@robinmordasiewicz/f5xc-xcsh 1.0.91-2601040044 → 1.0.91-2601040203

package/dist/index.js

@@ -47052,8 +47052,8 @@ function getLogoModeFromEnv(envPrefix) {
 var CLI_NAME = "xcsh";
 var CLI_FULL_NAME = "F5 Distributed Cloud Shell";
 function getVersion() {
-  if ("v1.0.91-2601040044") {
-    return "v1.0.91-2601040044";
+  if ("v1.0.91-2601040203") {
+    return "v1.0.91-2601040203";
   }
   if (process.env.XCSH_VERSION) {
     return process.env.XCSH_VERSION;
@@ -145585,6 +145585,387 @@ function buildConnectionInfo(profileName, apiUrl, hasToken, namespace, isConnect
   return info;
 }
 
+// src/validation/namespace.ts
+function validateNamespaceScope(domain, action, currentNamespace, resourceType) {
+  const opInfo = getOperationDescription(domain, action, resourceType);
+  if (!opInfo?.namespaceScope) {
+    return { valid: true };
+  }
+  const scope = opInfo.namespaceScope;
+  const normalizedNamespace = currentNamespace.toLowerCase();
+  switch (scope) {
+    case "system":
+      if (normalizedNamespace !== "system") {
+        return {
+          valid: false,
+          scope,
+          message: `${action} on ${resourceType || domain} requires the 'system' namespace`,
+          suggestion: "system"
+        };
+      }
+      return { valid: true, scope };
+    case "shared":
+      if (normalizedNamespace !== "shared") {
+        return {
+          valid: false,
+          scope,
+          message: `${action} on ${resourceType || domain} requires the 'shared' namespace`,
+          suggestion: "shared"
+        };
+      }
+      return { valid: true, scope };
+    case "any":
+    default:
+      return { valid: true, scope };
+  }
+}
+
+// src/validation/safety.ts
+function checkOperationSafety(domain, action, resourceType) {
+  const opInfo = getOperationDescription(domain, action, resourceType);
+  const dangerLevel = opInfo?.dangerLevel || "low";
+  const requiresConfirmation2 = opInfo?.confirmationRequired ?? dangerLevel === "high";
+  const sideEffects = opInfo?.sideEffects;
+  const result = {
+    proceed: dangerLevel !== "high",
+    // High danger requires explicit confirmation
+    dangerLevel,
+    requiresConfirmation: requiresConfirmation2
+  };
+  if (dangerLevel === "high") {
+    result.warning = formatHighDangerWarning(domain, action, sideEffects);
+  } else if (dangerLevel === "medium") {
+    result.warning = formatMediumDangerWarning(domain, action, sideEffects);
+  }
+  if (sideEffects) {
+    result.sideEffects = sideEffects;
+  }
+  return result;
+}
+function formatHighDangerWarning(_domain, _action, sideEffects) {
+  const lines = [
+    colorRed("\u26A0\uFE0F  WARNING: This is a HIGH DANGER operation"),
+    ""
+  ];
+  if (sideEffects) {
+    if (sideEffects.deletes && sideEffects.deletes.length > 0) {
+      lines.push(
+        colorRed(`  Will DELETE: ${sideEffects.deletes.join(", ")}`)
+      );
+    }
+    if (sideEffects.updates && sideEffects.updates.length > 0) {
+      lines.push(`  Will UPDATE: ${sideEffects.updates.join(", ")}`);
+    }
+    if (sideEffects.creates && sideEffects.creates.length > 0) {
+      lines.push(
+        colorDim(`  Will CREATE: ${sideEffects.creates.join(", ")}`)
+      );
+    }
+    lines.push("");
+  }
+  lines.push(
+    colorRed("This action may be destructive and cannot be undone.")
+  );
+  return lines.join("\n");
+}
+function formatMediumDangerWarning(_domain, _action, sideEffects) {
+  const lines = [
+    colorYellow("\u26A0\uFE0F  CAUTION: This operation may have significant effects"),
+    ""
+  ];
+  if (sideEffects) {
+    const effects = [];
+    if (sideEffects.creates && sideEffects.creates.length > 0) {
+      effects.push(`creates: ${sideEffects.creates.join(", ")}`);
+    }
+    if (sideEffects.updates && sideEffects.updates.length > 0) {
+      effects.push(`updates: ${sideEffects.updates.join(", ")}`);
+    }
+    if (sideEffects.deletes && sideEffects.deletes.length > 0) {
+      effects.push(`deletes: ${sideEffects.deletes.join(", ")}`);
+    }
+    if (effects.length > 0) {
+      lines.push(`  Side effects: ${effects.join("; ")}`);
+      lines.push("");
+    }
+  }
+  return lines.join("\n");
+}
+
+// src/validation/reserved-words.ts
+var RESERVED_ACTIONS = /* @__PURE__ */ new Set([
+  // CRUD operations
+  "create",
+  "delete",
+  "list",
+  "get",
+  "update",
+  "apply",
+  "patch",
+  // Info operations
+  "describe",
+  "show",
+  "status",
+  "logs",
+  "events",
+  // Modification
+  "edit",
+  "replace",
+  "set",
+  "unset",
+  // Lifecycle
+  "start",
+  "stop",
+  "restart",
+  "rollout",
+  "scale",
+  // Connection
+  "attach",
+  "detach",
+  "connect",
+  "disconnect",
+  // Registration
+  "register",
+  "deregister",
+  "associate",
+  "disassociate",
+  // AWS-specific
+  "put",
+  "modify",
+  // Built-in xcsh commands
+  "help",
+  "quit",
+  "exit",
+  "clear",
+  "history",
+  "refresh",
+  "context",
+  "banner",
+  "profile",
+  "completion",
+  // Common CLI patterns
+  "run",
+  "exec",
+  "wait",
+  "open",
+  "close",
+  "inspect",
+  "validate",
+  "diff",
+  "plan",
+  "import",
+  "export"
+]);
+var SHELL_METACHARACTERS = /[;&|`$()<>\\#!{}[\]*?~\n\r]/;
+var DANGEROUS_PATTERNS = [
+  {
+    pattern: /^-/,
+    message: "Name cannot start with a hyphen (would be interpreted as a flag)"
+  },
+  {
+    pattern: /^--/,
+    message: "Name cannot start with double-hyphen (would be interpreted as a long flag)"
+  },
+  {
+    pattern: /\.\./,
+    message: "Name cannot contain '..' (path traversal risk)"
+  },
+  {
+    pattern: /^\./,
+    message: "Name cannot start with '.' (hidden file pattern)"
+  },
+  {
+    pattern: /\//,
+    message: "Name cannot contain '/' (path separator)"
+  },
+  {
+    pattern: /\\$/,
+    message: "Name cannot end with backslash (escape sequence risk)"
+  },
+  {
+    pattern: /\s/,
+    message: "Name cannot contain whitespace"
+  },
+  {
+    pattern: /^_/,
+    message: "Name cannot start with underscore (reserved for internal use)"
+  }
+];
+var DANGEROUS_COMMANDS = /* @__PURE__ */ new Set([
+  // File destruction
+  "rm",
+  "rm-rf",
+  "rmdir",
+  "del",
+  "unlink",
+  "shred",
+  // Privilege escalation
+  "sudo",
+  "su",
+  "chmod",
+  "chown",
+  "chattr",
+  "setfacl",
+  // Network tools (payload download)
+  "wget",
+  "curl",
+  "nc",
+  "netcat",
+  "socat",
+  "telnet",
+  "ssh",
+  "scp",
+  "rsync",
+  // Shell execution
+  "bash",
+  "sh",
+  "zsh",
+  "csh",
+  "ksh",
+  "fish",
+  "pwsh",
+  "powershell",
+  // Process execution
+  "exec",
+  "eval",
+  "source",
+  "nohup",
+  "xargs",
+  // Process termination
+  "kill",
+  "pkill",
+  "killall",
+  "killall5",
+  // Disk operations
+  "dd",
+  "mkfs",
+  "fdisk",
+  "parted",
+  "format",
+  // System control
+  "reboot",
+  "shutdown",
+  "halt",
+  "poweroff",
+  "init",
+  "systemctl",
+  // Container escape
+  "docker",
+  "kubectl",
+  "nsenter",
+  "chroot"
+]);
+var CONTROL_CHARS = /[\x00-\x1f\x7f]/;
+var RFC1035_PATTERN = /^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$/;
+
+// src/validation/resource-name.ts
+var DEFAULT_OPTIONS = {
+  maxLength: 63,
+  allowUppercase: false,
+  skipFormatValidation: false
+};
+function validateResourceName(name, options = {}) {
+  const opts = { ...DEFAULT_OPTIONS, ...options };
+  const nameLower = name.toLowerCase();
+  if (!name || name.trim().length === 0) {
+    return {
+      valid: false,
+      category: "invalid",
+      message: "Resource name cannot be empty"
+    };
+  }
+  if (name.length > opts.maxLength) {
+    return {
+      valid: false,
+      category: "invalid",
+      message: `Name exceeds maximum length of ${opts.maxLength} characters (got ${name.length})`,
+      suggestion: sanitizeName(name.slice(0, opts.maxLength))
+    };
+  }
+  if (CONTROL_CHARS.test(name)) {
+    return {
+      valid: false,
+      category: "security",
+      message: "Name contains control characters which are not allowed"
+    };
+  }
+  if (SHELL_METACHARACTERS.test(name)) {
+    const match = name.match(SHELL_METACHARACTERS);
+    const char = match?.[0] ?? "unknown";
+    const charDesc = getCharacterDescription(char);
+    return {
+      valid: false,
+      category: "security",
+      message: `Name contains shell metacharacter '${charDesc}' which could enable command injection`
+    };
+  }
+  if (RESERVED_ACTIONS.has(nameLower)) {
+    return {
+      valid: false,
+      category: "reserved",
+      message: `'${name}' is a reserved CLI action word and cannot be used as a resource name`,
+      suggestion: `my-${name}`
+    };
+  }
+  if (DANGEROUS_COMMANDS.has(nameLower)) {
+    return {
+      valid: false,
+      category: "dangerous",
+      message: `'${name}' matches a dangerous system command and cannot be used as a resource name`
+    };
+  }
+  for (const { pattern, message } of DANGEROUS_PATTERNS) {
+    if (pattern.test(name)) {
+      return {
+        valid: false,
+        category: "dangerous",
+        message
+      };
+    }
+  }
+  if (!opts.skipFormatValidation) {
+    const nameToCheck = opts.allowUppercase ? nameLower : name;
+    if (!RFC1035_PATTERN.test(nameToCheck.toLowerCase())) {
+      return {
+        valid: false,
+        category: "invalid",
+        message: "Name must start with a letter, end with alphanumeric, and contain only lowercase letters, numbers, and hyphens",
+        suggestion: sanitizeName(name)
+      };
+    }
+  }
+  return { valid: true };
+}
+function getCharacterDescription(char) {
+  const descriptions = {
+    ";": "; (command separator)",
+    "&": "& (background execution)",
+    "|": "| (pipe)",
+    "`": "` (command substitution)",
+    $: "$ (variable/command expansion)",
+    "(": "( (subshell)",
+    ")": ") (subshell)",
+    "<": "< (input redirection)",
+    ">": "> (output redirection)",
+    "\\": "\\ (escape)",
+    "#": "# (comment)",
+    "!": "! (history expansion)",
+    "{": "{ (brace expansion)",
+    "}": "} (brace expansion)",
+    "[": "[ (bracket expansion)",
+    "]": "] (bracket expansion)",
+    "*": "* (glob pattern)",
+    "?": "? (glob pattern)",
+    "~": "~ (home directory)",
+    "\n": "newline",
+    "\r": "carriage return"
+  };
+  return descriptions[char] ?? char;
+}
+function sanitizeName(name) {
+  return name.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/^[^a-z]+/, "").replace(/-+$/, "").replace(/-{2,}/g, "-").slice(0, 63) || "resource";
+}
+
 // src/domains/login/profile/create.ts
 var createCommand2 = {
   name: "create",
@@ -145611,6 +145992,18 @@ var createCommand2 = {
         ].join("\n")
       );
     }
+    const nameValidation = validateResourceName(name, {
+      maxLength: 128,
+      // Profiles can have longer names than API resources
+      resourceType: "profile"
+    });
+    if (!nameValidation.valid) {
+      const lines = [`Invalid profile name: ${nameValidation.message}`];
+      if (nameValidation.suggestion) {
+        lines.push("", `Suggested: ${nameValidation.suggestion}`);
+      }
+      return errorResult(lines.join("\n"));
+    }
     const existing = await manager.get(name);
     if (existing) {
       return errorResult(
@@ -150510,13 +150903,13 @@ var RESERVED_API_ACTIONS = /* @__PURE__ */ new Set([
   "add-labels",
   "remove-labels"
 ]);
-function isReservedAction(name) {
+function isReservedAction2(name) {
   return RESERVED_API_ACTIONS.has(name.toLowerCase());
 }
 function validateExtension(extension) {
   const conflicts = [];
   for (const [name] of extension.commands) {
-    if (isReservedAction(name)) {
+    if (isReservedAction2(name)) {
       conflicts.push(name);
     }
   }
@@ -151861,114 +152254,15 @@ function useGitStatus(options = {}) {
   return { gitInfo, refresh, lastRefresh };
 }
 
-// src/validation/namespace.ts
-function validateNamespaceScope(domain, action, currentNamespace, resourceType) {
-  const opInfo = getOperationDescription(domain, action, resourceType);
-  if (!opInfo?.namespaceScope) {
-    return { valid: true };
-  }
-  const scope = opInfo.namespaceScope;
-  const normalizedNamespace = currentNamespace.toLowerCase();
-  switch (scope) {
-    case "system":
-      if (normalizedNamespace !== "system") {
-        return {
-          valid: false,
-          scope,
-          message: `${action} on ${resourceType || domain} requires the 'system' namespace`,
-          suggestion: "system"
-        };
-      }
-      return { valid: true, scope };
-    case "shared":
-      if (normalizedNamespace !== "shared") {
-        return {
-          valid: false,
-          scope,
-          message: `${action} on ${resourceType || domain} requires the 'shared' namespace`,
-          suggestion: "shared"
-        };
-      }
-      return { valid: true, scope };
-    case "any":
-    default:
-      return { valid: true, scope };
-  }
-}
-
-// src/validation/safety.ts
-function checkOperationSafety(domain, action, resourceType) {
-  const opInfo = getOperationDescription(domain, action, resourceType);
-  const dangerLevel = opInfo?.dangerLevel || "low";
-  const requiresConfirmation2 = opInfo?.confirmationRequired ?? dangerLevel === "high";
-  const sideEffects = opInfo?.sideEffects;
-  const result = {
-    proceed: dangerLevel !== "high",
-    // High danger requires explicit confirmation
-    dangerLevel,
-    requiresConfirmation: requiresConfirmation2
-  };
-  if (dangerLevel === "high") {
-    result.warning = formatHighDangerWarning(domain, action, sideEffects);
-  } else if (dangerLevel === "medium") {
-    result.warning = formatMediumDangerWarning(domain, action, sideEffects);
-  }
-  if (sideEffects) {
-    result.sideEffects = sideEffects;
-  }
-  return result;
-}
-function formatHighDangerWarning(_domain, _action, sideEffects) {
-  const lines = [
-    colorRed("\u26A0\uFE0F  WARNING: This is a HIGH DANGER operation"),
-    ""
-  ];
-  if (sideEffects) {
-    if (sideEffects.deletes && sideEffects.deletes.length > 0) {
-      lines.push(
-        colorRed(`  Will DELETE: ${sideEffects.deletes.join(", ")}`)
-      );
-    }
-    if (sideEffects.updates && sideEffects.updates.length > 0) {
-      lines.push(`  Will UPDATE: ${sideEffects.updates.join(", ")}`);
-    }
-    if (sideEffects.creates && sideEffects.creates.length > 0) {
-      lines.push(
-        colorDim(`  Will CREATE: ${sideEffects.creates.join(", ")}`)
-      );
-    }
-    lines.push("");
-  }
-  lines.push(
-    colorRed("This action may be destructive and cannot be undone.")
-  );
-  return lines.join("\n");
-}
-function formatMediumDangerWarning(_domain, _action, sideEffects) {
-  const lines = [
-    colorYellow("\u26A0\uFE0F  CAUTION: This operation may have significant effects"),
-    ""
-  ];
-  if (sideEffects) {
-    const effects = [];
-    if (sideEffects.creates && sideEffects.creates.length > 0) {
-      effects.push(`creates: ${sideEffects.creates.join(", ")}`);
-    }
-    if (sideEffects.updates && sideEffects.updates.length > 0) {
-      effects.push(`updates: ${sideEffects.updates.join(", ")}`);
-    }
-    if (sideEffects.deletes && sideEffects.deletes.length > 0) {
-      effects.push(`deletes: ${sideEffects.deletes.join(", ")}`);
-    }
-    if (effects.length > 0) {
-      lines.push(`  Side effects: ${effects.join("; ")}`);
-      lines.push("");
-    }
-  }
-  return lines.join("\n");
-}
-
 // src/repl/executor.ts
+var WRITE_OPERATIONS = /* @__PURE__ */ new Set([
+  "create",
+  "replace",
+  "apply",
+  "patch",
+  "add-labels",
+  "remove-labels"
+]);
 var BUILTIN_COMMANDS = /* @__PURE__ */ new Set([
   "help",
   "--help",
@@ -152653,6 +152947,50 @@ async function executeAPICommand(session, ctx, cmd) {
   );
   const { resourceType, name, namespace, outputFormat, spec, noColor } = parseCommandArgs(args, domainResourceTypes);
   const effectiveNamespace = namespace ?? session.getNamespace();
+  if (effectiveNamespace) {
+    const nsNameValidation = validateResourceName(effectiveNamespace, {
+      resourceType: "namespace"
+    });
+    if (!nsNameValidation.valid) {
+      const lines = [
+        `Error: Invalid namespace name '${effectiveNamespace}'`,
+        "",
+        nsNameValidation.message ?? "Invalid namespace name"
+      ];
+      if (nsNameValidation.suggestion) {
+        lines.push("", `Suggested: ${nsNameValidation.suggestion}`);
+      }
+      return {
+        output: lines,
+        shouldExit: false,
+        shouldClear: false,
+        contextChanged: false,
+        error: nsNameValidation.message ?? "Invalid namespace name"
+      };
+    }
+  }
+  if (WRITE_OPERATIONS.has(action) && name) {
+    const nameValidation = validateResourceName(name, {
+      resourceType: resourceType ?? canonicalDomain
+    });
+    if (!nameValidation.valid) {
+      const lines = [
+        `Error: Invalid resource name '${name}'`,
+        "",
+        nameValidation.message ?? "Invalid resource name"
+      ];
+      if (nameValidation.suggestion) {
+        lines.push("", `Suggested: ${nameValidation.suggestion}`);
+      }
+      return {
+        output: lines,
+        shouldExit: false,
+        shouldClear: false,
+        contextChanged: false,
+        error: nameValidation.message ?? "Invalid resource name"
+      };
+    }
+  }
   const effectiveResource = resourceType ?? canonicalDomain;
   const nsValidation = validateNamespaceScope(
     canonicalDomain,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@robinmordasiewicz/f5xc-xcsh",
-  "version": "1.0.91-2601040044",
+  "version": "1.0.91-2601040203",
   "description": "F5 Distributed Cloud Shell - Interactive CLI for F5 XC",
   "type": "module",
   "bin": {