npm - git-watchtower - Versions diffs - 2.1.14 → 2.1.16 - Mend

git-watchtower 2.1.14 → 2.1.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/bin/git-watchtower.js +62 -14
package/package.json +1 -1
package/src/server/coordinator.js +33 -2
package/src/utils/monitor-lock.js +9 -1

package/bin/git-watchtower.js CHANGED Viewed

@@ -881,6 +881,50 @@ let errorToastTimeout = null;
 // Shape: { type: 'switch', branch: string } | { type: 'pull' } | null
 let pendingDirtyOperation = null;
+/**
+ * Setter for pendingDirtyOperation that refuses to overwrite an
+ * already-pending operation. Returns true if the assignment succeeded,
+ * false if a different operation was already pending and the caller
+ * should skip its follow-up (e.g. the showStashConfirm modal).
+ *
+ * Why this matters: process.stdin's 'data' listener is async, so two
+ * near-simultaneous keypresses spawn concurrent handler bodies. If the
+ * user presses Enter (switch) and then 'p' (pull) within the ~100 ms
+ * it takes hasUncommittedChanges to await, both bodies reach the
+ * dirty-repo branch and the second one's pendingDirtyOperation
+ * silently clobbers the first. The user then sees a stash-confirm
+ * modal labeled "pull" even though they pressed Enter, and the
+ * original switch intent is lost. Refusing the overwrite preserves
+ * the first user action and surfaces the conflict via the activity
+ * log rather than dropping intent on the floor.
+ *
+ * Note: the check + assignment here is synchronous, so JavaScript's
+ * single-threaded event loop guarantees no interleaving — two callers
+ * will see consistent state.
+ *
+ * @param {{type: 'switch', branch: string} | {type: 'pull'} | null} op
+ * @returns {boolean} true if assigned, false if refused (already pending)
+ */
+function setPendingDirtyOp(op) {
+  if (op !== null && pendingDirtyOperation !== null) {
+    addLog(
+      `Another operation already pending (${pendingDirtyOperation.type}) — resolve the stash dialog first`,
+      'warning',
+    );
+    return false;
+  }
+  pendingDirtyOperation = op;
+  return true;
+}
+/**
+ * Clear pendingDirtyOperation. Symmetric with setPendingDirtyOp so all
+ * mutations route through the same surface.
+ */
+function clearPendingDirtyOp() {
+  pendingDirtyOperation = null;
+}
 // Cached environment info (populated once at startup, doesn't change during session)
 let cachedEnv = null; // { hasGh, hasGlab, ghAuthed, glabAuthed, webUrlBase, platform }
@@ -1524,8 +1568,9 @@ async function switchToBranch(branchName, recordHistory = true) {
     const isDirty = await hasUncommittedChanges();
     if (isDirty) {
       addLog(`Cannot switch: uncommitted changes in working directory`, 'error');
-      pendingDirtyOperation = { type: 'switch', branch: branchName };
-      showStashConfirm(`switch to ${branchName}`);
+      if (setPendingDirtyOp({ type: 'switch', branch: branchName })) {
+        showStashConfirm(`switch to ${branchName}`);
+      }
       telemetry.capture('dirty_repo_encountered');
       return { success: false, reason: 'dirty' };
     }
@@ -1563,7 +1608,7 @@ async function switchToBranch(branchName, recordHistory = true) {
     addLog(`Switched to ${safeBranchName}`, 'success');
     telemetry.capture('branch_switched');
     branchSwitchCount++;
-    pendingDirtyOperation = null;
+    clearPendingDirtyOp();
     // Restart server if configured (command mode)
     if (SERVER_MODE === 'command' && RESTART_ON_SWITCH && serverProcess) {
@@ -1583,8 +1628,9 @@ async function switchToBranch(branchName, recordHistory = true) {
       );
     } else if (errMsg.includes('local changes') || errMsg.includes('overwritten')) {
       addLog(`Cannot switch: local changes would be overwritten`, 'error');
-      pendingDirtyOperation = { type: 'switch', branch: branchName };
-      showStashConfirm(`switch to ${branchName}`);
+      if (setPendingDirtyOp({ type: 'switch', branch: branchName })) {
+        showStashConfirm(`switch to ${branchName}`);
+      }
     } else {
       addLog(`Failed to switch: ${errMsg}`, 'error');
       showErrorToast(
@@ -1618,8 +1664,9 @@ async function undoLastSwitch() {
     if (await hasUncommittedChanges()) {
       addLog('Cannot undo: uncommitted changes in working directory', 'error');
-      pendingDirtyOperation = { type: 'switch', branch: lastSwitch.from };
-      showStashConfirm(`undo to detached HEAD ${hash}`);
+      if (setPendingDirtyOp({ type: 'switch', branch: lastSwitch.from })) {
+        showStashConfirm(`undo to detached HEAD ${hash}`);
+      }
       return { success: false, reason: 'dirty' };
     }
@@ -1632,7 +1679,7 @@ async function undoLastSwitch() {
       });
       addLog(`Undone: detached HEAD at ${hash}`, 'success');
       branchSwitchCount++;
-      pendingDirtyOperation = null;
+      clearPendingDirtyOp();
       notifyClients();
       return { success: true };
     } catch (e) {
@@ -1699,7 +1746,7 @@ async function pullCurrentBranch() {
       }
       addLog(`Pulled ${REMOTE_NAME}/${branch}${summary}`, 'success');
     }
-    pendingDirtyOperation = null;
+    clearPendingDirtyOp();
     notifyClients();
     return { success: true };
   } catch (e) {
@@ -1707,8 +1754,9 @@ async function pullCurrentBranch() {
     addLog(`Pull failed: ${errMsg}`, 'error');
     if (errMsg.includes('local changes') || errMsg.includes('overwritten') || errMsg.includes('uncommitted changes')) {
-      pendingDirtyOperation = { type: 'pull' };
-      showStashConfirm('pull');
+      if (setPendingDirtyOp({ type: 'pull' })) {
+        showStashConfirm('pull');
+      }
     } else if (isMergeConflict(errMsg)) {
       store.setState({ hasMergeConflict: true });
       showErrorToast(
@@ -1747,7 +1795,7 @@ async function stashAndRetry() {
     return;
   }
-  pendingDirtyOperation = null;
+  clearPendingDirtyOp();
   hideErrorToast();
   hideStashConfirm();
@@ -2830,7 +2878,7 @@ function setupKeyboardInput() {
           await stashAndRetry();
         } else {
           addLog('Stash cancelled — handle changes manually', 'info');
-          pendingDirtyOperation = null;
+          clearPendingDirtyOp();
         }
         return;
       }
@@ -2844,7 +2892,7 @@ function setupKeyboardInput() {
       if (key === '\u001b') { // Escape — cancel
         hideStashConfirm();
         addLog('Stash cancelled — handle changes manually', 'info');
-        pendingDirtyOperation = null;
+        clearPendingDirtyOp();
         render();
         return;
       }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "git-watchtower",
-  "version": "2.1.14",
+  "version": "2.1.16",
   "description": "Terminal-based Git branch monitor with activity sparklines and optional dev server with live reload",
   "main": "bin/git-watchtower.js",
   "bin": {

package/src/server/coordinator.js CHANGED Viewed

@@ -81,11 +81,28 @@ const LOCK_FILE = path.join(WATCHTOWER_DIR, 'web.lock');
 const SOCKET_PATH = path.join(WATCHTOWER_DIR, 'web.sock');
 /**
- * Ensure the ~/.watchtower directory exists.
+ * Ensure the ~/.watchtower directory exists, restricted to the owner.
+ *
+ * The directory hosts the lock file and the Unix-domain IPC socket;
+ * both should only be reachable by the user running git-watchtower.
+ * On Linux, connect() to a Unix socket requires read+execute on the
+ * containing directory, so 0o700 is sufficient defense-in-depth even
+ * when the socket file itself ends up world-readable due to umask.
+ *
+ * mkdirSync's mode argument only applies when the directory is being
+ * created — it has no effect on a pre-existing dir. We chmod after
+ * the create check so installs that ran before this fix get migrated
+ * to the tighter mode on next launch.
  */
 function ensureDir() {
   if (!fs.existsSync(WATCHTOWER_DIR)) {
-    fs.mkdirSync(WATCHTOWER_DIR, { recursive: true });
+    fs.mkdirSync(WATCHTOWER_DIR, { recursive: true, mode: 0o700 });
+  }
+  try {
+    fs.chmodSync(WATCHTOWER_DIR, 0o700);
+  } catch (e) {
+    // chmod may fail on Windows or filesystems without POSIX perms; the
+    // permission semantics don't apply there anyway, so silently skip.
   }
 }
@@ -290,6 +307,20 @@ class Coordinator {
       });
       this.ipcServer.listen(this.socketPath, () => {
+        // Defense-in-depth: tighten the socket file's own perms after
+        // bind. Node's net.Server.listen() creates the socket file with
+        // perms derived from umask, which on shared workstations
+        // (umask 0022) yields 0o755 — world-readable. Linux ignores
+        // socket-file perms for connect() (the directory's perms are
+        // authoritative), but BSD honours them and other tooling may
+        // surface them in audit reports. Setting 0o600 explicitly
+        // matches the 0o700 directory perms set in ensureDir().
+        try {
+          fs.chmodSync(this.socketPath, 0o600);
+        } catch (e) {
+          // Non-POSIX filesystem or Windows — perm semantics don't
+          // apply, skip silently.
+        }
         resolve();
       });
     });

package/src/utils/monitor-lock.js CHANGED Viewed

@@ -52,8 +52,16 @@ function lockFilePath(repoRoot) {
 }
 function ensureDir() {
+  // 0o700 keeps lock files (which contain pids and the cwd of running
+  // git-watchtower instances) unreadable to other local users. See
+  // src/server/coordinator.js for the rationale and Windows note.
   if (!fs.existsSync(WATCHTOWER_DIR)) {
-    fs.mkdirSync(WATCHTOWER_DIR, { recursive: true });
+    fs.mkdirSync(WATCHTOWER_DIR, { recursive: true, mode: 0o700 });
+  }
+  try {
+    fs.chmodSync(WATCHTOWER_DIR, 0o700);
+  } catch (e) {
+    // chmod may fail on Windows / non-POSIX filesystems; skip silently.
   }
 }