codeflow-hook 2.0.1 → 2.0.3

package/bin/codeflow-hook.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 
 import { Command } from 'commander';
 import chalk from 'chalk';

package/lib/cli-integration/src/index.ts

@@ -21,9 +21,51 @@ import fs from 'fs';
 // Load environment variables
 config();
 
+// Validate and sanitize environment variables
+const validateEnvironmentVariables = () => {
+  const envVars = {
+    LOG_LEVEL: process.env.LOG_LEVEL || 'info',
+    INGESTION_SERVICE_URL: process.env.INGESTION_SERVICE_URL || 'http://localhost:3000',
+    QUERY_SERVICE_URL: process.env.QUERY_SERVICE_URL || 'http://localhost:4000',
+    REQUEST_TIMEOUT: process.env.REQUEST_TIMEOUT || '30000',
+    REQUEST_RETRIES: process.env.REQUEST_RETRIES || '3'
+  };
+
+  // Validate log level
+  const validLogLevels = ['error', 'warn', 'info', 'debug'];
+  if (!validLogLevels.includes(envVars.LOG_LEVEL)) {
+    throw new Error(`Invalid LOG_LEVEL: ${envVars.LOG_LEVEL}. Must be one of: ${validLogLevels.join(', ')}`);
+  }
+
+  // Validate URLs
+  if (!envVars.INGESTION_SERVICE_URL.startsWith('http://') && !envVars.INGESTION_SERVICE_URL.startsWith('https://')) {
+    throw new Error(`Invalid INGESTION_SERVICE_URL: ${envVars.INGESTION_SERVICE_URL}. Must start with http:// or https://`);
+  }
+
+  if (!envVars.QUERY_SERVICE_URL.startsWith('http://') && !envVars.QUERY_SERVICE_URL.startsWith('https://')) {
+    throw new Error(`Invalid QUERY_SERVICE_URL: ${envVars.QUERY_SERVICE_URL}. Must start with http:// or https://`);
+  }
+
+  // Validate timeout
+  const timeout = parseInt(envVars.REQUEST_TIMEOUT, 10);
+  if (isNaN(timeout) || timeout <= 0 || timeout > 300000) { // Max 5 minutes
+    throw new Error(`Invalid REQUEST_TIMEOUT: ${envVars.REQUEST_TIMEOUT}. Must be between 1 and 300000 milliseconds`);
+  }
+
+  // Validate retries
+  const retries = parseInt(envVars.REQUEST_RETRIES, 10);
+  if (isNaN(retries) || retries <= 0 || retries > 10) {
+    throw new Error(`Invalid REQUEST_RETRIES: ${envVars.REQUEST_RETRIES}. Must be between 1 and 10`);
+  }
+
+  return envVars;
+};
+
+const envVars = validateEnvironmentVariables();
+
 // Configure logger
 const logger = winston.createLogger({
-  level: process.env.LOG_LEVEL || 'info',
+  level: envVars.LOG_LEVEL,
   format: winston.format.combine(
     winston.format.timestamp(),
     winston.format.errors({ stack: true }),
@@ -636,7 +678,7 @@ export class CLIIntegrationService {
   }
 
   /**
-   * Make HTTP request to backend service with retry logic
+   * Make HTTP request to backend service with retry logic and security validation
    */
   private async makeBackendRequest(
     url: string,
@@ -645,21 +687,32 @@ export class CLIIntegrationService {
   ): Promise<any> {
     let lastError: any;
 
+    // Validate URL to prevent SSRF attacks
+    if (!this.isValidUrl(url)) {
+      throw new Error('Invalid URL provided');
+    }
+
+    // Sanitize headers to prevent header injection
+    const sanitizedHeaders = this.sanitizeHeaders(headers);
+
     for (let attempt = 1; attempt <= this.config.retries; attempt++) {
       try {
         const response = await axios.post(url, data, {
           headers: {
-            ...headers,
-            'X-Attempt': attempt.toString()
+            ...sanitizedHeaders,
+            'X-Attempt': attempt.toString(),
+            'User-Agent': 'Codeflow-CLI-Integration/1.0'
           },
-          timeout: this.config.timeout
+          timeout: this.config.timeout,
+          maxRedirects: 3,
+          validateStatus: (status) => status < 500 // Don't throw on 4xx errors
         });
 
         return response;
       } catch (error) {
         lastError = error;
         logger.warn(`Backend request attempt ${attempt} failed`, {
-          url,
+          url: this.sanitizeUrlForLogging(url),
           attempt,
           error: this.formatError(error)
         });
@@ -674,6 +727,58 @@ export class CLIIntegrationService {
     throw lastError;
   }
 
+  /**
+   * Validate URL to prevent SSRF attacks
+   */
+  private isValidUrl(url: string): boolean {
+    try {
+      const urlObj = new URL(url);
+      
+      // Block internal network ranges
+      const hostname = urlObj.hostname;
+      if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname.startsWith('10.') || 
+          hostname.startsWith('192.168.') || hostname.match(/^172\.(1[6-9]|2\d|3[01])\./)) {
+        return false;
+      }
+
+      // Only allow HTTP/HTTPS protocols
+      return urlObj.protocol === 'http:' || urlObj.protocol === 'https:';
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Sanitize headers to prevent header injection
+   */
+  private sanitizeHeaders(headers: Record<string, string>): Record<string, string> {
+    const sanitized: Record<string, string> = {};
+    
+    for (const [key, value] of Object.entries(headers)) {
+      // Remove potentially dangerous headers
+      if (key.toLowerCase().includes('cookie') || key.toLowerCase().includes('authorization')) {
+        continue;
+      }
+      
+      // Sanitize header values
+      sanitized[key] = value.replace(/[^\x20-\x7E]/g, '');
+    }
+    
+    return sanitized;
+  }
+
+  /**
+   * Sanitize URL for logging to prevent log injection
+   */
+  private sanitizeUrlForLogging(url: string): string {
+    try {
+      const urlObj = new URL(url);
+      return `${urlObj.protocol}//${urlObj.hostname}${urlObj.pathname}`;
+    } catch {
+      return url.replace(/[\r\n]/g, '');
+    }
+  }
+
   /**
    * Make GraphQL request to Query Service
    */

package/lib/cli-integration/src/simulationEngine.ts

@@ -26,6 +26,10 @@ export class SimulationEngine {
     const executionId = this.generateExecutionId();
     const startTime = Date.now();
 
+    // Validate configuration before execution
+    this.validatePipelineConfig(config);
+    this.validateEnvironmentVariables();
+
     this.context = {
       pipelineId: config.id,
       executionId,
@@ -105,6 +109,103 @@ export class SimulationEngine {
     }
   }
 
+  /**
+   * Validate environment variables for security
+   */
+  private validateEnvironmentVariables(): void {
+    // Validate environment variables that might affect simulation
+    const envVars = {
+      NODE_ENV: process.env.NODE_ENV || 'development',
+      LOG_LEVEL: process.env.LOG_LEVEL || 'info',
+      SIMULATION_TIMEOUT: process.env.SIMULATION_TIMEOUT || '300000', // 5 minutes default
+      MAX_CONCURRENCY: process.env.MAX_CONCURRENCY || '5'
+    };
+
+    // Validate NODE_ENV
+    const validNodeEnvs = ['development', 'test', 'production'];
+    if (!validNodeEnvs.includes(envVars.NODE_ENV)) {
+      throw new Error(`Invalid NODE_ENV: ${envVars.NODE_ENV}. Must be one of: ${validNodeEnvs.join(', ')}`);
+    }
+
+    // Validate LOG_LEVEL
+    const validLogLevels = ['error', 'warn', 'info', 'debug'];
+    if (!validLogLevels.includes(envVars.LOG_LEVEL)) {
+      throw new Error(`Invalid LOG_LEVEL: ${envVars.LOG_LEVEL}. Must be one of: ${validLogLevels.join(', ')}`);
+    }
+
+    // Validate simulation timeout
+    const timeout = parseInt(envVars.SIMULATION_TIMEOUT, 10);
+    if (isNaN(timeout) || timeout <= 0 || timeout > 3600000) { // Max 1 hour
+      throw new Error(`Invalid SIMULATION_TIMEOUT: ${envVars.SIMULATION_TIMEOUT}. Must be between 1 and 3600000 milliseconds`);
+    }
+
+    // Validate max concurrency
+    const concurrency = parseInt(envVars.MAX_CONCURRENCY, 10);
+    if (isNaN(concurrency) || concurrency <= 0 || concurrency > 20) {
+      throw new Error(`Invalid MAX_CONCURRENCY: ${envVars.MAX_CONCURRENCY}. Must be between 1 and 20`);
+    }
+  }
+
+  /**
+   * Validate pipeline configuration for security and correctness
+   */
+  private validatePipelineConfig(config: PipelineConfig): void {
+    // Validate pipeline ID format
+    if (!config.id || !/^[a-z0-9-]+$/.test(config.id)) {
+      throw new Error('Invalid pipeline ID format - must contain only lowercase letters, numbers, and hyphens');
+    }
+
+    // Validate stage configurations
+    if (!config.stages || config.stages.length === 0) {
+      throw new Error('Pipeline must contain at least one stage');
+    }
+
+    // Validate each stage
+    const stageIds = new Set<string>();
+    for (const stage of config.stages) {
+      // Check for duplicate stage IDs
+      if (stageIds.has(stage.id)) {
+        throw new Error(`Duplicate stage ID found: ${stage.id}`);
+      }
+      stageIds.add(stage.id);
+
+      // Validate stage ID format
+      if (!/^[a-z0-9-]+$/.test(stage.id)) {
+        throw new Error(`Invalid stage ID format: ${stage.id}`);
+      }
+
+      // Validate dependencies don't create cycles (basic check)
+      if (stage.dependencies.includes(stage.id)) {
+        throw new Error(`Stage ${stage.id} cannot depend on itself`);
+      }
+
+      // Validate timeout values
+      if (stage.timeout <= 0 || stage.timeout > 7200000) { // Max 2 hours
+        throw new Error(`Invalid timeout for stage ${stage.id}: must be between 1ms and 2 hours`);
+      }
+
+      // Validate success rate
+      if (stage.successRate < 0 || stage.successRate > 1) {
+        throw new Error(`Invalid success rate for stage ${stage.id}: must be between 0 and 1`);
+      }
+
+      // Validate duration range
+      if (stage.durationRange.min <= 0 || stage.durationRange.max <= 0 || 
+          stage.durationRange.min > stage.durationRange.max) {
+        throw new Error(`Invalid duration range for stage ${stage.id}`);
+      }
+    }
+
+    // Validate pipeline settings
+    if (config.settings.maxConcurrency <= 0 || config.settings.maxConcurrency > 10) {
+      throw new Error('Invalid maxConcurrency setting: must be between 1 and 10');
+    }
+
+    if (config.settings.timeout <= 0 || config.settings.timeout > 86400000) { // Max 24 hours
+      throw new Error('Invalid pipeline timeout: must be between 1ms and 24 hours');
+    }
+  }
+
   /**
    * Execute stages respecting dependencies and concurrency limits
    */
@@ -381,18 +482,23 @@ export class SimulationEngine {
   ): { success: boolean; logs: string[]; metrics: StageMetrics; errors?: ErrorInfo[] } {
     const logs: string[] = [];
 
-    logs.push(`[${new Date().toISOString()}] 🐳 Building Docker image \`${stageConfig.config.imageName || 'app:latest'}\``);
-    logs.push(`[${new Date().toISOString()}] 📦 Step 1/8 : FROM ${stageConfig.config.baseImage || 'node:18-alpine'}`);
+    // Sanitize input to prevent command injection
+    const imageName = this.sanitizeInput(stageConfig.config.imageName || 'app:latest');
+    const baseImage = this.sanitizeInput(stageConfig.config.baseImage || 'node:18-alpine');
+
+    logs.push(`[${new Date().toISOString()}] 🐳 Building Docker image \`${imageName}\``);
+    logs.push(`[${new Date().toISOString()}] 📦 Step 1/8 : FROM ${baseImage}`);
 
     if (success) {
       logs.push(`[${new Date().toISOString()}] 📦 Step 8/8 : CMD ["npm", "start"]`);
       logs.push(`[${new Date().toISOString()}] ✅ Successfully built ${stageConfig.config.imageId || 'a1b2c3d4e5f6'}`);
       logs.push(`[${new Date().toISOString()}] 🔍 Image size: ${50 + Math.random() * 200}MB`);
 
-      // Create artifact
+      // Create artifact with sanitized data
       if (this.context) {
+        const sanitizedImageName = this.sanitizeInput(stageConfig.config.imageName || 'app');
         this.context.artifacts.set(`${stageConfig.id}-image`, {
-          name: `${stageConfig.config.imageName || 'app'}.tar.gz`,
+          name: `${sanitizedImageName}.tar.gz`,
           type: 'docker-image',
           size: Math.round(50 + Math.random() * 200) * 1024 * 1024,
           path: `/artifacts/${stageConfig.id}`,
@@ -406,6 +512,14 @@ export class SimulationEngine {
     return { success, logs, metrics };
   }
 
+  /**
+   * Sanitize input to prevent injection attacks
+   */
+  private sanitizeInput(input: string): string {
+    // Remove potentially dangerous characters
+    return input.replace(/[^\w\-\.\/:]/g, '');
+  }
+
   /**
    * Simulate unit test stage
    */

package/package.json

@@ -1,7 +1,7 @@
 
 {
   "name": "codeflow-hook",
-  "version": "2.0.1",
+  "version": "2.0.3",
   "description": "An interactive CI/CD simulator and lightweight pre-push code reviewer using Gemini AI",
   "type": "module",
   "main": "index.js",

package/lib/cli-integration/dist/index.d.ts

@@ -1,128 +0,0 @@
-#!/usr/bin/env node
-/**
- * CLI Integration Service - Phase 4
- *
- * Bridges the local CLI commands with EKG backend services.
- * Transforms CLI operations from local processing to backend-driven workflows.
- *
- * Key transformations:
- * - `codeflow index` → EKG Ingestion Service webhook simulation
- * - `codeflow analyze-diff` → EKG Query Service context-enhanced analysis
- */
-/**
- * CLI Integration Service
- * Provides methods that CLI commands can call to interact with EKG backend
- */
-export declare class CLIIntegrationService {
-    private config;
-    private git;
-    constructor();
-    /**
-     * Index repository for EKG - equivalent to `codeflow index`
-     *
-     * Sends repository URL to EKG Ingestion Service for analysis and graph population
-     */
-    indexRepository(options?: {
-        repositoryUrl?: string;
-        dryRun?: boolean;
-    }): Promise<{
-        success: boolean;
-        repositoryId?: string;
-        message: string;
-        stats?: {
-            indexedFiles: number;
-            analysisTime: number;
-            webhookAccepted: boolean;
-        };
-    }>;
-    /**
-     * Analyze code diff with EKG context enhancement
-     *
-     * Sends diff to Query Service for EKG-enhanced analysis instead of local RAG
-     */
-    analyzeDiff(diffContent: string, options?: {
-        legacy?: boolean;
-        outputFormat?: 'console' | 'json';
-    }): Promise<{
-        success: boolean;
-        analysis: any;
-        message: string;
-        stats?: {
-            ekg_queries: number;
-            similar_repos_found: number;
-            analysis_time: number;
-        };
-    }>;
-    /**
-     * Analyze diff content and extract structured information
-     */
-    private analyzeDiffContent;
-    /**
-     * Query EKG for context on affected files
-     */
-    private getEKGContext;
-    /**
-     * Generate enhanced analysis using EKG context
-     */
-    private generateEKGEnhancedAnalysis;
-    /**
-     * Get current repository information
-     */
-    private getRepositoryInfo;
-    /**
-     * Get list of files that would be indexed
-     */
-    private getIndexableFiles;
-    /**
-     * Make HTTP request to backend service with retry logic
-     */
-    private makeBackendRequest;
-    /**
-     * Make GraphQL request to Query Service
-     */
-    private makeGraphQLRequest;
-    /**
-     * Generate repository ID (similar to ingestion service)
-     */
-    private generateRepositoryId;
-    /**
-     * Get current user information
-     */
-    private getCurrentUser;
-    /**
-     * Detect language from file extension
-     */
-    private detectLanguage;
-    /**
-     * Format error for logging and display
-     */
-    private formatError;
-}
-export declare const cliIntegrationService: CLIIntegrationService;
-export declare const indexProject: (options?: {
-    repositoryUrl?: string;
-    dryRun?: boolean;
-}) => Promise<{
-    success: boolean;
-    repositoryId?: string;
-    message: string;
-    stats?: {
-        indexedFiles: number;
-        analysisTime: number;
-        webhookAccepted: boolean;
-    };
-}>;
-export declare const analyzeDiff: (diffContent: string, options?: {
-    legacy?: boolean;
-    outputFormat?: 'console' | 'json';
-}) => Promise<{
-    success: boolean;
-    analysis: any;
-    message: string;
-    stats?: {
-        ekg_queries: number;
-        similar_repos_found: number;
-        analysis_time: number;
-    };
-}>;
-export default cliIntegrationService;