npm - cli-tunnel - Versions diffs - 1.2.0-beta.5 → 1.2.0-beta.7 - Mend

cli-tunnel 1.2.0-beta.5 → 1.2.0-beta.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +16 -49
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -603,27 +603,15 @@ async function main() {
         }
         catch { /* use as-is */ }
     }
-    // F-07: Security — allowlist safe environment variables for PTY
-    const SAFE_ENV_VARS = new Set([
-        'PATH', 'HOME', 'USERPROFILE', 'SHELL', 'TERM', 'LANG', 'LC_ALL', 'LC_CTYPE',
-        'USER', 'LOGNAME', 'EDITOR', 'VISUAL', 'COLORTERM', 'TERM_PROGRAM',
-        'HOSTNAME', 'COMPUTERNAME', 'PWD', 'OLDPWD', 'SHLVL', 'TMPDIR', 'TMP', 'TEMP',
-        'XDG_RUNTIME_DIR', 'XDG_DATA_HOME', 'XDG_CONFIG_HOME', 'XDG_CACHE_HOME',
-        'DISPLAY', 'WAYLAND_DISPLAY', 'DBUS_SESSION_BUS_ADDRESS',
-        'PROGRAMFILES', 'PROGRAMFILES(X86)', 'SYSTEMROOT', 'WINDIR', 'COMSPEC',
-        'APPDATA', 'LOCALAPPDATA', 'PROGRAMDATA',
-        'NODE_ENV',
-        'GOPATH', 'GOROOT', 'CARGO_HOME', 'RUSTUP_HOME',
-        'JAVA_HOME', 'MAVEN_HOME', 'GRADLE_HOME',
-        'PYTHONPATH', 'VIRTUAL_ENV', 'CONDA_DEFAULT_ENV',
-        'KUBECONFIG', 'DOCKER_HOST', 'DOCKER_CONFIG',
-        'GIT_AUTHOR_NAME', 'GIT_AUTHOR_EMAIL', 'GIT_COMMITTER_NAME', 'GIT_COMMITTER_EMAIL',
-        'HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY', 'http_proxy', 'https_proxy', 'no_proxy',
-        'SSH_AUTH_SOCK', 'GPG_TTY',
-    ]);
+    // F-07: Security — filter dangerous environment variables for PTY
+    // Blocklist approach: pass everything except known dangerous vars and secrets
+    const DANGEROUS_VARS = new Set(['NODE_OPTIONS', 'NODE_REPL_HISTORY', 'NODE_EXTRA_CA_CERTS',
+        'NODE_PATH', 'NODE_REDIRECT_WARNINGS', 'NODE_PENDING_DEPRECATION',
+        'UV_THREADPOOL_SIZE', 'LD_PRELOAD', 'DYLD_INSERT_LIBRARIES']);
+    const sensitivePattern = /token|secret|key|password|credential|api_key|private_key|access_key|connection_string|auth/i;
     const safeEnv = {};
     for (const [k, v] of Object.entries(process.env)) {
-        if (SAFE_ENV_VARS.has(k) && v !== undefined) {
+        if (v !== undefined && !DANGEROUS_VARS.has(k) && !sensitivePattern.test(k)) {
             safeEnv[k] = v;
         }
     }
@@ -632,45 +620,24 @@ async function main() {
         cols, rows, cwd,
         env: safeEnv,
     });
-    // Detect CSPRNG crash (Node.js 23 + node-pty issue) and retry via cmd.exe wrapper
+    // Detect CSPRNG crash (rare Node.js + PTY issue) and show helpful message
     let ptyExitedEarly = false;
     const earlyExitCheck = new Promise((resolve) => {
         ptyProcess.onExit(({ exitCode }) => {
-            if (exitCode === 134 || exitCode === 3221226505) { // 134 = SIGABRT, 3221226505 = STATUS_BREAKPOINT
+            if (exitCode === 134 || exitCode === 3221226505) {
                 ptyExitedEarly = true;
                 resolve();
             }
         });
-        setTimeout(resolve, 2000); // Wait 2s — if still running, it's fine
+        setTimeout(resolve, 2000);
     });
     await earlyExitCheck;
-    if (ptyExitedEarly && process.platform === 'win32') {
-        console.log(`  ${YELLOW}⚠${RESET} CSPRNG crash detected (Node.js + PTY issue), retrying via cmd.exe wrapper...\n`);
-        // Spawn through cmd.exe /c — this adds a shell layer that avoids the crash
-        const cmdLine = [resolvedCmd, ...commandArgs].map(a => a.includes(' ') ? `"${a}"` : a).join(' ');
-        ptyProcess = nodePty.spawn('cmd.exe', ['/c', cmdLine], {
-            name: 'xterm-256color',
-            cols, rows, cwd,
-            env: safeEnv,
-        });
-        // Check if cmd.exe wrapper also fails
-        let retryFailed = false;
-        const retryCheck = new Promise((resolve) => {
-            ptyProcess.onExit(({ exitCode }) => {
-                if (exitCode === 134 || exitCode === 3221226505) {
-                    retryFailed = true;
-                    resolve();
-                }
-            });
-            setTimeout(resolve, 2000);
-        });
-        await retryCheck;
-        if (retryFailed) {
-            const nodeVer = process.version;
-            console.log(`  ${YELLOW}⚠${RESET} The command crashed due to a known Node.js ${nodeVer} + PTY compatibility issue.`);
-            console.log(`  ${BOLD}Fix:${RESET} Install Node.js 22 LTS: ${GREEN}nvm install 22${RESET} or ${GREEN}winget install OpenJS.NodeJS.LTS${RESET}\n`);
-            process.exit(1);
-        }
+    if (ptyExitedEarly) {
+        const nodeVer = process.version;
+        console.log(`  ${YELLOW}⚠${RESET} The command crashed (CSPRNG assertion failure).`);
+        console.log(`  This is a known issue with Node.js ${nodeVer} + PTY on Windows.`);
+        console.log(`  ${BOLD}Fix:${RESET} Install Node.js 22 LTS: ${GREEN}nvm install 22${RESET} or ${GREEN}winget install OpenJS.NodeJS.LTS${RESET}\n`);
+        process.exit(1);
     }
     ptyProcess.onData((data) => {
         process.stdout.write(data);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cli-tunnel",
-  "version": "1.2.0-beta.5",
+  "version": "1.2.0-beta.7",
   "description": "Tunnel any CLI app to your phone — PTY + devtunnel + xterm.js",
   "type": "module",
   "main": "dist/index.js",