@checkstack/healthcheck-script-backend 0.3.1 → 0.3.2

package/CHANGELOG.md

@@ -1,5 +1,25 @@
 # @checkstack/healthcheck-script-backend
 
+## 0.3.2
+
+### Patch Changes
+
+- d73e33e: Security fix: Prevent environment variable leakage to child processes.
+- 0ebbe56: Security Vulnerability Remediation completed:
+  - Refactored core authorization to Fail-Closed architecture with secure defaults.
+  - Implemented `assertTeamManagementAccess` to resolve BOLA in Teams Management.
+  - Protected internal S2S capabilities via explicit wildcard `serviceScope` definitions.
+  - Disarmed OS Command Injection in DiskCollector via strict regex validation and bash escaping.
+  - Re-architected inline script processing executing scripts in sandboxed Web Worker contexts.
+  - Isolated subprocess environment scopes in PingStrategy limiting variable leakage.
+  - Enforced strict token/API Key parsing with URLSearchParams checking.
+  - Explicitly fail-fast on missing DATABASE_URL configuration across independent backend clusters.
+  - Activated strict HTTP Security Headers (HSTS, CSP, X-Frame-Options) across the API automatically.
+- Updated dependencies [0ebbe56]
+  - @checkstack/backend-api@0.8.1
+  - @checkstack/common@0.6.3
+  - @checkstack/healthcheck-common@0.8.3
+
 ## 0.3.1
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/healthcheck-script-backend",
-  "version": "0.3.1",
+  "version": "0.3.2",
   "type": "module",
   "main": "src/index.ts",
   "scripts": {
@@ -9,7 +9,7 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/backend-api": "0.7.0",
+    "@checkstack/backend-api": "0.8.0",
     "@checkstack/common": "0.6.2",
     "@checkstack/healthcheck-common": "0.8.2"
   },

package/src/inline-script-collector.ts

@@ -77,22 +77,67 @@ async function executeInlineScript({
   timedOut: boolean;
 }> {
   try {
-    // Create an async function from the script
-    const asyncFn = new Function(
-      "context",
-      "console",
-      "fetch",
-      `return (async () => { ${script} })();`,
-    );
-
-    // Execute with timeout
-    const result = await Promise.race([
-      asyncFn(context, safeConsole, fetch),
+    // SECURITY: Execute in isolated Worker to prevent access to process, require, Bun, etc.
+    const workerCode = `
+      self.onmessage = async (event) => {
+        const { script, config } = event.data;
+        const logs = [];
+        const safeConsole = {
+          log: (...args) => logs.push(args.map(a => typeof a === "object" ? JSON.stringify(a) : String(a)).join(" ")),
+          warn: (...args) => logs.push("[WARN] " + args.map(a => typeof a === "object" ? JSON.stringify(a) : String(a)).join(" ")),
+          error: (...args) => logs.push("[ERROR] " + args.map(a => typeof a === "object" ? JSON.stringify(a) : String(a)).join(" ")),
+          info: (...args) => logs.push("[INFO] " + args.map(a => typeof a === "object" ? JSON.stringify(a) : String(a)).join(" ")),
+        };
+        const context = { config, fetch: globalThis.fetch };
+        try {
+          const fn = new Function("context", "console", "fetch",
+            "return (async () => { " + script + " })();"
+          );
+          const result = await fn(context, safeConsole, globalThis.fetch);
+          self.postMessage({ result, logs });
+        } catch (error) {
+          self.postMessage({ error: error.message, logs });
+        }
+      };
+    `;
+    const blob = new Blob([workerCode], { type: "application/javascript" });
+    const workerUrl = URL.createObjectURL(blob);
+    const worker = new Worker(workerUrl);
+
+    const workerResult = await Promise.race([
+      new Promise<{ result?: unknown; error?: string; logs: string[] }>((resolve) => {
+        worker.addEventListener("message", (event: MessageEvent) => resolve(event.data));
+        worker.postMessage({ script, config: context.config });
+      }),
       new Promise<never>((_, reject) =>
         setTimeout(() => reject(new Error("__TIMEOUT__")), timeoutMs),
       ),
     ]);
 
+    worker.terminate();
+    URL.revokeObjectURL(workerUrl);
+
+    // Replay logs into the outer safeConsole
+    if (workerResult.logs && Array.isArray(workerResult.logs)) {
+      for (const logLine of workerResult.logs) {
+        if (logLine.startsWith("[WARN] ")) {
+          safeConsole.warn(logLine.slice(7));
+        } else if (logLine.startsWith("[ERROR] ")) {
+          safeConsole.error(logLine.slice(8));
+        } else if (logLine.startsWith("[INFO] ")) {
+          safeConsole.info(logLine.slice(7));
+        } else {
+          safeConsole.log(logLine);
+        }
+      }
+    }
+
+    if (workerResult.error) {
+      throw new Error(workerResult.error);
+    }
+
+    const { result } = workerResult;
+
     // Normalize result
     if (result === undefined || result === null) {
       return { result: { success: true }, timedOut: false };
@@ -103,11 +148,12 @@ async function executeInlineScript({
     }
 
     if (typeof result === "object") {
+      const resultObj = result as Record<string, unknown>;
       return {
         result: {
-          success: Boolean(result.success ?? true),
-          message: result.message,
-          value: result.value,
+          success: Boolean(resultObj.success ?? true),
+          message: typeof resultObj.message === "string" ? resultObj.message : undefined,
+          value: typeof resultObj.value === "number" ? resultObj.value : undefined,
         },
         timedOut: false,
       };

package/src/security.test.ts

@@ -0,0 +1,30 @@
+import { describe, expect, it } from "bun:test";
+import { ScriptHealthCheckStrategy } from "./strategy";
+
+describe("ScriptHealthCheckStrategy Security", () => {
+  it("should not leak sensitive environment variables to child process", async () => {
+    // Set a secret in the current process
+    process.env.TEST_SECRET_KEY = "SUPER_SECRET_KEY_DO_NOT_LEAK";
+
+    // Use the default strategy which uses the real Bun.spawn
+    const strategy = new ScriptHealthCheckStrategy();
+    const connectedClient = await strategy.createClient({ timeout: 5000 });
+
+    const result = await connectedClient.client.exec({
+      command: "env",
+      args: [],
+      timeout: 5000,
+    });
+
+    connectedClient.close();
+
+    // Cleanup before assertions to be safe
+    delete process.env.TEST_SECRET_KEY;
+
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout).not.toContain("SUPER_SECRET_KEY_DO_NOT_LEAK");
+    // Ensure we still have some environment variables
+    // PATH is usually present, but let's check for something else generic or just ensure output is not empty
+    expect(result.stdout.length).toBeGreaterThan(0);
+  });
+});

package/src/strategy.ts

@@ -129,6 +129,19 @@ export interface ScriptExecutor {
   }): Promise<ScriptExecutionResult>;
 }
 
+const SAFE_ENV_VARS = [
+  "PATH",
+  "HOME",
+  "USER",
+  "LANG",
+  "LC_ALL",
+  "LC_CTYPE",
+  "TZ",
+  "TMPDIR",
+  "HOSTNAME",
+  "SHELL",
+];
+
 // Default executor using Bun.spawn
 const defaultScriptExecutor: ScriptExecutor = {
   async execute(config) {
@@ -143,11 +156,18 @@ const defaultScriptExecutor: ScriptExecutor = {
       }, config.timeout);
     });
 
+    const safeEnv: Record<string, string> = {};
+    for (const key of SAFE_ENV_VARS) {
+      if (process.env[key] !== undefined) {
+        safeEnv[key] = process.env[key]!;
+      }
+    }
+
     try {
       proc = spawn({
         cmd: [config.command, ...config.args],
         cwd: config.cwd,
-        env: { ...process.env, ...config.env },
+        env: { ...safeEnv, ...config.env },
         stdout: "pipe",
         stderr: "pipe",
       });