cli-tunnel 1.0.2 → 1.1.0

package/dist/index.js

@@ -16,7 +16,8 @@
  */
 import path from 'node:path';
 import fs from 'node:fs';
-import { execSync, spawn } from 'node:child_process';
+import crypto from 'node:crypto';
+import { execSync, execFileSync, spawn } from 'node:child_process';
 import { fileURLToPath } from 'node:url';
 import http from 'node:http';
 import { WebSocketServer, WebSocket } from 'ws';
@@ -100,6 +101,12 @@ function getGitInfo() {
         return { repo: path.basename(cwd), branch: 'unknown' };
     }
 }
+// ─── Security: Session token for WebSocket auth ────────────
+const sessionToken = crypto.randomUUID();
+// ─── Security: Redact secrets from replay events ────────────
+function redactSecrets(text) {
+    return text.replace(/(?:token|secret|key|password|credential|authorization)[\s:="']+[^\s"']{8,}/gi, '$& [REDACTED]');
+}
 // ─── Bridge server ──────────────────────────────────────────
 const acpEventLog = [];
 const connections = new Map();
@@ -126,11 +133,11 @@ const server = http.createServer((req, res) => {
                     url: `https://${id}-${p}.${cluster}.devtunnels.ms`,
                 };
             });
-            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.writeHead(200, { 'Content-Type': 'application/json', 'X-Frame-Options': 'DENY', 'X-Content-Type-Options': 'nosniff' });
             res.end(JSON.stringify({ sessions }));
         }
         catch {
-            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.writeHead(200, { 'Content-Type': 'application/json', 'X-Frame-Options': 'DENY', 'X-Content-Type-Options': 'nosniff' });
             res.end(JSON.stringify({ sessions: [] }));
         }
         return;
@@ -138,39 +145,67 @@ const server = http.createServer((req, res) => {
     // Delete session
     if (req.url?.startsWith('/api/sessions/') && req.method === 'DELETE') {
         const tunnelId = req.url.replace('/api/sessions/', '').replace(/\.\w+$/, '');
+        if (!/^[a-zA-Z0-9._-]+$/.test(tunnelId)) {
+            res.writeHead(400, { 'Content-Type': 'application/json', 'X-Frame-Options': 'DENY', 'X-Content-Type-Options': 'nosniff' });
+            res.end(JSON.stringify({ error: 'Invalid tunnel ID' }));
+            return;
+        }
         try {
-            execSync(`devtunnel delete ${tunnelId} --force`, { encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'] });
-            res.writeHead(200, { 'Content-Type': 'application/json' });
+            execFileSync('devtunnel', ['delete', tunnelId, '--force'], { encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'] });
+            res.writeHead(200, { 'Content-Type': 'application/json', 'X-Frame-Options': 'DENY', 'X-Content-Type-Options': 'nosniff' });
             res.end(JSON.stringify({ deleted: true }));
         }
         catch {
-            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.writeHead(200, { 'Content-Type': 'application/json', 'X-Frame-Options': 'DENY', 'X-Content-Type-Options': 'nosniff' });
             res.end(JSON.stringify({ deleted: false }));
         }
         return;
     }
     // Static files
     const uiDir = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '../remote-ui');
-    let filePath = path.join(uiDir, req.url === '/' ? 'index.html' : req.url || 'index.html');
+    const decodedUrl = decodeURIComponent(req.url || '/');
+    if (decodedUrl.includes('..')) {
+        res.writeHead(400);
+        res.end();
+        return;
+    }
+    let filePath = path.resolve(uiDir, decodedUrl === '/' ? 'index.html' : decodedUrl.replace(/^\//, ''));
     if (!filePath.startsWith(uiDir)) {
         res.writeHead(403);
         res.end();
         return;
     }
     if (!fs.existsSync(filePath))
-        filePath = path.join(uiDir, 'index.html');
+        filePath = path.resolve(uiDir, 'index.html');
     const ext = path.extname(filePath);
     const mimes = { '.html': 'text/html', '.js': 'application/javascript', '.css': 'text/css', '.json': 'application/json' };
-    res.writeHead(200, { 'Content-Type': mimes[ext] || 'application/octet-stream' });
+    const securityHeaders = {
+        'Content-Type': mimes[ext] || 'application/octet-stream',
+        'X-Frame-Options': 'DENY',
+        'X-Content-Type-Options': 'nosniff',
+        'Content-Security-Policy': "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; connect-src 'self' ws: wss:;",
+    };
+    res.writeHead(200, securityHeaders);
     fs.createReadStream(filePath).pipe(res);
 });
-const wss = new WebSocketServer({ server });
-wss.on('connection', (ws) => {
+const wss = new WebSocketServer({
+    server,
+    maxPayload: 1048576,
+    verifyClient: (info) => {
+        const url = new URL(info.req.url, `http://${info.req.headers.host}`);
+        return url.searchParams.get('token') === sessionToken;
+    },
+});
+// ─── Security: Audit log for remote PTY input ──────────────
+const auditLogPath = path.join(os.tmpdir(), `cli-tunnel-audit-${Date.now()}.log`);
+const auditLog = fs.createWriteStream(auditLogPath, { flags: 'a' });
+wss.on('connection', (ws, req) => {
     const id = Math.random().toString(36).substring(2);
+    const remoteAddress = req.socket.remoteAddress || 'unknown';
     connections.set(id, ws);
-    // Replay history
+    // Replay history with secrets redacted
     for (const event of acpEventLog) {
-        ws.send(JSON.stringify({ type: '_replay', data: event }));
+        ws.send(JSON.stringify({ type: '_replay', data: redactSecrets(event) }));
     }
     ws.send(JSON.stringify({ type: '_replay_done' }));
     ws.on('message', (data) => {
@@ -178,10 +213,13 @@ wss.on('connection', (ws) => {
         try {
             const msg = JSON.parse(raw);
             if (msg.type === 'pty_input' && ptyProcess) {
+                auditLog.write(`${new Date().toISOString()} [${remoteAddress}] ${JSON.stringify(msg.data)}\n`);
                 ptyProcess.write(msg.data);
             }
             if (msg.type === 'pty_resize' && ptyProcess) {
-                ptyProcess.resize(msg.cols, msg.rows);
+                const cols = Math.max(1, Math.min(500, msg.cols));
+                const rows = Math.max(1, Math.min(200, msg.rows));
+                ptyProcess.resize(cols, rows);
             }
         }
         catch {
@@ -218,6 +256,7 @@ async function main() {
     console.log(`  ${DIM}Command:${RESET}  ${command} ${commandArgs.join(' ')}`);
     console.log(`  ${DIM}Name:${RESET}     ${displayName}`);
     console.log(`  ${DIM}Port:${RESET}     ${actualPort}`);
+    console.log(`  ${DIM}Audit log:${RESET} ${auditLogPath}`);
     // Tunnel
     if (hasTunnel) {
         // Check if devtunnel is installed
@@ -281,11 +320,12 @@ async function main() {
                     });
                     hostProc.on('error', (e) => { clearTimeout(timeout); reject(e); });
                 });
-                console.log(`  ${GREEN}✓${RESET} Tunnel: ${BOLD}${url}${RESET}\n`);
+                const tunnelUrlWithToken = `${url}?token=${sessionToken}`;
+                console.log(`  ${GREEN}✓${RESET} Tunnel: ${BOLD}${tunnelUrlWithToken}${RESET}\n`);
                 try {
                     // @ts-ignore
                     const qr = (await import('qrcode-terminal'));
-                    qr.default.generate(url, { small: true }, (code) => console.log(code));
+                    qr.default.generate(tunnelUrlWithToken, { small: true }, (code) => console.log(code));
                 }
                 catch { }
                 process.on('SIGINT', () => { hostProc.kill(); try {
@@ -325,10 +365,18 @@ async function main() {
         }
         catch { /* use as-is */ }
     }
+    // Security: filter sensitive environment variables
+    const safeEnv = {};
+    const sensitivePatterns = /token|secret|key|password|credential|api_key|private/i;
+    for (const [k, v] of Object.entries(process.env)) {
+        if (!sensitivePatterns.test(k) && v !== undefined) {
+            safeEnv[k] = v;
+        }
+    }
     ptyProcess = nodePty.spawn(resolvedCmd, commandArgs, {
         name: 'xterm-256color',
         cols, rows, cwd,
-        env: process.env,
+        env: safeEnv,
     });
     ptyProcess.onData((data) => {
         process.stdout.write(data);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cli-tunnel",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "description": "Tunnel any CLI app to your phone - PTY + devtunnel + xterm.js",
   "type": "module",
   "main": "dist/index.js",

package/remote-ui/app.js

@@ -339,19 +339,26 @@
   }
 
   // ─── WebSocket ───────────────────────────────────────────
+  let reconnectAttempt = 0;
+
   function connect() {
     const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
-    ws = new WebSocket(`${proto}//${location.host}`);
+    const tokenParam = new URLSearchParams(window.location.search).get('token');
+    const wsUrl = tokenParam ? `${proto}//${location.host}?token=${encodeURIComponent(tokenParam)}` : `${proto}//${location.host}`;
+    ws = new WebSocket(wsUrl);
     setStatus('connecting', 'Connecting...');
 
     ws.onopen = () => {
       connected = true;
+      reconnectAttempt = 0;
       setTimeout(() => initializeACP(1), 1000);
     };
     ws.onclose = () => {
       connected = false; acpReady = false; sessionId = null;
       setStatus('offline', 'Disconnected');
-      setTimeout(connect, 3000);
+      const delay = Math.min(30000, 1000 * Math.pow(2, reconnectAttempt)) + Math.random() * 1000;
+      reconnectAttempt++;
+      setTimeout(connect, delay);
     };
     ws.onerror = () => setStatus('offline', 'Error');
     ws.onmessage = (e) => {
@@ -534,7 +541,7 @@
     requestAnimationFrame(() => { terminal.scrollTop = terminal.scrollHeight; });
   }
   function escapeHtml(s) {
-    const d = document.createElement('div'); d.textContent = s || ''; return d.innerHTML;
+    const d = document.createElement('div'); d.textContent = s || ''; return d.innerHTML.replace(/'/g, ''');
   }
   function formatText(text) {
     return escapeHtml(text)

package/remote-ui/index.html

@@ -7,7 +7,7 @@
   <meta name="apple-mobile-web-app-capable" content="yes">
   <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
   <title>cli-tunnel</title>
-  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@xterm/xterm@5.5.0/css/xterm.min.css">
+  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@xterm/xterm@5.5.0/css/xterm.min.css" integrity="sha384-tStR1zLfWgsiXCF3IgfB3lBa8KmBe/lG287CL9WCeKgQYcp1bjb4/+mwN6oti4Co" crossorigin="anonymous">
   <link rel="stylesheet" href="/styles.css">
 </head>
 <body>
@@ -50,8 +50,8 @@
     </footer>
   </div>
   <div id="permission-overlay" class="hidden"></div>
-  <script src="https://cdn.jsdelivr.net/npm/@xterm/xterm@5.5.0/lib/xterm.min.js"></script>
-  <script src="https://cdn.jsdelivr.net/npm/@xterm/addon-fit@0.10.0/lib/addon-fit.min.js"></script>
+  <script src="https://cdn.jsdelivr.net/npm/@xterm/xterm@5.5.0/lib/xterm.min.js" integrity="sha384-J4qzUjBl1FxyLsl/kQPQIOeINsmp17OHYXDOMpMxlKX53ZfYsL+aWHpgArvOuof9" crossorigin="anonymous"></script>
+  <script src="https://cdn.jsdelivr.net/npm/@xterm/addon-fit@0.10.0/lib/addon-fit.min.js" integrity="sha384-XGqKrV8Jrukp1NITJbOEHwg01tNkuXr6uB6YEj69ebpYU3v7FvoGgEg23C1Gcehk" crossorigin="anonymous"></script>
   <script src="/app.js"></script>
 </body>
 </html>