@sentzunhat/zacatl
A modular, high-performance TypeScript microservice framework for Node.js, featuring layered architecture, dependency injection, and robust validation for building scalable APIs and distributed systems.
import path from 'node:path';

import { ValidationError } from '../../error/index.js';
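// Characters rejected in every argument, whatever the policy says:
// ; & | ` $ < > ! and backslash.
// This is a denylist heuristic. It does not cover quotes, parentheses,
// newlines, globbing characters or option-style arguments, so it is a
// second line of defence and not a replacement for executing the command
// without a shell.
const SUSPICIOUS_CHARS_RE = /[;&|`$<>!\\]/;

/**
 * Reports whether `candidate` is `root` itself or a path beneath it.
 *
 * Both paths are resolved lexically first, so `..` segments are collapsed and
 * a sibling directory that merely shares the textual prefix (`/srv/app-old`
 * against `/srv/app`) is not treated as being inside the root. Relative paths
 * are resolved against the current process working directory.
 *
 * Symbolic links are NOT followed; a link inside the root that points
 * elsewhere still passes this check.
 *
 * @param {string} root - Directory that bounds the allowed area.
 * @param {string} candidate - Path to test.
 * @returns {boolean} True when `candidate` resolves to `root` or below it.
 */
const isWithinDirectory = (root, candidate) => {
  const relative = path.relative(path.resolve(root), path.resolve(candidate));
  if (relative === '') {
    return true;
  }
  const escapesRoot = relative === '..' || relative.startsWith(`..${path.sep}`);
  // An absolute result means the two paths share no common root (for
  // example different drives on Windows).
  return !escapesRoot && !path.isAbsolute(relative);
};

/**
 * Validates a command specification against an execution policy and throws
 * on the first violation. Returns nothing when the spec is acceptable.
 *
 * Checks, in order:
 *  1. `spec.cmd` must be listed in `policy.allowlist` (only when the list is
 *     present and non-empty; an absent or empty list allows any command).
 *  2. No argument may match any entry of `policy.denyPatterns`.
 *  3. No argument may contain a character from SUSPICIOUS_CHARS_RE.
 *  4. `spec.cwd` must resolve inside `policy.cwdPrefix` (only when both are
 *     defined).
 *
 * @param {{cmd: string, args?: Iterable<string>, cwd?: string}} spec
 *   Command to validate.
 * @param {{allowlist?: string[], denyPatterns?: Array<string|RegExp>, cwdPrefix?: string}} policy
 *   Restrictions to enforce.
 * @returns {void}
 * @throws {ValidationError} When any of the checks above fails.
 * @throws {SyntaxError} When a deny pattern is not a valid regular expression.
 */
export const validateCommandSpec = (spec, policy) => {
  // A spec without arguments has nothing to check in steps 2 and 3; treat it
  // as an empty list instead of failing with a TypeError in the loops below.
  const args = spec.args === undefined || spec.args === null ? [] : spec.args;

  const commandIsRestricted = policy.allowlist && policy.allowlist.length > 0;
  if (commandIsRestricted && !policy.allowlist.includes(spec.cmd)) {
    throw new ValidationError({
      message: `Command "${spec.cmd}" is not in the allowlist`,
      component: 'CommandRunner',
      operation: 'validateCommandSpec',
      metadata: { cmd: spec.cmd, allowlist: policy.allowlist },
    });
  }

  // NOTE(review): rejected arguments are echoed in the error message and
  // metadata below. If arguments can carry credentials, confirm how
  // ValidationError instances are logged.
  if (policy.denyPatterns && policy.denyPatterns.length > 0) {
    for (const arg of args) {
      for (const pattern of policy.denyPatterns) {
        // A fresh RegExp per test keeps the match stateless even if a
        // pattern was supplied as a RegExp object with the `g` or `y` flag.
        if (new RegExp(pattern).test(arg)) {
          throw new ValidationError({
            message: `Argument "${arg}" matches deny pattern "${pattern}"`,
            component: 'CommandRunner',
            operation: 'validateCommandSpec',
            metadata: { arg, pattern },
          });
        }
      }
    }
  }

  for (const arg of args) {
    if (SUSPICIOUS_CHARS_RE.test(arg)) {
      throw new ValidationError({
        message: `Argument "${arg}" contains a suspicious character`,
        component: 'CommandRunner',
        operation: 'validateCommandSpec',
        metadata: { arg },
      });
    }
  }

  // NOTE(review): when spec.cwd is omitted no directory check runs at all;
  // confirm that the working directory the runner falls back to is acceptable
  // under the policy.
  if (policy.cwdPrefix !== undefined && spec.cwd !== undefined) {
    // An empty prefix matched every path under the previous plain-string
    // comparison; keep it meaning "no restriction" so existing policies
    // behave the same.
    const unrestricted = policy.cwdPrefix === '';
    if (!unrestricted && !isWithinDirectory(policy.cwdPrefix, spec.cwd)) {
      throw new ValidationError({
        message: `Working directory "${spec.cwd}" is outside the allowed prefix "${policy.cwdPrefix}"`,
        component: 'CommandRunner',
        operation: 'validateCommandSpec',
        metadata: { cwd: spec.cwd, cwdPrefix: policy.cwdPrefix },
      });
    }
  }
};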
//# sourceMappingURL=policy.js.map