@mooncompany/uplink-chat 0.5.0

package/server/update-checker.js

@@ -0,0 +1,172 @@
+/**
+ * Update Checker Module
+ * 
+ * Periodically checks npm registry for new versions of uplink-chat.
+ * Broadcasts update notifications to connected WebSocket clients.
+ * 
+ * - Checks on startup and every 1 hour
+ * - 5 second timeout (non-blocking, fails silently if offline)
+ * - Caches results to avoid redundant checks
+ * - No external dependencies
+ */
+
+import { readFileSync } from 'fs';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+import https from 'https';
+import http from 'http';
+import { createLogger } from './logger.js';
+
+const log = createLogger('UpdateChecker');
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const ROOT = join(__dirname, '..');
+
+const REGISTRY_URL = 'https://registry.npmjs.org/uplink-chat/latest';
+const CHECK_INTERVAL_MS = 60 * 60 * 1000; // 1 hour
+const FETCH_TIMEOUT_MS = 5000; // 5 seconds
+
+// Cache
+let cachedResult = null; // { current, latest, updateAvailable, checkedAt }
+
+/**
+ * Simple semver comparison (no external dependency)
+ * Supports standard x.y.z format
+ * Returns: -1 if a < b, 0 if equal, 1 if a > b
+ */
+function compareSemver(a, b) {
+  const partsA = a.replace(/^v/, '').split('.').map(Number);
+  const partsB = b.replace(/^v/, '').split('.').map(Number);
+  
+  for (let i = 0; i < 3; i++) {
+    const numA = partsA[i] || 0;
+    const numB = partsB[i] || 0;
+    if (numA < numB) return -1;
+    if (numA > numB) return 1;
+  }
+  return 0;
+}
+
+/**
+ * Get current version from package.json
+ */
+function getCurrentVersion() {
+  try {
+    const pkg = JSON.parse(readFileSync(join(ROOT, 'package.json'), 'utf-8'));
+    return pkg.version || '0.0.0';
+  } catch {
+    return '0.0.0';
+  }
+}
+
+/**
+ * Fetch latest version from npm registry with timeout
+ * Returns version string or null on failure
+ */
+function fetchLatestVersion() {
+  return new Promise((resolve) => {
+    const url = new URL(REGISTRY_URL);
+    const transport = url.protocol === 'https:' ? https : http;
+    
+    const req = transport.get(url.href, { timeout: FETCH_TIMEOUT_MS }, (res) => {
+      if (res.statusCode !== 200) {
+        res.resume(); // Drain the response
+        resolve(null);
+        return;
+      }
+      
+      let data = '';
+      res.on('data', (chunk) => { data += chunk; });
+      res.on('end', () => {
+        try {
+          const json = JSON.parse(data);
+          resolve(json.version || null);
+        } catch {
+          resolve(null);
+        }
+      });
+    });
+    
+    req.on('error', () => resolve(null));
+    req.on('timeout', () => {
+      req.destroy();
+      resolve(null);
+    });
+    
+    // Overall timeout safety net
+    setTimeout(() => {
+      req.destroy();
+      resolve(null);
+    }, FETCH_TIMEOUT_MS + 1000);
+  });
+}
+
+/**
+ * Check for updates and broadcast if available
+ * @param {Function} broadcastFn - Function to broadcast WebSocket messages
+ */
+async function checkForUpdate(broadcastFn) {
+  const current = getCurrentVersion();
+  const latest = await fetchLatestVersion();
+  
+  if (!latest) {
+    // Offline or registry error — skip silently
+    return;
+  }
+  
+  const updateAvailable = compareSemver(current, latest) < 0;
+  
+  cachedResult = {
+    current,
+    latest,
+    updateAvailable,
+    checkedAt: Date.now(),
+  };
+  
+  if (updateAvailable && broadcastFn) {
+    broadcastFn({
+      type: 'update_available',
+      current,
+      latest,
+    });
+  }
+}
+
+/**
+ * Start the update checker
+ * Call after server is listening.
+ * 
+ * @param {Object} server - HTTP server instance (unused, kept for API consistency)
+ * @param {Function} broadcastFn - Function to broadcast a message to all WS clients
+ */
+export function startUpdateChecker(server, broadcastFn) {
+  if (!broadcastFn) {
+    log.warn('No broadcast function provided, skipping');
+    return;
+  }
+  
+  // Initial check (non-blocking, delayed slightly to not interfere with startup)
+  setTimeout(() => {
+    checkForUpdate(broadcastFn).catch(() => {
+      // Silently ignore errors
+    });
+  }, 3000);
+  
+  // Periodic re-check every hour
+  const interval = setInterval(() => {
+    checkForUpdate(broadcastFn).catch(() => {
+      // Silently ignore errors
+    });
+  }, CHECK_INTERVAL_MS);
+  
+  // Don't keep the process alive just for update checking
+  if (interval.unref) interval.unref();
+}
+
+/**
+ * Get cached update result (for new client connections)
+ */
+export function getCachedUpdateResult() {
+  return cachedResult;
+}

package/server/utils/filename.js

@@ -0,0 +1,129 @@
+/**
+ * Filename Sanitization Utility
+ * 
+ * Prevents path traversal attacks by sanitizing user-provided filenames.
+ * Removes path components and allows only safe characters.
+ */
+
+import path from 'path';
+
+/**
+ * Sanitize a filename to prevent path traversal attacks
+ * - Removes path components (uses only basename)
+ * - Allows only alphanumeric characters, dashes, underscores, and dots
+ * - Removes leading dots (hidden files)
+ * - Limits length
+ * 
+ * @param {string} filename - The raw filename from user input
+ * @param {Object} options - Sanitization options
+ * @param {number} options.maxLength - Maximum filename length (default: 255)
+ * @param {string} options.fallback - Fallback filename if sanitization results in empty string (default: 'unnamed')
+ * @returns {string} Sanitized filename safe for filesystem operations
+ */
+export function sanitizeFilename(filename, options = {}) {
+  const { maxLength = 255, fallback = 'unnamed' } = options;
+  
+  if (!filename || typeof filename !== 'string') {
+    return fallback;
+  }
+  
+  // Step 1: Extract only the basename (removes path traversal like ../../../)
+  let sanitized = path.basename(filename);
+  
+  // Step 2: Remove any remaining path-like characters (backslash for Windows)
+  sanitized = sanitized.replace(/[\\\/]/g, '');
+  
+  // Step 3: Allow only alphanumeric, dash, underscore, and dot
+  sanitized = sanitized.replace(/[^a-zA-Z0-9._-]/g, '');
+  
+  // Step 4: Remove leading dots (prevent hidden files like .htaccess)
+  sanitized = sanitized.replace(/^[.]+/, '');
+  
+  // Step 5: Trim whitespace (should be gone from step 3, but safety check)
+  sanitized = sanitized.trim();
+  
+  // Step 6: Limit length
+  if (sanitized.length > maxLength) {
+    // Preserve extension if possible
+    const lastDot = sanitized.lastIndexOf('.');
+    if (lastDot > 0 && lastDot > sanitized.length - maxLength) {
+      const ext = sanitized.slice(lastDot);
+      sanitized = sanitized.slice(0, maxLength - ext.length) + ext;
+    } else {
+      sanitized = sanitized.slice(0, maxLength);
+    }
+  }
+  
+  // Step 7: If empty after sanitization, use fallback
+  if (!sanitized || sanitized.length === 0) {
+    return fallback;
+  }
+  
+  return sanitized;
+}
+
+/**
+ * Extract file extension from a filename safely
+ * Returns the extension including the dot (e.g., '.jpg')
+ * 
+ * @param {string} filename - The filename to extract extension from
+ * @returns {string} File extension or empty string if none
+ */
+export function getSafeExtension(filename) {
+  if (!filename || typeof filename !== 'string') {
+    return '';
+  }
+  
+  // Get basename first to avoid path traversal in extension
+  const basename = path.basename(filename);
+  
+  // Find the last dot
+  const lastDot = basename.lastIndexOf('.');
+  
+  // No extension found
+  if (lastDot <= 0) {
+    return '';
+  }
+  
+  // Extract extension
+  const ext = basename.slice(lastDot).toLowerCase();
+  
+  // Validate extension characters (only allow alphanumeric)
+  const validExt = ext.replace(/[^a-zA-Z0-9.]/g, '');
+  
+  return validExt;
+}
+
+/**
+ * Check if a filename contains path traversal attempts
+ * Useful for logging/warning without modifying the filename
+ * 
+ * @param {string} filename - The filename to check
+ * @returns {boolean} True if path traversal is detected
+ */
+export function containsPathTraversal(filename) {
+  if (!filename || typeof filename !== 'string') {
+    return false;
+  }
+  
+  // Check for common path traversal patterns
+  const traversalPatterns = [
+    /\.\.\//,       // ../
+    /\.\.\\/,       // ..\
+    /%2e%2e%2f/i,   // URL encoded ../
+    /%2e%2e\//i,    // URL encoded ../ variant
+    /\.\.\/%2f/i,   // Mixed encoding
+    /^\//,          // Absolute path Unix
+    /^[a-z]:/i,     // Absolute path Windows
+    /\\/,            // Backslash (path separator)
+    /\x00/,         // Null byte
+  ];
+  
+  return traversalPatterns.some(pattern => pattern.test(filename));
+}
+
+export default {
+  sanitizeFilename,
+  getSafeExtension,
+  containsPathTraversal
+};

package/server/utils.js

@@ -0,0 +1,147 @@
+/**
+ * Utils Module - Common utilities and helpers
+ */
+
+import fs from 'fs/promises';
+import path from 'path';
+import http from 'http';
+import https from 'https';
+
+// Re-export withRetry from unified utility module
+import { withRetry as _withRetry } from '../utils/with-retry.js';
+export const withRetry = _withRetry;
+
+// ===========================================
+// LOGGING
+// ===========================================
+const LOG_LEVEL = process.env.LOG_LEVEL || 'debug';
+const LOG_LEVELS = { debug: 0, info: 1, warn: 2, error: 3 };
+
+export function log(level, ...args) {
+  if (LOG_LEVELS[level] >= LOG_LEVELS[LOG_LEVEL]) {
+    const sanitized = args.map(arg => {
+      if (typeof arg === 'string') {
+        return LOG_LEVEL !== 'debug' && arg.length > 100
+          ? arg.substring(0, 100) + '...[truncated]'
+          : arg;
+      }
+      return arg;
+    });
+    console[level === 'debug' ? 'log' : level](...sanitized);
+  }
+}
+
+// ===========================================
+// FETCH WITH TIMEOUT
+// ===========================================
+export async function fetchWithTimeout(url, options = {}, timeoutMs = 45000) {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+
+  try {
+    const response = await fetch(url, {
+      ...options,
+      signal: controller.signal
+    });
+    return response;
+  } catch (err) {
+    if (err.name === 'AbortError') {
+      throw new Error(`Request timed out after ${timeoutMs}ms - gateway may be busy`);
+    }
+    throw err;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+
+// ===========================================
+// RETRY HELPER
+// ===========================================
+// withRetry is now re-exported from ../utils/with-retry.js (see top of file)
+
+// ===========================================
+// FILE CLEANUP
+// ===========================================
+export async function cleanupOldFiles(dir, maxAgeMs, extensions = []) {
+  try {
+    const files = await fs.readdir(dir);
+    const now = Date.now();
+    let cleaned = 0;
+
+    for (const file of files) {
+      if (extensions.length > 0 && !extensions.some(ext => file.endsWith(ext))) {
+        continue;
+      }
+
+      const filePath = path.join(dir, file);
+      try {
+        const stat = await fs.stat(filePath);
+        if (now - stat.mtimeMs > maxAgeMs) {
+          await fs.unlink(filePath);
+          cleaned++;
+        }
+      } catch (e) {
+        // File may have been deleted
+      }
+    }
+
+    if (cleaned > 0) {
+      log('debug', `Cleaned up ${cleaned} old files from ${dir}`);
+    }
+    return cleaned;
+  } catch (e) {
+    // Directory may not exist
+    return 0;
+  }
+}
+
+// ===========================================
+// HTTP KEEP-ALIVE AGENTS
+// ===========================================
+export const httpAgent = new http.Agent({ keepAlive: true, maxSockets: 10 });
+export const httpsAgent = new https.Agent({ keepAlive: true, maxSockets: 10 });
+
+// ===========================================
+// SSRF PREVENTION
+// ===========================================
+export function isPrivateIP(hostname) {
+  const privatePatterns = [
+    /^localhost$/i,
+    /^127\./,
+    /^10\./,
+    /^172\.(1[6-9]|2[0-9]|3[0-1])\./,
+    /^192\.168\./,
+    /^0\./,
+    /^169\.254\./,
+    /^::1$/,
+    /^fc00:/i,
+    /^fe80:/i,
+  ];
+  return privatePatterns.some(pattern => pattern.test(hostname));
+}
+
+export function isAllowedExternalHost(hostname) {
+  const allowedHosts = [
+    /\.openai\.com$/i,
+    /\.anthropic\.com$/i,
+    /\.elevenlabs\.io$/i,
+    /localhost$/i,
+    /^127\./,
+  ];
+  return allowedHosts.some(pattern => pattern.test(hostname));
+}
+
+// NOTE: Request tracking has been consolidated into server.js
+// All request tracking functions are provided via requestHelpers from server.js
+// Do NOT add duplicate tracking here — see H-38 audit finding
+
+export default {
+  log,
+  fetchWithTimeout,
+  withRetry,
+  cleanupOldFiles,
+  httpAgent,
+  httpsAgent,
+  isPrivateIP,
+  isAllowedExternalHost,
+};