npm - git-watchtower - Versions diffs - 1.14.16 → 1.14.17 - Mend

git-watchtower 1.14.16 → 1.14.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/bin/git-watchtower.js CHANGED Viewed

@@ -842,7 +842,7 @@ const { parseDiffStats, stash: gitStash, stashPop: gitStashPop } = require('../s
 // Server process command parsing and static server utilities
 const { parseCommand } = require('../src/server/process');
-const { getMimeType, injectLiveReload } = require('../src/server/static');
+const { getMimeType, injectLiveReload, resolveStaticPath } = require('../src/server/static');
 // State (non-store globals)
 let previousBranchStates = new Map(); // branch name -> commit hash
@@ -2225,52 +2225,67 @@ function createStaticServer() {
   }
   pathname = path.normalize(pathname).replace(/^(\.\.[\/\\])+/, '');
-  let filePath = path.join(STATIC_DIR, pathname);
+  const candidate = path.join(STATIC_DIR, pathname);
-  // Security: ensure resolved path stays within STATIC_DIR to prevent path traversal.
-  // Use realpath to follow symlinks — without this, a symlink inside STATIC_DIR
-  // pointing outside would bypass the startsWith check.
-  const resolvedStaticDir = path.resolve(STATIC_DIR);
-  let resolvedPath = path.resolve(filePath);
-  try {
-    resolvedPath = fs.realpathSync(resolvedPath);
-  } catch {
-    // File doesn't exist — path.resolve is sufficient since there's no symlink to follow.
-  }
+  // Realpath the static root once per request. A failure here means the
+  // install is broken (missing dir, bad permissions) — fall back to the
+  // resolved-but-not-realpath'd form so the request still gets a 403
+  // from resolveStaticPath rather than crashing.
   let realStaticDir;
   try {
-    realStaticDir = fs.realpathSync(resolvedStaticDir);
+    realStaticDir = fs.realpathSync(path.resolve(STATIC_DIR));
   } catch (e) {
-    // STATIC_DIR comes from our own package layout, so a realpath failure
-    // means the install is broken (missing dir, permissions, etc.) — worth
-    // diagnosing. Fall back to the unresolved path so the request still
-    // gets its 403 rather than crashing.
     telemetry.captureError(e);
-    realStaticDir = resolvedStaticDir;
+    realStaticDir = path.resolve(STATIC_DIR);
   }
-  if (!resolvedPath.startsWith(realStaticDir + path.sep) && resolvedPath !== realStaticDir) {
+  const send403 = () => {
     res.writeHead(403, { 'Content-Type': 'text/html' });
     res.end('<h1>403 Forbidden</h1>');
     addServerLog(`GET ${logPath} → 403 (path traversal blocked)`, true);
-    return;
-  }
+  };
-  if (fs.existsSync(filePath) && fs.statSync(filePath).isDirectory()) {
-    filePath = path.join(filePath, 'index.html');
-  }
+  const send404 = () => {
+    res.writeHead(404, { 'Content-Type': 'text/html' });
+    res.end('<h1>404 Not Found</h1>');
+    addServerLog(`GET ${logPath} → 404`, true);
+  };
-  if (!fs.existsSync(filePath)) {
-    if (fs.existsSync(filePath + '.html')) {
-      filePath = filePath + '.html';
+  // All downstream reads go through `finalPath` — the realpath-resolved
+  // target from resolveStaticPath(). Using the pre-realpath candidate
+  // opens a TOCTOU window where a symlink inside STATIC_DIR could be
+  // swapped between the containment check and the fs.readFile to point
+  // outside the root.
+  let finalPath = null;
+  const initial = resolveStaticPath(candidate, realStaticDir);
+  if (initial.status === 'forbidden') { send403(); return; }
+  if (initial.status === 'ok') {
+    // Directory requests resolve the index.html *inside the realpath'd*
+    // directory. Without this second realpath+check, a symlinked dir
+    // whose target pointed outside would serve its attacker-controlled
+    // index.html through our root check.
+    if (fs.statSync(initial.path).isDirectory()) {
+      const indexResult = resolveStaticPath(
+        path.join(initial.path, 'index.html'),
+        realStaticDir,
+      );
+      if (indexResult.status === 'forbidden') { send403(); return; }
+      if (indexResult.status === 'ok') finalPath = indexResult.path;
+      // 'missing' → fall through to 404 (no .html fallback for dirs)
     } else {
-      res.writeHead(404, { 'Content-Type': 'text/html' });
-      res.end('<h1>404 Not Found</h1>');
-      addServerLog(`GET ${logPath} → 404`, true);
-      return;
+      finalPath = initial.path;
     }
+  } else {
+    // 'missing' — try the `foo` → `foo.html` convenience fallback.
+    const htmlFallback = resolveStaticPath(candidate + '.html', realStaticDir);
+    if (htmlFallback.status === 'forbidden') { send403(); return; }
+    if (htmlFallback.status === 'ok') finalPath = htmlFallback.path;
   }
-  serveFile(res, filePath, logPath);
+  if (!finalPath) { send404(); return; }
+  serveFile(res, finalPath, logPath);
   });
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "git-watchtower",
-  "version": "1.14.16",
+  "version": "1.14.17",
   "description": "Terminal-based Git branch monitor with activity sparklines and optional dev server with live reload",
   "main": "bin/git-watchtower.js",
   "bin": {

package/src/server/static.js CHANGED Viewed

@@ -3,6 +3,9 @@
  * @module server/static
  */
+const fs = require('fs');
+const path = require('path');
 /**
  * MIME type mapping by file extension.
  */
@@ -63,9 +66,61 @@ function injectLiveReload(html) {
   return html;
 }
+/**
+ * Resolve a static-server request candidate to a safe, realpath'd path
+ * inside the static root.
+ *
+ * The critical property: the returned `path` is the realpath-resolved
+ * target, so all downstream file reads operate on the same bytes the
+ * containment check approved. Previously the server would realpath the
+ * candidate for the 403 check but then read the pre-realpath path — a
+ * TOCTOU window where a symlink inside the static dir could be swapped
+ * between check and read to point outside the root.
+ *
+ * Contract:
+ * - 'ok'        → the candidate exists inside `realStaticDir`; serve `path`.
+ * - 'missing'   → the candidate resolves (or would resolve) inside the
+ *                 root but doesn't exist. Callers can try an extension
+ *                 fallback (e.g. `.html`) or return 404.
+ * - 'forbidden' → the candidate resolves outside the root, via symlink
+ *                 or via path traversal like `../../etc/passwd`. Return
+ *                 403; do not attempt fallbacks, since the attacker
+ *                 controls the request.
+ *
+ * @param {string} candidate - Unresolved absolute path (e.g.
+ *   `path.join(STATIC_DIR, pathname)`).
+ * @param {string} realStaticDir - The realpath'd absolute path of the
+ *   static root. Callers should cache this per-request.
+ * @returns {{ status: 'ok', path: string } | { status: 'missing' } | { status: 'forbidden' }}
+ */
+function resolveStaticPath(candidate, realStaticDir) {
+  const resolvedCandidate = path.resolve(candidate);
+  let realPath;
+  let exists;
+  try {
+    realPath = fs.realpathSync(resolvedCandidate);
+    exists = true;
+  } catch (_) {
+    // Doesn't exist. Fall back to the normalized form so path-traversal
+    // attempts against non-existent files (`../../etc/passwd`) still get
+    // rejected with 403 instead of silently 404'ing.
+    realPath = resolvedCandidate;
+    exists = false;
+  }
+  if (realPath !== realStaticDir && !realPath.startsWith(realStaticDir + path.sep)) {
+    return { status: 'forbidden' };
+  }
+  if (!exists) {
+    return { status: 'missing' };
+  }
+  return { status: 'ok', path: realPath };
+}
 module.exports = {
   MIME_TYPES,
   getMimeType,
   LIVE_RELOAD_SCRIPT,
   injectLiveReload,
+  resolveStaticPath,
 };