aicodeman 0.6.9 → 0.6.11

package/dist/web/routes/session-routes.js

@@ -8,6 +8,7 @@ import { homedir } from 'node:os';
 import { existsSync, statSync, mkdirSync, writeFileSync } from 'node:fs';
 import { execFile } from 'node:child_process';
 import fs from 'node:fs/promises';
+import { randomBytes } from 'node:crypto';
 import { ApiErrorCode, createErrorResponse, getErrorMessage, } from '../../types.js';
 import { Session } from '../../session.js';
 import { SseEvent } from '../sse-events.js';
@@ -86,6 +87,73 @@ export function stripInkRedrawBloat(buffer) {
     parts.push(buffer.slice(cursor));
     return parts.join('');
 }
+/**
+ * Validate image bytes against a declared extension. Sniffs the first ~12 bytes
+ * for a known magic-number signature. Defends against polyglots (e.g. HTML or
+ * SVG disguised under a `Content-Type: image/png` header) and against simple
+ * extension-only spoofing — both the multipart filename and the Content-Type
+ * are attacker-controlled, the raw bytes are not.
+ *
+ * Signatures: https://en.wikipedia.org/wiki/List_of_file_signatures
+ */
+export function imageMagicMatchesExt(data, ext) {
+    if (data.length < 12)
+        return false;
+    const u32be = (off) => data.readUInt32BE(off);
+    switch (ext) {
+        case '.png':
+            return u32be(0) === 0x89504e47 && u32be(4) === 0x0d0a1a0a;
+        case '.jpg':
+        case '.jpeg':
+            return data[0] === 0xff && data[1] === 0xd8 && data[2] === 0xff;
+        case '.gif':
+            return (data[0] === 0x47 &&
+                data[1] === 0x49 &&
+                data[2] === 0x46 &&
+                data[3] === 0x38 &&
+                (data[4] === 0x37 || data[4] === 0x39) &&
+                data[5] === 0x61);
+        case '.webp':
+            // RIFF....WEBP
+            return u32be(0) === 0x52494646 && u32be(8) === 0x57454250;
+        case '.bmp':
+            return data[0] === 0x42 && data[1] === 0x4d;
+        default:
+            return false;
+    }
+}
+// Per-(IP, sessionId) token bucket for paste-image. 30 requests/minute.
+// Bucket map entries are pruned when they drift > 1h stale to bound memory
+// against a flood of unique IP keys.
+const PASTE_RATE_TOKENS = 30;
+const PASTE_RATE_REFILL_PER_MS = PASTE_RATE_TOKENS / 60_000;
+const PASTE_BUCKET_TTL_MS = 60 * 60 * 1000;
+const PASTE_BUCKET_GC_THRESHOLD = 1000;
+const pasteRateBuckets = new Map();
+export function consumePasteToken(key, now = Date.now()) {
+    if (pasteRateBuckets.size > PASTE_BUCKET_GC_THRESHOLD) {
+        for (const [k, b] of pasteRateBuckets) {
+            if (now - b.lastRefill > PASTE_BUCKET_TTL_MS)
+                pasteRateBuckets.delete(k);
+        }
+    }
+    let b = pasteRateBuckets.get(key);
+    if (!b) {
+        b = { tokens: PASTE_RATE_TOKENS, lastRefill: now };
+        pasteRateBuckets.set(key, b);
+    }
+    const delta = (now - b.lastRefill) * PASTE_RATE_REFILL_PER_MS;
+    b.tokens = Math.min(PASTE_RATE_TOKENS, b.tokens + delta);
+    b.lastRefill = now;
+    if (b.tokens < 1)
+        return false;
+    b.tokens -= 1;
+    return true;
+}
+// Test hook: reset between runs.
+export function _resetPasteRateBuckets() {
+    pasteRateBuckets.clear();
+}
 export function registerSessionRoutes(app, ctx) {
     // ═══════════════════════════════════════════════════════════════
     // Auth
@@ -1077,36 +1145,76 @@ export function registerSessionRoutes(app, ctx) {
      * Claude CLI encodes both '/' and '_' as '-', so each '-' in the key could be
      * any of: '/' (path separator), '_' (underscore), or '-' (literal dash).
      *
-     * Strategy: look-ahead matching. At each '-', try consuming multiple segments
-     * joined by '_' or '-' to find an existing child directory, then recurse.
-     * E.g. for segments [AI, project, Mirror] inside /Workspace:
-     *   try /Workspace/AI (no) -> /Workspace/AI_project (yes!) -> continue with [Mirror]
+     * Strategy: recursive backtracking with longest-match-first preference.
+     * At each segment boundary, try joining as many segments as possible (with '_'
+     * or '-') into a single existing directory name. If a shorter match leads to a
+     * dead end, backtrack and try the next-shorter candidate.
+     *
+     * Why backtracking: when both `diary/` and `diary-app/` exist as siblings, the
+     * naive shortest-match would pick `diary` and then fail to find `app` inside,
+     * leaving the rest of the key unresolved. Longest-first picks `diary-app`.
      */
     async function decodeProjectKey(projKey) {
         const encoded = projKey.startsWith('-') ? projKey.slice(1) : projKey;
         const segments = encoded.split('-');
-        const isDir = async (p) => fs
-            .stat(p)
-            .then((s) => s.isDirectory())
-            .catch(() => false);
+        const isDirCache = new Map();
+        const isDir = async (p) => {
+            const cached = isDirCache.get(p);
+            if (cached !== undefined)
+                return cached;
+            const result = await fs
+                .stat(p)
+                .then((s) => s.isDirectory())
+                .catch(() => false);
+            isDirCache.set(p, result);
+            return result;
+        };
+        // Recursive backtracking: returns the deepest valid path that consumes all
+        // segments. Tries the longest segment-join first at each step so that
+        // dash-containing directory names win over shorter same-prefix siblings.
+        async function tryDecode(idx, current) {
+            if (idx >= segments.length)
+                return current;
+            const maxLook = Math.min(idx + 4, segments.length);
+            // Longest first: end = maxLook-1 down to idx
+            for (let end = maxLook - 1; end >= idx; end--) {
+                const candidates = [];
+                if (end === idx) {
+                    candidates.push(segments[idx]);
+                }
+                else {
+                    candidates.push(segments.slice(idx, end + 1).join('-'));
+                    candidates.push(segments.slice(idx, end + 1).join('_'));
+                }
+                for (const child of candidates) {
+                    const candidate = current + '/' + child;
+                    if (await isDir(candidate)) {
+                        const result = await tryDecode(end + 1, candidate);
+                        if (result)
+                            return result;
+                    }
+                }
+            }
+            return null;
+        }
+        const decoded = await tryDecode(0, '');
+        if (decoded)
+            return decoded;
+        // Fallback: greedy shortest-match (original behavior) — best effort when
+        // no fully-valid path exists (e.g. directory was deleted after the
+        // conversation was recorded).
         let current = '';
         let i = 0;
         while (i < segments.length) {
-            // Try progressively longer child names by joining segments with '_' or '-'
             let matched = false;
-            // Limit look-ahead to avoid excessive fs checks (max 4 segments per component)
             const maxLook = Math.min(i + 4, segments.length);
             for (let end = i; end < maxLook; end++) {
-                // Build candidate child name from segments[i..end]
-                // Try all separator combinations: for 2+ segments, try '_' first then '-'
                 const candidates = [];
                 if (end === i) {
                     candidates.push(segments[i]);
                 }
                 else {
-                    // Build with underscores between joined segments
                     candidates.push(segments.slice(i, end + 1).join('_'));
-                    // Build with dashes (literal)
                     candidates.push(segments.slice(i, end + 1).join('-'));
                 }
                 for (const child of candidates) {
@@ -1122,7 +1230,6 @@ export function registerSessionRoutes(app, ctx) {
                     break;
             }
             if (!matched) {
-                // No directory match found — append as-is and move on
                 current = current + '/' + segments[i];
                 i++;
             }
@@ -1164,156 +1271,190 @@ export function registerSessionRoutes(app, ctx) {
             return null;
         }
     }
-    app.get('/api/history/sessions', async () => {
+    // Scan a single project directory and return all valid history sessions in it.
+    // Reused by both the global overview and the single-folder drill-down.
+    async function scanProjectDir(projPath, projDir, headBuf) {
+        const out = [];
+        const stat = await fs.stat(projPath).catch(() => null);
+        if (!stat?.isDirectory())
+            return out;
+        const workingDir = await decodeProjectKey(projDir);
+        const entries = await fs.readdir(projPath).catch(() => []);
+        for (const entry of entries) {
+            if (!entry.endsWith('.jsonl'))
+                continue;
+            const sessionId = entry.replace('.jsonl', '');
+            if (!/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/.test(sessionId))
+                continue;
+            const filePath = join(projPath, entry);
+            const fileStat = await fs.stat(filePath).catch(() => null);
+            if (!fileStat)
+                continue;
+            if (fileStat.size < 4000)
+                continue;
+            let firstPrompt;
+            const head = await readFileHead(filePath, headBuf);
+            const hasConversation = (text) => text.includes('"type":"user"') || text.includes('"type":"assistant"') || text.includes('"type":"summary"');
+            let foundContent = head ? hasConversation(head) : false;
+            let tail = null;
+            if (!foundContent && fileStat.size > 16384) {
+                const tailBuf = Buffer.alloc(32768);
+                tail = await readFileTail(filePath, tailBuf, fileStat.size);
+                if (tail)
+                    foundContent = hasConversation(tail);
+            }
+            if (!foundContent)
+                continue;
+            if (head)
+                firstPrompt = extractFirstUserPrompt(head);
+            if (!firstPrompt && fileStat.size > 65536) {
+                if (!tail) {
+                    const tailBuf = Buffer.alloc(32768);
+                    tail = await readFileTail(filePath, tailBuf, fileStat.size);
+                }
+                if (tail)
+                    firstPrompt = extractFirstUserPrompt(tail);
+            }
+            out.push({
+                sessionId,
+                workingDir,
+                projectKey: projDir,
+                sizeBytes: fileStat.size,
+                lastModified: fileStat.mtime.toISOString(),
+                firstPrompt,
+            });
+        }
+        return out;
+    }
+    app.get('/api/history/sessions', async (req) => {
+        const query = req.query;
         const projectsDir = join(process.env.HOME || '/tmp', '.claude', 'projects');
-        const results = [];
         const headBuf = Buffer.alloc(16384);
+        // Single-folder drill-down: when projectKey is provided, scan only that
+        // directory, bypass the 50-cap, and honor offset/limit pagination.
+        if (query.projectKey) {
+            // Validate projectKey format to prevent path traversal
+            if (!/^[A-Za-z0-9_-]+$/.test(query.projectKey)) {
+                return { sessions: [], total: 0 };
+            }
+            const offset = Math.max(0, parseInt(query.offset || '0', 10) || 0);
+            const limit = Math.min(100, Math.max(1, parseInt(query.limit || '20', 10) || 20));
+            const projPath = join(projectsDir, query.projectKey);
+            const all = await scanProjectDir(projPath, query.projectKey, headBuf);
+            all.sort((a, b) => new Date(b.lastModified).getTime() - new Date(a.lastModified).getTime());
+            return { sessions: all.slice(offset, offset + limit), total: all.length };
+        }
+        // Global overview: scan all projects, return up to 50 most-recent sessions.
+        const results = [];
         try {
             const projectDirs = await fs.readdir(projectsDir);
             for (const projDir of projectDirs) {
                 const projPath = join(projectsDir, projDir);
-                const stat = await fs.stat(projPath).catch(() => null);
-                if (!stat?.isDirectory())
-                    continue;
-                // Decode project key to working dir. Claude CLI encodes '/' as '-',
-                // but path components may also contain '-' (e.g. "AI_project" vs "AI-project").
-                // Use recursive backtracking: try each '-' as either '/' or literal '-',
-                // verify which decoded path actually exists on disk.
-                const workingDir = await decodeProjectKey(projDir);
-                const entries = await fs.readdir(projPath);
-                for (const entry of entries) {
-                    if (!entry.endsWith('.jsonl'))
-                        continue;
-                    const sessionId = entry.replace('.jsonl', '');
-                    // Only valid UUIDs
-                    if (!/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/.test(sessionId))
-                        continue;
-                    const filePath = join(projPath, entry);
-                    const fileStat = await fs.stat(filePath).catch(() => null);
-                    if (!fileStat)
-                        continue;
-                    // Skip files too small to contain real conversation (metadata-only sessions
-                    // like file-history-snapshot entries are typically < 4KB)
-                    if (fileStat.size < 4000)
-                        continue;
-                    // Quick content check: verify actual conversation data exists.
-                    // Sessions with only file-history-snapshot or hook_progress entries have
-                    // no "user"/"assistant" messages and will fail claude --resume.
-                    // Read first 16KB to check content and extract first user prompt.
-                    let firstPrompt;
-                    const head = await readFileHead(filePath, headBuf);
-                    const hasConversation = (text) => text.includes('"type":"user"') || text.includes('"type":"assistant"') || text.includes('"type":"summary"');
-                    let foundContent = head ? hasConversation(head) : false;
-                    // For large files, head may not contain user messages (e.g. /init followed
-                    // by large system entries). Check the tail as well.
-                    let tail = null;
-                    if (!foundContent && fileStat.size > 16384) {
-                        const tailBuf = Buffer.alloc(32768);
-                        tail = await readFileTail(filePath, tailBuf, fileStat.size);
-                        if (tail)
-                            foundContent = hasConversation(tail);
-                    }
-                    if (!foundContent)
-                        continue; // No conversation content — skip
-                    if (head)
-                        firstPrompt = extractFirstUserPrompt(head);
-                    // If head scan found no usable prompt (e.g. session started with /init),
-                    // try reading the tail for a recent user message.
-                    if (!firstPrompt && fileStat.size > 65536) {
-                        if (!tail) {
-                            const tailBuf = Buffer.alloc(32768);
-                            tail = await readFileTail(filePath, tailBuf, fileStat.size);
-                        }
-                        if (tail)
-                            firstPrompt = extractFirstUserPrompt(tail);
-                    }
-                    results.push({
-                        sessionId,
-                        workingDir,
-                        projectKey: projDir,
-                        sizeBytes: fileStat.size,
-                        lastModified: fileStat.mtime.toISOString(),
-                        firstPrompt,
-                    });
-                }
+                const list = await scanProjectDir(projPath, projDir, headBuf);
+                results.push(...list);
             }
         }
         catch {
             // Projects dir may not exist
         }
-        // Sort by lastModified descending
         results.sort((a, b) => new Date(b.lastModified).getTime() - new Date(a.lastModified).getTime());
         return { sessions: results.slice(0, 50) };
     });
     // ═══════════════════════════════════════════════════════════════
     // Paste Image (clipboard / drag-drop upload)
     // ═══════════════════════════════════════════════════════════════
-    const MAX_PASTE_IMAGE_SIZE = 10 * 1024 * 1024; // 10 MB
     const ALLOWED_IMAGE_EXTS = new Set(['.png', '.jpg', '.jpeg', '.gif', '.webp', '.bmp']);
+    // The 10MB size cap is enforced by @fastify/multipart (registered in server.ts).
     app.post('/api/sessions/:id/paste-image', async (req, reply) => {
+        // CSRF defense: state-changing routes must come from same origin.
+        // Cookies are SameSite=lax, multipart/form-data is a "simple" CORS request
+        // (no preflight), so a cross-origin <form enctype="multipart/form-data">
+        // submit attaches the session cookie unimpeded. Reject unless Origin/Referer
+        // matches req.host. Non-browser clients (no Origin AND no Referer) must
+        // supply X-Codeman-CSRF — a header browsers cannot add cross-origin without
+        // a preflight, which our CORS config does not allow from other origins.
+        const reqHost = req.headers.host;
+        const origin = req.headers.origin;
+        const referer = req.headers.referer;
+        let csrfOk = false;
+        if (origin) {
+            try {
+                csrfOk = new URL(origin).host === reqHost;
+            }
+            catch {
+                /* invalid Origin → not ok */
+            }
+        }
+        else if (referer) {
+            try {
+                csrfOk = new URL(referer).host === reqHost;
+            }
+            catch {
+                /* invalid Referer → not ok */
+            }
+        }
+        else {
+            csrfOk = !!req.headers['x-codeman-csrf'];
+        }
+        if (!csrfOk) {
+            reply.code(403);
+            return createErrorResponse(ApiErrorCode.INVALID_INPUT, 'CSRF check failed');
+        }
         const { id } = req.params;
+        // Rate limit per (IP, sessionId): 30/min. Defends against disk-fill DoS
+        // — even an authenticated attacker can otherwise loop 10MB POSTs.
+        if (!consumePasteToken(`${req.ip}:${id}`)) {
+            reply.code(429);
+            reply.header('Retry-After', '60');
+            return createErrorResponse(ApiErrorCode.INVALID_INPUT, 'Rate limit exceeded (30 uploads/min per session)');
+        }
         const session = findSessionOrFail(ctx, id);
-        const contentType = req.headers['content-type'] ?? '';
-        if (!contentType.includes('multipart/form-data')) {
+        if (!req.isMultipart()) {
             reply.code(400);
             return createErrorResponse(ApiErrorCode.INVALID_INPUT, 'Expected multipart/form-data');
         }
-        // Parse multipart boundary
-        const boundaryMatch = contentType.match(/boundary=(.+?)(?:;|$)/);
-        if (!boundaryMatch) {
-            reply.code(400);
-            return createErrorResponse(ApiErrorCode.INVALID_INPUT, 'Missing boundary');
-        }
-        // Collect raw body with size limit
-        const chunks = [];
-        let totalSize = 0;
-        for await (const chunk of req.raw) {
-            totalSize += chunk.length;
-            if (totalSize > MAX_PASTE_IMAGE_SIZE) {
-                reply.code(413);
-                return createErrorResponse(ApiErrorCode.INVALID_INPUT, 'File too large (max 10MB)');
-            }
-            chunks.push(chunk);
-        }
-        const body = Buffer.concat(chunks);
-        // Extract image from multipart body
-        const boundary = '--' + boundaryMatch[1];
-        const boundaryBuf = Buffer.from(boundary);
-        const parts = [];
-        let pos = 0;
-        while (pos < body.length) {
-            const start = body.indexOf(boundaryBuf, pos);
-            if (start === -1)
-                break;
-            const afterBoundary = start + boundaryBuf.length;
-            if (body[afterBoundary] === 0x2d && body[afterBoundary + 1] === 0x2d)
-                break;
-            const headerStart = afterBoundary + 2;
-            const headerEnd = body.indexOf(Buffer.from('\r\n\r\n'), headerStart);
-            if (headerEnd === -1)
-                break;
-            const headers = body.subarray(headerStart, headerEnd).toString();
-            const dataStart = headerEnd + 4;
-            const nextBoundary = body.indexOf(boundaryBuf, dataStart);
-            const dataEnd = nextBoundary === -1 ? body.length : nextBoundary - 2;
-            parts.push({ headers, data: body.subarray(dataStart, dataEnd) });
-            pos = nextBoundary === -1 ? body.length : nextBoundary;
-        }
-        const imagePart = parts.find((p) => p.headers.includes('name="image"'));
-        if (!imagePart || imagePart.data.length === 0) {
+        // Read the single file part. @fastify/multipart enforces the 10MB size cap
+        // and the 1-file/4-field count limits (server.ts), replacing a hand-rolled
+        // boundary scanner with several bugs: literal boundary matches anywhere in
+        // body, LF-only clients silently corrupted the last byte (hard-coded \r\n
+        // offsets), no part-count cap.
+        let part;
+        try {
+            part = await req.file();
+        }
+        catch (err) {
+            reply.code(413);
+            return createErrorResponse(ApiErrorCode.INVALID_INPUT, getErrorMessage(err) || 'Invalid multipart payload');
+        }
+        if (!part) {
             reply.code(400);
             return createErrorResponse(ApiErrorCode.INVALID_INPUT, 'No image uploaded');
         }
-        // Determine extension from filename or Content-Type
+        if (part.fieldname !== 'image') {
+            reply.code(400);
+            return createErrorResponse(ApiErrorCode.INVALID_INPUT, `Unexpected field "${part.fieldname}", expected "image"`);
+        }
+        let imageBytes;
+        try {
+            imageBytes = await part.toBuffer();
+        }
+        catch (err) {
+            reply.code(413);
+            return createErrorResponse(ApiErrorCode.INVALID_INPUT, getErrorMessage(err) || 'File too large (max 10MB)');
+        }
+        if (imageBytes.length === 0) {
+            reply.code(400);
+            return createErrorResponse(ApiErrorCode.INVALID_INPUT, 'Empty file');
+        }
+        // Determine extension from filename or Content-Type.
         let ext = '.png';
-        const filenameMatch = imagePart.headers.match(/filename="(.+?)"/);
-        if (filenameMatch) {
-            const origExt = extname(filenameMatch[1]).toLowerCase();
+        if (part.filename) {
+            const origExt = extname(part.filename).toLowerCase();
             if (ALLOWED_IMAGE_EXTS.has(origExt))
                 ext = origExt;
         }
-        const ctMatch = imagePart.headers.match(/Content-Type:\s*image\/(png|jpeg|jpg|webp|gif|bmp)/i);
-        if (ctMatch) {
+        const mimeMatch = (part.mimetype || '').toLowerCase().match(/^image\/(png|jpeg|jpg|webp|gif|bmp)$/);
+        if (mimeMatch) {
             const map = {
                 png: '.png',
                 jpeg: '.jpg',
@@ -1322,20 +1463,52 @@ export function registerSessionRoutes(app, ctx) {
                 gif: '.gif',
                 bmp: '.bmp',
             };
-            ext = map[ctMatch[1].toLowerCase()] ?? ext;
+            ext = map[mimeMatch[1]] ?? ext;
         }
         if (!ALLOWED_IMAGE_EXTS.has(ext)) {
             reply.code(400);
             return createErrorResponse(ApiErrorCode.INVALID_INPUT, `Unsupported image type: ${ext}. Allowed: ${[...ALLOWED_IMAGE_EXTS].join(', ')}`);
         }
+        // Sniff actual bytes — filename and Content-Type are both attacker-supplied.
+        // Polyglot HTML/PNG would otherwise pass and serve back with image/png MIME.
+        if (!imageMagicMatchesExt(imageBytes, ext)) {
+            reply.code(415);
+            return createErrorResponse(ApiErrorCode.INVALID_INPUT, `Image bytes do not match declared type ${ext}`);
+        }
         // Save to {workingDir}/.claude-images/
+        // Refuse symlinks at imageDir — an agent or postinstall script could plant
+        // `.claude-images -> ~/.ssh/` and redirect future writes outside workingDir.
+        // We lstat (not stat) so we see the symlink itself. Use mkdir without
+        // `recursive` so the leaf creation does not follow a symlink either, and
+        // O_EXCL|O_NOFOLLOW on the file open so the write itself is symlink-safe.
         const imageDir = join(session.workingDir, '.claude-images');
-        if (!existsSync(imageDir)) {
-            mkdirSync(imageDir, { recursive: true });
+        try {
+            const dirStat = await fs.lstat(imageDir);
+            if (dirStat.isSymbolicLink() || !dirStat.isDirectory()) {
+                reply.code(403);
+                return createErrorResponse(ApiErrorCode.INVALID_INPUT, '.claude-images is not a regular directory');
+            }
         }
-        const filename = `paste-${Date.now()}${ext}`;
+        catch (err) {
+            if (err.code !== 'ENOENT')
+                throw err;
+            // Non-recursive mkdir: errors on EEXIST and does not follow symlinks for
+            // the leaf. session.workingDir is guaranteed to exist (live session).
+            await fs.mkdir(imageDir);
+        }
+        // Date.now() collides on same-ms uploads from two tabs (last-write wins
+        // silently). Append 8 hex chars so concurrent pastes get distinct names.
+        const filename = `paste-${Date.now()}-${randomBytes(4).toString('hex')}${ext}`;
         const filepath = join(imageDir, filename);
-        await fs.writeFile(filepath, imagePart.data);
+        // O_EXCL: refuse to overwrite (collision is impossible with random suffix,
+        // but defends against TOCTOU). O_NOFOLLOW: refuse if filepath is a symlink.
+        const fh = await fs.open(filepath, fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_EXCL | fs.constants.O_NOFOLLOW);
+        try {
+            await fh.writeFile(imageBytes);
+        }
+        finally {
+            await fh.close();
+        }
         return { success: true, path: filepath, filename };
     });
 }