@photostructure/fs-metadata 0.6.0 → 0.7.0

package/src/darwin/volume_metadata.cpp

@@ -1,22 +1,27 @@
 // src/darwin/volume_metadata.cpp
+// Thread-safe implementation with DiskArbitration mutex synchronization
 
 #include "../common/debug_log.h"
 #include "./fs_meta.h"
+#include "./path_security.h"
 #include "./raii_utils.h"
 
 #include <CoreFoundation/CoreFoundation.h>
 #include <DiskArbitration/DiskArbitration.h>
-#include <IOKit/IOBSD.h>
-#include <IOKit/storage/IOMedia.h>
-#include <IOKit/storage/IOStorageProtocolCharacteristics.h>
+#include <fcntl.h> // For open(), O_RDONLY, O_DIRECTORY
 #include <memory>
+#include <mutex>
 #include <string>
 #include <sys/mount.h>
 #include <sys/param.h>
 #include <sys/statvfs.h>
+#include <unistd.h> // For close()
 
 namespace FSMeta {
 
+// Global mutex for DiskArbitration operations
+static std::mutex g_diskArbitrationMutex;
+
 // Helper function to convert CFString to std::string
 static std::string CFStringToString(CFStringRef cfString) {
   if (!cfString) {
@@ -24,16 +29,43 @@ static std::string CFStringToString(CFStringRef cfString) {
   }
 
   CFIndex length = CFStringGetLength(cfString);
+  if (length == 0) {
+    return "";
+  }
+
+  // Check for overflow when calculating buffer size
   CFIndex maxSize =
-      CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8) + 1;
+      CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8);
+  if (maxSize == kCFNotFound || maxSize > INT_MAX - 1) {
+    return "";
+  }
+  maxSize += 1; // For null terminator
+
   std::string result(maxSize, '\0');
 
-  if (!CFStringGetCString(cfString, &result[0], maxSize,
-                          kCFStringEncodingUTF8)) {
+  Boolean success =
+      CFStringGetCString(cfString, &result[0], maxSize, kCFStringEncodingUTF8);
+  if (!success) {
+    // Log the failure for debugging
+    // Common reasons: encoding issue, buffer too small, or malformed string
+    DEBUG_LOG("[CFStringToString] Conversion failed - likely encoding issue or "
+              "buffer too small");
+    DEBUG_LOG("[CFStringToString] maxSize: %ld, string length: %ld", maxSize,
+              CFStringGetLength(cfString));
     return "";
   }
 
-  result.resize(strlen(result.c_str()));
+  // Find actual string length by looking for null terminator
+  // This is safer than using strlen which could read past buffer
+  size_t actualLength = 0;
+  for (size_t i = 0; i < static_cast<size_t>(maxSize); ++i) {
+    if (result[i] == '\0') {
+      actualLength = i;
+      break;
+    }
+  }
+
+  result.resize(actualLength);
   return result;
 }
 
@@ -48,10 +80,32 @@ public:
     DEBUG_LOG("[GetVolumeMetadataWorker] Executing for mount point: %s",
               mountPoint.c_str());
     try {
+      // Validate and canonicalize mount point using realpath()
+      // This follows Apple's Secure Coding Guide recommendations
+      std::string error;
+      std::string validated_mount_point =
+          ValidatePathForRead(mountPoint, error);
+      if (validated_mount_point.empty()) {
+        SetError(error);
+        return;
+      }
+
+      // Use validated path for all subsequent operations
+      DEBUG_LOG("[GetVolumeMetadataWorker] Using validated mount point: %s",
+                validated_mount_point.c_str());
+
+      // Temporarily store original mountPoint and replace with validated one
+      std::string original_mount_point = mountPoint;
+      mountPoint = validated_mount_point;
+
       if (!GetBasicVolumeInfo()) {
+        mountPoint = original_mount_point; // Restore for error reporting
         return;
       }
-      GetDiskArbitrationInfo();
+      GetDiskArbitrationInfoSafe();
+
+      // Restore original for consistency
+      mountPoint = original_mount_point;
     } catch (const std::exception &e) {
       DEBUG_LOG("[GetVolumeMetadataWorker] Exception: %s", e.what());
       SetError(e.what());
@@ -64,23 +118,53 @@ private:
   bool GetBasicVolumeInfo() {
     DEBUG_LOG("[GetVolumeMetadataWorker] Getting basic volume info for: %s",
               mountPoint.c_str());
+
+    // Use file descriptors to prevent TOCTOU race conditions
+    // Open the mount point directory with O_DIRECTORY to ensure it's a
+    // directory
+    int fd = open(mountPoint.c_str(), O_RDONLY | O_DIRECTORY);
+    if (fd < 0) {
+      int error = errno;
+      DEBUG_LOG("[GetVolumeMetadataWorker] open failed: %s (%d)",
+                strerror(error), error);
+      SetError(CreatePathErrorMessage("open", mountPoint, error));
+      return false;
+    }
+
+    // RAII wrapper for file descriptor to ensure it's always closed
+    struct FdGuard {
+      int fd;
+      ~FdGuard() {
+        if (fd >= 0) {
+          close(fd);
+        }
+      }
+    } fd_guard{fd};
+
     struct statvfs vfs;
     struct statfs fs;
 
-    if (statvfs(mountPoint.c_str(), &vfs) != 0) {
-      DEBUG_LOG("[GetVolumeMetadataWorker] statvfs failed: %s (%d)",
-                strerror(errno), errno);
-      SetError(CreatePathErrorMessage("statvfs", mountPoint, errno));
+    // Use fstatvfs and fstatfs on the file descriptor to prevent TOCTOU
+    // The fd holds a reference to the filesystem, preventing mount changes
+    if (fstatvfs(fd, &vfs) != 0) {
+      int error = errno;
+      DEBUG_LOG("[GetVolumeMetadataWorker] fstatvfs failed: %s (%d)",
+                strerror(error), error);
+      SetError(CreatePathErrorMessage("fstatvfs", mountPoint, error));
       return false;
     }
 
-    if (statfs(mountPoint.c_str(), &fs) != 0) {
-      DEBUG_LOG("[GetVolumeMetadataWorker] statfs failed: %s (%d)",
-                strerror(errno), errno);
-      SetError(CreatePathErrorMessage("statfs", mountPoint, errno));
+    if (fstatfs(fd, &fs) != 0) {
+      int error = errno;
+      DEBUG_LOG("[GetVolumeMetadataWorker] fstatfs failed: %s (%d)",
+                strerror(error), error);
+      SetError(CreatePathErrorMessage("fstatfs", mountPoint, error));
       return false;
     }
 
+    // fd_guard will automatically close the file descriptor when this function
+    // returns
+
     // Calculate sizes using uint64_t to prevent overflow
     const uint64_t blockSize = vfs.f_frsize ? vfs.f_frsize : vfs.f_bsize;
     const uint64_t totalBlocks = static_cast<uint64_t>(vfs.f_blocks);
@@ -123,7 +207,7 @@ private:
     return true;
   }
 
-  void GetDiskArbitrationInfo() {
+  void GetDiskArbitrationInfoSafe() {
     DEBUG_LOG("[GetVolumeMetadataWorker] Getting Disk Arbitration info for: %s",
               mountPoint.c_str());
 
@@ -135,8 +219,18 @@ private:
       return;
     }
 
-    // Create session on current thread
-    CFReleaser<DASessionRef> session(DASessionCreate(kCFAllocatorDefault));
+    // THREAD SAFETY NOTE:
+    // Apple's DiskArbitration Programming Guide recommends scheduling DASession
+    // on a run loop or dispatch queue before using it. We use a dedicated
+    // serial dispatch queue (not the main queue) to avoid deadlock in Node.js
+    // context while following Apple's documented usage pattern.
+    //
+    // The mutex serializes DA operations across worker threads for extra
+    // safety.
+    std::lock_guard<std::mutex> lock(g_diskArbitrationMutex);
+
+    // Create session with RAII wrapper that handles unscheduling before release
+    DASessionRAII session(DASessionCreate(kCFAllocatorDefault));
     if (!session.isValid()) {
       DEBUG_LOG("[GetVolumeMetadataWorker] Failed to create DA session");
       metadata.status = "partial";
@@ -144,41 +238,18 @@ private:
       return;
     }
 
-    try {
-      // Get thread-local runloop or create new one if needed
-      CFRunLoopRef runLoop = CFRunLoopGetCurrent();
-      if (!runLoop) {
-        // If no runloop exists, create a new one for this thread
-        CFRunLoopRun();
-        runLoop = CFRunLoopGetCurrent();
-        if (!runLoop) {
-          throw std::runtime_error("Failed to create thread-local runloop");
-        }
-      }
-
-      // Schedule session with our runloop
-      DASessionScheduleWithRunLoop(session.get(), runLoop,
-                                   kCFRunLoopDefaultMode);
-
-      // Use RAII to ensure cleanup
-      struct RunLoopCleaner {
-        DASessionRef session;
-        CFRunLoopRef runLoop;
-        bool shouldStop;
-        RunLoopCleaner(DASessionRef s, CFRunLoopRef l, bool stop = false)
-            : session(s), runLoop(l), shouldStop(stop) {}
-        ~RunLoopCleaner() {
-          DASessionUnscheduleFromRunLoop(session, runLoop,
-                                         kCFRunLoopDefaultMode);
-          if (shouldStop) {
-            CFRunLoopStop(runLoop);
-          }
-        }
-      } scopeGuard(session.get(), runLoop, !CFRunLoopGetCurrent());
+    // Schedule session on a dedicated serial dispatch queue
+    // This follows Apple's documented pattern: create session, schedule it, use
+    // it. We use a background queue (not main queue) to avoid deadlock in
+    // Node.js. The RAII wrapper will automatically unschedule in its
+    // destructor.
+    static dispatch_queue_t da_queue =
+        dispatch_queue_create("com.photostructure.fs-metadata.diskarbitration",
+                              DISPATCH_QUEUE_SERIAL);
 
-      // Run the run loop briefly to ensure DA is ready
-      CFRunLoopRunInMode(kCFRunLoopDefaultMode, 0.1, true);
+    session.scheduleOnQueue(da_queue);
 
+    try {
       CFReleaser<DADiskRef> disk(DADiskCreateFromBSDName(
           kCFAllocatorDefault, session.get(), metadata.mountFrom.c_str()));
 
@@ -186,23 +257,22 @@ private:
         DEBUG_LOG("[GetVolumeMetadataWorker] Failed to create disk reference");
         metadata.status = "partial";
         metadata.error = "Failed to create disk reference";
+        // RAII wrapper will automatically unschedule on function exit
         return;
       }
 
+      // Now safe to call DADiskCopyDescription with properly scheduled session
       CFReleaser<CFDictionaryRef> description(
           DADiskCopyDescription(disk.get()));
       if (!description.isValid()) {
         DEBUG_LOG("[GetVolumeMetadataWorker] Failed to get disk description");
         metadata.status = "partial";
         metadata.error = "Failed to get disk description";
+        // RAII wrapper will automatically unschedule on function exit
         return;
       }
 
-      // Ensure we have a complete description before continuing
-      CFRunLoopRunInMode(kCFRunLoopDefaultMode, 0.1, false);
-
-      // Process description synchronously since we're already on the right
-      // thread
+      // Process description immediately
       ProcessDiskDescription(description.get());
 
       if (metadata.status != "partial") {
@@ -214,6 +284,8 @@ private:
       metadata.status = "error";
       metadata.error = e.what();
     }
+
+    // RAII wrapper automatically unschedules and releases session here
   }
 
   void ProcessDiskDescription(CFDictionaryRef description) {
@@ -248,7 +320,9 @@ private:
     DEBUG_LOG("[GetVolumeMetadataWorker] Processing network volume");
     CFBooleanRef isNetworkVolume = (CFBooleanRef)CFDictionaryGetValue(
         description, kDADiskDescriptionVolumeNetworkKey);
-    metadata.remote = CFBooleanGetValue(isNetworkVolume);
+    if (isNetworkVolume) {
+      metadata.remote = CFBooleanGetValue(isNetworkVolume);
+    }
 
     CFURLRef url = (CFURLRef)CFDictionaryGetValue(
         description, kDADiskDescriptionVolumePathKey);

package/src/darwin/volume_mount_points.cpp

@@ -31,6 +31,11 @@ public:
       // separately and our error handling already covers mount state changes
       // See https://github.com/swiftlang/swift-corelibs-foundation/issues/4649
 
+      // getmntinfo_r_np is the thread-safe version of getmntinfo().
+      // The "_r" suffix indicates "reentrant" (thread-safe).
+      // The "_np" suffix indicates "non-portable" (Apple-specific).
+      // This function allocates a new buffer that we must free (handled by
+      // RAII).
       int count = getmntinfo_r_np(mntbuf.ptr(), MNT_NOWAIT);
 
       if (count <= 0) {
@@ -43,64 +48,92 @@ public:
         }
       }
 
-      for (int i = 0; i < count; i++) {
-        MountPoint mp;
-        mp.mountPoint = mntbuf.get()[i].f_mntonname;
-        mp.fstype = mntbuf.get()[i].f_fstypename;
-        mp.error = ""; // Initialize error field
+      // Process mount points in batches to limit concurrent threads
+      const size_t maxConcurrentChecks = 4; // Limit concurrent access checks
 
-        DEBUG_LOG("[GetVolumeMountPointsWorker] Checking mount point: %s",
-                  mp.mountPoint.c_str());
+      for (size_t i = 0; i < static_cast<size_t>(count);
+           i += maxConcurrentChecks) {
+        std::vector<std::future<std::pair<std::string, bool>>> futures;
+        std::vector<MountPoint> batchMountPoints;
+
+        // Create batch of mount points and launch their checks
+        for (size_t j = i;
+             j < static_cast<size_t>(count) && j < i + maxConcurrentChecks;
+             j++) {
+          MountPoint mp;
+          mp.mountPoint = mntbuf.get()[j].f_mntonname;
+          mp.fstype = mntbuf.get()[j].f_fstypename;
+          mp.error = ""; // Initialize error field
+
+          DEBUG_LOG("[GetVolumeMountPointsWorker] Checking mount point: %s",
+                    mp.mountPoint.c_str());
 
-        try {
-          // Use RAII to manage future
-          auto future = std::make_shared<std::future<bool>>(
+          batchMountPoints.push_back(mp);
+
+          // Launch async check
+          futures.push_back(
               std::async(std::launch::async, [path = mp.mountPoint]() {
-                // Use faccessat for better security
-                return faccessat(AT_FDCWD, path.c_str(), R_OK, AT_EACCESS) == 0;
+                // faccessat is preferred over access() for security:
+                // - AT_FDCWD: Use current working directory as base
+                // - AT_EACCESS: Check using effective user/group IDs (not real
+                // IDs) This prevents TOCTOU attacks and privilege escalation
+                // issues
+                bool accessible =
+                    faccessat(AT_FDCWD, path.c_str(), R_OK, AT_EACCESS) == 0;
+                return std::make_pair(path, accessible);
               }));
+        }
 
-          auto status = future->wait_for(std::chrono::milliseconds(timeoutMs_));
-
-          switch (status) {
-          case std::future_status::timeout:
-            mp.status = "disconnected";
-            mp.error = "Access check timed out";
-            DEBUG_LOG("[GetVolumeMountPointsWorker] Access check timed out: %s",
-                      mp.mountPoint.c_str());
-            break;
-
-          case std::future_status::ready:
-            try {
-              bool isAccessible = future->get();
-              mp.status = isAccessible ? "healthy" : "inaccessible";
-              if (!isAccessible) {
-                mp.error = "Path is not accessible";
+        // Process results for this batch
+        for (size_t k = 0; k < futures.size(); k++) {
+          auto &mp = batchMountPoints[k];
+          try {
+            auto status =
+                futures[k].wait_for(std::chrono::milliseconds(timeoutMs_));
+
+            switch (status) {
+            case std::future_status::timeout:
+              mp.status = "disconnected";
+              mp.error = "Access check timed out";
+              DEBUG_LOG(
+                  "[GetVolumeMountPointsWorker] Access check timed out: %s",
+                  mp.mountPoint.c_str());
+              break;
+
+            case std::future_status::ready:
+              try {
+                auto result = futures[k].get();
+                bool isAccessible = result.second;
+                mp.status = isAccessible ? "healthy" : "inaccessible";
+                if (!isAccessible) {
+                  mp.error = "Path is not accessible";
+                }
+                DEBUG_LOG("[GetVolumeMountPointsWorker] Access check %s: %s",
+                          isAccessible ? "succeeded" : "failed",
+                          mp.mountPoint.c_str());
+              } catch (const std::exception &e) {
+                mp.status = "error";
+                mp.error = std::string("Access check failed: ") + e.what();
+                DEBUG_LOG("[GetVolumeMountPointsWorker] Exception: %s",
+                          e.what());
               }
-              DEBUG_LOG("[GetVolumeMountPointsWorker] Access check %s: %s",
-                        isAccessible ? "succeeded" : "failed",
-                        mp.mountPoint.c_str());
-            } catch (const std::exception &e) {
+              break;
+
+            default:
               mp.status = "error";
-              mp.error = std::string("Access check failed: ") + e.what();
-              DEBUG_LOG("[GetVolumeMountPointsWorker] Exception: %s", e.what());
+              mp.error = "Unexpected future status";
+              DEBUG_LOG("[GetVolumeMountPointsWorker] Unexpected status: %s",
+                        mp.mountPoint.c_str());
+              break;
             }
-            break;
-
-          default:
+          } catch (const std::exception &e) {
             mp.status = "error";
-            mp.error = "Unexpected future status";
-            DEBUG_LOG("[GetVolumeMountPointsWorker] Unexpected status: %s",
-                      mp.mountPoint.c_str());
-            break;
+            mp.error = std::string("Mount point check failed: ") + e.what();
+            DEBUG_LOG("[GetVolumeMountPointsWorker] Exception: %s", e.what());
           }
-        } catch (const std::exception &e) {
-          mp.status = "error";
-          mp.error = std::string("Mount point check failed: ") + e.what();
-          DEBUG_LOG("[GetVolumeMountPointsWorker] Exception: %s", e.what());
-        }
 
-        mountPoints_.push_back(std::move(mp));
+          mountPoints_.push_back(std::move(mp));
+        }
       }
     } catch (const std::exception &e) {
       SetError(std::string("Failed to process mount points: ") + e.what());

package/src/hidden.ts

@@ -2,8 +2,9 @@
 
 import { rename } from "node:fs/promises";
 import { basename, dirname, join } from "node:path";
+import { debug } from "./debuglog";
 import { WrappedError } from "./error";
-import { canStatAsync, statAsync } from "./fs";
+import { statAsync } from "./fs";
 import { isRootDirectory, normalizePath } from "./path";
 import { isWindows } from "./platform";
 import type { HiddenMetadata } from "./types/hidden_metadata";
@@ -47,14 +48,24 @@ export async function isHiddenImpl(
   pathname: string,
   nativeFn: NativeBindingsFn,
 ): Promise<boolean> {
+  debug("isHiddenImpl called with pathname: %s", pathname);
   const norm = normalizePath(pathname);
   if (norm == null) {
     throw new Error("Invalid pathname: " + JSON.stringify(pathname));
   }
-  return (
-    (LocalSupport.dotPrefix && isPosixHidden(norm)) ||
-    (LocalSupport.systemFlag && isSystemHidden(norm, nativeFn))
+  debug("Normalized path: %s", norm);
+  debug(
+    "LocalSupport: dotPrefix=%s, systemFlag=%s",
+    LocalSupport.dotPrefix,
+    LocalSupport.systemFlag,
   );
+
+  const result =
+    (LocalSupport.dotPrefix && isPosixHidden(norm)) ||
+    (LocalSupport.systemFlag && (await isSystemHidden(norm, nativeFn)));
+
+  debug("isHiddenImpl returning: %s", result);
+  return result;
 }
 
 export async function isHiddenRecursiveImpl(
@@ -108,20 +119,32 @@ async function isSystemHidden(
   pathname: string,
   nativeFn: NativeBindingsFn,
 ): Promise<boolean> {
+  debug("isSystemHidden called with pathname: %s", pathname);
   if (!LocalSupport.systemFlag) {
+    debug("systemFlag not supported on this platform");
     // not supported on this platform
     return false;
   }
-  if (isWindows && isRootDirectory(pathname)) {
-    // windows `attr` thinks all drive letters don't exist.
-    return false;
-  }
 
-  // don't bother the native bindings if the file doesn't exist:
-  return (
-    (await canStatAsync(pathname)) &&
-    (await (await nativeFn()).isHidden(pathname))
-  );
+  // Let the native function handle all validation, including root directories
+  // This ensures security checks are performed before any other checks
+  const native = await nativeFn();
+  debug("Calling native isHidden for: %s", pathname);
+
+  try {
+    const isHidden = await native.isHidden(pathname);
+    debug("Native isHidden returned: %s", isHidden);
+    return isHidden;
+  } catch (error) {
+    debug("Native isHidden threw error: %s", error);
+    // Handle non-existent paths by returning false (consistent with Windows behavior)
+    const errorStr = String(error);
+    if (errorStr.includes("Path not found")) {
+      debug("Path not found, returning false");
+      return false;
+    }
+    throw error;
+  }
 }
 
 /**

package/src/linux/gio_mount_points.cpp

@@ -21,25 +21,24 @@ void GioMountPointsWorker::Execute() {
   try {
     DEBUG_LOG("[GioMountPoints] processing mounts");
 
-    MountIterator::forEachMount([this](GMount * /*mount*/, GFile *root) {
-      const GCharPtr path(g_file_get_path(root));
-      if (path) {
-        const GFileInfoPtr info(g_file_query_filesystem_info(
-            root, G_FILE_ATTRIBUTE_FILESYSTEM_TYPE, nullptr, nullptr));
-        if (info) {
-          const char *fs_type_str = g_file_info_get_attribute_string(
-              info.get(), G_FILE_ATTRIBUTE_FILESYSTEM_TYPE);
-          if (fs_type_str) {
-            const GCharPtr fs_type(g_strdup(fs_type_str));
-            DEBUG_LOG("[GioMountPoints] found {mountPoint: %s, fsType: %s}",
-                      path.get(), fs_type.get());
-            MountPoint point{};
-            point.mountPoint = path.get();
-            point.fstype = fs_type.get();
-            mountPoints.push_back(point);
-          }
-        }
+    // Use thread-safe g_unix_mounts_get() API
+    MountIterator::forEachMount([this](GUnixMountEntry *entry) {
+      // Get mount path and filesystem type from thread-safe Unix mount API
+      const char *mount_path = g_unix_mount_get_mount_path(entry);
+      const char *fs_type = g_unix_mount_get_fs_type(entry);
+
+      if (mount_path && fs_type) {
+        DEBUG_LOG("[GioMountPoints] found {mountPoint: %s, fsType: %s}",
+                  mount_path, fs_type);
+
+        MountPoint point{};
+        point.mountPoint = mount_path;
+        point.fstype = fs_type;
+        mountPoints.push_back(point);
+      } else {
+        DEBUG_LOG("[GioMountPoints] skipping mount with null path or fstype");
       }
+
       return true; // Continue iteration
     });