@nitronjs/framework 0.2.27 → 0.3.1

package/lib/Validation/MagicBytes.js

@@ -0,0 +1,120 @@
+// Signatures ordered by total check bytes (offset + bytes.length) descending
+const SIGNATURES = [
+    // 12-byte region: WebP (RIFF at 0, WEBP at 8)
+    { regions: [{ bytes: [0x52, 0x49, 0x46, 0x46], offset: 0 }, { bytes: [0x57, 0x45, 0x42, 0x50], offset: 8 }], mime: "image/webp" },
+    // 8 bytes
+    { bytes: [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A], offset: 0, mime: "image/png" },
+    // 8-byte region: MP4/ISOBMFF (ftyp at offset 4)
+    { bytes: [0x66, 0x74, 0x79, 0x70], offset: 4, mime: "video/mp4" },
+    // 6 bytes
+    { bytes: [0x37, 0x7A, 0xBC, 0xAF, 0x27, 0x1C], offset: 0, mime: "application/x-7z-compressed" },
+    { bytes: [0x52, 0x61, 0x72, 0x21, 0x1A, 0x07], offset: 0, mime: "application/x-rar-compressed" },
+    // 4 bytes
+    { bytes: [0x25, 0x50, 0x44, 0x46], offset: 0, mime: "application/pdf" },
+    { bytes: [0x50, 0x4B, 0x03, 0x04], offset: 0, mime: "application/zip" },
+    { bytes: [0x47, 0x49, 0x46, 0x38], offset: 0, mime: "image/gif" },
+    { bytes: [0x1A, 0x45, 0xDF, 0xA3], offset: 0, mime: "video/webm" },
+    { bytes: [0x00, 0x00, 0x01, 0x00], offset: 0, mime: "image/x-icon" },
+    // 3 bytes
+    { bytes: [0xFF, 0xD8, 0xFF], offset: 0, mime: "image/jpeg" },
+    { bytes: [0x49, 0x44, 0x33], offset: 0, mime: "audio/mpeg" },
+    // 2 bytes
+    { bytes: [0x1F, 0x8B], offset: 0, mime: "application/gzip" },
+    { bytes: [0x42, 0x4D], offset: 0, mime: "image/bmp" }
+];
+
+const MIME_FAMILIES = [
+    // ZIP family (jar/apk excluded)
+    ["application/zip", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "application/vnd.openxmlformats-officedocument.presentationml.presentation", "application/vnd.oasis.opendocument.text", "application/vnd.oasis.opendocument.spreadsheet", "application/vnd.oasis.opendocument.presentation"],
+    // MPEG-4/ISOBMFF family
+    ["video/mp4", "audio/mp4", "audio/m4a", "video/quicktime", "video/3gpp"],
+    // EBML family
+    ["video/webm", "video/x-matroska", "audio/webm"]
+];
+
+/**
+ * Detect MIME type from buffer magic bytes.
+ * Returns null if buffer is empty or no signature matches.
+ */
+export function detectMime(buffer) {
+    if (!buffer || buffer.length === 0) {
+        return null;
+    }
+
+    for (const sig of SIGNATURES) {
+        if (sig.regions) {
+            let allMatch = true;
+
+            for (const region of sig.regions) {
+                if (buffer.length < region.offset + region.bytes.length) {
+                    allMatch = false;
+                    break;
+                }
+
+                for (let i = 0; i < region.bytes.length; i++) {
+                    if (buffer[region.offset + i] !== region.bytes[i]) {
+                        allMatch = false;
+                        break;
+                    }
+                }
+
+                if (!allMatch) break;
+            }
+
+            if (allMatch) return sig.mime;
+        }
+        else {
+            if (buffer.length < sig.offset + sig.bytes.length) continue;
+
+            let match = true;
+
+            for (let i = 0; i < sig.bytes.length; i++) {
+                if (buffer[sig.offset + i] !== sig.bytes[i]) {
+                    match = false;
+                    break;
+                }
+            }
+
+            if (match) return sig.mime;
+        }
+    }
+
+    return null;
+}
+
+/**
+ * Check if two MIME types belong to the same family.
+ * ZIP family includes Office XML formats. MPEG-4 family shares ftyp. EBML family shares header.
+ */
+export function isSameMimeFamily(mime1, mime2) {
+    if (!mime1 || !mime2) return false;
+
+    const m1 = mime1.toLowerCase(), m2 = mime2.toLowerCase();
+
+    if (m1 === m2) return true;
+
+    for (const family of MIME_FAMILIES) {
+        const has1 = family.includes(m1) || (family === MIME_FAMILIES[0] && (m1.startsWith("application/vnd.openxmlformats-officedocument.") || m1.startsWith("application/vnd.oasis.opendocument.")));
+        const has2 = family.includes(m2) || (family === MIME_FAMILIES[0] && (m2.startsWith("application/vnd.openxmlformats-officedocument.") || m2.startsWith("application/vnd.oasis.opendocument.")));
+
+        if (has1 && has2) return true;
+    }
+
+    return false;
+}
+
+// Regex: null bytes, URL-encoded null, bidi/invisible Unicode, control chars
+const UNSAFE_CHARS = /\x00|%00|[\u202A-\u202E\u200E\u200F\u2066-\u2069\u200B-\u200D\uFEFF]|[\x01-\x08\x0B\x0C\x0E-\x1F]/gi;
+
+/**
+ * Strip dangerous characters from filename.
+ * Removes null bytes, URL-encoded nulls, Unicode bidi/invisible chars, control chars.
+ * Returns "unnamed" if result is empty.
+ */
+export function sanitizeFilename(filename) {
+    if (!filename) return "unnamed";
+
+    const cleaned = filename.replace(UNSAFE_CHARS, "");
+
+    return cleaned || "unnamed";
+}

package/lib/Validation/Validator.js

@@ -1,4 +1,5 @@
 import { MIME_TYPES } from "./MimeTypes.js";
+import { isSameMimeFamily } from "./MagicBytes.js";
 
 /**
  * Laravel-style Validator for NitronJS
@@ -8,13 +9,12 @@ import { MIME_TYPES } from "./MimeTypes.js";
  * - Use "required" to make a field mandatory
  * - Use "nullable" to explicitly allow null (skips ALL validation)
  * 
- * SECURITY WARNING:
- * File validation (mimes, mime_types) checks MIME headers only.
- * This is NOT secure - attackers can spoof MIME types.
- * Always verify file signatures (magic bytes) server-side before storage.
+ * SECURITY:
+ * File validation (mimes, mime_types) uses magic byte verification via preHandler
+ * when available. Falls back to declared MIME type for unrecognized formats.
  * 
  * UNITS:
- * - min/max for files: BYTES (e.g., max:2097152 = 2MB)
+ * - min/max for files: KB (e.g., max:2048 = 2MB)
  * - min/max for strings: characters
  * - min/max for arrays: item count
  * - min/max for numbers: numeric value
@@ -76,6 +76,9 @@ class Validator {
 
             for (let i = 0; i < parts.length - 1; i++) {
                 const part = parts[i];
+
+                if (part === "__proto__" || part === "constructor" || part === "prototype") break;
+
                 const nextPart = parts[i + 1];
                 const isNextIndex = /^\d+$/.test(nextPart);
 
@@ -138,9 +141,21 @@ class Validator {
 
         // Backend Multipart (Fastify @fastify/multipart)
         if (typeof value.mimetype === "string" && typeof value.toBuffer === "function") {
+            let mime = value.mimetype.toLowerCase();
+
+            // Three-way _magicMime branch:
+            // undefined → magic byte check not performed, use declared MIME
+            // null → check performed but unrecognized, fallback to declared MIME
+            // string → check performed and recognized, use magic MIME (with family check)
+            if (typeof value._magicMime === "string") {
+                if (!isSameMimeFamily(mime, value._magicMime)) {
+                    mime = value._magicMime;
+                }
+            }
+
             return {
-                mime: value.mimetype.toLowerCase(),
-                size: value._buf?.length ?? null
+                mime,
+                size: value._fileSize ?? value._buf?.length ?? null
             };
         }
 
@@ -494,7 +509,7 @@ class Validator {
          * Minimum size/length/value
          * - Arrays: minimum item count
          * - Strings: minimum character count
-         * - Files: minimum size in BYTES
+         * - Files: minimum size in KB
          * - Numbers: minimum value
          */
         min: (value, params, field) => {
@@ -512,6 +527,17 @@ class Validator {
                 };
             }
 
+            // File: size in KB (before generic object — file objects are also objects)
+            const file = this.#getFileInfo(value);
+            if (file && file.size !== null) {
+                const minBytes = min * 1024;
+
+                return {
+                    passes: file.size >= minBytes,
+                    message: `The ${field} file must be at least ${this.#formatBytes(minBytes)}.`
+                };
+            }
+
             // Object: property count
             if (value !== null && typeof value === "object") {
                 const keyCount = Object.keys(value).length;
@@ -521,15 +547,6 @@ class Validator {
                 };
             }
 
-            // File: size in bytes
-            const file = this.#getFileInfo(value);
-            if (file && file.size !== null) {
-                return {
-                    passes: file.size >= min,
-                    message: `The ${field} file must be at least ${this.#formatBytes(min)}.`
-                };
-            }
-
             // String: character count
             if (typeof value === "string") {
                 return {
@@ -556,7 +573,7 @@ class Validator {
          * Maximum size/length/value
          * - Arrays: maximum item count
          * - Strings: maximum character count
-         * - Files: maximum size in BYTES
+         * - Files: maximum size in KB
          * - Numbers: maximum value
          */
         max: (value, params, field) => {
@@ -574,6 +591,17 @@ class Validator {
                 };
             }
 
+            // File: size in KB (before generic object — file objects are also objects)
+            const file = this.#getFileInfo(value);
+            if (file && file.size !== null) {
+                const maxBytes = max * 1024;
+
+                return {
+                    passes: file.size <= maxBytes,
+                    message: `The ${field} file must not exceed ${this.#formatBytes(maxBytes)}.`
+                };
+            }
+
             // Object: property count
             if (value !== null && typeof value === "object") {
                 const keyCount = Object.keys(value).length;
@@ -583,15 +611,6 @@ class Validator {
                 };
             }
 
-            // File: size in bytes
-            const file = this.#getFileInfo(value);
-            if (file && file.size !== null) {
-                return {
-                    passes: file.size <= max,
-                    message: `The ${field} file must not exceed ${this.#formatBytes(max)}.`
-                };
-            }
-
             // String: character count
             if (typeof value === "string") {
                 return {
@@ -615,8 +634,6 @@ class Validator {
         },
 
         // ─── File Rules ──────────────────────────────────────────────────────
-        // ⚠️ WARNING: These rules check MIME headers only, which can be spoofed.
-        // Always verify file signatures (magic bytes) server-side!
 
         /** Must be a valid file object */
         file: (value, params, field) => {

package/lib/View/Client/hmr-client.js

@@ -1,14 +1,24 @@
 /**
- * HMR Client - Browser-side hot module replacement handler.
- * Connects to the HMR WebSocket server and handles live updates.
+ * HMR Client — Browser-side hot module replacement handler.
+ *
+ * Connects to the dev server via Socket.IO WebSocket.
+ * On file change events, fetches a fresh RSC (React Server Components)
+ * Flight payload and lets React reconcile the DOM — no full page reload needed.
+ *
+ * Wire format from /__nitron/rsc:
+ *   "<flightLength>\n<flightPayload><jsonMetadata>"
+ *   - First line: byte length of the Flight payload
+ *   - Then the Flight payload itself (React serialization format)
+ *   - Then a JSON object with { meta, css, translations }
  */
 (function() {
     "use strict";
 
+    var RSC_ENDPOINT = "/__nitron/rsc";
     var socket = null;
-    var errorOverlay = null;
 
-    // Connection
+    // --- Connection ---
+
     function connect() {
         if (socket) return;
 
@@ -23,12 +33,14 @@
                 path: "/__nitron_hmr",
                 transports: ["websocket"],
                 reconnection: true,
-                reconnectionAttempts: 5,
+                reconnectionAttempts: Infinity,
                 reconnectionDelay: 1000,
+                reconnectionDelayMax: 5000,
                 timeout: 5000
             });
         }
         catch (e) {
+            // Socket.IO not available — HMR disabled silently (dev-only feature)
             return;
         }
 
@@ -45,131 +57,129 @@
             window.__nitron_hmr_connected__ = false;
         });
 
-        socket.on("hmr:update", function() {
-            refetchPage();
+        // Unified RSC-based change handler
+        socket.on("hmr:change", function(data) {
+            hideErrorOverlay();
+
+            if (data.changeType === "css") {
+                refreshCss();
+                return;
+            }
+
+            // page, layout — all use RSC refetch
+            refetchRSC(data.cssChanged);
         });
 
         socket.on("hmr:reload", function() {
             location.reload();
         });
 
-        socket.on("hmr:css", function(data) {
-            refreshCss(data.file);
-        });
-
         socket.on("hmr:error", function(data) {
             showErrorOverlay(data.message || "Unknown error", data.file);
         });
     }
 
-    // Page Updates
-    function refetchPage() {
+    // --- RSC Wire Format Parser ---
+
+    // Parses the length-prefixed response from /__nitron/rsc.
+    // Format: "<length>\n<flight payload><json metadata>"
+    // Returns { payload, meta, css, translations } or null on malformed input.
+    function parseLengthPrefixed(text) {
+        var nl = text.indexOf("\n");
+        if (nl === -1) return null;
+
+        var len = parseInt(text.substring(0, nl), 10);
+        if (isNaN(len) || len < 0) return null;
+
+        var flight = text.substring(nl + 1, nl + 1 + len);
+        var jsonStr = text.substring(nl + 1 + len);
+        var data;
+
+        try { data = JSON.parse(jsonStr); }
+        catch (e) { return null; }
+
+        return {
+            payload: flight,
+            meta: data.meta || null,
+            css: data.css || null,
+            translations: data.translations || null
+        };
+    }
+
+    // --- RSC Page Update ---
+
+    // Fetches a fresh Flight payload for the current URL and hands it to React.
+    // React's reconciliation updates only the changed DOM nodes — no full reload.
+    function refetchRSC(cssChanged) {
+        var rsc = window.__NITRON_RSC__;
+
+        if (!rsc || !rsc.root) {
+            location.reload();
+            return;
+        }
+
         var url = location.pathname + location.search;
 
-        fetch("/__nitron/navigate?url=" + encodeURIComponent(url), {
+        fetch(RSC_ENDPOINT + "?url=" + encodeURIComponent(url), {
             headers: { "X-Nitron-SPA": "1" },
             credentials: "same-origin"
         })
-        .then(function(response) {
-            if (!response.ok) throw new Error("HTTP " + response.status);
+        .then(function(r) {
+            if (!r.ok) throw new Error("HTTP " + r.status);
 
-            return response.json();
+            return r.text().then(function(text) {
+                return parseLengthPrefixed(text);
+            });
         })
-        .then(function(data) {
-            if (data.error || data.redirect) {
+        .then(function(d) {
+            if (!d || !d.payload) {
                 location.reload();
-
                 return;
             }
 
-            var slot = document.querySelector("[data-nitron-slot='page']");
-
-            if (!slot || !data.html) {
-                location.reload();
+            // Merge translations BEFORE navigate — persistent components (layouts) keep their keys
+            if (d.translations) {
+                var prev = window.__NITRON_TRANSLATIONS__;
 
-                return;
+                window.__NITRON_TRANSLATIONS__ = prev
+                    ? Object.assign({}, prev, d.translations)
+                    : d.translations;
             }
 
-            var container = document.createElement("div");
-            container.innerHTML = data.html;
-
-            var newSlot = container.querySelector("[data-nitron-slot='page']");
-            slot.innerHTML = newSlot ? newSlot.innerHTML : data.html;
-
-            if (data.hydrationScript) {
-                if (data.runtime && window.__NITRON_RUNTIME__) {
-                    Object.assign(window.__NITRON_RUNTIME__, data.runtime);
-                }
+            // React reconciliation — only changed DOM nodes update
+            rsc.navigate(d.payload);
 
-                if (data.props) {
-                    window.__NITRON_PROPS__ = data.props;
-                }
+            if (d.meta && d.meta.title) document.title = d.meta.title;
 
-                loadHydrationScript(data.hydrationScript);
-            }
+            if (cssChanged) refreshCss();
         })
         .catch(function() {
+            // RSC fetch failed — full reload as last resort
             location.reload();
         });
     }
 
-    function loadHydrationScript(scriptPath) {
-        var script = document.createElement("script");
-        script.type = "module";
-        script.src = "/storage" + scriptPath + "?t=" + Date.now();
-
-        script.onload = function() {
-            if (window.__NITRON_REFRESH__) {
-                try {
-                    window.__NITRON_REFRESH__.performReactRefresh();
-                }
-                catch (e) {}
-            }
+    // --- CSS Hot Reload ---
 
-            script.remove();
-        };
-
-        document.head.appendChild(script);
-    }
-
-    // CSS Updates
-    function refreshCss(filename) {
+    // Cache-busts all stylesheets by appending ?t=<timestamp>
+    function refreshCss() {
         var links = document.querySelectorAll('link[rel="stylesheet"]');
         var timestamp = Date.now();
 
-        if (!filename) {
-            for (var i = 0; i < links.length; i++) {
-                var href = (links[i].href || "").split("?")[0];
-                links[i].href = href + "?t=" + timestamp;
-            }
-
-            return;
-        }
-
-        var found = false;
-        var target = filename.split(/[\\/]/).pop();
-
         for (var i = 0; i < links.length; i++) {
             var href = (links[i].href || "").split("?")[0];
-
-            if (href.endsWith("/" + target)) {
-                links[i].href = href + "?t=" + timestamp;
-                found = true;
-            }
-        }
-
-        if (!found) {
-            location.reload();
+            links[i].href = href + "?t=" + timestamp;
         }
     }
 
-    // Error Overlay
+    // --- Build Error Overlay ---
+
     function showErrorOverlay(message, file) {
         hideErrorOverlay();
 
-        errorOverlay = document.createElement("div");
-        errorOverlay.id = "__nitron_error__";
-        errorOverlay.innerHTML =
+        var overlay = document.createElement("div");
+        overlay.id = "__nitron_error__";
+        overlay.innerHTML =
             '<div style="position:fixed;inset:0;background:rgba(0,0,0,.95);color:#ff4444;padding:32px;font-family:monospace;z-index:999999;overflow:auto">' +
                 '<div style="font-size:24px;font-weight:bold;margin-bottom:16px">Build Error</div>' +
                 '<div style="color:#888;margin-bottom:16px">' + escapeHtml(file || "") + '</div>' +
@@ -177,7 +187,7 @@
                 '<button onclick="this.parentNode.parentNode.remove()" style="position:absolute;top:16px;right:16px;background:#333;color:#fff;border:none;padding:8px 16px;cursor:pointer;border-radius:4px">Close</button>' +
             '</div>';
 
-        document.body.appendChild(errorOverlay);
+        document.body.appendChild(overlay);
     }
 
     function hideErrorOverlay() {
@@ -186,11 +196,10 @@
         if (el) {
             el.remove();
         }
-
-        errorOverlay = null;
     }
 
-    // Utilities
+    // --- Utilities ---
+
     function escapeHtml(str) {
         return String(str || "")
             .replace(/&/g, "&amp;")
@@ -198,7 +207,8 @@
             .replace(/>/g, "&gt;");
     }
 
-    // Initialize
+    // --- Initialize ---
+
     if (document.readyState === "loading") {
         document.addEventListener("DOMContentLoaded", connect);
     }