@checkstack/healthcheck-script-backend 0.3.0 → 0.3.2

package/CHANGELOG.md

@@ -1,5 +1,49 @@
 # @checkstack/healthcheck-script-backend
 
+## 0.3.2
+
+### Patch Changes
+
+- d73e33e: Security fix: Prevent environment variable leakage to child processes.
+- 0ebbe56: Security Vulnerability Remediation completed:
+  - Refactored core authorization to Fail-Closed architecture with secure defaults.
+  - Implemented `assertTeamManagementAccess` to resolve BOLA in Teams Management.
+  - Protected internal S2S capabilities via explicit wildcard `serviceScope` definitions.
+  - Disarmed OS Command Injection in DiskCollector via strict regex validation and bash escaping.
+  - Re-architected inline script processing executing scripts in sandboxed Web Worker contexts.
+  - Isolated subprocess environment scopes in PingStrategy limiting variable leakage.
+  - Enforced strict token/API Key parsing with URLSearchParams checking.
+  - Explicitly fail-fast on missing DATABASE_URL configuration across independent backend clusters.
+  - Activated strict HTTP Security Headers (HSTS, CSP, X-Frame-Options) across the API automatically.
+- Updated dependencies [0ebbe56]
+  - @checkstack/backend-api@0.8.1
+  - @checkstack/common@0.6.3
+  - @checkstack/healthcheck-common@0.8.3
+
+## 0.3.1
+
+### Patch Changes
+
+- 869b4ab: ## Health Check Execution Improvements
+
+  ### Breaking Changes (backend-api)
+
+  - `HealthCheckStrategy.createClient()` now accepts `unknown` instead of `TConfig` due to TypeScript contravariance constraints. Implementations should use `this.config.validate(config)` to narrow the type.
+
+  ### Features
+
+  - **Platform-level hard timeout**: The executor now wraps the entire health check execution (connection + all collectors) in a single timeout, ensuring checks never hang indefinitely.
+  - **Parallel collector execution**: Collectors now run in parallel using `Promise.allSettled()`, improving performance while ensuring all collectors complete regardless of individual failures.
+  - **Base strategy config schema**: All strategy configs now extend `baseStrategyConfigSchema` which provides a standardized `timeout` field with sensible defaults (30s, min 100ms).
+
+  ### Fixes
+
+  - Fixed HTTP and Jenkins strategies clearing timeouts before reading the full response body.
+  - Simplified registry type signatures by using default type parameters.
+
+- Updated dependencies [869b4ab]
+  - @checkstack/backend-api@0.8.0
+
 ## 0.3.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/healthcheck-script-backend",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "type": "module",
   "main": "src/index.ts",
   "scripts": {
@@ -9,9 +9,9 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/backend-api": "0.5.2",
-    "@checkstack/common": "0.6.1",
-    "@checkstack/healthcheck-common": "0.8.1"
+    "@checkstack/backend-api": "0.8.0",
+    "@checkstack/common": "0.6.2",
+    "@checkstack/healthcheck-common": "0.8.2"
   },
   "devDependencies": {
     "@types/bun": "^1.0.0",

package/src/inline-script-collector.ts

@@ -77,22 +77,67 @@ async function executeInlineScript({
   timedOut: boolean;
 }> {
   try {
-    // Create an async function from the script
-    const asyncFn = new Function(
-      "context",
-      "console",
-      "fetch",
-      `return (async () => { ${script} })();`,
-    );
-
-    // Execute with timeout
-    const result = await Promise.race([
-      asyncFn(context, safeConsole, fetch),
+    // SECURITY: Execute in isolated Worker to prevent access to process, require, Bun, etc.
+    const workerCode = `
+      self.onmessage = async (event) => {
+        const { script, config } = event.data;
+        const logs = [];
+        const safeConsole = {
+          log: (...args) => logs.push(args.map(a => typeof a === "object" ? JSON.stringify(a) : String(a)).join(" ")),
+          warn: (...args) => logs.push("[WARN] " + args.map(a => typeof a === "object" ? JSON.stringify(a) : String(a)).join(" ")),
+          error: (...args) => logs.push("[ERROR] " + args.map(a => typeof a === "object" ? JSON.stringify(a) : String(a)).join(" ")),
+          info: (...args) => logs.push("[INFO] " + args.map(a => typeof a === "object" ? JSON.stringify(a) : String(a)).join(" ")),
+        };
+        const context = { config, fetch: globalThis.fetch };
+        try {
+          const fn = new Function("context", "console", "fetch",
+            "return (async () => { " + script + " })();"
+          );
+          const result = await fn(context, safeConsole, globalThis.fetch);
+          self.postMessage({ result, logs });
+        } catch (error) {
+          self.postMessage({ error: error.message, logs });
+        }
+      };
+    `;
+    const blob = new Blob([workerCode], { type: "application/javascript" });
+    const workerUrl = URL.createObjectURL(blob);
+    const worker = new Worker(workerUrl);
+
+    const workerResult = await Promise.race([
+      new Promise<{ result?: unknown; error?: string; logs: string[] }>((resolve) => {
+        worker.addEventListener("message", (event: MessageEvent) => resolve(event.data));
+        worker.postMessage({ script, config: context.config });
+      }),
       new Promise<never>((_, reject) =>
         setTimeout(() => reject(new Error("__TIMEOUT__")), timeoutMs),
       ),
     ]);
 
+    worker.terminate();
+    URL.revokeObjectURL(workerUrl);
+
+    // Replay logs into the outer safeConsole
+    if (workerResult.logs && Array.isArray(workerResult.logs)) {
+      for (const logLine of workerResult.logs) {
+        if (logLine.startsWith("[WARN] ")) {
+          safeConsole.warn(logLine.slice(7));
+        } else if (logLine.startsWith("[ERROR] ")) {
+          safeConsole.error(logLine.slice(8));
+        } else if (logLine.startsWith("[INFO] ")) {
+          safeConsole.info(logLine.slice(7));
+        } else {
+          safeConsole.log(logLine);
+        }
+      }
+    }
+
+    if (workerResult.error) {
+      throw new Error(workerResult.error);
+    }
+
+    const { result } = workerResult;
+
     // Normalize result
     if (result === undefined || result === null) {
       return { result: { success: true }, timedOut: false };
@@ -103,11 +148,12 @@ async function executeInlineScript({
     }
 
     if (typeof result === "object") {
+      const resultObj = result as Record<string, unknown>;
       return {
         result: {
-          success: Boolean(result.success ?? true),
-          message: result.message,
-          value: result.value,
+          success: Boolean(resultObj.success ?? true),
+          message: typeof resultObj.message === "string" ? resultObj.message : undefined,
+          value: typeof resultObj.value === "number" ? resultObj.value : undefined,
         },
         timedOut: false,
       };

package/src/security.test.ts

@@ -0,0 +1,30 @@
+import { describe, expect, it } from "bun:test";
+import { ScriptHealthCheckStrategy } from "./strategy";
+
+describe("ScriptHealthCheckStrategy Security", () => {
+  it("should not leak sensitive environment variables to child process", async () => {
+    // Set a secret in the current process
+    process.env.TEST_SECRET_KEY = "SUPER_SECRET_KEY_DO_NOT_LEAK";
+
+    // Use the default strategy which uses the real Bun.spawn
+    const strategy = new ScriptHealthCheckStrategy();
+    const connectedClient = await strategy.createClient({ timeout: 5000 });
+
+    const result = await connectedClient.client.exec({
+      command: "env",
+      args: [],
+      timeout: 5000,
+    });
+
+    connectedClient.close();
+
+    // Cleanup before assertions to be safe
+    delete process.env.TEST_SECRET_KEY;
+
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).not.toContain("SUPER_SECRET_KEY_DO_NOT_LEAK");
+    // Ensure we still have some environment variables
+    // PATH is usually present, but let's check for something else generic or just ensure output is not empty
+    expect(result.stdout.length).toBeGreaterThan(0);
+  });
+});

package/src/strategy.ts

@@ -13,6 +13,7 @@ import {
   z,
   type ConnectedClient,
   type InferAggregatedResult,
+  baseStrategyConfigSchema,
 } from "@checkstack/backend-api";
 import {
   healthResultBoolean,
@@ -34,13 +35,7 @@ import type {
  * Configuration schema for Script health checks.
  * Global defaults only - action params moved to ExecuteCollector.
  */
-export const scriptConfigSchema = z.object({
-  timeout: z
-    .number()
-    .min(100)
-    .default(30_000)
-    .describe("Default execution timeout in milliseconds"),
-});
+export const scriptConfigSchema = baseStrategyConfigSchema.extend({});
 
 export type ScriptConfig = z.infer<typeof scriptConfigSchema>;
 export type ScriptConfigInput = z.input<typeof scriptConfigSchema>;
@@ -134,6 +129,19 @@ export interface ScriptExecutor {
   }): Promise<ScriptExecutionResult>;
 }
 
+const SAFE_ENV_VARS = [
+  "PATH",
+  "HOME",
+  "USER",
+  "LANG",
+  "LC_ALL",
+  "LC_CTYPE",
+  "TZ",
+  "TMPDIR",
+  "HOSTNAME",
+  "SHELL",
+];
+
 // Default executor using Bun.spawn
 const defaultScriptExecutor: ScriptExecutor = {
   async execute(config) {
@@ -148,11 +156,18 @@ const defaultScriptExecutor: ScriptExecutor = {
       }, config.timeout);
     });
 
+    const safeEnv: Record<string, string> = {};
+    for (const key of SAFE_ENV_VARS) {
+      if (process.env[key] !== undefined) {
+        safeEnv[key] = process.env[key]!;
+      }
+    }
+
     try {
       proc = spawn({
         cmd: [config.command, ...config.args],
         cwd: config.cwd,
-        env: { ...process.env, ...config.env },
+        env: { ...safeEnv, ...config.env },
         stdout: "pipe",
         stderr: "pipe",
       });