@photostructure/fs-metadata 0.6.1 → 0.7.0

package/src/windows/error_utils.h

@@ -1,9 +1,10 @@
 // src/windows/error_utils.h
 #pragma once
+#include "../common/debug_log.h"
+#include "windows_arch.h"
 #include <sstream>
 #include <stdexcept>
 #include <string>
-#include <windows.h>
 
 namespace FSMeta {
 
@@ -16,27 +17,77 @@ public:
       : std::runtime_error(FormatWindowsError(operation, errorCode)) {}
 
 private:
+  // RAII wrapper for LocalFree - ensures cleanup even if exception thrown
+  // Prevents memory leaks when FormatMessageA allocates a buffer
+  struct LocalFreeGuard {
+    LPVOID ptr;
+
+    explicit LocalFreeGuard(LPVOID p) : ptr(p) {}
+
+    ~LocalFreeGuard() {
+      if (ptr) {
+        LocalFree(ptr);
+        DEBUG_LOG("[LocalFreeGuard] LocalFree called on FormatMessage buffer");
+      }
+    }
+
+    // Prevent copying to ensure single ownership
+    LocalFreeGuard(const LocalFreeGuard &) = delete;
+    LocalFreeGuard &operator=(const LocalFreeGuard &) = delete;
+
+    // Allow moving for flexibility
+    LocalFreeGuard(LocalFreeGuard &&other) noexcept : ptr(other.ptr) {
+      other.ptr = nullptr;
+    }
+
+    LocalFreeGuard &operator=(LocalFreeGuard &&other) noexcept {
+      if (this != &other) {
+        if (ptr) {
+          LocalFree(ptr);
+        }
+        ptr = other.ptr;
+        other.ptr = nullptr;
+      }
+      return *this;
+    }
+  };
+
   static std::string FormatWindowsError(const std::string &operation,
                                         DWORD error) {
     if (error == 0) {
       return operation + " failed with an unknown error";
     }
 
-    LPVOID messageBuffer;
+    LPVOID messageBuffer = nullptr;
     size_t size = FormatMessageA(
         FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
             FORMAT_MESSAGE_IGNORE_INSERTS,
         NULL, error, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
         (LPSTR)&messageBuffer, 0, NULL);
 
+    // RAII guard ensures LocalFree is called even if exception thrown
+    LocalFreeGuard guard(messageBuffer);
+
     if (size == 0 || !messageBuffer) {
+      DWORD formatError = GetLastError();
+      DEBUG_LOG("[FormatWindowsError] FormatMessageA failed for error %lu: "
+                "FormatMessage error=%lu, size=%zu",
+                error, formatError, size);
       return operation + " failed with error code: " + std::to_string(error);
     }
 
+    // Now safe: guard will free messageBuffer even if string construction
+    // throws
     std::string errorMessage((LPSTR)messageBuffer, size);
-    LocalFree(messageBuffer);
+
+    // Trim trailing newlines/carriage returns that Windows adds
+    while (!errorMessage.empty() &&
+           (errorMessage.back() == '\r' || errorMessage.back() == '\n')) {
+      errorMessage.pop_back();
+    }
 
     return operation + " failed: " + errorMessage;
+    // guard destructor automatically calls LocalFree here
   }
 };
 

package/src/windows/fs_meta.h

@@ -3,7 +3,7 @@
 #pragma once
 #include "../common/volume_metadata.h"
 #include "../common/volume_mount_points.h"
-#include <windows.h> // for MAX_PATH
+#include "windows_arch.h"
 
 namespace FSMeta {
 

package/src/windows/hidden.cpp

@@ -1,36 +1,12 @@
 // src/windows/hidden.cpp
 #include "hidden.h"
+#include "../common/debug_log.h"
 #include "error_utils.h"
-#include <windows.h>
+#include "security_utils.h"
 
 namespace FSMeta {
 
 namespace {
-// Utility class for path conversion
-class PathConverter {
-public:
-  static std::wstring ToWString(const std::string &path) {
-    if (path.empty()) {
-      return std::wstring();
-    }
-
-    // Pre-calculate required buffer size
-    int wlen = MultiByteToWideChar(CP_UTF8, 0, path.c_str(),
-                                   static_cast<int>(path.length()), nullptr, 0);
-    if (wlen == 0) {
-      throw FSException("Path conversion", GetLastError());
-    }
-
-    // Reserve exact size needed
-    std::wstring wpath(wlen, 0);
-    if (!MultiByteToWideChar(CP_UTF8, 0, path.c_str(),
-                             static_cast<int>(path.length()), &wpath[0],
-                             wlen)) {
-      throw FSException("Path conversion", GetLastError());
-    }
-    return wpath;
-  }
-};
 
 // RAII wrapper for file attributes
 class FileAttributeHandler {
@@ -48,8 +24,9 @@ public:
   bool isHidden() const { return (attributes & FILE_ATTRIBUTE_HIDDEN) != 0; }
 
   void setHidden(bool value) {
-    DWORD newAttrs = value ? (attributes | FILE_ATTRIBUTE_HIDDEN)
-                           : (attributes & ~FILE_ATTRIBUTE_HIDDEN);
+    DWORD newAttrs =
+        value ? (attributes | static_cast<DWORD>(FILE_ATTRIBUTE_HIDDEN))
+              : (attributes & ~static_cast<DWORD>(FILE_ATTRIBUTE_HIDDEN));
 
     if (!SetFileAttributesW(path.c_str(), newAttrs)) {
       throw FSException("SetFileAttributes", GetLastError());
@@ -61,7 +38,7 @@ public:
 
 class GetHiddenWorker : public Napi::AsyncWorker {
   const std::string path;
-  bool result;
+  bool result = false;
   Napi::Promise::Deferred deferred;
 
 public:
@@ -70,28 +47,68 @@ public:
 
   void Execute() override {
     try {
-      // Add path validation to prevent directory traversal
-      if (path.find("..") != std::string::npos) {
-        throw FSException("Invalid path containing '..'",
+      // Debug: Log the input path
+      DEBUG_LOG("[GetHiddenWorker] Checking path: %s", path.c_str());
+
+      // Enhanced security validation
+      if (!SecurityUtils::IsPathSecure(path)) {
+        DEBUG_LOG("[GetHiddenWorker] Path failed security check: %s",
+                  path.c_str());
+        throw FSException("Security validation failed: invalid path",
                           ERROR_INVALID_PARAMETER);
       }
 
-      auto wpath = PathConverter::ToWString(path);
-      FileAttributeHandler handler(wpath);
-      result = handler.isHidden();
+      DEBUG_LOG("[GetHiddenWorker] Path passed security check");
+
+      auto wpath = SecurityUtils::SafeStringToWide(path);
+      DEBUG_LOG("[GetHiddenWorker] Converted to wide string");
+
+      // Check if file exists before checking attributes
+      DWORD attributes = GetFileAttributesW(wpath.c_str());
+      if (attributes == INVALID_FILE_ATTRIBUTES) {
+        DWORD error = GetLastError();
+        if (error == ERROR_FILE_NOT_FOUND || error == ERROR_PATH_NOT_FOUND) {
+          DEBUG_LOG("[GetHiddenWorker] File not found: %s", path.c_str());
+          result = false; // Non-existent files are not hidden
+          return;
+        }
+        // Other errors should throw
+        throw FSException("GetFileAttributes", error);
+      }
+
+      // Check if it's a root directory
+      bool isRoot =
+          (wpath.length() == 3 && wpath[1] == L':' && wpath[2] == L'\\');
+      if (isRoot) {
+        DEBUG_LOG(
+            "[GetHiddenWorker] Root directory detected: %s, attributes: 0x%X",
+            path.c_str(), attributes);
+        // Windows may report root directories as hidden/system, but we'll
+        // report the actual state The tests will need to be updated to reflect
+        // actual Windows behavior
+      }
+
+      result = (attributes & FILE_ATTRIBUTE_HIDDEN) != 0;
+      DEBUG_LOG("[GetHiddenWorker] Result: %s",
+                result ? "hidden" : "not hidden");
     } catch (const FSException &e) {
+      DEBUG_LOG("[GetHiddenWorker] Caught FSException: %s", e.what());
       SetError(e.what());
     } catch (const std::exception &e) {
+      DEBUG_LOG("[GetHiddenWorker] Caught std::exception: %s", e.what());
       SetError(std::string("Unexpected error: ") + e.what());
     }
   }
 
   void OnOK() override {
+    DEBUG_LOG("[GetHiddenWorker] OnOK called, result=%s",
+              result ? "true" : "false");
     Napi::HandleScope scope(Env());
     deferred.Resolve(Napi::Boolean::New(Env(), result));
   }
 
   void OnError(const Napi::Error &e) override {
+    DEBUG_LOG("[GetHiddenWorker] OnError called with: %s", e.Message().c_str());
     Napi::HandleScope scope(Env());
     deferred.Reject(e.Value());
   }
@@ -109,13 +126,13 @@ public:
 
   void Execute() override {
     try {
-      // Add path validation to prevent directory traversal
-      if (path.find("..") != std::string::npos) {
-        throw FSException("Invalid path containing '..'",
+      // Enhanced security validation
+      if (!SecurityUtils::IsPathSecure(path)) {
+        throw FSException("Security validation failed: invalid path",
                           ERROR_INVALID_PARAMETER);
       }
 
-      auto wpath = PathConverter::ToWString(path);
+      auto wpath = SecurityUtils::SafeStringToWide(path);
       FileAttributeHandler handler(wpath);
       handler.setHidden(value);
     } catch (const FSException &e) {
@@ -145,8 +162,8 @@ Napi::Promise GetHiddenAttribute(const Napi::CallbackInfo &info) {
       throw Napi::TypeError::New(env, "String path expected");
     }
 
-    std::string path = info[0].As<Napi::String>();
-    auto *worker = new GetHiddenWorker(env, std::move(path), deferred);
+    auto *worker = new GetHiddenWorker(
+        env, info[0].As<Napi::String>().Utf8Value(), deferred);
     worker->Queue();
 
     return deferred.Promise();
@@ -165,10 +182,10 @@ Napi::Promise SetHiddenAttribute(const Napi::CallbackInfo &info) {
       throw Napi::TypeError::New(env, "String path and boolean value expected");
     }
 
-    std::string path = info[0].As<Napi::String>();
     bool value = info[1].As<Napi::Boolean>();
 
-    auto *worker = new SetHiddenWorker(env, std::move(path), value, deferred);
+    auto *worker = new SetHiddenWorker(
+        env, info[0].As<Napi::String>().Utf8Value(), value, deferred);
     worker->Queue();
 
     return deferred.Promise();

package/src/windows/security_utils.h

@@ -0,0 +1,250 @@
+// src/windows/security_utils.h
+#pragma once
+#include "windows_arch.h"
+#include <algorithm>
+#include <cctype>
+#include <pathcch.h>
+#include <sddl.h>
+#include <stdexcept>
+#include <string>
+#include <strsafe.h>
+#include <vector>
+
+#pragma comment(lib, "Pathcch.lib")
+
+namespace FSMeta {
+
+class SecurityUtils {
+public:
+  // Path validation to prevent security vulnerabilities
+  static bool IsPathSecure(const std::string &path) {
+    // Check for empty path
+    if (path.empty()) {
+      return false;
+    }
+
+    // Check for excessive length (prevent buffer overflow)
+    // Windows 10+ supports paths up to 32,768 characters (PATHCCH_MAX_CCH)
+    // UTF-8 worst case: 3 bytes per wide character
+    if (path.length() > PATHCCH_MAX_CCH * 3) {
+      return false;
+    }
+
+    // Check for null bytes
+    if (path.find('\0') != std::string::npos) {
+      return false;
+    }
+
+    // Check for directory traversal - be more strict
+    // Check if path starts with ..
+    if (path.size() >= 2 && path.substr(0, 2) == "..") {
+      return false;
+    }
+
+    // Check for basic directory traversal
+    if (path.find("..\\") != std::string::npos ||
+        path.find("../") != std::string::npos ||
+        path.find("\\..") != std::string::npos ||
+        path.find("/..") != std::string::npos) {
+      return false;
+    }
+
+    // Check for device names that could be exploited
+    static const std::vector<std::string> deviceNames = {
+        "CON",  "PRN",  "AUX",  "NUL",  "COM1", "COM2", "COM3", "COM4",
+        "COM5", "COM6", "COM7", "COM8", "COM9", "LPT1", "LPT2", "LPT3",
+        "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9"};
+
+    std::string upperPath = path;
+    std::transform(upperPath.begin(), upperPath.end(), upperPath.begin(),
+                   ::toupper);
+
+    for (const auto &device : deviceNames) {
+      // Check for device name in path components
+      if (upperPath.find("\\" + device) != std::string::npos ||
+          upperPath.find("/" + device) != std::string::npos) {
+        // Check if it's followed by a backslash, forward slash, dot, or end of
+        // string
+        size_t pos = upperPath.find("\\" + device);
+        if (pos == std::string::npos) {
+          pos = upperPath.find("/" + device);
+        }
+        if (pos != std::string::npos) {
+          size_t endPos = pos + 1 + device.length();
+          if (endPos >= upperPath.length() || upperPath[endPos] == '\\' ||
+              upperPath[endPos] == '/' || upperPath[endPos] == '.') {
+            return false;
+          }
+        }
+      }
+    }
+
+    // Check for alternate data streams (except drive letter colon)
+    size_t colonPos = path.find(':');
+    if (colonPos != std::string::npos) {
+      // Allow only if it's a drive letter at position 1
+      if (!(colonPos == 1 && isalpha(path[0]) &&
+            (path.length() == 2 || path[2] == '\\' || path[2] == '/'))) {
+        return false; // Alternate data stream attempt
+      }
+      // Check for multiple colons
+      if (path.find(':', colonPos + 1) != std::string::npos) {
+        return false;
+      }
+    }
+
+    // Check for UNC path injection
+    if (path.size() >= 4) {
+      if ((path.substr(0, 4) == "\\\\?\\") ||
+          (path.substr(0, 4) == "\\\\.\\")) {
+        return false; // Device namespace paths are dangerous
+      }
+    }
+
+    return true;
+  }
+
+  // Safe path normalization with long path support (up to 32,768 characters)
+  // Uses PathCchCanonicalizeEx to support Windows 10+ long paths
+  static std::wstring NormalizePath(const std::wstring &path) {
+    // Use PATHCCH_MAX_CCH (32,768) instead of MAX_PATH (260)
+    wchar_t canonicalPath[PATHCCH_MAX_CCH];
+    HRESULT hr = PathCchCanonicalizeEx(
+        canonicalPath, PATHCCH_MAX_CCH, path.c_str(),
+        PATHCCH_ALLOW_LONG_PATHS // Enable long path support for Windows 10+
+    );
+
+    if (FAILED(hr)) {
+      throw std::runtime_error("Failed to canonicalize path: HRESULT " +
+                               std::to_string(hr));
+    }
+
+    return std::wstring(canonicalPath);
+  }
+
+  // Check if process has required privileges
+  static bool HasRequiredPrivileges() {
+    HANDLE token;
+    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)) {
+      return false;
+    }
+
+    TOKEN_ELEVATION elevation;
+    DWORD size = sizeof(elevation);
+    BOOL result = GetTokenInformation(token, TokenElevation, &elevation,
+                                      sizeof(elevation), &size);
+
+    CloseHandle(token);
+    return result && elevation.TokenIsElevated;
+  }
+
+  // Safe string conversion with validation
+  // Default max length supports long paths (PATHCCH_MAX_CCH = 32,768 wide
+  // chars) UTF-8 worst case: 3 bytes per wide character
+  static std::wstring SafeStringToWide(const std::string &str,
+                                       size_t maxLength = PATHCCH_MAX_CCH * 3) {
+    if (str.empty()) {
+      return L"";
+    }
+
+    if (str.length() > maxLength) {
+      throw std::invalid_argument("String exceeds maximum allowed length");
+    }
+
+    // Validate UTF-8 sequence before conversion
+    int requiredSize = MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS,
+                                           str.c_str(), -1, nullptr, 0);
+
+    if (requiredSize == 0) {
+      throw std::runtime_error("Invalid UTF-8 sequence");
+    }
+
+    std::wstring result(requiredSize - 1, L'\0');
+    if (!MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, str.c_str(), -1,
+                             &result[0], requiredSize)) {
+      throw std::runtime_error("Failed to convert string");
+    }
+
+    return result;
+  }
+};
+
+// RAII wrapper for HANDLE resources
+class HandleGuard {
+  HANDLE handle;
+
+public:
+  explicit HandleGuard(HANDLE h) : handle(h) {}
+
+  ~HandleGuard() {
+    if (handle && handle != INVALID_HANDLE_VALUE) {
+      CloseHandle(handle);
+    }
+  }
+
+  HandleGuard(HandleGuard &&other) noexcept : handle(other.handle) {
+    other.handle = nullptr;
+  }
+
+  HandleGuard &operator=(HandleGuard &&other) noexcept {
+    if (this != &other) {
+      if (handle && handle != INVALID_HANDLE_VALUE) {
+        CloseHandle(handle);
+      }
+      handle = other.handle;
+      other.handle = nullptr;
+    }
+    return *this;
+  }
+
+  // Delete copy operations
+  HandleGuard(const HandleGuard &) = delete;
+  HandleGuard &operator=(const HandleGuard &) = delete;
+
+  HANDLE get() const { return handle; }
+  HANDLE release() {
+    HANDLE h = handle;
+    handle = nullptr;
+    return h;
+  }
+
+  explicit operator bool() const {
+    return handle && handle != INVALID_HANDLE_VALUE;
+  }
+};
+
+// RAII wrapper for critical sections
+class CriticalSectionGuard {
+  CRITICAL_SECTION cs;
+
+public:
+  CriticalSectionGuard() { InitializeCriticalSection(&cs); }
+
+  ~CriticalSectionGuard() { DeleteCriticalSection(&cs); }
+
+  // Delete copy/move operations
+  CriticalSectionGuard(const CriticalSectionGuard &) = delete;
+  CriticalSectionGuard &operator=(const CriticalSectionGuard &) = delete;
+  CriticalSectionGuard(CriticalSectionGuard &&) = delete;
+  CriticalSectionGuard &operator=(CriticalSectionGuard &&) = delete;
+
+  void Enter() { EnterCriticalSection(&cs); }
+  void Leave() { LeaveCriticalSection(&cs); }
+  BOOL TryEnter() { return TryEnterCriticalSection(&cs); }
+
+  // RAII lock helper
+  class Lock {
+    CriticalSectionGuard &guard;
+
+  public:
+    explicit Lock(CriticalSectionGuard &g) : guard(g) { guard.Enter(); }
+
+    ~Lock() { guard.Leave(); }
+
+    // Delete copy/move
+    Lock(const Lock &) = delete;
+    Lock &operator=(const Lock &) = delete;
+  };
+};
+
+} // namespace FSMeta

package/src/windows/string.h

@@ -1,22 +1,55 @@
 // src/windows/string.h
 
 #pragma once
+#include "../common/debug_log.h"
+#include "windows_arch.h"
+#include <climits>
+#include <pathcch.h>
+#include <stdexcept>
 #include <string>
-#include <windows.h>
 
 namespace FSMeta {
 
+// Maximum reasonable size for string conversions (1MB)
+// Prevents allocation of excessive memory due to overflow or malicious input
+constexpr int MAX_STRING_CONVERSION_SIZE = 1024 * 1024;
+
 inline std::string WideToUtf8(const WCHAR *wide) {
   if (!wide || wide[0] == 0)
     return "";
 
+  // Get required buffer size
   int size =
       WideCharToMultiByte(CP_UTF8, 0, wide, -1, nullptr, 0, nullptr, nullptr);
-  if (size <= 0)
+
+  // Validate size is reasonable
+  if (size <= 0) {
+    DEBUG_LOG("[WideToUtf8] WideCharToMultiByte returned invalid size: %d",
+              size);
     return "";
+  }
+
+  // Check for overflow: size - 1 should be positive and reasonable
+  // INT_MAX - 1 check prevents overflow in subtraction
+  // MAX_STRING_CONVERSION_SIZE check prevents excessive allocations
+  if (size > INT_MAX - 1 || size > MAX_STRING_CONVERSION_SIZE) {
+    DEBUG_LOG("[WideToUtf8] Size too large: %d (max: %d)", size,
+              MAX_STRING_CONVERSION_SIZE);
+    throw std::runtime_error(
+        "String conversion size exceeds reasonable limits");
+  }
+
+  std::string result(static_cast<size_t>(size - 1), 0);
+
+  // Perform conversion and check result
+  int written = WideCharToMultiByte(CP_UTF8, 0, wide, -1, &result[0], size,
+                                    nullptr, nullptr);
+  if (written <= 0) {
+    DEBUG_LOG("[WideToUtf8] WideCharToMultiByte conversion failed: %lu",
+              GetLastError());
+    throw std::runtime_error("String conversion failed");
+  }
 
-  std::string result(size - 1, 0);
-  WideCharToMultiByte(CP_UTF8, 0, wide, -1, &result[0], size, nullptr, nullptr);
   return result;
 }
 
@@ -27,18 +60,42 @@ public:
       return L"";
     }
 
-    int wlen = MultiByteToWideChar(CP_UTF8, 0, path.c_str(),
+    // Validate input length fits in int (required by MultiByteToWideChar)
+    if (path.length() > static_cast<size_t>(INT_MAX)) {
+      DEBUG_LOG("[ToWString] Input path length exceeds INT_MAX: %zu",
+                path.length());
+      throw std::runtime_error("Input string too large for conversion");
+    }
+
+    int wlen = MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, path.c_str(),
                                    static_cast<int>(path.length()), nullptr, 0);
 
-    if (wlen == 0) {
+    // Validate wlen
+    if (wlen <= 0) {
+      DEBUG_LOG(
+          "[ToWString] MultiByteToWideChar returned invalid size: %d (error: "
+          "%lu)",
+          wlen, GetLastError());
       return L"";
     }
 
-    std::wstring wpath(wlen, 0);
-    if (!MultiByteToWideChar(CP_UTF8, 0, path.c_str(),
-                             static_cast<int>(path.length()), &wpath[0],
-                             wlen)) {
-      return L"";
+    // Check for reasonable size (PATHCCH_MAX_CCH for paths)
+    if (wlen > PATHCCH_MAX_CCH) {
+      DEBUG_LOG("[ToWString] Size exceeds maximum path length: %d (max: %d)",
+                wlen, PATHCCH_MAX_CCH);
+      throw std::runtime_error("Path too long for conversion");
+    }
+
+    std::wstring wpath(static_cast<size_t>(wlen), 0);
+
+    // Perform conversion with error checking
+    int written =
+        MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, path.c_str(),
+                            static_cast<int>(path.length()), &wpath[0], wlen);
+    if (written <= 0) {
+      DEBUG_LOG("[ToWString] MultiByteToWideChar conversion failed: %lu",
+                GetLastError());
+      throw std::runtime_error("String conversion failed");
     }
 
     return wpath;

package/src/windows/system_volume.h

@@ -2,10 +2,10 @@
 #pragma once
 #include "../common/debug_log.h"
 #include "string.h"
+#include "windows_arch.h"
 #include <PathCch.h>
 #include <shlobj.h> // For SHGetFolderPathW and CSIDL constants
 #include <string>
-#include <windows.h>
 
 // If FILE_SUPPORTS_SYSTEM_PATHS is not defined (older SDK)
 #ifndef FILE_SUPPORTS_SYSTEM_PATHS