+      const prefix = normalizedAllowed.slice(0, -2);
+      return mediaType.startsWith(prefix + "/");
+    }
+    if (!normalizedAllowed.includes("/")) {
+      const { type } = parseContentType(contentType);
+      return type === normalizedAllowed;
+    }
+    return false;
+  });
+}
+function validateContentType(request, config) {
+  const contentType = request.headers.get("content-type");
+  const { allowed, strict = false, charset } = config;
+  if (strict && !contentType) {
+    return {
+      valid: false,
+      contentType: null,
+      reason: "Content-Type header is required"
+    };
+  }
+  if (contentType && !isAllowedContentType(contentType, allowed, strict)) {
+    return {
+      valid: false,
+      contentType,
+      reason: `Content-Type '${contentType}' is not allowed`
+    };
+  }
+  if (charset && contentType) {
+    const parsed = parseContentType(contentType);
+    if (parsed.charset && parsed.charset.toLowerCase() !== charset.toLowerCase()) {
+      return {
+        valid: false,
+        contentType,
+        reason: `Charset '${parsed.charset}' is not allowed, expected '${charset}'`
+      };
+    }
+  }
+  return { valid: true, contentType };
+}
+function defaultContentTypeErrorResponse(contentType, reason) {
+  return new Response(
+    JSON.stringify({
+      error: "invalid_content_type",
+      message: reason,
+      received: contentType
+    }),
+    {
+      status: 415,
+      // Unsupported Media Type
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function isJsonRequest(request) {
+  return isAllowedContentType(
+    request.headers.get("content-type"),
+    [MIME_TYPES.JSON]
+  );
+}
+function isFormRequest(request) {
+  return isAllowedContentType(
+    request.headers.get("content-type"),
+    [MIME_TYPES.FORM_URLENCODED, MIME_TYPES.MULTIPART_FORM]
+  );
+}
+function isMultipartRequest(request) {
+  return isAllowedContentType(
+    request.headers.get("content-type"),
+    [MIME_TYPES.MULTIPART_FORM]
+  );
+}
+function getMultipartBoundary(request) {
+  const contentType = request.headers.get("content-type");
+  if (!contentType) return null;
+  const { boundary } = parseContentType(contentType);
+  return boundary || null;
+}
+
+// src/middleware/validation/sanitizers/path.ts
+var DANGEROUS_PATTERNS = [
+  // Unix path traversal
+  /\.\.\//g,
+  /\.\./g,
+  // Windows path traversal
+  /\.\.\\/g,
+  // Null byte (can truncate paths in some systems)
+  /%00/g,
+  /\0/g,
+  // URL encoded traversal
+  /%2e%2e%2f/gi,
+  // ../
+  /%2e%2e\//gi,
+  // ../
+  /%2e%2e%5c/gi,
+  // ..\
+  /%2e%2e\\/gi,
+  // ..\
+  // Double URL encoding
+  /%252e%252e%252f/gi,
+  /%252e%252e%255c/gi,
+  // Unicode encoding
+  /\.%u002e\//gi,
+  /%u002e%u002e%u002f/gi,
+  // Overlong UTF-8 encoding
+  /%c0%ae%c0%ae%c0%af/gi,
+  /%c1%9c/gi
+  // Backslash variant
+];
+var DEFAULT_BLOCKED_EXTENSIONS = [
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  // Executables
+  ".sh",
+  ".bash",
+  ".bat",
+  ".cmd",
+  ".ps1",
+  // Scripts
+  ".php",
+  ".asp",
+  ".aspx",
+  ".jsp",
+  ".cgi",
+  // Server scripts
+  ".htaccess",
+  ".htpasswd",
+  // Apache config
+  ".env",
+  ".git",
+  ".svn"
+  // Config/VCS
+];
+function normalizePathSeparators(path) {
+  return path.replace(/\\/g, "/");
+}
+function decodePathComponent(path) {
+  let result = path;
+  let previous = "";
+  while (result !== previous) {
+    previous = result;
+    try {
+      result = decodeURIComponent(result);
+    } catch {
+      break;
+    }
+  }
+  return result;
+}
+function hasPathTraversal(path) {
+  if (!path || typeof path !== "string") return false;
+  const normalized = normalizePathSeparators(decodePathComponent(path));
+  for (const pattern of DANGEROUS_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(normalized)) {
+      return true;
+    }
+  }
+  if (normalized.includes("..")) {
+    return true;
+  }
+  return false;
+}
+function validatePath(path, config = {}) {
+  if (!path || typeof path !== "string") {
+    return { valid: false, reason: "Path is empty or not a string" };
+  }
+  const {
+    allowAbsolute = false,
+    allowedPrefixes = [],
+    allowedExtensions,
+    blockedExtensions = DEFAULT_BLOCKED_EXTENSIONS,
+    maxDepth = 10,
+    maxLength = 255,
+    normalize = true
+  } = config;
+  if (path.length > maxLength) {
+    return { valid: false, reason: `Path exceeds maximum length of ${maxLength}` };
+  }
+  let normalized = decodePathComponent(path);
+  if (normalize) {
+    normalized = normalizePathSeparators(normalized);
+  }
+  if (normalized.includes("\0") || path.includes("%00")) {
+    return { valid: false, reason: "Path contains null bytes" };
+  }
+  if (hasPathTraversal(path)) {
+    return { valid: false, reason: "Path contains traversal sequences" };
+  }
+  const isAbsolute = normalized.startsWith("/") || /^[a-zA-Z]:/.test(normalized) || // Windows drive letter
+  normalized.startsWith("\\\\");
+  if (isAbsolute && !allowAbsolute) {
+    return { valid: false, reason: "Absolute paths are not allowed" };
+  }
+  if (allowedPrefixes.length > 0) {
+    const hasValidPrefix = allowedPrefixes.some((prefix) => {
+      const normalizedPrefix = normalizePathSeparators(prefix);
+      return normalized.startsWith(normalizedPrefix);
+    });
+    if (!hasValidPrefix) {
+      return { valid: false, reason: "Path does not start with an allowed prefix" };
+    }
+  }
+  const segments = normalized.split("/").filter((s) => s && s !== ".");
+  if (segments.length > maxDepth) {
+    return { valid: false, reason: `Path depth exceeds maximum of ${maxDepth}` };
+  }
+  const lastSegment = segments[segments.length - 1] || "";
+  const dotIndex = lastSegment.lastIndexOf(".");
+  const extension = dotIndex > 0 ? lastSegment.slice(dotIndex).toLowerCase() : "";
+  if (extension && blockedExtensions.length > 0) {
+    if (blockedExtensions.map((e) => e.toLowerCase()).includes(extension)) {
+      return { valid: false, reason: `Extension ${extension} is not allowed` };
+    }
+  }
+  if (extension && allowedExtensions && allowedExtensions.length > 0) {
+    if (!allowedExtensions.map((e) => e.toLowerCase()).includes(extension)) {
+      return { valid: false, reason: `Extension ${extension} is not in allowed list` };
+    }
+  }
+  const sanitized = normalized.replace(/\/+/g, "/");
+  return { valid: true, sanitized };
+}
+function sanitizePath(path, config = {}) {
+  if (!path || typeof path !== "string") return "";
+  const { normalize = true, maxLength = 255 } = config;
+  let result = decodePathComponent(path);
+  if (normalize) {
+    result = normalizePathSeparators(result);
+  }
+  result = result.replace(/\0/g, "").replace(/%00/g, "");
+  result = result.replace(/\.\.\//g, "").replace(/\.\.\\/g, "");
+  if (!config.allowAbsolute) {
+    result = result.replace(/^\/+/, "");
+    result = result.replace(/^[a-zA-Z]:/, "");
+    result = result.replace(/^\\\\/, "");
+  }
+  result = result.replace(/\/+/g, "/");
+  result = result.replace(/\/+$/, "");
+  if (result.length > maxLength) {
+    result = result.slice(0, maxLength);
+  }
+  return result;
+}
+function isPathContained(path, baseDir) {
+  if (!path || !baseDir) return false;
+  const normalizedPath = normalizePathSeparators(decodePathComponent(path));
+  const normalizedBase = normalizePathSeparators(baseDir);
+  const resolvedPath = resolvePath(normalizedPath, normalizedBase);
+  return resolvedPath.startsWith(normalizedBase.replace(/\/$/, "") + "/");
+}
+function resolvePath(path, base) {
+  let combined;
+  if (path.startsWith("/")) {
+    combined = path;
+  } else {
+    combined = `${base.replace(/\/$/, "")}/${path}`;
+  }
+  const segments = [];
+  for (const segment of combined.split("/")) {
+    if (segment === "" || segment === ".") {
+      continue;
+    }
+    if (segment === "..") {
+      segments.pop();
+    } else {
+      segments.push(segment);
+    }
+  }
+  return "/" + segments.join("/");
+}
+function getExtension(path) {
+  if (!path || typeof path !== "string") return "";
+  const normalized = normalizePathSeparators(path);
+  const segments = normalized.split("/");
+  const filename = segments[segments.length - 1] || "";
+  const dotIndex = filename.lastIndexOf(".");
+  if (dotIndex <= 0) return "";
+  return filename.slice(dotIndex).toLowerCase();
+}
+function getFilename(path) {
+  if (!path || typeof path !== "string") return "";
+  const normalized = normalizePathSeparators(path);
+  const segments = normalized.split("/");
+  return segments[segments.length - 1] || "";
+}
+function sanitizeFilename(filename) {
+  if (typeof filename !== "string") return "file";
+  if (!filename) return "file";
+  let result = filename;
+  result = result.replace(/[/\\]/g, "");
+  result = result.replace(/\0/g, "");
+  result = result.replace(/[\x00-\x1f\x7f]/g, "");
+  result = result.replace(/[<>:"|?*]/g, "");
+  result = result.replace(/^[.\s]+|[.\s]+$/g, "");
+  if (result.length > 255) {
+    const ext = getExtension(result);
+    const name = result.slice(0, 255 - ext.length);
+    result = name + ext;
+  }
+  return result || "file";
+}
+function isHiddenPath(path) {
+  if (!path) return false;
+  const normalized = normalizePathSeparators(path);
+  const segments = normalized.split("/").filter(Boolean);
+  return segments.some((segment) => segment.startsWith("."));
+}
+
+// src/middleware/validation/validators/file.ts
+var MAGIC_NUMBERS = [
+  // Images
+  { type: "image/jpeg", extension: ".jpg", signature: [255, 216, 255] },
+  { type: "image/png", extension: ".png", signature: [137, 80, 78, 71, 13, 10, 26, 10] },
+  { type: "image/gif", extension: ".gif", signature: [71, 73, 70, 56] },
+  // GIF87a or GIF89a
+  { type: "image/webp", extension: ".webp", signature: [82, 73, 70, 70], offset: 0 },
+  // RIFF
+  { type: "image/bmp", extension: ".bmp", signature: [66, 77] },
+  { type: "image/tiff", extension: ".tiff", signature: [73, 73, 42, 0] },
+  // Little endian
+  { type: "image/tiff", extension: ".tiff", signature: [77, 77, 0, 42] },
+  // Big endian
+  { type: "image/x-icon", extension: ".ico", signature: [0, 0, 1, 0] },
+  { type: "image/svg+xml", extension: ".svg", signature: [60, 63, 120, 109, 108] },
+  // <?xml
+  // Documents
+  { type: "application/pdf", extension: ".pdf", signature: [37, 80, 68, 70] },
+  // %PDF
+  { type: "application/zip", extension: ".zip", signature: [80, 75, 3, 4] },
+  // PK
+  { type: "application/gzip", extension: ".gz", signature: [31, 139] },
+  { type: "application/x-rar-compressed", extension: ".rar", signature: [82, 97, 114, 33] },
+  { type: "application/x-7z-compressed", extension: ".7z", signature: [55, 122, 188, 175, 39, 28] },
+  // Microsoft Office (new format - zip based)
+  { type: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", extension: ".xlsx", signature: [80, 75, 3, 4] },
+  { type: "application/vnd.openxmlformats-officedocument.wordprocessingml.document", extension: ".docx", signature: [80, 75, 3, 4] },
+  { type: "application/vnd.openxmlformats-officedocument.presentationml.presentation", extension: ".pptx", signature: [80, 75, 3, 4] },
+  // Microsoft Office (old format)
+  { type: "application/msword", extension: ".doc", signature: [208, 207, 17, 224, 161, 177, 26, 225] },
+  { type: "application/vnd.ms-excel", extension: ".xls", signature: [208, 207, 17, 224, 161, 177, 26, 225] },
+  // Audio
+  { type: "audio/mpeg", extension: ".mp3", signature: [255, 251] },
+  // MP3 frame sync
+  { type: "audio/mpeg", extension: ".mp3", signature: [73, 68, 51] },
+  // ID3
+  { type: "audio/wav", extension: ".wav", signature: [82, 73, 70, 70] },
+  // RIFF
+  { type: "audio/ogg", extension: ".ogg", signature: [79, 103, 103, 83] },
+  { type: "audio/flac", extension: ".flac", signature: [102, 76, 97, 67] },
+  // Video
+  { type: "video/mp4", extension: ".mp4", signature: [0, 0, 0], offset: 0 },
+  // Partial match
+  { type: "video/webm", extension: ".webm", signature: [26, 69, 223, 163] },
+  { type: "video/avi", extension: ".avi", signature: [82, 73, 70, 70] },
+  // RIFF
+  { type: "video/quicktime", extension: ".mov", signature: [0, 0, 0, 20, 102, 116, 121, 112] },
+  // Web
+  { type: "application/wasm", extension: ".wasm", signature: [0, 97, 115, 109] },
+  // \0asm
+  // Fonts
+  { type: "font/woff", extension: ".woff", signature: [119, 79, 70, 70] },
+  { type: "font/woff2", extension: ".woff2", signature: [119, 79, 70, 50] }
+];
+var DEFAULT_MAX_FILE_SIZE = 10 * 1024 * 1024;
+var DEFAULT_MAX_FILES = 10;
+var DANGEROUS_EXTENSIONS = [
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".bin",
+  ".sh",
+  ".bash",
+  ".bat",
+  ".cmd",
+  ".ps1",
+  ".vbs",
+  ".php",
+  ".asp",
+  ".aspx",
+  ".jsp",
+  ".cgi",
+  ".pl",
+  ".py",
+  ".rb",
+  ".jar",
+  ".class",
+  ".msi",
+  ".dmg",
+  ".pkg",
+  ".deb",
+  ".rpm",
+  ".scr",
+  ".pif",
+  ".com",
+  ".hta"
+];
+function checkMagicNumber(bytes, magicNumber) {
+  const offset = magicNumber.offset || 0;
+  const signature = magicNumber.signature;
+  if (bytes.length < offset + signature.length) {
+    return false;
+  }
+  for (let i = 0; i < signature.length; i++) {
+    if (bytes[offset + i] !== signature[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+function detectFileType(bytes) {
+  for (const magic of MAGIC_NUMBERS) {
+    if (checkMagicNumber(bytes, magic)) {
+      return { type: magic.type, extension: magic.extension };
+    }
+  }
+  return null;
+}
+async function validateFile(file, config = {}) {
+  const {
+    maxSize = DEFAULT_MAX_FILE_SIZE,
+    minSize = 0,
+    allowedTypes = [],
+    blockedTypes = [],
+    allowedExtensions = [],
+    blockedExtensions = DANGEROUS_EXTENSIONS,
+    validateMagicNumbers = true,
+    sanitizeFilename: doSanitize = true
+  } = config;
+  const errors = [];
+  const extension = getExtension(file.name);
+  const info = {
+    filename: doSanitize ? sanitizeFilename(file.name) : file.name,
+    size: file.size,
+    type: file.type,
+    extension
+  };
+  if (file.size > maxSize) {
+    errors.push({
+      filename: file.name,
+      code: "size_exceeded",
+      message: `File size (${formatBytes(file.size)}) exceeds maximum allowed (${formatBytes(maxSize)})`,
+      details: { size: file.size, maxSize }
+    });
+  }
+  if (file.size < minSize) {
+    errors.push({
+      filename: file.name,
+      code: "size_too_small",
+      message: `File size (${formatBytes(file.size)}) is below minimum required (${formatBytes(minSize)})`,
+      details: { size: file.size, minSize }
+    });
+  }
+  if (blockedExtensions.length > 0 && extension) {
+    if (blockedExtensions.map((e) => e.toLowerCase()).includes(extension.toLowerCase())) {
+      errors.push({
+        filename: file.name,
+        code: "extension_not_allowed",
+        message: `File extension '${extension}' is not allowed`,
+        details: { extension, blockedExtensions }
+      });
+    }
+  }
+  if (allowedExtensions.length > 0 && extension) {
+    if (!allowedExtensions.map((e) => e.toLowerCase()).includes(extension.toLowerCase())) {
+      errors.push({
+        filename: file.name,
+        code: "extension_not_allowed",
+        message: `File extension '${extension}' is not in allowed list`,
+        details: { extension, allowedExtensions }
+      });
+    }
+  }
+  if (blockedTypes.length > 0 && file.type) {
+    if (blockedTypes.includes(file.type)) {
+      errors.push({
+        filename: file.name,
+        code: "type_not_allowed",
+        message: `File type '${file.type}' is not allowed`,
+        details: { type: file.type, blockedTypes }
+      });
+    }
+  }
+  if (allowedTypes.length > 0) {
+    if (!allowedTypes.includes(file.type)) {
+      errors.push({
+        filename: file.name,
+        code: "type_not_allowed",
+        message: `File type '${file.type}' is not in allowed list`,
+        details: { type: file.type, allowedTypes }
+      });
+    }
+  }
+  if (validateMagicNumbers && errors.length === 0) {
+    try {
+      const buffer = await file.arrayBuffer();
+      const bytes = new Uint8Array(buffer.slice(0, 32));
+      const detected = detectFileType(bytes);
+      if (detected) {
+        if (file.type && detected.type !== file.type) {
+          const isSimilar = detected.type.startsWith("image/") && file.type.startsWith("image/") || detected.type.startsWith("audio/") && file.type.startsWith("audio/") || detected.type.startsWith("video/") && file.type.startsWith("video/");
+          if (!isSimilar) {
+            errors.push({
+              filename: file.name,
+              code: "invalid_content",
+              message: `File content doesn't match declared type (claimed: ${file.type}, detected: ${detected.type})`,
+              details: { claimed: file.type, detected: detected.type }
+            });
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    info,
+    errors
+  };
+}
+async function validateFiles(files, config = {}) {
+  const { maxFiles = DEFAULT_MAX_FILES } = config;
+  const allErrors = [];
+  const infos = [];
+  if (files.length > maxFiles) {
+    allErrors.push({
+      filename: "",
+      code: "too_many_files",
+      message: `Too many files (${files.length}), maximum allowed is ${maxFiles}`,
+      details: { count: files.length, maxFiles }
+    });
+  }
+  for (const file of files) {
+    const result = await validateFile(file, config);
+    infos.push(result.info);
+    allErrors.push(...result.errors);
+  }
+  return {
+    valid: allErrors.length === 0,
+    infos,
+    errors: allErrors
+  };
+}
+function extractFilesFromFormData(formData) {
+  const files = /* @__PURE__ */ new Map();
+  formData.forEach((value, key) => {
+    if (value instanceof File) {
+      const existing = files.get(key) || [];
+      existing.push(value);
+      files.set(key, existing);
+    }
+  });
+  return files;
+}
+async function validateFilesFromRequest(request, config = {}) {
+  const contentType = request.headers.get("content-type") || "";
+  if (!contentType.includes("multipart/form-data")) {
+    return { valid: true, files: /* @__PURE__ */ new Map(), errors: [] };
+  }
+  try {
+    const formData = await request.formData();
+    const fileMap = extractFilesFromFormData(formData);
+    const allInfos = /* @__PURE__ */ new Map();
+    const allErrors = [];
+    let totalFileCount = 0;
+    for (const [field, files] of fileMap.entries()) {
+      totalFileCount += files.length;
+      const result = await validateFiles(files, { ...config, maxFiles: Infinity });
+      allInfos.set(field, result.infos);
+      allErrors.push(...result.errors.map((e) => ({ ...e, field })));
+    }
+    const maxFiles = config.maxFiles ?? DEFAULT_MAX_FILES;
+    if (totalFileCount > maxFiles) {
+      allErrors.push({
+        filename: "",
+        code: "too_many_files",
+        message: `Total file count (${totalFileCount}) exceeds maximum (${maxFiles})`,
+        details: { count: totalFileCount, maxFiles }
+      });
+    }
+    return {
+      valid: allErrors.length === 0,
+      files: allInfos,
+      errors: allErrors
+    };
+  } catch {
+    return {
+      valid: false,
+      files: /* @__PURE__ */ new Map(),
+      errors: [{
+        filename: "",
+        code: "invalid_content",
+        message: "Failed to parse multipart form data"
+      }]
+    };
+  }
+}
+function defaultFileErrorResponse(errors) {
+  return new Response(
+    JSON.stringify({
+      error: "file_validation_error",
+      message: "File validation failed",
+      details: errors.map((e) => ({
+        filename: e.filename,
+        field: e.field,
+        code: e.code,
+        message: e.message
+      }))
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function formatBytes(bytes) {
+  if (bytes === 0) return "0 B";
+  const units = ["B", "KB", "MB", "GB"];
+  const k = 1024;
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return `${parseFloat((bytes / Math.pow(k, i)).toFixed(2))} ${units[i]}`;
+}
+
+// src/middleware/validation/sanitizers/xss.ts
+var DEFAULT_ALLOWED_TAGS = [
+  "a",
+  "abbr",
+  "b",
+  "blockquote",
+  "br",
+  "code",
+  "del",
+  "em",
+  "h1",
+  "h2",
+  "h3",
+  "h4",
+  "h5",
+  "h6",
+  "hr",
+  "i",
+  "ins",
+  "li",
+  "mark",
+  "ol",
+  "p",
+  "pre",
+  "q",
+  "s",
+  "small",
+  "span",
+  "strong",
+  "sub",
+  "sup",
+  "u",
+  "ul"
+];
+var DEFAULT_ALLOWED_ATTRIBUTES = {
+  a: ["href", "title", "target", "rel"],
+  img: ["src", "alt", "title", "width", "height"],
+  abbr: ["title"],
+  q: ["cite"],
+  blockquote: ["cite"]
+};
+var DEFAULT_SAFE_PROTOCOLS = ["http:", "https:", "mailto:", "tel:"];
+var DANGEROUS_PATTERNS2 = [
+  // Event handlers
+  /\bon\w+\s*=/gi,
+  // JavaScript protocol
+  /javascript\s*:/gi,
+  // VBScript protocol
+  /vbscript\s*:/gi,
+  // Data URI with scripts
+  /data\s*:[^,]*(?:text\/html|application\/javascript|text\/javascript)/gi,
+  // Expression in CSS
+  /expression\s*\(/gi,
+  // Binding in CSS (Firefox)
+  /-moz-binding\s*:/gi,
+  // Behavior in CSS (IE)
+  /behavior\s*:/gi,
+  // Import in CSS
+  /@import/gi,
+  // Script tags
+  /<\s*script/gi,
+  // Style tags with expressions
+  /<\s*style[^>]*>[^<]*expression/gi,
+  // SVG with scripts
+  /<\s*svg[^>]*onload/gi,
+  // Object/embed/applet tags
+  /<\s*(object|embed|applet)/gi,
+  // Base tag (can redirect resources)
+  /<\s*base/gi,
+  // Meta refresh
+  /<\s*meta[^>]*http-equiv\s*=\s*["']?refresh/gi,
+  // Form action hijacking
+  /<\s*form[^>]*action\s*=\s*["']?javascript/gi,
+  // Link tag with import
+  /<\s*link[^>]*rel\s*=\s*["']?import/gi
+];
+var HTML_ENTITIES = {
+  "&": "&amp;",
+  "<": "&lt;",
+  ">": "&gt;",
+  '"': "&quot;",
+  "'": "&#x27;",
+  "/": "&#x2F;",
+  "`": "&#x60;",
+  "=": "&#x3D;"
+};
+function escapeHtml(str) {
+  return str.replace(/[&<>"'`=/]/g, (char) => HTML_ENTITIES[char] || char);
+}
+function unescapeHtml(str) {
+  const entityMap = {
+    "&amp;": "&",
+    "&lt;": "<",
+    "&gt;": ">",
+    "&quot;": '"',
+    "&#x27;": "'",
+    "&#x2F;": "/",
+    "&#x60;": "`",
+    "&#x3D;": "=",
+    "&#39;": "'",
+    "&#47;": "/"
+  };
+  return str.replace(/&(?:amp|lt|gt|quot|#x27|#x2F|#x60|#x3D|#39|#47);/gi, (entity) => {
+    return entityMap[entity.toLowerCase()] || entity;
+  });
+}
+function stripHtml(str) {
+  let result = str.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "");
+  result = result.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "");
+  result = result.replace(/<[^>]*>/g, "");
+  result = unescapeHtml(result);
+  result = result.replace(/\0/g, "");
+  return result.trim();
+}
+function isSafeUrl(url, allowedProtocols = DEFAULT_SAFE_PROTOCOLS) {
+  if (!url) return true;
+  const trimmed = url.trim().toLowerCase();
+  if (trimmed.startsWith("javascript:")) return false;
+  if (trimmed.startsWith("vbscript:")) return false;
+  if (trimmed.startsWith("data:image/")) return true;
+  if (trimmed.startsWith("data:")) return false;
+  try {
+    const parsed = new URL(url, "https://example.com");
+    if (parsed.protocol && !allowedProtocols.includes(parsed.protocol)) {
+      if (!url.includes(":")) return true;
+      return false;
+    }
+  } catch {
+    return true;
+  }
+  return true;
+}
+function sanitizeHtml(str, allowedTags = DEFAULT_ALLOWED_TAGS, allowedAttributes = DEFAULT_ALLOWED_ATTRIBUTES, allowedProtocols = DEFAULT_SAFE_PROTOCOLS) {
+  let result = str.replace(/\0/g, "");
+  result = result.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "");
+  result = result.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "");
+  result = result.replace(/<!--[\s\S]*?-->/g, "");
+  result = result.replace(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi, (match, tagName, attributes) => {
+    const lowerTag = tagName.toLowerCase();
+    const isClosing = match.startsWith("</");
+    if (!allowedTags.includes(lowerTag)) {
+      return "";
+    }
+    if (isClosing) {
+      return `</${lowerTag}>`;
+    }
+    const allowedAttrs = allowedAttributes[lowerTag] || [];
+    const safeAttrs = [];
+    const attrRegex = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*))/gi;
+    let attrMatch;
+    while ((attrMatch = attrRegex.exec(attributes)) !== null) {
+      const attrName = attrMatch[1].toLowerCase();
+      const attrValue = attrMatch[2] || attrMatch[3] || attrMatch[4] || "";
+      if (!allowedAttrs.includes(attrName)) continue;
+      if (DANGEROUS_PATTERNS2.some((pattern) => pattern.test(attrValue))) continue;
+      if (["href", "src", "action", "formaction"].includes(attrName)) {
+        if (!isSafeUrl(attrValue, allowedProtocols)) continue;
+      }
+      const safeValue = escapeHtml(attrValue);
+      safeAttrs.push(`${attrName}="${safeValue}"`);
+    }
+    const attrStr = safeAttrs.length > 0 ? " " + safeAttrs.join(" ") : "";
+    return `<${lowerTag}${attrStr}>`;
+  });
+  for (const pattern of DANGEROUS_PATTERNS2) {
+    result = result.replace(pattern, "");
+  }
+  return result;
+}
+function detectXSS(str) {
+  if (!str || typeof str !== "string") return false;
+  const normalized = str.replace(/\\x([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/\\u([0-9a-f]{4})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#(\d+);?/gi, (_, dec) => String.fromCharCode(parseInt(dec, 10)));
+  for (const pattern of DANGEROUS_PATTERNS2) {
+    pattern.lastIndex = 0;
+    if (pattern.test(normalized)) {
+      return true;
+    }
+  }
+  return false;
+}
+function sanitize(input, config = {}) {
+  if (!input || typeof input !== "string") return "";
+  const {
+    mode = "escape",
+    allowedTags = DEFAULT_ALLOWED_TAGS,
+    allowedAttributes = DEFAULT_ALLOWED_ATTRIBUTES,
+    allowedProtocols = DEFAULT_SAFE_PROTOCOLS,
+    maxLength,
+    stripNull = true
+  } = config;
+  let result = input;
+  if (stripNull) {
+    result = result.replace(/\0/g, "");
+  }
+  switch (mode) {
+    case "escape":
+      result = escapeHtml(result);
+      break;
+    case "strip":
+      result = stripHtml(result);
+      break;
+    case "allow-safe":
+      result = sanitizeHtml(result, allowedTags, allowedAttributes, allowedProtocols);
+      break;
+  }
+  if (maxLength !== void 0 && result.length > maxLength) {
+    result = result.slice(0, maxLength);
+  }
+  return result;
+}
+function sanitizeObject(obj, config = {}) {
+  if (typeof obj === "string") {
+    return sanitize(obj, config);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item) => sanitizeObject(item, config));
+  }
+  if (typeof obj === "object" && obj !== null) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      result[key] = sanitizeObject(value, config);
+    }
+    return result;
+  }
+  return obj;
+}
+function sanitizeFields(obj, fields, config = {}) {
+  const result = { ...obj };
+  for (const field of fields) {
+    if (field in result && typeof result[field] === "string") {
+      result[field] = sanitize(result[field], config);
+    }
+  }
+  return result;
+}
+
+// src/middleware/validation/sanitizers/sql.ts
+var SQL_PATTERNS = [
+  // High severity - Definite attacks
+  {
+    pattern: /'\s*OR\s+'?\d+'?\s*=\s*'?\d+'?/gi,
+    name: "OR '1'='1' attack",
+    severity: "high"
+  },
+  {
+    pattern: /'\s*OR\s+'[^']*'\s*=\s*'[^']*'/gi,
+    name: "OR 'x'='x' attack",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*DROP\s+(TABLE|DATABASE|INDEX|VIEW)/gi,
+    name: "DROP statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*DELETE\s+FROM/gi,
+    name: "DELETE statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*TRUNCATE\s+/gi,
+    name: "TRUNCATE statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*INSERT\s+INTO/gi,
+    name: "INSERT statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*UPDATE\s+\w+\s+SET/gi,
+    name: "UPDATE statement",
+    severity: "high"
+  },
+  {
+    pattern: /UNION\s+(ALL\s+)?SELECT/gi,
+    name: "UNION SELECT attack",
+    severity: "high"
+  },
+  {
+    pattern: /EXEC(\s+|\()+(sp_|xp_)/gi,
+    name: "SQL Server stored procedure",
+    severity: "high"
+  },
+  {
+    pattern: /EXECUTE\s+IMMEDIATE/gi,
+    name: "Oracle EXECUTE IMMEDIATE",
+    severity: "high"
+  },
+  {
+    pattern: /INTO\s+(OUT|DUMP)FILE/gi,
+    name: "MySQL file write",
+    severity: "high"
+  },
+  {
+    pattern: /LOAD_FILE\s*\(/gi,
+    name: "MySQL file read",
+    severity: "high"
+  },
+  {
+    pattern: /BENCHMARK\s*\(\s*\d+\s*,/gi,
+    name: "MySQL BENCHMARK DoS",
+    severity: "high"
+  },
+  {
+    pattern: /SLEEP\s*\(\s*\d+\s*\)/gi,
+    name: "SQL SLEEP time-based attack",
+    severity: "high"
+  },
+  {
+    pattern: /WAITFOR\s+DELAY/gi,
+    name: "SQL Server WAITFOR DELAY",
+    severity: "high"
+  },
+  {
+    pattern: /PG_SLEEP\s*\(/gi,
+    name: "PostgreSQL pg_sleep",
+    severity: "high"
+  },
+  // Medium severity - Likely attacks
+  {
+    pattern: /'\s*--/g,
+    name: "SQL comment injection",
+    severity: "medium"
+  },
+  {
+    pattern: /'\s*#/g,
+    name: "MySQL comment injection",
+    severity: "medium"
+  },
+  {
+    pattern: /\/\*[\s\S]*?\*\//g,
+    name: "Block comment",
+    severity: "medium"
+  },
+  {
+    pattern: /'\s*;\s*$/g,
+    name: "Statement terminator",
+    severity: "medium"
+  },
+  {
+    pattern: /HAVING\s+\d+\s*=\s*\d+/gi,
+    name: "HAVING clause injection",
+    severity: "medium"
+  },
+  {
+    pattern: /GROUP\s+BY\s+\d+/gi,
+    name: "GROUP BY injection",
+    severity: "medium"
+  },
+  {
+    pattern: /ORDER\s+BY\s+\d+/gi,
+    name: "ORDER BY injection",
+    severity: "medium"
+  },
+  {
+    pattern: /CONCAT\s*\(/gi,
+    name: "CONCAT function",
+    severity: "medium"
+  },
+  {
+    pattern: /CHAR\s*\(\s*\d+\s*\)/gi,
+    name: "CHAR function bypass",
+    severity: "medium"
+  },
+  {
+    pattern: /0x[0-9a-f]{2,}/gi,
+    name: "Hex encoded value",
+    severity: "medium"
+  },
+  {
+    pattern: /CONVERT\s*\(/gi,
+    name: "CONVERT function",
+    severity: "medium"
+  },
+  {
+    pattern: /CAST\s*\(/gi,
+    name: "CAST function",
+    severity: "medium"
+  },
+  // Low severity - Suspicious but may be false positives
+  {
+    pattern: /'\s*AND\s+'?\d+'?\s*=\s*'?\d+'?/gi,
+    name: "AND '1'='1' pattern",
+    severity: "low"
+  },
+  {
+    pattern: /'\s*AND\s+'[^']*'\s*=\s*'[^']*'/gi,
+    name: "AND 'x'='x' pattern",
+    severity: "low"
+  },
+  {
+    pattern: /SELECT\s+[\w\s,*]+\s+FROM/gi,
+    name: "SELECT statement",
+    severity: "low"
+  },
+  {
+    pattern: /'\s*\+\s*'/g,
+    name: "String concatenation",
+    severity: "low"
+  },
+  {
+    pattern: /'\s*\|\|\s*'/g,
+    name: "Oracle string concatenation",
+    severity: "low"
+  }
+];
+var ENCODED_PATTERNS = [
+  {
+    pattern: /%27\s*%4f%52\s*%27/gi,
+    // URL encoded ' OR '
+    name: "URL encoded OR injection",
+    severity: "high"
+  },
+  {
+    pattern: /%27\s*%2d%2d/gi,
+    // URL encoded ' --
+    name: "URL encoded comment injection",
+    severity: "medium"
+  },
+  {
+    pattern: /\0|%00/g,
+    // Null byte (decoded or encoded)
+    name: "Null byte injection",
+    severity: "high"
+  },
+  {
+    pattern: /\\x27/gi,
+    // Hex escape
+    name: "Hex escaped quote",
+    severity: "medium"
+  },
+  {
+    pattern: /\\u0027/gi,
+    // Unicode escape
+    name: "Unicode escaped quote",
+    severity: "medium"
+  }
+];
+function normalizeInput(input) {
+  let result = input;
+  try {
+    result = decodeURIComponent(result);
+  } catch {
+  }
+  result = result.replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#(\d+);?/gi, (_, dec) => String.fromCharCode(parseInt(dec, 10))).replace(/&quot;/gi, '"').replace(/&apos;/gi, "'").replace(/&lt;/gi, "<").replace(/&gt;/gi, ">").replace(/&amp;/gi, "&");
+  result = result.replace(
+    /\\x([0-9a-f]{2})/gi,
+    (_, hex) => String.fromCharCode(parseInt(hex, 16))
+  );
+  result = result.replace(
+    /\\u([0-9a-f]{4})/gi,
+    (_, hex) => String.fromCharCode(parseInt(hex, 16))
+  );
+  return result;
+}
+function detectSQLInjection(input, options = {}) {
+  if (!input || typeof input !== "string") return [];
+  const {
+    customPatterns = [],
+    checkEncoded = true,
+    minSeverity = "low"
+  } = options;
+  const severityOrder = { low: 0, medium: 1, high: 2 };
+  const minSeverityLevel = severityOrder[minSeverity];
+  const detections = [];
+  const seenPatterns = /* @__PURE__ */ new Set();
+  const normalizedInput = checkEncoded ? normalizeInput(input) : input;
+  const allPatterns = [
+    ...SQL_PATTERNS,
+    ...checkEncoded ? ENCODED_PATTERNS : [],
+    ...customPatterns.map((p) => ({ pattern: p, name: "Custom pattern", severity: "high" }))
+  ];
+  for (const { pattern, name, severity } of allPatterns) {
+    if (severityOrder[severity] < minSeverityLevel) continue;
+    pattern.lastIndex = 0;
+    const testInput = checkEncoded ? normalizedInput : input;
+    if (pattern.test(testInput)) {
+      const key = `${name}:${severity}`;
+      if (!seenPatterns.has(key)) {
+        seenPatterns.add(key);
+        detections.push({
+          field: "",
+          // Will be set by caller
+          value: input,
+          pattern: name,
+          severity
+        });
+      }
+    }
+  }
+  return detections;
+}
+function hasSQLInjection(input, minSeverity = "medium") {
+  return detectSQLInjection(input, { minSeverity }).length > 0;
+}
+function sanitizeSQLInput(input) {
+  if (!input || typeof input !== "string") return "";
+  let result = input;
+  result = result.replace(/\0/g, "");
+  result = result.replace(/'/g, "''");
+  result = result.replace(/;/g, "");
+  result = result.replace(/--/g, "");
+  result = result.replace(/\/\*/g, "");
+  result = result.replace(/\*\//g, "");
+  result = result.replace(/0x[0-9a-f]+/gi, "");
+  return result;
+}
+function detectSQLInjectionInObject(obj, options = {}) {
+  const { fields, deep = true, customPatterns, minSeverity } = options;
+  const detections = [];
+  function walk(value, path) {
+    if (typeof value === "string") {
+      if (fields && fields.length > 0) {
+        const fieldName = path.split(".").pop() || path;
+        if (!fields.includes(fieldName)) return;
+      }
+      const detected = detectSQLInjection(value, { customPatterns, minSeverity });
+      for (const d of detected) {
+        detections.push({ ...d, field: path });
+      }
+    } else if (deep && Array.isArray(value)) {
+      value.forEach((item, i) => walk(item, `${path}[${i}]`));
+    } else if (deep && typeof value === "object" && value !== null) {
+      for (const [key, val] of Object.entries(value)) {
+        walk(val, path ? `${path}.${key}` : key);
+      }
+    }
+  }
+  walk(obj, "");
+  return detections;
+}
+function isAllowedValue(value, allowList) {
+  if (!allowList || allowList.length === 0) return false;
+  return allowList.includes(value);
+}
+
+// src/middleware/validation/middleware.ts
+function withValidation(handler, config) {
+  const onError = config.onError || ((_, errors) => defaultValidationErrorResponse(errors));
+  return async (req) => {
+    const result = await validateRequest(req, {
+      body: config.body,
+      query: config.query,
+      params: config.params,
+      routeParams: config.routeParams
+    });
+    if (!result.success) {
+      return onError(req, result.errors || []);
+    }
+    return handler(req, { validated: result.data });
+  };
+}
+function withSanitization(handler, config = {}) {
+  const {
+    fields,
+    mode = "escape",
+    allowedTags,
+    skip,
+    onSanitized
+  } = config;
+  return async (req) => {
+    if (skip && await skip(req)) {
+      return handler(req, { sanitized: null, changes: [] });
+    }
+    let body;
+    try {
+      body = await req.json();
+    } catch {
+      return handler(req, { sanitized: null, changes: [] });
+    }
+    const changes = [];
+    const sanitized = walkObject(body, (value, path) => {
+      if (fields && fields.length > 0) {
+        const fieldName = path.split(".").pop() || path;
+        if (!fields.includes(fieldName)) {
+          return value;
+        }
+      }
+      const cleaned = sanitize(value, { mode, allowedTags });
+      if (cleaned !== value) {
+        changes.push({
+          field: path,
+          original: value,
+          sanitized: cleaned
+        });
+      }
+      return cleaned;
+    }, "");
+    if (onSanitized && changes.length > 0) {
+      onSanitized(req, changes);
+    }
+    return handler(req, { sanitized, changes });
+  };
+}
+function withXSSProtection(handler, config = {}) {
+  const { fields, onDetection, checkQuery = true } = config;
+  return async (req) => {
+    const detections = [];
+    if (checkQuery) {
+      const url = new URL(req.url);
+      for (const [key, value] of url.searchParams.entries()) {
+        if (detectXSS(value)) {
+          detections.push({ field: `query.${key}`, value });
+        }
+      }
+    }
+    let body;
+    try {
+      body = await req.json();
+    } catch {
+      body = null;
+    }
+    if (body) {
+      walkObject(body, (value, path) => {
+        if (fields && fields.length > 0) {
+          const fieldName = path.split(".").pop() || path;
+          if (!fields.includes(fieldName)) {
+            return value;
+          }
+        }
+        if (detectXSS(value)) {
+          detections.push({ field: path, value });
+        }
+        return value;
+      }, "");
+    }
+    if (detections.length > 0) {
+      if (onDetection) {
+        for (const { field, value } of detections) {
+          const result = await onDetection(req, field, value);
+          if (result instanceof Response) {
+            return result;
+          }
+        }
+      }
+      return new Response(
+        JSON.stringify({
+          error: "xss_detected",
+          message: "Potentially malicious content detected",
+          fields: detections.map((d) => d.field)
+        }),
+        {
+          status: 400,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    return handler(req);
+  };
+}
+function withSQLProtection(handler, config = {}) {
+  const {
+    fields,
+    deep = true,
+    mode = "block",
+    customPatterns,
+    allowList = [],
+    onDetection
+  } = config;
+  return async (req) => {
+    let body;
+    try {
+      body = await req.json();
+    } catch {
+      return handler(req);
+    }
+    const detections = detectSQLInjectionInObject(body, {
+      fields,
+      deep,
+      customPatterns,
+      minSeverity: mode === "detect" ? "low" : "medium"
+    });
+    const filtered = detections.filter((d) => !allowList.includes(d.value));
+    if (filtered.length > 0) {
+      if (onDetection) {
+        const result = await onDetection(req, filtered);
+        if (result instanceof Response) {
+          return result;
+        }
+      }
+      if (mode === "block") {
+        return new Response(
+          JSON.stringify({
+            error: "sql_injection_detected",
+            message: "Potentially malicious SQL detected",
+            detections: filtered.map((d) => ({
+              field: d.field,
+              pattern: d.pattern,
+              severity: d.severity
+            }))
+          }),
+          {
+            status: 400,
+            headers: { "Content-Type": "application/json" }
+          }
+        );
+      }
+    }
+    return handler(req);
+  };
+}
+function withContentType(handler, config) {
+  const onInvalid = config.onInvalid || ((_, contentType) => defaultContentTypeErrorResponse(contentType, `Content-Type '${contentType}' is not allowed`));
+  return async (req) => {
+    const result = validateContentType(req, config);
+    if (!result.valid) {
+      return onInvalid(req, result.contentType);
+    }
+    return handler(req);
+  };
+}
+function withFileValidation(handler, config = {}) {
+  const onInvalid = config.onInvalid || ((_, errors) => defaultFileErrorResponse(errors));
+  return async (req) => {
+    const result = await validateFilesFromRequest(req, config);
+    if (!result.valid) {
+      return onInvalid(req, result.errors);
+    }
+    return handler(req, { files: result.files });
+  };
+}
+function withSecureValidation(handler, config) {
+  return async (req) => {
+    const allErrors = [];
+    if (config.contentType) {
+      const ctResult = validateContentType(req, config.contentType);
+      if (!ctResult.valid) {
+        allErrors.push({
+          field: "Content-Type",
+          code: "invalid_content_type",
+          message: ctResult.reason || "Invalid Content-Type"
+        });
+      }
+    }
+    let files;
+    if (config.files) {
+      const fileResult = await validateFilesFromRequest(req, config.files);
+      if (!fileResult.valid) {
+        allErrors.push(...fileResult.errors.map((e) => ({
+          field: e.field || e.filename,
+          code: e.code,
+          message: e.message
+        })));
+      } else {
+        files = fileResult.files;
+      }
+    }
+    if (allErrors.length > 0) {
+      const onError = config.onError || ((_, errors) => defaultValidationErrorResponse(errors));
+      return onError(req, allErrors);
+    }
+    let validated;
+    if (config.schema) {
+      const schemaResult = await validateRequest(req, {
+        body: config.schema.body,
+        query: config.schema.query,
+        params: config.schema.params,
+        routeParams: config.routeParams
+      });
+      if (!schemaResult.success) {
+        allErrors.push(...schemaResult.errors || []);
+      } else {
+        validated = schemaResult.data;
+      }
+    } else {
+      validated = {
+        body: {},
+        query: {},
+        params: {}
+      };
+    }
+    if (config.sql && validated?.body) {
+      const sqlDetections = detectSQLInjectionInObject(validated.body, {
+        fields: config.sql.fields,
+        deep: config.sql.deep,
+        customPatterns: config.sql.customPatterns
+      });
+      if (sqlDetections.length > 0 && config.sql.mode !== "detect") {
+        allErrors.push(...sqlDetections.map((d) => ({
+          field: d.field,
+          code: "sql_injection",
+          message: `Potential SQL injection detected: ${d.pattern}`
+        })));
+      }
+    }
+    if (config.xss?.enabled && validated?.body) {
+      walkObject(validated.body, (value, path) => {
+        if (config.xss?.fields && config.xss.fields.length > 0) {
+          const fieldName = path.split(".").pop() || path;
+          if (!config.xss.fields.includes(fieldName)) {
+            return value;
+          }
+        }
+        if (detectXSS(value)) {
+          allErrors.push({
+            field: path,
+            code: "xss_detected",
+            message: "Potentially malicious content detected"
+          });
+        }
+        return value;
+      }, "");
+    }
+    if (allErrors.length > 0) {
+      const onError = config.onError || ((_, errors) => defaultValidationErrorResponse(errors));
+      return onError(req, allErrors);
+    }
+    return handler(req, { validated, files });
+  };
+}
+
+export { DANGEROUS_EXTENSIONS, DEFAULT_MAX_FILES, DEFAULT_MAX_FILE_SIZE, MIME_TYPES, allValid, checkMagicNumber, createValidator, defaultContentTypeErrorResponse, defaultFileErrorResponse, defaultValidationErrorResponse, detectFileType, detectSQLInjection, detectSQLInjectionInObject, detectXSS, escapeHtml, extractFilesFromFormData, getByPath, getExtension, getFilename, getMultipartBoundary, hasPathTraversal, hasSQLInjection, isAllowedContentType, isAllowedValue, isCustomSchema, isFormRequest, isHiddenPath, isJsonRequest, isMultipartRequest, isPathContained, isSafeUrl, isZodSchema, mergeErrors, parseContentType, parseQueryString, sanitize, sanitizeFields, sanitizeFilename, sanitizeHtml, sanitizeObject, sanitizePath, sanitizeSQLInput, setByPath, stripHtml, unescapeHtml, validate, validateBody, validateContentType, validateCustomSchema, validateField, validateFile, validateFiles, validateFilesFromRequest, validateParams, validatePath, validateQuery, validateRequest, validateZodSchema, walkObject, withContentType, withFileValidation, withSQLProtection, withSanitization, withSecureValidation, withValidation, withXSSProtection };
+//# sourceMappingURL=validation.js.map
+//# sourceMappingURL=validation.js.map