npm - @appliance.sh/api-server - Versions diffs - 1.21.0 → 1.22.1 - Mend

@appliance.sh/api-server 1.21.0 → 1.22.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +3 -3
package/src/routes/bootstrap/index.ts +4 -3
package/src/services/build.service.ts +41 -88

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@appliance.sh/api-server",
-  "version": "1.21.0",
+  "version": "1.22.1",
   "description": "",
   "author": "Eliot Lim",
   "repository": "https://github.com/appliance-sh/appliance.sh",
@@ -19,8 +19,8 @@
     "test:e2e": "vitest run --config vitest.e2e.config.ts"
   },
   "dependencies": {
-    "@appliance.sh/infra": "1.21.0",
-    "@appliance.sh/sdk": "1.21.0",
+    "@appliance.sh/infra": "1.22.1",
+    "@appliance.sh/sdk": "1.22.1",
     "@aws-sdk/client-ecr": "^3.1005.0",
     "@aws-sdk/client-s3": "^3.750.0",
     "express": "^5.2.1"

package/src/routes/bootstrap/index.ts CHANGED Viewed

@@ -1,11 +1,12 @@
 import { Router } from 'express';
-import { timingSafeEqual } from 'crypto';
+import { createHash, timingSafeEqual } from 'crypto';
 import { apiKeyInput } from '@appliance.sh/sdk';
 import { apiKeyService } from '../../services/api-key.service';
 function constantTimeEqual(a: string, b: string): boolean {
-  if (a.length !== b.length) return false;
-  return timingSafeEqual(Buffer.from(a), Buffer.from(b));
+  const ha = createHash('sha256').update(a).digest();
+  const hb = createHash('sha256').update(b).digest();
+  return timingSafeEqual(ha, hb);
 }
 export const bootstrapRoutes = Router();

package/src/services/build.service.ts CHANGED Viewed

@@ -1,8 +1,8 @@
-import { S3Client, GetObjectCommand, PutObjectCommand } from '@aws-sdk/client-s3';
+import { S3Client, GetObjectCommand } from '@aws-sdk/client-s3';
 import { ECRClient, GetAuthorizationTokenCommand } from '@aws-sdk/client-ecr';
 import { applianceBaseConfig, applianceInput } from '@appliance.sh/sdk';
 import type { ApplianceContainer, ApplianceFrameworkApp } from '@appliance.sh/sdk';
-import { execSync } from 'child_process';
+import { execFileSync } from 'child_process';
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as os from 'node:os';
@@ -60,7 +60,8 @@ export class BuildService {
     try {
       // List zip contents and validate paths before extracting
-      const entries = execSync(`zipinfo -1 "${zipPath}"`, { encoding: 'utf-8' }).trim().split('\n');
+      // Validate zip contents before extracting
+      const entries = execFileSync('zipinfo', ['-1', zipPath], { encoding: 'utf-8' }).trim().split('\n');
       for (const entryPath of entries) {
         const resolved = path.resolve(tmpDir, entryPath);
         if (!resolved.startsWith(tmpDir + path.sep) && resolved !== tmpDir) {
@@ -68,7 +69,15 @@ export class BuildService {
         }
       }
-      execSync(`unzip -o -q "${zipPath}" -d "${tmpDir}"`, { stdio: 'pipe' });
+      execFileSync('unzip', ['-o', '-q', zipPath, '-d', tmpDir], { stdio: 'pipe' });
+      // Reject symlinks after extraction
+      for (const entryPath of entries) {
+        const fullPath = path.join(tmpDir, entryPath);
+        if (fs.existsSync(fullPath) && fs.lstatSync(fullPath).isSymbolicLink()) {
+          throw new Error(`Zip contains symlink: ${entryPath}`);
+        }
+      }
       // Read the manifest
       const manifestPath = path.join(tmpDir, 'appliance.json');
@@ -78,7 +87,7 @@ export class BuildService {
       if (manifest.type === 'container') {
         return this.resolveContainer(tmpDir, manifest, tag, config);
       } else if (manifest.type === 'framework') {
-        return this.resolveFramework(tmpDir, manifest, tag, config);
+        return this.resolveFramework(manifest, s3Key, config);
       } else {
         return { codeS3Key: s3Key };
       }
@@ -87,53 +96,28 @@ export class BuildService {
     }
   }
-  private async resolveFramework(
-    tmpDir: string,
+  /**
+   * Framework builds are fully pre-processed by the CLI (dependencies installed,
+   * run.sh generated). The server just resolves Lambda-specific params from the
+   * manifest metadata and points at the original uploaded zip.
+   */
+  private resolveFramework(
     manifest: ApplianceFrameworkApp,
-    tag: string,
+    s3Key: string,
     config: ReturnType<typeof getBaseConfig>
-  ): Promise<ResolvedBuild> {
-    if (!config.aws.dataBucketName) throw new Error('Data bucket not configured');
+  ): ResolvedBuild {
     const port = manifest.port ?? 8080;
     const framework = manifest.framework ?? 'auto';
-    const detectedFramework = framework === 'auto' ? this.detectFramework(tmpDir) : framework;
-    const runtime = FRAMEWORK_RUNTIMES[detectedFramework] ?? FRAMEWORK_RUNTIMES['node'];
-    // Generate a run.sh that starts the web server
-    const startCommand = manifest.scripts?.start ?? this.defaultStartCommand(detectedFramework, tmpDir);
-    const runSh = ['#!/bin/bash', `export PORT=${port}`, `exec ${startCommand}`].join('\n');
-    fs.writeFileSync(path.join(tmpDir, 'run.sh'), runSh, { mode: 0o755 });
+    const runtime = FRAMEWORK_RUNTIMES[framework] ?? FRAMEWORK_RUNTIMES['node'];
-    // Repackage as a new zip (excluding the original zip and manifest-only artifacts)
-    const repackagedKey = `builds/${tag}.zip`;
-    const repackagedZip = path.join(tmpDir, 'repackaged.zip');
-    execSync(`cd "${tmpDir}" && zip -r "${repackagedZip}" . -x "appliance.zip" -x "repackaged.zip"`, { stdio: 'pipe' });
-    // Upload the repackaged zip
-    const s3 = new S3Client({ region: config.aws.region });
-    await s3.send(
-      new PutObjectCommand({
-        Bucket: config.aws.dataBucketName,
-        Key: repackagedKey,
-        Body: fs.readFileSync(repackagedZip),
-        ContentType: 'application/zip',
-      })
-    );
-    // Resolve the Lambda Web Adapter layer ARN and architecture for this region
     const platform = manifest.platform;
     const layerArn = LAMBDA_ADAPTER_LAYER[platform]?.replace('${region}', config.aws.region);
     if (!layerArn) throw new Error(`No Lambda Web Adapter layer for platform: ${platform}`);
     const architecture = FRAMEWORK_ARCHITECTURES[platform];
     if (!architecture) throw new Error(`No Lambda architecture for platform: ${platform}`);
-    // The Web Adapter layer uses AWS_LAMBDA_EXEC_WRAPPER to intercept the
-    // Lambda runtime bootstrap. It starts run.sh (the web server) and proxies
-    // Lambda invocations to it as HTTP requests. The handler value is not
-    // called directly but must point to a valid file to pass validation.
     return {
-      codeS3Key: repackagedKey,
+      codeS3Key: s3Key,
       runtime,
       handler: 'run.sh',
       layers: [layerArn],
@@ -145,29 +129,14 @@ export class BuildService {
     };
   }
-  private detectFramework(tmpDir: string): string {
-    if (fs.existsSync(path.join(tmpDir, 'package.json'))) return 'node';
-    if (fs.existsSync(path.join(tmpDir, 'requirements.txt'))) return 'python';
-    if (fs.existsSync(path.join(tmpDir, 'Pipfile'))) return 'python';
-    if (fs.existsSync(path.join(tmpDir, 'pyproject.toml'))) return 'python';
-    return 'node';
-  }
-  private defaultStartCommand(framework: string, tmpDir: string): string {
-    if (framework === 'python') {
-      return 'python app.py';
-    }
-    // Node default
-    if (fs.existsSync(path.join(tmpDir, 'package.json'))) {
-      const pkg = JSON.parse(fs.readFileSync(path.join(tmpDir, 'package.json'), 'utf-8'));
-      if (pkg.scripts?.start) return 'npm start';
-    }
-    return 'node index.js';
-  }
+  /**
+   * Container builds are fully pre-processed by the CLI (Lambda Web Adapter
+   * already injected). The server just loads the image and pushes it to ECR.
+   * All subprocess calls use execFileSync (array args) to prevent shell injection.
+   */
   private async resolveContainer(
     tmpDir: string,
-    manifest: ApplianceContainer,
+    _manifest: ApplianceContainer,
     tag: string,
     config: ReturnType<typeof getBaseConfig>
   ): Promise<ResolvedBuild> {
@@ -175,33 +144,17 @@ export class BuildService {
     if (!ecrRepositoryUrl) throw new Error('ECR repository not configured');
     const imageTarPath = path.join(tmpDir, 'image.tar');
-    if (!fs.existsSync(imageTarPath)) throw new Error('Build missing image.tar');
+    if (!fs.existsSync(imageTarPath)) {
+      const extracted = fs.readdirSync(tmpDir);
+      throw new Error(`Build missing image.tar. Extracted contents: ${extracted.join(', ')}`);
+    }
-    // Load the user's original image into Docker and capture the loaded image reference
-    const loadOutput = execSync(`docker load -i "${imageTarPath}"`, { encoding: 'utf-8' });
-    // Output is like "Loaded image: name:tag" or "Loaded image ID: sha256:abc..."
+    // Load the pre-built Lambda-ready image
+    const loadOutput = execFileSync('docker', ['load', '-i', imageTarPath], { encoding: 'utf-8' });
     const loadedMatch = loadOutput.match(/Loaded image(?: ID)?:\s*(.+)/);
     if (!loadedMatch) throw new Error(`Failed to parse docker load output: ${loadOutput}`);
     const loadedImage = loadedMatch[1].trim();
-    // Wrap the image with the Lambda Web Adapter so the same plain HTTP
-    // container works on both Lambda and ECS/Fargate without any changes.
-    const lambdaImageName = `${manifest.name}-lambda`;
-    const wrapperDockerfile = path.join(tmpDir, 'Dockerfile.lambda');
-    fs.writeFileSync(
-      wrapperDockerfile,
-      [
-        `FROM --platform=${manifest.platform} public.ecr.aws/awsguru/aws-lambda-adapter:0.9.1 AS adapter`,
-        `FROM ${loadedImage}`,
-        `COPY --from=adapter /lambda-adapter /opt/extensions/lambda-adapter`,
-        `ENV AWS_LWA_PORT=${manifest.port}`,
-      ].join('\n')
-    );
-    execSync(
-      `docker build --platform ${manifest.platform} --provenance=false -f "${wrapperDockerfile}" -t "${lambdaImageName}" "${tmpDir}"`,
-      { stdio: 'pipe' }
-    );
     // Auth with ECR
     const ecr = new ECRClient({ region: config.aws.region });
     const authResult = await ecr.send(new GetAuthorizationTokenCommand({}));
@@ -212,20 +165,20 @@ export class BuildService {
     const decoded = Buffer.from(authData.authorizationToken, 'base64').toString();
     const [username, password] = decoded.split(':');
-    execSync(`docker login --username ${username} --password-stdin ${authData.proxyEndpoint}`, {
+    execFileSync('docker', ['login', '--username', username, '--password-stdin', authData.proxyEndpoint], {
       input: password,
       stdio: ['pipe', 'pipe', 'pipe'],
     });
-    // Tag and push the Lambda-wrapped image
+    // Tag and push
     const remoteTag = `${ecrRepositoryUrl}:${tag}`;
-    execSync(`docker tag ${lambdaImageName} ${remoteTag}`, { stdio: 'pipe' });
-    execSync(`docker push ${remoteTag}`, { stdio: 'pipe' });
+    execFileSync('docker', ['tag', loadedImage, remoteTag], { stdio: 'pipe' });
+    execFileSync('docker', ['push', remoteTag], { stdio: 'pipe' });
     // Get digest
     let imageUri: string;
     try {
-      imageUri = execSync(`docker inspect --format='{{index .RepoDigests 0}}' ${remoteTag}`, {
+      imageUri = execFileSync('docker', ['inspect', '--format={{index .RepoDigests 0}}', remoteTag], {
         encoding: 'utf-8',
       }).trim();
     } catch {