@configjs/cli 1.1.16 → 1.1.18

package/dist/{chunk-FIB2J36N.js → chunk-HI7RYD6W.js}

@@ -1,13 +1,118 @@
 import {
   getModuleLogger
-} from "./chunk-QPEUT7QG.js";
+} from "./chunk-VN4XTFDK.js";
+
+// src/core/path-validator.ts
+import { resolve, normalize, sep, isAbsolute, dirname } from "path";
+import { realpath as realpathCallback } from "fs/promises";
+import fs from "fs-extra";
+import { z } from "zod";
+var pathExists = fs.pathExists;
+var realpath = realpathCallback;
+var pathResolutionSchema = z.object({
+  projectRoot: z.string().min(1, "Project root cannot be empty").refine(
+    (path) => isAbsolute(path),
+    "Project root must be an absolute path"
+  ),
+  userPath: z.string().min(1, "User path cannot be empty").max(1024, "Path exceeds maximum length (1024 characters)").refine((path) => !path.includes("\0"), "Path cannot contain null bytes").refine((path) => {
+    for (let i = 0; i < path.length; i++) {
+      const charCode = path.charCodeAt(i);
+      if (charCode >= 0 && charCode <= 31) {
+        return false;
+      }
+    }
+    return true;
+  }, "Path cannot contain control characters")
+});
+function validatePathInProject(projectRoot, userPath) {
+  const validated = pathResolutionSchema.parse({
+    projectRoot,
+    userPath
+  });
+  const normalizedRoot = normalize(resolve(validated.projectRoot));
+  const resolvedPath = normalize(resolve(normalizedRoot, validated.userPath));
+  const isWithinBoundary = resolvedPath === normalizedRoot || resolvedPath.startsWith(normalizedRoot + sep);
+  if (!isWithinBoundary) {
+    throw new Error(
+      `Path traversal detected: "${userPath}" attempts to escape project root. Resolved: "${resolvedPath}", allowed: "${normalizedRoot}"`
+    );
+  }
+  if (userPath.includes("..")) {
+    throw new Error(
+      `Path contains parent directory (..): "${userPath}". Only paths within project root allowed.`
+    );
+  }
+  if (isAbsolute(userPath)) {
+    throw new Error(
+      `Absolute paths not allowed: "${userPath}". Use path relative to project root.`
+    );
+  }
+  return resolvedPath;
+}
+async function findClosestExistingPath(boundaryRoot, resolvedPath) {
+  let currentPath = resolvedPath;
+  while (true) {
+    if (await pathExists(currentPath)) {
+      return currentPath;
+    }
+    if (currentPath === boundaryRoot) {
+      return null;
+    }
+    const parentPath = dirname(currentPath);
+    if (parentPath === currentPath) {
+      return null;
+    }
+    currentPath = parentPath;
+  }
+}
+async function validateSymlinkBoundary(projectRoot, resolvedPath) {
+  const normalizedRoot = normalize(resolve(projectRoot));
+  const realRoot = await realpath(normalizedRoot).catch(() => normalizedRoot);
+  const existingPath = await findClosestExistingPath(
+    normalizedRoot,
+    resolvedPath
+  );
+  if (!existingPath) {
+    return;
+  }
+  const realExisting = await realpath(existingPath).catch(() => existingPath);
+  const normalizedRealExisting = normalize(realExisting);
+  const normalizedRealRoot = normalize(realRoot);
+  const isWithinBoundary = normalizedRealExisting === normalizedRealRoot || normalizedRealExisting.startsWith(normalizedRealRoot + sep);
+  if (!isWithinBoundary) {
+    throw new Error(
+      `Symlink traversal detected: "${resolvedPath}" resolves outside project root. Resolved: "${normalizedRealExisting}", allowed: "${normalizedRealRoot}"`
+    );
+  }
+}
+async function validatePathInProjectWithSymlinks(projectRoot, userPath) {
+  const resolvedPath = validatePathInProject(projectRoot, userPath);
+  await validateSymlinkBoundary(projectRoot, resolvedPath);
+  return resolvedPath;
+}
+function getPathValidationErrorMessage(error) {
+  if (error instanceof z.ZodError) {
+    const issues = error.flatten().fieldErrors;
+    const messages = [];
+    for (const [field, msgs] of Object.entries(issues)) {
+      if (msgs && Array.isArray(msgs)) {
+        messages.push(`${field}: ${msgs.join(", ")}`);
+      }
+    }
+    return messages.join("; ") || "Invalid path format";
+  }
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return "Path validation failed";
+}
 
 // src/utils/fs-helpers.ts
-import { resolve as resolve2, dirname as dirname2, extname } from "path";
+import { resolve as resolve3, dirname as dirname3, extname } from "path";
 
 // src/core/fs-adapter.ts
-import fs from "fs-extra";
-import { resolve, dirname } from "path";
+import fs2 from "fs-extra";
+import { resolve as resolve2, dirname as dirname2 } from "path";
 var FileSystemAdapter = class {
   /**
    * @param fsImpl - Implémentation du filesystem (memfs) ou undefined pour fs-extra
@@ -19,13 +124,13 @@ var FileSystemAdapter = class {
    * Obtient l'implémentation du filesystem
    */
   getFs() {
-    return this.fsImpl || fs;
+    return this.fsImpl || fs2;
   }
   /**
    * Normalise un chemin (résout les chemins relatifs)
    */
   normalizePath(path) {
-    return resolve(path);
+    return resolve2(path);
   }
   // ===== Async Operations =====
   async readFile(path, encoding = "utf-8") {
@@ -39,7 +144,7 @@ var FileSystemAdapter = class {
       const buffer = content;
       return buffer.toString(encoding);
     } else {
-      const content = await fs.readFile(fullPath, encoding);
+      const content = await fs2.readFile(fullPath, encoding);
       if (typeof content === "string") {
         return content;
       }
@@ -50,12 +155,12 @@ var FileSystemAdapter = class {
   async writeFile(path, content, encoding = "utf-8") {
     const fullPath = this.normalizePath(path);
     const implementation = this.getFs();
-    const parentDir = dirname(fullPath);
+    const parentDir = dirname2(fullPath);
     await this.mkdir(parentDir, { recursive: true });
     if (this.fsImpl) {
       await implementation.promises.writeFile(fullPath, content, encoding);
     } else {
-      await fs.writeFile(fullPath, content, encoding);
+      await fs2.writeFile(fullPath, content, encoding);
     }
   }
   async mkdir(path, _options) {
@@ -64,7 +169,7 @@ var FileSystemAdapter = class {
     if (this.fsImpl) {
       await implementation.promises.mkdir(fullPath, { recursive: true });
     } else {
-      await fs.ensureDir(fullPath);
+      await fs2.ensureDir(fullPath);
     }
   }
   async readdir(path) {
@@ -73,7 +178,7 @@ var FileSystemAdapter = class {
       const entries = this.fsImpl.readdirSync(fullPath);
       return Promise.resolve(entries.map((entry) => String(entry)));
     } else {
-      return await fs.readdir(fullPath);
+      return await fs2.readdir(fullPath);
     }
   }
   async stat(path) {
@@ -87,7 +192,7 @@ var FileSystemAdapter = class {
         mtime: stats.mtime
       };
     } else {
-      const stats = await fs.stat(fullPath);
+      const stats = await fs2.stat(fullPath);
       return {
         isFile: () => stats.isFile(),
         isDirectory: () => stats.isDirectory(),
@@ -106,7 +211,7 @@ var FileSystemAdapter = class {
         return false;
       }
     } else {
-      return await fs.pathExists(fullPath);
+      return await fs2.pathExists(fullPath);
     }
   }
   async readJson(path) {
@@ -115,18 +220,18 @@ var FileSystemAdapter = class {
       const content = await this.readFile(fullPath);
       return JSON.parse(content);
     } else {
-      return await fs.readJson(fullPath);
+      return await fs2.readJson(fullPath);
     }
   }
   async writeJson(path, data, options) {
     const fullPath = this.normalizePath(path);
-    const parentDir = dirname(fullPath);
+    const parentDir = dirname2(fullPath);
     await this.mkdir(parentDir, { recursive: true });
     if (this.fsImpl) {
       const content = JSON.stringify(data, null, options?.spaces ?? 2);
       await this.writeFile(fullPath, content);
     } else {
-      await fs.writeJson(fullPath, data, {
+      await fs2.writeJson(fullPath, data, {
         spaces: options?.spaces ?? 2,
         EOL: options?.EOL ?? "\n"
       });
@@ -135,13 +240,13 @@ var FileSystemAdapter = class {
   async copyFile(src, dest) {
     const srcPath = this.normalizePath(src);
     const destPath = this.normalizePath(dest);
-    const destDir = dirname(destPath);
+    const destDir = dirname2(destPath);
     await this.mkdir(destDir, { recursive: true });
     if (this.fsImpl) {
       const content = await this.readFile(srcPath);
       await this.writeFile(destPath, content);
     } else {
-      await fs.copyFile(srcPath, destPath);
+      await fs2.copyFile(srcPath, destPath);
     }
   }
   async remove(path) {
@@ -158,7 +263,7 @@ var FileSystemAdapter = class {
       } catch {
       }
     } else {
-      await fs.remove(fullPath);
+      await fs2.remove(fullPath);
     }
   }
   // ===== Sync Operations (pour compatibilité) =====
@@ -173,7 +278,7 @@ var FileSystemAdapter = class {
       const buffer = content;
       return buffer.toString(encoding);
     } else {
-      const content = fs.readFileSync(fullPath, encoding);
+      const content = fs2.readFileSync(fullPath, encoding);
       if (typeof content === "string") {
         return content;
       }
@@ -184,14 +289,14 @@ var FileSystemAdapter = class {
   writeFileSync(path, content) {
     const fullPath = this.normalizePath(path);
     const implementation = this.getFs();
-    const parentDir = dirname(fullPath);
+    const parentDir = dirname2(fullPath);
     if (!this.existsSync(parentDir)) {
       this.mkdirSync(parentDir, { recursive: true });
     }
     if (this.fsImpl) {
       implementation.writeFileSync(fullPath, content);
     } else {
-      fs.writeFileSync(fullPath, content);
+      fs2.writeFileSync(fullPath, content);
     }
   }
   existsSync(path) {
@@ -205,7 +310,7 @@ var FileSystemAdapter = class {
         return false;
       }
     } else {
-      return fs.existsSync(fullPath);
+      return fs2.existsSync(fullPath);
     }
   }
   mkdirSync(path, _options) {
@@ -214,7 +319,7 @@ var FileSystemAdapter = class {
     if (this.fsImpl) {
       implementation.mkdirSync(fullPath, { recursive: true });
     } else {
-      fs.ensureDirSync(fullPath);
+      fs2.ensureDirSync(fullPath);
     }
   }
 };
@@ -229,7 +334,7 @@ function normalizePath(path) {
 }
 async function readPackageJson(root, fsAdapter) {
   const adapter = fsAdapter || createDefaultFsAdapter();
-  const packageJsonPath = resolve2(root, "package.json");
+  const packageJsonPath = resolve3(root, "package.json");
   if (!await adapter.pathExists(packageJsonPath)) {
     throw new Error(`package.json not found at ${packageJsonPath}`);
   }
@@ -246,7 +351,7 @@ async function readPackageJson(root, fsAdapter) {
 }
 async function writePackageJson(root, pkg, fsAdapter) {
   const adapter = fsAdapter || createDefaultFsAdapter();
-  const packageJsonPath = resolve2(root, "package.json");
+  const packageJsonPath = resolve3(root, "package.json");
   try {
     await adapter.writeJson(packageJsonPath, pkg, {
       spaces: 2,
@@ -261,9 +366,9 @@ async function writePackageJson(root, pkg, fsAdapter) {
 async function readTsConfig(root, fsAdapter) {
   const adapter = fsAdapter || createDefaultFsAdapter();
   const possiblePaths = [
-    resolve2(root, "tsconfig.json"),
-    resolve2(root, "tsconfig.app.json"),
-    resolve2(root, "tsconfig.node.json")
+    resolve3(root, "tsconfig.json"),
+    resolve3(root, "tsconfig.app.json"),
+    resolve3(root, "tsconfig.node.json")
   ];
   for (const tsconfigPath of possiblePaths) {
     if (await adapter.pathExists(tsconfigPath)) {
@@ -285,12 +390,12 @@ async function readTsConfig(root, fsAdapter) {
 }
 async function checkPathExists(path, fsAdapter) {
   const adapter = fsAdapter || createDefaultFsAdapter();
-  const fullPath = resolve2(path);
+  const fullPath = resolve3(path);
   return adapter.pathExists(fullPath);
 }
 async function ensureDirectory(path, fsAdapter) {
   const adapter = fsAdapter || createDefaultFsAdapter();
-  const fullPath = resolve2(path);
+  const fullPath = resolve3(path);
   try {
     await adapter.mkdir(fullPath, { recursive: true });
     logger.debug(`Ensured directory exists: ${fullPath}`);
@@ -299,9 +404,18 @@ async function ensureDirectory(path, fsAdapter) {
     throw new Error(`Failed to create directory ${fullPath}: ${errorMessage}`);
   }
 }
-async function readFileContent(filePath, encoding = "utf-8", fsAdapter) {
+async function readFileContent(filePath, encoding = "utf-8", fsAdapter, projectRoot) {
   const adapter = fsAdapter || createDefaultFsAdapter();
-  const fullPath = resolve2(filePath);
+  let fullPath = resolve3(filePath);
+  if (projectRoot) {
+    try {
+      fullPath = await validatePathInProjectWithSymlinks(projectRoot, filePath);
+    } catch (error) {
+      const errorMsg = getPathValidationErrorMessage(error);
+      logger.error(`Path traversal attempt blocked: ${errorMsg}`);
+      throw new Error(`Invalid path: ${errorMsg}`);
+    }
+  }
   if (!await adapter.pathExists(fullPath)) {
     throw new Error(`File not found: ${fullPath}`);
   }
@@ -314,10 +428,19 @@ async function readFileContent(filePath, encoding = "utf-8", fsAdapter) {
     throw new Error(`Failed to read file ${fullPath}: ${errorMessage}`);
   }
 }
-async function writeFileContent(filePath, content, encoding = "utf-8", fsAdapter) {
+async function writeFileContent(filePath, content, encoding = "utf-8", fsAdapter, projectRoot) {
   const adapter = fsAdapter || createDefaultFsAdapter();
-  const fullPath = resolve2(filePath);
-  const parentDir = dirname2(fullPath);
+  let fullPath = resolve3(filePath);
+  if (projectRoot) {
+    try {
+      fullPath = await validatePathInProjectWithSymlinks(projectRoot, filePath);
+    } catch (error) {
+      const errorMsg = getPathValidationErrorMessage(error);
+      logger.error(`Path traversal attempt blocked: ${errorMsg}`);
+      throw new Error(`Invalid path: ${errorMsg}`);
+    }
+  }
+  const parentDir = dirname3(fullPath);
   await ensureDirectory(parentDir, adapter);
   try {
     await adapter.writeFile(fullPath, content, encoding);
@@ -330,6 +453,8 @@ async function writeFileContent(filePath, content, encoding = "utf-8", fsAdapter
 
 export {
   createDefaultFsAdapter,
+  validatePathInProjectWithSymlinks,
+  getPathValidationErrorMessage,
   normalizePath,
   readPackageJson,
   writePackageJson,