@electron-memory/monitor 0.2.2 → 0.2.3

package/dist/index.js

@@ -1114,6 +1114,7 @@ var path3 = __toESM(require("path"));
 var import_electron2 = require("electron");
 var import_promises = require("fs/promises");
 var path2 = __toESM(require("path"));
+var import_node_url = require("url");
 var SCHEME = "emm-dashboard";
 var privilegedRegistered = false;
 var handlerRegistered = false;
@@ -1148,6 +1149,48 @@ function isPathInsideRoot(filePath, root) {
   }
   return true;
 }
+function urlToUiRelativePath(requestUrl) {
+  let u;
+  try {
+    u = new URL(requestUrl);
+  } catch {
+    return "";
+  }
+  let p = "";
+  try {
+    p = decodeURIComponent(u.pathname || "");
+  } catch {
+    p = u.pathname || "";
+  }
+  p = p.replace(/^\/+/, "");
+  const host = (u.hostname || "").toLowerCase();
+  if (p.includes("..")) {
+    return "";
+  }
+  if (host === "electron" || host === "") {
+    return p || "index.html";
+  }
+  if (p) {
+    return `${host}/${p}`.replace(/\\/g, "/");
+  }
+  if (host.includes(".")) {
+    return host;
+  }
+  return "index.html";
+}
+function bufferToResponseBody(buf) {
+  return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
+}
+function looksLikeHtml(buf) {
+  let i = 0;
+  if (buf.length >= 3 && buf[0] === 239 && buf[1] === 187 && buf[2] === 191) {
+    i = 3;
+  }
+  while (i < buf.length && (buf[i] === 32 || buf[i] === 9 || buf[i] === 10 || buf[i] === 13)) {
+    i += 1;
+  }
+  return i < buf.length && buf[i] === 60;
+}
 function corsHeaders() {
   return {
     "Access-Control-Allow-Origin": "*",
@@ -1189,24 +1232,40 @@ function ensureDashboardProtocolHandler(uiRoot) {
       return new Response(null, { status: 204, headers: corsHeaders() });
     }
     try {
-      let pathname;
-      try {
-        pathname = decodeURIComponent(new URL(request.url).pathname);
-      } catch {
-        return new Response("Bad URL", { status: 400, headers: corsHeaders() });
+      const rel = urlToUiRelativePath(request.url);
+      if (!rel || rel.includes("..")) {
+        return new Response("Bad path", { status: 400, headers: corsHeaders() });
       }
-      let rel = pathname.replace(/^\/+/, "");
-      if (!rel) {
-        rel = "index.html";
-      }
-      const filePath = path2.resolve(path2.join(base, rel));
+      const filePath = path2.resolve(path2.join(base, ...rel.split("/")));
       if (!isPathInsideRoot(filePath, base)) {
         return new Response("Forbidden", { status: 403, headers: corsHeaders() });
       }
-      const body = await (0, import_promises.readFile)(filePath);
+      const fileUrl = (0, import_node_url.pathToFileURL)(filePath).href;
+      let upstream;
+      try {
+        upstream = await import_electron2.net.fetch(fileUrl);
+      } catch {
+        upstream = new Response(null, { status: 599 });
+      }
+      let buf;
+      if (!upstream.ok) {
+        buf = await (0, import_promises.readFile)(filePath);
+      } else {
+        const ab = await upstream.arrayBuffer();
+        buf = Buffer.from(ab);
+      }
       const ext = path2.extname(filePath).toLowerCase();
+      if (ext === ".html" && !looksLikeHtml(buf)) {
+        console.error(
+          "[@electron-memory/monitor] emm-dashboard: not HTML at",
+          filePath,
+          "url=",
+          request.url
+        );
+        return new Response("Invalid dashboard HTML", { status: 500, headers: corsHeaders() });
+      }
       const mime = MIME_BY_EXT[ext] || "application/octet-stream";
-      return new Response(body, {
+      return new Response(bufferToResponseBody(buf), {
         status: 200,
         headers: {
           "Content-Type": mime,
@@ -1216,6 +1275,7 @@ function ensureDashboardProtocolHandler(uiRoot) {
       });
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
+      console.error("[@electron-memory/monitor] emm-dashboard:", request.url, err);
       return new Response(msg, { status: 404, headers: corsHeaders() });
     }
   });