@fanboynz/network-scanner 3.0.3 → 3.1.2

package/lib/nettools.js

@@ -561,8 +561,19 @@ async function whoisLookup(domain = '', timeout = 10000, whoisServer = '', debug
 
     const { stdout, stderr } = await execFileWithTimeout('whois', whoisArgs, timeout);
     const duration = Date.now() - startTime;
-    
-    if (stderr && stderr.trim()) {
+
+    // Treat stderr as failure ONLY when there's no usable stdout. Many whois
+    // servers/clients emit non-fatal notices to stderr — referral/redirect
+    // lines, rate-limit and GDPR "data redacted" banners, registry
+    // disclaimers — while returning the real record on stdout. The old "any
+    // stderr -> fail" path discarded those valid records (and triggered
+    // needless fallback retries in whoisLookupWithRetry). When stdout has
+    // content we prefer it and treat the lookup as successful; the downstream
+    // term match is the real gate, so this can't manufacture a match. stderr
+    // is still surfaced in debug logging below for visibility.
+    const hasUsableStdout = !!(stdout && stdout.trim());
+
+    if (!hasUsableStdout && stderr && stderr.trim()) {
       if (debugMode) {
         if (logFunc) {
           logFunc(`${messageColors.highlight('[whois]')} Lookup failed for ${cleanDomain} after ${duration}ms`);
@@ -604,6 +615,14 @@ async function whoisLookup(domain = '', timeout = 10000, whoisServer = '', debug
         console.log(formatLogMessage('debug', `${messageColors.highlight('[whois]')} Server: ${selectedServer || 'default'}`));
         console.log(formatLogMessage('debug', `${messageColors.highlight('[whois]')} Output length: ${stdout.length} characters`));
       }
+      // Non-fatal stderr alongside usable stdout — kept visible so a real
+      // problem (truncation, partial referral) is still diagnosable even
+      // though we're treating the lookup as a success.
+      if (stderr && stderr.trim()) {
+        const note = `${messageColors.highlight('[whois]')} Non-fatal stderr (stdout used): ${stderr.trim()}`;
+        if (logFunc) logFunc(note);
+        else console.log(formatLogMessage('debug', note));
+      }
     }
     
     return {
@@ -1021,66 +1040,6 @@ async function digLookup(domain = '', recordType = 'A', timeout = 5000) {
   }
 }
 
-/**
- * Checks if whois output contains all specified search terms (AND logic)
- * @param {string} whoisOutput - The whois lookup output
- * @param {Array<string>} searchTerms - Array of terms that must all be present
- * @returns {boolean} True if all terms are found
- */
-function checkWhoisTerms(whoisOutput, searchTerms) {
-  if (!searchTerms || !Array.isArray(searchTerms) || searchTerms.length === 0) {
-    return false;
-  }
-  
-  const lowerOutput = whoisOutput.toLowerCase();
-  return searchTerms.every(term => lowerOutput.includes(term.toLowerCase()));
-}
-
-/**
- * Checks if whois output contains any of the specified search terms (OR logic)
- * @param {string} whoisOutput - The whois lookup output
- * @param {Array<string>} searchTerms - Array of terms where at least one must be present
- * @returns {boolean} True if any term is found
- */
-function checkWhoisTermsOr(whoisOutput, searchTerms) {
-  if (!searchTerms || !Array.isArray(searchTerms) || searchTerms.length === 0) {
-    return false;
-  }
-  
-  const lowerOutput = whoisOutput.toLowerCase();
-  return searchTerms.some(term => lowerOutput.includes(term.toLowerCase()));
-}
-
-/**
- * Checks if dig output contains all specified search terms (AND logic)
- * @param {string} digOutput - The dig lookup output
- * @param {Array<string>} searchTerms - Array of terms that must all be present
- * @returns {boolean} True if all terms are found
- */
-function checkDigTerms(digOutput, searchTerms) {
-  if (!searchTerms || !Array.isArray(searchTerms) || searchTerms.length === 0) {
-    return false;
-  }
-  
-  const lowerOutput = digOutput.toLowerCase();
-  return searchTerms.every(term => lowerOutput.includes(term.toLowerCase()));
-}
-
-/**
- * Checks if dig output contains any of the specified search terms (OR logic)
- * @param {string} digOutput - The dig lookup output
- * @param {Array<string>} searchTerms - Array of terms where at least one must be present
- * @returns {boolean} True if any term is found
- */
-function checkDigTermsOr(digOutput, searchTerms) {
-  if (!searchTerms || !Array.isArray(searchTerms) || searchTerms.length === 0) {
-    return false;
-  }
-  
-  const lowerOutput = digOutput.toLowerCase();
-  return searchTerms.some(term => lowerOutput.includes(term.toLowerCase()));
-}
-
 /**
  * Enhanced dry run callback factory for better nettools reporting
  * @param {Map} matchedDomains - The matched domains collection
@@ -1221,7 +1180,20 @@ function createNetToolsHandler(config) {
     const digDedupeKey = `${digDomain}:${digConfigKey}`;
     const needsWhoisLookup = (hasWhois || hasWhoisOr) && !processedWhoisDomains.has(whoisDedupeKey);
     const needsDigLookup = (hasDig || hasDigOr) && !processedDigDomains.has(digDedupeKey);
-    
+
+    // Claim the dedupe keys NOW, synchronously, before executeNetToolsLookup
+    // hits its first await. These Sets are shared across all concurrent URL
+    // handlers, so the .has() checks above and these .add() claims must sit in
+    // the same uninterrupted synchronous span to be atomic. The whois claim
+    // was already safe (its add ran before any await), but the dig claim used
+    // to live AFTER the whois lookup's await — opening a window where a second
+    // handler for the same domain passed the dig check before the first
+    // claimed it, running dig twice. Claiming both here closes that window.
+    // Matches the existing claim-before-lookup semantics (no rollback on
+    // failure: a failed lookup still suppresses retries for the TTL).
+    if (needsWhoisLookup) processedWhoisDomains.add(whoisDedupeKey);
+    if (needsDigLookup) processedDigDomains.add(digDedupeKey);
+
     // Skip if we don't need to perform any lookups
     if (!needsWhoisLookup && !needsDigLookup) {
       if (forceDebug) {
@@ -1320,9 +1292,9 @@ function createNetToolsHandler(config) {
       
       // Perform whois lookup if either whois or whois-or is configured
       if (needsWhoisLookup) {
-        // Mark whois root domain+config as being processed
-        processedWhoisDomains.add(whoisDedupeKey);
-        
+        // Dedupe key already claimed up-front (before the first await) to keep
+        // the has()/add() span atomic across concurrent handlers.
+
         // Check whois cache first - cache key includes server for accuracy
         const selectedServer = selectWhoisServer(whoisServer, whoisServerMode);
         const whoisCacheKey = `${whoisRootDomain}-${(selectedServer && selectedServer !== '') ? selectedServer : 'default'}`;
@@ -1438,11 +1410,10 @@ function createNetToolsHandler(config) {
         if (whoisResult) {
 
           if (whoisResult.success) {
-            // Lowercase the output ONCE — checkWhoisTerms / checkWhoisTermsOr
-            // each call .toLowerCase() on their input independently, which
-            // re-allocates a multi-KB lowercased string per call. Pre-lowering
-            // here lets the AND check, OR check, and matched-term find share
-            // a single allocation.
+            // Lowercase the output ONCE. The AND check, OR check, and
+            // matched-term find below each need a lowercased copy; doing it
+            // per-check would re-allocate a multi-KB string each time, so
+            // pre-lower here and let all three share a single allocation.
             const whoisOutputLower = whoisResult.output.toLowerCase();
 
             // Check AND terms if configured
@@ -1578,9 +1549,10 @@ function createNetToolsHandler(config) {
       
       // Perform dig lookup if configured
       if (needsDigLookup) {
-        // Mark dig domain+config as being processed (includes specific subdomain)
-        processedDigDomains.add(digDedupeKey);
-        
+        // Dedupe key already claimed up-front (before the first await) to keep
+        // the has()/add() span atomic across concurrent handlers — this used
+        // to claim here, after the whois await, which left the race window.
+
         if (forceDebug) {
           const digTypes = [];
           if (hasDig) digTypes.push('dig-and');
@@ -1826,8 +1798,7 @@ function createNetToolsHandler(config) {
 
 // Public surface kept narrow on purpose -- only what nwss.js actually
 // imports (verified via repo-wide grep). Internal helpers
-// (whoisLookup, whoisLookupWithRetry, digLookup, checkWhoisTerms,
-// checkWhoisTermsOr, checkDigTerms, checkDigTermsOr, selectWhoisServer,
+// (whoisLookup, whoisLookupWithRetry, digLookup, selectWhoisServer,
 // getCommonWhoisServers, suggestWhoisServers, execFileWithTimeout,
 // markResolved, digOutputIndicatesResolution, loadDiskCache,
 // saveDiskCache, enforceCacheCap, stripAnsiColors) stay as module-local

package/lib/openvpn_vpn.js

@@ -8,7 +8,8 @@
 // VPN tunnel � not just the site that requested it. For isolated
 // per-site VPN with concurrency, a SOCKS proxy approach is needed.
 
-const { execSync, spawn } = require('child_process');
+const { execSync, spawn, spawnSync } = require('child_process');
+const crypto = require('crypto');
 const fs = require('fs');
 const path = require('path');
 const { formatLogMessage, messageColors } = require('./colorize');
@@ -22,10 +23,17 @@ const OPENVPN_TAG = messageColors.processing('[openvpn]');
 function getExternalIP(tunDevice) {
   const services = ['https://api.ipify.org', 'https://ifconfig.me/ip', 'https://icanhazip.com'];
   for (const service of services) {
-    try {
-      const iface = tunDevice ? `--interface ${tunDevice}` : '';
-      return execSync(`curl -s -m 5 ${iface} ${service}`, { encoding: 'utf8', timeout: 8000 }).trim();
-    } catch {}
+    // spawnSync with arg array (no shell) — tunDevice flows from
+    // findTunDevice (kernel-assigned /sys/class/net names, practically
+    // safe) but the pattern with execSync + interpolation was bad style.
+    // Match wireguard_vpn.js's spawn-array approach for consistency.
+    const args = ['-s', '-m', '5'];
+    if (tunDevice) args.push('--interface', tunDevice);
+    args.push(service);
+    const result = spawnSync('curl', args, { encoding: 'utf8', timeout: 8000 });
+    if (result.status === 0 && result.stdout) {
+      return result.stdout.trim();
+    }
   }
   return null;
 }
@@ -127,7 +135,13 @@ function checkTunDevice() {
  * Ensure temp directory exists with secure permissions
  */
 function ensureTempDir() {
-  fs.mkdirSync(TEMP_DIR, { recursive: true, mode: 0o755 });
+  // 0o700 matches wireguard_vpn.js — other users on the box can't list
+  // the dir to discover which connection names exist. Individual files
+  // inside are already 0o600 so contents were safe before, but directory
+  // listing leaked the connection-name list. Note: mode is only applied
+  // on creation; an existing dir from a prior run with mode 0o755 keeps
+  // its mode until disconnectAll's rm -rf + next session creates fresh.
+  fs.mkdirSync(TEMP_DIR, { recursive: true, mode: 0o700 });
 }
 
 /**
@@ -169,8 +183,19 @@ function resolveConnectionName(vpnConfig) {
   if (vpnConfig.config) {
     return path.basename(vpnConfig.config, '.ovpn');
   }
-  const index = activeConnections.size;
-  return `nwss-ovpn${index}`;
+  // Inline-only config without explicit name: derive a stable name from a
+  // hash of the content so connect and disconnect resolve to the same name
+  // across calls. The old `nwss-ovpn${activeConnections.size}` used the
+  // live Map size, so disconnect computed a DIFFERENT name than connect
+  // did (size had grown in between) and silently failed to find the
+  // entry — the connection would leak until disconnectAll. Same fix as
+  // wireguard_vpn.js commit 478a3ad.
+  if (vpnConfig.config_inline) {
+    const hash = crypto.createHash('sha1').update(vpnConfig.config_inline).digest('hex').slice(0, 8);
+    return `nwss-ovpn${hash}`;
+  }
+  // Last resort — should be unreachable if validation ran first.
+  return 'nwss-ovpn-unknown';
 }
 
 /**
@@ -359,14 +384,23 @@ async function startConnection(configPath, vpnConfig, forceDebug = false) {
     return { success: true, connection: connectionName, tunDevice: existing.tunDevice, alreadyActive: true };
   }
 
-  // Kill any stale processes from a previous run using this config
-  try {
-    execSync(`sudo pkill -TERM -f "openvpn.*${connectionName}" 2>/dev/null`, {
-      encoding: 'utf8', timeout: 3000
-    });
-    // Brief wait for cleanup
-    execSync('sleep 1', { timeout: 3000 });
-  } catch {}
+  // Kill any stale processes from a previous run using this config.
+  // spawnSync with arg array (no shell) — connectionName flows from
+  // user config (vpnConfig.name). Naive shell interpolation here was
+  // vulnerable to '`; rm -rf ~; #' style injection.
+  const pkillRes = spawnSync('sudo', ['pkill', '-TERM', '-f', `openvpn.*${connectionName}`], {
+    encoding: 'utf8', timeout: 3000
+  });
+  // Only sleep if pkill actually matched + killed something (status 0).
+  // pkill exits 1 when no processes match — pre-execSync code threw on
+  // non-zero and the surrounding try/catch swallowed it, so the sleep
+  // never ran in the no-stale-process case. With spawnSync (no throw
+  // on non-zero), we have to gate this explicitly to preserve the same
+  // behavior — otherwise every fresh connect would waste 1s of
+  // blocking event loop.
+  if (pkillRes.status === 0) {
+    spawnSync('sleep', ['1'], { timeout: 3000 });
+  }
 
   ensureTempDir();
   const logPath = path.join(TEMP_DIR, `${connectionName}.log`);
@@ -411,7 +445,17 @@ async function startConnection(configPath, vpnConfig, forceDebug = false) {
   if (!result.connected) {
     // Kill the process if still running
     try { child.kill('SIGTERM'); } catch {}
-    setTimeout(() => { try { child.kill('SIGKILL'); } catch {} }, 3000);
+    // C2: check exitCode/signalCode before SIGKILL — child.kill uses the
+    // captured PID, and Linux PIDs can be reused. If the process already
+    // exited in the 3s window, a reused PID could belong to an unrelated
+    // process that we'd then SIGKILL. unref() lets the event loop exit
+    // naturally instead of waiting on this background cleanup timer.
+    const sigkillTimer = setTimeout(() => {
+      if (child.exitCode === null && child.signalCode === null) {
+        try { child.kill('SIGKILL'); } catch {}
+      }
+    }, 3000);
+    if (typeof sigkillTimer.unref === 'function') sigkillTimer.unref();
     return { success: false, connection: connectionName, error: result.error };
   }
 
@@ -441,21 +485,19 @@ function stopConnection(connectionName, forceDebug = false) {
   }
 
   try {
-    // Find the actual openvpn PID (child of sudo) and kill it
-    try {
-      execSync(`sudo pkill -TERM -f "openvpn.*${connectionName}" 2>/dev/null`, {
-        encoding: 'utf8', timeout: 3000
-      });
-    } catch {}
+    // Find the actual openvpn PID (child of sudo) and kill it.
+    // spawnSync with arg array — connectionName from user config, naive
+    // shell interpolation was vulnerable to ';rm -rf ~' style injection.
+    spawnSync('sudo', ['pkill', '-TERM', '-f', `openvpn.*${connectionName}`], {
+      encoding: 'utf8', timeout: 3000
+    });
 
     const killed = waitForProcessExit(info.pid, 5000);
     if (!killed) {
-      try {
-        execSync(`sudo pkill -9 -f "openvpn.*${connectionName}" 2>/dev/null`, {
-          encoding: 'utf8', timeout: 3000
-        });
-      } catch {}
-      }
+      spawnSync('sudo', ['pkill', '-9', '-f', `openvpn.*${connectionName}`], {
+        encoding: 'utf8', timeout: 3000
+      });
+    }
   } catch (killErr) {
     // Process may already be dead
     if (forceDebug) {
@@ -532,13 +574,18 @@ function checkConnection(connectionName, testHost = '1.1.1.1', forceDebug = fals
     return { connected: false, error: `OpenVPN process exited with code ${info.process.exitCode}` };
   }
 
-  // Ping through the tunnel interface
+  // Ping through the tunnel interface. spawnSync with arg array —
+  // testHost flows from user config (vpnConfig.test_host), naive shell
+  // interpolation was vulnerable to '1.1.1.1; rm -rf ~' style injection.
   try {
     const iface = info.tunDevice || 'tun0';
-    const result = execSync(
-      `ping -c 1 -W 5 -I ${iface} ${testHost} 2>&1`,
-      { encoding: 'utf8', timeout: 8000 }
-    );
+    const pingRes = spawnSync('ping', ['-c', '1', '-W', '5', '-I', iface, testHost], {
+      encoding: 'utf8', timeout: 8000
+    });
+    if (pingRes.status !== 0) {
+      throw new Error((pingRes.stderr || pingRes.stdout || '').split('\n')[0] || `ping failed for ${testHost}`);
+    }
+    const result = pingRes.stdout;
 
     const latencyMatch = result.match(/time=([0-9.]+)\s*ms/);
     const latencyMs = latencyMatch ? parseFloat(latencyMatch[1]) : null;
@@ -660,6 +707,23 @@ function validateOvpnConfig(ovpnConfig) {
     result.warnings.push('Both "config" and "config_inline" provided; "config" takes precedence');
   }
 
+  // D1: Validate user-provided connection 'name' to prevent path traversal
+  // via writeAuthFile/writeInlineConfig's path.join, AND to limit the blast
+  // radius of any future shell-interpolation that re-introduces ${name}.
+  // The current shell calls all use spawnSync with arg arrays (S1 fix), but
+  // the regex still blocks values that would confuse pkill's -f pattern
+  // match. Length 32 = generous for connection names but bounded.
+  // Mirror of wireguard_vpn.js F1 validation.
+  if (ovpnConfig.name !== undefined && ovpnConfig.name !== null) {
+    if (typeof ovpnConfig.name !== 'string' || !/^[a-zA-Z0-9_-]{1,32}$/.test(ovpnConfig.name)) {
+      result.isValid = false;
+      result.errors.push(
+        `Invalid 'name' value ${JSON.stringify(ovpnConfig.name)}: ` +
+        `must match /^[a-zA-Z0-9_-]{1,32}$/ (path-safe chars, max 32)`
+      );
+    }
+  }
+
   // Validate config file exists
   if (ovpnConfig.config) {
     const configPath = ovpnConfig.config;
@@ -796,7 +860,24 @@ async function connectForSite(siteConfig, forceDebug = false) {
       }
     }
 
-    const externalIP = getExternalIP(startResult.tunDevice);
+    // C3: Only fetch external IP when debug-logging would actually use it.
+    // getExternalIP runs up to 3 sequential 8s-timeout curls (~24s worst
+    // case of blocking event loop) per VPN connect. Without this gate,
+    // every successful OpenVPN connect burned 1-24s on a value that's
+    // only displayed in the nwss info log when present — and only
+    // genuinely useful for debugging. Matches wireguard_vpn.js's
+    // forceDebug-gated approach (commit b97dedb).
+    //
+    // UX trade-off: the nwss info log (nwss.js:2273) only shows the IP
+    // when forceDebug is on. Users wanting the IP in non-debug runs need
+    // --debug; same behavior as WireGuard.
+    let externalIP = null;
+    if (forceDebug) {
+      externalIP = getExternalIP(startResult.tunDevice);
+      if (externalIP) {
+        console.log(formatLogMessage('debug', `${OPENVPN_TAG} ${connectionName} external IP: ${externalIP}`));
+      }
+    }
     return { success: true, connection: connectionName, tunDevice: startResult.tunDevice, externalIP };
   }
 

package/lib/proxy.js

@@ -253,8 +253,12 @@ function getProxyArgs(siteConfig, forceDebug = false) {
     console.warn(formatLogMessage('proxy', `proxy_remote_dns ignored: SOCKS4 cannot do proxy-side DNS resolution (use SOCKS5)`));
   }
 
-  // Bypass list: domains that skip the proxy
-  const bypass = siteConfig.proxy_bypass || siteConfig.socks5_bypass || [];
+  // Bypass list: domains that skip the proxy. Accept either an array (the
+  // documented form) or a single string — a bare "localhost" used to throw
+  // `bypass.join is not a function` here, in the browser-launch path. Same
+  // string-or-array tolerance as the dig/whois siteConfig fields.
+  const rawBypass = siteConfig.proxy_bypass || siteConfig.socks5_bypass || [];
+  const bypass = Array.isArray(rawBypass) ? rawBypass : [rawBypass];
   if (bypass.length > 0) {
     args.push(`--proxy-bypass-list=${bypass.join(';')}`);
   }