npm - @fanboynz/network-scanner - Versions diffs - 3.0.2 → 3.1.0 - Mend

@fanboynz/network-scanner 3.0.2 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/lib/openvpn_vpn.js CHANGED Viewed

@@ -8,7 +8,8 @@
 // VPN tunnel � not just the site that requested it. For isolated
 // per-site VPN with concurrency, a SOCKS proxy approach is needed.
-const { execSync, spawn } = require('child_process');
+const { execSync, spawn, spawnSync } = require('child_process');
+const crypto = require('crypto');
 const fs = require('fs');
 const path = require('path');
 const { formatLogMessage, messageColors } = require('./colorize');
@@ -22,10 +23,17 @@ const OPENVPN_TAG = messageColors.processing('[openvpn]');
 function getExternalIP(tunDevice) {
   const services = ['https://api.ipify.org', 'https://ifconfig.me/ip', 'https://icanhazip.com'];
   for (const service of services) {
-    try {
-      const iface = tunDevice ? `--interface ${tunDevice}` : '';
-      return execSync(`curl -s -m 5 ${iface} ${service}`, { encoding: 'utf8', timeout: 8000 }).trim();
-    } catch {}
+    // spawnSync with arg array (no shell) — tunDevice flows from
+    // findTunDevice (kernel-assigned /sys/class/net names, practically
+    // safe) but the pattern with execSync + interpolation was bad style.
+    // Match wireguard_vpn.js's spawn-array approach for consistency.
+    const args = ['-s', '-m', '5'];
+    if (tunDevice) args.push('--interface', tunDevice);
+    args.push(service);
+    const result = spawnSync('curl', args, { encoding: 'utf8', timeout: 8000 });
+    if (result.status === 0 && result.stdout) {
+      return result.stdout.trim();
+    }
   }
   return null;
 }
@@ -127,7 +135,13 @@ function checkTunDevice() {
  * Ensure temp directory exists with secure permissions
  */
 function ensureTempDir() {
-  fs.mkdirSync(TEMP_DIR, { recursive: true, mode: 0o755 });
+  // 0o700 matches wireguard_vpn.js — other users on the box can't list
+  // the dir to discover which connection names exist. Individual files
+  // inside are already 0o600 so contents were safe before, but directory
+  // listing leaked the connection-name list. Note: mode is only applied
+  // on creation; an existing dir from a prior run with mode 0o755 keeps
+  // its mode until disconnectAll's rm -rf + next session creates fresh.
+  fs.mkdirSync(TEMP_DIR, { recursive: true, mode: 0o700 });
 }
 /**
@@ -169,8 +183,19 @@ function resolveConnectionName(vpnConfig) {
   if (vpnConfig.config) {
     return path.basename(vpnConfig.config, '.ovpn');
   }
-  const index = activeConnections.size;
-  return `nwss-ovpn${index}`;
+  // Inline-only config without explicit name: derive a stable name from a
+  // hash of the content so connect and disconnect resolve to the same name
+  // across calls. The old `nwss-ovpn${activeConnections.size}` used the
+  // live Map size, so disconnect computed a DIFFERENT name than connect
+  // did (size had grown in between) and silently failed to find the
+  // entry — the connection would leak until disconnectAll. Same fix as
+  // wireguard_vpn.js commit 478a3ad.
+  if (vpnConfig.config_inline) {
+    const hash = crypto.createHash('sha1').update(vpnConfig.config_inline).digest('hex').slice(0, 8);
+    return `nwss-ovpn${hash}`;
+  }
+  // Last resort — should be unreachable if validation ran first.
+  return 'nwss-ovpn-unknown';
 }
 /**
@@ -359,14 +384,23 @@ async function startConnection(configPath, vpnConfig, forceDebug = false) {
     return { success: true, connection: connectionName, tunDevice: existing.tunDevice, alreadyActive: true };
   }
-  // Kill any stale processes from a previous run using this config
-  try {
-    execSync(`sudo pkill -TERM -f "openvpn.*${connectionName}" 2>/dev/null`, {
-      encoding: 'utf8', timeout: 3000
-    });
-    // Brief wait for cleanup
-    execSync('sleep 1', { timeout: 3000 });
-  } catch {}
+  // Kill any stale processes from a previous run using this config.
+  // spawnSync with arg array (no shell) — connectionName flows from
+  // user config (vpnConfig.name). Naive shell interpolation here was
+  // vulnerable to '`; rm -rf ~; #' style injection.
+  const pkillRes = spawnSync('sudo', ['pkill', '-TERM', '-f', `openvpn.*${connectionName}`], {
+    encoding: 'utf8', timeout: 3000
+  });
+  // Only sleep if pkill actually matched + killed something (status 0).
+  // pkill exits 1 when no processes match — pre-execSync code threw on
+  // non-zero and the surrounding try/catch swallowed it, so the sleep
+  // never ran in the no-stale-process case. With spawnSync (no throw
+  // on non-zero), we have to gate this explicitly to preserve the same
+  // behavior — otherwise every fresh connect would waste 1s of
+  // blocking event loop.
+  if (pkillRes.status === 0) {
+    spawnSync('sleep', ['1'], { timeout: 3000 });
+  }
   ensureTempDir();
   const logPath = path.join(TEMP_DIR, `${connectionName}.log`);
@@ -411,7 +445,17 @@ async function startConnection(configPath, vpnConfig, forceDebug = false) {
   if (!result.connected) {
     // Kill the process if still running
     try { child.kill('SIGTERM'); } catch {}
-    setTimeout(() => { try { child.kill('SIGKILL'); } catch {} }, 3000);
+    // C2: check exitCode/signalCode before SIGKILL — child.kill uses the
+    // captured PID, and Linux PIDs can be reused. If the process already
+    // exited in the 3s window, a reused PID could belong to an unrelated
+    // process that we'd then SIGKILL. unref() lets the event loop exit
+    // naturally instead of waiting on this background cleanup timer.
+    const sigkillTimer = setTimeout(() => {
+      if (child.exitCode === null && child.signalCode === null) {
+        try { child.kill('SIGKILL'); } catch {}
+      }
+    }, 3000);
+    if (typeof sigkillTimer.unref === 'function') sigkillTimer.unref();
     return { success: false, connection: connectionName, error: result.error };
   }
@@ -441,21 +485,19 @@ function stopConnection(connectionName, forceDebug = false) {
   }
   try {
-    // Find the actual openvpn PID (child of sudo) and kill it
-    try {
-      execSync(`sudo pkill -TERM -f "openvpn.*${connectionName}" 2>/dev/null`, {
-        encoding: 'utf8', timeout: 3000
-      });
-    } catch {}
+    // Find the actual openvpn PID (child of sudo) and kill it.
+    // spawnSync with arg array — connectionName from user config, naive
+    // shell interpolation was vulnerable to ';rm -rf ~' style injection.
+    spawnSync('sudo', ['pkill', '-TERM', '-f', `openvpn.*${connectionName}`], {
+      encoding: 'utf8', timeout: 3000
+    });
     const killed = waitForProcessExit(info.pid, 5000);
     if (!killed) {
-      try {
-        execSync(`sudo pkill -9 -f "openvpn.*${connectionName}" 2>/dev/null`, {
-          encoding: 'utf8', timeout: 3000
-        });
-      } catch {}
-      }
+      spawnSync('sudo', ['pkill', '-9', '-f', `openvpn.*${connectionName}`], {
+        encoding: 'utf8', timeout: 3000
+      });
+    }
   } catch (killErr) {
     // Process may already be dead
     if (forceDebug) {
@@ -532,13 +574,18 @@ function checkConnection(connectionName, testHost = '1.1.1.1', forceDebug = fals
     return { connected: false, error: `OpenVPN process exited with code ${info.process.exitCode}` };
   }
-  // Ping through the tunnel interface
+  // Ping through the tunnel interface. spawnSync with arg array —
+  // testHost flows from user config (vpnConfig.test_host), naive shell
+  // interpolation was vulnerable to '1.1.1.1; rm -rf ~' style injection.
   try {
     const iface = info.tunDevice || 'tun0';
-    const result = execSync(
-      `ping -c 1 -W 5 -I ${iface} ${testHost} 2>&1`,
-      { encoding: 'utf8', timeout: 8000 }
-    );
+    const pingRes = spawnSync('ping', ['-c', '1', '-W', '5', '-I', iface, testHost], {
+      encoding: 'utf8', timeout: 8000
+    });
+    if (pingRes.status !== 0) {
+      throw new Error((pingRes.stderr || pingRes.stdout || '').split('\n')[0] || `ping failed for ${testHost}`);
+    }
+    const result = pingRes.stdout;
     const latencyMatch = result.match(/time=([0-9.]+)\s*ms/);
     const latencyMs = latencyMatch ? parseFloat(latencyMatch[1]) : null;
@@ -660,6 +707,23 @@ function validateOvpnConfig(ovpnConfig) {
     result.warnings.push('Both "config" and "config_inline" provided; "config" takes precedence');
   }
+  // D1: Validate user-provided connection 'name' to prevent path traversal
+  // via writeAuthFile/writeInlineConfig's path.join, AND to limit the blast
+  // radius of any future shell-interpolation that re-introduces ${name}.
+  // The current shell calls all use spawnSync with arg arrays (S1 fix), but
+  // the regex still blocks values that would confuse pkill's -f pattern
+  // match. Length 32 = generous for connection names but bounded.
+  // Mirror of wireguard_vpn.js F1 validation.
+  if (ovpnConfig.name !== undefined && ovpnConfig.name !== null) {
+    if (typeof ovpnConfig.name !== 'string' || !/^[a-zA-Z0-9_-]{1,32}$/.test(ovpnConfig.name)) {
+      result.isValid = false;
+      result.errors.push(
+        `Invalid 'name' value ${JSON.stringify(ovpnConfig.name)}: ` +
+        `must match /^[a-zA-Z0-9_-]{1,32}$/ (path-safe chars, max 32)`
+      );
+    }
+  }
   // Validate config file exists
   if (ovpnConfig.config) {
     const configPath = ovpnConfig.config;
@@ -796,7 +860,24 @@ async function connectForSite(siteConfig, forceDebug = false) {
       }
     }
-    const externalIP = getExternalIP(startResult.tunDevice);
+    // C3: Only fetch external IP when debug-logging would actually use it.
+    // getExternalIP runs up to 3 sequential 8s-timeout curls (~24s worst
+    // case of blocking event loop) per VPN connect. Without this gate,
+    // every successful OpenVPN connect burned 1-24s on a value that's
+    // only displayed in the nwss info log when present — and only
+    // genuinely useful for debugging. Matches wireguard_vpn.js's
+    // forceDebug-gated approach (commit b97dedb).
+    //
+    // UX trade-off: the nwss info log (nwss.js:2273) only shows the IP
+    // when forceDebug is on. Users wanting the IP in non-debug runs need
+    // --debug; same behavior as WireGuard.
+    let externalIP = null;
+    if (forceDebug) {
+      externalIP = getExternalIP(startResult.tunDevice);
+      if (externalIP) {
+        console.log(formatLogMessage('debug', `${OPENVPN_TAG} ${connectionName} external IP: ${externalIP}`));
+      }
+    }
     return { success: true, connection: connectionName, tunDevice: startResult.tunDevice, externalIP };
   }

package/lib/searchstring.js CHANGED Viewed

@@ -3,12 +3,12 @@
 const fs = require('fs');
 const { formatLogMessage, messageColors } = require('./colorize');
-const CURL_TAG = messageColors.processing('[curl]');
-// responseHandler is a separate code path (Puppeteer response listener,
-// not curl) — its debug output gets its own subsystem prefix so it's
-// distinguishable from curl-handler logs.
+// Subsystem tag for the Puppeteer response-listener path. createCurlHandler
+// + its CURL_TAG (and the downloadWithCurl/downloadWithRetry helpers) used
+// to live here but were dead — nwss.js imports the curl-based handler from
+// lib/curl.js instead. Removed in the same cleanup that drops those
+// functions.
 const SEARCHSTRING_TAG = messageColors.processing('[searchstring]');
-const { runProcess } = require('./spawn-async');
 const { grepContent } = require('./grep');
 // Configuration constants for search logic
@@ -51,83 +51,6 @@ function parseSearchStrings(searchstring, searchstringAnd) {
   };
 }
-/**
- * Downloads content using curl with appropriate headers and timeout
- * @param {string} url - The URL to download
- * @param {string} userAgent - User agent string to use
- * @param {number} timeout - Timeout in seconds (default: 30)
- * @returns {Promise<string>} The downloaded content
- */
-async function downloadWithCurl(url, userAgent = '', timeout = 30) {
-  const MAX_STDOUT_BYTES = 52428800; // 50MB, matches --max-filesize below
-  const curlArgs = [
-    '-s',
-    '-L',
-    '--max-time', timeout.toString(),
-    '--max-redirs', '5',
-    '--fail-with-body',
-    '--max-filesize', '52428800',
-    '--range', '0-52428799',
-    '--compressed'
-  ];
-  if (userAgent) curlArgs.push('-H', `User-Agent: ${userAgent}`);
-  curlArgs.push(
-    '-H', 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
-    '-H', 'Accept-Language: en-US,en;q=0.5',
-    '-H', 'Accept-Encoding: gzip, deflate',
-    '-H', 'Connection: keep-alive',
-    '-H', 'Upgrade-Insecure-Requests: 1'
-  );
-  curlArgs.push(url);
-  // Shared async-spawn helper — same streaming/cap/timeout/kill plumbing
-  // that used to be ~80 lines of inline boilerplate here.
-  const result = await runProcess('curl', curlArgs, {
-    timeout: timeout * 1000,
-    maxStdout: MAX_STDOUT_BYTES
-  });
-  if (result.error) throw new Error(`Curl failed for ${url}: ${result.error}`);
-  if (result.truncated) throw new Error(`Curl output exceeded ${MAX_STDOUT_BYTES} bytes for ${url}`);
-  if (result.signal) throw new Error(`Curl killed by signal ${result.signal} for ${url}`);
-  if (result.code !== 0) {
-    throw new Error(`Curl exited with status ${result.code}: ${result.stderr.toString('utf8')}`);
-  }
-  return result.stdout.toString('utf8');
-}
-/**
- * Downloads content with retry logic for transient failures
- * @param {string} url - The URL to download
- * @param {string} userAgent - User agent string to use
- * @param {number} timeout - Timeout in seconds
- * @param {number} retries - Number of retry attempts (default: 2)
- * @returns {Promise<string>} The downloaded content
- */
-async function downloadWithRetry(url, userAgent = '', timeout = 30, retries = 2) {
-  for (let attempt = 0; attempt <= retries; attempt++) {
-    try {
-      return await downloadWithCurl(url, userAgent, timeout);
-    } catch (err) {
-      // Don't retry on final attempt
-      if (attempt === retries) throw err;
-      // Only retry on specific transient errors
-      const shouldRetry = err.message.includes('timeout') ||
-                         err.message.includes('Connection refused') ||
-                         err.message.includes('502') ||
-                         err.message.includes('503') ||
-                         err.message.includes('Connection reset');
-      if (!shouldRetry) throw err;
-      // Exponential backoff: 1s, 2s, 4s...
-      await new Promise(resolve => setTimeout(resolve, 1000 * Math.pow(2, attempt)));
-    }
-  }
-}
 // Lookup table for the 6 named entities the previous chained-replace
 // handled. Hoisted out of safeDecodeXmlEntities so the object isn't
 // reallocated per call.
@@ -337,157 +260,6 @@ function shouldAnalyzeContentType(contentType) {
   return textTypes.some(type => normalizedType.startsWith(type));
 }
-/**
- * Creates a curl-based URL handler for downloading and optionally searching content
- * @param {object} config - Configuration object containing all necessary parameters
- * @returns {Function} URL handler function for curl-based content analysis
- */
-function createCurlHandler(config) {
-  const {
-    searchStrings,
-    searchStringsAnd,
-    hasSearchStringAnd,
-    regexes,
-    matchedDomains,
-    addMatchedDomain, // Helper function for adding domains
-    currentUrl,
-    perSiteSubDomains,
-    ignoreDomains,
-    matchesIgnoreDomain,
-    getRootDomain,
-    siteConfig,
-    dumpUrls,
-    matchedUrlsLogFile,
-    forceDebug,
-    userAgent,
-    resourceType, // Resource type from request
-    hasSearchString
-  } = config;
-  // Hoisted: currentUrl doesn't change for this handler's lifetime, so
-  // parsing its hostname once at handler-creation eliminates the
-  // per-request URL allocation.
-  let currentUrlHostname = '';
-  try { currentUrlHostname = new URL(currentUrl).hostname; } catch (_) {}
-  return async function curlHandler(requestUrl) {
-    // Regex check FIRST — cheap filter that skips ~99% of requests.
-    // Previously this ran AFTER a URL parse + domain-cache lookup;
-    // the parse is the expensive bit, so doing it after the cheap
-    // gate moves the cost off the hot path.
-    const matchesRegex = regexes.some(re => re.test(requestUrl));
-    if (!matchesRegex) return;
-    // Parse requestUrl ONCE and reuse. Was parsed 2-3 times.
-    let requestHostname;
-    try { requestHostname = new URL(requestUrl).hostname; } catch (_) { return; }
-    const reqDomain = perSiteSubDomains ? requestHostname : getRootDomain(requestUrl);
-    if (typeof config.isDomainAlreadyDetected === 'function' && config.isDomainAlreadyDetected(reqDomain)) {
-      if (forceDebug) {
-        console.log(formatLogMessage('debug', `${CURL_TAG} Skipping already detected domain: ${reqDomain}`));
-      }
-      return;
-    }
-    const isFirstParty = currentUrlHostname === requestHostname;
-    // Apply first-party/third-party filtering
-    if (isFirstParty && siteConfig.firstParty === false) {
-      if (forceDebug) {
-        console.log(formatLogMessage('debug', `${CURL_TAG} Skipping first-party request (firstParty=false): ${requestUrl}`));
-      }
-      return;
-    }
-    if (!isFirstParty && siteConfig.thirdParty === false) {
-      if (forceDebug) {
-        console.log(formatLogMessage('debug', `${CURL_TAG} Skipping third-party request (thirdParty=false): ${requestUrl}`));
-      }
-      return;
-    }
-    try {
-      if (forceDebug) {
-        console.log(formatLogMessage('debug', `${CURL_TAG} Downloading content from: ${requestUrl}`));
-      }
-      // If NO searchstring is defined, match immediately (like browser behavior)
-      if (!hasSearchString && !hasSearchStringAnd) {
-        if (!reqDomain || matchesIgnoreDomain(reqDomain, ignoreDomains)) {
-          return;
-        }
-        addMatchedDomain(reqDomain, resourceType);
-        const simplifiedUrl = getRootDomain(currentUrl);
-        if (siteConfig.verbose === 1) {
-          const partyType = isFirstParty ? 'first-party' : 'third-party';
-          const resourceInfo = resourceType ? ` (${resourceType})` : '';
-          console.log(`[match][${simplifiedUrl}] ${requestUrl} (${partyType}, curl) matched regex${resourceInfo}`);
-        }
-        if (dumpUrls) {
-          const timestamp = new Date().toISOString();
-          const partyType = isFirstParty ? 'first-party' : 'third-party';
-          const resourceInfo = resourceType ? ` (${resourceType})` : '';
-          try {
-            fs.appendFileSync(matchedUrlsLogFile,
-              `${timestamp} [match][${simplifiedUrl}] ${requestUrl} (${partyType}, curl)${resourceInfo}\n`);
-          } catch (logErr) {
-            console.warn(formatLogMessage('warn', `Failed to write to matched URLs log: ${logErr.message}`));
-          }
-        }
-        return;
-      }
-      // If searchstring IS defined, download and search content
-      const content = await downloadWithRetry(requestUrl, userAgent, 30);
-      // Check if content contains search strings (OR or AND logic)
-      const { found, matchedString, logicType, error } = searchContent(content, searchStrings, searchStringsAnd, '', requestUrl);
-      if (found) {
-        if (!reqDomain || matchesIgnoreDomain(reqDomain, ignoreDomains)) {
-          return;
-        }
-        addMatchedDomain(reqDomain, resourceType);
-        const simplifiedUrl = getRootDomain(currentUrl);
-        if (siteConfig.verbose === 1) {
-          const partyType = isFirstParty ? 'first-party' : 'third-party';
-          const resourceInfo = resourceType ? ` (${resourceType})` : '';
-          console.log(`[match][${simplifiedUrl}] ${requestUrl} (${partyType}, curl) contains searchstring (${logicType}): "${matchedString}"${resourceInfo}`);
-        }
-        if (dumpUrls) {
-          const timestamp = new Date().toISOString();
-          const partyType = isFirstParty ? 'first-party' : 'third-party';
-          const resourceInfo = resourceType ? ` (${resourceType})` : '';
-          try {
-            fs.appendFileSync(matchedUrlsLogFile,
-              `${timestamp} [match][${simplifiedUrl}] ${requestUrl} (${partyType}, curl, searchstring (${logicType}): "${matchedString}")${resourceInfo}\n`);
-          } catch (logErr) {
-            console.warn(formatLogMessage('warn', `Failed to write to matched URLs log: ${logErr.message}`));
-          }
-        }
-      } else if (forceDebug) {
-        const partyType = isFirstParty ? 'first-party' : 'third-party';
-        console.log(formatLogMessage('debug', `${CURL_TAG} ${requestUrl} (${partyType}) matched regex but no searchstring found`));
-        if (error) {
-          console.log(formatLogMessage('debug', `${CURL_TAG} Search error: ${error}`));
-        }
-      }
-    } catch (err) {
-      if (forceDebug) {
-        console.log(formatLogMessage('debug', `${CURL_TAG} Failed to download content for ${requestUrl}: ${err.message}`));
-      }
-    }
-  };
-}
 /**
  * Creates a response handler function for the given configuration
  * @param {object} config - Configuration object containing all necessary parameters
@@ -758,14 +530,20 @@ function validateSearchString(searchstring, searchstringAnd) {
   return { isValid: true, error: null };
 }
+// Public surface used by nwss.js (parseSearchStrings, createResponseHandler)
+// and lib/validate_rules.js (validateSearchString). searchContent,
+// safeDecodeXmlEntities, and shouldAnalyzeContentType stay exported as
+// reasonable internal-helper API surface even though current external
+// consumers don't import them. createCurlHandler + downloadWithCurl +
+// downloadWithRetry were removed entirely — createCurlHandler had no
+// external invocations (nwss.js imported the name but never called it,
+// using lib/curl.js's version instead), and the download helpers were
+// only consumed by createCurlHandler.
 module.exports = {
   parseSearchStrings,
   searchContent,
   safeDecodeXmlEntities,
   shouldAnalyzeContentType,
   createResponseHandler,
-  createCurlHandler,
-  downloadWithCurl,
-  validateSearchString,
-  downloadWithRetry
+  validateSearchString
 };