git-watchtower 1.10.17 → 1.10.19

package/bin/git-watchtower.js

@@ -368,6 +368,14 @@ const cliArgs = parseCliArgs(process.argv.slice(2), {
   onHelp: (v) => { console.log(getHelpText(v)); process.exit(0); },
 });
 
+if (cliArgs.errors.length > 0) {
+  for (const err of cliArgs.errors) {
+    console.error(`Error: ${err}`);
+  }
+  console.error('\nRun git-watchtower --help for usage information.');
+  process.exit(1);
+}
+
 // Configuration - these will be set after config is loaded
 let SERVER_MODE = 'static';      // 'static' | 'command' | 'none'
 let NO_SERVER = false;            // Derived from SERVER_MODE === 'none'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "git-watchtower",
-  "version": "1.10.17",
+  "version": "1.10.19",
   "description": "Terminal-based Git branch monitor with activity sparklines and optional dev server with live reload",
   "main": "bin/git-watchtower.js",
   "bin": {

package/src/cli/args.js

@@ -22,6 +22,7 @@ const { version: PACKAGE_VERSION } = require('../../package.json');
  * @property {boolean} casino - Enable casino mode
  * @property {boolean} web - Enable web dashboard mode
  * @property {number|null} webPort - Web dashboard port override
+ * @property {string[]} errors - Validation errors encountered during parsing
  */
 
 /**
@@ -55,6 +56,8 @@ function parseArgs(argv, options = {}) {
     // Actions
     init: false,
     casino: false,
+    // Parsing errors
+    errors: [],
   };
 
   for (let i = 0; i < args.length; i++) {
@@ -63,21 +66,33 @@ function parseArgs(argv, options = {}) {
       const mode = args[i + 1];
       if (['static', 'command', 'none'].includes(mode)) {
         result.mode = mode;
+      } else {
+        result.errors.push(`Invalid value for ${args[i]}: "${mode || ''}" (expected: static, command, none)`);
       }
       i++;
     } else if (args[i] === '--port' || args[i] === '-p') {
       const portValue = parseInt(args[i + 1], 10);
       if (!isNaN(portValue) && portValue > 0 && portValue < 65536) {
         result.port = portValue;
+      } else {
+        result.errors.push(`Invalid value for ${args[i]}: "${args[i + 1] || ''}" (expected: port number 1-65535)`);
       }
       i++;
     } else if (args[i] === '--no-server' || args[i] === '-n') {
       result.noServer = true;
     } else if (args[i] === '--static-dir') {
-      result.staticDir = args[i + 1];
+      if (args[i + 1] && !args[i + 1].startsWith('-')) {
+        result.staticDir = args[i + 1];
+      } else {
+        result.errors.push(`Missing value for ${args[i]}`);
+      }
       i++;
     } else if (args[i] === '--command' || args[i] === '-c') {
-      result.command = args[i + 1];
+      if (args[i + 1] !== undefined) {
+        result.command = args[i + 1];
+      } else {
+        result.errors.push(`Missing value for ${args[i]}`);
+      }
       i++;
     } else if (args[i] === '--restart-on-switch') {
       result.restartOnSwitch = true;
@@ -86,7 +101,11 @@ function parseArgs(argv, options = {}) {
     }
     // Git settings
     else if (args[i] === '--remote' || args[i] === '-r') {
-      result.remote = args[i + 1];
+      if (args[i + 1] && !args[i + 1].startsWith('-')) {
+        result.remote = args[i + 1];
+      } else {
+        result.errors.push(`Missing value for ${args[i]}`);
+      }
       i++;
     } else if (args[i] === '--auto-pull') {
       result.autoPull = true;
@@ -96,6 +115,8 @@ function parseArgs(argv, options = {}) {
       const interval = parseInt(args[i + 1], 10);
       if (!isNaN(interval) && interval > 0) {
         result.pollInterval = interval;
+      } else {
+        result.errors.push(`Invalid value for ${args[i]}: "${args[i + 1] || ''}" (expected: positive integer in ms)`);
       }
       i++;
     }
@@ -108,6 +129,8 @@ function parseArgs(argv, options = {}) {
       const count = parseInt(args[i + 1], 10);
       if (!isNaN(count) && count > 0) {
         result.visibleBranches = count;
+      } else {
+        result.errors.push(`Invalid value for ${args[i]}: "${args[i + 1] || ''}" (expected: positive integer)`);
       }
       i++;
     } else if (args[i] === '--casino') {
@@ -120,6 +143,8 @@ function parseArgs(argv, options = {}) {
       const webPortValue = parseInt(args[i + 1], 10);
       if (!isNaN(webPortValue) && webPortValue > 0 && webPortValue < 65536) {
         result.webPort = webPortValue;
+      } else {
+        result.errors.push(`Invalid value for ${args[i]}: "${args[i + 1] || ''}" (expected: port number 1-65535)`);
       }
       i++;
     }
@@ -135,6 +160,10 @@ function parseArgs(argv, options = {}) {
         options.onHelp(PACKAGE_VERSION);
       }
     }
+    // Unknown flag
+    else if (args[i].startsWith('-')) {
+      result.errors.push(`Unknown option: ${args[i]}`);
+    }
   }
   return result;
 }

package/src/server/coordinator.js

@@ -26,6 +26,13 @@ const crypto = require('crypto');
  */
 const WATCHTOWER_DIR = path.join(os.homedir(), '.watchtower');
 
+/**
+ * Maximum IPC receive buffer size (1 MiB). Connections that exceed
+ * this without a complete newline-delimited message are dropped to
+ * prevent unbounded memory growth from malformed or malicious peers.
+ */
+const MAX_IPC_BUFFER = 1024 * 1024;
+
 /**
  * Lock file path
  */
@@ -268,6 +275,10 @@ class Coordinator {
 
     socket.on('data', (data) => {
       buffer += data.toString();
+      if (buffer.length > MAX_IPC_BUFFER) {
+        socket.destroy();
+        return;
+      }
       let newlineIdx;
       while ((newlineIdx = buffer.indexOf('\n')) !== -1) {
         const line = buffer.slice(0, newlineIdx);
@@ -413,6 +424,10 @@ class Worker {
 
       this.socket.on('data', (data) => {
         this._buffer += data.toString();
+        if (this._buffer.length > MAX_IPC_BUFFER) {
+          this.socket.destroy();
+          return;
+        }
         let idx;
         while ((idx = this._buffer.indexOf('\n')) !== -1) {
           const line = this._buffer.slice(0, idx);