@inspecto-dev/plugin 0.3.4 → 0.3.6

package/dist/legacy/rspack/index.js

@@ -14,7 +14,7 @@ var __dirname = /* @__PURE__ */ getDirname();
 
 // src/server/index.ts
 import http from "http";
-import fs4 from "fs";
+import fs5 from "fs";
 import path6 from "path";
 import os2 from "os";
 import crypto2 from "crypto";
@@ -538,6 +538,7 @@ function hasOverrides(overrides) {
 
 // src/server/path-guards.ts
 import path4 from "path";
+import fs3 from "fs";
 function isWindowsAbsolutePath(file) {
   return /^[a-zA-Z]:[\\/]/.test(file) || /^\\\\[^\\]+\\[^\\]+/.test(file);
 }
@@ -548,9 +549,94 @@ function resolveWorkspacePath(file, cwd) {
   return path4.isAbsolute(file) ? path4.resolve(file) : path4.resolve(cwd, file);
 }
 function assertPathWithinProject(file, projectRoot) {
-  const relativeToRoot = isWindowsAbsolutePath(file) || isWindowsAbsolutePath(projectRoot) ? path4.win32.relative(path4.win32.normalize(projectRoot), path4.win32.normalize(file)) : path4.relative(projectRoot, file);
-  if (relativeToRoot.startsWith("..") || path4.isAbsolute(relativeToRoot)) {
-    throw new Error("Access denied: File is outside of project workspace");
+  let realFile = file;
+  let realProjectRoot = projectRoot;
+  try {
+    if (fs3.existsSync(file)) {
+      realFile = fs3.realpathSync(file);
+    }
+  } catch {
+  }
+  try {
+    if (fs3.existsSync(projectRoot)) {
+      realProjectRoot = fs3.realpathSync(projectRoot);
+    }
+  } catch {
+  }
+  if (isWithinPath(file, projectRoot) || isWithinPath(realFile, realProjectRoot)) {
+    return;
+  }
+  throw new Error(
+    `Access denied: File ${normalizeForComparison(realFile)} is outside of project workspace ${normalizeForComparison(realProjectRoot)}`
+  );
+}
+function tryReadPackageName(packageRoot) {
+  try {
+    const packageJsonPath = path4.join(packageRoot, "package.json");
+    if (!fs3.existsSync(packageJsonPath)) return void 0;
+    const packageJson = JSON.parse(fs3.readFileSync(packageJsonPath, "utf8"));
+    return typeof packageJson.name === "string" ? packageJson.name : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function findNearestPackageRoot(file) {
+  let current = path4.dirname(file);
+  while (true) {
+    if (fs3.existsSync(path4.join(current, "package.json"))) {
+      return current;
+    }
+    const parent = path4.dirname(current);
+    if (parent === current) {
+      return void 0;
+    }
+    current = parent;
+  }
+}
+function normalizeForComparison(file) {
+  return isWindowsAbsolutePath(file) ? path4.win32.normalize(file) : path4.normalize(file);
+}
+function pathSeparatorFor(file) {
+  return isWindowsAbsolutePath(file) ? path4.win32.sep : path4.sep;
+}
+function isWithinPath(file, root) {
+  const normalizedFile = normalizeForComparison(file);
+  const normalizedRoot = normalizeForComparison(root);
+  const separator = pathSeparatorFor(normalizedRoot);
+  const rootWithSep = normalizedRoot.endsWith(separator) ? normalizedRoot : normalizedRoot + separator;
+  return normalizedFile === normalizedRoot || normalizedFile.startsWith(rootWithSep);
+}
+function resolveLinkedDependencyEntry(projectRoot, packageName) {
+  const packageSegments = packageName.split("/");
+  const dependencyPath = path4.join(projectRoot, "node_modules", ...packageSegments);
+  if (!fs3.existsSync(dependencyPath)) return void 0;
+  try {
+    return fs3.realpathSync(dependencyPath);
+  } catch {
+    return dependencyPath;
+  }
+}
+function isLinkedDependencyPath(file, projectRoot, packageName) {
+  const linkedDependencyRoot = resolveLinkedDependencyEntry(projectRoot, packageName);
+  if (!linkedDependencyRoot) return false;
+  return isWithinPath(file, linkedDependencyRoot);
+}
+function isLinkedDependencySourcePath(file, projectRoot) {
+  const packageRoot = findNearestPackageRoot(file);
+  if (!packageRoot) return false;
+  const packageName = tryReadPackageName(packageRoot);
+  if (!packageName) return false;
+  return isLinkedDependencyPath(file, projectRoot, packageName);
+}
+function assertPathWithinIdeOpenScope(file, projectRoot) {
+  try {
+    assertPathWithinProject(file, projectRoot);
+    return;
+  } catch {
+    if (isLinkedDependencySourcePath(file, projectRoot)) {
+      return;
+    }
+    throw new Error(`Access denied: File is outside of project workspace`);
   }
 }
 
@@ -755,7 +841,7 @@ var VSCODE_FAMILY_SCHEMES = [
 ];
 function handleOpenFileRequest(body, serverState3) {
   const absolutePath = resolveWorkspacePath(body.file, serverState3.cwd);
-  assertPathWithinProject(absolutePath, serverState3.projectRoot);
+  assertPathWithinIdeOpenScope(absolutePath, serverState3.projectRoot);
   const userConfig = loadUserConfigSync(false, serverState3.cwd, serverState3.configRoot);
   const configuredIde = userConfig.ide;
   const activeIde = serverState3.ideInfo?.ide;
@@ -813,7 +899,7 @@ function handleOpenFileRequest(body, serverState3) {
 }
 
 // src/server/project-root.ts
-import fs3 from "fs";
+import fs4 from "fs";
 import path5 from "path";
 import { execSync } from "child_process";
 var serverLogger3 = createLogger("inspecto:server", { logLevel: getGlobalLogLevel() });
@@ -831,7 +917,7 @@ function resolveProjectRoot() {
     let current = start;
     while (!visited.has(current)) {
       visited.add(current);
-      if (fs3.existsSync(path5.join(current, ".inspecto"))) return current;
+      if (fs4.existsSync(path5.join(current, ".inspecto"))) return current;
       if (current === stop) break;
       const parent = path5.dirname(current);
       if (parent === current) break;
@@ -903,28 +989,28 @@ async function startServer() {
   const portFile = path6.join(os2.tmpdir(), "inspecto.port.json");
   try {
     let portData = {};
-    if (fs4.existsSync(portFile)) {
+    if (fs5.existsSync(portFile)) {
       try {
-        portData = JSON.parse(fs4.readFileSync(portFile, "utf-8"));
+        portData = JSON.parse(fs5.readFileSync(portFile, "utf-8"));
       } catch (e) {
       }
     }
     const rootHash = crypto2.createHash("md5").update(serverState.projectRoot).digest("hex");
     portData[rootHash] = port;
-    fs4.writeFileSync(portFile, JSON.stringify(portData, null, 2), "utf-8");
+    fs5.writeFileSync(portFile, JSON.stringify(portData, null, 2), "utf-8");
   } catch (e) {
     serverLogger4.warn("Failed to write port file:", e);
   }
   process.once("exit", () => {
     try {
-      if (fs4.existsSync(portFile)) {
-        const portData = JSON.parse(fs4.readFileSync(portFile, "utf-8"));
+      if (fs5.existsSync(portFile)) {
+        const portData = JSON.parse(fs5.readFileSync(portFile, "utf-8"));
         const rootHash = crypto2.createHash("md5").update(serverState.projectRoot).digest("hex");
         delete portData[rootHash];
         if (Object.keys(portData).length === 0) {
-          fs4.unlinkSync(portFile);
+          fs5.unlinkSync(portFile);
         } else {
-          fs4.writeFileSync(portFile, JSON.stringify(portData, null, 2), "utf-8");
+          fs5.writeFileSync(portFile, JSON.stringify(portData, null, 2), "utf-8");
         }
       }
     } catch {
@@ -993,8 +1079,10 @@ async function handleRequest(url, req, res) {
     }
     try {
       handleOpenFileRequest(body, serverState);
-    } catch {
-      serverLogger4.warn(`Security: Blocked path traversal attempt in IDE_OPEN: ${body.file}`);
+    } catch (err) {
+      serverLogger4.warn(
+        `Security: Blocked path traversal attempt in IDE_OPEN: ${body.file}. Reason: ${err.message}`
+      );
       res.writeHead(403, { "Content-Type": "application/json" });
       res.end(JSON.stringify({ error: "Access denied: File is outside of project workspace" }));
       return;
@@ -1012,8 +1100,10 @@ async function handleRequest(url, req, res) {
       const absolutePath = resolveWorkspacePath(file, serverState.cwd);
       try {
         assertPathWithinProject(absolutePath, serverState.projectRoot);
-      } catch {
-        serverLogger4.warn(`Security: Blocked path traversal attempt in PROJECT_SNIPPET: ${file}`);
+      } catch (err) {
+        serverLogger4.warn(
+          `Security: Blocked path traversal attempt in PROJECT_SNIPPET: ${file}. Reason: ${err.message}`
+        );
         res.writeHead(403, { "Content-Type": "application/json" });
         res.end(
           JSON.stringify({