@wrongstack/tools 0.8.4 → 0.8.6

package/dist/builtin.js

@@ -1,7 +1,7 @@
-import { spawn, execSync, spawnSync } from 'node:child_process';
+import { spawn, execFileSync, spawnSync } from 'node:child_process';
 import { buildChildEnv, stripAnsi, detectNewlineStyle, normalizeToLf, toStyle, atomicWrite, unifiedDiff, compileGlob, loadPlan, emptyPlan, clearPlan, savePlan, getPlanTemplate, addPlanItem, deriveTodosFromPlanItem, removePlanItem, setPlanItemStatus, formatPlan } from '@wrongstack/core';
 import * as path from 'node:path';
-import { dirname } from 'node:path';
+import { resolve, sep, dirname } from 'node:path';
 import * as os from 'node:os';
 import * as fs11 from 'node:fs/promises';
 import { stat } from 'node:fs/promises';
@@ -11,6 +11,7 @@ import { statSync, mkdirSync, writeFileSync } from 'node:fs';
 import * as ts from 'typescript';
 import * as dns from 'node:dns/promises';
 import * as net from 'node:net';
+import { Agent } from 'undici';
 
 var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
   get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
@@ -65,8 +66,8 @@ async function* spawnStream(opts) {
   let spawnFailed = false;
   for (; ; ) {
     while (queue.length === 0) {
-      await new Promise((resolve6) => {
-        waiter = resolve6;
+      await new Promise((resolve7) => {
+        waiter = resolve7;
       });
     }
     const chunk = queue.shift();
@@ -741,10 +742,10 @@ var bashTool = {
         queue.push(c);
       }
     };
-    const next = () => new Promise((resolve6) => {
+    const next = () => new Promise((resolve7) => {
       const c = queue.shift();
-      if (c) resolve6(c);
-      else resolveNext = resolve6;
+      if (c) resolve7(c);
+      else resolveNext = resolve7;
     });
     let lastFlush = Date.now();
     const flush = () => {
@@ -1716,7 +1717,7 @@ function syncGoParse(filePath, content, lang) {
     mkdirSync(tmpDir, { recursive: true });
     const scriptPath = path.join(tmpDir, "parse.go");
     writeFileSync(scriptPath, GO_PARSE_SCRIPT, "utf8");
-    const stdout = execSync(`go run "${scriptPath}"`, {
+    const stdout = execFileSync("go", ["run", scriptPath], {
       input: content,
       timeout: 15e3,
       encoding: "utf8",
@@ -1962,7 +1963,7 @@ function syncPyParse(filePath, lang) {
     mkdirSync(tmpDir, { recursive: true });
     const scriptPath = path.join(tmpDir, "parse.py");
     writeFileSync(scriptPath, PY_PARSE_SCRIPT, "utf8");
-    const stdout = execSync(`python "${scriptPath}" "${filePath}"`, {
+    const stdout = execFileSync("python", [scriptPath, filePath], {
       timeout: 15e3,
       encoding: "utf8",
       windowsHide: true
@@ -2000,11 +2001,19 @@ function parseSymbols4(opts) {
 }
 function checkNativeParser() {
   try {
-    execSync("rustc --version", { stdio: "pipe" });
+    execFileSync("rustc", ["--version"], { stdio: "pipe" });
     const toolsDir = path.join(process.cwd(), "tools");
     try {
-      execSync(
-        "cargo metadata --no-deps --format-version 1 --manifest-path " + path.join(toolsDir, "Cargo.toml"),
+      execFileSync(
+        "cargo",
+        [
+          "metadata",
+          "--no-deps",
+          "--format-version",
+          "1",
+          "--manifest-path",
+          path.join(toolsDir, "Cargo.toml")
+        ],
         { stdio: "pipe" }
       );
       return true;
@@ -2961,7 +2970,7 @@ function findGitDir(cwd) {
   return null;
 }
 function runGit(args, cwd, signal) {
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     let stdout = "";
     let stderr = "";
     const child = spawn("git", args, { cwd, signal, env: buildChildEnv(), stdio: ["ignore", "pipe", "pipe"] });
@@ -2971,8 +2980,8 @@ function runGit(args, cwd, signal) {
     child.stderr?.on("data", (c) => {
       stderr += c.toString();
     });
-    child.on("close", (code) => resolve6({ stdout, stderr, exitCode: code ?? 0 }));
-    child.on("error", (e) => resolve6({ stdout: "", stderr: e.message, exitCode: 1 }));
+    child.on("close", (code) => resolve7({ stdout, stderr, exitCode: code ?? 0 }));
+    child.on("error", (e) => resolve7({ stdout: "", stderr: e.message, exitCode: 1 }));
   });
 }
 async function fileDiff(input, ctx, signal) {
@@ -3324,8 +3333,20 @@ var BLOCKED_ARG_PATTERNS = {
   // python -c/--command executes arbitrary code; python -m runs modules
   python: [/-c$/, /^--command$/, /^-m$/, /^--module$/],
   // git --exec=<cmd> runs arbitrary commands via upload-pack/receive-pack;
-  // -C <dir> changes working directory, bypassing cwd sandbox
-  git: [/^--exec=/, /^--upload-pack=/, /^--receive-pack=/, /^-C$/],
+  // -C <dir> changes working directory, bypassing cwd sandbox;
+  // -c/--config <k>=<v> injects config that runs commands
+  // (e.g. core.sshCommand, core.pager, http.proxy, alias.x=!cmd).
+  git: [
+    /^--exec=/,
+    /^--upload-pack=/,
+    /^--receive-pack=/,
+    /^-C$/,
+    /^-c$/,
+    /^--config$/,
+    /^-c=/,
+    /^--config=/,
+    /^--config-env=/
+  ],
   // node -r/--require preloads arbitrary modules; --eval executes code
   node: [/^-r$/, /^--require$/, /^-e$/, /^--eval$/, /^--prof-process$/],
   // go run could execute arbitrary .go files; -ldflags could inject build-time code
@@ -3448,7 +3469,7 @@ var execTool = {
   }
 };
 function runCommand(cmd, args, cwd, timeout, signal, sessionId) {
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     let stdout = "";
     let stderr = "";
     let killed = false;
@@ -3482,7 +3503,7 @@ function runCommand(cmd, args, cwd, timeout, signal, sessionId) {
       const durationMs = Date.now() - startedAt;
       const exitCode = killed ? 124 : code ?? 1;
       registry.afterCall(durationMs, exitCode !== 0);
-      resolve6({
+      resolve7({
         command: cmd,
         args,
         stdout: stdout.slice(0, MAX_OUTPUT2),
@@ -3496,7 +3517,7 @@ function runCommand(cmd, args, cwd, timeout, signal, sessionId) {
       clearTimeout(timer);
       if (typeof pid === "number") registry.unregister(pid);
       registry.afterCall(Date.now() - startedAt, true);
-      resolve6({
+      resolve7({
         command: cmd,
         args,
         stdout: stdout.slice(0, MAX_OUTPUT2),
@@ -3511,6 +3532,48 @@ function runCommand(cmd, args, cwd, timeout, signal, sessionId) {
 var MAX_BYTES = 131072;
 var TIMEOUT_MS2 = 2e4;
 var ALLOW_PRIVATE = process.env["WRONGSTACK_FETCH_ALLOW_PRIVATE"] === "1";
+function guardedLookup(hostname, options, callback) {
+  dns.lookup(hostname, { all: true }).then((records) => {
+    const family = options?.family;
+    const byFamily = family === 4 || family === 6 ? records.filter((r) => r.family === family) : records;
+    const list = byFamily.length > 0 ? byFamily : records;
+    if (!ALLOW_PRIVATE) {
+      for (const r of list) {
+        const bad = r.family === 4 ? isPrivateIPv4(r.address) : isPrivateIPv6(r.address);
+        if (bad) {
+          callback(
+            Object.assign(new Error(`fetch: resolved to private address ${r.address}`), {
+              code: "EAI_FAIL"
+            })
+          );
+          return;
+        }
+      }
+    }
+    if (options?.all) {
+      callback(
+        null,
+        list.map((r) => ({ address: r.address, family: r.family }))
+      );
+      return;
+    }
+    const first = list[0];
+    if (!first) {
+      callback(
+        Object.assign(new Error(`fetch: no address for ${hostname}`), { code: "ENOTFOUND" })
+      );
+      return;
+    }
+    callback(null, first.address, first.family);
+  }).catch((err) => callback(err));
+}
+var pinnedAgent;
+function getPinnedDispatcher() {
+  if (!pinnedAgent) {
+    pinnedAgent = new Agent({ connect: { lookup: guardedLookup } });
+  }
+  return pinnedAgent;
+}
 async function fetchWithRedirectLimit(url, maxRedirects, signal) {
   const headers = {
     "user-agent": "WrongStack/1.0 (+https://wrongstack.com)",
@@ -3527,11 +3590,13 @@ async function fetchWithRedirectLimit(url, maxRedirects, signal) {
       throw new Error("fetch: redirect to http:// blocked (HTTPS required by default)");
     }
     await assertNotPrivate(parsed.hostname);
-    const res = await fetch(currentUrl, {
+    const init = {
       redirect: "manual",
       signal,
-      headers
-    });
+      headers,
+      dispatcher: getPinnedDispatcher()
+    };
+    const res = await fetch(currentUrl, init);
     if (res.status < 300 || res.status > 399) {
       return res;
     }
@@ -3973,6 +4038,10 @@ var gitTool = {
         truncated: false
       };
     }
+    if (input.command === "worktree") {
+      const guard = validateWorktreeInput(input, ctx.projectRoot);
+      if (guard) return guard;
+    }
     const gitDir = findGitDir2(ctx.cwd, ctx.projectRoot);
     if (!gitDir) {
       return {
@@ -3987,13 +4056,34 @@ var gitTool = {
     return await runGit2(args, gitDir, opts.signal);
   }
 };
+function validateWorktreeInput(input, projectRoot) {
+  const reject = (stderr) => ({
+    command: "worktree",
+    stdout: "",
+    stderr,
+    exitCode: 1,
+    truncated: false
+  });
+  if (input.branch?.startsWith("-")) return reject(`unsafe branch name: ${input.branch}`);
+  if (input.worktreePath?.startsWith("-")) {
+    return reject(`unsafe worktree path: ${input.worktreePath}`);
+  }
+  if ((input.worktreeAction === "add" || input.worktreeAction === "remove") && input.worktreePath) {
+    const root = resolve(projectRoot);
+    const abs = resolve(root, input.worktreePath);
+    if (abs !== root && !abs.startsWith(root + sep)) {
+      return reject(`unsafe worktree path (escapes project root): ${input.worktreePath}`);
+    }
+  }
+  return null;
+}
 function findGitDir2(cwd, projectRoot) {
   const root = projectRoot;
   let dir = cwd;
   for (let i = 0; i < 20; i++) {
     try {
       const stat11 = statSync(`${dir}/.git`);
-      if (stat11.isDirectory()) return dir;
+      if (stat11.isDirectory() || stat11.isFile()) return dir;
     } catch {
     }
     if (dir === root) break;
@@ -4049,14 +4139,14 @@ function buildArgs(input) {
       switch (input.worktreeAction) {
         case "list":
           return ["worktree", "list"];
-        case "add":
-          return [
-            "worktree",
-            "add",
-            ...input.newBranch ? ["-b"] : [],
-            ...input.branch ? [input.branch] : [],
-            input.worktreePath ?? ""
-          ].filter(Boolean);
+        case "add": {
+          if (!input.worktreePath) return ["worktree", "list"];
+          const add = ["worktree", "add"];
+          if (input.newBranch && input.branch) add.push("-b", input.branch);
+          add.push(input.worktreePath);
+          if (!input.newBranch && input.branch) add.push(input.branch);
+          return add;
+        }
         case "remove":
           return [
             "worktree",
@@ -4074,7 +4164,7 @@ function buildArgs(input) {
   }
 }
 function runGit2(args, cwd, signal) {
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     let stdout = "";
     let stderr = "";
     const child = spawn("git", args, {
@@ -4094,7 +4184,7 @@ function runGit2(args, cwd, signal) {
       }
     });
     child.on("error", (err) => {
-      resolve6({
+      resolve7({
         command: args[0],
         stdout,
         stderr: err.message,
@@ -4103,7 +4193,7 @@ function runGit2(args, cwd, signal) {
       });
     });
     child.on("close", (code) => {
-      resolve6({
+      resolve7({
         command: args[0],
         stdout: stdout.slice(0, MAX_OUTPUT3),
         stderr: stderr.slice(0, MAX_OUTPUT3),
@@ -4289,13 +4379,13 @@ var grepTool = {
   }
 };
 async function detectRg(signal) {
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     try {
       const p = spawn("rg", ["--version"], { env: buildChildEnv(), stdio: "ignore", signal });
-      p.on("error", () => resolve6(false));
-      p.on("close", (code) => resolve6(code === 0));
+      p.on("error", () => resolve7(false));
+      p.on("close", (code) => resolve7(code === 0));
     } catch {
-      resolve6(false);
+      resolve7(false);
     }
   });
 }
@@ -4902,21 +4992,39 @@ async function dockerLogs(service, lines, filterRe, cwd, signal, since) {
     };
   }
   args.push("--timestamps", service);
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     let stdout = "";
     let stderr = "";
     const MAX = 2e5;
+    let settled = false;
+    const empty = () => ({
+      source: `docker:${service}`,
+      entries: [],
+      total: 0,
+      truncated: false,
+      stream_mode: false
+    });
+    const finish = (result) => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      resolve7(result);
+    };
     const child = spawn("docker", args, { cwd, signal, env: buildChildEnv(), stdio: ["ignore", "pipe", "pipe"] });
+    const timer = setTimeout(() => {
+      child.kill("SIGTERM");
+      finish(empty());
+    }, DOCKER_LOGS_TIMEOUT_MS);
     child.stdout?.on("data", (c) => {
       if (stdout.length < MAX) stdout += c.toString();
     });
     child.stderr?.on("data", (c) => {
       if (stderr.length < MAX) stderr += c.toString();
     });
-    child.on("close", (code) => {
+    child.on("close", () => {
       const output = stdout + stderr;
       const entries = parseLogLines(output, filterRe);
-      resolve6({
+      finish({
         source: `docker:${service}`,
         entries,
         total: entries.length,
@@ -4924,17 +5032,10 @@ async function dockerLogs(service, lines, filterRe, cwd, signal, since) {
         stream_mode: false
       });
     });
-    child.on("error", (e) => {
-      resolve6({
-        source: `docker:${service}`,
-        entries: [],
-        total: 0,
-        truncated: false,
-        stream_mode: false
-      });
-    });
+    child.on("error", () => finish(empty()));
   });
 }
+var DOCKER_LOGS_TIMEOUT_MS = 3e3;
 var MAX_TAIL_LINES = 1e5;
 async function fileLogs(path18, lines, filterRe, stream) {
   const { createInterface } = await import('node:readline');
@@ -5058,7 +5159,7 @@ async function detectManager2(cwd) {
   return "npm";
 }
 function runOutdated(manager, args, cwd, signal) {
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     let stdout = "";
     let stderr = "";
     const MAX = 1e5;
@@ -5071,10 +5172,10 @@ function runOutdated(manager, args, cwd, signal) {
     });
     child.on("close", (code) => {
       const result = parseOutdatedOutput(stdout, code ?? 0);
-      resolve6(result);
+      resolve7(result);
     });
     child.on("error", (e) => {
-      resolve6({
+      resolve7({
         exit_code: 1,
         packages: [],
         total: 0,
@@ -5204,7 +5305,7 @@ function stripPathComponents(p, strip) {
   return parts.slice(strip).join("/");
 }
 function runPatch(args, cwd, signal) {
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     let stdout = "";
     let stderr = "";
     const env = { ...buildChildEnv(), LANG: "C", LC_ALL: "C" };
@@ -5215,8 +5316,8 @@ function runPatch(args, cwd, signal) {
     child.stderr?.on("data", (c) => {
       stderr += c.toString();
     });
-    child.on("close", (code) => resolve6({ exitCode: code ?? 1, stdout, stderr }));
-    child.on("error", (e) => resolve6({ exitCode: 1, stdout: "", stderr: e.message }));
+    child.on("close", (code) => resolve7({ exitCode: code ?? 1, stdout, stderr }));
+    child.on("error", (e) => resolve7({ exitCode: 1, stdout: "", stderr: e.message }));
   });
 }
 function extractPatchedFiles(output) {
@@ -5465,6 +5566,7 @@ var replaceTool = {
     const dryRun = input.dry_run ?? false;
     const filesInput = Array.isArray(input.files) ? input.files.join(",") : input.files;
     const fileList = await resolveFiles2(filesInput, ctx, globRe);
+    const realRoot = await fs11.realpath(ctx.projectRoot).catch(() => ctx.projectRoot);
     const results = [];
     let totalReplacements = 0;
     for (const absPath of fileList) {
@@ -5480,7 +5582,7 @@ var replaceTool = {
       } catch {
         continue;
       }
-      const rel = path.relative(ctx.projectRoot, realPath);
+      const rel = path.relative(realRoot, realPath);
       if (rel.startsWith("..") || path.isAbsolute(rel)) continue;
       const stat11 = await fs11.stat(realPath).catch(() => null);
       if (!stat11 || !stat11.isFile()) continue;
@@ -5558,13 +5660,13 @@ async function globFiles(pattern, base, extraGlob) {
   return await globNative(pattern, base, extraGlob);
 }
 function checkRg() {
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     try {
       const p = spawn("rg", ["--version"], { env: buildChildEnv(), stdio: "ignore" });
-      p.on("error", () => resolve6(false));
-      p.on("close", (code) => resolve6(code === 0));
+      p.on("error", () => resolve7(false));
+      p.on("close", (code) => resolve7(code === 0));
     } catch {
-      resolve6(false);
+      resolve7(false);
     }
   });
 }
@@ -5576,10 +5678,10 @@ function spawnRgFind(pattern, base) {
     buf += chunk.toString();
   });
   return {
-    promise: new Promise((resolve6, reject) => {
+    promise: new Promise((resolve7, reject) => {
       child.on("error", reject);
       child.on("close", () => {
-        resolve6(buf.split("\n").filter(Boolean));
+        resolve7(buf.split("\n").filter(Boolean));
       });
     })
   };