xypriss 1.2.4 → 1.3.0

package/dist/cjs/src/server/plugins/core/SecurityPlugin.js

@@ -1,799 +0,0 @@
-'use strict';
-
-var index$1 = require('../../../../mods/security/src/components/fortified-function/index.js');
-var hashCore = require('../../../../mods/security/src/core/hash/hash-core.js');
-require('../../../../mods/security/src/core/hash/hash-types.js');
-require('crypto');
-require('../../../../mods/security/src/core/hash/hash-security.js');
-require('../../../../mods/security/src/core/hash/hash-advanced.js');
-require('../../../../mods/security/src/algorithms/hash-algorithms.js');
-var PluginTypes = require('../types/PluginTypes.js');
-var index = require('../../../../mods/security/src/index.js');
-
-/**
- * Security Plugin Base Class - Ultra-Fast Security Framework
- *
- * Lean, ultra-fast security plugin framework providing essential security infrastructure
- * while allowing users to plug in their own authentication/authorization systems.
- *
- * Performance Target: <2ms execution time for security operations
- * Focus: Framework-level security that integrates with any authentication system
- */
-// import { sqlPatterns, xssPatterns } from "../../../../mods/security/src/utils/patterns";
-// import { SecurityRateLimiter } from "../../../../mods/security/src/utils/securityUtils";
-// import { TamperEvidentLogger, LogLevel } from "../../../../mods/security/src/components/tamper-evident-logging";
-// Fallback implementations for missing imports
-const sqlPatterns = [/union.*select/i, /drop.*table/i, /insert.*into/i];
-const xssPatterns = [/<script/i, /javascript:/i, /on\w+\s*=/i];
-var LogLevel;
-(function (LogLevel) {
-    LogLevel["INFO"] = "info";
-    LogLevel["WARN"] = "warn";
-    LogLevel["ERROR"] = "error";
-})(LogLevel || (LogLevel = {}));
-/**
- * Abstract base class for security plugins
- */
-class SecurityPlugin {
-    constructor() {
-        this.type = PluginTypes.PluginType.SECURITY;
-        this.priority = PluginTypes.PluginPriority.HIGH;
-        this.isAsync = true;
-        this.isCacheable = false; // Security operations should not be cached
-        this.maxExecutionTime = 2000; // 2ms max for security operations
-        // Security configuration
-        this.securityLevel = "enhanced";
-        this.encryptionRequired = true;
-        this.auditLogging = true;
-    }
-    /**
-     * Initialize security plugin with XyPrissJS utilities
-     */
-    async initialize(context) {
-        // Initialize XyPrissJS security utilities
-        this.hashUtil = hashCore.Hash;
-        this.secureObjectUtil = index.fObject;
-        // Initialize audit logging with fallback implementation
-        this.auditLogger = {
-            log: (level, message, data) => {
-                console.log(`[${level}] ${message}`, data);
-            },
-        };
-        // Initialize rate limiting with fallback implementation
-        this.rateLimiter = {
-            isAllowed: (key) => true, // Fallback always allows
-            recordAttempt: (key) => { },
-            reset: (key) => { },
-        };
-        this.slidingWindowLimiter = new Map();
-        // Create fortified execution wrapper for ultra-fast security operations
-        this.fortifiedExecute = index$1.func(async (operation) => {
-            return await operation();
-        }, {
-            ultraFast: "maximum",
-            autoEncrypt: this.encryptionRequired,
-            auditLog: this.auditLogging,
-            timeout: this.maxExecutionTime,
-            errorHandling: "graceful",
-        });
-        // Perform plugin-specific initialization
-        await this.initializeSecurityPlugin(context);
-    }
-    /**
-     * Execute security plugin with comprehensive protection
-     */
-    async execute(context) {
-        const startTime = performance.now();
-        try {
-            // Pre-execution security checks
-            const preCheckResult = await this.preExecutionSecurityCheck(context);
-            if (!preCheckResult.success) {
-                return preCheckResult;
-            }
-            // Execute main security logic
-            const result = await this.fortifiedExecute(async () => {
-                return await this.executeSecurityLogic(context);
-            });
-            const executionTime = performance.now() - startTime;
-            // Post-execution security validation
-            const validationResult = await this.postExecutionValidation(context, result);
-            if (!validationResult.success) {
-                return validationResult;
-            }
-            // Log security event if audit logging is enabled
-            if (this.auditLogging) {
-                await this.logSecurityEvent(context, result, executionTime);
-            }
-            return {
-                success: true,
-                executionTime,
-                data: result,
-                shouldContinue: true,
-            };
-        }
-        catch (error) {
-            const executionTime = performance.now() - startTime;
-            // Log security error
-            await this.logSecurityError(context, error, executionTime);
-            return {
-                success: false,
-                executionTime,
-                error,
-                shouldContinue: this.shouldContinueOnError(error),
-            };
-        }
-    }
-    /**
-     * Validate input data for security threats
-     */
-    async validateInput(context) {
-        try {
-            // Validate request body
-            if (context.req.body &&
-                !this.validateRequestBody(context.req.body)) {
-                return false;
-            }
-            // Validate query parameters
-            if (context.req.query &&
-                !this.validateQueryParameters(context.req.query)) {
-                return false;
-            }
-            // Validate headers
-            if (!this.validateHeaders(context.req.headers)) {
-                return false;
-            }
-            return true;
-        }
-        catch (error) {
-            console.error(`Input validation error in plugin ${this.id}:`, error);
-            return false;
-        }
-    }
-    /**
-     * Sanitize data to prevent security vulnerabilities
-     */
-    sanitizeData(data) {
-        if (!data)
-            return data;
-        try {
-            // Use fObject for secure data handling
-            const secureData = this.secureObjectUtil(data);
-            // Apply sanitization rules
-            return this.applySanitizationRules(secureData.getAll());
-        }
-        catch (error) {
-            console.error(`Data sanitization error in plugin ${this.id}:`, error);
-            return data; // Return original data if sanitization fails
-        }
-    }
-    // ===== SECURITY IMPLEMENTATIONS =====
-    /**
-     * Initialize plugin-specific security features
-     * implementation with comprehensive security setup
-     */
-    async initializeSecurityPlugin(context) {
-        try {
-            // Initialize security patterns from configuration
-            if (context.config.customSettings.securityPatterns) {
-                this.initializeSecurityPatterns(context.config.customSettings.securityPatterns);
-            }
-            // Setup rate limiting thresholds
-            if (context.config.customSettings.rateLimiting) {
-                this.setupRateLimitingConfig(context.config.customSettings.rateLimiting);
-            }
-            // Note: Authentication providers should be implemented by users
-            // This framework provides only the security infrastructure
-            // Setup security monitoring
-            if (context.config.enableAuditLogging) {
-                this.setupSecurityMonitoring(context);
-            }
-            context.logger.info(`Security plugin ${this.constructor.name} initialized successfully`);
-        }
-        catch (error) {
-            context.logger.error(`Error initializing security plugin: ${error.message}`, error);
-            throw error;
-        }
-    }
-    /**
-     * Execute main security logic
-     * implementation with comprehensive security checks
-     */
-    async executeSecurityLogic(context) {
-        try {
-            const securityResults = {
-                inputValidation: false,
-                rateLimitCheck: false,
-                threatDetection: false,
-                authenticationStatus: context.security.isAuthenticated,
-                securityScore: 0,
-                threats: [],
-                recommendations: [],
-            };
-            // Perform input validation
-            securityResults.inputValidation = await this.validateInput(context);
-            if (!securityResults.inputValidation) {
-                securityResults.threats.push("Invalid input detected");
-            }
-            // Perform threat detection
-            securityResults.threatDetection =
-                !this.detectSuspiciousActivity(context);
-            if (!securityResults.threatDetection) {
-                securityResults.threats.push("Suspicious activity detected");
-            }
-            // Calculate security score
-            securityResults.securityScore =
-                this.calculateSecurityScore(securityResults);
-            // Generate security recommendations
-            securityResults.recommendations =
-                this.generateSecurityRecommendations(securityResults);
-            return securityResults;
-        }
-        catch (error) {
-            console.error(`Error executing security logic: ${error.message}`);
-            return {
-                error: error.message,
-                securityScore: 0,
-                threats: ["Security check failed"],
-            };
-        }
-    }
-    /**
-     * Framework-level authentication validation
-     * Note: Users should implement their own authentication logic
-     */
-    async performAuthentication(authData, context) {
-        try {
-            if (!authData) {
-                return false;
-            }
-            // Framework-level validation only
-            // Users should override this method with their own authentication logic
-            console.warn(`SecurityPlugin.performAuthentication called but not implemented. ` +
-                `Users should implement their own authentication logic for type: ${authData.type}`);
-            return false; // Default to deny access
-        }
-        catch (error) {
-            console.error(`Authentication framework error: ${error.message}`);
-            return false;
-        }
-    }
-    /**
-     * Framework-level authorization validation
-     * Note: Users should implement their own authorization logic
-     */
-    async performAuthorization(context, resource) {
-        try {
-            // Check if user is authenticated
-            if (!context.security.isAuthenticated) {
-                return false;
-            }
-            // Framework-level validation only
-            // Users should override this method with their own authorization logic
-            console.warn(`SecurityPlugin.performAuthorization called but not implemented. ` +
-                `Users should implement their own authorization logic for resource: ${resource}`);
-            return false; // Default to deny access
-        }
-        catch (error) {
-            console.error(`Authorization framework error: ${error.message}`);
-            return false;
-        }
-    }
-    // ===== PROTECTED HELPER METHODS =====
-    /**
-     * Pre-execution security check
-     */
-    async preExecutionSecurityCheck(context) {
-        // Check for common security threats
-        if (this.detectSuspiciousActivity(context)) {
-            return {
-                success: false,
-                executionTime: 0,
-                error: new Error("Suspicious activity detected"),
-                shouldContinue: false,
-            };
-        }
-        return { success: true, executionTime: 0, shouldContinue: true };
-    }
-    /**
-     * Post-execution validation
-     */
-    async postExecutionValidation(_context, result) {
-        // Validate result data
-        if (result && typeof result === "object") {
-            const sanitizedResult = this.sanitizeData(result);
-            if (sanitizedResult !== result) {
-                console.warn(`Plugin ${this.id} result was sanitized`);
-            }
-        }
-        return { success: true, executionTime: 0, shouldContinue: true };
-    }
-    /**
-     * Extract authentication data from request
-     */
-    extractAuthenticationData(context) {
-        const { req } = context;
-        // Extract from Authorization header
-        const authHeader = req.headers.authorization;
-        if (authHeader) {
-            return this.parseAuthorizationHeader(authHeader);
-        }
-        // Extract from cookies
-        if (req.cookies) {
-            return this.parseAuthenticationCookies(req.cookies);
-        }
-        // Extract from session
-        if (req.session) {
-            return this.parseSessionData(req.session);
-        }
-        return null;
-    }
-    /**
-     * Detect suspicious activity patterns
-     */
-    detectSuspiciousActivity(context) {
-        const { req } = context;
-        // Check for SQL injection patterns
-        if (this.containsSqlInjectionPatterns(req)) {
-            return true;
-        }
-        // Check for XSS patterns
-        if (this.containsXssPatterns(req)) {
-            return true;
-        }
-        return false;
-    }
-    /**
-     * Log security event for audit trail
-     *  implementation using TamperEvidentLogger
-     */
-    async logSecurityEvent(context, result, executionTime) {
-        const logData = {
-            pluginId: this.id,
-            executionId: context.executionId,
-            userId: context.security.userId,
-            action: "security_check",
-            result: result ? "success" : "failure",
-            executionTime,
-            ipAddress: context.req.ip,
-            userAgent: context.req.headers["user-agent"],
-            path: context.req.path,
-            method: context.req.method,
-            securityScore: result?.securityScore || 0,
-            threats: result?.threats || [],
-            timestamp: Date.now(),
-        };
-        // Use tamper-evident audit logging
-        this.auditLogger.info(`Security check completed for plugin ${this.id}`, logData);
-    }
-    /**
-     * Log security error
-     *  implementation using TamperEvidentLogger
-     */
-    async logSecurityError(context, error, executionTime) {
-        const logData = {
-            pluginId: this.id,
-            executionId: context.executionId,
-            error: error.message,
-            stack: error.stack,
-            executionTime,
-            ipAddress: context.req.ip,
-            userAgent: context.req.headers["user-agent"],
-            path: context.req.path,
-            method: context.req.method,
-            timestamp: Date.now(),
-        };
-        // Use tamper-evident audit logging for security errors
-        this.auditLogger.error(`Security error in plugin ${this.id}`, logData);
-    }
-    /**
-     * Determine if execution should continue after error
-     */
-    shouldContinueOnError(_error) {
-        // Security errors should generally stop execution
-        return false;
-    }
-    // ===== VALIDATION HELPER METHODS =====
-    validateRequestBody(body) {
-        if (!body || typeof body !== "object") {
-            return true; // No body to validate
-        }
-        try {
-            // Check for suspicious patterns in body
-            const bodyString = JSON.stringify(body);
-            for (const pattern of sqlPatterns) {
-                if (pattern.test(bodyString)) {
-                    console.warn(`SQL injection pattern detected in request body: ${this.id}`);
-                    return false;
-                }
-            }
-            for (const pattern of xssPatterns) {
-                if (pattern.test(bodyString)) {
-                    console.warn(`XSS pattern detected in request body: ${this.id}`);
-                    return false;
-                }
-            }
-            return true;
-        }
-        catch (error) {
-            console.error(`Error validating request body: ${error}`);
-            return false;
-        }
-    }
-    validateQueryParameters(query) {
-        if (!query || typeof query !== "object") {
-            return true; // No query params to validate
-        }
-        try {
-            for (const [key, value] of Object.entries(query)) {
-                if (typeof value === "string") {
-                    // Check for path traversal
-                    if (value.includes("../") || value.includes("..\\")) {
-                        console.warn(`Path traversal detected in query param ${key}: ${this.id}`);
-                        return false;
-                    }
-                    // Check for command injection
-                    const cmdPatterns = [
-                        /[;&|`$()]/,
-                        /\b(cat|ls|pwd|whoami|id|uname|ps|netstat|ifconfig)\b/i,
-                    ];
-                    for (const pattern of cmdPatterns) {
-                        if (pattern.test(value)) {
-                            console.warn(`Command injection pattern detected in query param ${key}: ${this.id}`);
-                            return false;
-                        }
-                    }
-                }
-            }
-            return true;
-        }
-        catch (error) {
-            console.error(`Error validating query parameters: ${error}`);
-            return false;
-        }
-    }
-    validateHeaders(headers) {
-        if (!headers || typeof headers !== "object") {
-            return true; // No headers to validate
-        }
-        try {
-            // Check for suspicious user agents
-            const userAgent = headers["user-agent"];
-            if (userAgent) {
-                const suspiciousPatterns = [
-                    /sqlmap/i,
-                    /nikto/i,
-                    /nessus/i,
-                    /burp/i,
-                    /scanner/i,
-                ];
-                for (const pattern of suspiciousPatterns) {
-                    if (pattern.test(userAgent)) {
-                        console.warn(`Suspicious user agent detected: ${this.id}`);
-                        return false;
-                    }
-                }
-            }
-            // Check for header injection
-            for (const [key, value] of Object.entries(headers)) {
-                if (typeof value === "string") {
-                    if (value.includes("\r") || value.includes("\n")) {
-                        console.warn(`Header injection detected in ${key}: ${this.id}`);
-                        return false;
-                    }
-                }
-            }
-            return true;
-        }
-        catch (error) {
-            console.error(`Error validating headers: ${error}`);
-            return false;
-        }
-    }
-    applySanitizationRules(data) {
-        if (!data || typeof data !== "object") {
-            return data;
-        }
-        try {
-            // Use fObject for secure data handling
-            const secureData = this.secureObjectUtil(data);
-            // Get sanitized data
-            const sanitized = secureData.getAll();
-            // Additional sanitization for common security issues
-            if (sanitized.password) {
-                // Never return passwords in sanitized data
-                delete sanitized.password;
-            }
-            if (sanitized.token && typeof sanitized.token === "string") {
-                // Sanitize tokens to alphanumeric and common token characters only
-                sanitized.token = sanitized.token.replace(/[^A-Za-z0-9._-]/g, "");
-            }
-            return sanitized;
-        }
-        catch (error) {
-            console.error(`Error applying sanitization rules: ${error}`);
-            return data; // Return original data if sanitization fails
-        }
-    }
-    parseAuthorizationHeader(header) {
-        try {
-            if (header.startsWith("Bearer ")) {
-                const token = header.substring(7);
-                return {
-                    type: "bearer",
-                    token: token,
-                    userId: null, // Will be extracted from token
-                };
-            }
-            if (header.startsWith("Basic ")) {
-                const credentials = Buffer.from(header.substring(6), "base64").toString("utf8");
-                const [username, password] = credentials.split(":");
-                return {
-                    type: "basic",
-                    username,
-                    password,
-                    userId: username,
-                };
-            }
-            return null;
-        }
-        catch (error) {
-            console.error(`Error parsing authorization header: ${error}`);
-            return null;
-        }
-    }
-    parseAuthenticationCookies(cookies) {
-        try {
-            if (cookies.token) {
-                return {
-                    type: "cookie",
-                    token: cookies.token,
-                    userId: null, // Will be extracted from token
-                };
-            }
-            if (cookies.sessionId) {
-                return {
-                    type: "session",
-                    sessionId: cookies.sessionId,
-                    userId: null, // Will be extracted from session
-                };
-            }
-            return null;
-        }
-        catch (error) {
-            console.error(`Error parsing authentication cookies: ${error}`);
-            return null;
-        }
-    }
-    parseSessionData(session) {
-        try {
-            if (session.userId) {
-                return {
-                    type: "session",
-                    userId: session.userId,
-                    roles: session.roles || [],
-                    permissions: session.permissions || [],
-                };
-            }
-            return null;
-        }
-        catch (error) {
-            console.error(`Error parsing session data: ${error}`);
-            return null;
-        }
-    }
-    containsSqlInjectionPatterns(req) {
-        try {
-            // Check URL path
-            const path = req.path || "";
-            const query = req.query || {};
-            const body = req.body || {};
-            // Combine all input sources
-            const inputs = [
-                path,
-                JSON.stringify(query),
-                JSON.stringify(body),
-            ].join(" ");
-            return sqlPatterns.some((pattern) => pattern.test(inputs));
-        }
-        catch (error) {
-            console.error(`Error checking SQL injection patterns: ${error}`);
-            return false;
-        }
-    }
-    containsXssPatterns(req) {
-        try {
-            // Check URL path, query, and body
-            const path = req.path || "";
-            const query = req.query || {};
-            const body = req.body || {};
-            // Combine all input sources
-            const inputs = [
-                path,
-                JSON.stringify(query),
-                JSON.stringify(body),
-            ].join(" ");
-            return xssPatterns.some((pattern) => pattern.test(inputs));
-        }
-        catch (error) {
-            console.error(`Error checking XSS patterns: ${error}`);
-            return false;
-        }
-    }
-    /**
-     * Clean up expired rate limiting data (call periodically)
-     */
-    cleanupRateLimitingData() {
-        if (!this.slidingWindowLimiter) {
-            return;
-        }
-        const now = Date.now();
-        const windowMs = 60000; // 1 minute
-        for (const [clientIp, clientData,] of this.slidingWindowLimiter.entries()) {
-            // Remove expired requests
-            clientData.requests = clientData.requests.filter((timestamp) => now - timestamp < windowMs);
-            // Remove expired blocks
-            if (clientData.blocked &&
-                clientData.blockExpiry &&
-                now >= clientData.blockExpiry) {
-                clientData.blocked = false;
-                delete clientData.blockExpiry;
-            }
-            // Remove empty entries
-            if (clientData.requests.length === 0 && !clientData.blocked) {
-                this.slidingWindowLimiter.delete(clientIp);
-            }
-        }
-    }
-    /**
-     * Get rate limiting statistics
-     */
-    getRateLimitingStats() {
-        if (!this.slidingWindowLimiter) {
-            return { totalClients: 0, blockedClients: 0, totalRequests: 0 };
-        }
-        let blockedClients = 0;
-        let totalRequests = 0;
-        for (const clientData of this.slidingWindowLimiter.values()) {
-            if (clientData.blocked) {
-                blockedClients++;
-            }
-            totalRequests += clientData.requests.length;
-        }
-        return {
-            totalClients: this.slidingWindowLimiter.size,
-            blockedClients,
-            totalRequests,
-        };
-    }
-    // ===== SECURITY HELPER METHODS =====
-    /**
-     * Initialize security patterns from configuration
-     */
-    initializeSecurityPatterns(patterns) {
-        try {
-            // Initialize custom SQL injection patterns
-            if (patterns.sqlInjection) {
-                sqlPatterns.push(...patterns.sqlInjection.map((p) => new RegExp(p, "i")));
-            }
-            // Initialize custom XSS patterns
-            if (patterns.xss) {
-                xssPatterns.push(...patterns.xss.map((p) => new RegExp(p, "i")));
-            }
-            console.debug("Security patterns initialized successfully");
-        }
-        catch (error) {
-            console.error("Error initializing security patterns:", error);
-        }
-    }
-    /**
-     * Setup rate limiting configuration
-     */
-    setupRateLimitingConfig(config) {
-        try {
-            if (config.maxAttempts && config.windowMs) {
-                this.rateLimiter = {
-                    isAllowed: (key) => true, // Fallback always allows
-                    recordAttempt: (key) => { },
-                    reset: (key) => { },
-                };
-            }
-            console.debug("Rate limiting configuration setup completed");
-        }
-        catch (error) {
-            console.error("Error setting up rate limiting config:", error);
-        }
-    }
-    /**
-     * Framework-level authentication provider initialization
-     * Note: Users should implement their own authentication providers
-     */
-    async initializeAuthProviders(providers) {
-        try {
-            // Framework-level initialization only
-            // Users should override this method to implement their own authentication providers
-            console.warn(`SecurityPlugin.initializeAuthProviders called but not implemented. ` +
-                `Users should implement their own authentication providers for: ${Object.keys(providers).join(", ")}`);
-            console.debug("Authentication provider framework initialized");
-        }
-        catch (error) {
-            console.error("Error initializing auth provider framework:", error);
-        }
-    }
-    /**
-     * Setup security monitoring
-     */
-    setupSecurityMonitoring(context) {
-        try {
-            // Setup audit logging
-            if (context.config.enableAuditLogging) {
-                console.debug("Security monitoring and audit logging enabled");
-            }
-            // Setup threat detection monitoring
-            console.debug("Security monitoring setup completed");
-        }
-        catch (error) {
-            console.error("Error setting up security monitoring:", error);
-        }
-    }
-    /**
-     * Calculate security score based on security results
-     */
-    calculateSecurityScore(results) {
-        try {
-            let score = 100;
-            // Deduct points for each threat
-            score -= results.threats.length * 20;
-            // Deduct points for failed checks
-            if (!results.inputValidation)
-                score -= 15;
-            if (!results.rateLimitCheck)
-                score -= 25;
-            if (!results.threatDetection)
-                score -= 30;
-            // Bonus points for authentication
-            if (results.authenticationStatus)
-                score += 10;
-            return Math.max(0, Math.min(100, score));
-        }
-        catch (error) {
-            console.error("Error calculating security score:", error);
-            return 0;
-        }
-    }
-    /**
-     * Generate security recommendations
-     */
-    generateSecurityRecommendations(results) {
-        const recommendations = [];
-        try {
-            if (!results.inputValidation) {
-                recommendations.push("Implement stricter input validation");
-                recommendations.push("Consider using input sanitization libraries");
-            }
-            if (!results.rateLimitCheck) {
-                recommendations.push("Review and adjust rate limiting thresholds");
-                recommendations.push("Consider implementing progressive rate limiting");
-            }
-            if (!results.threatDetection) {
-                recommendations.push("Enhance threat detection patterns");
-                recommendations.push("Consider implementing behavioral analysis");
-            }
-            if (!results.authenticationStatus) {
-                recommendations.push("Implement proper authentication mechanisms");
-                recommendations.push("Consider multi-factor authentication");
-            }
-            if (results.securityScore < 70) {
-                recommendations.push("Overall security posture needs improvement");
-                recommendations.push("Consider security audit and penetration testing");
-            }
-            return recommendations;
-        }
-        catch (error) {
-            console.error("Error generating security recommendations:", error);
-            return ["Error generating recommendations"];
-        }
-    }
-}
-
-exports.SecurityPlugin = SecurityPlugin;
-//# sourceMappingURL=SecurityPlugin.js.map