npm - @fanboynz/network-scanner - Versions diffs - 3.0.3 → 3.1.2 - Mend

@fanboynz/network-scanner 3.0.3 → 3.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/lib/wireguard_vpn.js CHANGED Viewed

@@ -33,8 +33,15 @@ function getExternalIP(interfaceName) {
 // Track active interfaces for cleanup
 const activeInterfaces = new Map();
-// Temp config directory for inline configs
-const TEMP_CONFIG_DIR = '/tmp/nwss-wireguard';
+// Temp config directory for inline configs — namespaced per process.
+// disconnectAll() rmSync's this whole directory on exit; a fixed shared path
+// meant two concurrent nwss processes using inline configs would clobber each
+// other: the first to exit deleted the survivor's live .conf, so its
+// `wg-quick down <path>` then failed (file gone) and the kernel interface
+// leaked. Scoping to the PID keeps each process's teardown to its own files.
+// (Stale dirs from a crashed process are left for manual cleanup — sweeping
+// them would reintroduce the same cross-process destruction this avoids.)
+const TEMP_CONFIG_DIR = path.join('/tmp/nwss-wireguard', String(process.pid));
 /**
  * Check if running with sufficient privileges
@@ -85,9 +92,11 @@ function resolveInterfaceName(vpnConfig) {
  * @returns {string} Path to temp config file
  */
 function writeInlineConfig(interfaceName, configContent) {
-  if (!fs.existsSync(TEMP_CONFIG_DIR)) {
-    fs.mkdirSync(TEMP_CONFIG_DIR, { recursive: true, mode: 0o700 });
-  }
+  // mkdirSync with recursive:true is a no-op when the directory exists,
+  // so the prior existsSync gate was redundant. Saves one stat() syscall
+  // per VPN bringup and follows the standard "act, don't check-then-act"
+  // idiom (also avoids a microscopic TOCTOU window).
+  fs.mkdirSync(TEMP_CONFIG_DIR, { recursive: true, mode: 0o700 });
   const configPath = path.join(TEMP_CONFIG_DIR, `${interfaceName}.conf`);
   fs.writeFileSync(configPath, configContent, { mode: 0o600 });
@@ -114,6 +123,14 @@ function interfaceUp(configPath, interfaceName, forceDebug = false) {
     // spawnSync with arg array (no shell) — configPath comes from user
     // JSON, so naive `sudo wg-quick up "${configPath}"` was vulnerable
     // to a `";rm -rf ~;"` payload escaping the quotes.
+    //
+    // NOTE: an "already exists" failure here usually means a previous
+    // run's teardown failed and left the kernel interface alive. Recover
+    // manually with `sudo wg-quick down <name>` or `sudo ip link delete
+    // <name>`. A self-heal mechanism was tried (commit e032bde) and
+    // reverted because it raced with concurrent nwss processes sharing
+    // the same VPN config — process B's self-heal would destroy process
+    // A's live interface. Keep the manual-recovery default for safety.
     const upRes = spawnSync('sudo', ['wg-quick', 'up', configPath], {
       encoding: 'utf8',
       timeout: 15000
@@ -193,10 +210,12 @@ function interfaceDown(interfaceName, forceDebug = false) {
     // down failure where the kernel interface might persist briefly.
     // Was previously only inside the try block, so failure paths
     // leaked the temp file.
+    //
+    // No existsSync gate — unlinkSync throws ENOENT for missing files
+    // and the try/catch already swallows it. Saves one stat() and
+    // closes a microscopic TOCTOU window.
     const tempPath = path.join(TEMP_CONFIG_DIR, `${interfaceName}.conf`);
-    if (fs.existsSync(tempPath)) {
-      try { fs.unlinkSync(tempPath); } catch {}
-    }
+    try { fs.unlinkSync(tempPath); } catch {}
   }
 }
@@ -310,6 +329,22 @@ function validateVpnConfig(vpnConfig) {
     result.warnings.push('Both "config" and "config_inline" provided; "config" takes precedence');
   }
+  // F1: Validate user-provided interface name to prevent path traversal via
+  // resolveInterfaceName → writeInlineConfig's path.join. Also enforces
+  // Linux IFNAMSIZ (15 chars max). User would need to attack their own
+  // config (same trust boundary as rest of nwss + must run as root for WG),
+  // so this is defensive rather than security-critical — but the validation
+  // catches typos that would otherwise produce confusing wg-quick errors.
+  if (vpnConfig.interface !== undefined && vpnConfig.interface !== null) {
+    if (typeof vpnConfig.interface !== 'string' || !/^[a-zA-Z0-9_-]{1,15}$/.test(vpnConfig.interface)) {
+      result.isValid = false;
+      result.errors.push(
+        `Invalid 'interface' name ${JSON.stringify(vpnConfig.interface)}: ` +
+        `must match /^[a-zA-Z0-9_-]{1,15}$/ (Linux IFNAMSIZ limit + path-safe chars)`
+      );
+    }
+  }
   // Validate config file exists
   if (vpnConfig.config) {
     const configPath = vpnConfig.config;
@@ -365,8 +400,11 @@ async function connectForSite(siteConfig, forceDebug = false) {
   const interfaceName = resolveInterfaceName(vpnConfig);
-  // Resolve config path
-  let configPath;
+  // Resolve config path. A file-based config path is fixed up-front; an
+  // inline config is a temp file we (re)write inside the retry loop below
+  // (it can't be hoisted — see the writeInlineConfig call for why).
+  const useInlineConfig = !vpnConfig.config;
+  let configPath = null;
   if (vpnConfig.config) {
     configPath = vpnConfig.config;
     // Resolve wg-quick style: if no path separators, look in /etc/wireguard/
@@ -376,8 +414,6 @@ async function connectForSite(siteConfig, forceDebug = false) {
         configPath = etcPath;
       }
     }
-  } else {
-    configPath = writeInlineConfig(interfaceName, vpnConfig.config_inline);
   }
   const maxAttempts = vpnConfig.retry ? vpnConfig.max_retries + 1 : 1;
@@ -395,9 +431,25 @@ async function connectForSite(siteConfig, forceDebug = false) {
       await new Promise(resolve => setTimeout(resolve, 2000));
     }
+    // (Re)write the inline temp config before each attempt. interfaceDown's
+    // finally unlinks the temp .conf (both the retry reset just above and any
+    // teardown from a prior run), so hoisting this above the loop meant a
+    // retry's `wg-quick up` ran against a deleted file and always failed.
+    // Idempotent on the first attempt.
+    if (useInlineConfig) {
+      configPath = writeInlineConfig(interfaceName, vpnConfig.config_inline);
+    }
     const upResult = interfaceUp(configPath, interfaceName, forceDebug);
     if (!upResult.success) {
       if (attempt === maxAttempts) {
+        // interfaceUp never registered the interface (no activeInterfaces
+        // entry), so interfaceDown's finally won't run to clean the temp.
+        // Unlink the inline config here so a fully-failed connect doesn't
+        // leave a PrivateKey-bearing .conf in /tmp until process exit.
+        if (useInlineConfig && configPath) {
+          try { fs.unlinkSync(configPath); } catch {}
+        }
         return upResult;
       }
       continue;