@configjs/cli 1.1.16 → 1.1.17

package/dist/{chunk-FIB2J36N.js → chunk-5NXT5HCC.js}

@@ -1,13 +1,115 @@
 import {
   getModuleLogger
-} from "./chunk-QPEUT7QG.js";
+} from "./chunk-VN4XTFDK.js";
+
+// src/core/path-validator.ts
+import { resolve, normalize, sep, isAbsolute, dirname } from "path";
+import { pathExists, realpath } from "fs-extra";
+import { z } from "zod";
+var pathResolutionSchema = z.object({
+  projectRoot: z.string().min(1, "Project root cannot be empty").refine(
+    (path) => isAbsolute(path),
+    "Project root must be an absolute path"
+  ),
+  userPath: z.string().min(1, "User path cannot be empty").max(1024, "Path exceeds maximum length (1024 characters)").refine((path) => !path.includes("\0"), "Path cannot contain null bytes").refine((path) => {
+    for (let i = 0; i < path.length; i++) {
+      const charCode = path.charCodeAt(i);
+      if (charCode >= 0 && charCode <= 31) {
+        return false;
+      }
+    }
+    return true;
+  }, "Path cannot contain control characters")
+});
+function validatePathInProject(projectRoot, userPath) {
+  const validated = pathResolutionSchema.parse({
+    projectRoot,
+    userPath
+  });
+  const normalizedRoot = normalize(resolve(validated.projectRoot));
+  const resolvedPath = normalize(resolve(normalizedRoot, validated.userPath));
+  const isWithinBoundary = resolvedPath === normalizedRoot || resolvedPath.startsWith(normalizedRoot + sep);
+  if (!isWithinBoundary) {
+    throw new Error(
+      `Path traversal detected: "${userPath}" attempts to escape project root. Resolved: "${resolvedPath}", allowed: "${normalizedRoot}"`
+    );
+  }
+  if (userPath.includes("..")) {
+    throw new Error(
+      `Path contains parent directory (..): "${userPath}". Only paths within project root allowed.`
+    );
+  }
+  if (isAbsolute(userPath)) {
+    throw new Error(
+      `Absolute paths not allowed: "${userPath}". Use path relative to project root.`
+    );
+  }
+  return resolvedPath;
+}
+async function findClosestExistingPath(boundaryRoot, resolvedPath) {
+  let currentPath = resolvedPath;
+  while (true) {
+    if (await pathExists(currentPath)) {
+      return currentPath;
+    }
+    if (currentPath === boundaryRoot) {
+      return null;
+    }
+    const parentPath = dirname(currentPath);
+    if (parentPath === currentPath) {
+      return null;
+    }
+    currentPath = parentPath;
+  }
+}
+async function validateSymlinkBoundary(projectRoot, resolvedPath) {
+  const normalizedRoot = normalize(resolve(projectRoot));
+  const realRoot = await realpath(normalizedRoot).catch(() => normalizedRoot);
+  const existingPath = await findClosestExistingPath(
+    normalizedRoot,
+    resolvedPath
+  );
+  if (!existingPath) {
+    return;
+  }
+  const realExisting = await realpath(existingPath).catch(() => existingPath);
+  const normalizedRealExisting = normalize(realExisting);
+  const normalizedRealRoot = normalize(realRoot);
+  const isWithinBoundary = normalizedRealExisting === normalizedRealRoot || normalizedRealExisting.startsWith(normalizedRealRoot + sep);
+  if (!isWithinBoundary) {
+    throw new Error(
+      `Symlink traversal detected: "${resolvedPath}" resolves outside project root. Resolved: "${normalizedRealExisting}", allowed: "${normalizedRealRoot}"`
+    );
+  }
+}
+async function validatePathInProjectWithSymlinks(projectRoot, userPath) {
+  const resolvedPath = validatePathInProject(projectRoot, userPath);
+  await validateSymlinkBoundary(projectRoot, resolvedPath);
+  return resolvedPath;
+}
+function getPathValidationErrorMessage(error) {
+  if (error instanceof z.ZodError) {
+    const issues = error.flatten().fieldErrors;
+    const messages = [];
+    for (const [field, msgs] of Object.entries(issues)) {
+      if (msgs && Array.isArray(msgs)) {
+        messages.push(`${field}: ${msgs.join(", ")}`);
+      }
+    }
+    return messages.join("; ") || "Invalid path format";
+  }
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return "Path validation failed";
+}
 
 // src/utils/fs-helpers.ts
-import { resolve as resolve2, dirname as dirname2, extname } from "path";
+import { resolve as resolve3, dirname as dirname3, extname } from "path";
 
 // src/core/fs-adapter.ts
 import fs from "fs-extra";
-import { resolve, dirname } from "path";
+import { resolve as resolve2, dirname as dirname2 } from "path";
 var FileSystemAdapter = class {
   /**
    * @param fsImpl - Implémentation du filesystem (memfs) ou undefined pour fs-extra
@@ -25,7 +127,7 @@ var FileSystemAdapter = class {
    * Normalise un chemin (résout les chemins relatifs)
    */
   normalizePath(path) {
-    return resolve(path);
+    return resolve2(path);
   }
   // ===== Async Operations =====
   async readFile(path, encoding = "utf-8") {
@@ -50,7 +152,7 @@ var FileSystemAdapter = class {
   async writeFile(path, content, encoding = "utf-8") {
     const fullPath = this.normalizePath(path);
     const implementation = this.getFs();
-    const parentDir = dirname(fullPath);
+    const parentDir = dirname2(fullPath);
     await this.mkdir(parentDir, { recursive: true });
     if (this.fsImpl) {
       await implementation.promises.writeFile(fullPath, content, encoding);
@@ -120,7 +222,7 @@ var FileSystemAdapter = class {
   }
   async writeJson(path, data, options) {
     const fullPath = this.normalizePath(path);
-    const parentDir = dirname(fullPath);
+    const parentDir = dirname2(fullPath);
     await this.mkdir(parentDir, { recursive: true });
     if (this.fsImpl) {
       const content = JSON.stringify(data, null, options?.spaces ?? 2);
@@ -135,7 +237,7 @@ var FileSystemAdapter = class {
   async copyFile(src, dest) {
     const srcPath = this.normalizePath(src);
     const destPath = this.normalizePath(dest);
-    const destDir = dirname(destPath);
+    const destDir = dirname2(destPath);
     await this.mkdir(destDir, { recursive: true });
     if (this.fsImpl) {
       const content = await this.readFile(srcPath);
@@ -184,7 +286,7 @@ var FileSystemAdapter = class {
   writeFileSync(path, content) {
     const fullPath = this.normalizePath(path);
     const implementation = this.getFs();
-    const parentDir = dirname(fullPath);
+    const parentDir = dirname2(fullPath);
     if (!this.existsSync(parentDir)) {
       this.mkdirSync(parentDir, { recursive: true });
     }
@@ -229,7 +331,7 @@ function normalizePath(path) {
 }
 async function readPackageJson(root, fsAdapter) {
   const adapter = fsAdapter || createDefaultFsAdapter();
-  const packageJsonPath = resolve2(root, "package.json");
+  const packageJsonPath = resolve3(root, "package.json");
   if (!await adapter.pathExists(packageJsonPath)) {
     throw new Error(`package.json not found at ${packageJsonPath}`);
   }
@@ -246,7 +348,7 @@ async function readPackageJson(root, fsAdapter) {
 }
 async function writePackageJson(root, pkg, fsAdapter) {
   const adapter = fsAdapter || createDefaultFsAdapter();
-  const packageJsonPath = resolve2(root, "package.json");
+  const packageJsonPath = resolve3(root, "package.json");
   try {
     await adapter.writeJson(packageJsonPath, pkg, {
       spaces: 2,
@@ -261,9 +363,9 @@ async function writePackageJson(root, pkg, fsAdapter) {
 async function readTsConfig(root, fsAdapter) {
   const adapter = fsAdapter || createDefaultFsAdapter();
   const possiblePaths = [
-    resolve2(root, "tsconfig.json"),
-    resolve2(root, "tsconfig.app.json"),
-    resolve2(root, "tsconfig.node.json")
+    resolve3(root, "tsconfig.json"),
+    resolve3(root, "tsconfig.app.json"),
+    resolve3(root, "tsconfig.node.json")
   ];
   for (const tsconfigPath of possiblePaths) {
     if (await adapter.pathExists(tsconfigPath)) {
@@ -285,12 +387,12 @@ async function readTsConfig(root, fsAdapter) {
 }
 async function checkPathExists(path, fsAdapter) {
   const adapter = fsAdapter || createDefaultFsAdapter();
-  const fullPath = resolve2(path);
+  const fullPath = resolve3(path);
   return adapter.pathExists(fullPath);
 }
 async function ensureDirectory(path, fsAdapter) {
   const adapter = fsAdapter || createDefaultFsAdapter();
-  const fullPath = resolve2(path);
+  const fullPath = resolve3(path);
   try {
     await adapter.mkdir(fullPath, { recursive: true });
     logger.debug(`Ensured directory exists: ${fullPath}`);
@@ -299,9 +401,18 @@ async function ensureDirectory(path, fsAdapter) {
     throw new Error(`Failed to create directory ${fullPath}: ${errorMessage}`);
   }
 }
-async function readFileContent(filePath, encoding = "utf-8", fsAdapter) {
+async function readFileContent(filePath, encoding = "utf-8", fsAdapter, projectRoot) {
   const adapter = fsAdapter || createDefaultFsAdapter();
-  const fullPath = resolve2(filePath);
+  let fullPath = resolve3(filePath);
+  if (projectRoot) {
+    try {
+      fullPath = await validatePathInProjectWithSymlinks(projectRoot, filePath);
+    } catch (error) {
+      const errorMsg = getPathValidationErrorMessage(error);
+      logger.error(`Path traversal attempt blocked: ${errorMsg}`);
+      throw new Error(`Invalid path: ${errorMsg}`);
+    }
+  }
   if (!await adapter.pathExists(fullPath)) {
     throw new Error(`File not found: ${fullPath}`);
   }
@@ -314,10 +425,19 @@ async function readFileContent(filePath, encoding = "utf-8", fsAdapter) {
     throw new Error(`Failed to read file ${fullPath}: ${errorMessage}`);
   }
 }
-async function writeFileContent(filePath, content, encoding = "utf-8", fsAdapter) {
+async function writeFileContent(filePath, content, encoding = "utf-8", fsAdapter, projectRoot) {
   const adapter = fsAdapter || createDefaultFsAdapter();
-  const fullPath = resolve2(filePath);
-  const parentDir = dirname2(fullPath);
+  let fullPath = resolve3(filePath);
+  if (projectRoot) {
+    try {
+      fullPath = await validatePathInProjectWithSymlinks(projectRoot, filePath);
+    } catch (error) {
+      const errorMsg = getPathValidationErrorMessage(error);
+      logger.error(`Path traversal attempt blocked: ${errorMsg}`);
+      throw new Error(`Invalid path: ${errorMsg}`);
+    }
+  }
+  const parentDir = dirname3(fullPath);
   await ensureDirectory(parentDir, adapter);
   try {
     await adapter.writeFile(fullPath, content, encoding);
@@ -330,6 +450,8 @@ async function writeFileContent(filePath, content, encoding = "utf-8", fsAdapter
 
 export {
   createDefaultFsAdapter,
+  validatePathInProjectWithSymlinks,
+  getPathValidationErrorMessage,
   normalizePath,
   readPackageJson,
   writePackageJson,

package/dist/chunk-EDCNW4UO.js

@@ -0,0 +1,92 @@
+// src/core/input-validator.ts
+import { z } from "zod";
+var projectNameSchema = z.string().min(1, "Project name cannot be empty").max(100, "Project name cannot exceed 100 characters").regex(
+  /^[a-zA-Z0-9._-]+$/,
+  "Project name can only contain letters, numbers, dots, dashes, and underscores"
+).refine(
+  (name) => !name.includes(".."),
+  "Project name cannot contain path traversal (..) patterns"
+).refine(
+  (name) => !name.includes("/") && !name.includes("\\"),
+  "Project name cannot contain path separators"
+).transform((name) => name.trim());
+var svelteSetupSchema = z.object({
+  projectName: projectNameSchema,
+  useTypeScript: z.boolean()
+});
+var angularSetupSchema = z.object({
+  projectName: projectNameSchema,
+  useTypeScript: z.boolean(),
+  useRouting: z.boolean(),
+  useStylesheet: z.enum(["css", "scss", "sass", "less"])
+});
+var vueSetupSchema = z.object({
+  projectName: projectNameSchema,
+  typescript: z.boolean()
+});
+var nextjsSetupSchema = z.object({
+  projectName: projectNameSchema,
+  typescript: z.boolean(),
+  eslint: z.boolean(),
+  tailwind: z.boolean(),
+  srcDir: z.boolean(),
+  appRouter: z.boolean(),
+  importAlias: z.string().min(1, "Import alias cannot be empty").max(50, "Import alias cannot exceed 50 characters").regex(
+    /^@[a-zA-Z0-9_/*-]+$/,
+    "Import alias must start with @ and contain only valid characters"
+  ).default("@/*")
+});
+var viteSetupSchema = z.object({
+  projectName: projectNameSchema,
+  template: z.enum([
+    "react",
+    "react-ts",
+    "vue",
+    "vue-ts",
+    "svelte",
+    "svelte-ts"
+  ])
+});
+function validateInput(schema, data) {
+  try {
+    return schema.parse(data);
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      const messages = error.flatten().fieldErrors;
+      const errorMessages = [];
+      for (const [field, msgs] of Object.entries(messages)) {
+        if (msgs && Array.isArray(msgs)) {
+          errorMessages.push(`${field}: ${msgs.join(", ")}`);
+        }
+      }
+      throw new Error(`Input validation failed: ${errorMessages.join("; ")}`);
+    }
+    throw error;
+  }
+}
+function getValidationErrorMessage(error) {
+  if (error instanceof z.ZodError) {
+    const messages = error.flatten().fieldErrors;
+    const errorMessages = [];
+    for (const [field, msgs] of Object.entries(messages)) {
+      if (msgs && Array.isArray(msgs)) {
+        errorMessages.push(`${field}: ${msgs.join(", ")}`);
+      }
+    }
+    return errorMessages.join("; ");
+  }
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return "Validation failed";
+}
+
+export {
+  svelteSetupSchema,
+  angularSetupSchema,
+  vueSetupSchema,
+  nextjsSetupSchema,
+  viteSetupSchema,
+  validateInput,
+  getValidationErrorMessage
+};

package/dist/{chunk-UKEHW2LH.js → chunk-F3VNGA2S.js}

@@ -1,6 +1,6 @@
 import {
   detectPackageManager
-} from "./chunk-6GV4NKUX.js";
+} from "./chunk-V2IBYLVH.js";
 import {
   checkPathExists,
   createDefaultFsAdapter,
@@ -8,10 +8,10 @@ import {
   readPackageJson,
   readTsConfig,
   writeFileContent
-} from "./chunk-FIB2J36N.js";
+} from "./chunk-5NXT5HCC.js";
 import {
   getModuleLogger
-} from "./chunk-QPEUT7QG.js";
+} from "./chunk-VN4XTFDK.js";
 
 // src/core/plugin-tracker.ts
 import { join } from "path";
@@ -200,6 +200,17 @@ var PluginTracker = class {
 import { resolve, join as join2 } from "path";
 import { platform, version } from "process";
 var detectionCache = /* @__PURE__ */ new Map();
+var IGNORED_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  ".next",
+  "dist",
+  "build",
+  "coverage",
+  ".nuxt",
+  ".vite",
+  "out"
+]);
 var DetectionError = class extends Error {
   constructor(message, context) {
     super(message);
@@ -410,6 +421,9 @@ async function detectVueApi(projectRoot, srcDir, fsAdapter) {
     async function findVueFiles(dir) {
       const entries = await adapter.readdir(dir);
       for (const entryName of entries) {
+        if (IGNORED_DIRS.has(entryName)) {
+          continue;
+        }
         const fullPath = join2(dir, entryName);
         const stat = await adapter.stat(fullPath);
         if (stat.isDirectory()) {