qumra-engine 2.0.161 → 2.0.162

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/middleware.js +7 -2
  2. package/dist/utils/isPathAllowedToRender.d.ts +9 -1
  3. package/dist/utils/isPathAllowedToRender.js +32 -14
  4. package/package.json +1 -1
package/dist/middleware.js CHANGED
@@ -86,8 +86,13 @@ const startEngine = async ({ renderApi, mode, getRender, setRender, port = 3000,
86
86
  // app.use("/api", devRouter);
87
87
  }
88
88
  app.use((req, res, next) => {
89
- if (!(0, isPathAllowedToRender_1.isPathAllowedToRender)(res.locals.parsedUrl?.pathname || req.path)) {
90
- return res.status(404).end();
89
+ const path = res.locals.parsedUrl?.pathname || req.path;
90
+ const result = (0, isPathAllowedToRender_1.validatePathForRender)(path);
91
+ if (!result.allowed) {
92
+ return res.status(result.status).json({
93
+ success: false,
94
+ message: result.reason,
95
+ });
91
96
  }
92
97
  next();
93
98
  });
package/dist/utils/isPathAllowedToRender.d.ts CHANGED
@@ -1 +1,9 @@
1
- export declare const isPathAllowedToRender: (filePath: string) => boolean;
1
+ export declare const validatePathForRender: (filePath: string) => {
2
+ allowed: boolean;
3
+ status: number;
4
+ reason: string;
5
+ } | {
6
+ allowed: boolean;
7
+ status: number;
8
+ reason?: undefined;
9
+ };
package/dist/utils/isPathAllowedToRender.js CHANGED
@@ -1,15 +1,25 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.isPathAllowedToRender = void 0;
4
- const isPathAllowedToRender = (filePath) => {
3
+ exports.validatePathForRender = void 0;
4
+ const validatePathForRender = (filePath) => {
5
5
  const lower = filePath.toLowerCase();
6
- // ❌ ممنوع أي امتداد (html/js/php/…)
7
- if (/\.[a-z0-9]+$/i.test(lower))
8
- return false;
9
- // ❌ امتدادات خطيرة للبوتات والهكر
10
- if (/\.(php|php5|php7|phtml|phar)$/i.test(lower))
11
- return false;
12
- // ❌ مسارات مشهورة للهجمات
6
+ // ❌ لو فيه امتداد → مرفوض
7
+ if (/\.[a-z0-9]+$/i.test(lower)) {
8
+ return {
9
+ allowed: false,
10
+ status: 400,
11
+ reason: "File path must not contain an extension",
12
+ };
13
+ }
14
+ // ❌ امتدادات خطيرة للهكر والبوتات
15
+ if (/\.(php|php5|php7|phtml|phar)$/i.test(lower)) {
16
+ return {
17
+ allowed: false,
18
+ status: 403,
19
+ reason: "Dangerous extension blocked",
20
+ };
21
+ }
22
+ // ❌ مسارات الهجمات الشائعة
13
23
  const blockedPaths = [
14
24
  "wp-admin",
15
25
  "wp-login",
@@ -23,7 +33,6 @@ const isPathAllowedToRender = (filePath) => {
23
33
  "composer.lock",
24
34
  "shell",
25
35
  "id_rsa",
26
- "login",
27
36
  "phpinfo",
28
37
  "server-status",
29
38
  "cgi-bin",
@@ -32,8 +41,17 @@ const isPathAllowedToRender = (filePath) => {
32
41
  "dump",
33
42
  "database",
34
43
  ];
35
- if (blockedPaths.some(p => lower.includes(p)))
36
- return false;
37
- return true;
44
+ if (blockedPaths.some(p => lower.includes(p))) {
45
+ return {
46
+ allowed: false,
47
+ status: 403,
48
+ reason: "Blocked path pattern detected",
49
+ };
50
+ }
51
+ // ✅ لو كل شيء تمام
52
+ return {
53
+ allowed: true,
54
+ status: 200,
55
+ };
38
56
  };
39
- exports.isPathAllowedToRender = isPathAllowedToRender;
57
+ exports.validatePathForRender = validatePathForRender;
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "qumra-engine",
3
- "version": "2.0.161",
3
+ "version": "2.0.162",
4
4
  "main": "dist/index.js",
5
5
  "types": "dist/index.d.ts",
6
6
  "scripts": {