@seedvault/server 0.1.0 → 0.1.1

package/dist/server.js

@@ -1743,13 +1743,6 @@ async function deleteFile(storageRoot, contributor, filePath) {
     }
   }
 }
-async function readFileContent(storageRoot, contributor, filePath) {
-  const absPath = resolvePath(storageRoot, contributor, filePath);
-  if (!existsSync(absPath)) {
-    throw new FileNotFoundError(filePath);
-  }
-  return await readFile(absPath, "utf-8");
-}
 async function listFiles(storageRoot, contributor, prefix) {
   const contributorRoot = join(storageRoot, contributor);
   if (!existsSync(contributorRoot)) {
@@ -1903,17 +1896,119 @@ async function syncContributors(storageRoot, contributors) {
   }
 }
 
+// src/shell.ts
+var ALLOWED_COMMANDS = new Set([
+  "ls",
+  "cat",
+  "head",
+  "tail",
+  "find",
+  "grep",
+  "wc",
+  "tree",
+  "stat"
+]);
+var MAX_STDOUT = 1024 * 1024;
+var TIMEOUT_MS = 1e4;
+function parseCommand(cmd) {
+  const args = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  for (let i = 0;i < cmd.length; i++) {
+    const ch = cmd[i];
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+    } else if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+    } else if (ch === " " && !inSingle && !inDouble) {
+      if (current.length > 0) {
+        args.push(current);
+        current = "";
+      }
+    } else {
+      current += ch;
+    }
+  }
+  if (current.length > 0) {
+    args.push(current);
+  }
+  return args;
+}
+async function executeCommand(cmd, storageRoot) {
+  const argv = parseCommand(cmd.trim());
+  if (argv.length === 0) {
+    throw new ShellValidationError("Empty command");
+  }
+  const command = argv[0];
+  if (!ALLOWED_COMMANDS.has(command)) {
+    throw new ShellValidationError(`Command not allowed: ${command}. Allowed: ${[...ALLOWED_COMMANDS].join(", ")}`);
+  }
+  for (const arg of argv.slice(1)) {
+    if (arg.includes("..")) {
+      throw new ShellValidationError("Path traversal (..) is not allowed");
+    }
+  }
+  const proc = Bun.spawn(argv, {
+    cwd: storageRoot,
+    stdout: "pipe",
+    stderr: "pipe",
+    env: {}
+  });
+  const timeout = setTimeout(() => {
+    proc.kill();
+  }, TIMEOUT_MS);
+  try {
+    const [stdoutBuf, stderrBuf] = await Promise.all([
+      new Response(proc.stdout).arrayBuffer(),
+      new Response(proc.stderr).arrayBuffer()
+    ]);
+    await proc.exited;
+    const truncated = stdoutBuf.byteLength > MAX_STDOUT;
+    const stdoutBytes = truncated ? stdoutBuf.slice(0, MAX_STDOUT) : stdoutBuf;
+    let stdout = new TextDecoder().decode(stdoutBytes);
+    if (truncated) {
+      stdout += `
+[truncated]`;
+    }
+    const stderr = new TextDecoder().decode(stderrBuf);
+    return {
+      stdout,
+      stderr,
+      exitCode: proc.exitCode ?? 1,
+      truncated
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+class ShellValidationError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ShellValidationError";
+  }
+}
+
 // src/routes.ts
 var uiPath = resolve(import.meta.dirname, "index.html");
 var isDev = true;
 var uiHtmlCached = readFileSync(uiPath, "utf-8");
-function extractFilePath(reqPath, username) {
-  const raw2 = reqPath.replace(`/v1/contributors/${username}/files/`, "");
+function extractFileInfo(reqPath) {
+  const raw2 = reqPath.replace("/v1/files/", "");
+  let decoded;
   try {
-    return decodeURIComponent(raw2);
+    decoded = decodeURIComponent(raw2);
   } catch {
     return null;
   }
+  const slashIdx = decoded.indexOf("/");
+  if (slashIdx === -1)
+    return null;
+  return {
+    username: decoded.slice(0, slashIdx),
+    filePath: decoded.slice(slashIdx + 1)
+  };
 }
 function createApp(storageRoot) {
   const app = new Hono2;
@@ -1994,28 +2089,49 @@ function createApp(storageRoot) {
       }))
     });
   });
-  authed.put("/v1/contributors/:username/files/*", async (c) => {
+  authed.post("/v1/sh", async (c) => {
+    const body = await c.req.json();
+    if (!body.cmd || typeof body.cmd !== "string") {
+      return c.json({ error: "cmd is required" }, 400);
+    }
+    try {
+      const result = await executeCommand(body.cmd, storageRoot);
+      return new Response(result.stdout, {
+        status: 200,
+        headers: {
+          "Content-Type": "text/plain; charset=utf-8",
+          "X-Exit-Code": String(result.exitCode),
+          "X-Stderr": encodeURIComponent(result.stderr)
+        }
+      });
+    } catch (e) {
+      if (e instanceof ShellValidationError) {
+        return c.json({ error: e.message }, 400);
+      }
+      throw e;
+    }
+  });
+  authed.put("/v1/files/*", async (c) => {
     const { contributor } = getAuthCtx(c);
-    const username = c.req.param("username");
-    if (contributor.username !== username) {
+    const parsed = extractFileInfo(c.req.path);
+    if (!parsed) {
+      return c.json({ error: "Invalid file path" }, 400);
+    }
+    if (contributor.username !== parsed.username) {
       return c.json({ error: "You can only write to your own contributor" }, 403);
     }
-    if (!getContributor(username)) {
+    if (!getContributor(parsed.username)) {
       return c.json({ error: "Contributor not found" }, 404);
     }
-    const filePath = extractFilePath(c.req.path, username);
-    if (filePath === null) {
-      return c.json({ error: "Invalid URL encoding in path" }, 400);
-    }
-    const pathError = validatePath(filePath);
+    const pathError = validatePath(parsed.filePath);
     if (pathError) {
       return c.json({ error: pathError }, 400);
     }
     const content = await c.req.text();
     try {
-      const result = await writeFileAtomic(storageRoot, username, filePath, content);
+      const result = await writeFileAtomic(storageRoot, parsed.username, parsed.filePath, content);
       broadcast("file_updated", {
-        contributor: username,
+        contributor: parsed.username,
         path: result.path,
         size: result.size,
         modifiedAt: result.modifiedAt
@@ -2029,25 +2145,24 @@ function createApp(storageRoot) {
       throw e;
     }
   });
-  authed.delete("/v1/contributors/:username/files/*", async (c) => {
+  authed.delete("/v1/files/*", async (c) => {
     const { contributor } = getAuthCtx(c);
-    const username = c.req.param("username");
-    if (contributor.username !== username) {
-      return c.json({ error: "You can only delete from your own contributor" }, 403);
+    const parsed = extractFileInfo(c.req.path);
+    if (!parsed) {
+      return c.json({ error: "Invalid file path" }, 400);
     }
-    const filePath = extractFilePath(c.req.path, username);
-    if (filePath === null) {
-      return c.json({ error: "Invalid URL encoding in path" }, 400);
+    if (contributor.username !== parsed.username) {
+      return c.json({ error: "You can only delete from your own contributor" }, 403);
     }
-    const pathError = validatePath(filePath);
+    const pathError = validatePath(parsed.filePath);
     if (pathError) {
       return c.json({ error: pathError }, 400);
     }
     try {
-      await deleteFile(storageRoot, username, filePath);
+      await deleteFile(storageRoot, parsed.username, parsed.filePath);
       broadcast("file_deleted", {
-        contributor: username,
-        path: filePath
+        contributor: parsed.username,
+        path: parsed.filePath
       });
       triggerUpdate();
       return c.body(null, 204);
@@ -2058,39 +2173,24 @@ function createApp(storageRoot) {
       throw e;
     }
   });
-  authed.get("/v1/contributors/:username/files", async (c) => {
-    const username = c.req.param("username");
-    if (!getContributor(username)) {
-      return c.json({ error: "Contributor not found" }, 404);
-    }
-    const prefix = c.req.query("prefix") || undefined;
-    const files = await listFiles(storageRoot, username, prefix);
-    return c.json({ files });
-  });
-  authed.get("/v1/contributors/:username/files/*", async (c) => {
-    const username = c.req.param("username");
+  authed.get("/v1/files", async (c) => {
+    const prefix = c.req.query("prefix") || "";
+    if (!prefix) {
+      return c.json({ error: "prefix query parameter is required" }, 400);
+    }
+    const slashIdx = prefix.indexOf("/");
+    const username = slashIdx === -1 ? prefix : prefix.slice(0, slashIdx);
+    const subPrefix = slashIdx === -1 ? undefined : prefix.slice(slashIdx + 1) || undefined;
     if (!getContributor(username)) {
       return c.json({ error: "Contributor not found" }, 404);
     }
-    const filePath = extractFilePath(c.req.path, username);
-    if (filePath === null) {
-      return c.json({ error: "Invalid URL encoding in path" }, 400);
-    }
-    const pathError = validatePath(filePath);
-    if (pathError) {
-      return c.json({ error: pathError }, 400);
-    }
-    try {
-      const content = await readFileContent(storageRoot, username, filePath);
-      return c.text(content, 200, {
-        "Content-Type": "text/markdown"
-      });
-    } catch (e) {
-      if (e instanceof FileNotFoundError) {
-        return c.json({ error: "File not found" }, 404);
-      }
-      throw e;
-    }
+    const files = await listFiles(storageRoot, username, subPrefix);
+    return c.json({
+      files: files.map((f) => ({
+        ...f,
+        path: `${username}/${f.path}`
+      }))
+    });
   });
   authed.get("/v1/events", (c) => {
     let ctrl;
@@ -2162,10 +2262,8 @@ if (qmdAvailable) {
 } else {
   console.log("  QMD:      not found (search disabled)");
 }
-var src_default = {
+var server = Bun.serve({
   port: PORT,
   fetch: app.fetch
-};
-export {
-  src_default as default
-};
+});
+console.log(`Listening on http://localhost:${server.port}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seedvault/server",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "type": "module",
   "bin": {
     "seedvault-server": "bin/seedvault-server.mjs"