npm - @http-client-toolkit/dashboard - Versions diffs - 1.0.1 → 2.0.1 - Mend

@http-client-toolkit/dashboard 1.0.1 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/lib/index.cjs CHANGED Viewed

@@ -381,6 +381,7 @@ var DashboardOptionsSchema = zod.z
       .min(1, 'At least one client is required'),
     basePath: zod.z.string().default('/'),
     pollIntervalMs: zod.z.number().int().positive().default(5e3),
+    readonly: zod.z.boolean().default(false),
   })
   .refine(
     (data) => {
@@ -417,7 +418,11 @@ function parseUrl(req, basePath) {
   const raw = req.url ?? '/';
   const url = new URL(raw, 'http://localhost');
   let pathname = url.pathname;
-  if (basePath !== '/' && pathname.startsWith(basePath)) {
+  if (
+    basePath !== '/' &&
+    pathname.startsWith(basePath) &&
+    (pathname.length === basePath.length || pathname[basePath.length] === '/')
+  ) {
     pathname = pathname.slice(basePath.length) || '/';
   }
   return { pathname, query: url.searchParams };
@@ -435,15 +440,23 @@ function extractParam(pathname, pattern) {
   if (paramIndex === -1) return void 0;
   return pathParts[paramIndex];
 }
+var MAX_BODY_SIZE = 1024 * 1024;
 async function readJsonBody(req) {
-  return new Promise((resolve, reject) => {
+  return new Promise((resolve3, reject) => {
     let body = '';
+    let size = 0;
     req.on('data', (chunk) => {
+      size += chunk.length;
+      if (size > MAX_BODY_SIZE) {
+        req.destroy();
+        reject(new Error('Request body too large'));
+        return;
+      }
       body += chunk.toString();
     });
     req.on('end', () => {
       try {
-        resolve(JSON.parse(body));
+        resolve3(JSON.parse(body));
       } catch {
         reject(new Error('Invalid JSON body'));
       }
@@ -471,6 +484,9 @@ function sendNotFound(res) {
 function sendMethodNotAllowed(res) {
   sendError(res, 'Method not allowed', 405);
 }
+function sendForbidden(res) {
+  sendError(res, 'Dashboard is in readonly mode', 403);
+}
 // src/server/handlers/cache.ts
 async function handleCacheStats(res, adapter) {
@@ -701,7 +717,15 @@ function createApiRouter(ctx) {
         sendError(res, `Unknown client: ${clientName}`, 404);
         return true;
       }
-      return routeClientApi(req, res, client, subPath, method, query);
+      return routeClientApi(
+        req,
+        res,
+        client,
+        subPath,
+        method,
+        query,
+        ctx.readonly,
+      );
     }
     if (pathname.startsWith('/api/')) {
       sendNotFound(res);
@@ -710,7 +734,22 @@ function createApiRouter(ctx) {
     return false;
   };
 }
-async function routeClientApi(req, res, client, subPath, method, query) {
+function isMutatingMethod(method) {
+  return method === 'DELETE' || method === 'PUT' || method === 'POST';
+}
+async function routeClientApi(
+  req,
+  res,
+  client,
+  subPath,
+  method,
+  query,
+  readonly,
+) {
+  if (readonly && isMutatingMethod(method)) {
+    sendForbidden(res);
+    return true;
+  }
   if (subPath.startsWith('/cache')) {
     if (!client.cache) {
       sendError(res, 'Cache store not configured', 404);
@@ -835,7 +874,7 @@ function getCurrentDir() {
 function getClientDir() {
   if (clientDir) return clientDir;
   const currentDir = getCurrentDir();
-  clientDir = path.join(currentDir, '..', 'dist', 'client');
+  clientDir = path.resolve(currentDir, '..', 'dist', 'client');
   return clientDir;
 }
 function getIndexHtml() {
@@ -861,7 +900,12 @@ function getIndexHtml() {
 function serveStatic(res, pathname) {
   const dir = getClientDir();
   if (pathname !== '/' && pathname !== '/index.html') {
-    const filePath = path.join(dir, pathname);
+    const filePath = path.resolve(path.join(dir, pathname));
+    if (!filePath.startsWith(dir + '/')) {
+      res.writeHead(400, { 'Content-Type': 'text/plain' });
+      res.end('Bad request');
+      return true;
+    }
     if (fs.existsSync(filePath)) {
       try {
         const content = fs.readFileSync(filePath);
@@ -911,6 +955,7 @@ function createDashboard(options) {
   const ctx = {
     clients,
     pollIntervalMs: opts.pollIntervalMs,
+    readonly: opts.readonly,
   };
   const apiRouter = createApiRouter(ctx);
   return (req, res, _next) => {
@@ -969,7 +1014,7 @@ function getCurrentDir2() {
 function getClientDir2() {
   if (clientDir2) return clientDir2;
   const currentDir = getCurrentDir2();
-  clientDir2 = path.join(currentDir, '..', 'dist', 'client');
+  clientDir2 = path.resolve(currentDir, '..', 'dist', 'client');
   return clientDir2;
 }
 function getIndexHtml2() {
@@ -995,7 +1040,10 @@ function getIndexHtml2() {
 function serveStaticWeb(pathname) {
   const dir = getClientDir2();
   if (pathname !== '/' && pathname !== '/index.html') {
-    const filePath = path.join(dir, pathname);
+    const filePath = path.resolve(path.join(dir, pathname));
+    if (!filePath.startsWith(dir + '/')) {
+      return new Response('Bad request', { status: 400 });
+    }
     if (fs.existsSync(filePath)) {
       try {
         const content = fs.readFileSync(filePath);
@@ -1068,14 +1116,34 @@ async function routeApi(request, pathname, query, ctx) {
     if (!client) {
       return errorResponse(`Unknown client: ${clientName}`, 404);
     }
-    return routeClientApi2(request, subPath, method, client, query);
+    return routeClientApi2(
+      request,
+      subPath,
+      method,
+      client,
+      query,
+      ctx.readonly,
+    );
   }
   if (pathname.startsWith('/api/')) {
     return errorResponse('Not found', 404);
   }
   return null;
 }
-async function routeClientApi2(request, subPath, method, client, query) {
+function isMutatingMethod2(method) {
+  return method === 'DELETE' || method === 'PUT' || method === 'POST';
+}
+async function routeClientApi2(
+  request,
+  subPath,
+  method,
+  client,
+  query,
+  readonly,
+) {
+  if (readonly && isMutatingMethod2(method)) {
+    return errorResponse('Dashboard is in readonly mode', 403);
+  }
   if (subPath.startsWith('/cache')) {
     if (!client.cache) return errorResponse('Cache store not configured', 404);
     return routeCache(subPath, method, client.cache, query);
@@ -1219,12 +1287,18 @@ function createDashboardHandler(options) {
   const ctx = {
     clients,
     pollIntervalMs: opts.pollIntervalMs,
+    readonly: opts.readonly,
   };
   return async (request) => {
     try {
       const url = new URL(request.url);
       let pathname = url.pathname;
-      if (opts.basePath !== '/' && pathname.startsWith(opts.basePath)) {
+      if (
+        opts.basePath !== '/' &&
+        pathname.startsWith(opts.basePath) &&
+        (pathname.length === opts.basePath.length ||
+          pathname[opts.basePath.length] === '/')
+      ) {
         pathname = pathname.slice(opts.basePath.length) || '/';
       }
       const apiResponse = await routeApi(
@@ -1246,14 +1320,14 @@ async function startDashboard(options) {
   const server = http.createServer((req, res) => {
     middleware(req, res);
   });
-  return new Promise((resolve, reject) => {
+  return new Promise((resolve3, reject) => {
     server.on('error', reject);
     server.listen(opts.port, opts.host, () => {
       const addr = server.address();
       const url =
         typeof addr === 'string' ? addr : `http://${opts.host}:${opts.port}`;
       console.log(`Dashboard running at ${url}`);
-      resolve({
+      resolve3({
         server,
         async close() {
           return new Promise((res, rej) => {