@configjs/cli 1.1.16 → 1.1.18

package/dist/{chunk-JYWGJJ4M.js → chunk-D7IWYKUX.js}

@@ -1,19 +1,18 @@
 import {
   installPackages
-} from "./chunk-6GV4NKUX.js";
+} from "./chunk-V2IBYLVH.js";
 import {
   checkPathExists,
   ensureDirectory,
   normalizePath,
   readFileContent,
-  readPackageJson,
   writeFileContent,
   writePackageJson
-} from "./chunk-FIB2J36N.js";
+} from "./chunk-HI7RYD6W.js";
 import {
   getModuleLogger,
   logger
-} from "./chunk-QPEUT7QG.js";
+} from "./chunk-VN4XTFDK.js";
 
 // src/types/index.ts
 var Category = /* @__PURE__ */ ((Category2) => {
@@ -31,6 +30,426 @@ var Category = /* @__PURE__ */ ((Category2) => {
   return Category2;
 })(Category || {});
 
+// src/core/config-sanitizer.ts
+import { parse } from "@babel/parser";
+import { parseDocument } from "yaml";
+import { parse as parseToml } from "@iarna/toml";
+var ConfigSanitizer = class {
+  /**
+   * Validates and sanitizes JSON configuration
+   * Rejects if:
+   * - Invalid JSON syntax
+   * - Circular references
+   * - Prototype pollution attempts
+   *
+   * @param content - Raw JSON content
+   * @returns Parsed and validated JSON object
+   * @throws Error if JSON is invalid or contains injection attempts
+   */
+  static validateJSON(content) {
+    try {
+      const parsed = JSON.parse(content);
+      if (this.hasPrototypePollution(parsed)) {
+        throw new Error("Prototype pollution detected in JSON");
+      }
+      if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+        throw new Error("JSON must be an object");
+      }
+      return parsed;
+    } catch (error) {
+      if (error instanceof SyntaxError) {
+        throw new Error(`Invalid JSON: ${error.message}`);
+      }
+      throw error;
+    }
+  }
+  /**
+   * Validates JavaScript configuration file
+   * Rejects if:
+   * - Invalid JavaScript syntax
+   * - Contains eval/Function/require calls (except static imports)
+   * - Contains suspicious patterns
+   *
+   * @param content - Raw JavaScript content
+   * @returns Validated content (still as string, needs parsing via AST)
+   * @throws Error if JavaScript is invalid or contains suspicious code
+   */
+  static validateJavaScript(content) {
+    const ast = this.parseJavaScriptAst(content);
+    const blockedModules = /* @__PURE__ */ new Set([
+      "child_process",
+      "node:child_process",
+      "fs",
+      "node:fs",
+      "fs/promises",
+      "node:fs/promises"
+    ]);
+    this.walkAst(ast, (node, parent, parentKey) => {
+      if (node["type"] === "CallExpression") {
+        const callee = node["callee"];
+        if (callee?.["type"] === "Identifier" && callee["name"] === "eval") {
+          throw new Error("Dangerous pattern detected in JavaScript: eval()");
+        }
+        if (callee?.["type"] === "Identifier" && callee["name"] === "require") {
+          throw new Error("Dangerous pattern detected in JavaScript: require()");
+        }
+        const requireObject = callee?.["type"] === "MemberExpression" ? callee["object"] : void 0;
+        if (callee?.["type"] === "MemberExpression" && requireObject?.["type"] === "Identifier" && requireObject["name"] === "require") {
+          throw new Error("Dangerous pattern detected in JavaScript: require()");
+        }
+      }
+      if (node["type"] === "NewExpression") {
+        const callee = node["callee"];
+        if (callee?.["type"] === "Identifier" && callee["name"] === "Function") {
+          throw new Error(
+            "Dangerous pattern detected in JavaScript: new Function()"
+          );
+        }
+      }
+      if (node["type"] === "ImportExpression") {
+        throw new Error("Dangerous pattern detected in JavaScript: import()");
+      }
+      if (node["type"] === "ImportDeclaration") {
+        const source = node["source"];
+        const sourceValue = source?.["value"];
+        if (typeof sourceValue === "string" && blockedModules.has(sourceValue)) {
+          throw new Error(
+            `Dangerous pattern detected in JavaScript: import ${sourceValue}`
+          );
+        }
+      }
+      if (node["type"] === "MemberExpression") {
+        const objectNode = node["object"];
+        if (objectNode?.["type"] === "Identifier" && objectNode["name"] === "process") {
+          throw new Error(
+            "Dangerous pattern detected in JavaScript: process access"
+          );
+        }
+      }
+      if (node["type"] === "Identifier") {
+        const identifierName = node["name"];
+        const isObjectKey = parent?.["type"] === "ObjectProperty" && parentKey === "key" && parent["computed"] === false;
+        if (!isObjectKey && identifierName === "__dirname") {
+          throw new Error("Dangerous pattern detected in JavaScript: __dirname");
+        }
+        if (!isObjectKey && identifierName === "__filename") {
+          throw new Error(
+            "Dangerous pattern detected in JavaScript: __filename"
+          );
+        }
+      }
+      if (node["type"] === "TemplateLiteral") {
+        const expressions = node["expressions"];
+        if (Array.isArray(expressions) && expressions.length > 0) {
+          throw new Error(
+            "Dangerous pattern detected in JavaScript: template literal"
+          );
+        }
+      }
+    });
+    return content;
+  }
+  /**
+   * Validates YAML configuration
+   * Rejects if:
+   * - Invalid YAML syntax
+   * - Contains dangerous tags (!!, !!python, !!env)
+   * - Suspicious merge keys
+   *
+   * @param content - Raw YAML content
+   * @returns Validated content
+   * @throws Error if YAML is invalid or contains injection attempts
+   */
+  static validateYAML(content) {
+    const document = parseDocument(content, {
+      schema: "core"
+    });
+    if (document.errors.length > 0) {
+      throw new Error(
+        `Invalid YAML: ${document.errors[0]?.message ?? "unknown"}`
+      );
+    }
+    this.validateYamlNodes(document.contents);
+    const parsed = document.toJS({ maxAliasCount: 50 });
+    if (this.hasPrototypePollution(parsed)) {
+      throw new Error("Prototype pollution detected in YAML");
+    }
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      throw new Error("YAML must be an object");
+    }
+    if (this.hasSuspiciousStringValue(parsed)) {
+      throw new Error("Template syntax detected in YAML");
+    }
+    if (this.hasDangerousKey(parsed, /* @__PURE__ */ new Set(["exec", "eval", "require"]))) {
+      throw new Error("Dangerous key detected in YAML");
+    }
+    return content;
+  }
+  /**
+   * Validates TOML configuration
+   * Rejects if:
+   * - Invalid TOML syntax
+   * - Suspicious key names
+   * - Values that look like code injection
+   *
+   * @param content - Raw TOML content
+   * @returns Validated content
+   * @throws Error if TOML is invalid or contains injection attempts
+   */
+  static validateTOML(content) {
+    let parsed;
+    try {
+      parsed = parseToml(content);
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      throw new Error(`Invalid TOML: ${errorMessage}`);
+    }
+    if (this.hasPrototypePollution(parsed)) {
+      throw new Error("Prototype pollution detected in TOML");
+    }
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      throw new Error("TOML must be an object");
+    }
+    if (this.hasSuspiciousStringValue(parsed)) {
+      throw new Error("Template syntax detected in TOML");
+    }
+    if (this.hasDangerousKey(parsed, /* @__PURE__ */ new Set(["exec", "eval", "require"]))) {
+      throw new Error("Dangerous key detected in TOML");
+    }
+    return content;
+  }
+  /**
+   * Escapes string values to prevent injection
+   * Used when inserting values into configs
+   *
+   * @param value - Value to escape
+   * @param format - Config format (json, js, yaml, toml)
+   * @returns Escaped value safe for insertion
+   */
+  static escapeValue(value, format = "json") {
+    if (!value) return value;
+    switch (format) {
+      case "json":
+        return JSON.stringify(value);
+      case "js":
+        return `'${value.replace(/\\/g, "\\\\").replace(/'/g, "\\'")}'`;
+      case "yaml":
+        if (value.includes(":") || value.includes("#") || value.includes("{")) {
+          return `"${value.replace(/"/g, '\\"')}"`;
+        }
+        return value;
+      case "toml":
+        return `"${value.replace(/"/g, '\\"')}"`;
+      default:
+        return value;
+    }
+  }
+  /**
+   * Detects prototype pollution attempts in objects
+   * Checks for dangerous keys like __proto__, constructor, prototype
+   *
+   * @param obj - Object to check
+   * @returns True if prototype pollution attempt detected
+   */
+  static hasPrototypePollution(obj) {
+    if (typeof obj !== "object" || obj === null) {
+      return false;
+    }
+    const dangerousKeys = ["__proto__", "constructor", "prototype"];
+    for (const [key, value] of Object.entries(obj)) {
+      if (dangerousKeys.includes(key)) {
+        return true;
+      }
+      if (typeof value === "object" && value !== null) {
+        if (this.hasPrototypePollution(value)) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+  static parseJavaScriptAst(content) {
+    try {
+      return parse(content, {
+        sourceType: "module",
+        plugins: ["typescript", "jsx"]
+      });
+    } catch {
+      try {
+        return parse(content, {
+          sourceType: "script",
+          plugins: ["typescript", "jsx"]
+        });
+      } catch (error) {
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        throw new Error(`Invalid JavaScript: ${errorMessage}`);
+      }
+    }
+  }
+  static walkAst(node, visitor, parent, parentKey) {
+    if (!node || typeof node !== "object") {
+      return;
+    }
+    const currentNode = node;
+    if (typeof currentNode["type"] !== "string") {
+      return;
+    }
+    visitor(currentNode, parent, parentKey);
+    for (const [key, value] of Object.entries(currentNode)) {
+      if (Array.isArray(value)) {
+        for (const item of value) {
+          this.walkAst(item, visitor, currentNode, key);
+        }
+      } else if (value && typeof value === "object") {
+        this.walkAst(value, visitor, currentNode, key);
+      }
+    }
+  }
+  static validateYamlNodes(node) {
+    if (!node || typeof node !== "object") {
+      return;
+    }
+    const currentNode = node;
+    if (currentNode.tag) {
+      const allowedTags = /* @__PURE__ */ new Set([
+        "tag:yaml.org,2002:map",
+        "tag:yaml.org,2002:seq",
+        "tag:yaml.org,2002:str",
+        "tag:yaml.org,2002:int",
+        "tag:yaml.org,2002:float",
+        "tag:yaml.org,2002:bool",
+        "tag:yaml.org,2002:null"
+      ]);
+      if (!allowedTags.has(currentNode.tag)) {
+        throw new Error(`Dangerous YAML tag detected: ${currentNode.tag}`);
+      }
+    }
+    if (Array.isArray(currentNode.items)) {
+      for (const item of currentNode.items) {
+        const pair = item;
+        const keyValue = pair?.key?.value;
+        if (keyValue === "<<") {
+          throw new Error("Dangerous YAML merge key detected");
+        }
+        this.validateYamlNodes(pair?.key);
+        this.validateYamlNodes(pair?.value);
+      }
+    }
+    this.validateYamlNodes(currentNode.key);
+    this.validateYamlNodes(currentNode.value);
+  }
+  static hasSuspiciousStringValue(value) {
+    if (typeof value === "string") {
+      return value.includes("${") || value.includes("`");
+    }
+    if (Array.isArray(value)) {
+      return value.some((item) => this.hasSuspiciousStringValue(item));
+    }
+    if (value && typeof value === "object") {
+      return Object.values(value).some(
+        (item) => this.hasSuspiciousStringValue(item)
+      );
+    }
+    return false;
+  }
+  static hasDangerousKey(value, dangerousKeys) {
+    if (Array.isArray(value)) {
+      return value.some((item) => this.hasDangerousKey(item, dangerousKeys));
+    }
+    if (value && typeof value === "object") {
+      for (const [key, item] of Object.entries(value)) {
+        if (dangerousKeys.has(key)) {
+          return true;
+        }
+        if (this.hasDangerousKey(item, dangerousKeys)) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+  /**
+   * Validates that a config file can be safely modified
+   * Checks structure and ensures it matches expected format
+   *
+   * @param content - Config file content
+   * @param format - Expected config format
+   * @returns True if config is valid and safe to modify
+   * @throws Error if config is invalid
+   */
+  static canSafelyModify(content, format) {
+    try {
+      switch (format) {
+        case "json":
+          this.validateJSON(content);
+          break;
+        case "js":
+          this.validateJavaScript(content);
+          break;
+        case "yaml":
+          this.validateYAML(content);
+          break;
+        case "toml":
+          this.validateTOML(content);
+          break;
+      }
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Merges configurations safely
+   * Prevents injection by validating before merge
+   *
+   * @param original - Original config object
+   * @param updates - Updates to merge (user-provided)
+   * @param format - Config format
+   * @returns Merged configuration
+   * @throws Error if updates contain injection attempts
+   */
+  static mergeSafely(original, updates, format = "json") {
+    if (this.hasPrototypePollution(updates)) {
+      throw new Error("Prototype pollution detected in updates");
+    }
+    const result = { ...original };
+    for (const [key, value] of Object.entries(updates)) {
+      if (!this.isValidKey(key)) {
+        throw new Error(`Invalid key name: ${key}`);
+      }
+      if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+        result[key] = this.mergeSafely(
+          original[key] || {},
+          value,
+          format
+        );
+      } else {
+        result[key] = value;
+      }
+    }
+    return result;
+  }
+  /**
+   * Validates if a key name is safe to use
+   * Prevents prototype pollution and suspicious keys
+   *
+   * @param key - Key name to validate
+   * @returns True if key is valid and safe
+   */
+  static isValidKey(key) {
+    const dangerousKeys = [
+      "__proto__",
+      "constructor",
+      "prototype",
+      "constructor.prototype"
+    ];
+    if (dangerousKeys.includes(key)) {
+      return false;
+    }
+    return /^[a-zA-Z0-9_-]+$/.test(key);
+  }
+};
+
 // src/plugins/animation/framer-motion.ts
 import { join } from "path";
 
@@ -258,6 +677,7 @@ var BackupManager = class {
 
 // src/core/config-writer.ts
 import { resolve as resolve2, dirname } from "path";
+import { createHash } from "crypto";
 var ConfigWriter = class {
   /**
    * @param backupManager - Gestionnaire de backups à utiliser
@@ -268,6 +688,7 @@ var ConfigWriter = class {
     this.fsAdapter = fsAdapter;
   }
   logger = getModuleLogger();
+  jsonCache = /* @__PURE__ */ new Map();
   /**
    * Écrit ou modifie un fichier avec backup automatique
    *
@@ -359,24 +780,32 @@ var ConfigWriter = class {
    */
   async modifyPackageJson(projectRoot, modifier) {
     const fullPath = resolve2(projectRoot);
+    const packageJsonPath = resolve2(fullPath, "package.json");
     let pkg;
+    let existingContent;
     try {
-      pkg = await readPackageJson(fullPath, this.fsAdapter);
+      existingContent = await readFileContent(
+        packageJsonPath,
+        "utf-8",
+        this.fsAdapter
+      );
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : String(error);
       throw new Error(
         `Failed to read package.json: ${errorMessage}. Make sure you're in a valid project directory.`
       );
     }
-    const packageJsonPath = resolve2(fullPath, "package.json");
+    try {
+      pkg = this.parseJsonWithCache(packageJsonPath, existingContent);
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      throw new Error(
+        `Failed to read package.json: ${errorMessage}. File may be invalid JSON.`
+      );
+    }
     if (this.backupManager.hasBackup(packageJsonPath)) {
     } else {
       try {
-        const existingContent = await readFileContent(
-          packageJsonPath,
-          "utf-8",
-          this.fsAdapter
-        );
         this.backupManager.backup(packageJsonPath, existingContent);
       } catch (error) {
         const errorMessage = error instanceof Error ? error.message : String(error);
@@ -389,6 +818,7 @@ var ConfigWriter = class {
     try {
       await writePackageJson(fullPath, modifiedPkg, this.fsAdapter);
       this.logger.debug(`Modified package.json: ${packageJsonPath}`);
+      this.jsonCache.delete(packageJsonPath);
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : String(error);
       throw new Error(
@@ -497,6 +927,16 @@ var ConfigWriter = class {
     });
     this.logger.debug(`Injected import into ${fullPath}`);
   }
+  parseJsonWithCache(filePath, content) {
+    const hash = createHash("sha256").update(content).digest("hex");
+    const cached = this.jsonCache.get(filePath);
+    if (cached?.hash === hash) {
+      return cached.parsed;
+    }
+    const parsed = JSON.parse(content);
+    this.jsonCache.set(filePath, { hash, parsed });
+    return parsed;
+  }
 };
 
 // src/plugins/utils/plugin-services.ts
@@ -4707,6 +5147,12 @@ var nextjsImageOptimizationPlugin = {
           "utf-8",
           ctx.fsAdapter
         );
+        const configFormat = extension === "ts" ? "js" : "js";
+        if (!ConfigSanitizer.canSafelyModify(existingContent, configFormat)) {
+          throw new Error(
+            `Invalid or unsafe next.config.${extension} - cannot safely modify`
+          );
+        }
         const updatedContent = injectImageConfig(existingContent, extension);
         if (updatedContent !== existingContent) {
           await writer.writeFile(nextConfigPath, updatedContent, {
@@ -4802,6 +5248,9 @@ function injectImageConfig(content, _extension) {
     logger17.warn("Image configuration already exists in next.config");
     return content;
   }
+  if (!ConfigSanitizer.canSafelyModify(content, "js")) {
+    throw new Error("Invalid JavaScript in next.config file");
+  }
   let modifiedContent = content;
   const configRegex = /(const\s+nextConfig\s*=\s*\{|nextConfig\s*=\s*\{)([\s\S]*?)(\})/m;
   if (configRegex.test(modifiedContent)) {
@@ -4811,24 +5260,29 @@ function injectImageConfig(content, _extension) {
         if (configContent.includes("images:")) {
           return match;
         }
+        const imageConfig = buildImageConfig();
         const trimmed = configContent.trim();
         const hasTrailingComma = trimmed.endsWith(",");
-        const imageConfig = `  images: {
-    remotePatterns: [
-      {
-        protocol: 'https',
-        hostname: '**',
-      },
-    ],
-  },${hasTrailingComma ? "" : "\n"}`;
         return `${start}${trimmed}${hasTrailingComma ? "" : ","}
 ${imageConfig}
 }`;
       }
     );
   } else {
-    const imageConfig = `
-  images: {
+    const imageConfig = buildImageConfig();
+    modifiedContent = modifiedContent.replace(
+      /(\}\s*)$/,
+      (match) => `  ${imageConfig}
+${match}`
+    );
+  }
+  if (!ConfigSanitizer.canSafelyModify(modifiedContent, "js")) {
+    throw new Error("Failed to safely inject image configuration");
+  }
+  return modifiedContent;
+}
+function buildImageConfig() {
+  return `  images: {
     remotePatterns: [
       {
         protocol: 'https',
@@ -4836,13 +5290,6 @@ ${imageConfig}
       },
     ],
   },`;
-    modifiedContent = modifiedContent.replace(
-      /(\}\s*)$/,
-      (match) => `${imageConfig}
-${match}`
-    );
-  }
-  return modifiedContent;
 }
 
 // src/plugins/nextjs/middleware.ts
@@ -15321,6 +15768,7 @@ function getRecommendedPlugins(ctx) {
 export {
   BackupManager,
   ConfigWriter,
+  ConfigSanitizer,
   pluginRegistry,
   getPluginsByCategory,
   getRecommendedPlugins

package/dist/chunk-EDCNW4UO.js

@@ -0,0 +1,92 @@
+// src/core/input-validator.ts
+import { z } from "zod";
+var projectNameSchema = z.string().min(1, "Project name cannot be empty").max(100, "Project name cannot exceed 100 characters").regex(
+  /^[a-zA-Z0-9._-]+$/,
+  "Project name can only contain letters, numbers, dots, dashes, and underscores"
+).refine(
+  (name) => !name.includes(".."),
+  "Project name cannot contain path traversal (..) patterns"
+).refine(
+  (name) => !name.includes("/") && !name.includes("\\"),
+  "Project name cannot contain path separators"
+).transform((name) => name.trim());
+var svelteSetupSchema = z.object({
+  projectName: projectNameSchema,
+  useTypeScript: z.boolean()
+});
+var angularSetupSchema = z.object({
+  projectName: projectNameSchema,
+  useTypeScript: z.boolean(),
+  useRouting: z.boolean(),
+  useStylesheet: z.enum(["css", "scss", "sass", "less"])
+});
+var vueSetupSchema = z.object({
+  projectName: projectNameSchema,
+  typescript: z.boolean()
+});
+var nextjsSetupSchema = z.object({
+  projectName: projectNameSchema,
+  typescript: z.boolean(),
+  eslint: z.boolean(),
+  tailwind: z.boolean(),
+  srcDir: z.boolean(),
+  appRouter: z.boolean(),
+  importAlias: z.string().min(1, "Import alias cannot be empty").max(50, "Import alias cannot exceed 50 characters").regex(
+    /^@[a-zA-Z0-9_/*-]+$/,
+    "Import alias must start with @ and contain only valid characters"
+  ).default("@/*")
+});
+var viteSetupSchema = z.object({
+  projectName: projectNameSchema,
+  template: z.enum([
+    "react",
+    "react-ts",
+    "vue",
+    "vue-ts",
+    "svelte",
+    "svelte-ts"
+  ])
+});
+function validateInput(schema, data) {
+  try {
+    return schema.parse(data);
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      const messages = error.flatten().fieldErrors;
+      const errorMessages = [];
+      for (const [field, msgs] of Object.entries(messages)) {
+        if (msgs && Array.isArray(msgs)) {
+          errorMessages.push(`${field}: ${msgs.join(", ")}`);
+        }
+      }
+      throw new Error(`Input validation failed: ${errorMessages.join("; ")}`);
+    }
+    throw error;
+  }
+}
+function getValidationErrorMessage(error) {
+  if (error instanceof z.ZodError) {
+    const messages = error.flatten().fieldErrors;
+    const errorMessages = [];
+    for (const [field, msgs] of Object.entries(messages)) {
+      if (msgs && Array.isArray(msgs)) {
+        errorMessages.push(`${field}: ${msgs.join(", ")}`);
+      }
+    }
+    return errorMessages.join("; ");
+  }
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return "Validation failed";
+}
+
+export {
+  svelteSetupSchema,
+  angularSetupSchema,
+  vueSetupSchema,
+  nextjsSetupSchema,
+  viteSetupSchema,
+  validateInput,
+  getValidationErrorMessage
+};