elit 3.6.8 → 3.6.9

package/Cargo.lock

@@ -1211,7 +1211,7 @@ dependencies = [
 
 [[package]]
 name = "elit-desktop"
-version = "3.6.8"
+version = "3.6.9"
 dependencies = [
  "eframe",
  "http",

package/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "elit-desktop"
-version = "3.6.8"
+version = "3.6.9"
 edition = "2021"
 build = "desktop/build.rs"
 

package/dist/cli.cjs

@@ -58249,11 +58249,11 @@ function readdirp(root, options = {}) {
   options.root = root;
   return new ReaddirpStream(options);
 }
-var import_promises, import_node_stream, import_node_path28, EntryTypes, defaultOptions3, RECURSIVE_ERROR_CODE, NORMAL_FLOW_ERRORS, ALL_TYPES, DIR_TYPES, FILE_TYPES, isNormalFlowError, wantBigintFsStats, emptyFn, normalizeFilter, ReaddirpStream;
+var import_promises2, import_node_stream, import_node_path28, EntryTypes, defaultOptions3, RECURSIVE_ERROR_CODE, NORMAL_FLOW_ERRORS, ALL_TYPES, DIR_TYPES, FILE_TYPES, isNormalFlowError, wantBigintFsStats, emptyFn, normalizeFilter, ReaddirpStream;
 var init_esm = __esm({
   "node_modules/readdirp/esm/index.js"() {
     "use strict";
-    import_promises = require("fs/promises");
+    import_promises2 = require("fs/promises");
     import_node_stream = require("stream");
     import_node_path28 = require("path");
     EntryTypes = {
@@ -58320,7 +58320,7 @@ var init_esm = __esm({
         const { root, type } = opts;
         this._fileFilter = normalizeFilter(opts.fileFilter);
         this._directoryFilter = normalizeFilter(opts.directoryFilter);
-        const statMethod = opts.lstat ? import_promises.lstat : import_promises.stat;
+        const statMethod = opts.lstat ? import_promises2.lstat : import_promises2.stat;
         if (wantBigintFsStats) {
           this._stat = (path) => statMethod(path, { bigint: true });
         } else {
@@ -58391,7 +58391,7 @@ var init_esm = __esm({
       async _exploreDir(path, depth) {
         let files;
         try {
-          files = await (0, import_promises.readdir)(path, this._rdOptions);
+          files = await (0, import_promises2.readdir)(path, this._rdOptions);
         } catch (error) {
           this._onError(error);
         }
@@ -58429,8 +58429,8 @@ var init_esm = __esm({
         if (stats && stats.isSymbolicLink()) {
           const full = entry.fullPath;
           try {
-            const entryRealPath = await (0, import_promises.realpath)(full);
-            const entryRealPathStats = await (0, import_promises.lstat)(entryRealPath);
+            const entryRealPath = await (0, import_promises2.realpath)(full);
+            const entryRealPathStats = await (0, import_promises2.lstat)(entryRealPath);
             if (entryRealPathStats.isFile()) {
               return "file";
             }
@@ -58475,12 +58475,12 @@ function createFsWatchInstance(path, options, listener, errHandler, emitRaw) {
     return void 0;
   }
 }
-var import_fs25, import_promises2, sysPath, import_os, STR_DATA, STR_END, STR_CLOSE, EMPTY_FN, pl, isWindows2, isMacos, isLinux, isFreeBSD, isIBMi, EVENTS, EV, THROTTLE_MODE_WATCH, statMethods, KEY_LISTENERS, KEY_ERR, KEY_RAW, HANDLER_KEYS, binaryExtensions, isBinaryPath, foreach, addAndConvert, clearItem, delFromSet, isEmptySet, FsWatchInstances, fsWatchBroadcast, setFsWatchListener, FsWatchFileInstances, setFsWatchFileListener, NodeFsHandler;
+var import_fs25, import_promises3, sysPath, import_os, STR_DATA, STR_END, STR_CLOSE, EMPTY_FN, pl, isWindows2, isMacos, isLinux, isFreeBSD, isIBMi, EVENTS, EV, THROTTLE_MODE_WATCH, statMethods, KEY_LISTENERS, KEY_ERR, KEY_RAW, HANDLER_KEYS, binaryExtensions, isBinaryPath, foreach, addAndConvert, clearItem, delFromSet, isEmptySet, FsWatchInstances, fsWatchBroadcast, setFsWatchListener, FsWatchFileInstances, setFsWatchFileListener, NodeFsHandler;
 var init_handler = __esm({
   "node_modules/chokidar/esm/handler.js"() {
     "use strict";
     import_fs25 = require("fs");
-    import_promises2 = require("fs/promises");
+    import_promises3 = require("fs/promises");
     sysPath = __toESM(require("path"), 1);
     import_os = require("os");
     STR_DATA = "data";
@@ -58507,7 +58507,7 @@ var init_handler = __esm({
     };
     EV = EVENTS;
     THROTTLE_MODE_WATCH = "watch";
-    statMethods = { lstat: import_promises2.lstat, stat: import_promises2.stat };
+    statMethods = { lstat: import_promises3.lstat, stat: import_promises3.stat };
     KEY_LISTENERS = "listeners";
     KEY_ERR = "errHandlers";
     KEY_RAW = "rawEmitters";
@@ -58847,7 +58847,7 @@ var init_handler = __esm({
             cont.watcherUnusable = true;
           if (isWindows2 && error.code === "EPERM") {
             try {
-              const fd = await (0, import_promises2.open)(path, "r");
+              const fd = await (0, import_promises3.open)(path, "r");
               await fd.close();
               broadcastErr(error);
             } catch (err) {
@@ -58976,7 +58976,7 @@ var init_handler = __esm({
             return;
           if (!newStats || newStats.mtimeMs === 0) {
             try {
-              const newStats2 = await (0, import_promises2.stat)(file);
+              const newStats2 = await (0, import_promises3.stat)(file);
               if (this.fsw.closed)
                 return;
               const at = newStats2.atimeMs;
@@ -59031,7 +59031,7 @@ var init_handler = __esm({
           this.fsw._incrReadyCount();
           let linkPath;
           try {
-            linkPath = await (0, import_promises2.realpath)(path);
+            linkPath = await (0, import_promises3.realpath)(path);
           } catch (e) {
             this.fsw._emitReady();
             return true;
@@ -59179,7 +59179,7 @@ var init_handler = __esm({
           let closer;
           if (stats.isDirectory()) {
             const absPath = sysPath.resolve(path);
-            const targetPath = follow ? await (0, import_promises2.realpath)(path) : path;
+            const targetPath = follow ? await (0, import_promises3.realpath)(path) : path;
             if (this.fsw.closed)
               return;
             closer = await this._handleDir(wh.watchPath, stats, initialAdd, depth, target, wh, targetPath);
@@ -59189,7 +59189,7 @@ var init_handler = __esm({
               this.fsw._symlinkPaths.set(absPath, targetPath);
             }
           } else if (stats.isSymbolicLink()) {
-            const targetPath = follow ? await (0, import_promises2.realpath)(path) : path;
+            const targetPath = follow ? await (0, import_promises3.realpath)(path) : path;
             if (this.fsw.closed)
               return;
             const parent = sysPath.dirname(wh.watchPath);
@@ -59296,12 +59296,12 @@ function watch3(paths, options = {}) {
   watcher.add(paths);
   return watcher;
 }
-var import_fs26, import_promises3, import_events4, sysPath2, SLASH, SLASH_SLASH, ONE_DOT, TWO_DOTS, STRING_TYPE, BACK_SLASH_RE, DOUBLE_SLASH_RE, DOT_RE, REPLACER_RE, isMatcherObject, unifyPaths, toUnix, normalizePathToUnix, normalizeIgnored, getAbsolutePath, EMPTY_SET, DirEntry, STAT_METHOD_F, STAT_METHOD_L, WatchHelper, FSWatcher2, esm_default;
+var import_fs26, import_promises4, import_events4, sysPath2, SLASH, SLASH_SLASH, ONE_DOT, TWO_DOTS, STRING_TYPE, BACK_SLASH_RE, DOUBLE_SLASH_RE, DOT_RE, REPLACER_RE, isMatcherObject, unifyPaths, toUnix, normalizePathToUnix, normalizeIgnored, getAbsolutePath, EMPTY_SET, DirEntry, STAT_METHOD_F, STAT_METHOD_L, WatchHelper, FSWatcher2, esm_default;
 var init_esm2 = __esm({
   "node_modules/chokidar/esm/index.js"() {
     "use strict";
     import_fs26 = require("fs");
-    import_promises3 = require("fs/promises");
+    import_promises4 = require("fs/promises");
     import_events4 = require("events");
     sysPath2 = __toESM(require("path"), 1);
     init_esm();
@@ -59374,7 +59374,7 @@ var init_esm2 = __esm({
           return;
         const dir = this.path;
         try {
-          await (0, import_promises3.readdir)(dir);
+          await (0, import_promises4.readdir)(dir);
         } catch (err) {
           if (this._removeWatcher) {
             this._removeWatcher(sysPath2.dirname(dir), sysPath2.basename(dir));
@@ -59699,7 +59699,7 @@ var init_esm2 = __esm({
           const fullPath = opts.cwd ? sysPath2.join(opts.cwd, path) : path;
           let stats2;
           try {
-            stats2 = await (0, import_promises3.stat)(fullPath);
+            stats2 = await (0, import_promises4.stat)(fullPath);
           } catch (err) {
           }
           if (!stats2 || this.closed)
@@ -81590,6 +81590,217 @@ function watch2(paths, options) {
 var import_node_http = require("http");
 var import_node_https = require("https");
 var import_node_net = require("net");
+var import_promises = require("dns/promises");
+var BLOCKED_IPV4_PREFIXES = [
+  "0.",
+  "10.",
+  "100.64.",
+  "100.65.",
+  "100.66.",
+  "100.67.",
+  "100.68.",
+  "100.69.",
+  "100.70.",
+  "100.71.",
+  "100.72.",
+  "100.73.",
+  "100.74.",
+  "100.75.",
+  "100.76.",
+  "100.77.",
+  "100.78.",
+  "100.79.",
+  "100.80.",
+  "100.81.",
+  "100.82.",
+  "100.83.",
+  "100.84.",
+  "100.85.",
+  "100.86.",
+  "100.87.",
+  "100.88.",
+  "100.89.",
+  "100.90.",
+  "100.91.",
+  "100.92.",
+  "100.93.",
+  "100.94.",
+  "100.95.",
+  "100.96.",
+  "100.97.",
+  "100.98.",
+  "100.99.",
+  "100.100.",
+  "100.101.",
+  "100.102.",
+  "100.103.",
+  "100.104.",
+  "100.105.",
+  "100.106.",
+  "100.107.",
+  "100.108.",
+  "100.109.",
+  "100.110.",
+  "100.111.",
+  "100.112.",
+  "100.113.",
+  "100.114.",
+  "100.115.",
+  "100.116.",
+  "100.117.",
+  "100.118.",
+  "100.119.",
+  "100.120.",
+  "100.121.",
+  "100.122.",
+  "100.123.",
+  "100.124.",
+  "100.125.",
+  "100.126.",
+  "100.127.",
+  "127.",
+  "169.254.",
+  "172.16.",
+  "172.17.",
+  "172.18.",
+  "172.19.",
+  "172.20.",
+  "172.21.",
+  "172.22.",
+  "172.23.",
+  "172.24.",
+  "172.25.",
+  "172.26.",
+  "172.27.",
+  "172.28.",
+  "172.29.",
+  "172.30.",
+  "172.31.",
+  "192.0.2.",
+  "192.88.99.",
+  "192.168.",
+  "198.18.",
+  "198.19.",
+  "198.51.100.",
+  "203.0.113.",
+  "224.",
+  "225.",
+  "226.",
+  "227.",
+  "228.",
+  "229.",
+  "230.",
+  "231.",
+  "232.",
+  "233.",
+  "234.",
+  "235.",
+  "236.",
+  "237.",
+  "238.",
+  "239.",
+  "240.",
+  "241.",
+  "242.",
+  "243.",
+  "244.",
+  "245.",
+  "246.",
+  "247.",
+  "248.",
+  "249.",
+  "250.",
+  "251.",
+  "252.",
+  "253.",
+  "254.",
+  "255."
+];
+var ALLOWED_PROXY_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:"]);
+function isBlockedIpv4(hostname) {
+  const octets = hostname.split(".");
+  if (octets.length !== 4) return false;
+  const joined = hostname;
+  return BLOCKED_IPV4_PREFIXES.some((prefix) => joined.startsWith(prefix));
+}
+function isBlockedIpv6(hostname) {
+  const lower = hostname.toLowerCase();
+  if (lower === "::1" || lower === "::" || lower === "0:0:0:0:0:0:0:1" || lower === "0:0:0:0:0:0:0:0") {
+    return true;
+  }
+  const ffffMatch = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
+  if (ffffMatch) {
+    return isBlockedIpv4(ffffMatch[1]);
+  }
+  const compatMatch = lower.match(/^::(\d+\.\d+\.\d+\.\d+)$/);
+  if (compatMatch) {
+    return isBlockedIpv4(compatMatch[1]);
+  }
+  return false;
+}
+function isSafeHostname(hostname) {
+  if (!hostname) return false;
+  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname)) return !isBlockedIpv4(hostname);
+  if (/^\[.*\]$/.test(hostname)) return !isBlockedIpv6(hostname.slice(1, -1));
+  if (hostname.includes(":")) return !isBlockedIpv6(hostname);
+  return true;
+}
+async function safeResolveHostname(hostname) {
+  try {
+    const result2 = await (0, import_promises.lookup)(hostname);
+    const ip = result2.address;
+    if (isBlockedIpv4(ip) || isBlockedIpv6(ip)) {
+      throw new Error(`PM proxy target resolved to a blocked address: ${ip}`);
+    }
+    return ip;
+  } catch (error) {
+    if (error instanceof Error && error.message.includes("blocked address")) {
+      throw error;
+    }
+    throw new Error(`PM proxy failed to resolve target hostname "${hostname}": ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+async function validateProxyTargetUrl(target) {
+  if (!ALLOWED_PROXY_PROTOCOLS.has(target.protocol)) {
+    throw new Error(`PM proxy target protocol "${target.protocol}" is not allowed. Only http: and https: are permitted.`);
+  }
+  const hostname = target.hostname;
+  if (!isSafeHostname(hostname)) {
+    throw new Error(`PM proxy target "${hostname}" resolves to a blocked address and is not allowed.`);
+  }
+  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) && !/^\[.*\]$/.test(hostname)) {
+    await safeResolveHostname(hostname);
+  }
+}
+function sanitizeProxyRequestPath(requestUrl) {
+  if (!requestUrl || requestUrl === "/") return "/";
+  try {
+    const normalizedInput = requestUrl.replace(/\\/g, "/");
+    const parsed = new URL(normalizedInput, "http://placeholder");
+    if (parsed.username || parsed.password || parsed.hostname !== "placeholder" || parsed.port) {
+      return "/";
+    }
+    const pathname = parsed.pathname || "/";
+    let decodedPathname = pathname;
+    try {
+      decodedPathname = decodeURIComponent(pathname);
+    } catch {
+      return "/";
+    }
+    const lowerPath = pathname.toLowerCase();
+    if (lowerPath.includes("%2f") || lowerPath.includes("%5c") || lowerPath.includes("%40") || lowerPath.includes("%00")) {
+      return "/";
+    }
+    const segments = decodedPathname.split("/");
+    if (segments.some((segment) => segment === "." || segment === "..")) {
+      return "/";
+    }
+    const sanitized = pathname + parsed.search;
+    return sanitized.startsWith("/") ? sanitized || "/" : `/${sanitized}`;
+  } catch {
+    return "/";
+  }
+}
 function resolvePmProxyHost(proxy) {
   return proxy.host?.trim() || "0.0.0.0";
 }
@@ -81679,6 +81890,9 @@ async function createPmProxyController(proxy) {
     nextTargetIndex = (nextTargetIndex + 1) % targets.length;
     return target;
   };
+  const validateTarget = async (target) => {
+    await validateProxyTargetUrl(target);
+  };
   const server = (0, import_node_http.createServer)((req, res) => {
     const target = pickTarget();
     if (!target) {
@@ -81686,29 +81900,45 @@ async function createPmProxyController(proxy) {
       res.end("PM proxy target is not ready.");
       return;
     }
+    const sanitizedPath = sanitizeProxyRequestPath(req.url || "/");
     const requestLib = target.protocol === "https:" ? import_node_https.request : import_node_http.request;
-    const targetUrl = new URL(req.url || "/", target);
     const headers = buildPmProxyHeaders(req.headers, target.host);
-    const proxyReq = requestLib(targetUrl, {
-      method: req.method,
-      headers
-    }, (proxyRes) => {
-      const outgoingHeaders = {};
-      for (const [key, value] of Object.entries(proxyRes.headers)) {
-        if (value !== void 0) {
-          outgoingHeaders[key] = value;
+    if (!ALLOWED_PROXY_PROTOCOLS.has(target.protocol)) {
+      res.statusCode = 400;
+      res.end("PM proxy rejected unsafe target protocol.");
+      return;
+    }
+    validateTarget(target).then(() => {
+      const proxyReq = requestLib({
+        protocol: target.protocol,
+        hostname: target.hostname,
+        port: target.port || void 0,
+        path: sanitizedPath,
+        method: req.method,
+        headers
+      }, (proxyRes) => {
+        const outgoingHeaders = {};
+        for (const [key, value] of Object.entries(proxyRes.headers)) {
+          if (value !== void 0) {
+            outgoingHeaders[key] = value;
+          }
         }
-      }
-      res.writeHead(proxyRes.statusCode || 200, outgoingHeaders);
-      proxyRes.pipe(res);
-    });
-    proxyReq.on("error", (error) => {
+        res.writeHead(proxyRes.statusCode || 200, outgoingHeaders);
+        proxyRes.pipe(res);
+      });
+      proxyReq.on("error", (error) => {
+        if (!res.headersSent) {
+          res.statusCode = 502;
+        }
+        res.end(`PM proxy error: ${error.message}`);
+      });
+      req.pipe(proxyReq);
+    }).catch((error) => {
       if (!res.headersSent) {
-        res.statusCode = 502;
+        res.statusCode = 403;
       }
-      res.end(`PM proxy error: ${error.message}`);
+      res.end(`PM proxy blocked target: ${error instanceof Error ? error.message : String(error)}`);
     });
-    req.pipe(proxyReq);
   });
   server.on("upgrade", (req, socket, head) => {
     const target = pickTarget();
@@ -81720,38 +81950,56 @@ async function createPmProxyController(proxy) {
       socket.destroy();
       return;
     }
+    const sanitizedPath = sanitizeProxyRequestPath(req.url || "/");
     const requestLib = target.protocol === "https:" ? import_node_https.request : import_node_http.request;
-    const targetUrl = new URL(req.url || "/", target);
-    const proxyReq = requestLib(targetUrl, {
-      method: req.method,
-      headers: buildPmProxyHeaders(req.headers, target.host)
-    });
-    proxyReq.on("upgrade", (proxyRes, proxySocket, proxyHead) => {
-      writeRawHttpResponse(socket, proxyRes.statusCode || 101, proxyRes.statusMessage || "Switching Protocols", proxyRes.headers);
-      if (head.length > 0) {
-        proxySocket.write(head);
-      }
-      if (proxyHead.length > 0) {
-        socket.write(proxyHead);
-      }
-      socket.on("error", () => proxySocket.destroy());
-      proxySocket.on("error", () => socket.destroy());
-      proxySocket.pipe(socket);
-      socket.pipe(proxySocket);
-    });
-    proxyReq.on("response", (proxyRes) => {
-      writeRawHttpResponse(socket, proxyRes.statusCode || 502, proxyRes.statusMessage || "Bad Gateway", proxyRes.headers);
-      proxyRes.pipe(socket);
-    });
-    proxyReq.on("error", (error) => {
-      writeRawHttpResponse(socket, 502, "Bad Gateway", {
+    const targetUrl = new URL(sanitizedPath, target);
+    if (targetUrl.hostname !== target.hostname || targetUrl.port !== target.port || !ALLOWED_PROXY_PROTOCOLS.has(targetUrl.protocol)) {
+      writeRawHttpResponse(socket, 400, "Bad Request", {
+        connection: "close",
+        "content-length": 0
+      });
+      socket.destroy();
+      return;
+    }
+    validateTarget(target).then(() => {
+      const proxyReq = requestLib(targetUrl, {
+        method: req.method,
+        headers: buildPmProxyHeaders(req.headers, target.host)
+      });
+      proxyReq.on("upgrade", (proxyRes, proxySocket, proxyHead) => {
+        writeRawHttpResponse(socket, proxyRes.statusCode || 101, proxyRes.statusMessage || "Switching Protocols", proxyRes.headers);
+        if (head.length > 0) {
+          proxySocket.write(head);
+        }
+        if (proxyHead.length > 0) {
+          socket.write(proxyHead);
+        }
+        socket.on("error", () => proxySocket.destroy());
+        proxySocket.on("error", () => socket.destroy());
+        proxySocket.pipe(socket);
+        socket.pipe(proxySocket);
+      });
+      proxyReq.on("response", (proxyRes) => {
+        writeRawHttpResponse(socket, proxyRes.statusCode || 502, proxyRes.statusMessage || "Bad Gateway", proxyRes.headers);
+        proxyRes.pipe(socket);
+      });
+      proxyReq.on("error", (error) => {
+        writeRawHttpResponse(socket, 502, "Bad Gateway", {
+          connection: "close",
+          "content-type": "text/plain; charset=utf-8",
+          "content-length": Buffer.byteLength(`PM proxy error: ${error.message}`)
+        });
+        socket.end(`PM proxy error: ${error.message}`);
+      });
+      proxyReq.end();
+    }).catch((error) => {
+      writeRawHttpResponse(socket, 403, "Forbidden", {
         connection: "close",
         "content-type": "text/plain; charset=utf-8",
-        "content-length": Buffer.byteLength(`PM proxy error: ${error.message}`)
+        "content-length": Buffer.byteLength(`PM proxy blocked target: ${error instanceof Error ? error.message : String(error)}`)
       });
-      socket.end(`PM proxy error: ${error.message}`);
+      socket.end(`PM proxy blocked target: ${error instanceof Error ? error.message : String(error)}`);
     });
-    proxyReq.end();
   });
   await new Promise((resolve26, reject) => {
     server.once("error", reject);
@@ -81759,10 +82007,25 @@ async function createPmProxyController(proxy) {
   });
   return {
     setTarget(targetUrl) {
-      setResolvedTargets(targetUrl ? [new URL(targetUrl)] : []);
+      if (targetUrl) {
+        const parsed = new URL(targetUrl);
+        validateProxyTargetUrl(parsed).then(() => {
+          setResolvedTargets([parsed]);
+        }).catch((error) => {
+          console.error(`[PM proxy] Blocked setTarget: ${error instanceof Error ? error.message : String(error)}`);
+          setResolvedTargets([]);
+        });
+      } else {
+        setResolvedTargets([]);
+      }
     },
     setTargets(targetUrls) {
-      setResolvedTargets(targetUrls.map((targetUrl) => new URL(targetUrl)));
+      Promise.all(targetUrls.map((url) => validateProxyTargetUrl(new URL(url)))).then(() => {
+        setResolvedTargets(targetUrls.map((targetUrl) => new URL(targetUrl)));
+      }).catch((error) => {
+        console.error(`[PM proxy] Blocked setTargets: ${error instanceof Error ? error.message : String(error)}`);
+        setResolvedTargets([]);
+      });
     },
     close() {
       return new Promise((resolve26, reject) => {
@@ -86181,7 +86444,7 @@ function parsePreviewArgs(args) {
 // package.json
 var package_default = {
   name: "elit",
-  version: "3.6.8",
+  version: "3.6.9",
   description: "Optimized lightweight library for creating DOM elements with reactive state",
   main: "dist/index.js",
   module: "dist/index.mjs",