@cyclonedx/cdxgen 12.2.1 → 12.3.0

package/lib/server/server.js

@@ -1,4 +1,3 @@
-import fs from "node:fs";
 import http from "node:http";
 import path from "node:path";
 import process from "node:process";
@@ -9,16 +8,31 @@ import compression from "compression";
 import connect from "connect";
 
 import { createBom, submitBom } from "../cli/index.js";
+import { normalizeOutputFormats } from "../helpers/exportUtils.js";
+import {
+  cleanupSourceDir,
+  findGitRefForPurlVersion,
+  getGitAllowProtocol,
+  gitClone,
+  isAllowedPath,
+  isAllowedWinPath,
+  maybePurlSource,
+  maybeRemotePath,
+  PURL_REGISTRY_LOOKUP_WARNING,
+  resolveGitUrlFromPurl,
+  resolvePurlSourceDirectory,
+  sanitizeRemoteUrlForLogs,
+  validateAndRejectGitSource,
+  validatePurlSource,
+} from "../helpers/source.js";
 import {
   CDXGEN_VERSION,
-  getTmpDir,
   hasDangerousUnicode,
   isSecureMode,
-  isValidDriveRoot,
   isWin,
-  safeSpawnSync,
 } from "../helpers/utils.js";
 import { postProcess } from "../stages/postgen/postgen.js";
+import { convertCycloneDxToSpdx } from "../stages/postgen/spdxConverter.js";
 
 // Timeout milliseconds. Default 10 mins
 const TIMEOUT_MS =
@@ -44,6 +58,7 @@ const ALLOWED_PARAMS = [
   "serverUrl",
   "apiKey",
   "specVersion",
+  "format",
   "filter",
   "only",
   "autoCompositions",
@@ -61,274 +76,37 @@ const ALLOWED_PARAMS = [
 
 const app = connect();
 
-app.use(
-  bodyParser.json({
-    deflate: true,
-    limit: "1mb",
-  }),
-);
-app.use(compression());
-
-/**
- * Return git allow protocol string from the environment variables.
- *
- * @returns {string} git allow protocol string
- */
-function getGitAllowProtocol() {
-  return (
-    process.env.GIT_ALLOW_PROTOCOL ||
-    process.env.CDXGEN_SERVER_GIT_ALLOW_PROTOCOL ||
-    (isSecureMode ? "https:ssh" : "https:git:ssh")
-  );
-}
-
-/**
- * Checks the given hostname against the allowed list.
- *
- * @param {string} hostname Host name to check
- * @returns {boolean} true if the hostname in its entirety is allowed. false otherwise.
- */
-export function isAllowedHost(hostname) {
-  if (!process.env.CDXGEN_SERVER_ALLOWED_HOSTS) {
+function isAllowedHttpHost(hostname) {
+  if (!process.env.CDXGEN_ALLOWED_HOSTS) {
     return true;
   }
-  // Guard against dangerous Unicode characters
-  if (hasDangerousUnicode(hostname)) {
+  if (!hostname || hasDangerousUnicode(hostname)) {
     return false;
   }
-  return (process.env.CDXGEN_SERVER_ALLOWED_HOSTS || "")
-    .split(",")
-    .includes(hostname);
-}
-
-/**
- * Checks the given path string to belong to a drive in Windows.
- *
- * @param {string} p Path string to check
- * @returns {boolean} true if the windows path belongs to a drive. false otherwise (device names)
- */
-export function isAllowedWinPath(p) {
-  if (typeof p !== "string") {
-    return false;
-  }
-  if (p === "") {
-    return true;
-  }
-  // Guard against dangerous Unicode characters
-  if (hasDangerousUnicode(p)) {
-    return false;
-  }
-  try {
-    const normalized = path.normalize(p);
-    // Check the entire normalized path for dangerous patterns
-    if (hasDangerousUnicode(normalized)) {
-      return false;
-    }
-    const { root } = path.parse(normalized);
-    // Both Relative paths and invalid windows device names are resulting in an empty root
-    // To keep things simple, we don't accept relative paths for Windows server-mode users at all
-
-    // Invocations with unix-style paths result in "\\" as the root on windows
-    // path.parse(path.normalize("/foo/bar"))
-    // { root: '\\', dir: '\\foo', base: 'bar', ext: '', name: 'bar' }
-    if (root === "\\") {
+  const allowHosts = process.env.CDXGEN_ALLOWED_HOSTS.split(",")
+    .map((host) => host.trim())
+    .filter(Boolean);
+  for (const allowedHost of allowHosts) {
+    if (hostname === allowedHost) {
       return true;
     }
-    // Check for device/UNC paths - these should always return false
-    if (root.startsWith("\\\\")) {
-      return false;
-    }
-    // Strict validation for drive letter format
-    return isValidDriveRoot(root);
-  } catch (_err) {
-    return false;
-  }
-}
-
-/**
- * Checks the given path against the allowed list.
- *
- * @param {string} p Path string to check
- * @returns {boolean} true if the path is present in the allowed paths. false otherwise.
- */
-export function isAllowedPath(p) {
-  if (typeof p !== "string") {
-    return false;
-  }
-  // Guard against dangerous Unicode characters
-  if (hasDangerousUnicode(p)) {
-    return false;
-  }
-  if (!process.env.CDXGEN_SERVER_ALLOWED_PATHS) {
-    return true;
-  }
-  // Handle CVE-2025-27210 without relying entirely on node blocklists
-  if (isWin && !isAllowedWinPath(p)) {
-    return false;
-  }
-  return (process.env.CDXGEN_SERVER_ALLOWED_PATHS || "")
-    .split(",")
-    .filter(Boolean)
-    .some((ap) => {
-      const resolvedP = path.resolve(p);
-      const resolvedAp = path.resolve(ap);
-      const relativePath = path.relative(resolvedAp, resolvedP);
-      return (
-        relativePath === "" ||
-        (!relativePath.startsWith("..") && !path.isAbsolute(relativePath))
-      );
-    });
-}
-
-/**
- * Determine if the file path could be a remote URL.
- *
- * @param {string} filePath The Git URL or local path
- * @returns {Boolean} True if the file path is a remote URL. false otherwise.
- */
-export function maybeRemotePath(filePath) {
-  return /^[a-zA-Z0-9+.-]+:\/\//.test(filePath) || filePath.startsWith("git@");
-}
-
-/**
- * Validates a given Git URL/Path against dangerous protocols and allowed hosts.
- *
- * @param {string} filePath The Git URL or local path
- * @returns {Object|null} Error object if invalid, or null if valid
- */
-export function validateAndRejectGitSource(filePath) {
-  if (/^(ext|fd)::/i.test(filePath)) {
-    return {
-      status: 400,
-      error: "Invalid Protocol",
-      details: "The provided protocol is not allowed.",
-    };
-  }
-  if (maybeRemotePath(filePath)) {
-    let gitUrlObj;
-    try {
-      let urlToParse = filePath;
-      if (filePath.startsWith("git@") && !filePath.includes("://")) {
-        urlToParse = `ssh://${filePath.replace(":", "/")}`;
-      }
-      gitUrlObj = new URL(urlToParse);
-    } catch (_err) {
-      return {
-        status: 400,
-        error: "Invalid URL Format",
-        details: "The provided Git URL is malformed.",
-      };
-    }
-    const gitAllowProtocol = getGitAllowProtocol();
-    const allowedSchemes = gitAllowProtocol
-      .split(":")
-      .filter(Boolean)
-      .map((p) => `${p.toLowerCase()}:`);
-
     if (
-      allowedSchemes.includes("ssh:") &&
-      !allowedSchemes.includes("git+ssh:")
+      allowedHost.startsWith("*.") &&
+      hostname.endsWith(allowedHost.slice(1))
     ) {
-      allowedSchemes.push("git+ssh:");
-    }
-
-    if (!allowedSchemes.includes(gitUrlObj.protocol)) {
-      return {
-        status: 400,
-        error: "Protocol Not Allowed",
-        details: `The protocol '${gitUrlObj.protocol}' is not permitted by GIT_ALLOW_PROTOCOL.`,
-      };
-    }
-
-    if (gitUrlObj.href.includes("::")) {
-      return {
-        status: 400,
-        error: "Invalid URL Syntax",
-        details: "Git remote helper syntax (::) is not allowed.",
-      };
-    }
-
-    if (!isAllowedHost(gitUrlObj.hostname)) {
-      return {
-        status: 403,
-        error: "Host Not Allowed",
-        details: "The Git URL host is not allowed as per the allowlist.",
-      };
+      return true;
     }
   }
-
-  return null;
+  return false;
 }
 
-function gitClone(repoUrl, branch = null) {
-  let baseDirName = path.basename(repoUrl);
-  if (!/^[a-zA-Z0-9_-]+$/.test(baseDirName)) {
-    baseDirName = "repo-";
-  }
-  const tempDir = fs.mkdtempSync(path.join(getTmpDir(), baseDirName));
-
-  const gitArgs = [
-    "-c",
-    "alias.clone=",
-    "-c",
-    "core.fsmonitor=false",
-    "-c",
-    "safe.bareRepository=explicit",
-    "-c",
-    "core.hooksPath=/dev/null",
-    "clone",
-    "--template=",
-    repoUrl,
-    "--depth",
-    "1",
-    tempDir,
-  ];
-  if (branch) {
-    const firstBranchStr = Array.isArray(branch) ? branch[0] : String(branch);
-    if (firstBranchStr.startsWith("-")) {
-      console.log(
-        `Skipping branch clone: invalid branch name ${firstBranchStr}`,
-      );
-    } else {
-      const cloneIndex = gitArgs.indexOf("clone");
-      gitArgs.splice(cloneIndex + 1, 0, "--branch", firstBranchStr);
-    }
-  }
-  console.log(
-    `Cloning Repo${branch ? ` with branch ${branch}` : ""} to ${tempDir}`,
-  );
-  const gitAllowProtocol = getGitAllowProtocol();
-  const envConfigs = {
-    GIT_CONFIG_COUNT: "2",
-    GIT_CONFIG_KEY_0: "core.fsmonitor",
-    GIT_CONFIG_VALUE_0: "false",
-    GIT_CONFIG_KEY_1: "safe.bareRepository",
-    GIT_CONFIG_VALUE_1: "explicit",
-    GIT_TERMINAL_PROMPT: "0",
-  };
-  const env = isSecureMode
-    ? {
-        ...process.env,
-        ...envConfigs,
-        GIT_CONFIG_NOSYSTEM: "1",
-        GIT_CONFIG_GLOBAL: "/dev/null",
-        GIT_ALLOW_PROTOCOL: gitAllowProtocol,
-      }
-    : {
-        ...process.env,
-        ...envConfigs,
-        GIT_ALLOW_PROTOCOL: gitAllowProtocol,
-      };
-  const result = safeSpawnSync("git", gitArgs, {
-    shell: false,
-    env,
-  });
-  if (result.status !== 0) {
-    console.log(result.stderr);
-  }
-
-  return tempDir;
-}
+app.use(
+  bodyParser.json({
+    deflate: true,
+    limit: "1mb",
+  }),
+);
+app.use(compression());
 
 function sanitizeStr(s) {
   return s ? s.replace(/[\r\n]/g, "") : s;
@@ -512,7 +290,10 @@ const start = (options) => {
       process.exit(1);
     }
   }
-  if (!process.env.CDXGEN_SERVER_ALLOWED_HOSTS) {
+  if (
+    !process.env.CDXGEN_GIT_ALLOWED_HOSTS &&
+    !process.env.CDXGEN_SERVER_ALLOWED_HOSTS
+  ) {
     console.log(
       "No allowlist for git hosts has been specified. This is a security risk that could expose the system to SSRF vulnerabilities!",
     );
@@ -520,7 +301,11 @@ const start = (options) => {
       process.exit(1);
     }
   }
-  if (isSecureMode && !process.env.CDXGEN_SERVER_ALLOWED_PATHS) {
+  if (
+    isSecureMode &&
+    !process.env.CDXGEN_ALLOWED_PATHS &&
+    !process.env.CDXGEN_SERVER_ALLOWED_PATHS
+  ) {
     console.log(
       "No allowlist for paths has been specified. This is a security risk that could expose the filesystem and internal secrets!",
     );
@@ -588,100 +373,204 @@ const start = (options) => {
         }),
       );
     }
-    const validationError = validateAndRejectGitSource(filePath);
-    if (validationError) {
-      res.writeHead(validationError.status, {
-        "Content-Type": "application/json",
-      });
-      return res.end(
-        JSON.stringify({
-          error: validationError.error,
-          details: validationError.details,
-        }),
-      );
-    }
+    let cloneDir;
     let srcDir;
-    if (maybeRemotePath(filePath)) {
-      srcDir = gitClone(filePath, reqOptions.gitBranch);
-      cleanup = true;
-    } else {
-      srcDir = filePath;
-      if (
-        !isAllowedPath(path.resolve(srcDir)) ||
-        (isWin && !isAllowedWinPath(srcDir))
-      ) {
-        res.writeHead(403, { "Content-Type": "application/json" });
+    try {
+      let sourcePath = filePath;
+      let purlResolution;
+      if (maybePurlSource(sourcePath)) {
+        const purlValidationError = validatePurlSource(sourcePath);
+        if (purlValidationError) {
+          res.writeHead(purlValidationError.status, {
+            "Content-Type": "application/json",
+          });
+          return res.end(
+            JSON.stringify({
+              error: purlValidationError.error,
+              details: purlValidationError.details,
+            }),
+          );
+        }
+        purlResolution = await resolveGitUrlFromPurl(sourcePath);
+        if (!purlResolution?.repoUrl) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(
+            JSON.stringify({
+              error: "Unsupported purl source",
+              details:
+                "Unable to resolve the provided package URL to a repository URL.",
+            }),
+          );
+        }
+        if (purlResolution.registry) {
+          console.warn(
+            `${PURL_REGISTRY_LOOKUP_WARNING} Registry: ${purlResolution.registry}, purl type: ${purlResolution.type}, resolved URL: ${sanitizeRemoteUrlForLogs(purlResolution.repoUrl)}`,
+          );
+        } else {
+          console.warn(
+            `Resolved repository URL from purl metadata. purl type: ${purlResolution.type}, resolved URL: ${sanitizeRemoteUrlForLogs(purlResolution.repoUrl)}`,
+          );
+        }
+        sourcePath = purlResolution.repoUrl;
+      }
+      const validationError = validateAndRejectGitSource(sourcePath);
+      if (validationError) {
+        res.writeHead(validationError.status, {
+          "Content-Type": "application/json",
+        });
         return res.end(
           JSON.stringify({
-            error: "Path Not Allowed",
-            details: "Path is not allowed as per the allowlist.",
+            error: validationError.error,
+            details: validationError.details,
           }),
         );
       }
-    }
-    if (srcDir !== path.resolve(srcDir)) {
-      res.writeHead(500, { "Content-Type": "application/json" });
-      return res.end(
-        JSON.stringify({
-          error: "Absolute path needed",
-          details: "Relative paths are not supported in server mode.",
-        }),
-      );
-    }
-    console.log("Generating SBOM for", srcDir);
-    let bomNSData = (await createBom(srcDir, reqOptions)) || {};
-    bomNSData = postProcess(bomNSData, reqOptions);
-    if (reqOptions.serverUrl && reqOptions.apiKey) {
-      if (!isAllowedHost(reqOptions.serverUrl)) {
-        res.writeHead(403, { "Content-Type": "application/json" });
+      if (maybeRemotePath(sourcePath)) {
+        let gitRef = reqOptions.gitBranch;
+        if (!gitRef && purlResolution?.version) {
+          gitRef = findGitRefForPurlVersion(sourcePath, purlResolution);
+          if (!gitRef) {
+            console.warn(
+              `Unable to find a matching git tag for version '${purlResolution.version}'. Falling back to repository default branch.`,
+            );
+          }
+        }
+        cloneDir = gitClone(sourcePath, gitRef);
+        srcDir = cloneDir;
+        if (purlResolution?.type === "npm") {
+          const cloneRootDir = cloneDir;
+          const purlSourceDir = resolvePurlSourceDirectory(
+            srcDir,
+            purlResolution,
+          );
+          if (purlSourceDir && purlSourceDir !== cloneRootDir) {
+            const relativeDir = path.relative(cloneRootDir, purlSourceDir);
+            if (relativeDir.startsWith("..") || path.isAbsolute(relativeDir)) {
+              console.warn(
+                `Ignoring detected npm package directory outside clone root: ${purlSourceDir}`,
+              );
+            } else {
+              console.warn(
+                `Using npm package directory '${purlSourceDir}' for purl '${purlResolution.namespace ? `${purlResolution.namespace}/` : ""}${purlResolution.name}'.`,
+              );
+              srcDir = purlSourceDir;
+            }
+          }
+        }
+        cleanup = true;
+      } else {
+        srcDir = sourcePath;
+        if (
+          !isAllowedPath(path.resolve(srcDir)) ||
+          (isWin && !isAllowedWinPath(srcDir))
+        ) {
+          res.writeHead(403, { "Content-Type": "application/json" });
+          return res.end(
+            JSON.stringify({
+              error: "Path Not Allowed",
+              details: "Path is not allowed as per the allowlist.",
+            }),
+          );
+        }
+      }
+      if (srcDir !== path.resolve(srcDir)) {
+        res.writeHead(500, { "Content-Type": "application/json" });
         return res.end(
           JSON.stringify({
-            error: "Host Not Allowed",
-            details: "The URL host is not allowed as per the allowlist.",
+            error: "Absolute path needed",
+            details: "Relative paths are not supported in server mode.",
           }),
         );
       }
-      if (isSecureMode && !reqOptions.serverUrl?.startsWith("https://")) {
-        console.log(
-          "Dependency Track API server is used with a non-https url, which poses a security risk.",
-        );
+      console.log("Generating SBOM for", srcDir);
+      let bomNSData = (await createBom(srcDir, reqOptions)) || {};
+      bomNSData = postProcess(bomNSData, reqOptions, srcDir);
+      const requestedFormats = normalizeOutputFormats(reqOptions.format);
+      let responseBomJson = bomNSData.bomJson;
+      if (
+        requestedFormats.includes("spdx") &&
+        bomNSData?.bomJson?.bomFormat === "CycloneDX"
+      ) {
+        responseBomJson = convertCycloneDxToSpdx(bomNSData.bomJson, reqOptions);
       }
-      console.log(
-        `Publishing SBOM ${reqOptions.projectName} to Dependency Track`,
-        reqOptions.serverUrl,
-      );
-      try {
-        await submitBom(reqOptions, bomNSData.bomJson);
-      } catch (error) {
-        const errorMessages = error.response?.body?.errors;
-        if (errorMessages) {
-          res.writeHead(500, { "Content-Type": "application/json" });
+      if (reqOptions.serverUrl && reqOptions.apiKey) {
+        let serverHostname;
+        try {
+          serverHostname = new URL(reqOptions.serverUrl).hostname;
+        } catch (err) {
+          console.log("Invalid Dependency-Track server URL", err);
+          res.writeHead(400, { "Content-Type": "application/json" });
           return res.end(
             JSON.stringify({
-              error: "Unable to submit the SBOM to the Dependency-Track server",
-              details: errorMessages,
+              error: "Invalid Server URL",
+              details: "The Dependency-Track server URL is invalid.",
             }),
           );
         }
+        if (!isAllowedHttpHost(serverHostname)) {
+          res.writeHead(403, { "Content-Type": "application/json" });
+          return res.end(
+            JSON.stringify({
+              error: "Host Not Allowed",
+              details: "The URL host is not allowed as per the allowlist.",
+            }),
+          );
+        }
+        if (isSecureMode && !reqOptions.serverUrl?.startsWith("https://")) {
+          console.log(
+            "Dependency Track API server is used with a non-https url, which poses a security risk.",
+          );
+        }
+        console.log(
+          `Publishing SBOM ${reqOptions.projectName} to Dependency Track`,
+          reqOptions.serverUrl,
+        );
+        try {
+          await submitBom(reqOptions, bomNSData.bomJson);
+        } catch (error) {
+          const errorMessages = error.response?.body?.errors;
+          if (errorMessages) {
+            res.writeHead(500, { "Content-Type": "application/json" });
+            return res.end(
+              JSON.stringify({
+                error:
+                  "Unable to submit the SBOM to the Dependency-Track server",
+                details: errorMessages,
+              }),
+            );
+          }
+        }
       }
-    }
-    res.writeHead(200, { "Content-Type": "application/json" });
-    if (bomNSData.bomJson) {
-      if (
-        typeof bomNSData.bomJson === "string" ||
-        bomNSData.bomJson instanceof String
-      ) {
-        res.write(bomNSData.bomJson);
-      } else {
-        res.write(JSON.stringify(bomNSData.bomJson, null, null));
+      res.writeHead(200, { "Content-Type": "application/json" });
+      if (responseBomJson) {
+        if (
+          typeof responseBomJson === "string" ||
+          responseBomJson instanceof String
+        ) {
+          res.write(responseBomJson);
+        } else {
+          res.write(JSON.stringify(responseBomJson, null, null));
+        }
+      }
+      res.end("\n");
+    } catch (err) {
+      if (!res.headersSent) {
+        console.log("Unable to generate SBOM", err);
+        res.writeHead(500, { "Content-Type": "application/json" });
+        return res.end(
+          JSON.stringify({
+            error: "Unable to generate SBOM",
+            details: "Unexpected server error while generating SBOM.",
+          }),
+        );
+      }
+      console.log("Error while generating SBOM response", err);
+    } finally {
+      if (cleanup && cloneDir) {
+        cleanupSourceDir(cloneDir);
       }
-    }
-    res.end("\n");
-    if (cleanup && srcDir?.startsWith(getTmpDir()) && fs.rmSync) {
-      console.log(`Cleaning up ${srcDir}`);
-      fs.rmSync(srcDir, { recursive: true, force: true });
     }
   });
 };
 
-export { configureServer, gitClone, start };
+export { configureServer, start };