@howlil/ez-agents 3.4.2 → 4.0.0

package/ez-agents/bin/lib/safe-exec.cjs

@@ -1,214 +1,128 @@
-#!/usr/bin/env node
-
-/**
- * EZ Safe Exec — Secure command execution with allowlist and validation
- *
- * Prevents command injection by:
- * - Using execFile instead of execSync with string concatenation
- * - Validating commands against allowlist
- * - Blocking dangerous shell metacharacters in arguments
- * - Logging all commands for audit
- * - Cross-platform shell detection (Windows: powershell/cmd, Unix: bash)
- *
- * Usage:
- *   const { safeExec, safeExecJSON, getShellConfig } = require('./safe-exec.cjs');
- *   const result = await safeExec('git', ['status']);
- */
-
-const { execFile, spawn } = require('child_process');
-const { promisify } = require('util');
-const os = require('os');
-const execFileAsync = promisify(execFile);
-const Logger = require('./logger.cjs');
-const logger = new Logger();
-
-// Allowlist of safe commands
-const ALLOWED_COMMANDS = new Set([
-  'git', 'node', 'npm', 'npx', 'find', 'grep', 'head', 'tail', 'wc',
-  'mkdir', 'cp', 'mv', 'rm', 'cat', 'echo', 'test', 'ls', 'dir',
-  'pwd', 'cd', 'type', 'where', 'which', 'chmod', 'touch'
-]);
-
-// Dangerous shell metacharacters that could enable injection
-const DANGEROUS_PATTERN = /[;&|`$(){}\\<>]/;
-
-/**
- * Get shell configuration for current platform
- * Returns shell executable and any platform-specific flags
- * @returns {{shell: string, shellFlag: string}} - Shell config object
- */
-function getShellConfig() {
-  const platform = process.platform;
-  
-  if (platform === 'win32') {
-    // Windows: prefer PowerShell if available, fallback to cmd.exe
-    // Check if PowerShell is available
-    try {
-      // PowerShell Core (pwsh) or Windows PowerShell (powershell)
-      const pwshPath = require('path').join(
-        process.env.ProgramFiles || 'C:\\Program Files',
-        'PowerShell', '7', 'pwsh.exe'
-      );
-      if (require('fs').existsSync(pwshPath)) {
-        return { shell: 'pwsh', shellFlag: '-Command' };
-      }
-      return { shell: 'powershell', shellFlag: '-Command' };
-    } catch {
-      return { shell: 'cmd', shellFlag: '/C' };
-    }
-  }
-  
-  // Unix-like platforms (macOS, Linux): use bash or sh
-  return { shell: 'bash', shellFlag: '-c' };
-}
-
-/**
- * Execute a shell command with platform-appropriate shell
- * @param {string} command - Full command string to execute
- * @param {Object} options - Execution options
- * @returns {Promise<string>} - Command stdout
- */
-async function safeShellExec(command, options = {}) {
-  const { timeout = 30000, log = true } = options;
-  const { shell, shellFlag } = getShellConfig();
-  
-  const startTime = Date.now();
-  
-  try {
-    if (log) {
-      logger.info('Executing shell command', {
-        command,
-        shell,
-        platform: process.platform,
-        timestamp: new Date().toISOString()
-      });
-    }
-    
-    const result = await execFileAsync(shell, [shellFlag, command], {
-      timeout,
-      maxBuffer: 10 * 1024 * 1024, // 10MB buffer
-      windowsHide: true // Prevent console flash on Windows
-    });
-    
-    const duration = Date.now() - startTime;
-    if (log) {
-      logger.debug('Shell command completed', {
-        command,
-        shell,
-        duration,
-        stdout_length: result.stdout?.length || 0
-      });
-    }
-    
-    return result.stdout.trim();
-  } catch (err) {
-    const duration = Date.now() - startTime;
-    logger.error('Shell command failed', {
-      command,
-      shell,
-      error: err.message,
-      duration,
-      code: err.code,
-      signal: err.signal,
-      platform: process.platform
-    });
-    throw err;
-  }
-}
-
-/**
- * Validate command is in allowlist
- * @param {string} cmd - Command to validate
- * @throws {Error} If command not allowed
- */
-function validateCommand(cmd) {
-  const baseCmd = cmd.split(' ')[0].toLowerCase();
-  if (!ALLOWED_COMMANDS.has(baseCmd)) {
-    throw new Error(`Command not allowed: ${cmd}. Allowed: ${Array.from(ALLOWED_COMMANDS).join(', ')}`);
-  }
-}
-
-/**
- * Validate arguments don't contain injection patterns
- * @param {string[]} args - Arguments to validate
- * @throws {Error} If dangerous pattern found
- */
-function validateArgs(args) {
-  for (const arg of args) {
-    if (DANGEROUS_PATTERN.test(arg)) {
-      throw new Error(`Dangerous argument rejected: ${arg}`);
-    }
-  }
-}
-
-/**
- * Execute command safely with validation and logging
- * @param {string} cmd - Command to execute
- * @param {string[]} args - Command arguments
- * @param {Object} options - Execution options
- * @returns {Promise<string>} - Command stdout
- */
-async function safeExec(cmd, args = [], options = {}) {
-  const { timeout = 30000, log = true } = options;
-  
-  // Validate command and arguments
-  validateCommand(cmd);
-  validateArgs(args);
-  
-  const startTime = Date.now();
-  
-  try {
-    if (log) {
-      logger.info('Executing command', { 
-        cmd, 
-        args, 
-        timestamp: new Date().toISOString() 
-      });
-    }
-    
-    const result = await execFileAsync(cmd, args, { 
-      timeout,
-      maxBuffer: 10 * 1024 * 1024 // 10MB buffer
-    });
-    
-    const duration = Date.now() - startTime;
-    if (log) {
-      logger.debug('Command completed', { 
-        cmd, 
-        duration,
-        stdout_length: result.stdout?.length || 0 
-      });
-    }
-    
-    return result.stdout.trim();
-  } catch (err) {
-    const duration = Date.now() - startTime;
-    logger.error('Command failed', { 
-      cmd, 
-      args, 
-      error: err.message,
-      duration,
-      code: err.code,
-      signal: err.signal
-    });
-    throw err;
-  }
-}
-
-/**
- * Execute command and return JSON parsed output
- * @param {string} cmd - Command to execute
- * @param {string[]} args - Command arguments
- * @returns {Promise<Object>} - Parsed JSON output
- */
-async function safeExecJSON(cmd, args = []) {
-  const output = await safeExec(cmd, args);
-  try {
-    return JSON.parse(output);
-  } catch (err) {
-    logger.error('Failed to parse JSON output', { cmd, output });
-    throw new Error(`Invalid JSON from ${cmd}: ${err.message}`);
-  }
-}
-
-module.exports = { safeExec, safeExecJSON, ALLOWED_COMMANDS };
+#!/usr/bin/env node
+
+/**
+ * EZ Safe Exec — Secure command execution with allowlist and validation
+ * 
+ * Prevents command injection by:
+ * - Using execFile instead of execSync with string concatenation
+ * - Validating commands against allowlist
+ * - Blocking dangerous shell metacharacters in arguments
+ * - Logging all commands for audit
+ * 
+ * Usage:
+ *   const { safeExec, safeExecJSON } = require('./safe-exec.cjs');
+ *   const result = await safeExec('git', ['status']);
+ */
+
+const { execFile } = require('child_process');
+const { promisify } = require('util');
+const execFileAsync = promisify(execFile);
+const Logger = require('./logger.cjs');
+const logger = new Logger();
+
+// Allowlist of safe commands
+const ALLOWED_COMMANDS = new Set([
+  'git', 'node', 'npm', 'npx', 'find', 'grep', 'head', 'tail', 'wc',
+  'mkdir', 'cp', 'mv', 'rm', 'cat', 'echo', 'test', 'ls', 'dir',
+  'pwd', 'cd', 'type', 'where', 'which', 'chmod', 'touch'
+]);
+
+// Dangerous shell metacharacters that could enable injection
+const DANGEROUS_PATTERN = /[;&|`$(){}\\<>]/;
+
+/**
+ * Validate command is in allowlist
+ * @param {string} cmd - Command to validate
+ * @throws {Error} If command not allowed
+ */
+function validateCommand(cmd) {
+  const baseCmd = cmd.split(' ')[0].toLowerCase();
+  if (!ALLOWED_COMMANDS.has(baseCmd)) {
+    throw new Error(`Command not allowed: ${cmd}. Allowed: ${Array.from(ALLOWED_COMMANDS).join(', ')}`);
+  }
+}
+
+/**
+ * Validate arguments don't contain injection patterns
+ * @param {string[]} args - Arguments to validate
+ * @throws {Error} If dangerous pattern found
+ */
+function validateArgs(args) {
+  for (const arg of args) {
+    if (DANGEROUS_PATTERN.test(arg)) {
+      throw new Error(`Dangerous argument rejected: ${arg}`);
+    }
+  }
+}
+
+/**
+ * Execute command safely with validation and logging
+ * @param {string} cmd - Command to execute
+ * @param {string[]} args - Command arguments
+ * @param {Object} options - Execution options
+ * @returns {Promise<string>} - Command stdout
+ */
+async function safeExec(cmd, args = [], options = {}) {
+  const { timeout = 30000, log = true } = options;
+  
+  // Validate command and arguments
+  validateCommand(cmd);
+  validateArgs(args);
+  
+  const startTime = Date.now();
+  
+  try {
+    if (log) {
+      logger.info('Executing command', { 
+        cmd, 
+        args, 
+        timestamp: new Date().toISOString() 
+      });
+    }
+    
+    const result = await execFileAsync(cmd, args, { 
+      timeout,
+      maxBuffer: 10 * 1024 * 1024 // 10MB buffer
+    });
+    
+    const duration = Date.now() - startTime;
+    if (log) {
+      logger.debug('Command completed', { 
+        cmd, 
+        duration,
+        stdout_length: result.stdout?.length || 0 
+      });
+    }
+    
+    return result.stdout.trim();
+  } catch (err) {
+    const duration = Date.now() - startTime;
+    logger.error('Command failed', { 
+      cmd, 
+      args, 
+      error: err.message,
+      duration,
+      code: err.code,
+      signal: err.signal
+    });
+    throw err;
+  }
+}
+
+/**
+ * Execute command and return JSON parsed output
+ * @param {string} cmd - Command to execute
+ * @param {string[]} args - Command arguments
+ * @returns {Promise<Object>} - Parsed JSON output
+ */
+async function safeExecJSON(cmd, args = []) {
+  const output = await safeExec(cmd, args);
+  try {
+    return JSON.parse(output);
+  } catch (err) {
+    logger.error('Failed to parse JSON output', { cmd, output });
+    throw new Error(`Invalid JSON from ${cmd}: ${err.message}`);
+  }
+}
+
+module.exports = { safeExec, safeExecJSON, ALLOWED_COMMANDS };

package/ez-agents/bin/lib/security-errors.cjs

@@ -0,0 +1,62 @@
+#!/usr/bin/env node
+
+/**
+ * Security Operations Error Classes
+ *
+ * Provides structured error handling for security operations
+ */
+
+class SecurityOpsError extends Error {
+  constructor(message, context = {}) {
+    super(message);
+    this.name = 'SecurityOpsError';
+    this.context = context;
+    this.timestamp = new Date().toISOString();
+    Error.captureStackTrace(this, SecurityOpsError);
+  }
+
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      context: this.context,
+      timestamp: this.timestamp
+    };
+  }
+}
+
+class SecurityScanError extends SecurityOpsError {
+  constructor(message, context = {}) {
+    super(message, context);
+    this.name = 'SecurityScanError';
+  }
+}
+
+class SecurityProviderError extends SecurityOpsError {
+  constructor(message, context = {}) {
+    super(message, context);
+    this.name = 'SecurityProviderError';
+  }
+}
+
+class SecurityComplianceError extends SecurityOpsError {
+  constructor(message, context = {}) {
+    super(message, context);
+    this.name = 'SecurityComplianceError';
+  }
+}
+
+class SecurityAuditError extends SecurityOpsError {
+  constructor(message, context = {}) {
+    super(message, context);
+    this.name = 'SecurityAuditError';
+  }
+}
+
+module.exports = {
+  SecurityOpsError,
+  SecurityScanError,
+  SecurityProviderError,
+  SecurityComplianceError,
+  SecurityAuditError
+};