diffx-cli 0.7.1 → 0.8.0

package/dist/cli.mjs

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { parseArgs } from "node:util";
 import { fileURLToPath } from "node:url";
-import { basename, dirname, extname, join, resolve } from "node:path";
+import { basename, dirname, extname, isAbsolute, join, resolve } from "node:path";
 import { mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import getPort from "get-port";
 import { execSync } from "node:child_process";
@@ -10,6 +10,21 @@ import { readFile } from "node:fs/promises";
 import { Hono } from "hono";
 import { serve } from "@hono/node-server";
 import { homedir } from "node:os";
+//#region src/path.ts
+function decodeAndNormalize(p) {
+	let decoded = p;
+	try {
+		decoded = decodeURIComponent(p);
+	} catch {}
+	return decoded.replace(/\\/g, "/");
+}
+function isSafePath(relativePath, baseDir) {
+	const normalized = decodeAndNormalize(relativePath);
+	if (normalized.includes("..") || normalized.includes("\0") || isAbsolute(normalized)) return false;
+	const resolved = resolve(baseDir, normalized);
+	return resolved.startsWith(resolve(baseDir) + "/") || resolved === resolve(baseDir);
+}
+//#endregion
 //#region src/git.ts
 function isBinaryFile(absolutePath) {
 	try {
@@ -23,8 +38,10 @@ function isBinaryFile(absolutePath) {
 }
 function getFileContent(filePath, version) {
 	const root = getRepoRoot();
+	if (!isSafePath(filePath, root)) return null;
+	const resolved = resolve(root, filePath);
 	if (version === "new") try {
-		return readFileSync(join(root, filePath));
+		return readFileSync(resolved);
 	} catch {
 		return null;
 	}
@@ -333,7 +350,9 @@ function createApp(clientDir, customDiffArgs, commentStore) {
 	app.get("/*", async (c) => {
 		let filePath = c.req.path;
 		if (filePath === "/") filePath = "/index.html";
-		const fullPath = join(clientDir, filePath);
+		const relativePath = filePath.slice(1);
+		if (!isSafePath(relativePath, clientDir)) return c.text("Forbidden", 403);
+		const fullPath = resolve(clientDir, relativePath);
 		try {
 			const content = await readFile(fullPath);
 			const contentType = MIME_TYPES[extname(fullPath)] || "application/octet-stream";
@@ -382,7 +401,7 @@ if (values.help) {
 Usage: diffx [options] [-- <git diff args>]
 
 Options:
-  -p, --port <port>  Port to run the server on (default: 3433)
+  -p, --port <port>  Port to run the server on (default: random available port)
   --no-open          Don't open the browser automatically
   -v, --version      Show version number
   -h, --help         Show this help message
@@ -405,7 +424,7 @@ if (!isGitRepo()) {
 	console.error("Error: not inside a git repository");
 	process.exit(1);
 }
-const port = await getPort({ port: values.port ? parseInt(values.port, 10) : 3433 });
+const port = await getPort(values.port ? { port: parseInt(values.port, 10) } : void 0);
 const clientDir = resolve(dirname(fileURLToPath(import.meta.url)), "client");
 const { existsSync } = await import("node:fs");
 const { port: actualPort } = await startServer({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "diffx-cli",
-  "version": "0.7.1",
+  "version": "0.8.0",
   "description": "Local code review tool for git diffs with a GitHub PR-like web UI",
   "type": "module",
   "license": "MIT",
@@ -33,6 +33,7 @@
     "open": "^11.0.0"
   },
   "devDependencies": {
+    "@changesets/changelog-git": "^0.2.1",
     "@changesets/cli": "^2.30.0",
     "@pierre/diffs": "^1.1.11",
     "@types/react": "^19.1.2",