fullstackgtm 0.25.0 → 0.25.2

package/src/market.ts

@@ -1,5 +1,7 @@
 import { createHash } from "node:crypto";
+import { lookup } from "node:dns/promises";
 import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs";
+import { isIP } from "node:net";
 import { join } from "node:path";
 import { credentialsDir } from "./credentials.ts";
 import type { GtmEvidence } from "./types.ts";
@@ -309,15 +311,129 @@ export function extractReadableText(html: string): string {
 
 export type FetchPage = (url: string) => Promise<{ status: number; body: string }>;
 
+/**
+ * SSRF guard. market.config.json URLs are operator-authored, but configs are
+ * shared/templated in consulting/team use and `market capture|refresh` is on
+ * the cron allowlist — an unguarded fetch is an unattended internal-network
+ * and cloud-metadata probe. We therefore (1) allow only http/https, (2) refuse
+ * any host that is or resolves to a private/loopback/link-local/metadata
+ * address, and (3) follow redirects manually, re-validating each hop.
+ *
+ * Residual gap (documented, not defended here): TOCTOU DNS rebinding between
+ * our lookup and fetch's own resolution. Out of scope for fetching public
+ * competitor pages; a hardened deployment should fetch through an egress proxy.
+ */
+const MAX_REDIRECTS = 5;
+const FETCH_TIMEOUT_MS = 15_000;
+const MAX_BODY_BYTES = 5_000_000;
+
+function ipv4IsPrivate(ip: string): boolean {
+  const parts = ip.split(".").map((n) => Number(n));
+  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return true;
+  const [a, b] = parts;
+  if (a === 0 || a === 127) return true; // this-host, loopback
+  if (a === 10) return true; // private
+  if (a === 172 && b >= 16 && b <= 31) return true; // private
+  if (a === 192 && b === 168) return true; // private
+  if (a === 169 && b === 254) return true; // link-local incl. 169.254.169.254 metadata
+  if (a === 100 && b >= 64 && b <= 127) return true; // CGNAT
+  if (a >= 224) return true; // multicast / reserved
+  return false;
+}
+
+function ipIsPrivate(ip: string): boolean {
+  const family = isIP(ip);
+  if (family === 4) return ipv4IsPrivate(ip);
+  if (family === 6) {
+    const lower = ip.toLowerCase();
+    if (lower === "::1" || lower === "::") return true; // loopback / unspecified
+    // IPv4-mapped (::ffff:…) — Node normalizes ::ffff:127.0.0.1 to ::ffff:7f00:1,
+    // so accept both the dotted and the hex-pair forms, unwrap, check the v4.
+    const mapped = lower.match(/^::ffff:(.+)$/);
+    if (mapped) {
+      const rest = mapped[1];
+      if (rest.includes(".")) return ipv4IsPrivate(rest);
+      const groups = rest.split(":");
+      if (groups.length === 2) {
+        const hi = parseInt(groups[0], 16);
+        const lo = parseInt(groups[1], 16);
+        if (Number.isNaN(hi) || Number.isNaN(lo)) return true;
+        return ipv4IsPrivate(`${(hi >> 8) & 0xff}.${hi & 0xff}.${(lo >> 8) & 0xff}.${lo & 0xff}`);
+      }
+      return true; // unrecognized mapped form → refuse
+    }
+    if (lower.startsWith("fe8") || lower.startsWith("fe9") || lower.startsWith("fea") || lower.startsWith("feb")) return true; // link-local fe80::/10
+    if (lower.startsWith("fc") || lower.startsWith("fd")) return true; // unique-local fc00::/7
+    return false;
+  }
+  return true; // not a recognizable IP literal → refuse
+}
+
+export async function assertPublicUrl(rawUrl: string): Promise<URL> {
+  let url: URL;
+  try {
+    url = new URL(rawUrl);
+  } catch {
+    throw new Error(`market capture: "${rawUrl}" is not a valid URL.`);
+  }
+  if (url.protocol !== "http:" && url.protocol !== "https:") {
+    throw new Error(`market capture refuses ${url.protocol} URLs (only http/https): ${rawUrl}`);
+  }
+  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
+  if (isIP(host)) {
+    if (ipIsPrivate(host)) throw new Error(`market capture refuses private/loopback address ${host} (SSRF guard).`);
+    return url;
+  }
+  // Hostname: resolve and refuse if ANY address is private.
+  const addrs = await lookup(host, { all: true });
+  for (const { address } of addrs) {
+    if (ipIsPrivate(address)) {
+      throw new Error(`market capture refuses ${host} — it resolves to private/internal address ${address} (SSRF guard).`);
+    }
+  }
+  return url;
+}
+
 const defaultFetchPage: FetchPage = async (url) => {
-  const response = await fetch(url, {
-    headers: {
-      "User-Agent": "fullstackgtm-market/0 (+https://github.com/fullstackgtm/core)",
-      "Accept-Language": "en-US",
-    },
-    redirect: "follow",
-  });
-  return { status: response.status, body: await response.text() };
+  let current = url;
+  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
+    await assertPublicUrl(current);
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+    let response: Response;
+    try {
+      response = await fetch(current, {
+        headers: {
+          "User-Agent": "fullstackgtm-market/0 (+https://github.com/fullstackgtm/core)",
+          "Accept-Language": "en-US",
+        },
+        redirect: "manual",
+        signal: controller.signal,
+      });
+    } finally {
+      clearTimeout(timer);
+    }
+    if (response.status >= 300 && response.status < 400 && response.headers.get("location")) {
+      current = new URL(response.headers.get("location") as string, current).toString();
+      continue; // re-validate the redirect target on the next iteration
+    }
+    const reader = response.body?.getReader();
+    if (!reader) return { status: response.status, body: await response.text() };
+    const chunks: Uint8Array[] = [];
+    let total = 0;
+    for (;;) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      total += value.length;
+      if (total > MAX_BODY_BYTES) {
+        await reader.cancel();
+        break;
+      }
+      chunks.push(value);
+    }
+    return { status: response.status, body: Buffer.concat(chunks).toString("utf8") };
+  }
+  throw new Error(`market capture: too many redirects (>${MAX_REDIRECTS}) for ${url}`);
 };
 
 export type CaptureOptions = {
@@ -478,6 +594,11 @@ export function validateObservationSet(config: MarketConfig, set: ObservationSet
     if (!INTENSITY_RANK[obs.intensity] && obs.intensity !== "unobservable") {
       problems.push(`${cell}: invalid intensity "${obs.intensity}"`);
     }
+    // confidence is rendered into the HTML report; only the enum is allowed, so
+    // an `observe --from` file can't smuggle markup through a free-text value.
+    if (obs.confidence !== "high" && obs.confidence !== "medium" && obs.confidence !== "low") {
+      problems.push(`${cell}: invalid confidence "${String(obs.confidence)}" (expected high, medium, or low)`);
+    }
     if ((obs.intensity === "loud" || obs.intensity === "quiet") && obs.evidence.length === 0) {
       problems.push(`${cell}: ${obs.intensity} reading with no quoted evidence`);
     }

package/src/marketReport.ts

@@ -40,6 +40,23 @@ function escapeHtml(value: string): string {
     .replace(/"/g, """);
 }
 
+/**
+ * Serialize JSON for embedding inside an inline <script> block. JSON.stringify
+ * does not escape `<`, `>`, `&`, or the U+2028/U+2029 line separators, so a
+ * vendor name containing `</script>` (these are untrusted, competitor-authored
+ * strings) would close the tag and inject markup. Replacing them with their
+ * \uXXXX escapes keeps the parsed value identical while making the breakout
+ * sequence unrepresentable in the HTML source.
+ */
+export function safeJsonForScript(value: unknown): string {
+  return JSON.stringify(value)
+    .replace(/</g, "\\u003c")
+    .replace(/>/g, "\\u003e")
+    .replace(/&/g, "\\u0026")
+    .replace(/\u2028/g, "\\u2028")
+    .replace(/\u2029/g, "\\u2029");
+}
+
 type MapModel = {
   config: MarketConfig;
   set: ObservationSet;
@@ -374,7 +391,7 @@ function axisSectionsHtml(
       <table class="legend"><thead><tr><th></th><th>vendor</th><th class="num">${legendMeasureHead}</th></tr></thead><tbody>${legendRows}</tbody></table>
     </div>
     <div class="map-tip" id="map-tip" hidden></div>
-    <script type="application/json" id="map-data">${JSON.stringify(tipData)}</script>
+    <script type="application/json" id="map-data">${safeJsonForScript(tipData)}</script>
     <script>
     (function () {
       var data = JSON.parse(document.getElementById("map-data").textContent);
@@ -385,7 +402,16 @@ function axisSectionsHtml(
       function show(v, evt) {
         var d = data[v];
         if (!d) return;
-        tip.innerHTML = "<b>" + d.n + " · " + d.name + "</b>" + d.lines.map(function (l) { return "<div>" + l + "</div>"; }).join("");
+        // textContent only — vendor names / axis labels are untrusted (competitor-controlled).
+        tip.textContent = "";
+        var head = document.createElement("b");
+        head.textContent = d.n + " · " + d.name;
+        tip.appendChild(head);
+        d.lines.forEach(function (l) {
+          var div = document.createElement("div");
+          div.textContent = l;
+          tip.appendChild(div);
+        });
         tip.hidden = false;
         var box = fig.getBoundingClientRect();
         tip.style.left = Math.min(evt.clientX - box.left + 14, box.width - tip.offsetWidth - 8) + "px";
@@ -481,7 +507,7 @@ export function marketMapToHtml(config: MarketConfig, set: ObservationSet): stri
     const anchorLoud = anchor
       ? claimIds.filter((claimId) => model.cell(anchor, claimId)?.intensity === "loud").length
       : 0;
-    const anchorNote = anchor ? ` · ${vendorNamesById.get(anchor) ?? anchor} loud on ${anchorLoud}` : "";
+    const anchorNote = anchor ? ` · ${e(vendorNamesById.get(anchor) ?? anchor)} loud on ${anchorLoud}` : "";
     return `<details class="claim-group"><summary><b>${e(group.title)}</b> — ${claimIds.length} claim${claimIds.length === 1 ? "" : "s"} <span class="sum-soft">(${e(group.blurb)}${anchorNote})</span></summary>
       <table><thead><tr><th></th>${vendorHeads}<th></th></tr></thead><tbody>${claimIds.map(matrixRow).join("")}</tbody></table>
     </details>`;
@@ -543,7 +569,7 @@ export function marketMapToHtml(config: MarketConfig, set: ObservationSet): stri
         if (!obs || obs.evidence.length === 0) return [];
         return obs.evidence.map(
           (evidence) =>
-            `<div class="ev"><span class="ev-head">${e(claimId)} · ${obs.intensity.toUpperCase()} (${obs.confidence})</span>` +
+            `<div class="ev"><span class="ev-head">${e(claimId)} · ${e(obs.intensity.toUpperCase())} (${e(String(obs.confidence ?? ""))})</span>` +
             `<blockquote>“${e(evidence.text)}”</blockquote>` +
             `<span class="ev-src">${e(String(evidence.metadata?.url ?? ""))} · capture ${e(String(evidence.metadata?.captureHash ?? "").slice(0, 12))}</span></div>`,
         );

package/src/schedule.ts

@@ -145,6 +145,75 @@ export function validateSchedulableArgv(argv: string[]): void {
   }
 }
 
+/**
+ * A schedule label is free text the operator chooses, but it is later
+ * interpolated into a crontab comment line by `renderManagedBlock`. A newline
+ * (or carriage return) would break out of the comment and inject an arbitrary
+ * crontab entry on `schedule install`. Reject control characters at the entry
+ * point so a label can never carry a second line; `renderManagedBlock` also
+ * strips them defensively in case a hand-edited schedules.json slips one past.
+ */
+export function assertSingleLineLabel(label: string): void {
+  if (hasControlChar(label)) {
+    throw new Error(
+      "A schedule --label cannot contain newlines or control characters " +
+        "(they would inject lines into the managed crontab block). Use a plain single-line name.",
+    );
+  }
+}
+
+/**
+ * True if the string contains any line-breaking or control character. Covers
+ * C0 controls + DEL, plus the Unicode separators a non-cron parser might honor
+ * (NEL U+0085, LS U+2028, PS U+2029, VT U+000B, FF U+000C) — defense-in-depth
+ * for the future modal/aws scaffold renderers whose target formats may treat
+ * those as line breaks.
+ */
+export function hasControlChar(value: string): boolean {
+  for (let i = 0; i < value.length; i++) {
+    const code = value.charCodeAt(i);
+    if (code < 0x20 || code === 0x7f || code === 0x85 || code === 0x2028 || code === 0x2029) return true;
+  }
+  return false;
+}
+
+/** Collapse any control/separator character to a space — last-resort guard at render time. */
+function sanitizeCrontabComment(value: string): string {
+  let out = "";
+  for (const ch of value) {
+    const code = ch.charCodeAt(0);
+    out += code < 0x20 || code === 0x7f || code === 0x85 || code === 0x2028 || code === 0x2029 ? " " : ch;
+  }
+  return out.replace(/ {2,}/g, " ").trim();
+}
+
+/**
+ * Validate every field of an entry that `renderManagedBlock` interpolates into
+ * the crontab — not just the label. The EXECUTABLE line embeds `cron` and `id`
+ * raw, and `schedule install` renders entries straight from schedules.json, so
+ * a hand-edited (or otherwise tampered) entry with a newline in cron/id/profile
+ * would inject a live crontab line. Refuse to render a tampered entry rather
+ * than emit it. (Well-formed entries never trip this: cron is parser-validated,
+ * id is an fnv1a hex hash, label is guarded at add-time.)
+ */
+function assertRenderableEntry(profile: string, entry: ScheduleEntry): void {
+  const fields: Array<[string, string]> = [
+    ["profile", profile],
+    ["cron", entry.cron],
+    ["id", entry.id],
+    ["label", entry.label],
+    ...entry.argv.map((token, i) => [`argv[${i}]`, token] as [string, string]),
+  ];
+  for (const [name, value] of fields) {
+    if (hasControlChar(value)) {
+      throw new Error(
+        `Refusing to render schedule entry ${entry.id}: its ${name} contains a newline or control character. ` +
+          "The schedules.json store has been tampered with or corrupted — repair it before installing.",
+      );
+    }
+  }
+}
+
 /**
  * Split a `schedule add "<command>"` string into argv, honoring single and
  * double quotes (no escapes, no expansion — this is tokenization, not shell).
@@ -206,7 +275,13 @@ const CRON_FIELD_SPECS = [
 ] as const;
 
 export function parseCron(expression: string): CronExpression {
-  const fields = expression.trim().split(/\s+/);
+  // Reject non-ASCII whitespace and control chars: JS \s splits on U+00A0,
+  // U+3000, etc., but Vixie cron's field separator is only space/tab. A source
+  // carrying them would parse here yet be misparsed or rejected by `crontab -`.
+  if (hasControlChar(expression) || /[^\x20-\x7e]/.test(expression)) {
+    throw new Error(`Invalid cron expression "${expression}": only ASCII characters, space, and tab are allowed.`);
+  }
+  const fields = expression.trim().split(/[ \t]+/);
   if (fields.length !== 5) {
     throw new Error(
       `Invalid cron expression "${expression}": expected 5 fields ` +
@@ -559,13 +634,28 @@ export function renderManagedBlock(
   entries: ScheduleEntry[],
   cliInvocation: string,
 ): string {
+  // cliInvocation is spliced raw into the executable line; it is built from
+  // process.execPath, the script path, and FSGTM_HOME (cli.ts), so a newline in
+  // FSGTM_HOME would inject a crontab line. Validate it like the entry fields —
+  // single-quote shell-escaping does NOT defend cron's line parser.
+  if (hasControlChar(cliInvocation)) {
+    throw new Error(
+      "Refusing to render the managed crontab: the resolved CLI invocation (node path, script path, " +
+        "or FSGTM_HOME) contains a newline or control character. Check $FSGTM_HOME.",
+    );
+  }
   const { open, close } = crontabSentinels(profile);
   const lines = [
     open,
     "# Managed by `fullstackgtm schedule install` — replaced wholesale on re-install; do not edit.",
   ];
   for (const entry of entries) {
-    lines.push(`# ${entry.label} (${entry.id}): ${entry.argv.join(" ")}`);
+    // Refuse to render any entry whose interpolated fields carry a control char
+    // — the executable line below embeds cron/id raw, so a tampered store could
+    // otherwise inject a live crontab line. The comment line is additionally
+    // sanitized so a benign-but-messy label can't break it.
+    assertRenderableEntry(profile, entry);
+    lines.push(sanitizeCrontabComment(`# ${entry.label} (${entry.id}): ${entry.argv.join(" ")}`));
     lines.push(`${entry.cron} ${cliInvocation} schedule run ${entry.id} --profile ${profile} --trigger cron`);
   }
   lines.push(close);