npm - create-fluxstack - Versions diffs - 1.13.0 → 1.14.0 - Mend

create-fluxstack 1.13.0 → 1.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/LLMD/patterns/anti-patterns.md +100 -0
package/LLMD/reference/routing.md +39 -39
package/LLMD/resources/live-auth.md +20 -2
package/LLMD/resources/live-components.md +94 -10
package/LLMD/resources/live-logging.md +95 -33
package/LLMD/resources/live-upload.md +59 -8
package/app/client/index.html +2 -2
package/app/client/public/favicon.svg +46 -0
package/app/client/src/App.tsx +2 -1
package/app/client/src/assets/fluxstack-static.svg +46 -0
package/app/client/src/assets/fluxstack.svg +183 -0
package/app/client/src/components/AppLayout.tsx +138 -9
package/app/client/src/components/BackButton.tsx +13 -13
package/app/client/src/components/DemoPage.tsx +4 -4
package/app/client/src/live/AuthDemo.tsx +23 -21
package/app/client/src/live/ChatDemo.tsx +2 -2
package/app/client/src/live/CounterDemo.tsx +12 -12
package/app/client/src/live/FormDemo.tsx +2 -2
package/app/client/src/live/LiveDebuggerPanel.tsx +779 -0
package/app/client/src/live/RoomChatDemo.tsx +24 -16
package/app/client/src/main.tsx +13 -13
package/app/client/src/pages/ApiTestPage.tsx +6 -6
package/app/client/src/pages/HomePage.tsx +80 -52
package/app/server/live/LiveAdminPanel.ts +1 -0
package/app/server/live/LiveChat.ts +78 -77
package/app/server/live/LiveCounter.ts +1 -1
package/app/server/live/LiveForm.ts +1 -0
package/app/server/live/LiveLocalCounter.ts +38 -37
package/app/server/live/LiveProtectedChat.ts +1 -0
package/app/server/live/LiveRoomChat.ts +1 -0
package/app/server/live/LiveUpload.ts +1 -0
package/app/server/live/register-components.ts +19 -19
package/config/system/runtime.config.ts +4 -0
package/core/build/optimizer.ts +235 -235
package/core/client/components/Live.tsx +17 -11
package/core/client/components/LiveDebugger.tsx +1324 -0
package/core/client/hooks/AdaptiveChunkSizer.ts +215 -215
package/core/client/hooks/useLiveComponent.ts +11 -1
package/core/client/hooks/useLiveDebugger.ts +392 -0
package/core/client/index.ts +14 -0
package/core/plugins/built-in/index.ts +134 -134
package/core/plugins/built-in/live-components/commands/create-live-component.ts +4 -0
package/core/plugins/built-in/vite/index.ts +75 -21
package/core/server/index.ts +15 -15
package/core/server/live/ComponentRegistry.ts +55 -26
package/core/server/live/FileUploadManager.ts +188 -24
package/core/server/live/LiveDebugger.ts +462 -0
package/core/server/live/LiveLogger.ts +38 -5
package/core/server/live/LiveRoomManager.ts +17 -1
package/core/server/live/StateSignature.ts +87 -27
package/core/server/live/WebSocketConnectionManager.ts +11 -10
package/core/server/live/auto-generated-components.ts +1 -1
package/core/server/live/websocket-plugin.ts +233 -8
package/core/server/plugins/static-files-plugin.ts +179 -69
package/core/types/build.ts +219 -219
package/core/types/plugin.ts +107 -107
package/core/types/types.ts +145 -9
package/core/utils/logger/startup-banner.ts +82 -82
package/core/utils/version.ts +6 -6
package/package.json +1 -1
package/app/client/src/assets/react.svg +0 -1

package/core/server/live/FileUploadManager.ts CHANGED Viewed

@@ -1,35 +1,115 @@
 import { writeFile, mkdir, unlink } from 'fs/promises'
 import { existsSync } from 'fs'
-import { join, extname } from 'path'
-import type {
-  ActiveUpload,
-  FileUploadStartMessage,
+import { join, extname, basename } from 'path'
+import { liveLog, liveWarn } from './LiveLogger'
+import type {
+  ActiveUpload,
+  FileUploadStartMessage,
   FileUploadChunkMessage,
   FileUploadCompleteMessage,
   FileUploadProgressResponse,
   FileUploadCompleteResponse
 } from '@core/types/types'
+// 🔒 Magic bytes mapping for content validation
+// Validates actual file content, not just the MIME type header
+const MAGIC_BYTES: Record<string, { bytes: number[]; offset?: number }[]> = {
+  'image/jpeg': [{ bytes: [0xFF, 0xD8, 0xFF] }],
+  'image/png': [{ bytes: [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A] }],
+  'image/gif': [
+    { bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // GIF87a
+    { bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // GIF89a
+  ],
+  'image/webp': [
+    { bytes: [0x52, 0x49, 0x46, 0x46], offset: 0 }, // RIFF header
+    // Byte 8-11 should be WEBP, checked separately
+  ],
+  'application/pdf': [{ bytes: [0x25, 0x50, 0x44, 0x46] }], // %PDF
+  'application/zip': [
+    { bytes: [0x50, 0x4B, 0x03, 0x04] }, // PK\x03\x04
+    { bytes: [0x50, 0x4B, 0x05, 0x06] }, // Empty archive
+  ],
+  'application/gzip': [{ bytes: [0x1F, 0x8B] }],
+}
 export class FileUploadManager {
   private activeUploads = new Map<string, ActiveUpload>()
-  private readonly maxUploadSize = 500 * 1024 * 1024 // 500MB max (aceita qualquer arquivo)
+  private readonly maxUploadSize = 50 * 1024 * 1024 // 🔒 50MB max (reduced from 500MB)
   private readonly chunkTimeout = 30000 // 30 seconds timeout per chunk
-  private readonly allowedTypes: string[] = [] // Array vazio = aceita todos os tipos de arquivo
+  // 🔒 Per-user upload quota tracking
+  private userUploadBytes = new Map<string, number>() // userId -> total bytes uploaded
+  private readonly maxBytesPerUser = 500 * 1024 * 1024 // 🔒 500MB per user total
+  private readonly quotaResetInterval = 24 * 60 * 60 * 1000 // Reset quotas daily
+  // 🔒 Default allowed MIME types - safe file types only
+  private readonly allowedTypes: string[] = [
+    'image/jpeg', 'image/png', 'image/gif', 'image/webp', 'image/svg+xml',
+    'application/pdf',
+    'text/plain', 'text/csv', 'text/markdown',
+    'application/json',
+    'application/zip', 'application/gzip',
+  ]
+  // 🔒 Blocked file extensions that could be dangerous
+  private readonly blockedExtensions: Set<string> = new Set([
+    '.exe', '.bat', '.cmd', '.com', '.msi', '.scr', '.pif',
+    '.sh', '.bash', '.zsh', '.csh',
+    '.ps1', '.psm1', '.psd1',
+    '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh',
+    '.dll', '.sys', '.drv', '.so', '.dylib',
+  ])
   constructor() {
     // Cleanup stale uploads every 5 minutes
     setInterval(() => this.cleanupStaleUploads(), 5 * 60 * 1000)
+    // 🔒 Reset per-user upload quotas daily
+    setInterval(() => this.resetUploadQuotas(), this.quotaResetInterval)
   }
-  async startUpload(message: FileUploadStartMessage): Promise<{ success: boolean; error?: string }> {
+  async startUpload(message: FileUploadStartMessage, userId?: string): Promise<{ success: boolean; error?: string }> {
     try {
       const { uploadId, componentId, filename, fileType, fileSize, chunkSize = 64 * 1024 } = message
-      // Validate file size (sem restrição de tipo)
+      // 🔒 Validate file size
       if (fileSize > this.maxUploadSize) {
         throw new Error(`File too large: ${fileSize} bytes. Max: ${this.maxUploadSize} bytes`)
       }
+      // 🔒 Per-user upload quota check
+      if (userId) {
+        const currentUsage = this.userUploadBytes.get(userId) || 0
+        if (currentUsage + fileSize > this.maxBytesPerUser) {
+          throw new Error(`Upload quota exceeded for user. Used: ${currentUsage} bytes, limit: ${this.maxBytesPerUser} bytes`)
+        }
+      }
+      // 🔒 Validate MIME type against allowlist
+      if (this.allowedTypes.length > 0 && !this.allowedTypes.includes(fileType)) {
+        throw new Error(`File type not allowed: ${fileType}`)
+      }
+      // 🔒 Validate filename - sanitize and check extension
+      const safeBase = basename(filename) // Strip any path traversal
+      const ext = extname(safeBase).toLowerCase()
+      if (this.blockedExtensions.has(ext)) {
+        throw new Error(`File extension not allowed: ${ext}`)
+      }
+      // 🔒 Double extension bypass prevention (e.g., malware.exe.jpg)
+      const parts = safeBase.split('.')
+      if (parts.length > 2) {
+        // Check all intermediate extensions
+        for (let i = 1; i < parts.length - 1; i++) {
+          const intermediateExt = '.' + parts[i].toLowerCase()
+          if (this.blockedExtensions.has(intermediateExt)) {
+            throw new Error(`Suspicious double extension detected: ${intermediateExt} in ${safeBase}`)
+          }
+        }
+      }
+      // 🔒 Validate filename length
+      if (safeBase.length > 255) {
+        throw new Error('Filename too long')
+      }
       // Check if upload already exists
       if (this.activeUploads.has(uploadId)) {
         throw new Error(`Upload ${uploadId} already in progress`)
@@ -54,13 +134,20 @@ export class FileUploadManager {
       this.activeUploads.set(uploadId, upload)
-      console.log('📤 Upload started:', {
+      // 🔒 Reserve quota for this upload
+      if (userId) {
+        const currentUsage = this.userUploadBytes.get(userId) || 0
+        this.userUploadBytes.set(userId, currentUsage + fileSize)
+      }
+      liveLog('messages', componentId, '📤 Upload started:', {
         uploadId,
         componentId,
         filename,
         fileType,
         fileSize,
-        totalChunks
+        totalChunks,
+        userId: userId || 'anonymous'
       })
       return { success: true }
@@ -87,7 +174,7 @@ export class FileUploadManager {
       // Check if chunk already received
       if (upload.receivedChunks.has(chunkIndex)) {
-        console.log(`📦 Chunk ${chunkIndex} already received for upload ${uploadId}`)
+        liveLog('messages', upload.componentId, `📦 Chunk ${chunkIndex} already received for upload ${uploadId}`)
       } else {
         // Store chunk data - use binary data if available, otherwise use base64 string
         let chunkBytes: number
@@ -105,7 +192,7 @@ export class FileUploadManager {
         upload.lastChunkTime = Date.now()
         upload.bytesReceived += chunkBytes
-        console.log(`📦 Received chunk ${chunkIndex + 1}/${totalChunks} for upload ${uploadId} (${chunkBytes} bytes, total: ${upload.bytesReceived}/${upload.fileSize})${binaryData ? ' [binary]' : ' [base64]'}`)
+        liveLog('messages', upload.componentId, `📦 Received chunk ${chunkIndex + 1}/${totalChunks} for upload ${uploadId} (${chunkBytes} bytes, total: ${upload.bytesReceived}/${upload.fileSize})${binaryData ? ' [binary]' : ' [base64]'}`)
       }
       // Calculate progress based on actual bytes received (supports adaptive chunking)
@@ -114,7 +201,7 @@ export class FileUploadManager {
       // Log completion status (but don't finalize until COMPLETE message)
       if (upload.bytesReceived >= upload.fileSize) {
-        console.log(`✅ All bytes received for upload ${uploadId} (${upload.bytesReceived}/${upload.fileSize}), waiting for COMPLETE message`)
+        liveLog('messages', upload.componentId, `✅ All bytes received for upload ${uploadId} (${upload.bytesReceived}/${upload.fileSize}), waiting for COMPLETE message`)
       }
       return {
@@ -137,7 +224,7 @@ export class FileUploadManager {
   private async finalizeUpload(upload: ActiveUpload): Promise<void> {
     try {
-      console.log(`✅ Upload completed: ${upload.uploadId}`)
+      liveLog('messages', upload.componentId, `✅ Upload completed: ${upload.uploadId}`)
       // Assemble file from chunks
       const fileUrl = await this.assembleFile(upload)
@@ -160,7 +247,7 @@ export class FileUploadManager {
         throw new Error(`Upload ${uploadId} not found`)
       }
-      console.log(`✅ Upload completion requested: ${uploadId}`)
+      liveLog('messages', upload.componentId, `✅ Upload completion requested: ${uploadId}`)
       // Validate bytes received (supports adaptive chunking)
       if (upload.bytesReceived !== upload.fileSize) {
@@ -168,8 +255,10 @@ export class FileUploadManager {
         throw new Error(`Incomplete upload: received ${upload.bytesReceived}/${upload.fileSize} bytes (${bytesShort} bytes short)`)
       }
-      console.log(`✅ Upload validation passed: ${uploadId} (${upload.bytesReceived} bytes)`)
+      // 🔒 Content validation: verify file magic bytes match claimed MIME type
+      this.validateContentMagicBytes(upload)
+      liveLog('messages', upload.componentId, `✅ Upload validation passed: ${uploadId} (${upload.bytesReceived} bytes)`)
       // Assemble file from chunks
       const fileUrl = await this.assembleFile(upload)
@@ -209,11 +298,9 @@ export class FileUploadManager {
         await mkdir(uploadsDir, { recursive: true })
       }
-      // Generate unique filename
-      const timestamp = Date.now()
-      const extension = extname(upload.filename)
-      const baseName = upload.filename.replace(extension, '')
-      const safeFilename = `${baseName}_${timestamp}${extension}`
+      // 🔒 Generate secure unique filename using UUID (prevents path traversal and name collisions)
+      const extension = extname(basename(upload.filename)).toLowerCase()
+      const safeFilename = `${crypto.randomUUID()}${extension}`
       const filePath = join(uploadsDir, safeFilename)
       // Assemble chunks in order
@@ -234,7 +321,7 @@ export class FileUploadManager {
       const fileBuffer = Buffer.concat(chunks)
       await writeFile(filePath, fileBuffer)
-      console.log(`📁 File assembled: ${filePath}`)
+      liveLog('messages', upload.componentId, `📁 File assembled: ${filePath}`)
       return `/uploads/${safeFilename}`
     } catch (error) {
@@ -257,11 +344,88 @@ export class FileUploadManager {
     for (const uploadId of staleUploads) {
       this.activeUploads.delete(uploadId)
-      console.log(`🧹 Cleaned up stale upload: ${uploadId}`)
+      liveLog('messages', null, `🧹 Cleaned up stale upload: ${uploadId}`)
     }
     if (staleUploads.length > 0) {
-      console.log(`🧹 Cleaned up ${staleUploads.length} stale uploads`)
+      liveLog('messages', null, `🧹 Cleaned up ${staleUploads.length} stale uploads`)
+    }
+  }
+  /**
+   * 🔒 Validate that the first bytes of the uploaded file match the claimed MIME type.
+   * Prevents attacks where a malicious file is uploaded with a fake MIME type header.
+   */
+  private validateContentMagicBytes(upload: ActiveUpload): void {
+    const expectedSignatures = MAGIC_BYTES[upload.fileType]
+    if (!expectedSignatures) {
+      // No magic bytes defined for this type (text types, SVG, JSON, etc.) - skip binary check
+      // For text types, we could add content sniffing but it's less critical
+      return
+    }
+    // Get the first chunk to read magic bytes
+    const firstChunk = upload.receivedChunks.get(0)
+    if (!firstChunk) {
+      throw new Error('Cannot validate file content: first chunk missing')
+    }
+    const headerBuffer = Buffer.isBuffer(firstChunk)
+      ? firstChunk
+      : Buffer.from(firstChunk, 'base64')
+    // Check if any of the expected signatures match
+    let matched = false
+    for (const sig of expectedSignatures) {
+      const offset = sig.offset ?? 0
+      if (headerBuffer.length < offset + sig.bytes.length) {
+        continue // File too small for this signature
+      }
+      let sigMatches = true
+      for (let i = 0; i < sig.bytes.length; i++) {
+        if (headerBuffer[offset + i] !== sig.bytes[i]) {
+          sigMatches = false
+          break
+        }
+      }
+      if (sigMatches) {
+        matched = true
+        break
+      }
+    }
+    if (!matched) {
+      liveWarn('messages', upload.componentId, `🔒 Content validation failed for upload ${upload.uploadId}: ` +
+        `claimed type ${upload.fileType} does not match file magic bytes`)
+      throw new Error(
+        `File content does not match claimed type '${upload.fileType}'. ` +
+        `The file may be disguised as a different format.`
+      )
+    }
+  }
+  /**
+   * 🔒 Reset per-user upload quotas (called periodically)
+   */
+  private resetUploadQuotas(): void {
+    const userCount = this.userUploadBytes.size
+    this.userUploadBytes.clear()
+    if (userCount > 0) {
+      liveLog('messages', null, `🔒 Reset upload quotas for ${userCount} users`)
+    }
+  }
+  /**
+   * Get per-user upload usage
+   */
+  getUserUploadUsage(userId: string): { used: number; limit: number; remaining: number } {
+    const used = this.userUploadBytes.get(userId) || 0
+    return {
+      used,
+      limit: this.maxBytesPerUser,
+      remaining: Math.max(0, this.maxBytesPerUser - used)
     }
   }