@wrongstack/tools 0.8.2 → 0.8.5

package/dist/index.js

@@ -3,10 +3,11 @@ import { stat } from 'node:fs/promises';
 import * as path from 'node:path';
 import { dirname } from 'node:path';
 import { atomicWrite, unifiedDiff, detectNewlineStyle, normalizeToLf, toStyle, compileGlob, buildChildEnv, stripAnsi, loadPlan, emptyPlan, clearPlan, savePlan, getPlanTemplate, addPlanItem, deriveTodosFromPlanItem, removePlanItem, setPlanItemStatus, formatPlan } from '@wrongstack/core';
-import { spawn, execSync, spawnSync } from 'node:child_process';
+import { spawn, execFileSync, spawnSync } from 'node:child_process';
 import * as os from 'node:os';
 import * as dns from 'node:dns/promises';
 import * as net from 'node:net';
+import { Agent } from 'undici';
 import * as fs13 from 'node:fs';
 import { statSync, mkdirSync, writeFileSync } from 'node:fs';
 import { createRequire } from 'node:module';
@@ -371,6 +372,7 @@ var replaceTool = {
     const dryRun = input.dry_run ?? false;
     const filesInput = Array.isArray(input.files) ? input.files.join(",") : input.files;
     const fileList = await resolveFiles(filesInput, ctx, globRe);
+    const realRoot = await fs4.realpath(ctx.projectRoot).catch(() => ctx.projectRoot);
     const results = [];
     let totalReplacements = 0;
     for (const absPath of fileList) {
@@ -386,7 +388,7 @@ var replaceTool = {
       } catch {
         continue;
       }
-      const rel = path.relative(ctx.projectRoot, realPath);
+      const rel = path.relative(realRoot, realPath);
       if (rel.startsWith("..") || path.isAbsolute(rel)) continue;
       const stat11 = await fs4.stat(realPath).catch(() => null);
       if (!stat11 || !stat11.isFile()) continue;
@@ -1488,8 +1490,20 @@ var BLOCKED_ARG_PATTERNS = {
   // python -c/--command executes arbitrary code; python -m runs modules
   python: [/-c$/, /^--command$/, /^-m$/, /^--module$/],
   // git --exec=<cmd> runs arbitrary commands via upload-pack/receive-pack;
-  // -C <dir> changes working directory, bypassing cwd sandbox
-  git: [/^--exec=/, /^--upload-pack=/, /^--receive-pack=/, /^-C$/],
+  // -C <dir> changes working directory, bypassing cwd sandbox;
+  // -c/--config <k>=<v> injects config that runs commands
+  // (e.g. core.sshCommand, core.pager, http.proxy, alias.x=!cmd).
+  git: [
+    /^--exec=/,
+    /^--upload-pack=/,
+    /^--receive-pack=/,
+    /^-C$/,
+    /^-c$/,
+    /^--config$/,
+    /^-c=/,
+    /^--config=/,
+    /^--config-env=/
+  ],
   // node -r/--require preloads arbitrary modules; --eval executes code
   node: [/^-r$/, /^--require$/, /^-e$/, /^--eval$/, /^--prof-process$/],
   // go run could execute arbitrary .go files; -ldflags could inject build-time code
@@ -1675,6 +1689,48 @@ function runCommand(cmd, args, cwd, timeout, signal, sessionId) {
 var MAX_BYTES2 = 131072;
 var TIMEOUT_MS2 = 2e4;
 var ALLOW_PRIVATE = process.env["WRONGSTACK_FETCH_ALLOW_PRIVATE"] === "1";
+function guardedLookup(hostname, options, callback) {
+  dns.lookup(hostname, { all: true }).then((records) => {
+    const family = options?.family;
+    const byFamily = family === 4 || family === 6 ? records.filter((r) => r.family === family) : records;
+    const list = byFamily.length > 0 ? byFamily : records;
+    if (!ALLOW_PRIVATE) {
+      for (const r of list) {
+        const bad = r.family === 4 ? isPrivateIPv4(r.address) : isPrivateIPv6(r.address);
+        if (bad) {
+          callback(
+            Object.assign(new Error(`fetch: resolved to private address ${r.address}`), {
+              code: "EAI_FAIL"
+            })
+          );
+          return;
+        }
+      }
+    }
+    if (options?.all) {
+      callback(
+        null,
+        list.map((r) => ({ address: r.address, family: r.family }))
+      );
+      return;
+    }
+    const first = list[0];
+    if (!first) {
+      callback(
+        Object.assign(new Error(`fetch: no address for ${hostname}`), { code: "ENOTFOUND" })
+      );
+      return;
+    }
+    callback(null, first.address, first.family);
+  }).catch((err) => callback(err));
+}
+var pinnedAgent;
+function getPinnedDispatcher() {
+  if (!pinnedAgent) {
+    pinnedAgent = new Agent({ connect: { lookup: guardedLookup } });
+  }
+  return pinnedAgent;
+}
 async function fetchWithRedirectLimit(url, maxRedirects, signal) {
   const headers = {
     "user-agent": "WrongStack/1.0 (+https://wrongstack.com)",
@@ -1691,11 +1747,13 @@ async function fetchWithRedirectLimit(url, maxRedirects, signal) {
       throw new Error("fetch: redirect to http:// blocked (HTTPS required by default)");
     }
     await assertNotPrivate(parsed.hostname);
-    const res = await fetch(currentUrl, {
+    const init = {
       redirect: "manual",
       signal,
-      headers
-    });
+      headers,
+      dispatcher: getPinnedDispatcher()
+    };
+    const res = await fetch(currentUrl, init);
     if (res.status < 300 || res.status > 399) {
       return res;
     }
@@ -4006,17 +4064,35 @@ async function dockerLogs(service, lines, filterRe, cwd, signal, since) {
     let stdout = "";
     let stderr = "";
     const MAX = 2e5;
+    let settled = false;
+    const empty = () => ({
+      source: `docker:${service}`,
+      entries: [],
+      total: 0,
+      truncated: false,
+      stream_mode: false
+    });
+    const finish = (result) => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      resolve6(result);
+    };
     const child = spawn("docker", args, { cwd, signal, env: buildChildEnv(), stdio: ["ignore", "pipe", "pipe"] });
+    const timer = setTimeout(() => {
+      child.kill("SIGTERM");
+      finish(empty());
+    }, DOCKER_LOGS_TIMEOUT_MS);
     child.stdout?.on("data", (c) => {
       if (stdout.length < MAX) stdout += c.toString();
     });
     child.stderr?.on("data", (c) => {
       if (stderr.length < MAX) stderr += c.toString();
     });
-    child.on("close", (code) => {
+    child.on("close", () => {
       const output = stdout + stderr;
       const entries = parseLogLines(output, filterRe);
-      resolve6({
+      finish({
         source: `docker:${service}`,
         entries,
         total: entries.length,
@@ -4024,17 +4100,10 @@ async function dockerLogs(service, lines, filterRe, cwd, signal, since) {
         stream_mode: false
       });
     });
-    child.on("error", (e) => {
-      resolve6({
-        source: `docker:${service}`,
-        entries: [],
-        total: 0,
-        truncated: false,
-        stream_mode: false
-      });
-    });
+    child.on("error", () => finish(empty()));
   });
 }
+var DOCKER_LOGS_TIMEOUT_MS = 3e3;
 var MAX_TAIL_LINES = 1e5;
 async function fileLogs(path18, lines, filterRe, stream) {
   const { createInterface } = await import('node:readline');
@@ -5747,7 +5816,7 @@ function syncGoParse(filePath, content, lang) {
     mkdirSync(tmpDir, { recursive: true });
     const scriptPath = path.join(tmpDir, "parse.go");
     writeFileSync(scriptPath, GO_PARSE_SCRIPT, "utf8");
-    const stdout = execSync(`go run "${scriptPath}"`, {
+    const stdout = execFileSync("go", ["run", scriptPath], {
       input: content,
       timeout: 15e3,
       encoding: "utf8",
@@ -5993,7 +6062,7 @@ function syncPyParse(filePath, lang) {
     mkdirSync(tmpDir, { recursive: true });
     const scriptPath = path.join(tmpDir, "parse.py");
     writeFileSync(scriptPath, PY_PARSE_SCRIPT, "utf8");
-    const stdout = execSync(`python "${scriptPath}" "${filePath}"`, {
+    const stdout = execFileSync("python", [scriptPath, filePath], {
       timeout: 15e3,
       encoding: "utf8",
       windowsHide: true
@@ -6031,11 +6100,19 @@ function parseSymbols4(opts) {
 }
 function checkNativeParser() {
   try {
-    execSync("rustc --version", { stdio: "pipe" });
+    execFileSync("rustc", ["--version"], { stdio: "pipe" });
     const toolsDir = path.join(process.cwd(), "tools");
     try {
-      execSync(
-        "cargo metadata --no-deps --format-version 1 --manifest-path " + path.join(toolsDir, "Cargo.toml"),
+      execFileSync(
+        "cargo",
+        [
+          "metadata",
+          "--no-deps",
+          "--format-version",
+          "1",
+          "--manifest-path",
+          path.join(toolsDir, "Cargo.toml")
+        ],
         { stdio: "pipe" }
       );
       return true;