gitnexus 1.6.4-rc.54 → 1.6.4-rc.55

package/dist/core/ingestion/model/resolve.js

@@ -132,17 +132,25 @@ export function c3Linearize(classId, parentMap, cache, inProgress) {
         }
         // Add the direct parents list as the final sequence
         const sequences = [...parentLinearizations, [...directParents]];
+        const heads = new Uint32Array(sequences.length); // head pointer per sequence
         const result = [];
+        // Tail-count map: how many sequences contain this id at index > head.
+        // O(1) membership check replaces O(n) indexOf scans.
+        const tailCount = new Map();
+        for (const seq of sequences) {
+            for (let i = 1; i < seq.length; i++) {
+                tailCount.set(seq[i], (tailCount.get(seq[i]) ?? 0) + 1);
+            }
+        }
+        let remaining = sequences.reduce((n, s) => n + s.length, 0);
         let inconsistent = false;
-        while (sequences.some((s) => s.length > 0)) {
-            // Find a good head: one that doesn't appear in the tail of any other sequence
+        while (remaining > 0) {
             let head = null;
-            for (const seq of sequences) {
-                if (seq.length === 0)
+            for (let si = 0; si < sequences.length; si++) {
+                if (heads[si] >= sequences[si].length)
                     continue;
-                const candidate = seq[0];
-                const inTail = sequences.some((other) => other.length > 1 && other.indexOf(candidate, 1) !== -1);
-                if (!inTail) {
+                const candidate = sequences[si][heads[si]];
+                if ((tailCount.get(candidate) ?? 0) === 0) {
                     head = candidate;
                     break;
                 }
@@ -152,10 +160,22 @@ export function c3Linearize(classId, parentMap, cache, inProgress) {
                 break;
             }
             result.push(head);
-            // Remove the chosen head from all sequences
-            for (const seq of sequences) {
-                if (seq.length > 0 && seq[0] === head) {
-                    seq.shift();
+            // Advance head pointers past the chosen head; update tail counts
+            for (let si = 0; si < sequences.length; si++) {
+                if (heads[si] >= sequences[si].length)
+                    continue;
+                if (sequences[si][heads[si]] === head) {
+                    heads[si]++;
+                    remaining--;
+                    // promoted was in this sequence's active tail; now it's the new head — remove from tailCount
+                    if (heads[si] < sequences[si].length) {
+                        const promoted = sequences[si][heads[si]];
+                        const prev = tailCount.get(promoted);
+                        if (prev <= 1)
+                            tailCount.delete(promoted);
+                        else
+                            tailCount.set(promoted, prev - 1);
+                    }
                 }
             }
         }

package/dist/server/api.js

@@ -25,6 +25,7 @@ import { mountMCPEndpoints } from './mcp-http.js';
 import { fork } from 'child_process';
 import { fileURLToPath, pathToFileURL } from 'url';
 import { JobManager } from './analyze-job.js';
+import { assertString, escapeRegExp, BadRequestError } from './validation.js';
 import { extractRepoName, getCloneDir, cloneOrPull } from './git-clone.js';
 const _require = createRequire(import.meta.url);
 const pkg = _require('../../package.json');
@@ -429,6 +430,10 @@ const mountSSEProgress = (app, routePath, jm) => {
     });
 };
 const statusFromError = (err) => {
+    // Validation helpers throw BadRequestError / ForbiddenError with a typed
+    // .status field — honor it before falling back to message-string matching.
+    if (err instanceof BadRequestError)
+        return err.status;
     const msg = String(err?.message ?? '');
     if (msg.includes('No indexed repositories') || msg.includes('not found'))
         return 404;
@@ -968,20 +973,33 @@ export const createServer = async (port, host = '127.0.0.1') => {
                 res.status(404).json({ error: 'Repository not found' });
                 return;
             }
-            const pattern = req.query.pattern;
-            if (!pattern) {
+            // Type-confusion guard (CodeQL js/type-confusion-through-parameter-tampering):
+            // req.query.pattern is `string | string[] | ParsedQs` — without an explicit
+            // type check, the `.length` guard below counts array elements instead of
+            // characters, allowing arbitrarily long patterns through.
+            const rawPattern = req.query.pattern;
+            if (rawPattern === undefined) {
                 res.status(400).json({ error: 'Missing "pattern" query parameter' });
                 return;
             }
-            // ReDoS protection: reject overly long or dangerous patterns
+            const pattern = assertString(rawPattern, 'pattern');
+            if (pattern.length === 0) {
+                res.status(400).json({ error: 'Missing "pattern" query parameter' });
+                return;
+            }
+            // Length cap: applies to both literal and regex modes as a defense-in-depth
+            // bound against pathological input.
             if (pattern.length > 200) {
                 res.status(400).json({ error: 'Pattern too long (max 200 characters)' });
                 return;
             }
-            // Validate regex syntax
+            // Treat user input as a literal substring in all cases to prevent
+            // regex-injection/ReDoS via attacker-controlled regex syntax.
+            const effectivePattern = escapeRegExp(pattern);
+            // Validate regex syntax (catches both opt-in user regex and any escapeRegExp bug)
             let regex;
             try {
-                regex = new RegExp(pattern, 'gim');
+                regex = new RegExp(effectivePattern, 'gim');
             }
             catch {
                 res.status(400).json({ error: 'Invalid regex pattern' });
@@ -1025,7 +1043,7 @@ export const createServer = async (port, host = '127.0.0.1') => {
             res.json({ results });
         }
         catch (err) {
-            res.status(500).json({ error: err.message || 'Grep failed' });
+            res.status(statusFromError(err)).json({ error: err.message || 'Grep failed' });
         }
     });
     // List all processes

package/dist/server/validation.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Server-side input validation helpers.
+ *
+ * Convention: helpers throw BadRequestError (or its 403 subclass ForbiddenError)
+ * when user input fails validation. Existing route handlers wrap their bodies in
+ * try/catch and translate the error to res.status(err.status).json({error: err.message}).
+ * This pattern was chosen over an asyncHandler middleware to stay compatible with
+ * Express 4's non-propagation of async-thrown errors and to match the existing
+ * try/catch shape used throughout api.ts.
+ *
+ * Scope (this PR — U1 of the security remediation plan):
+ *   - assertString:      closes js/type-confusion-through-parameter-tampering (api.ts:1118)
+ *   - assertSafePath:    consolidates the path-traversal guard from api.ts:1067-1077
+ *                        for reuse across other path-injection findings (U2/U3)
+ *   - escapeRegExp:      utility for upcoming regex-injection fix at /api/grep (U5)
+ *
+ * Helpers added in later units (U3 git-clone hardening, U4 rate-limiting) live
+ * in this module too but are introduced with the dependency they require.
+ */
+/**
+ * Thrown by validation helpers when user input is rejected.
+ * Routes catch via existing try/catch and convert with err.status / err.message.
+ */
+export declare class BadRequestError extends Error {
+    readonly status: number;
+    constructor(message: string, status?: number);
+}
+export declare class ForbiddenError extends BadRequestError {
+    constructor(message: string);
+}
+/**
+ * Type guard for HTTP request parameters that must be a single string.
+ *
+ * Express's req.query and req.body parsers return `string | string[] | ParsedQs`
+ * for any field, but route handlers commonly cast to `string` and operate on
+ * `.length`. When the caller passes the same key twice (?x=a&x=b) the value
+ * arrives as an array, and a `.length` check intended for the string ends up
+ * counting array elements — bypassing length-based guards (CodeQL
+ * js/type-confusion-through-parameter-tampering, alert at api.ts:1118).
+ *
+ * @throws BadRequestError when value is not a string (array, object, undefined, etc.)
+ */
+export declare function assertString(value: unknown, fieldName: string): string;
+/**
+ * Resolve a user-supplied relative path against an allowed root and verify it
+ * stays inside that root. Mirrors the existing guard at api.ts:1067-1077.
+ *
+ * Returns the absolute resolved path. Rejects empty paths, null bytes, and
+ * paths that resolve outside the root (e.g., `../../../etc/passwd`).
+ *
+ * @throws BadRequestError when the path is empty or contains a null byte
+ * @throws ForbiddenError when the resolved path escapes the root
+ */
+export declare function assertSafePath(rawPath: string, root: string): string;
+/**
+ * Escape regex metacharacters in a user-supplied string so it can be safely
+ * embedded as a literal in `new RegExp(...)`. Used by /api/grep's literal mode
+ * and any future endpoint that constructs a regex from caller input.
+ */
+export declare function escapeRegExp(input: string): string;

package/dist/server/validation.js

@@ -0,0 +1,91 @@
+/**
+ * Server-side input validation helpers.
+ *
+ * Convention: helpers throw BadRequestError (or its 403 subclass ForbiddenError)
+ * when user input fails validation. Existing route handlers wrap their bodies in
+ * try/catch and translate the error to res.status(err.status).json({error: err.message}).
+ * This pattern was chosen over an asyncHandler middleware to stay compatible with
+ * Express 4's non-propagation of async-thrown errors and to match the existing
+ * try/catch shape used throughout api.ts.
+ *
+ * Scope (this PR — U1 of the security remediation plan):
+ *   - assertString:      closes js/type-confusion-through-parameter-tampering (api.ts:1118)
+ *   - assertSafePath:    consolidates the path-traversal guard from api.ts:1067-1077
+ *                        for reuse across other path-injection findings (U2/U3)
+ *   - escapeRegExp:      utility for upcoming regex-injection fix at /api/grep (U5)
+ *
+ * Helpers added in later units (U3 git-clone hardening, U4 rate-limiting) live
+ * in this module too but are introduced with the dependency they require.
+ */
+import path from 'node:path';
+/**
+ * Thrown by validation helpers when user input is rejected.
+ * Routes catch via existing try/catch and convert with err.status / err.message.
+ */
+export class BadRequestError extends Error {
+    status;
+    constructor(message, status = 400) {
+        super(message);
+        this.name = 'BadRequestError';
+        this.status = status;
+    }
+}
+export class ForbiddenError extends BadRequestError {
+    constructor(message) {
+        super(message, 403);
+        this.name = 'ForbiddenError';
+    }
+}
+/**
+ * Type guard for HTTP request parameters that must be a single string.
+ *
+ * Express's req.query and req.body parsers return `string | string[] | ParsedQs`
+ * for any field, but route handlers commonly cast to `string` and operate on
+ * `.length`. When the caller passes the same key twice (?x=a&x=b) the value
+ * arrives as an array, and a `.length` check intended for the string ends up
+ * counting array elements — bypassing length-based guards (CodeQL
+ * js/type-confusion-through-parameter-tampering, alert at api.ts:1118).
+ *
+ * @throws BadRequestError when value is not a string (array, object, undefined, etc.)
+ */
+export function assertString(value, fieldName) {
+    if (typeof value !== 'string') {
+        if (Array.isArray(value)) {
+            throw new BadRequestError(`Parameter "${fieldName}" must be a single string, got an array`);
+        }
+        throw new BadRequestError(`Parameter "${fieldName}" must be a string`);
+    }
+    return value;
+}
+/**
+ * Resolve a user-supplied relative path against an allowed root and verify it
+ * stays inside that root. Mirrors the existing guard at api.ts:1067-1077.
+ *
+ * Returns the absolute resolved path. Rejects empty paths, null bytes, and
+ * paths that resolve outside the root (e.g., `../../../etc/passwd`).
+ *
+ * @throws BadRequestError when the path is empty or contains a null byte
+ * @throws ForbiddenError when the resolved path escapes the root
+ */
+export function assertSafePath(rawPath, root) {
+    if (rawPath.length === 0) {
+        throw new BadRequestError('Path must not be empty');
+    }
+    if (rawPath.includes('\0')) {
+        throw new BadRequestError('Path must not contain null bytes');
+    }
+    const resolvedRoot = path.resolve(root);
+    const fullPath = path.resolve(resolvedRoot, rawPath);
+    if (fullPath !== resolvedRoot && !fullPath.startsWith(resolvedRoot + path.sep)) {
+        throw new ForbiddenError('Path traversal denied');
+    }
+    return fullPath;
+}
+/**
+ * Escape regex metacharacters in a user-supplied string so it can be safely
+ * embedded as a literal in `new RegExp(...)`. Used by /api/grep's literal mode
+ * and any future endpoint that constructs a regex from caller input.
+ */
+export function escapeRegExp(input) {
+    return input.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gitnexus",
-  "version": "1.6.4-rc.54",
+  "version": "1.6.4-rc.55",
   "description": "Graph-powered code intelligence for AI agents. Index any codebase, query via MCP or CLI.",
   "author": "Abhigyan Patwari",
   "license": "PolyForm-Noncommercial-1.0.0",