UNPKG

@juspay/neurolink

Version:

Universal AI Development Platform with working MCP integration, multi-provider support, voice (TTS/STT/realtime), and professional CLI. 58+ external MCP servers discoverable, multimodal file processing, RAG pipelines. Build, test, and deploy AI applicatio

github.com/juspay/neurolink

juspay/neurolink

288 lines (287 loc) 9.96 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
/** * XML Processing Utility * * Handles downloading, validating, and processing XML files with security. * * Security Notes: * --------------- * XML parsing can be vulnerable to XML External Entity (XXE) attacks: * * 1. **XXE Attacks**: DOCTYPE and ENTITY declarations can be exploited to: * - Read local files on the server * - Perform Server-Side Request Forgery (SSRF) * - Cause Denial of Service via entity expansion * * 2. **Mitigation**: We reject XML files containing DOCTYPE or ENTITY declarations * and disable entity processing in the parser. * * References: * - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing * - https://cwe.mitre.org/data/definitions/611.html (XXE) * * @module processors/data/XmlProcessor * * @example * ```typescript * import { xmlProcessor, isXmlFile, processXml } from "./XmlProcessor.js"; * * // Check if file is XML * if (isXmlFile("application/xml", "data.xml")) { * // Process the file * const result = await processXml(fileInfo); * if (result.success && result.data) { * console.log("Root element:", result.data.rootElement); * console.log("Parsed:", result.data.parsed); * } * } * ``` */ import { createRequire } from "node:module"; import { BaseFileProcessor } from "../base/BaseFileProcessor.js"; import { SIZE_LIMITS_MB } from "../config/index.js"; import { createFileError, FileErrorCode } from "../errors/index.js"; const require = createRequire(import.meta.url); // ============================================================================= // TYPES // ============================================================================= // Re-import for local use within this file // ============================================================================= // CONSTANTS // ============================================================================= /** Supported XML MIME types */ const SUPPORTED_XML_TYPES = ["application/xml", "text/xml"]; /** Supported XML file extensions */ const SUPPORTED_XML_EXTENSIONS = [".xml"]; // ============================================================================= // XML PROCESSOR CLASS // ============================================================================= /** * XML file processor. * Extends BaseFileProcessor with XML-specific parsing and validation. * * Features: * - XXE protection (rejects DOCTYPE and ENTITY declarations) * - Parses XML to JavaScript objects * - Extracts root element name * * @example * ```typescript * const processor = new XmlProcessor(); * * const result = await processor.processFile({ * id: "file-123", * name: "data.xml", * mimetype: "application/xml", * size: 1024, * buffer: xmlBuffer, * }); * * if (result.success && result.data?.valid) { * console.log("Root element:", result.data.rootElement); * } * ``` */ export class XmlProcessor extends BaseFileProcessor { constructor() { super({ maxSizeMB: SIZE_LIMITS_MB.XML_MAX_MB, timeoutMs: 30000, supportedMimeTypes: SUPPORTED_XML_TYPES, supportedExtensions: SUPPORTED_XML_EXTENSIONS, fileTypeName: "XML", defaultFilename: "data.xml", }); } /** * Extract the root element name from XML content. * * @param content - XML content string * @returns Root element name or undefined if not found */ extractRootElement(content) { // Skip XML declaration and comments, then find first element const elementMatch = content.match(/<([a-zA-Z][a-zA-Z0-9_:-]*)[>\s/]/); return elementMatch?.[1]; } /** * Check if XML content contains XXE attack vectors. * * @param content - XML content string * @returns Object with detection results */ checkXxeVectors(content) { const lower = content.toLowerCase(); return { hasDOCTYPE: lower.includes("<!doctype"), hasENTITY: lower.includes("<!entity"), }; } /** * Parse XML content to JavaScript object securely. * * @param content - XML content string * @returns Parsed XML content */ parseXmlSecurely(content) { // Dynamically import fast-xml-parser const { XMLParser } = require("fast-xml-parser"); // Initialize XML parser with sensible defaults // XXE Protection: Disable entity processing to prevent XML External Entity attacks const parser = new XMLParser({ ignoreAttributes: false, attributeNamePrefix: "@_", textNodeName: "#text", parseAttributeValue: true, parseTagValue: true, trimValues: true, // XXE Protection - explicitly disable entity processing processEntities: false, htmlEntities: false, }); return parser.parse(content); } /** * Validate downloaded XML is parseable and safe with structured error result. * Includes XXE protection by rejecting XML with DOCTYPE or ENTITY declarations. * Returns user-friendly error messages with actionable suggestions. * * @param buffer - Downloaded file content * @param fileInfo - Original file information * @returns Success result or error result */ async validateDownloadedFileWithResult(buffer, fileInfo) { try { const content = buffer.toString("utf-8"); // XXE Protection: Check for potentially dangerous DOCTYPE/ENTITY declarations const { hasDOCTYPE, hasENTITY } = this.checkXxeVectors(content); if (hasDOCTYPE || hasENTITY) { const error = createFileError(FileErrorCode.XXE_DETECTED, { hasDOCTYPE, hasENTITY, filename: fileInfo.name, }); return { success: false, error: { code: error.code, message: error.message, userMessage: error.userMessage, details: error.details, }, }; } // Parse to validate structure this.parseXmlSecurely(content); return { success: true, data: undefined }; } catch (error) { const fileError = createFileError(FileErrorCode.PARSING_FAILED, { fileType: "XML" }, error instanceof Error ? error : undefined); return { success: false, error: { code: fileError.code, message: fileError.message, userMessage: fileError.userMessage, details: fileError.details, }, }; } } /** * Build processed XML result with parsed content. * * @param buffer - Downloaded file content * @param fileInfo - Original file information * @returns Processed XML result */ buildProcessedResult(buffer, fileInfo) { const content = buffer.toString("utf-8"); let parsed = null; let valid = true; let errorMessage; // Extract root element const rootElement = this.extractRootElement(content); try { parsed = this.parseXmlSecurely(content); } catch (error) { // This shouldn't happen since we validate, but handle gracefully valid = false; errorMessage = error instanceof Error ? error.message : "Invalid XML"; } return { content, parsed, valid, errorMessage, rootElement, buffer, mimetype: fileInfo.mimetype || "application/xml", size: fileInfo.size, filename: this.getFilename(fileInfo), }; } } // ============================================================================= // SINGLETON INSTANCE // ============================================================================= /** Singleton XML processor instance */ export const xmlProcessor = new XmlProcessor(); // ============================================================================= // UTILITY FUNCTIONS // ============================================================================= /** * Check if a file is an XML file based on MIME type or extension. * * @param mimetype - MIME type of the file * @param filename - Filename (for extension-based detection) * @returns true if the file is an XML file * * @example * ```typescript * if (isXmlFile("application/xml", "data.xml")) { * // Process as XML * } * ``` */ export function isXmlFile(mimetype, filename) { return xmlProcessor.isFileSupported(mimetype, filename); } /** * Validate XML file size against configured limit. * * @param sizeBytes - File size in bytes * @returns true if size is within the limit */ export function validateXmlSize(sizeBytes) { const maxBytes = SIZE_LIMITS_MB.XML_MAX_MB * 1024 * 1024; return sizeBytes <= maxBytes; } /** * Process a single XML file with XXE protection. * * @param fileInfo - File information (with URL or buffer) * @param options - Optional processing options (auth headers, timeout, retry config) * @returns Processing result with parsed XML or error * * @example * ```typescript * const result = await processXml({ * id: "file-123", * name: "data.xml", * mimetype: "application/xml", * size: 2048, * url: "https://example.com/data.xml", * }, { * authHeaders: { "Authorization": "Bearer token" }, * }); * * if (result.success && result.data) { * console.log("Root:", result.data.rootElement); * console.log("Parsed:", result.data.parsed); * } * ``` */ export function processXml(fileInfo, options) { return xmlProcessor.processFile(fileInfo, options); }