pulse-js-framework 1.11.3 → 1.11.4

package/runtime/server-components/error-sanitizer.js

@@ -26,24 +26,24 @@ const log = loggers.dom;
  * Covers secrets, connection strings, file paths, env vars.
  */
 const SENSITIVE_MESSAGE_PATTERNS = [
-  // Connection strings
-  /postgres:\/\/[^@]+@[^/]+/gi,          // PostgreSQL
-  /mongodb(\+srv)?:\/\/[^@]+@[^/]+/gi,   // MongoDB
-  /mysql:\/\/[^@]+@[^/]+/gi,             // MySQL
-  /redis:\/\/[^@]+@[^/]+/gi,             // Redis
+  // Connection strings - bound quantifiers to prevent ReDoS on strings without '@'
+  /postgres:\/\/[^@\s]{1,256}@[^/\s]{1,256}/gi,          // PostgreSQL
+  /mongodb(?:\+srv)?:\/\/[^@\s]{1,256}@[^/\s]{1,256}/gi, // MongoDB
+  /mysql:\/\/[^@\s]{1,256}@[^/\s]{1,256}/gi,             // MySQL
+  /redis:\/\/[^@\s]{1,256}@[^/\s]{1,256}/gi,             // Redis
 
-  // API keys and tokens (common formats)
-  /[a-zA-Z0-9_-]{20,}/g,                 // Generic long tokens
+  // API keys and tokens (common formats) - bounded
+  /[a-zA-Z0-9_-]{20,200}/g,              // Generic long tokens
 
-  // Environment variable values (KEY=value patterns)
-  /\b[A-Z_]+=[^\s]+/g,
+  // Environment variable values (KEY=value patterns) - bounded
+  /\b[A-Z_]{1,100}=[^\s]{1,500}/g,
 
-  // File paths (Unix and Windows)
-  /\/[a-zA-Z0-9_\-./]+\.(js|ts|json|env|config)/gi,
-  /[A-Z]:\\[^"\s]+\.(js|ts|json|env|config)/gi,
+  // File paths (Unix and Windows) - non-overlapping segments, bounded
+  /\/[a-zA-Z0-9_-]{1,100}(?:\/[a-zA-Z0-9_-]{1,100}){0,20}\.[a-z]{1,6}/gi,
+  /[A-Z]:\\[a-zA-Z0-9_-]{1,100}(?:\\[a-zA-Z0-9_-]{1,100}){0,20}\.[a-z]{1,6}/gi,
 
-  // Email addresses
-  /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g,
+  // Email addresses - bounded segments to prevent ReDoS
+  /\b[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,20}\b/g,
 
   // IP addresses
   /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g
@@ -152,11 +152,11 @@ export function sanitizeStackTrace(stack) {
     // First, strip absolute paths to relative paths
     let sanitizedLine = line;
 
-    // Replace absolute paths with relative (Unix)
-    sanitizedLine = sanitizedLine.replace(/\/[a-zA-Z0-9_\-./]+\/([a-zA-Z0-9_\-./]+\.(js|ts))/g, '$1');
+    // Replace absolute paths with relative (Unix) - bounded segments to avoid ReDoS
+    sanitizedLine = sanitizedLine.replace(/\/[a-zA-Z0-9_-]{1,100}(?:\/[a-zA-Z0-9_-]{1,100}){0,30}\/([a-zA-Z0-9_.-]{1,100}\.(js|ts))/g, '$1');
 
-    // Replace absolute paths with relative (Windows)
-    sanitizedLine = sanitizedLine.replace(/[A-Z]:\\[^"]+\\([a-zA-Z0-9_\-./\\]+\.(js|ts))/g, '$1');
+    // Replace absolute paths with relative (Windows) - bounded segments to avoid ReDoS
+    sanitizedLine = sanitizedLine.replace(/[A-Z]:\\[a-zA-Z0-9_-]{1,100}(?:\\[a-zA-Z0-9_-]{1,100}){0,30}\\([a-zA-Z0-9_.-]{1,100}\.(js|ts))/g, '$1');
 
     // NOW filter out internal/sensitive paths (after path conversion)
     let shouldFilter = false;

package/runtime/server-components/security.js

@@ -66,10 +66,15 @@ const SECRET_PATTERNS = [
  */
 const XSS_PATTERNS = {
   scriptTag: /<script[\s>]/i,
-  eventHandler: /<[^>]+on\w+\s*=/i,
+  // Use non-overlapping groups: match tag name chars then specifically 'on' + handler name
+  // Avoids ReDoS by limiting [^>] to {1,1000} and using non-greedy match
+  eventHandler: /<[^>]{1,1000}?\bon\w+\s*=/i,
   javascriptProtocol: /javascript:/i,
   vbscriptProtocol: /vbscript:/i,
-  dataHtmlProtocol: /data:text\/html/i
+  // Match dangerous data: URIs - block data: with executable MIME types and SVG
+  dataProtocol: /data:\s*(?:text\/(?:html|javascript|xml)|image\/svg\+xml|application\/(?:javascript|x-javascript|ecmascript|xhtml\+xml|xml))/i,
+  // Catch-all for data: URIs not in allowlist (used in URL validation)
+  dataAny: /^\s*data\s*:/i
 };
 
 // ============================================================================
@@ -221,39 +226,51 @@ export function sanitizePropsForXSS(props, componentId) {
       let sanitized = value;
       let modified = false;
 
-      // Check for script tags
+      // Check for script tags - use loop to handle incomplete multi-character sanitization
       if (XSS_PATTERNS.scriptTag.test(sanitized)) {
         log.warn(`PSC: Script tag detected in prop '${path}' for '${componentId}'`);
-        sanitized = sanitized.replace(/<script[\s>]/gi, '&lt;script');
+        // Loop until all <script patterns are removed (handles nested/overlapping)
+        let prev;
+        do {
+          prev = sanitized;
+          sanitized = sanitized.replace(/<script[\s>]/gi, '&lt;script ');
+        } while (sanitized !== prev);
         modified = true;
       }
 
       // Check for event handlers in HTML-like content
       if (XSS_PATTERNS.eventHandler.test(sanitized)) {
         log.warn(`PSC: Event handler detected in prop '${path}' for '${componentId}'`);
-        sanitized = sanitized.replace(/on\w+\s*=/gi, 'data-blocked-event=');
+        sanitized = sanitized.replace(/\bon\w{1,50}\s*=/gi, 'data-blocked-event=');
         modified = true;
       }
 
-      // Check for javascript: protocol
-      if (XSS_PATTERNS.javascriptProtocol.test(sanitized)) {
-        log.warn(`PSC: javascript: protocol detected in prop '${path}' for '${componentId}'`);
-        sanitized = sanitized.replace(/javascript:/gi, 'blocked:');
-        modified = true;
-      }
-
-      // Check for vbscript: protocol
-      if (XSS_PATTERNS.vbscriptProtocol.test(sanitized)) {
-        log.warn(`PSC: vbscript: protocol detected in prop '${path}' for '${componentId}'`);
-        sanitized = sanitized.replace(/vbscript:/gi, 'blocked:');
-        modified = true;
-      }
-
-      // Check for data:text/html (can execute scripts)
-      if (XSS_PATTERNS.dataHtmlProtocol.test(sanitized)) {
-        log.warn(`PSC: data:text/html protocol detected in prop '${path}' for '${componentId}'`);
-        sanitized = sanitized.replace(/data:text\/html/gi, 'data:text/plain');
-        modified = true;
+      // Check for dangerous URL protocols: javascript:, vbscript:, data:
+      // All three are checked together to ensure complete URL scheme validation.
+      {
+        const DANGEROUS_PROTOCOLS = /(?:javascript|vbscript|data)\s*:/i;
+        if (DANGEROUS_PROTOCOLS.test(sanitized)) {
+          // Block javascript: and vbscript: unconditionally
+          if (/javascript\s*:/i.test(sanitized)) {
+            log.warn(`PSC: javascript: protocol detected in prop '${path}' for '${componentId}'`);
+            sanitized = sanitized.replace(/javascript\s*:/gi, 'blocked:');
+            modified = true;
+          }
+          if (/vbscript\s*:/i.test(sanitized)) {
+            log.warn(`PSC: vbscript: protocol detected in prop '${path}' for '${componentId}'`);
+            sanitized = sanitized.replace(/vbscript\s*:/gi, 'blocked:');
+            modified = true;
+          }
+          // Block data: URIs except safe image/text types - neutralize to data:text/plain
+          if (/data\s*:/i.test(sanitized)) {
+            const SAFE_DATA = /data:\s*(?:text\/plain|image\/(?:png|jpe?g|gif|webp|bmp|ico))(?:[;,]|$)/i;
+            if (!SAFE_DATA.test(sanitized)) {
+              log.warn(`PSC: blocked data: URI in prop '${path}' for '${componentId}'`);
+              sanitized = sanitized.replace(/data\s*:[^\s)"']{0,500}/gi, 'data:text/plain');
+              modified = true;
+            }
+          }
+        }
       }
 
       return sanitized;

package/runtime/ssr-preload.js

@@ -183,9 +183,11 @@ export function hintsToHTML(hints) {
   if (!hints || hints.length === 0) return '';
 
   return hints.map(hint => {
-    const parts = [`rel="${hint.rel}"`, `href="${escapeHTML(hint.href)}"`];
-    if (hint.as) parts.push(`as="${hint.as}"`);
-    if (hint.type) parts.push(`type="${hint.type}"`);
+    // Escape all attribute values for safe use in HTML (& < > and double quotes)
+    const escapeAttr = (v) => escapeHTML(v).replace(/"/g, '&quot;');
+    const parts = [`rel="${escapeAttr(hint.rel)}"`, `href="${escapeAttr(hint.href)}"`];
+    if (hint.as) parts.push(`as="${escapeAttr(hint.as)}"`);
+    if (hint.type) parts.push(`type="${escapeAttr(hint.type)}"`);
     if (hint.crossorigin) parts.push('crossorigin');
     return `<link ${parts.join(' ')}>`;
   }).join('\n');