@shohojdhara/atomix 0.4.7 → 0.4.9

package/scripts/cli/utils/security.js

@@ -0,0 +1,302 @@
+/**
+ * Atomix CLI Security Utilities
+ * Input sanitization and security-focused validation functions
+ */
+
+import { normalize, resolve, relative, isAbsolute } from 'path';
+import { logger } from './logger.js';
+import chalk from 'chalk';
+
+export const SecurityError = {
+  PATH_TRAVERSAL: 'PATH_TRAVERSAL',
+  INVALID_INPUT: 'INVALID_INPUT',
+  MALICIOUS_CONTENT: 'MALICIOUS_CONTENT',
+  RATE_LIMIT_EXCEEDED: 'RATE_LIMIT_EXCEEDED'
+};
+
+/**
+ * Sanitizes user input to prevent injection attacks
+ * @param {string} input - The user input to sanitize
+ * @param {string} type - The type of input (filename, componentName, path, etc.)
+ * @returns {string} - Sanitized input
+ */
+export function sanitizeInput(input, type = 'generic') {
+  if (typeof input !== 'string') {
+    throw new Error(`Input must be a string, received: ${typeof input}`);
+  }
+
+  // Remove null bytes and control characters
+  let sanitized = input.replace(/[\x00-\x1F\x7F]/g, '');
+
+  switch (type) {
+    case 'filename':
+      // Remove path traversal attempts and special characters
+      sanitized = sanitized.replace(/\.\.\//g, '')
+        .replace(/[<>:"|?*]/g, '')
+        .replace(/\/+/g, '')
+        .trim();
+      break;
+
+    case 'componentName':
+      // Enforce PascalCase and remove non-alphanumeric characters
+      sanitized = sanitized.replace(/[^a-zA-Z0-9]/g, '');
+      if (sanitized.length > 0) {
+        sanitized = sanitized.charAt(0).toUpperCase() + sanitized.slice(1);
+      }
+      break;
+
+    case 'path':
+      // Basic path sanitization - more comprehensive validation happens in validatePath
+      sanitized = sanitized.replace(/[\x00-\x1F\x7F]/g, '')
+        .replace(/\/\//g, '/')
+        .trim();
+      break;
+
+    case 'prompt':
+      // For AI prompts, remove potentially malicious content but preserve most characters
+      sanitized = sanitized.replace(/[\x00-\x1F\x7F]/g, '')
+        .replace(/<script[^>]*>.*?<\/script>/gi, '')
+        .replace(/javascript:/gi, '')
+        .replace(/data:/gi, '')
+        .trim();
+      break;
+
+    default:
+      // Generic sanitization
+      sanitized = sanitized.trim();
+  }
+
+  if (sanitized.length === 0) {
+    throw new Error(`Sanitized ${type} input is empty`);
+  }
+
+  return sanitized;
+}
+
+/**
+ * Validates and secures file paths to prevent directory traversal attacks
+ * @param {string} inputPath - The path to validate
+ * @param {string} basePath - Base directory to resolve against
+ * @returns {Object} { isValid: boolean, safePath: string, error?: string }
+ */
+export function validateSecurePath(inputPath, basePath = process.cwd()) {
+  try {
+    const normalizedBase = normalize(resolve(basePath));
+    const normalizedInput = normalize(isAbsolute(inputPath)
+      ? inputPath
+      : resolve(basePath, inputPath));
+
+    const relativePath = relative(normalizedBase, normalizedInput);
+
+    // Check for path traversal attempts
+    if (relativePath.startsWith('..') || 
+        /\/\.\.\//.test(relativePath) ||
+        relativePath.includes('..\\')) {
+      return {
+        isValid: false,
+        safePath: '',
+        error: 'Path traversal attempt detected'
+      };
+    }
+
+    // Check for dangerous patterns
+    const dangerousPatterns = [
+      /\/etc\//,
+      /\/proc\//,
+      /\/dev\//,
+      /\/sys\//,
+      /\/root\//,
+      /\/bin\//,
+      /\/sbin\//,
+      /\/usr\/bin\//,
+      /\/usr\/sbin\//
+    ];
+
+    for (const pattern of dangerousPatterns) {
+      if (pattern.test(normalizedInput)) {
+        return {
+          isValid: false,
+          safePath: '',
+          error: 'Access to system directories is not allowed'
+        };
+      }
+    }
+
+    return {
+      isValid: true,
+      safePath: normalizedInput
+    };
+
+  } catch (error) {
+    return {
+      isValid: false,
+      safePath: '',
+      error: `Path validation failed: ${error.message}`
+    };
+  }
+}
+
+/**
+ * Validates component names with enhanced security checks
+ * @param {string} name - The component name to validate
+ * @returns {Object} { isValid: boolean, error?: string }
+ */
+export function validateComponentNameSecure(name) {
+  try {
+    const sanitized = sanitizeInput(name, 'componentName');
+    
+    if (!sanitized || sanitized.length < 2) {
+      return {
+        isValid: false,
+        error: 'Component name must be at least 2 characters long'
+      };
+    }
+
+    // Check PascalCase: starts with uppercase, only contains letters and numbers
+    if (!/^[A-Z][a-zA-Z0-9]*$/.test(sanitized)) {
+      return {
+        isValid: false,
+        error: 'Component name must be in PascalCase (e.g., Button, CardHeader)'
+      };
+    }
+
+    // Check for reserved words and potentially dangerous names
+    const reservedWords = [
+      'Component', 'React', 'Fragment', 'Suspense', 'StrictMode',
+      'Error', 'Loading', 'App', 'Root', 'Document', 'Html',
+      'Window', 'Document', 'Global', 'Process', 'Console',
+      'Eval', 'Function', 'Script', 'Import', 'Require', 'Module'
+    ];
+
+    if (reservedWords.includes(sanitized)) {
+      return {
+        isValid: false,
+        error: `"${sanitized}" is a reserved word. Please choose a different name.`
+      };
+    }
+
+    // Check for potentially malicious patterns
+    const maliciousPatterns = [
+      /eval/i,
+      /script/i,
+      /javascript/i,
+      /alert/i,
+      /prompt/i,
+      /confirm/i,
+      /onload/i,
+      /onerror/i,
+      /onclick/i
+    ];
+
+    for (const pattern of maliciousPatterns) {
+      if (pattern.test(sanitized)) {
+        return {
+          isValid: false,
+          error: 'Component name contains potentially malicious patterns'
+        };
+      }
+    }
+
+    return { isValid: true };
+
+  } catch (error) {
+    return {
+      isValid: false,
+      error: `Component name validation failed: ${error.message}`
+    };
+  }
+}
+
+/**
+ * Rate limiter for AI-based generation features
+ */
+export class RateLimiter {
+  constructor(maxRequests = 10, timeWindow = 60000) { // 10 requests per minute
+    this.maxRequests = maxRequests;
+    this.timeWindow = timeWindow;
+    this.requests = new Map();
+  }
+
+  checkLimit(identifier) {
+    const now = Date.now();
+    const userRequests = this.requests.get(identifier) || [];
+
+    // Remove old requests
+    const recentRequests = userRequests.filter(time => now - time < this.timeWindow);
+    
+    if (recentRequests.length >= this.maxRequests) {
+      return false;
+    }
+
+    recentRequests.push(now);
+    this.requests.set(identifier, recentRequests);
+    return true;
+  }
+
+  getRemaining(identifier) {
+    const now = Date.now();
+    const userRequests = this.requests.get(identifier) || [];
+    const recentRequests = userRequests.filter(time => now - time < this.timeWindow);
+    return Math.max(0, this.maxRequests - recentRequests.length);
+  }
+
+  reset() {
+    this.requests.clear();
+  }
+}
+
+/**
+ * Creates a backup of a file before overwriting
+ * @param {string} filePath - Path to the file to backup
+ * @param {string} backupDir - Directory to store backups
+ * @returns {Promise<string>} - Path to the backup file
+ */
+export async function createBackup(filePath, backupDir = '.atomix/backups') {
+  const { readFile, writeFile, mkdir } = await import('fs/promises');
+  const { join } = await import('path');
+
+  try {
+    const content = await readFile(filePath, 'utf8');
+    const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+    const backupFileName = `${filePath.split('/').pop()}.backup.${timestamp}`;
+    const backupPath = join(backupDir, backupFileName);
+
+    await mkdir(backupDir, { recursive: true });
+    await writeFile(backupPath, content, 'utf8');
+
+    logger.debug(`Created backup: ${backupPath}`);
+    return backupPath;
+
+  } catch (error) {
+    logger.warn(`Failed to create backup for ${filePath}: ${error.message}`);
+    throw error;
+  }
+}
+
+/**
+ * Retry mechanism with exponential backoff
+ * @param {Function} operation - The async operation to retry
+ * @param {number} maxRetries - Maximum number of retries
+ * @param {number} initialDelay - Initial delay in ms
+ * @returns {Promise<any>} - Result of the operation
+ */
+export async function retryWithBackoff(operation, maxRetries = 3, initialDelay = 100) {
+  let retries = 0;
+  let delay = initialDelay;
+
+  while (true) {
+    try {
+      return await operation();
+    } catch (error) {
+      retries++;
+      
+      if (retries > maxRetries) {
+        throw error;
+      }
+
+      logger.debug(`Retry ${retries}/${maxRetries} after ${delay}ms: ${error.message}`);
+      await new Promise(resolve => setTimeout(resolve, delay));
+      delay *= 2; // Exponential backoff
+    }
+  }
+}

package/scripts/cli/utils/telemetry.js

@@ -0,0 +1,115 @@
+/**
+ * Atomix CLI - Local Telemetry system
+ * Tracks command execution times and success/failure rates
+ */
+
+import { writeFile, readFile, mkdir } from 'fs/promises';
+import { join, dirname } from 'path';
+import { existsSync } from 'fs';
+import { configLoader } from '../internal/config-loader.js';
+import { logger } from './logger.js';
+
+class Telemetry {
+  constructor() {
+    this.logs = [];
+    this.startTime = null;
+    this.currentCommand = null;
+  }
+
+  /**
+   * Start tracking a command
+   * @param {string} commandName - Name of the command being run
+   */
+  start(commandName) {
+    const config = configLoader.get('telemetry') || {};
+    if (!config.enabled) return;
+
+    this.startTime = performance.now();
+    this.currentCommand = commandName;
+  }
+
+  /**
+   * Stop tracking and log the result
+   * @param {boolean} success - Whether the command succeeded
+   * @param {Object} extra - Extra data to log
+   */
+  async stop(success = true, extra = {}) {
+    const config = configLoader.get('telemetry') || {};
+    if (!config.enabled || !this.startTime) return;
+
+    const duration = performance.now() - this.startTime;
+    const logEntry = {
+      command: this.currentCommand,
+      duration: parseFloat(duration.toFixed(2)),
+      timestamp: new Date().toISOString(),
+      success,
+      ...extra
+    };
+
+    // Anonymize if needed
+    if (config.anonymize !== false) {
+      delete logEntry.path;
+      delete logEntry.source;
+    }
+
+    await this._saveLog(logEntry, config.path || '.atomix/telemetry.json');
+    this.startTime = null;
+  }
+
+  /**
+   * Save the log entry to the local file
+   * @private
+   */
+  async _saveLog(entry, logPath) {
+    try {
+      const fullPath = join(process.cwd(), logPath);
+      const dir = dirname(fullPath);
+
+      if (!existsSync(dir)) {
+        await mkdir(dir, { recursive: true });
+      }
+
+      let logs = [];
+      if (existsSync(fullPath)) {
+        const content = await readFile(fullPath, 'utf8');
+        try {
+          logs = JSON.parse(content);
+          if (!Array.isArray(logs)) logs = [];
+        } catch (e) {
+          logs = [];
+        }
+      }
+
+      logs.push(entry);
+      
+      // Keep only last 100 logs to prevent file bloat
+      if (logs.length > 100) {
+        logs = logs.slice(-100);
+      }
+
+      await writeFile(fullPath, JSON.stringify(logs, null, 2), 'utf8');
+    } catch (error) {
+      logger.debug(`Telemetry failed to save: ${error.message}`);
+    }
+  }
+
+  /**
+   * Get all local telemetry logs
+   */
+  async getLogs() {
+    const config = configLoader.get('telemetry') || {};
+    const logPath = config.path || '.atomix/telemetry.json';
+    const fullPath = join(process.cwd(), logPath);
+
+    if (!existsSync(fullPath)) return [];
+
+    try {
+      const content = await readFile(fullPath, 'utf8');
+      return JSON.parse(content);
+    } catch (e) {
+      return [];
+    }
+  }
+}
+
+export const telemetry = new Telemetry();

package/scripts/cli/utils/validation.js

@@ -0,0 +1,37 @@
+/**
+ * Atomix CLI Validation Utilities
+ */
+
+/**
+ * Validates component names according to PascalCase convention
+ * @param {string} name - The component name to validate
+ * @returns {Object} { isValid: boolean, error?: string }
+ */
+export async function validateComponentName(name) {
+  // Use the enhanced security validation
+  const { validateComponentNameSecure } = await import('./security.js');
+  return validateComponentNameSecure(name);
+}
+
+/**
+ * Validates theme names according to kebab-case convention
+ */
+export function validateThemeName(name) {
+  if (!name || typeof name !== 'string') return { isValid: false, error: 'Theme name must be a string' };
+  if (!/^[a-z][a-z0-9-]*$/.test(name)) return { isValid: false, error: 'Theme name must be kebab-case' };
+  if (/--/.test(name)) return { isValid: false, error: 'Cannot contain consecutive hyphens' };
+  if (name.endsWith('-')) return { isValid: false, error: 'Cannot end with a hyphen' };
+  return { isValid: true };
+}
+
+/**
+ * Validates SCSS/CSS color values
+ */
+export function isValidColor(color) {
+  const patterns = [
+    /^#[0-9A-F]{3,8}$/i,
+    /^(rgb|rgba|hsl|hsla)\(/i,
+    /^var\(--/
+  ];
+  return patterns.some(pattern => pattern.test(color));
+}