@elding/cli 0.3.0 → 0.8.1

package/dist/lib/proxyServer.js

@@ -5,59 +5,162 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.startProxy = startProxy;
 const http_1 = __importDefault(require("http"));
+const https_1 = __importDefault(require("https"));
+const net_1 = __importDefault(require("net"));
+const stream_1 = require("stream");
+const dns_1 = require("dns");
 const crypto_1 = require("crypto");
+const zlib_1 = require("zlib");
+const redact_js_1 = require("./redact.js");
 const PLACEHOLDER = /\{\{([A-Z0-9_]+)\}\}/g;
-// Bloque loopback + plages privées + métadata cloud — empêche le proxy de servir de pivot SSRF
-function isBlockedHost(hostname) {
-    const h = hostname.replace(/^\[|\]$/g, "");
-    if (h === "localhost" || h === "::1")
-        return true;
-    if (/^127\./.test(h))
-        return true;
-    if (/^10\./.test(h))
-        return true;
-    if (/^192\.168\./.test(h))
-        return true;
-    if (/^172\.(1[6-9]|2\d|3[01])\./.test(h))
-        return true;
-    if (/^169\.254\./.test(h))
-        return true; // link-local + metadata (169.254.169.254)
-    if (/^fe80:/i.test(h) || /^fc00:/i.test(h) || /^fd/i.test(h))
+const PROXY_TIMEOUT_MS = 60_000;
+const MAX_HOST_LENGTH = 253;
+const HOP_BY_HOP_HEADERS = new Set([
+    "connection",
+    "content-length",
+    "keep-alive",
+    "proxy-authenticate",
+    "proxy-authorization",
+    "proxy-connection",
+    "te",
+    "trailer",
+    "transfer-encoding",
+    "upgrade",
+]);
+// Valide une IP résolue : bloque loopback + plages privées + link-local + ULA + métadata cloud.
+function isBlockedIp(ip) {
+    const normalized = stripBrackets(ip).toLowerCase();
+    const v4 = ipv4FromMappedIpv6(normalized) ?? normalized;
+    if (net_1.default.isIPv4(v4)) {
+        const [a, b, c] = v4.split(".").map(Number);
+        if (a === 0 || a === 10 || a === 127)
+            return true;
+        if (a === 100 && b >= 64 && b <= 127)
+            return true; // carrier-grade NAT
+        if (a === 192 && b === 168)
+            return true;
+        if (a === 192 && b === 0)
+            return true;
+        if (a === 172 && b >= 16 && b <= 31)
+            return true;
+        if (a === 169 && b === 254)
+            return true; // link-local + metadata 169.254.169.254
+        if (a === 198 && (b === 18 || b === 19))
+            return true; // benchmarking
+        if (a === 192 && b === 0 && c === 2)
+            return true;
+        if (a === 198 && b === 51 && c === 100)
+            return true;
+        if (a === 203 && b === 0 && c === 113)
+            return true;
+        if (a >= 224)
+            return true; // multicast + reserved
+        return false;
+    }
+    const l = normalized;
+    if (l === "::1" || l === "::")
         return true;
+    if (l.startsWith("fe8") || l.startsWith("fe9") || l.startsWith("fea") || l.startsWith("feb"))
+        return true; // fe80::/10
+    if (l.startsWith("fc") || l.startsWith("fd"))
+        return true; // ULA
+    if (l.startsWith("ff"))
+        return true; // multicast
+    if (l.startsWith("2001:db8"))
+        return true; // documentation
     return false;
 }
+function ipv4FromMappedIpv6(ip) {
+    if (!ip.startsWith("::ffff:"))
+        return null;
+    const tail = ip.slice("::ffff:".length);
+    if (net_1.default.isIPv4(tail))
+        return tail;
+    const parts = tail.split(":");
+    if (parts.length !== 2)
+        return null;
+    const high = Number.parseInt(parts[0], 16);
+    const low = Number.parseInt(parts[1], 16);
+    if (!Number.isInteger(high) || !Number.isInteger(low) || high < 0 || high > 0xffff || low < 0 || low > 0xffff) {
+        return null;
+    }
+    return `${(high >> 8) & 255}.${high & 255}.${(low >> 8) & 255}.${low & 255}`;
+}
+function stripBrackets(hostname) {
+    return hostname.startsWith("[") && hostname.endsWith("]")
+        ? hostname.slice(1, -1)
+        : hostname;
+}
+function normalizeHostname(hostname) {
+    return stripBrackets(hostname).toLowerCase().replace(/\.$/, "");
+}
+// Résout le hostname et exige que TOUTES les adresses soient publiques.
+async function resolvePublicAddresses(hostname) {
+    const normalized = normalizeHostname(hostname);
+    if (!normalized || normalized.length > MAX_HOST_LENGTH || normalized === "localhost")
+        return [];
+    const directIp = net_1.default.isIP(normalized);
+    if (directIp)
+        return isBlockedIp(normalized) ? [] : [{ address: normalized, family: directIp }];
+    try {
+        const addrs = await dns_1.promises.lookup(normalized, { all: true, verbatim: true });
+        if (addrs.length === 0 || addrs.some((a) => isBlockedIp(a.address)))
+            return [];
+        return addrs.map((a) => ({ address: a.address, family: a.family }));
+    }
+    catch {
+        return [];
+    }
+}
+// Comparaison constant-time du token de session.
+function tokenMatches(provided, expected) {
+    if (typeof provided !== "string" || provided.length !== expected.length)
+        return false;
+    return (0, crypto_1.timingSafeEqual)(Buffer.from(provided), Buffer.from(expected));
+}
 // hosts: map nom_secret -> domaine autorisé. Si défini, le secret ne peut être envoyé qu'à ce host.
-function startProxy(secrets, hosts = {}, verbose = false) {
+function startProxy(secrets, hosts = {}, verbose = false, onLog) {
     const token = (0, crypto_1.randomBytes)(24).toString("hex");
     // Log une ligne par requête — jamais les valeurs, seulement les placeholders référencés
-    const log = (method, host, path, status, ms, note = "") => {
-        if (!verbose)
-            return;
-        const code = status === "BLOCKED" ? "BLOCKED" : String(status);
-        console.error(`[elding] ${method} ${host}${path}  → ${code}  ${ms}ms${note ? "  " + note : ""}`);
+    const log = (method, host, path, status, ms, note = "", secretNames = "") => {
+        const blocked = status === "BLOCKED";
+        const code = blocked ? "BLOCKED" : String(status);
+        if (verbose)
+            console.error(`[elding] ${method} ${host}${path}  → ${code}  ${ms}ms${note ? "  " + note : ""}`);
+        onLog?.({ method, host, path, status: blocked ? 403 : status, latencyMs: ms, blocked, secretNames });
     };
     const placeholdersIn = (headers) => {
         const names = new Set();
-        for (const v of Object.values(headers))
-            for (const m of v.matchAll(PLACEHOLDER))
-                names.add(m[1]);
+        for (const v of Object.values(headers)) {
+            const values = Array.isArray(v) ? v : [v];
+            for (const item of values)
+                for (const m of item.matchAll(PLACEHOLDER))
+                    names.add(m[1]);
+        }
         return names.size ? `{{${[...names].join(",")}}}` : "";
     };
-    // Vérifie que chaque placeholder utilisé est autorisé pour ce host. Retourne le nom fautif, ou null.
+    // Vérifie que chaque placeholder utilisé est autorisé pour ce host. Retourne une raison de blocage, ou null.
     const findHostViolation = (val, targetHost) => {
         for (const m of val.matchAll(PLACEHOLDER)) {
             const name = m[1];
+            if (!Object.prototype.hasOwnProperty.call(secrets, name))
+                return `${name} inconnu`;
             const allowed = hosts[name];
-            if (allowed && allowed !== targetHost)
-                return name;
+            if (!allowed)
+                return `${name} sans domaine autorise`;
+            const allowedHost = normalizeAllowedHost(allowed);
+            if (!allowedHost || allowedHost !== targetHost)
+                return `${name} non autorise`;
         }
         return null;
     };
     const substitute = (val) => val.replace(PLACEHOLDER, (_, name) => secrets[name] ?? "");
+    // Valeurs de secret a effacer des reponses (anti-echo).
+    const secretValues = Object.values(secrets).filter((v) => typeof v === "string" && v.length >= 8);
     const server = http_1.default.createServer(async (req, res) => {
         const started = Date.now();
         try {
-            if (req.headers["x-elding-token"] !== token) {
+            if (!tokenMatches(req.headers["x-elding-token"], token)) {
                 res.writeHead(401);
                 res.end("unauthorized");
                 return;
@@ -82,24 +185,33 @@ function startProxy(secrets, hosts = {}, verbose = false) {
                 res.end("https only");
                 return;
             }
-            if (isBlockedHost(targetUrl.hostname)) {
-                log(req.method ?? "?", targetUrl.hostname, req.url ?? "/", "BLOCKED", Date.now() - started, "host bloqué");
+            if (targetUrl.username || targetUrl.password) {
+                res.writeHead(400);
+                res.end("credentials not allowed");
+                return;
+            }
+            const targetHost = normalizeHostname(targetUrl.hostname);
+            const resolved = await resolvePublicAddresses(targetHost);
+            if (resolved.length === 0) {
+                log(req.method ?? "?", targetHost, req.url ?? "/", "BLOCKED", Date.now() - started, "host bloqué");
                 res.writeHead(403);
                 res.end("blocked host");
                 return;
             }
+            const pinned = resolved[0];
             const upstream = new URL(req.url ?? "/", targetUrl);
             upstream.protocol = "https:";
             upstream.host = targetUrl.host;
             // Enforce host binding : un secret lié à un domaine ne peut partir que vers celui-ci
             for (const v of Object.values(req.headers)) {
-                if (typeof v !== "string")
-                    continue;
-                const bad = findHostViolation(v, targetUrl.hostname);
-                if (bad) {
-                    log(req.method ?? "?", targetUrl.hostname, upstream.pathname, "BLOCKED", Date.now() - started, `${bad} non autorisé`);
+                const values = Array.isArray(v) ? v : typeof v === "string" ? [v] : [];
+                for (const item of values) {
+                    const bad = findHostViolation(item, targetHost);
+                    if (!bad)
+                        continue;
+                    log(req.method ?? "?", targetHost, upstream.pathname, "BLOCKED", Date.now() - started, bad);
                     res.writeHead(403);
-                    res.end(`secret "${bad}" non autorisé pour ${targetUrl.hostname}`);
+                    res.end(`secret bloque: ${bad}`);
                     return;
                 }
             }
@@ -109,34 +221,27 @@ function startProxy(secrets, hosts = {}, verbose = false) {
                 const lk = k.toLowerCase();
                 if (lk.startsWith("x-elding-"))
                     continue;
-                if (lk === "host" || lk === "connection" || lk === "content-length")
+                if (HOP_BY_HOP_HEADERS.has(lk))
                     continue;
+                if (lk === "accept-encoding")
+                    continue; // force identite : reponse en clair pour la redaction
                 if (typeof v === "string") {
                     rawHeaders[k] = v;
                     headers[k] = substitute(v);
                 }
-            }
-            const chunks = [];
-            for await (const c of req)
-                chunks.push(c);
-            const hasBody = chunks.length > 0 && req.method !== "GET" && req.method !== "HEAD";
-            const upstreamRes = await fetch(upstream.toString(), {
-                method: req.method,
-                headers,
-                body: hasBody ? Buffer.concat(chunks) : undefined,
-            });
-            log(req.method ?? "?", targetUrl.hostname, upstream.pathname, upstreamRes.status, Date.now() - started, placeholdersIn(rawHeaders));
-            res.writeHead(upstreamRes.status, Object.fromEntries(upstreamRes.headers));
-            if (upstreamRes.body) {
-                const reader = upstreamRes.body.getReader();
-                for (;;) {
-                    const { done, value } = await reader.read();
-                    if (done)
-                        break;
-                    res.write(value);
+                else if (Array.isArray(v)) {
+                    rawHeaders[k] = v;
+                    headers[k] = v.map(substitute);
                 }
             }
-            res.end();
+            // Empeche l'upstream de compresser : sinon impossible de rediger les secrets reflechis.
+            if (secretValues.length > 0)
+                headers["accept-encoding"] = "identity";
+            // Streame le corps vers l'upstream sans le bufferiser en mémoire (évite un DoS sur gros upload)
+            const hasBody = req.method !== "GET" && req.method !== "HEAD";
+            const used = placeholdersIn(rawHeaders);
+            const status = await forwardHttps(req, res, upstream, headers, pinned, hasBody, secretValues);
+            log(req.method ?? "?", targetHost, upstream.pathname, status, Date.now() - started, used, used);
         }
         catch {
             if (!res.headersSent)
@@ -152,3 +257,112 @@ function startProxy(secrets, hosts = {}, verbose = false) {
         });
     });
 }
+function normalizeAllowedHost(value) {
+    const raw = value.trim();
+    if (!raw || raw.length > MAX_HOST_LENGTH + 8)
+        return null;
+    try {
+        const url = new URL(raw.includes("://") ? raw : `https://${raw}`);
+        if (url.username || url.password)
+            return null;
+        return normalizeHostname(url.hostname);
+    }
+    catch {
+        return null;
+    }
+}
+function filterResponseHeaders(headers, secretValues, decodedBody) {
+    const out = {};
+    const redacting = secretValues.length > 0;
+    for (const [name, value] of Object.entries(headers)) {
+        const lower = name.toLowerCase();
+        if (HOP_BY_HOP_HEADERS.has(lower))
+            continue;
+        if (decodedBody && lower === "content-encoding")
+            continue;
+        if ((redacting || decodedBody) && (lower === "content-md5" || lower === "digest" || lower === "etag"))
+            continue;
+        // La redaction modifie la taille du corps : on laisse Node re-calculer (chunked).
+        if (redacting && lower === "content-length")
+            continue;
+        if (typeof value === "string")
+            out[name] = (0, redact_js_1.redactString)(value, secretValues);
+        else if (Array.isArray(value))
+            out[name] = value.map((v) => (0, redact_js_1.redactString)(v, secretValues));
+        else
+            out[name] = value;
+    }
+    return out;
+}
+function responseBodyForRedaction(upstreamRes, shouldRedact) {
+    const raw = upstreamRes.headers["content-encoding"];
+    const encodings = (Array.isArray(raw) ? raw.join(",") : raw ?? "")
+        .toLowerCase()
+        .split(",")
+        .map((v) => v.trim())
+        .filter((v) => v && v !== "identity");
+    if (!shouldRedact || encodings.length === 0)
+        return { stream: upstreamRes, decoded: false };
+    if (encodings.length !== 1)
+        return null;
+    switch (encodings[0]) {
+        case "gzip":
+        case "x-gzip":
+            return { stream: upstreamRes.pipe((0, zlib_1.createGunzip)()), decoded: true };
+        case "deflate":
+            return { stream: upstreamRes.pipe((0, zlib_1.createInflate)()), decoded: true };
+        case "br":
+            return { stream: upstreamRes.pipe((0, zlib_1.createBrotliDecompress)()), decoded: true };
+        default:
+            return null;
+    }
+}
+function forwardHttps(req, res, upstream, headers, pinned, hasBody, secretValues) {
+    return new Promise((resolve, reject) => {
+        const upstreamHostname = normalizeHostname(upstream.hostname);
+        const upstreamReq = https_1.default.request({
+            protocol: "https:",
+            hostname: upstreamHostname,
+            port: upstream.port ? Number(upstream.port) : 443,
+            path: `${upstream.pathname}${upstream.search}`,
+            method: req.method,
+            headers: { ...headers, host: upstream.host },
+            servername: net_1.default.isIP(upstreamHostname) ? undefined : upstreamHostname,
+            timeout: PROXY_TIMEOUT_MS,
+            // Node >=20 (autoSelectFamily) appelle lookup avec { all: true } et
+            // attend un tableau ; sinon la forme simple (address, family).
+            lookup: (_hostname, options, callback) => {
+                if (options && options.all)
+                    callback(null, [{ address: pinned.address, family: pinned.family }]);
+                else
+                    callback(null, pinned.address, pinned.family);
+            },
+        }, (upstreamRes) => {
+            const status = upstreamRes.statusCode ?? 502;
+            const body = responseBodyForRedaction(upstreamRes, secretValues.length > 0);
+            if (!body) {
+                upstreamRes.resume();
+                res.writeHead(502);
+                res.end("unsupported compressed response");
+                resolve(502);
+                return;
+            }
+            res.writeHead(status, filterResponseHeaders(upstreamRes.headers, secretValues, body.decoded));
+            const redactor = (0, redact_js_1.createRedactor)(secretValues);
+            (0, stream_1.pipeline)(body.stream, redactor, res, (err) => {
+                if (err)
+                    reject(err);
+                else
+                    resolve(status);
+            });
+        });
+        upstreamReq.on("timeout", () => upstreamReq.destroy(new Error("upstream timeout")));
+        upstreamReq.on("error", reject);
+        req.on("error", reject);
+        res.on("close", () => upstreamReq.destroy());
+        if (hasBody)
+            req.pipe(upstreamReq);
+        else
+            upstreamReq.end();
+    });
+}

package/dist/lib/redact.d.ts

@@ -0,0 +1,3 @@
+import { Transform } from "stream";
+export declare function createRedactor(secretValues: string[]): Transform;
+export declare function redactString(value: string, secretValues: string[]): string;

package/dist/lib/redact.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createRedactor = createRedactor;
+exports.redactString = redactString;
+const stream_1 = require("stream");
+const REDACTED = Buffer.from("[REDACTED]");
+// Remplace toutes les occurrences de `search` dans `buf` (recherche binaire, ne
+// corrompt pas les corps non-texte : sans correspondance, passthrough inchange).
+function replaceAll(buf, search) {
+    const parts = [];
+    let idx = 0;
+    let found = buf.indexOf(search, idx);
+    if (found === -1)
+        return buf;
+    while (found !== -1) {
+        parts.push(buf.subarray(idx, found), REDACTED);
+        idx = found + search.length;
+        found = buf.indexOf(search, idx);
+    }
+    parts.push(buf.subarray(idx));
+    return Buffer.concat(parts);
+}
+// Transform qui efface les valeurs de secret du flux de reponse avant qu'il
+// atteigne l'app. Tue le cas "domaine qui echo la cle". Gere les coupures de
+// chunk en retenant les (maxLen-1) derniers octets entre deux passes.
+function createRedactor(secretValues) {
+    const values = [...new Set(secretValues)]
+        .filter((v) => v.length >= 8)
+        .map((v) => Buffer.from(v, "utf8"));
+    const maxLen = values.reduce((m, v) => Math.max(m, v.length), 0);
+    let carry = Buffer.alloc(0);
+    const scrub = (b) => {
+        for (const v of values)
+            b = replaceAll(b, v);
+        return b;
+    };
+    return new stream_1.Transform({
+        transform(chunk, _enc, cb) {
+            if (values.length === 0)
+                return cb(null, chunk);
+            const buf = scrub(Buffer.concat([carry, chunk]));
+            const hold = Math.min(buf.length, maxLen - 1);
+            carry = Buffer.from(buf.subarray(buf.length - hold));
+            cb(null, buf.subarray(0, buf.length - hold));
+        },
+        flush(cb) {
+            cb(null, carry);
+        },
+    });
+}
+// Rediger aussi les valeurs de secret dans une chaine (entetes de reponse).
+function redactString(value, secretValues) {
+    let out = value;
+    for (const v of secretValues)
+        if (v.length >= 8)
+            out = out.split(v).join("[REDACTED]");
+    return out;
+}

package/dist/lib/terminal.d.ts

@@ -0,0 +1,2 @@
+export declare function safeText(value: unknown, maxLength?: number): string;
+export declare function safeError(value: unknown): string;

package/dist/lib/terminal.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.safeText = safeText;
+exports.safeError = safeError;
+const ANSI_PATTERN = /[\u001b\u009b][[\]()#;?]*(?:(?:(?:[a-zA-Z\d]*(?:;[a-zA-Z\d]*)*)?\u0007)|(?:(?:\d{1,4}(?:;\d{0,4})*)?[\dA-PR-TZcf-nq-uy=><~]))/g;
+const CONTROL_PATTERN = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g;
+function safeText(value, maxLength = 500) {
+    return String(value ?? "")
+        .replace(ANSI_PATTERN, "")
+        .replace(CONTROL_PATTERN, "")
+        .slice(0, maxLength);
+}
+function safeError(value) {
+    return safeText(value instanceof Error ? value.message : value, 300) || "Erreur inconnue";
+}

package/dist/lib/trust.d.ts

@@ -0,0 +1,2 @@
+import { type ProjectConfig } from "./config.js";
+export declare function ensureProjectTrusted(project: ProjectConfig): Promise<void>;

package/dist/lib/trust.js

@@ -0,0 +1,33 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureProjectTrusted = ensureProjectTrusted;
+const promises_1 = __importDefault(require("readline/promises"));
+const process_1 = require("process");
+const config_js_1 = require("./config.js");
+const terminal_js_1 = require("./terminal.js");
+async function ensureProjectTrusted(project) {
+    if ((0, config_js_1.isProjectTrusted)(project))
+        return;
+    const location = (0, config_js_1.projectTrustKey)();
+    const target = `${(0, terminal_js_1.safeText)(project.setName)} (${(0, terminal_js_1.safeText)(project.setId)})`;
+    const workspace = project.workspaceName ? ` / ${(0, terminal_js_1.safeText)(project.workspaceName)}` : "";
+    if (!process_1.stdin.isTTY || !process_1.stdout.isTTY) {
+        throw new Error(`Projet non approuve pour le set ${target}${workspace}. Lancez \`elding init\` ou \`elding use <set>\` interactivement.`);
+    }
+    const rl = promises_1.default.createInterface({ input: process_1.stdin, output: process_1.stdout });
+    try {
+        console.log(`Projet : ${(0, terminal_js_1.safeText)(location)}`);
+        console.log(`Set Elding : ${target}${workspace}`);
+        const answer = await rl.question("Approuver ce projet pour ce set ? [y/N] ");
+        if (!/^y(es)?$/i.test(answer.trim())) {
+            throw new Error("Projet non approuve.");
+        }
+        (0, config_js_1.trustProject)(project);
+    }
+    finally {
+        rl.close();
+    }
+}

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@elding/cli",
-  "version": "0.3.0",
+  "version": "0.8.1",
   "description": "Elding CLI — zero .env, secrets from vault",
   "bin": {
-    "elding": "./dist/index.js"
+    "elding": "dist/index.js"
   },
   "main": "./dist/index.js",
   "files": [
@@ -15,19 +15,20 @@
   "scripts": {
     "build": "tsc",
     "dev": "tsc --watch",
+    "test": "node --test test/*.test.mjs",
     "prepublishOnly": "npm run build"
   },
   "dependencies": {
-    "commander": "^12.1.0",
-    "open": "^10.1.0",
-    "ora": "^8.1.1",
-    "chalk": "^5.3.0",
-    "inquirer": "^10.2.2"
+    "@napi-rs/keyring": "1.1.7",
+    "chalk": "5.6.2",
+    "commander": "12.1.0",
+    "inquirer": "14.0.2",
+    "open": "10.2.0",
+    "ora": "8.2.0"
   },
   "devDependencies": {
-    "@types/node": "^22.0.0",
-    "@types/inquirer": "^9.0.7",
-    "typescript": "^5.5.0"
+    "@types/node": "22.19.21",
+    "typescript": "5.9.3"
   },
   "engines": {
     "node": ">=18"