@elding/cli 0.3.0 → 0.8.0

package/dist/lib/proxyServer.js

@@ -5,51 +5,149 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.startProxy = startProxy;
 const http_1 = __importDefault(require("http"));
+const https_1 = __importDefault(require("https"));
+const net_1 = __importDefault(require("net"));
+const dns_1 = require("dns");
 const crypto_1 = require("crypto");
 const PLACEHOLDER = /\{\{([A-Z0-9_]+)\}\}/g;
-// Bloque loopback + plages privées + métadata cloud — empêche le proxy de servir de pivot SSRF
-function isBlockedHost(hostname) {
-    const h = hostname.replace(/^\[|\]$/g, "");
-    if (h === "localhost" || h === "::1")
-        return true;
-    if (/^127\./.test(h))
-        return true;
-    if (/^10\./.test(h))
-        return true;
-    if (/^192\.168\./.test(h))
-        return true;
-    if (/^172\.(1[6-9]|2\d|3[01])\./.test(h))
-        return true;
-    if (/^169\.254\./.test(h))
-        return true; // link-local + metadata (169.254.169.254)
-    if (/^fe80:/i.test(h) || /^fc00:/i.test(h) || /^fd/i.test(h))
+const PROXY_TIMEOUT_MS = 60_000;
+const MAX_HOST_LENGTH = 253;
+const HOP_BY_HOP_HEADERS = new Set([
+    "connection",
+    "content-length",
+    "keep-alive",
+    "proxy-authenticate",
+    "proxy-authorization",
+    "proxy-connection",
+    "te",
+    "trailer",
+    "transfer-encoding",
+    "upgrade",
+]);
+// Valide une IP résolue : bloque loopback + plages privées + link-local + ULA + métadata cloud.
+function isBlockedIp(ip) {
+    const normalized = stripBrackets(ip).toLowerCase();
+    const v4 = ipv4FromMappedIpv6(normalized) ?? normalized;
+    if (net_1.default.isIPv4(v4)) {
+        const [a, b, c] = v4.split(".").map(Number);
+        if (a === 0 || a === 10 || a === 127)
+            return true;
+        if (a === 100 && b >= 64 && b <= 127)
+            return true; // carrier-grade NAT
+        if (a === 192 && b === 168)
+            return true;
+        if (a === 192 && b === 0)
+            return true;
+        if (a === 172 && b >= 16 && b <= 31)
+            return true;
+        if (a === 169 && b === 254)
+            return true; // link-local + metadata 169.254.169.254
+        if (a === 198 && (b === 18 || b === 19))
+            return true; // benchmarking
+        if (a === 192 && b === 0 && c === 2)
+            return true;
+        if (a === 198 && b === 51 && c === 100)
+            return true;
+        if (a === 203 && b === 0 && c === 113)
+            return true;
+        if (a >= 224)
+            return true; // multicast + reserved
+        return false;
+    }
+    const l = normalized;
+    if (l === "::1" || l === "::")
         return true;
+    if (l.startsWith("fe8") || l.startsWith("fe9") || l.startsWith("fea") || l.startsWith("feb"))
+        return true; // fe80::/10
+    if (l.startsWith("fc") || l.startsWith("fd"))
+        return true; // ULA
+    if (l.startsWith("ff"))
+        return true; // multicast
+    if (l.startsWith("2001:db8"))
+        return true; // documentation
     return false;
 }
+function ipv4FromMappedIpv6(ip) {
+    if (!ip.startsWith("::ffff:"))
+        return null;
+    const tail = ip.slice("::ffff:".length);
+    if (net_1.default.isIPv4(tail))
+        return tail;
+    const parts = tail.split(":");
+    if (parts.length !== 2)
+        return null;
+    const high = Number.parseInt(parts[0], 16);
+    const low = Number.parseInt(parts[1], 16);
+    if (!Number.isInteger(high) || !Number.isInteger(low) || high < 0 || high > 0xffff || low < 0 || low > 0xffff) {
+        return null;
+    }
+    return `${(high >> 8) & 255}.${high & 255}.${(low >> 8) & 255}.${low & 255}`;
+}
+function stripBrackets(hostname) {
+    return hostname.startsWith("[") && hostname.endsWith("]")
+        ? hostname.slice(1, -1)
+        : hostname;
+}
+function normalizeHostname(hostname) {
+    return stripBrackets(hostname).toLowerCase().replace(/\.$/, "");
+}
+// Résout le hostname et exige que TOUTES les adresses soient publiques.
+async function resolvePublicAddresses(hostname) {
+    const normalized = normalizeHostname(hostname);
+    if (!normalized || normalized.length > MAX_HOST_LENGTH || normalized === "localhost")
+        return [];
+    const directIp = net_1.default.isIP(normalized);
+    if (directIp)
+        return isBlockedIp(normalized) ? [] : [{ address: normalized, family: directIp }];
+    try {
+        const addrs = await dns_1.promises.lookup(normalized, { all: true, verbatim: true });
+        if (addrs.length === 0 || addrs.some((a) => isBlockedIp(a.address)))
+            return [];
+        return addrs.map((a) => ({ address: a.address, family: a.family }));
+    }
+    catch {
+        return [];
+    }
+}
+// Comparaison constant-time du token de session.
+function tokenMatches(provided, expected) {
+    if (typeof provided !== "string" || provided.length !== expected.length)
+        return false;
+    return (0, crypto_1.timingSafeEqual)(Buffer.from(provided), Buffer.from(expected));
+}
 // hosts: map nom_secret -> domaine autorisé. Si défini, le secret ne peut être envoyé qu'à ce host.
-function startProxy(secrets, hosts = {}, verbose = false) {
+function startProxy(secrets, hosts = {}, verbose = false, onLog) {
     const token = (0, crypto_1.randomBytes)(24).toString("hex");
     // Log une ligne par requête — jamais les valeurs, seulement les placeholders référencés
-    const log = (method, host, path, status, ms, note = "") => {
-        if (!verbose)
-            return;
-        const code = status === "BLOCKED" ? "BLOCKED" : String(status);
-        console.error(`[elding] ${method} ${host}${path}  → ${code}  ${ms}ms${note ? "  " + note : ""}`);
+    const log = (method, host, path, status, ms, note = "", secretNames = "") => {
+        const blocked = status === "BLOCKED";
+        const code = blocked ? "BLOCKED" : String(status);
+        if (verbose)
+            console.error(`[elding] ${method} ${host}${path}  → ${code}  ${ms}ms${note ? "  " + note : ""}`);
+        onLog?.({ method, host, path, status: blocked ? 403 : status, latencyMs: ms, blocked, secretNames });
     };
     const placeholdersIn = (headers) => {
         const names = new Set();
-        for (const v of Object.values(headers))
-            for (const m of v.matchAll(PLACEHOLDER))
-                names.add(m[1]);
+        for (const v of Object.values(headers)) {
+            const values = Array.isArray(v) ? v : [v];
+            for (const item of values)
+                for (const m of item.matchAll(PLACEHOLDER))
+                    names.add(m[1]);
+        }
         return names.size ? `{{${[...names].join(",")}}}` : "";
     };
-    // Vérifie que chaque placeholder utilisé est autorisé pour ce host. Retourne le nom fautif, ou null.
+    // Vérifie que chaque placeholder utilisé est autorisé pour ce host. Retourne une raison de blocage, ou null.
     const findHostViolation = (val, targetHost) => {
         for (const m of val.matchAll(PLACEHOLDER)) {
             const name = m[1];
+            if (!Object.prototype.hasOwnProperty.call(secrets, name))
+                return `${name} inconnu`;
             const allowed = hosts[name];
-            if (allowed && allowed !== targetHost)
-                return name;
+            if (!allowed)
+                return `${name} sans domaine autorise`;
+            const allowedHost = normalizeAllowedHost(allowed);
+            if (!allowedHost || allowedHost !== targetHost)
+                return `${name} non autorise`;
         }
         return null;
     };
@@ -57,7 +155,7 @@ function startProxy(secrets, hosts = {}, verbose = false) {
     const server = http_1.default.createServer(async (req, res) => {
         const started = Date.now();
         try {
-            if (req.headers["x-elding-token"] !== token) {
+            if (!tokenMatches(req.headers["x-elding-token"], token)) {
                 res.writeHead(401);
                 res.end("unauthorized");
                 return;
@@ -82,24 +180,33 @@ function startProxy(secrets, hosts = {}, verbose = false) {
                 res.end("https only");
                 return;
             }
-            if (isBlockedHost(targetUrl.hostname)) {
-                log(req.method ?? "?", targetUrl.hostname, req.url ?? "/", "BLOCKED", Date.now() - started, "host bloqué");
+            if (targetUrl.username || targetUrl.password) {
+                res.writeHead(400);
+                res.end("credentials not allowed");
+                return;
+            }
+            const targetHost = normalizeHostname(targetUrl.hostname);
+            const resolved = await resolvePublicAddresses(targetHost);
+            if (resolved.length === 0) {
+                log(req.method ?? "?", targetHost, req.url ?? "/", "BLOCKED", Date.now() - started, "host bloqué");
                 res.writeHead(403);
                 res.end("blocked host");
                 return;
             }
+            const pinned = resolved[0];
             const upstream = new URL(req.url ?? "/", targetUrl);
             upstream.protocol = "https:";
             upstream.host = targetUrl.host;
             // Enforce host binding : un secret lié à un domaine ne peut partir que vers celui-ci
             for (const v of Object.values(req.headers)) {
-                if (typeof v !== "string")
-                    continue;
-                const bad = findHostViolation(v, targetUrl.hostname);
-                if (bad) {
-                    log(req.method ?? "?", targetUrl.hostname, upstream.pathname, "BLOCKED", Date.now() - started, `${bad} non autorisé`);
+                const values = Array.isArray(v) ? v : typeof v === "string" ? [v] : [];
+                for (const item of values) {
+                    const bad = findHostViolation(item, targetHost);
+                    if (!bad)
+                        continue;
+                    log(req.method ?? "?", targetHost, upstream.pathname, "BLOCKED", Date.now() - started, bad);
                     res.writeHead(403);
-                    res.end(`secret "${bad}" non autorisé pour ${targetUrl.hostname}`);
+                    res.end(`secret bloque: ${bad}`);
                     return;
                 }
             }
@@ -109,34 +216,22 @@ function startProxy(secrets, hosts = {}, verbose = false) {
                 const lk = k.toLowerCase();
                 if (lk.startsWith("x-elding-"))
                     continue;
-                if (lk === "host" || lk === "connection" || lk === "content-length")
+                if (HOP_BY_HOP_HEADERS.has(lk))
                     continue;
                 if (typeof v === "string") {
                     rawHeaders[k] = v;
                     headers[k] = substitute(v);
                 }
-            }
-            const chunks = [];
-            for await (const c of req)
-                chunks.push(c);
-            const hasBody = chunks.length > 0 && req.method !== "GET" && req.method !== "HEAD";
-            const upstreamRes = await fetch(upstream.toString(), {
-                method: req.method,
-                headers,
-                body: hasBody ? Buffer.concat(chunks) : undefined,
-            });
-            log(req.method ?? "?", targetUrl.hostname, upstream.pathname, upstreamRes.status, Date.now() - started, placeholdersIn(rawHeaders));
-            res.writeHead(upstreamRes.status, Object.fromEntries(upstreamRes.headers));
-            if (upstreamRes.body) {
-                const reader = upstreamRes.body.getReader();
-                for (;;) {
-                    const { done, value } = await reader.read();
-                    if (done)
-                        break;
-                    res.write(value);
+                else if (Array.isArray(v)) {
+                    rawHeaders[k] = v;
+                    headers[k] = v.map(substitute);
                 }
             }
-            res.end();
+            // Streame le corps vers l'upstream sans le bufferiser en mémoire (évite un DoS sur gros upload)
+            const hasBody = req.method !== "GET" && req.method !== "HEAD";
+            const used = placeholdersIn(rawHeaders);
+            const status = await forwardHttps(req, res, upstream, headers, pinned, hasBody);
+            log(req.method ?? "?", targetHost, upstream.pathname, status, Date.now() - started, used, used);
         }
         catch {
             if (!res.headersSent)
@@ -152,3 +247,58 @@ function startProxy(secrets, hosts = {}, verbose = false) {
         });
     });
 }
+function normalizeAllowedHost(value) {
+    const raw = value.trim();
+    if (!raw || raw.length > MAX_HOST_LENGTH + 8)
+        return null;
+    try {
+        const url = new URL(raw.includes("://") ? raw : `https://${raw}`);
+        if (url.username || url.password)
+            return null;
+        return normalizeHostname(url.hostname);
+    }
+    catch {
+        return null;
+    }
+}
+function filterResponseHeaders(headers) {
+    const out = {};
+    for (const [name, value] of Object.entries(headers)) {
+        if (HOP_BY_HOP_HEADERS.has(name.toLowerCase()))
+            continue;
+        out[name] = value;
+    }
+    return out;
+}
+function forwardHttps(req, res, upstream, headers, pinned, hasBody) {
+    return new Promise((resolve, reject) => {
+        const upstreamHostname = normalizeHostname(upstream.hostname);
+        const upstreamReq = https_1.default.request({
+            protocol: "https:",
+            hostname: upstreamHostname,
+            port: upstream.port ? Number(upstream.port) : 443,
+            path: `${upstream.pathname}${upstream.search}`,
+            method: req.method,
+            headers: { ...headers, host: upstream.host },
+            servername: net_1.default.isIP(upstreamHostname) ? undefined : upstreamHostname,
+            timeout: PROXY_TIMEOUT_MS,
+            lookup: (_hostname, _options, callback) => {
+                callback(null, pinned.address, pinned.family);
+            },
+        }, (upstreamRes) => {
+            const status = upstreamRes.statusCode ?? 502;
+            res.writeHead(status, filterResponseHeaders(upstreamRes.headers));
+            upstreamRes.pipe(res);
+            upstreamRes.on("end", () => resolve(status));
+            upstreamRes.on("error", reject);
+        });
+        upstreamReq.on("timeout", () => upstreamReq.destroy(new Error("upstream timeout")));
+        upstreamReq.on("error", reject);
+        req.on("error", reject);
+        res.on("close", () => upstreamReq.destroy());
+        if (hasBody)
+            req.pipe(upstreamReq);
+        else
+            upstreamReq.end();
+    });
+}

package/dist/lib/terminal.d.ts

@@ -0,0 +1,2 @@
+export declare function safeText(value: unknown, maxLength?: number): string;
+export declare function safeError(value: unknown): string;

package/dist/lib/terminal.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.safeText = safeText;
+exports.safeError = safeError;
+const ANSI_PATTERN = /[\u001b\u009b][[\]()#;?]*(?:(?:(?:[a-zA-Z\d]*(?:;[a-zA-Z\d]*)*)?\u0007)|(?:(?:\d{1,4}(?:;\d{0,4})*)?[\dA-PR-TZcf-nq-uy=><~]))/g;
+const CONTROL_PATTERN = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g;
+function safeText(value, maxLength = 500) {
+    return String(value ?? "")
+        .replace(ANSI_PATTERN, "")
+        .replace(CONTROL_PATTERN, "")
+        .slice(0, maxLength);
+}
+function safeError(value) {
+    return safeText(value instanceof Error ? value.message : value, 300) || "Erreur inconnue";
+}

package/dist/lib/trust.d.ts

@@ -0,0 +1,2 @@
+import { type ProjectConfig } from "./config.js";
+export declare function ensureProjectTrusted(project: ProjectConfig): Promise<void>;

package/dist/lib/trust.js

@@ -0,0 +1,33 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureProjectTrusted = ensureProjectTrusted;
+const promises_1 = __importDefault(require("readline/promises"));
+const process_1 = require("process");
+const config_js_1 = require("./config.js");
+const terminal_js_1 = require("./terminal.js");
+async function ensureProjectTrusted(project) {
+    if ((0, config_js_1.isProjectTrusted)(project))
+        return;
+    const location = (0, config_js_1.projectTrustKey)();
+    const target = `${(0, terminal_js_1.safeText)(project.setName)} (${(0, terminal_js_1.safeText)(project.setId)})`;
+    const workspace = project.workspaceName ? ` / ${(0, terminal_js_1.safeText)(project.workspaceName)}` : "";
+    if (!process_1.stdin.isTTY || !process_1.stdout.isTTY) {
+        throw new Error(`Projet non approuve pour le set ${target}${workspace}. Lancez \`elding init\` ou \`elding use <set>\` interactivement.`);
+    }
+    const rl = promises_1.default.createInterface({ input: process_1.stdin, output: process_1.stdout });
+    try {
+        console.log(`Projet : ${(0, terminal_js_1.safeText)(location)}`);
+        console.log(`Set Elding : ${target}${workspace}`);
+        const answer = await rl.question("Approuver ce projet pour ce set ? [y/N] ");
+        if (!/^y(es)?$/i.test(answer.trim())) {
+            throw new Error("Projet non approuve.");
+        }
+        (0, config_js_1.trustProject)(project);
+    }
+    finally {
+        rl.close();
+    }
+}

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@elding/cli",
-  "version": "0.3.0",
+  "version": "0.8.0",
   "description": "Elding CLI — zero .env, secrets from vault",
   "bin": {
-    "elding": "./dist/index.js"
+    "elding": "dist/index.js"
   },
   "main": "./dist/index.js",
   "files": [
@@ -15,19 +15,20 @@
   "scripts": {
     "build": "tsc",
     "dev": "tsc --watch",
+    "test": "node --test test/*.test.mjs",
     "prepublishOnly": "npm run build"
   },
   "dependencies": {
-    "commander": "^12.1.0",
-    "open": "^10.1.0",
-    "ora": "^8.1.1",
-    "chalk": "^5.3.0",
-    "inquirer": "^10.2.2"
+    "@napi-rs/keyring": "1.1.7",
+    "chalk": "5.6.2",
+    "commander": "12.1.0",
+    "inquirer": "14.0.2",
+    "open": "10.2.0",
+    "ora": "8.2.0"
   },
   "devDependencies": {
-    "@types/node": "^22.0.0",
-    "@types/inquirer": "^9.0.7",
-    "typescript": "^5.5.0"
+    "@types/node": "22.19.21",
+    "typescript": "5.9.3"
   },
   "engines": {
     "node": ">=18"