gitnexus 1.6.4-rc.54 → 1.6.4-rc.56

package/dist/core/ingestion/model/resolve.js

@@ -132,17 +132,25 @@ export function c3Linearize(classId, parentMap, cache, inProgress) {
         }
         // Add the direct parents list as the final sequence
         const sequences = [...parentLinearizations, [...directParents]];
+        const heads = new Uint32Array(sequences.length); // head pointer per sequence
         const result = [];
+        // Tail-count map: how many sequences contain this id at index > head.
+        // O(1) membership check replaces O(n) indexOf scans.
+        const tailCount = new Map();
+        for (const seq of sequences) {
+            for (let i = 1; i < seq.length; i++) {
+                tailCount.set(seq[i], (tailCount.get(seq[i]) ?? 0) + 1);
+            }
+        }
+        let remaining = sequences.reduce((n, s) => n + s.length, 0);
         let inconsistent = false;
-        while (sequences.some((s) => s.length > 0)) {
-            // Find a good head: one that doesn't appear in the tail of any other sequence
+        while (remaining > 0) {
             let head = null;
-            for (const seq of sequences) {
-                if (seq.length === 0)
+            for (let si = 0; si < sequences.length; si++) {
+                if (heads[si] >= sequences[si].length)
                     continue;
-                const candidate = seq[0];
-                const inTail = sequences.some((other) => other.length > 1 && other.indexOf(candidate, 1) !== -1);
-                if (!inTail) {
+                const candidate = sequences[si][heads[si]];
+                if ((tailCount.get(candidate) ?? 0) === 0) {
                     head = candidate;
                     break;
                 }
@@ -152,10 +160,22 @@ export function c3Linearize(classId, parentMap, cache, inProgress) {
                 break;
             }
             result.push(head);
-            // Remove the chosen head from all sequences
-            for (const seq of sequences) {
-                if (seq.length > 0 && seq[0] === head) {
-                    seq.shift();
+            // Advance head pointers past the chosen head; update tail counts
+            for (let si = 0; si < sequences.length; si++) {
+                if (heads[si] >= sequences[si].length)
+                    continue;
+                if (sequences[si][heads[si]] === head) {
+                    heads[si]++;
+                    remaining--;
+                    // promoted was in this sequence's active tail; now it's the new head — remove from tailCount
+                    if (heads[si] < sequences[si].length) {
+                        const promoted = sequences[si][heads[si]];
+                        const prev = tailCount.get(promoted);
+                        if (prev <= 1)
+                            tailCount.delete(promoted);
+                        else
+                            tailCount.set(promoted, prev - 1);
+                    }
                 }
             }
         }

package/dist/server/api.d.ts

@@ -48,5 +48,25 @@ export declare const staticCacheControlSetHeaders: (res: express.Response, fileP
 export declare const registerWebUI: (app: express.Express, staticDir: string | null) => void;
 export declare const writeNdjsonRecord: (res: express.Response, record: GraphStreamRecord, signal?: AbortSignal) => Promise<void>;
 export declare const streamGraphNdjson: (res: express.Response, includeContent?: boolean, signal?: AbortSignal) => Promise<void>;
+/**
+ * Handle a GET /api/file request body. Extracted from createServer's route
+ * registration so it can be unit-tested without spinning up an HTTP server
+ * — calling app.get(...) inside a test triggers CodeQL's
+ * js/missing-rate-limiting query, which is appropriate for production
+ * route handlers but a false positive for tests of the handler logic.
+ *
+ * The function takes the express req and res (typed loosely so test code
+ * can pass minimal mocks) plus the resolved repo path. All path-traversal
+ * containment is done inline at the readFile sink with the canonical
+ * path.relative idiom for CodeQL js/path-injection recognition.
+ */
+export declare const handleFileRequest: (req: {
+    query: any;
+}, res: {
+    status: (code: number) => {
+        json: (body: any) => void;
+    };
+    json: (body: any) => void;
+}, repoPath: string) => Promise<void>;
 export declare const createServer: (port: number, host?: string) => Promise<void>;
 export {};

package/dist/server/api.js

@@ -25,6 +25,7 @@ import { mountMCPEndpoints } from './mcp-http.js';
 import { fork } from 'child_process';
 import { fileURLToPath, pathToFileURL } from 'url';
 import { JobManager } from './analyze-job.js';
+import { assertString, escapeRegExp, BadRequestError } from './validation.js';
 import { extractRepoName, getCloneDir, cloneOrPull } from './git-clone.js';
 const _require = createRequire(import.meta.url);
 const pkg = _require('../../package.json');
@@ -429,6 +430,10 @@ const mountSSEProgress = (app, routePath, jm) => {
     });
 };
 const statusFromError = (err) => {
+    // Validation helpers throw BadRequestError / ForbiddenError with a typed
+    // .status field — honor it before falling back to message-string matching.
+    if (err instanceof BadRequestError)
+        return err.status;
     const msg = String(err?.message ?? '');
     if (msg.includes('No indexed repositories') || msg.includes('not found'))
         return 404;
@@ -445,6 +450,77 @@ const requestedRepo = (req) => {
     }
     return undefined;
 };
+/**
+ * Handle a GET /api/file request body. Extracted from createServer's route
+ * registration so it can be unit-tested without spinning up an HTTP server
+ * — calling app.get(...) inside a test triggers CodeQL's
+ * js/missing-rate-limiting query, which is appropriate for production
+ * route handlers but a false positive for tests of the handler logic.
+ *
+ * The function takes the express req and res (typed loosely so test code
+ * can pass minimal mocks) plus the resolved repo path. All path-traversal
+ * containment is done inline at the readFile sink with the canonical
+ * path.relative idiom for CodeQL js/path-injection recognition.
+ */
+export const handleFileRequest = async (req, res, repoPath) => {
+    try {
+        // Type-confusion guard — req.query.path is `string | string[] | ParsedQs`.
+        // Without this, an attacker could pass `?path=a&path=b` to bypass the
+        // length-bound traversal check below (CodeQL js/type-confusion-through-
+        // parameter-tampering, same class as the /api/grep critical fix).
+        const rawFilePath = req.query.path;
+        if (rawFilePath === undefined || rawFilePath === '') {
+            res.status(400).json({ error: 'Missing path' });
+            return;
+        }
+        const filePath = assertString(rawFilePath, 'path');
+        // Path-injection containment — inline at the sink with the canonical
+        // path.relative idiom that CodeQL's js/path-injection sanitizer
+        // recognizes. assertSafePath in validation.ts performs the equivalent
+        // check, but cross-module helpers are not followed by CodeQL's
+        // interprocedural analysis for path-traversal sanitization in JS, so
+        // the barrier must be visible inline at the readFile sink.
+        const repoRoot = path.resolve(repoPath);
+        const fullPath = path.resolve(repoRoot, filePath);
+        const fullRel = path.relative(repoRoot, fullPath);
+        if (fullRel.startsWith('..') || path.isAbsolute(fullRel)) {
+            res.status(403).json({ error: 'Path traversal denied' });
+            return;
+        }
+        const raw = await fs.readFile(fullPath, 'utf-8');
+        // Optional line-range support: ?startLine=10&endLine=50
+        // Returns only the requested slice (0-indexed), plus metadata.
+        const startLine = req.query.startLine !== undefined ? Number(req.query.startLine) : undefined;
+        const endLine = req.query.endLine !== undefined ? Number(req.query.endLine) : undefined;
+        if (startLine !== undefined && Number.isFinite(startLine)) {
+            const lines = raw.split('\n');
+            const start = Math.max(0, startLine);
+            const end = endLine !== undefined && Number.isFinite(endLine)
+                ? Math.min(lines.length, endLine + 1)
+                : lines.length;
+            res.json({
+                content: lines.slice(start, end).join('\n'),
+                startLine: start,
+                endLine: end - 1,
+                totalLines: lines.length,
+            });
+        }
+        else {
+            res.json({ content: raw, totalLines: raw.split('\n').length });
+        }
+    }
+    catch (err) {
+        if (err.code === 'ENOENT') {
+            res.status(404).json({ error: 'File not found' });
+        }
+        else {
+            // statusFromError returns err.status for BadRequestError / ForbiddenError
+            // (assertString → 400 on array-form ?path=a&path=b; ForbiddenError → 403
+            // on traversal). Falls back to 500 for unrecognized failures.
+            res.status(statusFromError(err)).json({ error: err.message || 'Failed to read file' });
+        }
+    }
+};
 export const createServer = async (port, host = '127.0.0.1') => {
     const app = express();
     app.disable('x-powered-by');
@@ -910,54 +986,12 @@ export const createServer = async (port, host = '127.0.0.1') => {
     });
     // Read file — with path traversal guard
     app.get('/api/file', async (req, res) => {
-        try {
-            const entry = await resolveRepo(requestedRepo(req));
-            if (!entry) {
-                res.status(404).json({ error: 'Repository not found' });
-                return;
-            }
-            const filePath = req.query.path;
-            if (!filePath) {
-                res.status(400).json({ error: 'Missing path' });
-                return;
-            }
-            // Prevent path traversal — resolve and verify the path stays within the repo root
-            const repoRoot = path.resolve(entry.path);
-            const fullPath = path.resolve(repoRoot, filePath);
-            if (!fullPath.startsWith(repoRoot + path.sep) && fullPath !== repoRoot) {
-                res.status(403).json({ error: 'Path traversal denied' });
-                return;
-            }
-            const raw = await fs.readFile(fullPath, 'utf-8');
-            // Optional line-range support: ?startLine=10&endLine=50
-            // Returns only the requested slice (0-indexed), plus metadata.
-            const startLine = req.query.startLine !== undefined ? Number(req.query.startLine) : undefined;
-            const endLine = req.query.endLine !== undefined ? Number(req.query.endLine) : undefined;
-            if (startLine !== undefined && Number.isFinite(startLine)) {
-                const lines = raw.split('\n');
-                const start = Math.max(0, startLine);
-                const end = endLine !== undefined && Number.isFinite(endLine)
-                    ? Math.min(lines.length, endLine + 1)
-                    : lines.length;
-                res.json({
-                    content: lines.slice(start, end).join('\n'),
-                    startLine: start,
-                    endLine: end - 1,
-                    totalLines: lines.length,
-                });
-            }
-            else {
-                res.json({ content: raw, totalLines: raw.split('\n').length });
-            }
-        }
-        catch (err) {
-            if (err.code === 'ENOENT') {
-                res.status(404).json({ error: 'File not found' });
-            }
-            else {
-                res.status(500).json({ error: err.message || 'Failed to read file' });
-            }
+        const entry = await resolveRepo(requestedRepo(req));
+        if (!entry) {
+            res.status(404).json({ error: 'Repository not found' });
+            return;
         }
+        await handleFileRequest(req, res, entry.path);
     });
     // Grep — regex search across file contents in the indexed repo
     // Uses filesystem-based search for memory efficiency (never loads all files into memory)
@@ -968,20 +1002,33 @@ export const createServer = async (port, host = '127.0.0.1') => {
                 res.status(404).json({ error: 'Repository not found' });
                 return;
             }
-            const pattern = req.query.pattern;
-            if (!pattern) {
+            // Type-confusion guard (CodeQL js/type-confusion-through-parameter-tampering):
+            // req.query.pattern is `string | string[] | ParsedQs` — without an explicit
+            // type check, the `.length` guard below counts array elements instead of
+            // characters, allowing arbitrarily long patterns through.
+            const rawPattern = req.query.pattern;
+            if (rawPattern === undefined) {
+                res.status(400).json({ error: 'Missing "pattern" query parameter' });
+                return;
+            }
+            const pattern = assertString(rawPattern, 'pattern');
+            if (pattern.length === 0) {
                 res.status(400).json({ error: 'Missing "pattern" query parameter' });
                 return;
             }
-            // ReDoS protection: reject overly long or dangerous patterns
+            // Length cap: applies to both literal and regex modes as a defense-in-depth
+            // bound against pathological input.
             if (pattern.length > 200) {
                 res.status(400).json({ error: 'Pattern too long (max 200 characters)' });
                 return;
             }
-            // Validate regex syntax
+            // Treat user input as a literal substring in all cases to prevent
+            // regex-injection/ReDoS via attacker-controlled regex syntax.
+            const effectivePattern = escapeRegExp(pattern);
+            // Validate regex syntax (catches both opt-in user regex and any escapeRegExp bug)
             let regex;
             try {
-                regex = new RegExp(pattern, 'gim');
+                regex = new RegExp(effectivePattern, 'gim');
             }
             catch {
                 res.status(400).json({ error: 'Invalid regex pattern' });
@@ -1025,7 +1072,7 @@ export const createServer = async (port, host = '127.0.0.1') => {
             res.json({ results });
         }
         catch (err) {
-            res.status(500).json({ error: err.message || 'Grep failed' });
+            res.status(statusFromError(err)).json({ error: err.message || 'Grep failed' });
         }
     });
     // List all processes

package/dist/server/validation.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Server-side input validation helpers.
+ *
+ * Convention: helpers throw BadRequestError (or its 403 subclass ForbiddenError)
+ * when user input fails validation. Existing route handlers wrap their bodies in
+ * try/catch and translate the error to res.status(err.status).json({error: err.message}).
+ * This pattern was chosen over an asyncHandler middleware to stay compatible with
+ * Express 4's non-propagation of async-thrown errors and to match the existing
+ * try/catch shape used throughout api.ts.
+ *
+ * Scope (this PR — U1 of the security remediation plan):
+ *   - assertString:      closes js/type-confusion-through-parameter-tampering (api.ts:1118)
+ *   - assertSafePath:    consolidates the path-traversal guard from api.ts:1067-1077
+ *                        for reuse across other path-injection findings (U2/U3)
+ *   - escapeRegExp:      utility for upcoming regex-injection fix at /api/grep (U5)
+ *
+ * Helpers added in later units (U3 git-clone hardening, U4 rate-limiting) live
+ * in this module too but are introduced with the dependency they require.
+ */
+/**
+ * Thrown by validation helpers when user input is rejected.
+ * Routes catch via existing try/catch and convert with err.status / err.message.
+ */
+export declare class BadRequestError extends Error {
+    readonly status: number;
+    constructor(message: string, status?: number);
+}
+export declare class ForbiddenError extends BadRequestError {
+    constructor(message: string);
+}
+/**
+ * Type guard for HTTP request parameters that must be a single string.
+ *
+ * Express's req.query and req.body parsers return `string | string[] | ParsedQs`
+ * for any field, but route handlers commonly cast to `string` and operate on
+ * `.length`. When the caller passes the same key twice (?x=a&x=b) the value
+ * arrives as an array, and a `.length` check intended for the string ends up
+ * counting array elements — bypassing length-based guards (CodeQL
+ * js/type-confusion-through-parameter-tampering, alert at api.ts:1118).
+ *
+ * @throws BadRequestError when value is not a string (array, object, undefined, etc.)
+ */
+export declare function assertString(value: unknown, fieldName: string): string;
+/**
+ * Resolve a user-supplied relative path against an allowed root and verify it
+ * stays inside that root. Mirrors the existing guard at api.ts:1067-1077.
+ *
+ * Returns the absolute resolved path. Rejects empty paths, null bytes, and
+ * paths that resolve outside the root (e.g., `../../../etc/passwd`).
+ *
+ * @throws BadRequestError when the path is empty or contains a null byte
+ * @throws ForbiddenError when the resolved path escapes the root
+ */
+export declare function assertSafePath(rawPath: string, root: string): string;
+/**
+ * Escape regex metacharacters in a user-supplied string so it can be safely
+ * embedded as a literal in `new RegExp(...)`. Used by /api/grep's literal mode
+ * and any future endpoint that constructs a regex from caller input.
+ */
+export declare function escapeRegExp(input: string): string;

package/dist/server/validation.js

@@ -0,0 +1,91 @@
+/**
+ * Server-side input validation helpers.
+ *
+ * Convention: helpers throw BadRequestError (or its 403 subclass ForbiddenError)
+ * when user input fails validation. Existing route handlers wrap their bodies in
+ * try/catch and translate the error to res.status(err.status).json({error: err.message}).
+ * This pattern was chosen over an asyncHandler middleware to stay compatible with
+ * Express 4's non-propagation of async-thrown errors and to match the existing
+ * try/catch shape used throughout api.ts.
+ *
+ * Scope (this PR — U1 of the security remediation plan):
+ *   - assertString:      closes js/type-confusion-through-parameter-tampering (api.ts:1118)
+ *   - assertSafePath:    consolidates the path-traversal guard from api.ts:1067-1077
+ *                        for reuse across other path-injection findings (U2/U3)
+ *   - escapeRegExp:      utility for upcoming regex-injection fix at /api/grep (U5)
+ *
+ * Helpers added in later units (U3 git-clone hardening, U4 rate-limiting) live
+ * in this module too but are introduced with the dependency they require.
+ */
+import path from 'node:path';
+/**
+ * Thrown by validation helpers when user input is rejected.
+ * Routes catch via existing try/catch and convert with err.status / err.message.
+ */
+export class BadRequestError extends Error {
+    status;
+    constructor(message, status = 400) {
+        super(message);
+        this.name = 'BadRequestError';
+        this.status = status;
+    }
+}
+export class ForbiddenError extends BadRequestError {
+    constructor(message) {
+        super(message, 403);
+        this.name = 'ForbiddenError';
+    }
+}
+/**
+ * Type guard for HTTP request parameters that must be a single string.
+ *
+ * Express's req.query and req.body parsers return `string | string[] | ParsedQs`
+ * for any field, but route handlers commonly cast to `string` and operate on
+ * `.length`. When the caller passes the same key twice (?x=a&x=b) the value
+ * arrives as an array, and a `.length` check intended for the string ends up
+ * counting array elements — bypassing length-based guards (CodeQL
+ * js/type-confusion-through-parameter-tampering, alert at api.ts:1118).
+ *
+ * @throws BadRequestError when value is not a string (array, object, undefined, etc.)
+ */
+export function assertString(value, fieldName) {
+    if (typeof value !== 'string') {
+        if (Array.isArray(value)) {
+            throw new BadRequestError(`Parameter "${fieldName}" must be a single string, got an array`);
+        }
+        throw new BadRequestError(`Parameter "${fieldName}" must be a string`);
+    }
+    return value;
+}
+/**
+ * Resolve a user-supplied relative path against an allowed root and verify it
+ * stays inside that root. Mirrors the existing guard at api.ts:1067-1077.
+ *
+ * Returns the absolute resolved path. Rejects empty paths, null bytes, and
+ * paths that resolve outside the root (e.g., `../../../etc/passwd`).
+ *
+ * @throws BadRequestError when the path is empty or contains a null byte
+ * @throws ForbiddenError when the resolved path escapes the root
+ */
+export function assertSafePath(rawPath, root) {
+    if (rawPath.length === 0) {
+        throw new BadRequestError('Path must not be empty');
+    }
+    if (rawPath.includes('\0')) {
+        throw new BadRequestError('Path must not contain null bytes');
+    }
+    const resolvedRoot = path.resolve(root);
+    const fullPath = path.resolve(resolvedRoot, rawPath);
+    if (fullPath !== resolvedRoot && !fullPath.startsWith(resolvedRoot + path.sep)) {
+        throw new ForbiddenError('Path traversal denied');
+    }
+    return fullPath;
+}
+/**
+ * Escape regex metacharacters in a user-supplied string so it can be safely
+ * embedded as a literal in `new RegExp(...)`. Used by /api/grep's literal mode
+ * and any future endpoint that constructs a regex from caller input.
+ */
+export function escapeRegExp(input) {
+    return input.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gitnexus",
-  "version": "1.6.4-rc.54",
+  "version": "1.6.4-rc.56",
   "description": "Graph-powered code intelligence for AI agents. Index any codebase, query via MCP or CLI.",
   "author": "Abhigyan Patwari",
   "license": "PolyForm-Noncommercial-1.0.0",