@dotenvx/primitives 0.2.1 → 0.4.0

package/dist/index.cjs

@@ -3146,7 +3146,7 @@ var require_hash_to_curve = __commonJS({
         k: "number",
         hash: "function"
       });
-      const { p, k, m, hash, expand, DST } = options;
+      const { p, k, m, hash, expand: expand2, DST } = options;
       if (!(0, utils_ts_1.isHash)(options.hash))
         throw new Error("expected valid hash");
       (0, utils_ts_1.abytes)(msg);
@@ -3155,11 +3155,11 @@ var require_hash_to_curve = __commonJS({
       const L = Math.ceil((log2p + k) / 8);
       const len_in_bytes = count * m * L;
       let prb;
-      if (expand === "xmd") {
+      if (expand2 === "xmd") {
         prb = expand_message_xmd(msg, DST, len_in_bytes, hash);
-      } else if (expand === "xof") {
+      } else if (expand2 === "xof") {
         prb = expand_message_xof(msg, DST, len_in_bytes, k, hash);
-      } else if (expand === "_internal_pass") {
+      } else if (expand2 === "_internal_pass") {
         prb = msg;
       } else {
         throw new Error('expand must be "xmd" or "xof"');
@@ -5318,7 +5318,7 @@ var require_hkdf = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.hkdf = void 0;
     exports2.extract = extract;
-    exports2.expand = expand;
+    exports2.expand = expand2;
     var hmac_ts_1 = require_hmac();
     var utils_ts_1 = require_utils2();
     function extract(hash, ikm, salt) {
@@ -5329,7 +5329,7 @@ var require_hkdf = __commonJS({
     }
     var HKDF_COUNTER = /* @__PURE__ */ Uint8Array.from([0]);
     var EMPTY_BUFFER = /* @__PURE__ */ Uint8Array.of();
-    function expand(hash, prk, info, length = 32) {
+    function expand2(hash, prk, info, length = 32) {
       (0, utils_ts_1.ahash)(hash);
       (0, utils_ts_1.anumber)(length);
       const olen = hash.outputLen;
@@ -5353,7 +5353,7 @@ var require_hkdf = __commonJS({
       (0, utils_ts_1.clean)(T, HKDF_COUNTER);
       return okm.slice(0, length);
     }
-    var hkdf = (hash, ikm, salt, info, length) => expand(hash, extract(hash, ikm, salt), info, length);
+    var hkdf = (hash, ikm, salt, info, length) => expand2(hash, extract(hash, ikm, salt), info, length);
     exports2.hkdf = hkdf;
   }
 });
@@ -5588,18 +5588,18 @@ var require_symmetric = __commonJS({
     function _encrypt(func, key, data, nonceLength, tagLength, AAD) {
       const nonce = (0, webcrypto_1.randomBytes)(nonceLength);
       const cipher = func(key, nonce, AAD);
-      const encrypted = cipher.encrypt(data);
-      const cipherTextLength = encrypted.length - tagLength;
-      const cipherText = encrypted.subarray(0, cipherTextLength);
-      const tag = encrypted.subarray(cipherTextLength);
+      const encrypted2 = cipher.encrypt(data);
+      const cipherTextLength = encrypted2.length - tagLength;
+      const cipherText = encrypted2.subarray(0, cipherTextLength);
+      const tag = encrypted2.subarray(cipherTextLength);
       return (0, utils_1.concatBytes)(nonce, tag, cipherText);
     }
     function _decrypt(func, key, data, nonceLength, tagLength, AAD) {
       const nonce = data.subarray(0, nonceLength);
       const cipher = func(key, Uint8Array.from(nonce), AAD);
-      const encrypted = data.subarray(nonceLength);
-      const tag = encrypted.subarray(0, tagLength);
-      const cipherText = encrypted.subarray(tagLength);
+      const encrypted2 = data.subarray(nonceLength);
+      const tag = encrypted2.subarray(0, tagLength);
+      const cipherText = encrypted2.subarray(tagLength);
       return cipher.decrypt((0, utils_1.concatBytes)(cipherText, tag));
     }
   }
@@ -5838,17 +5838,17 @@ var require_dist = __commonJS({
       const receiverPK = receiverRawPK instanceof Uint8Array ? new index_js_1.PublicKey(receiverRawPK, curve) : index_js_1.PublicKey.fromHex(receiverRawPK, curve);
       const sharedKey = ephemeralSK.encapsulate(receiverPK, config.isHkdfKeyCompressed);
       const ephemeralPK = ephemeralSK.publicKey.toBytes(config.isEphemeralKeyCompressed);
-      const encrypted = (0, index_js_2.symEncrypt)(config, sharedKey, data);
-      return (0, utils_1.concatBytes)(ephemeralPK, encrypted);
+      const encrypted2 = (0, index_js_2.symEncrypt)(config, sharedKey, data);
+      return (0, utils_1.concatBytes)(ephemeralPK, encrypted2);
     }
     function decrypt2(receiverRawSK, data, config = config_js_1.ECIES_CONFIG) {
       const curve = config.ellipticCurve;
       const receiverSK = receiverRawSK instanceof Uint8Array ? new index_js_1.PrivateKey(receiverRawSK, curve) : index_js_1.PrivateKey.fromHex(receiverRawSK, curve);
       const keySize = config.ephemeralKeySize;
       const ephemeralPK = new index_js_1.PublicKey(data.subarray(0, keySize), curve);
-      const encrypted = data.subarray(keySize);
+      const encrypted2 = data.subarray(keySize);
       const sharedKey = ephemeralPK.decapsulate(receiverSK, config.isHkdfKeyCompressed);
-      return (0, index_js_2.symDecrypt)(config, sharedKey, encrypted);
+      return (0, index_js_2.symDecrypt)(config, sharedKey, encrypted2);
     }
     var config_js_2 = require_config();
     Object.defineProperty(exports2, "ECIES_CONFIG", { enumerable: true, get: function() {
@@ -5872,11 +5872,13 @@ var require_errors = __commonJS({
       INVALID_PRIVATE_KEY: "https://github.com/dotenvx/dotenvx/issues/465",
       WRONG_PRIVATE_KEY: "https://github.com/dotenvx/dotenvx/issues/466",
       MALFORMED_ENCRYPTED_DATA: "https://github.com/dotenvx/dotenvx/issues/467",
-      DECRYPTION_FAILED: "https://github.com/dotenvx/dotenvx/issues/757"
+      DECRYPTION_FAILED: "https://github.com/dotenvx/dotenvx/issues/757",
+      COMMAND_SUBSTITUTION_FAILED: "https://github.com/dotenvx/dotenvx/issues/532"
     };
     var Errors = class {
       constructor(options = {}) {
         this.message = options.message;
+        this.command = options.command;
       }
       missingPrivateKey() {
         const code = "MISSING_PRIVATE_KEY";
@@ -5928,20 +5930,42 @@ var require_errors = __commonJS({
         e.messageWithHelp = `${message}. ${help}`;
         return e;
       }
+      commandSubstitutionFailed() {
+        const code = "COMMAND_SUBSTITUTION_FAILED";
+        const message = `[${code}] could not evaluate command '${this.command}': ${this.message}`;
+        const help = `fix: [${ISSUE_BY_CODE[code]}]`;
+        const e = new Error(message);
+        e.code = code;
+        e.help = help;
+        e.messageWithHelp = `${message}. ${help}`;
+        return e;
+      }
     };
     Errors.ISSUE_BY_CODE = ISSUE_BY_CODE;
     module2.exports = Errors;
   }
 });
 
+// src/encrypted.js
+var require_encrypted = __commonJS({
+  "src/encrypted.js"(exports2, module2) {
+    var PREFIX = "encrypted:";
+    function encrypted2(value) {
+      return value.startsWith(PREFIX);
+    }
+    module2.exports = encrypted2;
+    module2.exports.PREFIX = PREFIX;
+  }
+});
+
 // src/decrypt.js
 var require_decrypt = __commonJS({
   "src/decrypt.js"(exports2, module2) {
     var { decrypt: eciesDecrypt } = require_dist();
     var Errors = require_errors();
-    var PREFIX = "encrypted:";
+    var encrypted2 = require_encrypted();
     function decrypt2(privateKeyHex, encryptedValue) {
-      if (!encryptedValue.startsWith(PREFIX)) {
+      if (!encrypted2(encryptedValue)) {
         return encryptedValue;
       }
       if (!privateKeyHex || privateKeyHex.length < 1) {
@@ -5949,7 +5973,7 @@ var require_decrypt = __commonJS({
       }
       try {
         const privateKey = Buffer.from(privateKeyHex, "hex");
-        const ciphertext = Buffer.from(encryptedValue.substring(PREFIX.length), "base64");
+        const ciphertext = Buffer.from(encryptedValue.substring(encrypted2.PREFIX.length), "base64");
         return Buffer.from(eciesDecrypt(privateKey, ciphertext)).toString("utf8");
       } catch (e) {
         if (e.message === "Invalid private key") {
@@ -5967,8 +5991,285 @@ var require_decrypt = __commonJS({
   }
 });
 
+// src/derive.js
+var require_derive = __commonJS({
+  "src/derive.js"(exports2, module2) {
+    var { PrivateKey } = require_dist();
+    function derive2(privateKeyHex) {
+      return new PrivateKey(Buffer.from(privateKeyHex, "hex")).publicKey.toHex();
+    }
+    module2.exports = derive2;
+  }
+});
+
+// src/evaluate.js
+var require_evaluate = __commonJS({
+  "src/evaluate.js"(exports2, module2) {
+    var { execSync } = require("child_process");
+    var Errors = require_errors();
+    function chomp(value) {
+      return value.replace(/[\r\n]+$/, "");
+    }
+    function evaluate2(value, opts) {
+      const processEnv = opts.processEnv || process.env;
+      const runningParsed = opts.runningParsed || {};
+      const matches = value.match(/\$\(([^)]+(?:\)[^(]*)*)\)/g) || [];
+      return matches.reduce((newValue, match) => {
+        const command = match.slice(2, -1);
+        let result;
+        try {
+          result = execSync(command, { env: { ...processEnv, ...runningParsed } }).toString();
+        } catch (e) {
+          throw new Errors({ command, message: e.message.trim() }).commandSubstitutionFailed();
+        }
+        result = chomp(result);
+        return newValue.replace(match, result);
+      }, value);
+    }
+    module2.exports = evaluate2;
+  }
+});
+
+// src/expand.js
+var require_expand = __commonJS({
+  "src/expand.js"(exports2, module2) {
+    function expand2(value, opts) {
+      const overload = opts.overload;
+      const processEnv = opts.processEnv || process.env;
+      const runningParsed = opts.runningParsed || {};
+      const literals = opts.literals || {};
+      let env = { ...runningParsed, ...processEnv };
+      if (overload) {
+        env = { ...processEnv, ...runningParsed };
+      }
+      const regex = /(?<!\\)\${([^{}]+)}|(?<!\\)\$([A-Za-z_][A-Za-z0-9_]*)/g;
+      let result = value;
+      let match;
+      while ((match = regex.exec(result)) !== null) {
+        const [template, bracedExpression, unbracedExpression] = match;
+        const expression = bracedExpression || unbracedExpression;
+        const opRegex = /(:\+|\+|:-|-)/;
+        const opMatch = expression.match(opRegex);
+        const splitter = opMatch ? opMatch[0] : null;
+        const r = expression.split(splitter);
+        let defaultValue;
+        let value2;
+        const name = r.shift();
+        if ([":+", "+"].includes(splitter)) {
+          defaultValue = env[name] ? r.join(splitter) : "";
+          value2 = null;
+        } else {
+          defaultValue = r.join(splitter);
+          value2 = env[name];
+        }
+        if (value2) {
+          result = result.replace(template, value2);
+        } else {
+          result = result.replace(template, defaultValue);
+        }
+        if (result === env[name]) {
+          break;
+        }
+        if (literals[name] && /\$\{[^}]+\}|\$[A-Za-z_][A-Za-z0-9_]*/.test(literals[name])) {
+          break;
+        }
+        regex.lastIndex = 0;
+      }
+      return result;
+    }
+    module2.exports = expand2;
+  }
+});
+
+// src/scan.js
+var require_scan = __commonJS({
+  "src/scan.js"(exports2, module2) {
+    function trimmer(value) {
+      return (value || "").trim();
+    }
+    function getQuote(value) {
+      const v = trimmer(value);
+      const maybeQuote = v[0];
+      let q = "";
+      switch (maybeQuote) {
+        // single
+        case "'":
+          q = "'";
+          break;
+        // double
+        case '"':
+          q = '"';
+          break;
+        // backtick
+        case "`":
+          q = "`";
+          break;
+        // empty
+        default:
+          q = "";
+      }
+      return q;
+    }
+    function clean(value, quote) {
+      let v = trimmer(value);
+      v = v.replace(/^(['"`])([\s\S]*)\1$/mg, "$2");
+      if (quote === '"') {
+        v = v.replace(/\\n/g, "\n");
+        v = v.replace(/\\r/g, "\r");
+        v = v.replace(/\\t/g, "	");
+      }
+      return v;
+    }
+    function scan2(src, transform) {
+      const LINE = /(?:^|^)\s*(?:export\s+)?([\w.-]+)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?\s*(?:#.*)?(?:$|$)/mg;
+      const parsed = {};
+      const lines = (src || "").toString().replace(/\r\n?/mg, "\n");
+      let match;
+      while ((match = LINE.exec(lines)) !== null) {
+        const name = match[1];
+        const raw = match[2];
+        const quote = getQuote(raw);
+        const value = clean(raw, quote);
+        let parsedValue = value;
+        if (typeof transform === "function") {
+          parsedValue = transform({
+            name,
+            value,
+            quote
+          });
+        }
+        parsed[name] = parsedValue;
+      }
+      return {
+        parsed
+      };
+    }
+    module2.exports = scan2;
+  }
+});
+
+// src/keyring.js
+var require_keyring = __commonJS({
+  "src/keyring.js"(exports2, module2) {
+    var fs = require("fs");
+    var derive2 = require_derive();
+    var scan2 = require_scan();
+    function keysFromFile(filepath = ".env.keys") {
+      try {
+        const src = fs.readFileSync(filepath, "utf8");
+        const { parsed } = scan2(src);
+        return parsed;
+      } catch (_e) {
+        return {};
+      }
+    }
+    function keyring2() {
+      const mem = {};
+      const processEnv = process.env;
+      const keysFilepath = ".env.keys";
+      const sources = {
+        ...keysFromFile(keysFilepath),
+        ...processEnv
+        // process.env wins
+      };
+      for (const name in sources) {
+        if (name.startsWith("DOTENV_PRIVATE_KEY")) {
+          try {
+            const privateKeyHex = sources[name];
+            const publicKeyHex = derive2(privateKeyHex);
+            mem[publicKeyHex] = privateKeyHex;
+          } catch (_e) {
+          }
+        }
+      }
+      return mem;
+    }
+    module2.exports = keyring2;
+  }
+});
+
+// src/parse.js
+var require_parse = __commonJS({
+  "src/parse.js"(exports2, module2) {
+    var decrypt2 = require_decrypt();
+    var keyring2 = require_keyring();
+    var encrypted2 = require_encrypted();
+    var evaluate2 = require_evaluate();
+    var expand2 = require_expand();
+    var scan2 = require_scan();
+    function resolveEscapeSequences(value) {
+      return value.replace(/\\\$/g, "$");
+    }
+    function parse2(src, opts = {}) {
+      const overload = opts.overload;
+      const processEnv = opts.processEnv || process.env;
+      const ring = keyring2();
+      function inProcessEnv(name) {
+        return Object.prototype.hasOwnProperty.call(processEnv, name);
+      }
+      let publicKeyHex;
+      let runningParsed = {};
+      let literals = {};
+      const { parsed } = scan2(src, ({ name, value, quote }) => {
+        let parsedValue = value;
+        if (name.startsWith("DOTENV_PUBLIC_KEY")) {
+          publicKeyHex = parsedValue;
+        }
+        if (!overload && inProcessEnv(name)) {
+          parsedValue = processEnv[name];
+        }
+        try {
+          parsedValue = decrypt2(ring[publicKeyHex], parsedValue);
+        } catch (_e) {
+        }
+        const encryptedPrefixed = encrypted2(parsedValue);
+        let evaled = false;
+        if (!encryptedPrefixed && quote !== "'" && (!inProcessEnv(name) || processEnv[name] === parsedValue)) {
+          const priorEvaled = parsedValue;
+          try {
+            parsedValue = evaluate2(priorEvaled, { processEnv, runningParsed });
+          } catch (_e) {
+          }
+          if (priorEvaled !== parsedValue) {
+            evaled = true;
+          }
+        }
+        if (!encryptedPrefixed && !evaled && quote !== "'" && (!processEnv[name] || overload)) {
+          parsedValue = resolveEscapeSequences(expand2(parsedValue, { processEnv, runningParsed, literals }));
+        }
+        if (quote === "'") {
+          literals[name] = parsedValue;
+        }
+        runningParsed[name] = parsedValue;
+        if (Object.prototype.hasOwnProperty.call(processEnv, name) && !overload) {
+        } else {
+        }
+        return parsedValue;
+      });
+      return {
+        parsed
+      };
+    }
+    module2.exports = parse2;
+  }
+});
+
 // src/index.js
 var decrypt = require_decrypt();
+var derive = require_derive();
+var encrypted = require_encrypted();
+var evaluate = require_evaluate();
+var expand = require_expand();
+var keyring = require_keyring();
+var parse = require_parse();
+var scan = require_scan();
 module.exports = {
-  decrypt
+  decrypt,
+  derive,
+  encrypted,
+  evaluate,
+  expand,
+  keyring,
+  parse,
+  scan
 };

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.2.1",
+  "version": "0.4.0",
   "name": "@dotenvx/primitives",
   "description": "a secure dotenv–from the creator of `dotenv`",
   "author": "@motdotla",