npm - cli-tunnel - Versions diffs - 1.2.0-beta.6 → 1.2.0-beta.8 - Mend

cli-tunnel 1.2.0-beta.6 → 1.2.0-beta.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +17 -97
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -243,7 +243,9 @@ const server = http.createServer((req, res) => {
     // #18: Guard against malformed URI encoding
     let decodedUrl;
     try {
-        decodedUrl = decodeURIComponent(req.url || '/');
+        // Strip query string before resolving file path
+        const urlPath = (req.url || '/').split('?')[0];
+        decodedUrl = decodeURIComponent(urlPath);
     }
     catch {
         res.writeHead(400);
@@ -603,27 +605,15 @@ async function main() {
         }
         catch { /* use as-is */ }
     }
-    // F-07: Security — allowlist safe environment variables for PTY
-    const SAFE_ENV_VARS = new Set([
-        'PATH', 'HOME', 'USERPROFILE', 'SHELL', 'TERM', 'LANG', 'LC_ALL', 'LC_CTYPE',
-        'USER', 'LOGNAME', 'EDITOR', 'VISUAL', 'COLORTERM', 'TERM_PROGRAM',
-        'HOSTNAME', 'COMPUTERNAME', 'PWD', 'OLDPWD', 'SHLVL', 'TMPDIR', 'TMP', 'TEMP',
-        'XDG_RUNTIME_DIR', 'XDG_DATA_HOME', 'XDG_CONFIG_HOME', 'XDG_CACHE_HOME',
-        'DISPLAY', 'WAYLAND_DISPLAY', 'DBUS_SESSION_BUS_ADDRESS',
-        'PROGRAMFILES', 'PROGRAMFILES(X86)', 'SYSTEMROOT', 'WINDIR', 'COMSPEC',
-        'APPDATA', 'LOCALAPPDATA', 'PROGRAMDATA',
-        'NODE_ENV',
-        'GOPATH', 'GOROOT', 'CARGO_HOME', 'RUSTUP_HOME',
-        'JAVA_HOME', 'MAVEN_HOME', 'GRADLE_HOME',
-        'PYTHONPATH', 'VIRTUAL_ENV', 'CONDA_DEFAULT_ENV',
-        'KUBECONFIG', 'DOCKER_HOST', 'DOCKER_CONFIG',
-        'GIT_AUTHOR_NAME', 'GIT_AUTHOR_EMAIL', 'GIT_COMMITTER_NAME', 'GIT_COMMITTER_EMAIL',
-        'HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY', 'http_proxy', 'https_proxy', 'no_proxy',
-        'SSH_AUTH_SOCK', 'GPG_TTY',
-    ]);
+    // F-07: Security — filter dangerous environment variables for PTY
+    // Blocklist approach: pass everything except known dangerous vars and secrets
+    const DANGEROUS_VARS = new Set(['NODE_OPTIONS', 'NODE_REPL_HISTORY', 'NODE_EXTRA_CA_CERTS',
+        'NODE_PATH', 'NODE_REDIRECT_WARNINGS', 'NODE_PENDING_DEPRECATION',
+        'UV_THREADPOOL_SIZE', 'LD_PRELOAD', 'DYLD_INSERT_LIBRARIES']);
+    const sensitivePattern = /token|secret|key|password|credential|api_key|private_key|access_key|connection_string|auth/i;
     const safeEnv = {};
     for (const [k, v] of Object.entries(process.env)) {
-        if (SAFE_ENV_VARS.has(k) && v !== undefined) {
+        if (v !== undefined && !DANGEROUS_VARS.has(k) && !sensitivePattern.test(k)) {
             safeEnv[k] = v;
         }
     }
@@ -632,7 +622,7 @@ async function main() {
         cols, rows, cwd,
         env: safeEnv,
     });
-    // Detect CSPRNG crash (Node.js 23 + node-pty issue) and retry with fallbacks
+    // Detect CSPRNG crash (rare Node.js + PTY issue) and show helpful message
     let ptyExitedEarly = false;
     const earlyExitCheck = new Promise((resolve) => {
         ptyProcess.onExit(({ exitCode }) => {
@@ -644,82 +634,12 @@ async function main() {
         setTimeout(resolve, 2000);
     });
     await earlyExitCheck;
-    if (ptyExitedEarly && process.platform === 'win32') {
-        // Retry 1: Use full environment — CSPRNG may need env vars we filtered out
-        console.log(`  ${YELLOW}⚠${RESET} Process crashed, retrying with full environment...\n`);
-        // Blocklist approach: pass everything EXCEPT known dangerous vars
-        const DANGEROUS_VARS = new Set(['NODE_OPTIONS', 'NODE_REPL_HISTORY', 'NODE_EXTRA_CA_CERTS',
-            'NODE_PATH', 'NODE_REDIRECT_WARNINGS', 'NODE_PENDING_DEPRECATION',
-            'UV_THREADPOOL_SIZE', 'LD_PRELOAD', 'DYLD_INSERT_LIBRARIES']);
-        const fullSafeEnv = {};
-        for (const [k, v] of Object.entries(process.env)) {
-            if (!DANGEROUS_VARS.has(k) && v !== undefined)
-                fullSafeEnv[k] = v;
-        }
-        ptyProcess = nodePty.spawn(resolvedCmd, commandArgs, {
-            name: 'xterm-256color',
-            cols, rows, cwd,
-            env: fullSafeEnv,
-        });
-        let retry1Failed = false;
-        const retry1Check = new Promise((resolve) => {
-            ptyProcess.onExit(({ exitCode }) => {
-                if (exitCode === 134 || exitCode === 3221226505) {
-                    retry1Failed = true;
-                    resolve();
-                }
-            });
-            setTimeout(resolve, 2000);
-        });
-        await retry1Check;
-        if (retry1Failed) {
-            // Retry 2: cmd.exe wrapper with full env
-            console.log(`  ${YELLOW}⚠${RESET} Still crashing, retrying via cmd.exe wrapper...\n`);
-            const cmdLine = [resolvedCmd, ...commandArgs].map(a => a.includes(' ') ? `"${a}"` : a).join(' ');
-            ptyProcess = nodePty.spawn('cmd.exe', ['/c', cmdLine], {
-                name: 'xterm-256color',
-                cols, rows, cwd,
-                env: fullSafeEnv,
-            });
-            let retry2Failed = false;
-            const retry2Check = new Promise((resolve) => {
-                ptyProcess.onExit(({ exitCode }) => {
-                    if (exitCode === 134 || exitCode === 3221226505) {
-                        retry2Failed = true;
-                        resolve();
-                    }
-                });
-                setTimeout(resolve, 2000);
-            });
-            await retry2Check;
-            if (retry2Failed) {
-                // Retry 3: useConpty: false with full env
-                console.log(`  ${YELLOW}⚠${RESET} Still crashing, retrying with legacy PTY backend...\n`);
-                ptyProcess = nodePty.spawn(resolvedCmd, commandArgs, {
-                    name: 'xterm-256color',
-                    cols, rows, cwd,
-                    env: fullSafeEnv,
-                    useConpty: false,
-                });
-                let retry3Failed = false;
-                const retry3Check = new Promise((resolve) => {
-                    ptyProcess.onExit(({ exitCode }) => {
-                        if (exitCode === 134 || exitCode === 3221226505) {
-                            retry3Failed = true;
-                            resolve();
-                        }
-                    });
-                    setTimeout(resolve, 2000);
-                });
-                await retry3Check;
-                if (retry3Failed) {
-                    const nodeVer = process.version;
-                    console.log(`  ${YELLOW}⚠${RESET} The command crashed due to a known Node.js ${nodeVer} + PTY compatibility issue.`);
-                    console.log(`  ${BOLD}Fix:${RESET} Install Node.js 22 LTS: ${GREEN}nvm install 22${RESET} or ${GREEN}winget install OpenJS.NodeJS.LTS${RESET}\n`);
-                    process.exit(1);
-                }
-            }
-        }
+    if (ptyExitedEarly) {
+        const nodeVer = process.version;
+        console.log(`  ${YELLOW}⚠${RESET} The command crashed (CSPRNG assertion failure).`);
+        console.log(`  This is a known issue with Node.js ${nodeVer} + PTY on Windows.`);
+        console.log(`  ${BOLD}Fix:${RESET} Install Node.js 22 LTS: ${GREEN}nvm install 22${RESET} or ${GREEN}winget install OpenJS.NodeJS.LTS${RESET}\n`);
+        process.exit(1);
     }
     ptyProcess.onData((data) => {
         process.stdout.write(data);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cli-tunnel",
-  "version": "1.2.0-beta.6",
+  "version": "1.2.0-beta.8",
   "description": "Tunnel any CLI app to your phone — PTY + devtunnel + xterm.js",
   "type": "module",
   "main": "dist/index.js",