@fanboynz/network-scanner 2.0.66 → 3.0.0

package/lib/wireguard_vpn.js

@@ -2,10 +2,12 @@
 // Per-site VPN configuration for network scanner
 // Manages WireGuard interfaces, routing, and lifecycle
 
-const { execSync, exec } = require('child_process');
+const { spawnSync } = require('child_process');
+const crypto = require('crypto');
 const fs = require('fs');
 const path = require('path');
-const { formatLogMessage } = require('./colorize');
+const { formatLogMessage, messageColors } = require('./colorize');
+const VPN_TAG = messageColors.processing('[vpn]');
 
 /**
  * Fetch external IP address through the active tunnel
@@ -15,10 +17,15 @@ const { formatLogMessage } = require('./colorize');
 function getExternalIP(interfaceName) {
   const services = ['https://api.ipify.org', 'https://ifconfig.me/ip', 'https://icanhazip.com'];
   for (const service of services) {
-    try {
-      const iface = interfaceName ? `--interface ${interfaceName}` : '';
-      return execSync(`curl -s -m 5 ${iface} ${service}`, { encoding: 'utf8', timeout: 8000 }).trim();
-    } catch {}
+    const args = ['-s', '-m', '5'];
+    if (interfaceName) args.push('--interface', interfaceName);
+    args.push(service);
+    // spawnSync (no shell) so a malicious interfaceName like
+    // "wg-foo; rm -rf ~" can't be split into a second command.
+    const result = spawnSync('curl', args, { encoding: 'utf8', timeout: 8000 });
+    if (result.status === 0 && result.stdout) {
+      return result.stdout.trim();
+    }
   }
   return null;
 }
@@ -29,24 +36,6 @@ const activeInterfaces = new Map();
 // Temp config directory for inline configs
 const TEMP_CONFIG_DIR = '/tmp/nwss-wireguard';
 
-/**
- * Validate WireGuard availability on the system
- * @returns {Object} { isAvailable, version, error }
- */
-function validateWireGuardAvailability() {
-  try {
-    const version = execSync('wg --version 2>&1', { encoding: 'utf8' }).trim();
-    // Check wg-quick is also available
-    execSync('which wg-quick', { encoding: 'utf8' });
-    return { isAvailable: true, version };
-  } catch (error) {
-    return {
-      isAvailable: false,
-      error: 'WireGuard not found. Install with: sudo apt install wireguard'
-    };
-  }
-}
-
 /**
  * Check if running with sufficient privileges
  * @returns {boolean}
@@ -69,12 +58,24 @@ function resolveInterfaceName(vpnConfig) {
     return vpnConfig.interface;
   }
   if (vpnConfig.config) {
-    // Extract name from /etc/wireguard/wg-example.conf ? wg-example
+    // Extract name from /etc/wireguard/wg-example.conf → wg-example
     return path.basename(vpnConfig.config, '.conf');
   }
-  // Auto-generate from index
-  const index = activeInterfaces.size;
-  return `wg-nwss${index}`;
+  // Inline-only config without an explicit interface: derive a stable
+  // name from a hash of the content so connect and disconnect resolve
+  // to the same name across calls. The old `wg-nwss${activeInterfaces.size}`
+  // used the live Map size, so disconnect computed a DIFFERENT name
+  // than connect did (size had grown in between) and silently failed
+  // to find the entry — the interface would leak until disconnectAll.
+  //
+  // Truncated SHA-1 to 8 hex chars keeps the total under Linux's
+  // 15-char IFNAMSIZ limit ('wg-nwss' = 7 + 8 = 15).
+  if (vpnConfig.config_inline) {
+    const hash = crypto.createHash('sha1').update(vpnConfig.config_inline).digest('hex').slice(0, 8);
+    return `wg-nwss${hash}`;
+  }
+  // Last resort — should be unreachable if validation ran first.
+  return 'wg-nwss-unknown';
 }
 
 /**
@@ -103,17 +104,24 @@ function writeInlineConfig(interfaceName, configContent) {
 function interfaceUp(configPath, interfaceName, forceDebug = false) {
   if (activeInterfaces.has(interfaceName)) {
     if (forceDebug) {
-      console.log(formatLogMessage('debug', `[vpn] Interface ${interfaceName} already active`));
+      console.log(formatLogMessage('debug', `${VPN_TAG} Interface ${interfaceName} already active`));
     }
     return { success: true, interface: interfaceName, alreadyActive: true };
   }
 
   try {
-    // wg-quick accepts a config path or interface name in /etc/wireguard/
-    execSync(`sudo wg-quick up "${configPath}"`, {
+    // wg-quick accepts a config path or interface name in /etc/wireguard/.
+    // spawnSync with arg array (no shell) — configPath comes from user
+    // JSON, so naive `sudo wg-quick up "${configPath}"` was vulnerable
+    // to a `";rm -rf ~;"` payload escaping the quotes.
+    const upRes = spawnSync('sudo', ['wg-quick', 'up', configPath], {
       encoding: 'utf8',
       timeout: 15000
     });
+    if (upRes.error) throw upRes.error;
+    if (upRes.status !== 0) {
+      throw new Error((upRes.stderr || '').trim() || `wg-quick up exited with status ${upRes.status}`);
+    }
 
     activeInterfaces.set(interfaceName, {
       configPath,
@@ -122,11 +130,19 @@ function interfaceUp(configPath, interfaceName, forceDebug = false) {
     });
 
     if (forceDebug) {
-      console.log(formatLogMessage('debug', `[vpn] Interface ${interfaceName} is up`));
+      console.log(formatLogMessage('debug', `${VPN_TAG} Interface ${interfaceName} is up`));
+      // Only fetch the external IP when debug-logging would actually
+      // display it — getExternalIP runs 3 sequential 8s-timeout curls
+      // (~24s worst case of blocking event loop). The result was
+      // previously included in the return shape but no caller read
+      // it; the work was pure waste outside debug runs.
+      const externalIP = getExternalIP(interfaceName);
+      if (externalIP) {
+        console.log(formatLogMessage('debug', `${VPN_TAG} ${interfaceName} external IP: ${externalIP}`));
+      }
     }
 
-    const externalIP = getExternalIP(interfaceName);
-    return { success: true, interface: interfaceName, externalIP };
+    return { success: true, interface: interfaceName };
   } catch (error) {
     return {
       success: false,
@@ -149,21 +165,20 @@ function interfaceDown(interfaceName, forceDebug = false) {
   }
 
   try {
-    execSync(`sudo wg-quick down "${info.configPath}"`, {
+    // spawnSync with arg array (see interfaceUp comment for rationale).
+    const downRes = spawnSync('sudo', ['wg-quick', 'down', info.configPath], {
       encoding: 'utf8',
       timeout: 10000
     });
+    if (downRes.error) throw downRes.error;
+    if (downRes.status !== 0) {
+      throw new Error((downRes.stderr || '').trim() || `wg-quick down exited with status ${downRes.status}`);
+    }
 
     activeInterfaces.delete(interfaceName);
 
-    // Clean up temp config if it was inline
-    const tempPath = path.join(TEMP_CONFIG_DIR, `${interfaceName}.conf`);
-    if (fs.existsSync(tempPath)) {
-      try { fs.unlinkSync(tempPath); } catch {}
-    }
-
     if (forceDebug) {
-      console.log(formatLogMessage('debug', `[vpn] Interface ${interfaceName} is down`));
+      console.log(formatLogMessage('debug', `${VPN_TAG} Interface ${interfaceName} is down`));
     }
 
     return { success: true };
@@ -171,6 +186,17 @@ function interfaceDown(interfaceName, forceDebug = false) {
     // Force remove from tracking even if wg-quick fails
     activeInterfaces.delete(interfaceName);
     return { success: false, error: error.message.trim() };
+  } finally {
+    // Clean up temp config regardless of wg-quick outcome — a leaked
+    // .conf in TEMP_CONFIG_DIR could collide on a re-connect with the
+    // same hash-derived interface name, especially after a wg-quick
+    // down failure where the kernel interface might persist briefly.
+    // Was previously only inside the try block, so failure paths
+    // leaked the temp file.
+    const tempPath = path.join(TEMP_CONFIG_DIR, `${interfaceName}.conf`);
+    if (fs.existsSync(tempPath)) {
+      try { fs.unlinkSync(tempPath); } catch {}
+    }
   }
 }
 
@@ -183,21 +209,32 @@ function interfaceDown(interfaceName, forceDebug = false) {
  */
 function checkConnection(interfaceName, testHost = '1.1.1.1', forceDebug = false) {
   try {
-    // Check interface exists
-    execSync(`ip link show ${interfaceName}`, { encoding: 'utf8', timeout: 3000 });
+    // Check interface exists. spawnSync with arg array — interfaceName
+    // can come from user JSON (siteConfig.vpn.interface) so the old
+    // shell-interpolated `execSync(\`ip link show ${interfaceName}\`)`
+    // was injection-vulnerable.
+    const linkRes = spawnSync('ip', ['link', 'show', interfaceName], { encoding: 'utf8', timeout: 3000 });
+    if (linkRes.status !== 0) {
+      throw new Error((linkRes.stderr || '').trim() || `ip link show failed for ${interfaceName}`);
+    }
 
-    // Ping through the specific interface
-    const result = execSync(
-      `ping -c 1 -W 5 -I ${interfaceName} ${testHost} 2>&1`,
-      { encoding: 'utf8', timeout: 8000 }
-    );
+    // Ping through the specific interface. testHost defaults to '1.1.1.1'
+    // but can be overridden by user config — same injection concern.
+    const pingRes = spawnSync('ping', ['-c', '1', '-W', '5', '-I', interfaceName, testHost], {
+      encoding: 'utf8', timeout: 8000
+    });
+    if (pingRes.status !== 0) {
+      // Combine stderr + stdout (no shell `2>&1` available with spawnSync)
+      throw new Error((pingRes.stderr || pingRes.stdout || '').split('\n')[0] || `ping failed for ${testHost}`);
+    }
+    const result = pingRes.stdout;
 
     const latencyMatch = result.match(/time=([0-9.]+)\s*ms/);
     const latencyMs = latencyMatch ? parseFloat(latencyMatch[1]) : null;
 
     if (forceDebug) {
       console.log(formatLogMessage('debug',
-        `[vpn] ${interfaceName} connected (${latencyMs ? latencyMs + 'ms' : 'ok'})`
+        `${VPN_TAG} ${interfaceName} connected (${latencyMs ? latencyMs + 'ms' : 'ok'})`
       ));
     }
 
@@ -205,44 +242,13 @@ function checkConnection(interfaceName, testHost = '1.1.1.1', forceDebug = false
   } catch (error) {
     if (forceDebug) {
       console.log(formatLogMessage('debug',
-        `[vpn] ${interfaceName} health check failed: ${error.message.split('\n')[0]}`
+        `${VPN_TAG} ${interfaceName} health check failed: ${error.message.split('\n')[0]}`
       ));
     }
     return { connected: false, error: error.message.split('\n')[0] };
   }
 }
 
-/**
- * Get WireGuard status for an interface
- * @param {string} interfaceName - Interface name
- * @returns {Object} Parsed wg show output
- */
-function getInterfaceStatus(interfaceName) {
-  try {
-    const output = execSync(`wg show ${interfaceName}`, {
-      encoding: 'utf8',
-      timeout: 5000
-    });
-
-    const status = { interface: interfaceName, raw: output };
-
-    // Parse key fields
-    const endpointMatch = output.match(/endpoint:\s*(.+)/);
-    const transferMatch = output.match(/transfer:\s*(.+)/);
-    const handshakeMatch = output.match(/latest handshake:\s*(.+)/);
-    const allowedMatch = output.match(/allowed ips:\s*(.+)/);
-
-    if (endpointMatch) status.endpoint = endpointMatch[1].trim();
-    if (transferMatch) status.transfer = transferMatch[1].trim();
-    if (handshakeMatch) status.latestHandshake = handshakeMatch[1].trim();
-    if (allowedMatch) status.allowedIps = allowedMatch[1].trim();
-
-    return status;
-  } catch (error) {
-    return { interface: interfaceName, error: error.message.split('\n')[0] };
-  }
-}
-
 /**
  * Parse and validate a VPN site config
  * @param {Object|string} vpnConfig - VPN config from site JSON
@@ -258,6 +264,17 @@ function normalizeVpnConfig(vpnConfig) {
     return null;
   }
 
+  // Accept non-negative integers only — rejects:
+  //   - undefined/null/false (would have hit '|| 2' fallback anyway)
+  //   - strings like "3" (the old `|| 2` accepted those, then
+  //     `vpnConfig.max_retries + 1` downstream string-concatenated
+  //     to "31" and ran 31 retry attempts instead of 4)
+  //   - negative numbers / non-integers
+  // Explicit 0 IS accepted now ("no retries, fail fast") — the old
+  // `|| 2` treated 0 as falsy and silently substituted 2.
+  const mr = vpnConfig.max_retries;
+  const max_retries = (typeof mr === 'number' && Number.isInteger(mr) && mr >= 0) ? mr : 2;
+
   return {
     config: vpnConfig.config || null,
     config_inline: vpnConfig.config_inline || null,
@@ -265,7 +282,7 @@ function normalizeVpnConfig(vpnConfig) {
     health_check: vpnConfig.health_check !== false,
     test_host: vpnConfig.test_host || '1.1.1.1',
     retry: vpnConfig.retry !== false,
-    max_retries: vpnConfig.max_retries || 2
+    max_retries
   };
 }
 
@@ -368,7 +385,7 @@ async function connectForSite(siteConfig, forceDebug = false) {
   for (let attempt = 1; attempt <= maxAttempts; attempt++) {
     if (forceDebug && attempt > 1) {
       console.log(formatLogMessage('debug',
-        `[vpn] Retry ${attempt - 1}/${vpnConfig.max_retries} for ${interfaceName}`
+        `${VPN_TAG} Retry ${attempt - 1}/${vpnConfig.max_retries} for ${interfaceName}`
       ));
     }
 
@@ -448,7 +465,7 @@ function disconnectForSite(siteConfig, forceDebug = false) {
 
   if (forceDebug) {
     console.log(formatLogMessage('debug',
-      `[vpn] ${interfaceName} still used by ${info.sites.size} site(s), keeping up`
+      `${VPN_TAG} ${interfaceName} still used by ${info.sites.size} site(s), keeping up`
     ));
   }
 
@@ -480,47 +497,24 @@ function disconnectAll(forceDebug = false) {
 
   if (forceDebug && results.tornDown > 0) {
     console.log(formatLogMessage('debug',
-      `[vpn] Disconnected ${results.tornDown} interface(s)`
+      `${VPN_TAG} Disconnected ${results.tornDown} interface(s)`
     ));
   }
 
   return results;
 }
 
-/**
- * Get summary of all active VPN interfaces
- * @returns {Array} Array of interface status objects
- */
-function getActiveInterfaces() {
-  const interfaces = [];
-
-  for (const [name, info] of activeInterfaces) {
-    const status = getInterfaceStatus(name);
-    interfaces.push({
-      name,
-      configPath: info.configPath,
-      uptime: Math.round((Date.now() - info.startedAt) / 1000),
-      sites: Array.from(info.sites),
-      ...status
-    });
-  }
-
-  return interfaces;
-}
-
+// Public surface used by nwss.js. Internal helpers (checkConnection,
+// interfaceUp, interfaceDown, resolveInterfaceName, hasRootPrivileges,
+// getExternalIP, writeInlineConfig) stay module-private — none had
+// external callers. validateWireGuardAvailability, getInterfaceStatus,
+// and getActiveInterfaces were removed entirely (zero callers anywhere,
+// including no internal ones once their downstream consumers were
+// pruned).
 module.exports = {
-  validateWireGuardAvailability,
   validateVpnConfig,
   normalizeVpnConfig,
   connectForSite,
   disconnectForSite,
-  disconnectAll,
-  checkConnection,
-  getInterfaceStatus,
-  getActiveInterfaces,
-  // Low-level (for testing or advanced use)
-  interfaceUp,
-  interfaceDown,
-  resolveInterfaceName,
-  hasRootPrivileges
+  disconnectAll
 };