xypriss 2.2.6 → 2.3.1

package/dist/cjs/src/middleware/built-in/security/XXEProtector.js

@@ -0,0 +1,175 @@
+'use strict';
+
+/**
+ * XXE (XML External Entity) Protection Module
+ *
+ * Detects and prevents XXE attacks in XML parsing
+ * Uses libxmljs2 for secure XML parsing
+ */
+class XXEProtector {
+    constructor(config = {}) {
+        // Dangerous XXE patterns
+        this.dangerousPatterns = [
+            // External entity declarations
+            /<!ENTITY\s+\w+\s+SYSTEM\s+/gi,
+            /<!ENTITY\s+\w+\s+PUBLIC\s+/gi,
+            // Parameter entities
+            /<!ENTITY\s+%\s+\w+/gi,
+            // External DTD
+            /<!DOCTYPE\s+\w+\s+SYSTEM\s+/gi,
+            /<!DOCTYPE\s+\w+\s+PUBLIC\s+/gi,
+            // File protocol
+            /SYSTEM\s+["']file:\/\//gi,
+            // HTTP/HTTPS external resources
+            /SYSTEM\s+["'](https?|ftp):\/\//gi,
+            // PHP wrappers (common in XXE)
+            /php:\/\//gi,
+            /expect:\/\//gi,
+            // Data URIs
+            /data:\/\//gi,
+        ];
+        this.config = {
+            enabled: config.enabled ?? true,
+            strictMode: config.strictMode ?? true,
+            logAttempts: config.logAttempts ?? true,
+            blockOnDetection: config.blockOnDetection ?? true,
+            falsePositiveThreshold: config.falsePositiveThreshold ?? 0.5,
+            customPatterns: config.customPatterns ?? [],
+            allowDTD: config.allowDTD ?? false,
+            allowExternalEntities: config.allowExternalEntities ?? false,
+            maxEntityExpansions: config.maxEntityExpansions ?? 0,
+        };
+    }
+    /**
+     * Detect XXE attempts in XML content
+     */
+    detect(xmlContent) {
+        if (!xmlContent || typeof xmlContent !== 'string') {
+            return {
+                isMalicious: false,
+                confidence: 0,
+                detectedPatterns: [],
+                riskLevel: 'LOW',
+            };
+        }
+        const result = {
+            isMalicious: false,
+            confidence: 0,
+            detectedPatterns: [],
+            sanitizedInput: xmlContent,
+            riskLevel: 'LOW',
+        };
+        // Check for dangerous patterns
+        let riskScore = 0;
+        this.dangerousPatterns.forEach((pattern, index) => {
+            const matches = xmlContent.match(pattern);
+            if (matches) {
+                const patternName = this.getPatternName(index);
+                result.detectedPatterns.push(`${patternName}: ${matches.length} occurrence(s)`);
+                riskScore += 0.7;
+            }
+        });
+        // Check for DTD if not allowed
+        if (!this.config.allowDTD && /<!DOCTYPE/gi.test(xmlContent)) {
+            result.detectedPatterns.push('DTD declaration (not allowed)');
+            riskScore += 0.5;
+        }
+        // Check for entity declarations
+        if (!this.config.allowExternalEntities && /<!ENTITY/gi.test(xmlContent)) {
+            result.detectedPatterns.push('Entity declaration (not allowed)');
+            riskScore += 0.6;
+        }
+        // Calculate confidence
+        result.confidence = Math.min(riskScore, 1.0);
+        // Determine risk level
+        if (result.confidence >= 0.8) {
+            result.riskLevel = 'CRITICAL';
+            result.isMalicious = true;
+        }
+        else if (result.confidence >= this.config.falsePositiveThreshold) {
+            result.riskLevel = 'HIGH';
+            result.isMalicious = true;
+        }
+        else if (result.confidence >= 0.3) {
+            result.riskLevel = 'MEDIUM';
+            result.isMalicious = this.config.strictMode;
+        }
+        // Sanitize XML
+        if (result.confidence >= 0.3) {
+            result.sanitizedInput = this.sanitizeXML(xmlContent);
+        }
+        // Log attempts
+        if (this.config.logAttempts && result.confidence >= 0.5) {
+            this.logAttempt(result);
+        }
+        return result;
+    }
+    /**
+     * Sanitize XML by removing dangerous constructs
+     */
+    sanitizeXML(xml) {
+        let sanitized = xml;
+        // Remove DOCTYPE declarations
+        sanitized = sanitized.replace(/<!DOCTYPE[^>]*>/gi, '');
+        // Remove ENTITY declarations
+        sanitized = sanitized.replace(/<!ENTITY[^>]*>/gi, '');
+        // Remove SYSTEM references
+        sanitized = sanitized.replace(/SYSTEM\s+["'][^"']*["']/gi, '');
+        // Remove PUBLIC references
+        sanitized = sanitized.replace(/PUBLIC\s+["'][^"']*["']/gi, '');
+        return sanitized;
+    }
+    /**
+     * Safe XML parsing helper (returns parsed object or null)
+     * Note: In production, use a library like 'libxmljs2' with secure defaults
+     */
+    safeParseXML(xmlContent) {
+        const detection = this.detect(xmlContent);
+        if (detection.isMalicious) {
+            if (this.config.blockOnDetection) {
+                throw new Error(`XXE attack detected: ${detection.detectedPatterns.join(', ')}`);
+            }
+            return null;
+        }
+        // In production, use a secure XML parser here
+        // Example with libxmljs2:
+        // const libxmljs = require('libxmljs2');
+        // return libxmljs.parseXml(detection.sanitizedInput, {
+        //     noent: false,  // Disable entity substitution
+        //     dtdload: false, // Disable DTD loading
+        //     dtdvalid: false, // Disable DTD validation
+        //     nonet: true,    // Disable network access
+        // });
+        return { warning: 'Use a secure XML parser library in production' };
+    }
+    getPatternName(index) {
+        const names = [
+            'External SYSTEM entity',
+            'External PUBLIC entity',
+            'Parameter entity',
+            'DOCTYPE SYSTEM',
+            'DOCTYPE PUBLIC',
+            'File protocol',
+            'HTTP/HTTPS external resource',
+            'PHP wrapper',
+            'Data URI',
+        ];
+        return names[index] || `Pattern ${index}`;
+    }
+    logAttempt(result) {
+        console.warn('[XXE] Attack detected:', {
+            timestamp: new Date().toISOString(),
+            confidence: result.confidence,
+            patterns: result.detectedPatterns,
+        });
+    }
+    updateConfig(newConfig) {
+        this.config = { ...this.config, ...newConfig };
+    }
+    getConfig() {
+        return { ...this.config };
+    }
+}
+
+module.exports = XXEProtector;
+//# sourceMappingURL=XXEProtector.js.map

package/dist/cjs/src/middleware/built-in/security/XXEProtector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"XXEProtector.js","sources":["../../../../../../src/middleware/built-in/security/XXEProtector.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAAA;;;;;AAKG;AAUH,MAAM,YAAY,CAAA;AA8Bd,IAAA,WAAA,CAAY,SAAoB,EAAE,EAAA;;AA1BjB,QAAA,IAAA,CAAA,iBAAiB,GAAG;;YAEjC,8BAA8B;YAC9B,8BAA8B;;YAG9B,sBAAsB;;YAGtB,+BAA+B;YAC/B,+BAA+B;;YAG/B,0BAA0B;;YAG1B,kCAAkC;;YAGlC,YAAY;YACZ,eAAe;;YAGf,aAAa;SAChB,CAAC;QAGE,IAAI,CAAC,MAAM,GAAG;AACV,YAAA,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,IAAI;AAC/B,YAAA,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,IAAI;AACrC,YAAA,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,IAAI;AACvC,YAAA,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,IAAI;AACjD,YAAA,sBAAsB,EAAE,MAAM,CAAC,sBAAsB,IAAI,GAAG;AAC5D,YAAA,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,EAAE;AAC3C,YAAA,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;AAClC,YAAA,qBAAqB,EAAE,MAAM,CAAC,qBAAqB,IAAI,KAAK;AAC5D,YAAA,mBAAmB,EAAE,MAAM,CAAC,mBAAmB,IAAI,CAAC;SACvD,CAAC;KACL;AAED;;AAEG;AACH,IAAA,MAAM,CAAC,UAAqC,EAAA;QACxC,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE;YAC/C,OAAO;AACH,gBAAA,WAAW,EAAE,KAAK;AAClB,gBAAA,UAAU,EAAE,CAAC;AACb,gBAAA,gBAAgB,EAAE,EAAE;AACpB,gBAAA,SAAS,EAAE,KAAK;aACnB,CAAC;SACL;AAED,QAAA,MAAM,MAAM,GAA4B;AACpC,YAAA,WAAW,EAAE,KAAK;AAClB,YAAA,UAAU,EAAE,CAAC;AACb,YAAA,gBAAgB,EAAE,EAAE;AACpB,YAAA,cAAc,EAAE,UAAU;AAC1B,YAAA,SAAS,EAAE,KAAK;SACnB,CAAC;;QAGF,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,KAAK,KAAI;YAC9C,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC1C,IAAI,OAAO,EAAE;gBACT,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;AAC/C,gBAAA,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAA,EAAG,WAAW,CAAA,EAAA,EAAK,OAAO,CAAC,MAAM,CAAA,cAAA,CAAgB,CAAC,CAAC;gBAChF,SAAS,IAAI,GAAG,CAAC;aACpB;AACL,SAAC,CAAC,CAAC;;AAGH,QAAA,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE;AACzD,YAAA,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;YAC9D,SAAS,IAAI,GAAG,CAAC;SACpB;;AAGD,QAAA,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,qBAAqB,IAAI,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE;AACrE,YAAA,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;YACjE,SAAS,IAAI,GAAG,CAAC;SACpB;;QAGD,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;;AAG7C,QAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AAC1B,YAAA,MAAM,CAAC,SAAS,GAAG,UAAU,CAAC;AAC9B,YAAA,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC;SAC7B;aAAM,IAAI,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE;AAChE,YAAA,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC;AAC1B,YAAA,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC;SAC7B;AAAM,aAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AACjC,YAAA,MAAM,CAAC,SAAS,GAAG,QAAQ,CAAC;YAC5B,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC;SAC/C;;AAGD,QAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;YAC1B,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;SACxD;;AAGD,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AACrD,YAAA,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;SAC3B;AAED,QAAA,OAAO,MAAM,CAAC;KACjB;AAED;;AAEG;AACK,IAAA,WAAW,CAAC,GAAW,EAAA;QAC3B,IAAI,SAAS,GAAG,GAAG,CAAC;;QAGpB,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC;;QAGvD,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;;QAGtD,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,2BAA2B,EAAE,EAAE,CAAC,CAAC;;QAG/D,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,2BAA2B,EAAE,EAAE,CAAC,CAAC;AAE/D,QAAA,OAAO,SAAS,CAAC;KACpB;AAED;;;AAGG;AACH,IAAA,YAAY,CAAC,UAAkB,EAAA;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;AAE1C,QAAA,IAAI,SAAS,CAAC,WAAW,EAAE;AACvB,YAAA,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE;AAC9B,gBAAA,MAAM,IAAI,KAAK,CAAC,CAAA,qBAAA,EAAwB,SAAS,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA,CAAE,CAAC,CAAC;aACpF;AACD,YAAA,OAAO,IAAI,CAAC;SACf;;;;;;;;;;AAYD,QAAA,OAAO,EAAE,OAAO,EAAE,+CAA+C,EAAE,CAAC;KACvE;AAEO,IAAA,cAAc,CAAC,KAAa,EAAA;AAChC,QAAA,MAAM,KAAK,GAAG;YACV,wBAAwB;YACxB,wBAAwB;YACxB,kBAAkB;YAClB,gBAAgB;YAChB,gBAAgB;YAChB,eAAe;YACf,8BAA8B;YAC9B,aAAa;YACb,UAAU;SACb,CAAC;QACF,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAW,QAAA,EAAA,KAAK,EAAE,CAAC;KAC7C;AAEO,IAAA,UAAU,CAAC,MAA+B,EAAA;AAC9C,QAAA,OAAO,CAAC,IAAI,CAAC,wBAAwB,EAAE;AACnC,YAAA,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,MAAM,CAAC,gBAAgB;AACpC,SAAA,CAAC,CAAC;KACN;AAED,IAAA,YAAY,CAAC,SAA6B,EAAA;AACtC,QAAA,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;KAClD;IAED,SAAS,GAAA;AACL,QAAA,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;KAC7B;AACJ;;;;"}