xypriss 2.2.5 → 2.3.0

package/dist/esm/src/middleware/built-in/BuiltInMiddleware.js

@@ -0,0 +1,318 @@
+import helmet from 'helmet';
+import cors from 'cors';
+import rateLimit from 'express-rate-limit';
+import compression from 'compression';
+import hpp from 'hpp';
+import mongoSanitize from 'express-mongo-sanitize';
+import xss from 'xss';
+import morgan from 'morgan';
+import slowDown from 'express-slow-down';
+import ExpressBrute from 'express-brute';
+import multer from 'multer';
+import { doubleCsrf } from 'csrf-csrf';
+
+/**
+ * XyPriss Built-in Middleware
+ * Wrappers around popular middleware libraries
+ */
+class BuiltInMiddleware {
+    /**
+     * Get Helmet middleware for security headers
+     */
+    static helmet(options = {}) {
+        const defaultOptions = {
+            contentSecurityPolicy: {
+                directives: {
+                    defaultSrc: ["'self'"],
+                    scriptSrc: ["'self'"],
+                    styleSrc: ["'self'", "'unsafe-inline'"],
+                    imgSrc: ["'self'", "data:"],
+                    fontSrc: ["'self'"],
+                },
+            },
+            crossOriginEmbedderPolicy: true,
+            crossOriginOpenerPolicy: true,
+            crossOriginResourcePolicy: { policy: "same-origin" },
+            dnsPrefetchControl: { allow: false },
+            frameguard: { action: "deny" },
+            hidePoweredBy: true,
+            hsts: {
+                maxAge: 31536000,
+                includeSubDomains: true,
+                preload: false,
+            },
+            ieNoOpen: true,
+            noSniff: true,
+            originAgentCluster: true,
+            permittedCrossDomainPolicies: false,
+            referrerPolicy: { policy: "strict-origin-when-cross-origin" },
+            xssFilter: true,
+        };
+        const config = { ...defaultOptions, ...options };
+        return helmet(config);
+    }
+    /**
+     * Get CORS middleware
+     *
+     * By default, allows all headers to be developer-friendly.
+     * Developers can restrict headers via config if needed for production.
+     */
+    static cors(options = {}) {
+        const defaultOptions = {
+            origin: true,
+            methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"],
+            // Allow all headers by default - developers can restrict via config
+            // This prevents CORS issues during development
+            credentials: false,
+            maxAge: 86400, // 24 hours
+        };
+        const config = { ...defaultOptions, ...options };
+        return cors(config);
+    }
+    /**
+     * Get Rate Limiting middleware
+     */
+    static rateLimit(options = {}) {
+        const defaultOptions = {
+            windowMs: 15 * 60 * 1000, // 15 minutes
+            max: 100, // limit each IP to 100 requests per windowMs
+            message: {
+                error: "Too many requests from this IP, please try again later.",
+                retryAfter: "Please try again later.",
+            },
+            standardHeaders: true,
+            legacyHeaders: false,
+            handler: (req, res, next, options) => {
+                const message = options?.message;
+                if (typeof message === 'string') {
+                    res.status(429).json({
+                        error: "Rate limit exceeded",
+                        message: message,
+                        retryAfter: Math.ceil((options?.windowMs || 60000) / 1000) || 900,
+                    });
+                }
+                else if (typeof message === 'object' && message !== null) {
+                    res.status(429).json({
+                        ...message,
+                        retryAfter: Math.ceil((options?.windowMs || 60000) / 1000) || 900,
+                    });
+                }
+                else {
+                    res.status(429).json({
+                        error: "Too many requests",
+                        message: "Rate limit exceeded. Please try again later.",
+                        retryAfter: Math.ceil((options?.windowMs || 60000) / 1000) || 900,
+                    });
+                }
+            },
+        };
+        const config = { ...defaultOptions, ...options };
+        return rateLimit(config);
+    }
+    /**
+     * Get Compression middleware
+     */
+    static compression(options = {}) {
+        const defaultOptions = {
+            level: 6,
+            threshold: 1024, // Only compress responses >= 1KB
+            filter: (req, res) => {
+                // Don't compress responses with this request header
+                if (req.headers["x-no-compression"]) {
+                    return false;
+                }
+                // Fallback to standard filter function
+                return compression.filter(req, res);
+            },
+        };
+        const config = { ...defaultOptions, ...options };
+        return compression(config);
+    }
+    /**
+     * CSRF protection middleware using csrf-csrf library
+     */
+    static csrf(options = {
+        getSecret: () => "e6ac40fffc5e9399eab10f5b84fcba2c923e7f74a73b76b56c11b722671eea5e",
+        getSessionIdentifier: (req) => req.session.id,
+    }) {
+        const defaultOptions = {
+            cookieName: "__Host-psifi.x-csrf-token",
+            cookieOptions: {
+                httpOnly: true,
+                sameSite: "strict",
+                secure: process.env.NODE_ENV === "production",
+                maxAge: 3600000, // 1 hour
+            },
+            size: 64,
+            ignoredMethods: ["GET", "HEAD", "OPTIONS"],
+            getTokenFromRequest: (req) => {
+                return (req.headers["x-csrf-token"] ||
+                    req.body?._csrf ||
+                    req.query?._csrf);
+            },
+        };
+        const config = { ...defaultOptions, ...options };
+        const { doubleCsrfProtection } = doubleCsrf(config);
+        // Return the protection middleware
+        return doubleCsrfProtection;
+    }
+    /**
+     * Get HPP (HTTP Parameter Pollution) protection middleware
+     */
+    static hpp(options = {}) {
+        const defaultOptions = {
+            whitelist: ["tags", "categories"], // Allow arrays for these parameters
+        };
+        const config = { ...defaultOptions, ...options };
+        return hpp(config);
+    }
+    /**
+     * Get MongoDB injection protection middleware
+     */
+    static mongoSanitize(options = {}) {
+        const defaultOptions = {
+            replaceWith: "_",
+            onSanitize: (key, value) => {
+                console.warn(`[MongoSanitize] Sanitized key: ${key}, value: ${value}`);
+            },
+        };
+        const config = { ...defaultOptions, ...options };
+        return mongoSanitize(config);
+    }
+    /**
+     * Get XSS protection middleware
+     */
+    static xss(options = {}) {
+        const defaultOptions = {
+            whiteList: {
+                a: ["href", "title"],
+                b: [],
+                i: [],
+                strong: [],
+                em: [],
+            },
+        };
+        const config = { ...defaultOptions, ...options };
+        return (req, _res, next) => {
+            // Sanitize request body
+            if (req.body) {
+                req.body = this.sanitizeObject(req.body, config);
+            }
+            // Sanitize query parameters
+            if (req.query) {
+                req.query = this.sanitizeObject(req.query, config);
+            }
+            next();
+        };
+    }
+    /**
+     * Get Morgan logging middleware
+     */
+    static morgan(options = {}) {
+        const defaultFormat = options.format || "combined";
+        const defaultOptions = {
+            skip: (_req, res) => res.statusCode < 400, // Only log errors by default
+            stream: process.stdout,
+        };
+        const config = { ...defaultOptions, ...options };
+        return morgan(defaultFormat, config);
+    }
+    /**
+     * Get Slow Down middleware for progressive delays
+     */
+    static slowDown(options = {}) {
+        const defaultOptions = {
+            windowMs: 15 * 60 * 1000, // 15 minutes
+            delayAfter: 2, // Allow 2 requests per windowMs without delay
+            delayMs: 500, // Add 500ms delay per request after delayAfter
+            maxDelayMs: 20000, // Maximum delay of 20 seconds
+            skipFailedRequests: false,
+            skipSuccessfulRequests: false,
+        };
+        const config = { ...defaultOptions, ...options };
+        return slowDown(config);
+    }
+    /**
+     * Get Express Brute middleware for brute force protection
+     */
+    static brute(options = {
+        prefix: "nehonix.xypriss.brute",
+    }) {
+        const store = new ExpressBrute.MemoryStore();
+        const defaultOptions = {
+            freeRetries: 2,
+            minWait: 5 * 60 * 1000, // 5 minutes
+            maxWait: 60 * 60 * 1000, // 1 hour
+            lifetime: 24 * 60 * 60, // 1 day (in seconds)
+            failCallback: (_req, res, _next, nextValidRequestDate) => {
+                res.status(429).json({
+                    error: "Too many failed attempts",
+                    message: "Account temporarily locked due to too many failed attempts",
+                    nextValidRequestDate: nextValidRequestDate,
+                });
+            },
+        };
+        const config = { ...defaultOptions, ...options };
+        const bruteforce = new ExpressBrute(store, config);
+        return bruteforce.prevent;
+    }
+    /**
+     * Get Multer middleware for file uploads
+     */
+    static multer(options = {}) {
+        const defaultOptions = {
+            limits: {
+                fileSize: 5 * 1024 * 1024, // 5MB limit
+                files: 5, // Maximum 5 files
+            },
+            fileFilter: (_req, file, cb) => {
+                // Allow only specific file types
+                const allowedTypes = /jpeg|jpg|png|gif|pdf|doc|docx/;
+                const extname = allowedTypes.test(file.originalname.toLowerCase());
+                const mimetype = allowedTypes.test(file.mimetype);
+                if (mimetype && extname) {
+                    return cb(null, true);
+                }
+                else {
+                    cb(new Error("Invalid file type. Only images and documents are allowed."));
+                }
+            },
+        };
+        const config = { ...defaultOptions, ...options };
+        return multer(config);
+    }
+    /**
+     * Get all default security middleware
+     */
+    static security(options = {}) {
+        return {
+            helmet: this.helmet(options.helmet),
+            cors: this.cors(options.cors),
+            rateLimit: this.rateLimit(options.rateLimit),
+            compression: this.compression(options.compression),
+            csrf: this.csrf(options.csrf),
+        };
+    }
+    // Helper method for XSS sanitization
+    static sanitizeObject(obj, config) {
+        if (typeof obj === "string") {
+            return xss(obj, config);
+        }
+        else if (Array.isArray(obj)) {
+            return obj.map((item) => this.sanitizeObject(item, config));
+        }
+        else if (obj && typeof obj === "object") {
+            const sanitized = {};
+            for (const key in obj) {
+                if (obj.hasOwnProperty(key)) {
+                    sanitized[key] = this.sanitizeObject(obj[key], config);
+                }
+            }
+            return sanitized;
+        }
+        return obj;
+    }
+}
+
+export { BuiltInMiddleware };
+//# sourceMappingURL=BuiltInMiddleware.js.map

package/dist/esm/src/middleware/built-in/BuiltInMiddleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"BuiltInMiddleware.js","sources":["../../../../../src/middleware/built-in/BuiltInMiddleware.ts"],"sourcesContent":[null],"names":[],"mappings":";;;;;;;;;;;;;AAAA;;;AAGG;MAgCU,iBAAiB,CAAA;AAC1B;;AAEG;AACH,IAAA,OAAO,MAAM,CAAC,OAAA,GAAwC,EAAE,EAAA;AACpD,QAAA,MAAM,cAAc,GAAiC;AACjD,YAAA,qBAAqB,EAAE;AACnB,gBAAA,UAAU,EAAE;oBACR,UAAU,EAAE,CAAC,QAAQ,CAAC;oBACtB,SAAS,EAAE,CAAC,QAAQ,CAAC;AACrB,oBAAA,QAAQ,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;AACvC,oBAAA,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC;oBAC3B,OAAO,EAAE,CAAC,QAAQ,CAAC;AACtB,iBAAA;AACJ,aAAA;AACD,YAAA,yBAAyB,EAAE,IAAI;AAC/B,YAAA,uBAAuB,EAAE,IAAI;AAC7B,YAAA,yBAAyB,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE;AACpD,YAAA,kBAAkB,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE;AACpC,YAAA,UAAU,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;AAC9B,YAAA,aAAa,EAAE,IAAI;AACnB,YAAA,IAAI,EAAE;AACF,gBAAA,MAAM,EAAE,QAAQ;AAChB,gBAAA,iBAAiB,EAAE,IAAI;AACvB,gBAAA,OAAO,EAAE,KAAK;AACjB,aAAA;AACD,YAAA,QAAQ,EAAE,IAAI;AACd,YAAA,OAAO,EAAE,IAAI;AACb,YAAA,kBAAkB,EAAE,IAAI;AACxB,YAAA,4BAA4B,EAAE,KAAK;AACnC,YAAA,cAAc,EAAE,EAAE,MAAM,EAAE,iCAAiC,EAAE;AAC7D,YAAA,SAAS,EAAE,IAAI;SAClB,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;AACjD,QAAA,OAAO,MAAM,CAAC,MAAa,CAAC,CAAC;KAChC;AAED;;;;;AAKG;AACH,IAAA,OAAO,IAAI,CAAC,OAAA,GAAsC,EAAE,EAAA;AAChD,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,MAAM,EAAE,IAAI;AACZ,YAAA,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC;;;AAG1D,YAAA,WAAW,EAAE,KAAK;YAClB,MAAM,EAAE,KAAK;SAChB,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;AACjD,QAAA,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;KACvB;AAED;;AAEG;AACH,IAAA,OAAO,SAAS,CAAC,OAAA,GAA2C,EAAE,EAAA;AAC1D,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;YACxB,GAAG,EAAE,GAAG;AACR,YAAA,OAAO,EAAE;AACL,gBAAA,KAAK,EAAE,yDAAyD;AAChE,gBAAA,UAAU,EAAE,yBAAyB;AACxC,aAAA;AACD,YAAA,eAAe,EAAE,IAAI;AACrB,YAAA,aAAa,EAAE,KAAK;YACpB,OAAO,EAAE,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAE,OAAY,KAAI;AACrD,gBAAA,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,CAAC;AACjC,gBAAA,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE;AAC7B,oBAAA,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;AACjB,wBAAA,KAAK,EAAE,qBAAqB;AAC5B,wBAAA,OAAO,EAAE,OAAO;AAChB,wBAAA,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,IAAI,KAAK,IAAI,IAAI,CAAC,IAAI,GAAG;AACpE,qBAAA,CAAC,CAAC;iBACN;qBAAM,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE;AACxD,oBAAA,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;AACjB,wBAAA,GAAG,OAAO;AACV,wBAAA,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,IAAI,KAAK,IAAI,IAAI,CAAC,IAAI,GAAG;AACpE,qBAAA,CAAC,CAAC;iBACN;qBAAM;AACH,oBAAA,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;AACjB,wBAAA,KAAK,EAAE,mBAAmB;AAC1B,wBAAA,OAAO,EAAE,8CAA8C;AACvD,wBAAA,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,IAAI,KAAK,IAAI,IAAI,CAAC,IAAI,GAAG;AACpE,qBAAA,CAAC,CAAC;iBACN;aACJ;SACJ,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;AACjD,QAAA,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC;KAC5B;AAED;;AAEG;AACH,IAAA,OAAO,WAAW,CAAC,OAAA,GAA6C,EAAE,EAAA;AAC9D,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,KAAK,EAAE,CAAC;YACR,SAAS,EAAE,IAAI;AACf,YAAA,MAAM,EAAE,CAAC,GAAQ,EAAE,GAAQ,KAAI;;AAE3B,gBAAA,IAAI,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE;AACjC,oBAAA,OAAO,KAAK,CAAC;iBAChB;;gBAGD,OAAO,WAAW,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;aACvC;SACJ,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;AACjD,QAAA,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;KAC9B;AAED;;AAEG;IACH,OAAO,IAAI,CACP,OAA4C,GAAA;AACxC,QAAA,SAAS,EAAE,MACP,kEAAkE;QACtE,oBAAoB,EAAE,CAAC,GAAQ,KAAK,GAAG,CAAC,OAAO,CAAC,EAAE;AACrD,KAAA,EAAA;AAED,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,UAAU,EAAE,2BAA2B;AACvC,YAAA,aAAa,EAAE;AACX,gBAAA,QAAQ,EAAE,IAAI;AACd,gBAAA,QAAQ,EAAE,QAAQ;AAClB,gBAAA,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;gBAC7C,MAAM,EAAE,OAAO;AAClB,aAAA;AACD,YAAA,IAAI,EAAE,EAAE;AACR,YAAA,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;AAC1C,YAAA,mBAAmB,EAAE,CAAC,GAAQ,KAAI;AAC9B,gBAAA,QACI,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;oBAC3B,GAAG,CAAC,IAAI,EAAE,KAAK;AACf,oBAAA,GAAG,CAAC,KAAK,EAAE,KAAK,EAClB;aACL;SACJ,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;QAEjD,MAAM,EAAE,oBAAoB,EAAE,GAAG,UAAU,CAAC,MAAa,CAAC,CAAC;;AAG3D,QAAA,OAAO,oBAAoB,CAAC;KAC/B;AAED;;AAEG;AACH,IAAA,OAAO,GAAG,CAAC,OAAA,GAAqC,EAAE,EAAA;AAC9C,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,CAAC;SACpC,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;AACjD,QAAA,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC;KACtB;AAED;;AAEG;AACH,IAAA,OAAO,aAAa,CAAC,OAAA,GAA+C,EAAE,EAAA;AAClE,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,WAAW,EAAE,GAAG;AAChB,YAAA,UAAU,EAAE,CAAC,GAAW,EAAE,KAAU,KAAI;gBACpC,OAAO,CAAC,IAAI,CACR,CAAA,+BAAA,EAAkC,GAAG,CAAY,SAAA,EAAA,KAAK,CAAE,CAAA,CAC3D,CAAC;aACL;SACJ,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;AACjD,QAAA,OAAO,aAAa,CAAC,MAAa,CAAC,CAAC;KACvC;AAED;;AAEG;AACH,IAAA,OAAO,GAAG,CAAC,OAAA,GAAe,EAAE,EAAA;AACxB,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,SAAS,EAAE;AACP,gBAAA,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;AACpB,gBAAA,CAAC,EAAE,EAAE;AACL,gBAAA,CAAC,EAAE,EAAE;AACL,gBAAA,MAAM,EAAE,EAAE;AACV,gBAAA,EAAE,EAAE,EAAE;AACT,aAAA;SACJ,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;AAEjD,QAAA,OAAO,CAAC,GAAQ,EAAE,IAAS,EAAE,IAAS,KAAI;;AAEtC,YAAA,IAAI,GAAG,CAAC,IAAI,EAAE;AACV,gBAAA,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;aACpD;;AAGD,YAAA,IAAI,GAAG,CAAC,KAAK,EAAE;AACX,gBAAA,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;aACtD;AAED,YAAA,IAAI,EAAE,CAAC;AACX,SAAC,CAAC;KACL;AAED;;AAEG;AACH,IAAA,OAAO,MAAM,CAAC,OAAA,GAAwC,EAAE,EAAA;AACpD,QAAA,MAAM,aAAa,GAAI,OAAe,CAAC,MAAM,IAAI,UAAU,CAAC;AAC5D,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,IAAI,EAAE,CAAC,IAAS,EAAE,GAAQ,KAAK,GAAG,CAAC,UAAU,GAAG,GAAG;YACnD,MAAM,EAAE,OAAO,CAAC,MAAM;SACzB,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;AACjD,QAAA,OAAO,MAAM,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;KACxC;AAED;;AAEG;AACH,IAAA,OAAO,QAAQ,CAAC,OAAA,GAA0C,EAAE,EAAA;AACxD,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;YACxB,UAAU,EAAE,CAAC;YACb,OAAO,EAAE,GAAG;YACZ,UAAU,EAAE,KAAK;AACjB,YAAA,kBAAkB,EAAE,KAAK;AACzB,YAAA,sBAAsB,EAAE,KAAK;SAChC,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;AACjD,QAAA,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC;KAC3B;AAED;;AAEG;IACH,OAAO,KAAK,CACR,OAAqE,GAAA;AACjE,QAAA,MAAM,EAAE,uBAAuB;AAClC,KAAA,EAAA;AAED,QAAA,MAAM,KAAK,GAAG,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC;AAC7C,QAAA,MAAM,cAAc,GAAkD;AAClE,YAAA,WAAW,EAAE,CAAC;AACd,YAAA,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,IAAI;AACtB,YAAA,OAAO,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;AACvB,YAAA,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE;YACtB,YAAY,EAAE,CACV,IAAS,EACT,GAAQ,EACR,KAAU,EACV,oBAA0B,KAC1B;AACA,gBAAA,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;AACjB,oBAAA,KAAK,EAAE,0BAA0B;AACjC,oBAAA,OAAO,EACH,4DAA4D;AAChE,oBAAA,oBAAoB,EAAE,oBAAoB;AAC7C,iBAAA,CAAC,CAAC;aACN;SACJ,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;QACjD,MAAM,UAAU,GAAG,IAAI,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAEnD,OAAO,UAAU,CAAC,OAAO,CAAC;KAC7B;AAED;;AAEG;AACH,IAAA,OAAO,MAAM,CAAC,OAAA,GAAwC,EAAE,EAAA;AACpD,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,MAAM,EAAE;AACJ,gBAAA,QAAQ,EAAE,CAAC,GAAG,IAAI,GAAG,IAAI;gBACzB,KAAK,EAAE,CAAC;AACX,aAAA;YACD,UAAU,EAAE,CAAC,IAAS,EAAE,IAAS,EAAE,EAAO,KAAI;;gBAE1C,MAAM,YAAY,GAAG,+BAA+B,CAAC;AACrD,gBAAA,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAC7B,IAAI,CAAC,YAAY,CAAC,WAAW,EAAE,CAClC,CAAC;gBACF,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAElD,gBAAA,IAAI,QAAQ,IAAI,OAAO,EAAE;AACrB,oBAAA,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;iBACzB;qBAAM;AACH,oBAAA,EAAE,CACE,IAAI,KAAK,CACL,2DAA2D,CAC9D,CACJ,CAAC;iBACL;aACJ;SACJ,CAAC;QAEF,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;AACjD,QAAA,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC;KACzB;AAED;;AAEG;AACH,IAAA,OAAO,QAAQ,CAAC,OAAA,GAAmC,EAAE,EAAA;QACjD,OAAO;YACH,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;YACnC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;YAC7B,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC;YAC5C,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,WAAW,CAAC;YAClD,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;SAChC,CAAC;KACL;;AAGO,IAAA,OAAO,cAAc,CAAC,GAAQ,EAAE,MAAW,EAAA;AAC/C,QAAA,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE;AACzB,YAAA,OAAO,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;SAC3B;AAAM,aAAA,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;AAC3B,YAAA,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;SAC/D;AAAM,aAAA,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE;YACvC,MAAM,SAAS,GAAQ,EAAE,CAAC;AAC1B,YAAA,KAAK,MAAM,GAAG,IAAI,GAAG,EAAE;AACnB,gBAAA,IAAI,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE;AACzB,oBAAA,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;iBAC1D;aACJ;AACD,YAAA,OAAO,SAAS,CAAC;SACpB;AACD,QAAA,OAAO,GAAG,CAAC;KACd;AACJ;;;;"}

package/dist/esm/src/middleware/built-in/security/CommandInjectionDetector.js

@@ -0,0 +1,213 @@
+/**
+ * Command Injection Detection Module
+ *
+ * Detects and prevents OS command injection attacks with
+ * intelligent context-aware false positive reduction
+ */
+class CommandInjectionDetector {
+    constructor(config = {}) {
+        // High-risk command injection patterns
+        this.highRiskPatterns = [
+            // Command chaining
+            /[;&|`]\s*(ls|cat|wget|curl|nc|netcat|bash|sh|cmd|powershell|eval|exec)/gi,
+            // Command substitution
+            /\$\(.*?\)/g,
+            /`.*?`/g,
+            // Pipe to dangerous commands
+            /\|\s*(bash|sh|cmd|powershell|python|perl|ruby|node)/gi,
+            // Redirection with dangerous commands
+            /[<>]\s*(\/etc\/|\/bin\/|C:\\)/gi,
+            // Encoded command injection
+            /%0a|%0d|%09/gi, // newline, carriage return, tab
+            // Dangerous system commands
+            /(rm\s+-rf|del\s+\/|format\s+|mkfs|dd\s+if=)/gi,
+            // Network commands
+            /(wget|curl|nc|netcat|telnet|ssh|ftp)\s+/gi,
+            // Eval/exec patterns
+            /(eval|exec|system|passthru|shell_exec|popen)\s*\(/gi,
+        ];
+        // Medium-risk patterns
+        this.mediumRiskPatterns = [
+            // Shell metacharacters
+            /[;&|`$()]/g,
+            // Redirection operators
+            /[<>]/g,
+            // Common command names (could be legitimate text)
+            /\b(ls|cat|echo|pwd|cd|mkdir|touch|grep|find|chmod|chown)\b/gi,
+        ];
+        this.config = {
+            enabled: config.enabled ?? true,
+            strictMode: config.strictMode ?? false,
+            logAttempts: config.logAttempts ?? true,
+            blockOnDetection: config.blockOnDetection ?? true,
+            falsePositiveThreshold: config.falsePositiveThreshold ?? 0.7,
+            customPatterns: config.customPatterns ?? [],
+            allowedCommands: config.allowedCommands ?? [],
+            contextualAnalysis: config.contextualAnalysis ?? true,
+        };
+    }
+    /**
+     * Detect command injection attempts
+     */
+    detect(input, context) {
+        if (!input || typeof input !== 'string') {
+            return {
+                isMalicious: false,
+                confidence: 0,
+                detectedPatterns: [],
+                riskLevel: 'LOW',
+            };
+        }
+        const result = {
+            isMalicious: false,
+            confidence: 0,
+            detectedPatterns: [],
+            sanitizedInput: input,
+            riskLevel: 'LOW',
+        };
+        // High-risk pattern detection
+        let highRiskScore = 0;
+        this.highRiskPatterns.forEach((pattern, index) => {
+            const matches = input.match(pattern);
+            if (matches) {
+                const patternName = this.getHighRiskPatternName(index);
+                result.detectedPatterns.push(`${patternName}: ${matches.join(', ')}`);
+                highRiskScore += this.getHighRiskWeight(index);
+            }
+        });
+        // Medium-risk pattern detection with context
+        let mediumRiskScore = 0;
+        if (this.config.contextualAnalysis && context) {
+            mediumRiskScore = this.analyzeContext(input, context);
+        }
+        else {
+            this.mediumRiskPatterns.forEach((pattern) => {
+                const matches = input.match(pattern);
+                if (matches) {
+                    mediumRiskScore += 0.1 * matches.length;
+                }
+            });
+        }
+        // Legitimacy checks
+        const legitimacyScore = this.calculateLegitimacyScore(input);
+        // Calculate final confidence
+        result.confidence = Math.max(0, highRiskScore + mediumRiskScore * 0.3 - legitimacyScore);
+        result.confidence = Math.min(result.confidence, 1.0);
+        // Determine risk level
+        if (result.confidence >= 0.9) {
+            result.riskLevel = 'CRITICAL';
+            result.isMalicious = true;
+        }
+        else if (result.confidence >= this.config.falsePositiveThreshold) {
+            result.riskLevel = 'HIGH';
+            result.isMalicious = true;
+        }
+        else if (result.confidence >= 0.4) {
+            result.riskLevel = 'MEDIUM';
+            result.isMalicious = false;
+        }
+        // Sanitize input
+        if (result.confidence >= 0.4) {
+            result.sanitizedInput = this.sanitizeInput(input);
+        }
+        // Log attempts
+        if (this.config.logAttempts && result.confidence >= 0.7) {
+            this.logAttempt(input, result);
+        }
+        return result;
+    }
+    /**
+     * Sanitize input by removing command injection sequences
+     */
+    sanitizeInput(input) {
+        let sanitized = input;
+        // Remove command chaining characters
+        sanitized = sanitized.replace(/[;&|`]/g, '');
+        // Remove command substitution
+        sanitized = sanitized.replace(/\$\(.*?\)/g, '');
+        // Remove backticks
+        sanitized = sanitized.replace(/`/g, '');
+        // Remove redirection operators
+        sanitized = sanitized.replace(/[<>]/g, '');
+        // Remove encoded newlines/tabs
+        sanitized = sanitized.replace(/%0a|%0d|%09/gi, '');
+        return sanitized.trim();
+    }
+    /**
+     * Analyze context to reduce false positives
+     */
+    analyzeContext(input, context) {
+        let score = 0;
+        // Check if this is a code/technical field where commands might be legitimate
+        const technicalContexts = ['code', 'script', 'command', 'terminal', 'shell'];
+        const isTechnicalContext = technicalContexts.some(ctx => context.fieldName?.toLowerCase().includes(ctx) ||
+            context.fieldType?.toLowerCase().includes(ctx));
+        this.mediumRiskPatterns.forEach((pattern, index) => {
+            const matches = input.match(pattern);
+            if (matches) {
+                let patternScore = 0.1 * matches.length;
+                // Reduce score for technical contexts
+                if (isTechnicalContext && index > 1) {
+                    patternScore *= 0.2; // Reduce by 80% for command names in technical fields
+                }
+                score += patternScore;
+            }
+        });
+        return score;
+    }
+    /**
+     * Calculate legitimacy score
+     */
+    calculateLegitimacyScore(input) {
+        let score = 0;
+        // Natural language indicators
+        const words = input.split(/\s+/);
+        if (words.length > 3 && words.every(w => /^[a-zA-Z]+$/.test(w))) {
+            score += 0.3; // Looks like natural text
+        }
+        // No shell metacharacters
+        if (!/[;&|`$()<>]/.test(input)) {
+            score += 0.2;
+        }
+        // Reasonable length for user input
+        if (input.length > 10 && input.length < 200) {
+            score += 0.1;
+        }
+        return Math.min(score, 0.5);
+    }
+    getHighRiskPatternName(index) {
+        const names = [
+            'Command chaining',
+            'Command substitution ($())',
+            'Backtick substitution',
+            'Pipe to shell',
+            'Redirection to system paths',
+            'Encoded injection',
+            'Dangerous system commands',
+            'Network commands',
+            'Eval/exec functions',
+        ];
+        return names[index] || `High-risk pattern ${index}`;
+    }
+    getHighRiskWeight(index) {
+        const weights = [0.9, 0.9, 0.9, 0.8, 0.7, 0.6, 0.9, 0.7, 0.9];
+        return weights[index] || 0.7;
+    }
+    logAttempt(input, result) {
+        console.warn('[CommandInjection] Attack detected:', {
+            timestamp: new Date().toISOString(),
+            input: input.substring(0, 100),
+            confidence: result.confidence,
+            patterns: result.detectedPatterns,
+        });
+    }
+    updateConfig(newConfig) {
+        this.config = { ...this.config, ...newConfig };
+    }
+    getConfig() {
+        return { ...this.config };
+    }
+}
+
+export { CommandInjectionDetector as default };
+//# sourceMappingURL=CommandInjectionDetector.js.map

package/dist/esm/src/middleware/built-in/security/CommandInjectionDetector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"CommandInjectionDetector.js","sources":["../../../../../../src/middleware/built-in/security/CommandInjectionDetector.ts"],"sourcesContent":[null],"names":[],"mappings":"AAAA;;;;;AAKG;AASH,MAAM,wBAAwB,CAAA;AA2C1B,IAAA,WAAA,CAAY,SAAiC,EAAE,EAAA;;AAvC9B,QAAA,IAAA,CAAA,gBAAgB,GAAG;;YAEhC,0EAA0E;;YAG1E,YAAY;YACZ,QAAQ;;YAGR,uDAAuD;;YAGvD,iCAAiC;;AAGjC,YAAA,eAAe;;YAGf,+CAA+C;;YAG/C,2CAA2C;;YAG3C,qDAAqD;SACxD,CAAC;;AAGe,QAAA,IAAA,CAAA,kBAAkB,GAAG;;YAElC,YAAY;;YAGZ,OAAO;;YAGP,8DAA8D;SACjE,CAAC;QAGE,IAAI,CAAC,MAAM,GAAG;AACV,YAAA,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,IAAI;AAC/B,YAAA,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,KAAK;AACtC,YAAA,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,IAAI;AACvC,YAAA,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,IAAI;AACjD,YAAA,sBAAsB,EAAE,MAAM,CAAC,sBAAsB,IAAI,GAAG;AAC5D,YAAA,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,EAAE;AAC3C,YAAA,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,EAAE;AAC7C,YAAA,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,IAAI;SACxD,CAAC;KACL;AAED;;AAEG;IACH,MAAM,CAAC,KAAgC,EAAE,OAAqB,EAAA;QAC1D,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;YACrC,OAAO;AACH,gBAAA,WAAW,EAAE,KAAK;AAClB,gBAAA,UAAU,EAAE,CAAC;AACb,gBAAA,gBAAgB,EAAE,EAAE;AACpB,gBAAA,SAAS,EAAE,KAAK;aACnB,CAAC;SACL;AAED,QAAA,MAAM,MAAM,GAA4B;AACpC,YAAA,WAAW,EAAE,KAAK;AAClB,YAAA,UAAU,EAAE,CAAC;AACb,YAAA,gBAAgB,EAAE,EAAE;AACpB,YAAA,cAAc,EAAE,KAAK;AACrB,YAAA,SAAS,EAAE,KAAK;SACnB,CAAC;;QAGF,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,KAAK,KAAI;YAC7C,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACrC,IAAI,OAAO,EAAE;gBACT,MAAM,WAAW,GAAG,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC;AACvD,gBAAA,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,WAAW,CAAA,EAAA,EAAK,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA,CAAE,CAAC,CAAC;AACtE,gBAAA,aAAa,IAAI,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;aAClD;AACL,SAAC,CAAC,CAAC;;QAGH,IAAI,eAAe,GAAG,CAAC,CAAC;QACxB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,IAAI,OAAO,EAAE;YAC3C,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;SACzD;aAAM;YACH,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,OAAO,KAAI;gBACxC,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBACrC,IAAI,OAAO,EAAE;AACT,oBAAA,eAAe,IAAI,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;iBAC3C;AACL,aAAC,CAAC,CAAC;SACN;;QAGD,MAAM,eAAe,GAAG,IAAI,CAAC,wBAAwB,CAAC,KAAK,CAAC,CAAC;;AAG7D,QAAA,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,aAAa,GAAG,eAAe,GAAG,GAAG,GAAG,eAAe,CAAC,CAAC;AACzF,QAAA,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;;AAGrD,QAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AAC1B,YAAA,MAAM,CAAC,SAAS,GAAG,UAAU,CAAC;AAC9B,YAAA,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC;SAC7B;aAAM,IAAI,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE;AAChE,YAAA,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC;AAC1B,YAAA,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC;SAC7B;AAAM,aAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AACjC,YAAA,MAAM,CAAC,SAAS,GAAG,QAAQ,CAAC;AAC5B,YAAA,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;SAC9B;;AAGD,QAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;YAC1B,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;SACrD;;AAGD,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AACrD,YAAA,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;SAClC;AAED,QAAA,OAAO,MAAM,CAAC;KACjB;AAED;;AAEG;AACK,IAAA,aAAa,CAAC,KAAa,EAAA;QAC/B,IAAI,SAAS,GAAG,KAAK,CAAC;;QAGtB,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;;QAG7C,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;;QAGhD,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;;QAGxC,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;;QAG3C,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC;AAEnD,QAAA,OAAO,SAAS,CAAC,IAAI,EAAE,CAAC;KAC3B;AAED;;AAEG;IACK,cAAc,CAAC,KAAa,EAAE,OAAoB,EAAA;QACtD,IAAI,KAAK,GAAG,CAAC,CAAC;;AAGd,QAAA,MAAM,iBAAiB,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;QAC7E,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,IAAI,CAAC,GAAG,IACjD,OAAO,CAAC,SAAS,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC;YAC9C,OAAO,CAAC,SAAS,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CACjD,CAAC;QAEF,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,KAAK,KAAI;YAC/C,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACrC,IAAI,OAAO,EAAE;AACT,gBAAA,IAAI,YAAY,GAAG,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;;AAGxC,gBAAA,IAAI,kBAAkB,IAAI,KAAK,GAAG,CAAC,EAAE;AACjC,oBAAA,YAAY,IAAI,GAAG,CAAC;iBACvB;gBAED,KAAK,IAAI,YAAY,CAAC;aACzB;AACL,SAAC,CAAC,CAAC;AAEH,QAAA,OAAO,KAAK,CAAC;KAChB;AAED;;AAEG;AACK,IAAA,wBAAwB,CAAC,KAAa,EAAA;QAC1C,IAAI,KAAK,GAAG,CAAC,CAAC;;QAGd,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;AAC7D,YAAA,KAAK,IAAI,GAAG,CAAC;SAChB;;QAGD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE;YAC5B,KAAK,IAAI,GAAG,CAAC;SAChB;;AAGD,QAAA,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE;YACzC,KAAK,IAAI,GAAG,CAAC;SAChB;QAED,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;KAC/B;AAEO,IAAA,sBAAsB,CAAC,KAAa,EAAA;AACxC,QAAA,MAAM,KAAK,GAAG;YACV,kBAAkB;YAClB,4BAA4B;YAC5B,uBAAuB;YACvB,eAAe;YACf,6BAA6B;YAC7B,mBAAmB;YACnB,2BAA2B;YAC3B,kBAAkB;YAClB,qBAAqB;SACxB,CAAC;QACF,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAqB,kBAAA,EAAA,KAAK,EAAE,CAAC;KACvD;AAEO,IAAA,iBAAiB,CAAC,KAAa,EAAA;QACnC,MAAM,OAAO,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;AAC9D,QAAA,OAAO,OAAO,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC;KAChC;IAEO,UAAU,CAAC,KAAa,EAAE,MAA+B,EAAA;AAC7D,QAAA,OAAO,CAAC,IAAI,CAAC,qCAAqC,EAAE;AAChD,YAAA,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;YAC9B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,MAAM,CAAC,gBAAgB;AACpC,SAAA,CAAC,CAAC;KACN;AAED,IAAA,YAAY,CAAC,SAA0C,EAAA;AACnD,QAAA,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;KAClD;IAED,SAAS,GAAA;AACL,QAAA,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;KAC7B;AACJ;;;;"}

package/dist/esm/src/middleware/built-in/security/LDAPInjectionDetector.js

@@ -0,0 +1,94 @@
+/**
+ * LDAP Injection Detection Module
+ *
+ * Detects and prevents LDAP injection attacks
+ */
+class LDAPInjectionDetector {
+    constructor(config = {}) {
+        // LDAP injection patterns
+        this.injectionPatterns = [
+            // LDAP filter metacharacters
+            /[*()\\|&]/g,
+            // Null byte
+            /\x00/g,
+            // LDAP filter injection attempts
+            /\)\s*\(\s*\|/gi, // )( | pattern
+            /\)\s*\(\s*&/gi, // )( & pattern
+            // Wildcard abuse
+            /\*{2,}/g,
+            // DN injection
+            /,\s*(cn|ou|dc|o)=/gi,
+        ];
+        this.config = {
+            enabled: config.enabled ?? true,
+            strictMode: config.strictMode ?? false,
+            logAttempts: config.logAttempts ?? true,
+            blockOnDetection: config.blockOnDetection ?? true,
+            falsePositiveThreshold: config.falsePositiveThreshold ?? 0.6,
+            customPatterns: config.customPatterns ?? [],
+        };
+    }
+    detect(input) {
+        if (!input || typeof input !== 'string') {
+            return {
+                isMalicious: false,
+                confidence: 0,
+                detectedPatterns: [],
+                riskLevel: 'LOW',
+            };
+        }
+        const result = {
+            isMalicious: false,
+            confidence: 0,
+            detectedPatterns: [],
+            sanitizedInput: input,
+            riskLevel: 'LOW',
+        };
+        let riskScore = 0;
+        this.injectionPatterns.forEach((pattern, index) => {
+            const matches = input.match(pattern);
+            if (matches) {
+                result.detectedPatterns.push(`LDAP metacharacter: ${matches.join(', ')}`);
+                riskScore += 0.3 * matches.length;
+            }
+        });
+        result.confidence = Math.min(riskScore, 1.0);
+        if (result.confidence >= 0.7) {
+            result.riskLevel = 'HIGH';
+            result.isMalicious = true;
+        }
+        else if (result.confidence >= this.config.falsePositiveThreshold) {
+            result.riskLevel = 'MEDIUM';
+            result.isMalicious = this.config.strictMode;
+        }
+        if (result.confidence >= 0.3) {
+            result.sanitizedInput = this.sanitize(input);
+        }
+        if (this.config.logAttempts && result.confidence >= 0.6) {
+            console.warn('[LDAP] Injection attempt detected:', {
+                timestamp: new Date().toISOString(),
+                input: input.substring(0, 100),
+                confidence: result.confidence,
+            });
+        }
+        return result;
+    }
+    sanitize(input) {
+        // Escape LDAP special characters
+        return input
+            .replace(/\\/g, '\\5c')
+            .replace(/\*/g, '\\2a')
+            .replace(/\(/g, '\\28')
+            .replace(/\)/g, '\\29')
+            .replace(/\x00/g, '\\00');
+    }
+    updateConfig(newConfig) {
+        this.config = { ...this.config, ...newConfig };
+    }
+    getConfig() {
+        return { ...this.config };
+    }
+}
+
+export { LDAPInjectionDetector as default };
+//# sourceMappingURL=LDAPInjectionDetector.js.map

package/dist/esm/src/middleware/built-in/security/LDAPInjectionDetector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"LDAPInjectionDetector.js","sources":["../../../../../../src/middleware/built-in/security/LDAPInjectionDetector.ts"],"sourcesContent":[null],"names":[],"mappings":"AAAA;;;;AAIG;AAIH,MAAM,qBAAqB,CAAA;AAsBvB,IAAA,WAAA,CAAY,SAA+B,EAAE,EAAA;;AAlB5B,QAAA,IAAA,CAAA,iBAAiB,GAAG;;YAEjC,YAAY;;YAGZ,OAAO;;AAGP,YAAA,gBAAgB;AAChB,YAAA,eAAe;;YAGf,SAAS;;YAGT,qBAAqB;SACxB,CAAC;QAGE,IAAI,CAAC,MAAM,GAAG;AACV,YAAA,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,IAAI;AAC/B,YAAA,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,KAAK;AACtC,YAAA,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,IAAI;AACvC,YAAA,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,IAAI;AACjD,YAAA,sBAAsB,EAAE,MAAM,CAAC,sBAAsB,IAAI,GAAG;AAC5D,YAAA,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,EAAE;SAC9C,CAAC;KACL;AAED,IAAA,MAAM,CAAC,KAAgC,EAAA;QACnC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;YACrC,OAAO;AACH,gBAAA,WAAW,EAAE,KAAK;AAClB,gBAAA,UAAU,EAAE,CAAC;AACb,gBAAA,gBAAgB,EAAE,EAAE;AACpB,gBAAA,SAAS,EAAE,KAAK;aACnB,CAAC;SACL;AAED,QAAA,MAAM,MAAM,GAA4B;AACpC,YAAA,WAAW,EAAE,KAAK;AAClB,YAAA,UAAU,EAAE,CAAC;AACb,YAAA,gBAAgB,EAAE,EAAE;AACpB,YAAA,cAAc,EAAE,KAAK;AACrB,YAAA,SAAS,EAAE,KAAK;SACnB,CAAC;QAEF,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,KAAK,KAAI;YAC9C,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACrC,IAAI,OAAO,EAAE;AACT,gBAAA,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAuB,oBAAA,EAAA,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA,CAAE,CAAC,CAAC;AAC1E,gBAAA,SAAS,IAAI,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;aACrC;AACL,SAAC,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AAE7C,QAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AAC1B,YAAA,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC;AAC1B,YAAA,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC;SAC7B;aAAM,IAAI,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE;AAChE,YAAA,MAAM,CAAC,SAAS,GAAG,QAAQ,CAAC;YAC5B,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC;SAC/C;AAED,QAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;YAC1B,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;SAChD;AAED,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AACrD,YAAA,OAAO,CAAC,IAAI,CAAC,oCAAoC,EAAE;AAC/C,gBAAA,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,KAAK,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;gBAC9B,UAAU,EAAE,MAAM,CAAC,UAAU;AAChC,aAAA,CAAC,CAAC;SACN;AAED,QAAA,OAAO,MAAM,CAAC;KACjB;AAEO,IAAA,QAAQ,CAAC,KAAa,EAAA;;AAE1B,QAAA,OAAO,KAAK;AACP,aAAA,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC;AACtB,aAAA,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC;AACtB,aAAA,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC;AACtB,aAAA,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC;AACtB,aAAA,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;KACjC;AAED,IAAA,YAAY,CAAC,SAAwC,EAAA;AACjD,QAAA,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;KAClD;IAED,SAAS,GAAA;AACL,QAAA,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;KAC7B;AACJ;;;;"}