electerm 3.1.26 → 3.3.0

package/LICENSE.electron.txt

@@ -0,0 +1,21 @@
+Copyright (c) Electron contributors
+Copyright (c) 2013-2020 GitHub Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/npm/install.js

@@ -5,14 +5,50 @@
 const os = require('os')
 const { resolve } = require('path')
 const { exec, rm, mv } = require('shelljs')
-const rp = require('phin').promisified
-const download = require('download')
+const { execFile } = require('child_process')
+const { phin, download } = require('./utils')
+
 const plat = os.platform()
 const arch = os.arch()
 const { homepage } = require('../package.json')
+
 const releaseInfoUrl = `${homepage}/data/electerm-github-release.json?_=${+new Date()}`
 const versionUrl = `${homepage}/version.html?_=${+new Date()}`
 
+// ---------------------------------------------------------------------------
+// Security helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Validate that a version string is a plain semver (e.g. "1.2.3" or "v1.2.3").
+ */
+function sanitizeVersion (ver) {
+  const clean = String(ver).trim().replace(/^v/, '')
+  if (!/^\d+\.\d+\.\d+$/.test(clean)) {
+    throw new Error(
+      `Refusing to continue: remote version string failed validation: "${ver}"`
+    )
+  }
+  return clean
+}
+
+/**
+ * Validate that a release asset filename contains only safe characters.
+ */
+function sanitizeFilename (name) {
+  const clean = String(name).trim()
+  if (!/^[\w.-]+$/.test(clean)) {
+    throw new Error(
+      `Refusing to continue: remote filename failed validation: "${name}"`
+    )
+  }
+  return clean
+}
+
+// ---------------------------------------------------------------------------
+// Core helpers
+// ---------------------------------------------------------------------------
+
 function down (url, extract = true) {
   const local = resolve(__dirname, '../')
   console.log('downloading ' + url)
@@ -22,7 +58,7 @@ function down (url, extract = true) {
 }
 
 function getVer () {
-  return rp({
+  return phin({
     url: versionUrl,
     timeout: 15000
   })
@@ -30,7 +66,7 @@ function getVer () {
 }
 
 function getReleaseInfo (filter) {
-  return rp({
+  return phin({
     url: releaseInfoUrl,
     timeout: 15000
   })
@@ -52,6 +88,10 @@ function showFinalMessage () {
   console.log('========================================\n')
 }
 
+// ---------------------------------------------------------------------------
+// Platform detection helpers
+// ---------------------------------------------------------------------------
+
 // Check if running on Windows 7 or earlier
 function isWindows7OrEarlier (platform, release) {
   if (platform !== 'win32') return false
@@ -120,20 +160,30 @@ function getDownloadPattern (platform, architecture, options = {}) {
       return { pattern: new RegExp(`linux-x64${suffix}\\.tar\\.gz$`), type: `linux-x64${suffix}` }
     }
   }
+
   return { pattern: null, type: 'unsupported' }
 }
 
+// ---------------------------------------------------------------------------
+// Platform installers
 async function runLinux (folderName, filePattern) {
-  const ver = await getVer()
-  const target = resolve(__dirname, `../electerm-${ver.replace('v', '')}-${folderName}`)
+  const rawVer = await getVer()
+  const ver = sanitizeVersion(rawVer) // throws if tampered
+
+  const target = resolve(__dirname, `../electerm-${ver}-${folderName}`)
   const targetNew = resolve(__dirname, '../electerm')
-  exec(`rm -rf ${target} ${targetNew}`)
+
+  // Use shelljs array API — no shell string interpolation
+  rm('-rf', [target, targetNew])
+
   const releaseInfo = await getReleaseInfo(r => r.name.includes(filePattern))
   if (!releaseInfo) {
     throw new Error(`No release found for pattern: ${filePattern}`)
   }
+
   await down(releaseInfo.browser_download_url)
-  exec(`mv ${target} ${targetNew}`)
+
+  mv(target, targetNew)
   showFinalMessage()
   exec('electerm')
 }
@@ -144,37 +194,48 @@ async function runMac (archName) {
   if (!releaseInfo) {
     throw new Error(`No release found for Mac ${archName}`)
   }
+
+  const safeName = sanitizeFilename(releaseInfo.name) // throws if tampered
   await down(releaseInfo.browser_download_url, false)
-  const target = resolve(__dirname, '../', releaseInfo.name)
+
+  const target = resolve(__dirname, '../', safeName)
   showFinalMessage()
-  exec(`open ${target}`)
+
+  // execFile does not spawn a shell — no injection possible
+  execFile('open', [target])
 }
 
-// macOS 10.x specific version
 async function runMac10 () {
   const releaseInfo = await getReleaseInfo(r => /mac10-x64\.dmg$/.test(r.name))
   if (!releaseInfo) {
     throw new Error('No release found for macOS 10.x')
   }
+
+  const safeName = sanitizeFilename(releaseInfo.name) // throws if tampered
   await down(releaseInfo.browser_download_url, false)
-  const target = resolve(__dirname, '../', releaseInfo.name)
+
+  const target = resolve(__dirname, '../', safeName)
   showFinalMessage()
-  exec(`open ${target}`)
+
+  // execFile does not spawn a shell — no injection possible
+  execFile('open', [target])
 }
 
 async function runWin (archName) {
-  const ver = await getVer()
-  const target = resolve(__dirname, `../electerm-${ver.replace('v', '')}-win-${archName}`)
+  const rawVer = await getVer()
+  const ver = sanitizeVersion(rawVer) // consistent hardening
+
+  const target = resolve(__dirname, `../electerm-${ver}-win-${archName}`)
   const targetNew = resolve(__dirname, '../electerm')
-  rm('-rf', [
-    target,
-    targetNew
-  ])
+
+  rm('-rf', [target, targetNew])
+
   const pattern = new RegExp(`electerm-\\d+\\.\\d+\\.\\d+-win-${archName}\\.tar\\.gz$`)
   const releaseInfo = await getReleaseInfo(r => pattern.test(r.name))
   if (!releaseInfo) {
     throw new Error(`No release found for Windows ${archName}`)
   }
+
   await down(releaseInfo.browser_download_url)
   await mv(target, targetNew)
   showFinalMessage()
@@ -183,23 +244,29 @@ async function runWin (archName) {
 
 // Windows 7 specific version
 async function runWin7 () {
-  const ver = await getVer()
-  const target = resolve(__dirname, `../electerm-${ver.replace('v', '')}-win7`)
+  const rawVer = await getVer()
+  const ver = sanitizeVersion(rawVer) // consistent hardening
+
+  const target = resolve(__dirname, `../electerm-${ver}-win7`)
   const targetNew = resolve(__dirname, '../electerm')
-  rm('-rf', [
-    target,
-    targetNew
-  ])
+
+  rm('-rf', [target, targetNew])
+
   const releaseInfo = await getReleaseInfo(r => /electerm-\d+\.\d+\.\d+-win7\.tar\.gz$/.test(r.name))
   if (!releaseInfo) {
     throw new Error('No release found for Windows 7')
   }
+
   await down(releaseInfo.browser_download_url)
   await mv(target, targetNew)
   showFinalMessage()
   require('child_process').execFile(`${targetNew}\\electerm.exe`)
 }
 
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
 async function main () {
   console.log(`Detected platform: ${plat}, architecture: ${arch}`)
 
@@ -216,34 +283,28 @@ async function main () {
 
   try {
     if (plat === 'win32') {
-      // Windows: x64, arm64, win7
       if (win7) {
         await runWin7()
       } else if (arch === 'arm64') {
         await runWin('arm64')
       } else {
-        // Default to x64 for all other Windows architectures
         await runWin('x64')
       }
     } else if (plat === 'darwin') {
-      // macOS: x64, arm64, mac10
       if (mac10) {
         await runMac10()
       } else if (arch === 'arm64') {
         await runMac('arm64')
       } else {
-        // Default to x64 for Intel Macs
         await runMac('x64')
       }
     } else if (plat === 'linux') {
-      // Linux: x64, arm64, armv7l (with legacy variants)
       const suffix = linuxLegacy ? '-legacy' : ''
       if (arch === 'arm64') {
         await runLinux(`linux-arm64${suffix}`, `linux-arm64${suffix}.tar.gz`)
       } else if (arch === 'arm') {
         await runLinux(`linux-armv7l${suffix}`, `linux-armv7l${suffix}.tar.gz`)
       } else {
-        // Default to x64 for all other Linux architectures
         await runLinux(`linux-x64${suffix}`, `linux-x64${suffix}.tar.gz`)
       }
     } else {
@@ -261,12 +322,18 @@ async function main () {
   }
 }
 
+// ---------------------------------------------------------------------------
+// Exports
+// ---------------------------------------------------------------------------
+
 // Export functions for testing
 module.exports = {
   isWindows7OrEarlier,
   isMacOS10,
   isLinuxLegacy,
-  getDownloadPattern
+  getDownloadPattern,
+  sanitizeVersion,
+  sanitizeFilename
 }
 
 // Run main only if this file is executed directly

package/npm/utils.js

@@ -0,0 +1,180 @@
+/**
+ * Utility functions for npm installer
+ * Replaces download and phin packages with native Node.js http/https and tar
+ * Supports Node.js 16+
+ */
+
+const https = require('https')
+const http = require('http')
+const fs = require('fs')
+const path = require('path')
+const tar = require('tar')
+
+/**
+ * Make an HTTP GET request
+ * @param {string} url - URL to fetch
+ * @param {number} timeout - Request timeout in milliseconds (default: 15000)
+ * @returns {Promise<string>} Response body as string
+ */
+function httpGet (url, timeout = 15000) {
+  return new Promise((resolve, reject) => {
+    const client = url.startsWith('https') ? https : http
+
+    const req = client.get(url, { timeout }, (res) => {
+      // Handle redirects
+      if (res.statusCode === 301 || res.statusCode === 302 || res.statusCode === 307) {
+        if (res.headers.location) {
+          resolve(httpGet(res.headers.location, timeout))
+          return
+        }
+      }
+
+      if (res.statusCode !== 200) {
+        reject(new Error(`HTTP ${res.statusCode}: ${res.statusMessage || 'Unknown error'}`))
+        return
+      }
+
+      const chunks = []
+      res.on('data', (chunk) => chunks.push(chunk))
+      res.on('end', () => {
+        const buffer = Buffer.concat(chunks)
+        resolve(buffer.toString())
+      })
+      res.on('error', reject)
+    })
+
+    req.on('error', reject)
+    req.on('timeout', () => {
+      req.destroy()
+      reject(new Error(`Request timeout after ${timeout}ms`))
+    })
+  })
+}
+
+/**
+ * Download a file from URL to local path
+ * @param {string} url - URL to download from
+ * @param {string} dest - Destination directory path
+ * @returns {Promise<string>} Path to downloaded file
+ */
+function downloadFile (url, dest) {
+  return new Promise((resolve, reject) => {
+    const client = url.startsWith('https') ? https : http
+
+    const req = client.get(url, { timeout: 300000 }, (res) => {
+      // Handle redirects
+      if (res.statusCode === 301 || res.statusCode === 302 || res.statusCode === 307) {
+        if (res.headers.location) {
+          resolve(downloadFile(res.headers.location, dest))
+          return
+        }
+      }
+
+      if (res.statusCode !== 200) {
+        reject(new Error(`HTTP ${res.statusCode}: ${res.statusMessage || 'Unknown error'}`))
+        return
+      }
+
+      // Extract filename from URL or Content-Disposition header
+      let filename = 'download'
+      const contentDisposition = res.headers['content-disposition']
+      if (contentDisposition) {
+        const match = contentDisposition.match(/filename[^;=\n]*=(['"]?)([^'";\n]*)\1/)
+        if (match) {
+          filename = match[2]
+        }
+      } else {
+        const urlParts = url.split('/')
+        filename = urlParts[urlParts.length - 1].split('?')[0] || 'download'
+      }
+
+      const filepath = path.join(dest, filename)
+      const fileStream = fs.createWriteStream(filepath)
+
+      res.pipe(fileStream)
+      fileStream.on('finish', () => {
+        fileStream.close()
+        resolve(filepath)
+      })
+      fileStream.on('error', (err) => {
+        fs.unlink(filepath, () => {}) // Clean up partial download
+        reject(err)
+      })
+    })
+
+    req.on('error', reject)
+    req.on('timeout', () => {
+      req.destroy()
+      reject(new Error('Download timeout after 300s'))
+    })
+  })
+}
+
+/**
+ * Extract a tar.gz file to destination directory
+ * @param {string} filepath - Path to tar.gz file
+ * @param {string} dest - Destination directory
+ * @returns {Promise<void>}
+ */
+function extractTarGz (filepath, dest) {
+  return tar.extract({
+    file: filepath,
+    cwd: dest,
+    strip: 1 // Strip top-level directory
+  })
+}
+
+/**
+ * Download and optionally extract a file
+ * Replaces the download package functionality
+ * @param {string} url - URL to download from
+ * @param {string} dest - Destination directory
+ * @param {boolean} extract - Whether to extract the file (default: true)
+ * @returns {Promise<void>}
+ */
+async function download (url, dest, { extract: doExtract = true } = {}) {
+  console.log('downloading ' + url)
+
+  const filepath = await downloadFile(url, dest)
+
+  if (doExtract && (filepath.endsWith('.tar.gz') || filepath.endsWith('.tgz'))) {
+    await extractTarGz(filepath, dest)
+    // Clean up the downloaded archive
+    try {
+      fs.unlinkSync(filepath)
+    } catch (err) {
+      console.warn('Warning: Failed to clean up downloaded archive:', err.message)
+    }
+  }
+
+  console.log('done!')
+}
+
+/**
+ * Phin replacement - simple promisified HTTP client
+ * @param {object} options - Request options
+ * @param {string} options.url - URL to fetch
+ * @param {number} options.timeout - Request timeout (default: 15000)
+ * @returns {Promise<{body: string, statusCode: number, headers: object}>}
+ */
+async function phin (options) {
+  const { url, timeout = 15000 } = options
+  const body = await httpGet(url, timeout)
+
+  return {
+    body: Buffer.from(body),
+    statusCode: 200,
+    headers: {}
+  }
+}
+
+// Export promisified version
+phin.promisified = phin
+
+module.exports = {
+  httpGet,
+  downloadFile,
+  extractTarGz,
+  download,
+  phin
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "electerm",
-  "version": "3.1.26",
+  "version": "3.3.0",
   "description": "Terminal/ssh/telnet/serialport/sftp client(linux, mac, win)",
   "main": "app.js",
   "bin": "npm/electerm",
@@ -28,8 +28,7 @@
   "preferGlobal": true,
   "dependencies": {
     "shelljs": "*",
-    "phin": "*",
-    "download": "*"
+    "tar": "*"
   },
   "files": [
     "npm",