@dynamicu/chromedebug-mcp 2.2.0

package/src/validation/log-transformer.js

@@ -0,0 +1,125 @@
+/**
+ * Log Transformation Utility
+ * Transforms Chrome extension logs to match associateLogsSchema compliance
+ *
+ * CONTRACT A: associateLogsSchema requires only {level, message, timestamp, args}
+ * CONTRACT B: Remove non-schema fields while preserving all valid data
+ */
+
+/**
+ * Transform logs to match associateLogsSchema format
+ * Filters out non-schema fields like 'source', 'type' while preserving valid fields
+ *
+ * @param {Array} logs - Array of log objects from Chrome extension
+ * @returns {Array} - Transformed logs matching associateLogsSchema
+ */
+export function transformLogsForSchema(logs) {
+  if (!Array.isArray(logs)) {
+    return logs;
+  }
+
+  return logs.map(log => {
+    // Handle null/undefined/non-object logs gracefully
+    if (!log || typeof log !== 'object') {
+      return log; // Return as-is, let schema validation handle it
+    }
+
+    // Only include fields that are allowed by associateLogsSchema
+    const transformedLog = {};
+
+    // Required fields
+    if (log.level !== undefined) {
+      transformedLog.level = log.level;
+    }
+    if (log.message !== undefined) {
+      transformedLog.message = log.message;
+    }
+    if (log.timestamp !== undefined) {
+      transformedLog.timestamp = log.timestamp;
+    }
+
+    // Optional fields
+    if (log.args !== undefined) {
+      transformedLog.args = log.args;
+    }
+
+    // Explicitly exclude non-schema fields:
+    // - source (from Chrome extension test harness)
+    // - type (from Chrome extension)
+    // - any other fields not in schema
+
+    return transformedLog;
+  });
+}
+
+/**
+ * Transform full associate-logs request payload
+ * Preserves sessionId and transforms logs array
+ *
+ * @param {Object} requestPayload - Request with sessionId and logs
+ * @returns {Object} - Transformed payload ready for schema validation
+ */
+export function transformAssociateLogsRequest(requestPayload) {
+  if (!requestPayload || typeof requestPayload !== 'object') {
+    return requestPayload;
+  }
+
+  const transformed = { ...requestPayload };
+
+  if (transformed.logs) {
+    transformed.logs = transformLogsForSchema(transformed.logs);
+  }
+
+  return transformed;
+}
+
+/**
+ * Validation helper - checks if logs contain non-schema fields
+ * Used for logging/diagnostics
+ *
+ * @param {Array} logs - Array of log objects
+ * @returns {Object} - Analysis of field compliance
+ */
+export function analyzeLogFieldCompliance(logs) {
+  if (!Array.isArray(logs)) {
+    return { isCompliant: false, reason: 'logs is not an array' };
+  }
+
+  const allowedFields = new Set(['level', 'message', 'timestamp', 'args']);
+  const nonSchemaFields = new Set();
+  const missingRequiredFields = new Set();
+
+  for (const log of logs) {
+    if (!log || typeof log !== 'object') {
+      continue;
+    }
+
+    // Check for non-schema fields
+    for (const field of Object.keys(log)) {
+      if (!allowedFields.has(field)) {
+        nonSchemaFields.add(field);
+      }
+    }
+
+    // Check for missing required fields
+    const requiredFields = ['level', 'message', 'timestamp'];
+    for (const required of requiredFields) {
+      if (!(required in log)) {
+        missingRequiredFields.add(required);
+      }
+    }
+  }
+
+  return {
+    isCompliant: nonSchemaFields.size === 0 && missingRequiredFields.size === 0,
+    nonSchemaFields: Array.from(nonSchemaFields),
+    missingRequiredFields: Array.from(missingRequiredFields),
+    totalLogs: logs.length
+  };
+}
+
+export default {
+  transformLogsForSchema,
+  transformAssociateLogsRequest,
+  analyzeLogFieldCompliance
+};

package/src/validation/schemas.js

@@ -0,0 +1,391 @@
+import Joi from 'joi';
+
+// Common validation patterns
+const patterns = {
+  sessionId: Joi.string().pattern(/^[a-zA-Z0-9_-]+$/).min(1).max(100),
+  url: Joi.string().uri({ scheme: ['http', 'https'] }).max(2048),
+  selector: Joi.string().min(1).max(1000),
+  expression: Joi.string().min(1).max(10000),
+  recordingId: Joi.string().pattern(/^[a-zA-Z0-9_-]+$/).min(1).max(100),
+  frameIndex: Joi.number().integer().min(0).max(999999)
+};
+
+// Workflow recording schemas
+export const workflowRecordingSchema = Joi.object({
+  sessionId: patterns.sessionId.required(),
+  url: patterns.url.optional(),
+  title: Joi.string().max(500).optional(),
+  includeLogs: Joi.boolean().default(false),
+  actions: Joi.array().items(
+    Joi.object({
+      type: Joi.string().required(),
+      timestamp: Joi.number().required(),
+      data: Joi.object().optional()
+    })
+  ).required(),
+  logs: Joi.array().items(
+    Joi.object({
+      level: Joi.string().valid('log', 'info', 'warn', 'error', 'debug').required(),
+      message: Joi.string().required(),
+      timestamp: Joi.number().required(),
+      args: Joi.array().optional()
+    })
+  ).optional(),
+  functionTraces: Joi.array().items(
+    Joi.object({
+      type: Joi.string().optional(),
+      component: Joi.string().optional(),
+      args: Joi.array().optional(),
+      timestamp: Joi.number().optional(),
+      stack: Joi.string().optional()
+    })
+  ).optional(),
+  name: Joi.any().optional(),
+  screenshotSettings: Joi.object({
+    width: Joi.number().integer().min(100).max(4000).optional(),
+    height: Joi.number().integer().min(100).max(4000).optional(),
+    quality: Joi.number().min(10).max(100).optional()
+  }).optional()
+});
+
+// Frame batch schema
+export const frameBatchSchema = Joi.object({
+  sessionId: patterns.sessionId.required(),
+  sessionName: Joi.string().max(200).optional().allow(null), // Optional session name for recordings
+  frames: Joi.array().items(
+    Joi.object({
+      timestamp: Joi.number().required(),
+      absoluteTimestamp: Joi.number().optional(), // Chrome extension sends this
+      imageData: Joi.string().required(), // Base64 encoded image
+      consoleLog: Joi.string().optional(),
+      frameIndex: Joi.number().integer().min(0).optional(),
+      index: Joi.number().integer().min(0).optional(), // Chrome extension sends this
+      logs: Joi.array().items(
+        Joi.object({
+          level: Joi.string().valid('log', 'info', 'warn', 'error', 'debug').required(),
+          message: Joi.string().required(),
+          timestamp: Joi.number().required(),
+          args: Joi.array().optional()
+        })
+      ).optional(), // Chrome extension sends this
+      interactions: Joi.array().items(
+        Joi.object({
+          type: Joi.string().valid('click', 'scroll', 'keydown', 'drag').required(),
+          timestamp: Joi.number().required(),
+          x: Joi.number().when('type', { is: 'click', then: Joi.required(), otherwise: Joi.optional() }),
+          y: Joi.number().when('type', { is: 'click', then: Joi.required(), otherwise: Joi.optional() }),
+          target: Joi.string().optional(),
+          targetId: Joi.string().optional(),
+          scrollX: Joi.number().when('type', { is: 'scroll', then: Joi.required(), otherwise: Joi.optional() }),
+          scrollY: Joi.number().when('type', { is: 'scroll', then: Joi.required(), otherwise: Joi.optional() }),
+          key: Joi.string().when('type', { is: 'keydown', then: Joi.required(), otherwise: Joi.optional() })
+        })
+      ).optional().default([]) // Interaction tracking data
+    })
+  ).min(1).max(1000).required()
+});
+
+// Associate logs schema
+export const associateLogsSchema = Joi.object({
+  sessionId: patterns.sessionId.required(),
+  logs: Joi.array().items(
+    Joi.object({
+      level: Joi.string().valid('log', 'info', 'warn', 'error', 'debug').required(),
+      message: Joi.string().required(),
+      timestamp: Joi.number().required(),
+      args: Joi.array().optional()
+    })
+  ).required()
+});
+
+// Stream logs schema for batched real-time log streaming
+export const streamLogsSchema = Joi.object({
+  sessionId: patterns.sessionId.required(),
+  logs: Joi.array().items(
+    Joi.object({
+      level: Joi.string().valid('log', 'info', 'warn', 'error', 'debug', 'trace', 'table', 'dir', 'group', 'groupEnd', 'time', 'timeEnd', 'count').required(),
+      message: Joi.string().required(),
+      timestamp: Joi.number().required(),
+      sequence: Joi.number().integer().min(0).required(),
+      args: Joi.array().optional()
+    })
+  ).min(1).max(100).required() // Limit batch size
+});
+
+// DOM intent schema
+export const domIntentSchema = Joi.object({
+  selector: patterns.selector.required(),
+  instruction: Joi.string().max(1000).optional().allow(''),
+  elementInfo: Joi.object({
+    tagName: Joi.string().optional(),
+    className: Joi.string().optional(),
+    id: Joi.string().optional(),
+    textContent: Joi.string().max(1000).optional(),
+    attributes: Joi.object().optional()
+  }).optional()
+});
+
+// Chrome control schemas
+export const navigateSchema = Joi.object({
+  url: patterns.url.required()
+});
+
+export const evaluateSchema = Joi.object({
+  expression: patterns.expression.required()
+});
+
+// Screen interactions schema
+export const screenInteractionsSchema = Joi.object({
+  interactions: Joi.array().items(
+    Joi.object({
+      type: Joi.string().valid('click', 'scroll', 'keypress', 'mousemove', 'input', 'change', 'drag').required(),
+      timestamp: Joi.number().required(),
+      x: Joi.number().optional(),
+      y: Joi.number().optional(),
+      key: Joi.string().optional(),
+      target: Joi.string().optional(),
+      // Basic element fields that were previously blocked
+      selector: Joi.string().optional(),
+      xpath: Joi.string().optional(),
+      text: Joi.string().allow('').optional(),
+      value: Joi.string().allow('').optional(),
+      // Enhanced capture fields
+      element_html: Joi.string().optional(),
+      component_data: Joi.alternatives().try(Joi.string(), Joi.object()).optional(),
+      event_handlers: Joi.alternatives().try(Joi.string(), Joi.object()).optional(),
+      element_state: Joi.alternatives().try(Joi.string(), Joi.object()).optional(),
+      performance_metrics: Joi.alternatives().try(Joi.string(), Joi.object()).optional(),
+      frameIndex: Joi.number().integer().min(0).optional()
+    })
+  ).optional().default([]) // Allow empty arrays - Chrome extension sends empty arrays when no interactions occur during frame capture
+});
+
+// API key management schemas
+export const createApiKeySchema = Joi.object({
+  name: Joi.string().min(1).max(100).required(),
+  role: Joi.string().valid('admin', 'user', 'readonly').default('user')
+});
+
+export const updateApiKeySchema = Joi.object({
+  name: Joi.string().min(1).max(100).optional(),
+  active: Joi.boolean().optional()
+});
+
+// Parameter validation schemas
+export const sessionIdParam = Joi.object({
+  sessionId: patterns.sessionId.required()
+});
+
+export const recordingIdParam = Joi.object({
+  recordingId: patterns.recordingId.required()
+});
+
+export const frameParams = Joi.object({
+  sessionId: patterns.sessionId.required(),
+  frameIndex: patterns.frameIndex.required()
+});
+
+// Query parameter schemas
+export const pageContentQuery = Joi.object({
+  includeText: Joi.boolean().default(true),
+  includeHtml: Joi.boolean().default(false),
+  includeStructure: Joi.boolean().default(true)
+});
+
+export const paginationQuery = Joi.object({
+  page: Joi.number().integer().min(1).default(1),
+  limit: Joi.number().integer().min(1).max(1000).default(50),
+  search: Joi.string().max(500).optional()
+});
+
+// WebSocket message schemas
+export const wsMessageSchema = Joi.object({
+  type: Joi.string().valid('element_selected', 'get_status').required(),
+  data: Joi.object().optional()
+});
+
+// File upload validation
+export const validateFileUpload = (file, allowedTypes = ['image/jpeg', 'image/png', 'image/webp']) => {
+  const errors = [];
+  
+  if (!file) {
+    errors.push('File is required');
+    return errors;
+  }
+  
+  // Check file size (50MB limit)
+  const maxSize = 50 * 1024 * 1024;
+  if (file.size > maxSize) {
+    errors.push(`File size exceeds ${maxSize / (1024 * 1024)}MB limit`);
+  }
+  
+  // Check file type
+  if (!allowedTypes.includes(file.mimetype)) {
+    errors.push(`File type ${file.mimetype} not allowed. Allowed types: ${allowedTypes.join(', ')}`);
+  }
+  
+  return errors;
+};
+
+// Sanitization helpers
+export const sanitizers = {
+  // Remove potentially dangerous HTML/JS
+  sanitizeHtml: (str) => {
+    if (typeof str !== 'string') return str;
+    return str
+      .replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '')
+      .replace(/javascript:/gi, '')
+      .replace(/on\w+\s*=/gi, '');
+  },
+  
+  // Sanitize SQL-like patterns
+  sanitizeSql: (str) => {
+    if (typeof str !== 'string') return str;
+    return str.replace(/['"`;\\]/g, '');
+  },
+  
+  // Sanitize file paths
+  sanitizePath: (str) => {
+    if (typeof str !== 'string') return str;
+    return str
+      .replace(/[\.]{2,}/g, '') // Remove directory traversal
+      .replace(/\/+/g, '/') // Normalize multiple slashes
+      .replace(/^\/+/, '') // Remove leading slashes
+      .replace(/[^a-zA-Z0-9_\-\.\/]/g, ''); // Remove dangerous characters
+  }
+};
+
+// Validation middleware factory
+export function createValidator(schema, target = 'body') {
+  return (req, res, next) => {
+    const data = target === 'params' ? req.params : 
+                 target === 'query' ? req.query : req.body;
+    
+    const { error, value } = schema.validate(data, {
+      abortEarly: false,
+      stripUnknown: true,
+      allowUnknown: false
+    });
+    
+    if (error) {
+      // Diagnostic logging for validation failures
+      console.log(`[Validation] Failed for ${target}:`, JSON.stringify(data, null, 2));
+      console.log(`[Validation] Errors:`, error.details.map(d => ({ field: d.path.join('.'), message: d.message, value: d.context?.value })));
+
+      return res.status(400).json({
+        error: 'Validation failed',
+        details: error.details.map(detail => ({
+          field: detail.path.join('.'),
+          message: detail.message,
+          value: detail.context?.value
+        }))
+      });
+    }
+    
+    // Replace original data with validated/sanitized data
+    if (target === 'params') {
+      req.params = value;
+    } else if (target === 'query') {
+      req.query = value;
+    } else {
+      req.body = value;
+    }
+    
+    next();
+  };
+}
+
+// Instrumentation validation schemas
+export const instrumentationProjectSchema = Joi.object({
+  projectPath: Joi.string().min(1).max(1000).required()
+    .custom((value, helpers) => {
+      // Prevent directory traversal attacks
+      if (value.includes('..') || value.includes('~')) {
+        return helpers.error('path.unsafe');
+      }
+      // Must be absolute path
+      if (!value.startsWith('/')) {
+        return helpers.error('path.relative');
+      }
+      return value;
+    }),
+  patterns: Joi.array().items(Joi.string().min(1).max(200)).default([]),
+  exclusions: Joi.array().items(Joi.string().min(1).max(200)).default([])
+});
+
+export const instrumentationOptionsSchema = Joi.object({
+  preserveComments: Joi.boolean().default(true),
+  createBackup: Joi.boolean().default(true),
+  dryRun: Joi.boolean().default(false),
+  useWorkerThreads: Joi.boolean().default(false),
+  maxPreviewFiles: Joi.number().integer().min(1).max(100).default(10),
+  instrumentationType: Joi.string().valid('auto-detect', 'react', 'vue', 'angular', 'vanilla-js').default('auto-detect'),
+  excludeTests: Joi.boolean().default(true),
+  backupStrategy: Joi.string().valid('git-stash', 'file-copy', 'none').default('git-stash')
+});
+
+// Git repository validation
+export const gitRepositorySchema = Joi.object({
+  projectPath: Joi.string().required(),
+  allowUncommittedChanges: Joi.boolean().default(false),
+  requireGitRepo: Joi.boolean().default(false),
+  protectedBranches: Joi.array().items(Joi.string()).default(['main', 'master', 'production'])
+});
+
+// File pattern validation with security constraints
+export const filePatternSchema = Joi.object({
+  patterns: Joi.array().items(
+    Joi.string().pattern(/^[a-zA-Z0-9_\-\.\*\/]+$/).max(200)
+      .custom((value, helpers) => {
+        // Prevent malicious glob patterns
+        if (value.includes('/../') || value.startsWith('../')) {
+          return helpers.error('pattern.traversal');
+        }
+        // Prevent excessive wildcards that could cause DoS
+        const wildcardCount = (value.match(/\*/g) || []).length;
+        if (wildcardCount > 3) {
+          return helpers.error('pattern.excessive');
+        }
+        return value;
+      })
+  ).required(),
+  exclusions: Joi.array().items(
+    Joi.string().pattern(/^[a-zA-Z0-9_\-\.\*\/]+$/).max(200)
+  ).default([])
+});
+
+// Project boundary validation
+export const projectBoundarySchema = Joi.object({
+  projectRoot: Joi.string().required(),
+  allowedPaths: Joi.array().items(Joi.string()).optional(),
+  restrictedPaths: Joi.array().items(Joi.string()).default([
+    '/etc', '/usr', '/var', '/home', '/root', '/System', '/Library'
+  ])
+});
+
+export default {
+  workflowRecordingSchema,
+  frameBatchSchema,
+  associateLogsSchema,
+  streamLogsSchema,
+  domIntentSchema,
+  navigateSchema,
+  evaluateSchema,
+  screenInteractionsSchema,
+  createApiKeySchema,
+  updateApiKeySchema,
+  sessionIdParam,
+  recordingIdParam,
+  frameParams,
+  pageContentQuery,
+  paginationQuery,
+  wsMessageSchema,
+  instrumentationProjectSchema,
+  instrumentationOptionsSchema,
+  gitRepositorySchema,
+  filePatternSchema,
+  projectBoundarySchema,
+  validateFileUpload,
+  sanitizers,
+  createValidator
+};