@inspecto-dev/plugin 0.3.4 → 0.3.6

package/dist/rollup.js

@@ -36,12 +36,57 @@ var DEFAULT_ESCAPE_TAGS = /* @__PURE__ */ new Set([
   "NuxtLink"
 ]);
 var JSX_EXTENSIONS = /* @__PURE__ */ new Set([".jsx", ".tsx", ".js", ".ts", ".mjs", ".mts"]);
+function normalizeWebpackModuleRequest(id) {
+  return id.replace(/!+$/, "").replace(/^\((?:app-pages-browser|rsc|ssr)\)\/\.\//, "");
+}
+function extractNextModuleRequest(id) {
+  if (!id.includes("next-flight-client-entry-loader.js?")) {
+    return void 0;
+  }
+  const queryIndex = id.indexOf("?");
+  if (queryIndex === -1) {
+    return void 0;
+  }
+  const params = new URLSearchParams(id.slice(queryIndex + 1).replace(/!+$/, ""));
+  for (const entry of params.getAll("modules")) {
+    try {
+      const parsed = JSON.parse(entry);
+      if (typeof parsed.request === "string" && parsed.request.length > 0) {
+        return parsed.request;
+      }
+    } catch {
+      continue;
+    }
+  }
+  return void 0;
+}
+function extractTransformFilePath(requestId) {
+  const normalizedRequestId = normalizeWebpackModuleRequest(requestId);
+  const nextModuleRequest = extractNextModuleRequest(normalizedRequestId);
+  if (nextModuleRequest) {
+    return {
+      requestId,
+      filePath: nextModuleRequest,
+      wrapped: true
+    };
+  }
+  const lastLoaderSeparator = normalizedRequestId.lastIndexOf("!");
+  const resourceRequest = lastLoaderSeparator >= 0 ? normalizedRequestId.slice(lastLoaderSeparator + 1) : normalizedRequestId;
+  const queryIndex = resourceRequest.indexOf("?");
+  const filePath = queryIndex >= 0 ? resourceRequest.slice(0, queryIndex) : resourceRequest;
+  return {
+    requestId,
+    filePath,
+    wrapped: filePath !== requestId
+  };
+}
 function shouldTransform(filePath, options) {
+  const resolvedFilePath = extractTransformFilePath(filePath).filePath;
   if (process.env["NODE_ENV"] === "production") return false;
-  if (filePath.includes("node_modules")) return false;
-  if (filePath.startsWith("\0")) return false;
-  if (/[/\\](dist|build|\.next|\.nuxt)[/\\]/.test(filePath)) return false;
-  const ext = filePath.split(".").pop()?.toLowerCase();
+  if (resolvedFilePath.includes("node_modules")) return false;
+  if (resolvedFilePath.startsWith("\0")) return false;
+  if (/[/\\](dist|build|\.next|\.nuxt)[/\\]/.test(resolvedFilePath)) return false;
+  const ext = resolvedFilePath.split(".").pop()?.toLowerCase();
   if (ext && !["js", "jsx", "ts", "tsx", "mjs", "mts", "vue"].includes(ext)) {
     return false;
   }
@@ -269,7 +314,7 @@ function transformRouter(options) {
 
 // src/server/index.ts
 import http from "http";
-import fs4 from "fs";
+import fs5 from "fs";
 import path8 from "path";
 import os2 from "os";
 import crypto2 from "crypto";
@@ -807,6 +852,7 @@ function hasOverrides(overrides) {
 
 // src/server/path-guards.ts
 import path6 from "path";
+import fs3 from "fs";
 function isWindowsAbsolutePath(file) {
   return /^[a-zA-Z]:[\\/]/.test(file) || /^\\\\[^\\]+\\[^\\]+/.test(file);
 }
@@ -817,9 +863,94 @@ function resolveWorkspacePath(file, cwd) {
   return path6.isAbsolute(file) ? path6.resolve(file) : path6.resolve(cwd, file);
 }
 function assertPathWithinProject(file, projectRoot) {
-  const relativeToRoot = isWindowsAbsolutePath(file) || isWindowsAbsolutePath(projectRoot) ? path6.win32.relative(path6.win32.normalize(projectRoot), path6.win32.normalize(file)) : path6.relative(projectRoot, file);
-  if (relativeToRoot.startsWith("..") || path6.isAbsolute(relativeToRoot)) {
-    throw new Error("Access denied: File is outside of project workspace");
+  let realFile = file;
+  let realProjectRoot = projectRoot;
+  try {
+    if (fs3.existsSync(file)) {
+      realFile = fs3.realpathSync(file);
+    }
+  } catch {
+  }
+  try {
+    if (fs3.existsSync(projectRoot)) {
+      realProjectRoot = fs3.realpathSync(projectRoot);
+    }
+  } catch {
+  }
+  if (isWithinPath(file, projectRoot) || isWithinPath(realFile, realProjectRoot)) {
+    return;
+  }
+  throw new Error(
+    `Access denied: File ${normalizeForComparison(realFile)} is outside of project workspace ${normalizeForComparison(realProjectRoot)}`
+  );
+}
+function tryReadPackageName(packageRoot) {
+  try {
+    const packageJsonPath = path6.join(packageRoot, "package.json");
+    if (!fs3.existsSync(packageJsonPath)) return void 0;
+    const packageJson = JSON.parse(fs3.readFileSync(packageJsonPath, "utf8"));
+    return typeof packageJson.name === "string" ? packageJson.name : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function findNearestPackageRoot(file) {
+  let current = path6.dirname(file);
+  while (true) {
+    if (fs3.existsSync(path6.join(current, "package.json"))) {
+      return current;
+    }
+    const parent = path6.dirname(current);
+    if (parent === current) {
+      return void 0;
+    }
+    current = parent;
+  }
+}
+function normalizeForComparison(file) {
+  return isWindowsAbsolutePath(file) ? path6.win32.normalize(file) : path6.normalize(file);
+}
+function pathSeparatorFor(file) {
+  return isWindowsAbsolutePath(file) ? path6.win32.sep : path6.sep;
+}
+function isWithinPath(file, root) {
+  const normalizedFile = normalizeForComparison(file);
+  const normalizedRoot = normalizeForComparison(root);
+  const separator = pathSeparatorFor(normalizedRoot);
+  const rootWithSep = normalizedRoot.endsWith(separator) ? normalizedRoot : normalizedRoot + separator;
+  return normalizedFile === normalizedRoot || normalizedFile.startsWith(rootWithSep);
+}
+function resolveLinkedDependencyEntry(projectRoot, packageName) {
+  const packageSegments = packageName.split("/");
+  const dependencyPath = path6.join(projectRoot, "node_modules", ...packageSegments);
+  if (!fs3.existsSync(dependencyPath)) return void 0;
+  try {
+    return fs3.realpathSync(dependencyPath);
+  } catch {
+    return dependencyPath;
+  }
+}
+function isLinkedDependencyPath(file, projectRoot, packageName) {
+  const linkedDependencyRoot = resolveLinkedDependencyEntry(projectRoot, packageName);
+  if (!linkedDependencyRoot) return false;
+  return isWithinPath(file, linkedDependencyRoot);
+}
+function isLinkedDependencySourcePath(file, projectRoot) {
+  const packageRoot = findNearestPackageRoot(file);
+  if (!packageRoot) return false;
+  const packageName = tryReadPackageName(packageRoot);
+  if (!packageName) return false;
+  return isLinkedDependencyPath(file, projectRoot, packageName);
+}
+function assertPathWithinIdeOpenScope(file, projectRoot) {
+  try {
+    assertPathWithinProject(file, projectRoot);
+    return;
+  } catch {
+    if (isLinkedDependencySourcePath(file, projectRoot)) {
+      return;
+    }
+    throw new Error(`Access denied: File is outside of project workspace`);
   }
 }
 
@@ -1024,7 +1155,7 @@ var VSCODE_FAMILY_SCHEMES = [
 ];
 function handleOpenFileRequest(body, serverState2) {
   const absolutePath = resolveWorkspacePath(body.file, serverState2.cwd);
-  assertPathWithinProject(absolutePath, serverState2.projectRoot);
+  assertPathWithinIdeOpenScope(absolutePath, serverState2.projectRoot);
   const userConfig = loadUserConfigSync(false, serverState2.cwd, serverState2.configRoot);
   const configuredIde = userConfig.ide;
   const activeIde = serverState2.ideInfo?.ide;
@@ -1082,7 +1213,7 @@ function handleOpenFileRequest(body, serverState2) {
 }
 
 // src/server/project-root.ts
-import fs3 from "fs";
+import fs4 from "fs";
 import path7 from "path";
 import { execSync } from "child_process";
 var serverLogger3 = createLogger("inspecto:server", { logLevel: getGlobalLogLevel() });
@@ -1100,7 +1231,7 @@ function resolveProjectRoot() {
     let current = start;
     while (!visited.has(current)) {
       visited.add(current);
-      if (fs3.existsSync(path7.join(current, ".inspecto"))) return current;
+      if (fs4.existsSync(path7.join(current, ".inspecto"))) return current;
       if (current === stop) break;
       const parent = path7.dirname(current);
       if (parent === current) break;
@@ -1172,28 +1303,28 @@ async function startServer() {
   const portFile = path8.join(os2.tmpdir(), "inspecto.port.json");
   try {
     let portData = {};
-    if (fs4.existsSync(portFile)) {
+    if (fs5.existsSync(portFile)) {
       try {
-        portData = JSON.parse(fs4.readFileSync(portFile, "utf-8"));
+        portData = JSON.parse(fs5.readFileSync(portFile, "utf-8"));
       } catch (e) {
       }
     }
     const rootHash = crypto2.createHash("md5").update(serverState.projectRoot).digest("hex");
     portData[rootHash] = port;
-    fs4.writeFileSync(portFile, JSON.stringify(portData, null, 2), "utf-8");
+    fs5.writeFileSync(portFile, JSON.stringify(portData, null, 2), "utf-8");
   } catch (e) {
     serverLogger4.warn("Failed to write port file:", e);
   }
   process.once("exit", () => {
     try {
-      if (fs4.existsSync(portFile)) {
-        const portData = JSON.parse(fs4.readFileSync(portFile, "utf-8"));
+      if (fs5.existsSync(portFile)) {
+        const portData = JSON.parse(fs5.readFileSync(portFile, "utf-8"));
         const rootHash = crypto2.createHash("md5").update(serverState.projectRoot).digest("hex");
         delete portData[rootHash];
         if (Object.keys(portData).length === 0) {
-          fs4.unlinkSync(portFile);
+          fs5.unlinkSync(portFile);
         } else {
-          fs4.writeFileSync(portFile, JSON.stringify(portData, null, 2), "utf-8");
+          fs5.writeFileSync(portFile, JSON.stringify(portData, null, 2), "utf-8");
         }
       }
     } catch {
@@ -1262,8 +1393,10 @@ async function handleRequest(url, req, res) {
     }
     try {
       handleOpenFileRequest(body, serverState);
-    } catch {
-      serverLogger4.warn(`Security: Blocked path traversal attempt in IDE_OPEN: ${body.file}`);
+    } catch (err) {
+      serverLogger4.warn(
+        `Security: Blocked path traversal attempt in IDE_OPEN: ${body.file}. Reason: ${err.message}`
+      );
       res.writeHead(403, { "Content-Type": "application/json" });
       res.end(JSON.stringify({ error: "Access denied: File is outside of project workspace" }));
       return;
@@ -1281,8 +1414,10 @@ async function handleRequest(url, req, res) {
       const absolutePath = resolveWorkspacePath(file, serverState.cwd);
       try {
         assertPathWithinProject(absolutePath, serverState.projectRoot);
-      } catch {
-        serverLogger4.warn(`Security: Blocked path traversal attempt in PROJECT_SNIPPET: ${file}`);
+      } catch (err) {
+        serverLogger4.warn(
+          `Security: Blocked path traversal attempt in PROJECT_SNIPPET: ${file}. Reason: ${err.message}`
+        );
         res.writeHead(403, { "Content-Type": "application/json" });
         res.end(
           JSON.stringify({
@@ -1449,23 +1584,25 @@ function injectWebpack(compiler, serverPortFn, resolveClientModule2) {
         return data;
       });
     } else {
-      compilation.hooks.processAssets.tapPromise(
-        {
-          name: "inspecto-overlay",
-          stage: compiler.webpack.Compilation.PROCESS_ASSETS_STAGE_ADDITIONS
-        },
-        async (assets) => {
-          const port = await serverPortFn();
-          const mainAssetKey = Object.keys(assets).find(
-            (key) => key.endsWith(".js") && (key.includes("main") || key.includes("app"))
-          );
-          if (!mainAssetKey) return;
-          const originalSource = assets[mainAssetKey].source();
-          assets[mainAssetKey] = new compiler.webpack.sources.RawSource(
-            getWebpackAssetScript(port) + "\n" + originalSource
-          );
-        }
-      );
+      if (compilation.hooks.processAssets) {
+        compilation.hooks.processAssets.tapPromise(
+          {
+            name: "inspecto-overlay",
+            stage: compiler.webpack.Compilation.PROCESS_ASSETS_STAGE_ADDITIONS
+          },
+          async (assets) => {
+            const port = await serverPortFn();
+            const mainAssetKey = Object.keys(assets).find(
+              (key) => key.endsWith(".js") && (key.includes("main") || key.includes("app") || key.includes("umi"))
+            );
+            if (!mainAssetKey) return;
+            const originalSource = assets[mainAssetKey].source();
+            assets[mainAssetKey] = new compiler.webpack.sources.RawSource(
+              getWebpackAssetScript(port) + "\n" + originalSource
+            );
+          }
+        );
+      }
     }
   });
 }
@@ -1517,7 +1654,6 @@ var DEFAULT_OPTIONS = {
   logLevel: "warn"
 };
 var DEFAULT_PORT = 5678;
-var getCleanId = (id) => id.split("?")[0];
 var InspectoPlugin = createUnplugin((userOptions = {}) => {
   const options = {
     ...DEFAULT_OPTIONS,
@@ -1604,14 +1740,13 @@ var InspectoPlugin = createUnplugin((userOptions = {}) => {
     },
     transformInclude(id) {
       if (isProduction || !id) return false;
-      const cleanId = getCleanId(id);
-      return shouldTransform(cleanId, options);
+      return shouldTransform(id, options);
     },
     transform(code, id) {
       if (isProduction || !id) return null;
-      const cleanId = getCleanId(id);
+      const { filePath } = extractTransformFilePath(id);
       const result = transformRouter({
-        filePath: cleanId,
+        filePath,
         source: code,
         projectRoot,
         pluginOptions: options