gitnexus 1.6.4-rc.55 → 1.6.4-rc.57

package/dist/core/ingestion/workers/worker-pool.js

@@ -235,12 +235,22 @@ export const createWorkerPool = (workerUrl, poolSize, options) => {
                         if (!settled) {
                             settled = true;
                             cleanup();
-                            activeWorkers--;
                             inFlightProgress[workerIndex] = 0;
                             const shouldContinue = requeueAfterTimeout(workerIndex, job, lastProgress);
-                            if (!shouldContinue)
+                            if (!shouldContinue) {
+                                activeWorkers--;
                                 return;
-                            await replaceWorker(workerIndex);
+                            }
+                            try {
+                                await replaceWorker(workerIndex);
+                            }
+                            catch (err) {
+                                void fail(err instanceof Error ? err : new Error(`Worker replacement failed: ${err}`));
+                                return;
+                            }
+                            finally {
+                                activeWorkers--;
+                            }
                             reportProgress();
                             runWorker(workerIndex);
                             maybeDone();

package/dist/server/api.d.ts

@@ -48,5 +48,25 @@ export declare const staticCacheControlSetHeaders: (res: express.Response, fileP
 export declare const registerWebUI: (app: express.Express, staticDir: string | null) => void;
 export declare const writeNdjsonRecord: (res: express.Response, record: GraphStreamRecord, signal?: AbortSignal) => Promise<void>;
 export declare const streamGraphNdjson: (res: express.Response, includeContent?: boolean, signal?: AbortSignal) => Promise<void>;
+/**
+ * Handle a GET /api/file request body. Extracted from createServer's route
+ * registration so it can be unit-tested without spinning up an HTTP server
+ * — calling app.get(...) inside a test triggers CodeQL's
+ * js/missing-rate-limiting query, which is appropriate for production
+ * route handlers but a false positive for tests of the handler logic.
+ *
+ * The function takes the express req and res (typed loosely so test code
+ * can pass minimal mocks) plus the resolved repo path. All path-traversal
+ * containment is done inline at the readFile sink with the canonical
+ * path.relative idiom for CodeQL js/path-injection recognition.
+ */
+export declare const handleFileRequest: (req: {
+    query: any;
+}, res: {
+    status: (code: number) => {
+        json: (body: any) => void;
+    };
+    json: (body: any) => void;
+}, repoPath: string) => Promise<void>;
 export declare const createServer: (port: number, host?: string) => Promise<void>;
 export {};

package/dist/server/api.js

@@ -450,6 +450,77 @@ const requestedRepo = (req) => {
     }
     return undefined;
 };
+/**
+ * Handle a GET /api/file request body. Extracted from createServer's route
+ * registration so it can be unit-tested without spinning up an HTTP server
+ * — calling app.get(...) inside a test triggers CodeQL's
+ * js/missing-rate-limiting query, which is appropriate for production
+ * route handlers but a false positive for tests of the handler logic.
+ *
+ * The function takes the express req and res (typed loosely so test code
+ * can pass minimal mocks) plus the resolved repo path. All path-traversal
+ * containment is done inline at the readFile sink with the canonical
+ * path.relative idiom for CodeQL js/path-injection recognition.
+ */
+export const handleFileRequest = async (req, res, repoPath) => {
+    try {
+        // Type-confusion guard — req.query.path is `string | string[] | ParsedQs`.
+        // Without this, an attacker could pass `?path=a&path=b` to bypass the
+        // length-bound traversal check below (CodeQL js/type-confusion-through-
+        // parameter-tampering, same class as the /api/grep critical fix).
+        const rawFilePath = req.query.path;
+        if (rawFilePath === undefined || rawFilePath === '') {
+            res.status(400).json({ error: 'Missing path' });
+            return;
+        }
+        const filePath = assertString(rawFilePath, 'path');
+        // Path-injection containment — inline at the sink with the canonical
+        // path.relative idiom that CodeQL's js/path-injection sanitizer
+        // recognizes. assertSafePath in validation.ts performs the equivalent
+        // check, but cross-module helpers are not followed by CodeQL's
+        // interprocedural analysis for path-traversal sanitization in JS, so
+        // the barrier must be visible inline at the readFile sink.
+        const repoRoot = path.resolve(repoPath);
+        const fullPath = path.resolve(repoRoot, filePath);
+        const fullRel = path.relative(repoRoot, fullPath);
+        if (fullRel.startsWith('..') || path.isAbsolute(fullRel)) {
+            res.status(403).json({ error: 'Path traversal denied' });
+            return;
+        }
+        const raw = await fs.readFile(fullPath, 'utf-8');
+        // Optional line-range support: ?startLine=10&endLine=50
+        // Returns only the requested slice (0-indexed), plus metadata.
+        const startLine = req.query.startLine !== undefined ? Number(req.query.startLine) : undefined;
+        const endLine = req.query.endLine !== undefined ? Number(req.query.endLine) : undefined;
+        if (startLine !== undefined && Number.isFinite(startLine)) {
+            const lines = raw.split('\n');
+            const start = Math.max(0, startLine);
+            const end = endLine !== undefined && Number.isFinite(endLine)
+                ? Math.min(lines.length, endLine + 1)
+                : lines.length;
+            res.json({
+                content: lines.slice(start, end).join('\n'),
+                startLine: start,
+                endLine: end - 1,
+                totalLines: lines.length,
+            });
+        }
+        else {
+            res.json({ content: raw, totalLines: raw.split('\n').length });
+        }
+    }
+    catch (err) {
+        if (err.code === 'ENOENT') {
+            res.status(404).json({ error: 'File not found' });
+        }
+        else {
+            // statusFromError returns err.status for BadRequestError / ForbiddenError
+            // (assertString → 400 on array-form ?path=a&path=b; ForbiddenError → 403
+            // on traversal). Falls back to 500 for unrecognized failures.
+            res.status(statusFromError(err)).json({ error: err.message || 'Failed to read file' });
+        }
+    }
+};
 export const createServer = async (port, host = '127.0.0.1') => {
     const app = express();
     app.disable('x-powered-by');
@@ -915,54 +986,12 @@ export const createServer = async (port, host = '127.0.0.1') => {
     });
     // Read file — with path traversal guard
     app.get('/api/file', async (req, res) => {
-        try {
-            const entry = await resolveRepo(requestedRepo(req));
-            if (!entry) {
-                res.status(404).json({ error: 'Repository not found' });
-                return;
-            }
-            const filePath = req.query.path;
-            if (!filePath) {
-                res.status(400).json({ error: 'Missing path' });
-                return;
-            }
-            // Prevent path traversal — resolve and verify the path stays within the repo root
-            const repoRoot = path.resolve(entry.path);
-            const fullPath = path.resolve(repoRoot, filePath);
-            if (!fullPath.startsWith(repoRoot + path.sep) && fullPath !== repoRoot) {
-                res.status(403).json({ error: 'Path traversal denied' });
-                return;
-            }
-            const raw = await fs.readFile(fullPath, 'utf-8');
-            // Optional line-range support: ?startLine=10&endLine=50
-            // Returns only the requested slice (0-indexed), plus metadata.
-            const startLine = req.query.startLine !== undefined ? Number(req.query.startLine) : undefined;
-            const endLine = req.query.endLine !== undefined ? Number(req.query.endLine) : undefined;
-            if (startLine !== undefined && Number.isFinite(startLine)) {
-                const lines = raw.split('\n');
-                const start = Math.max(0, startLine);
-                const end = endLine !== undefined && Number.isFinite(endLine)
-                    ? Math.min(lines.length, endLine + 1)
-                    : lines.length;
-                res.json({
-                    content: lines.slice(start, end).join('\n'),
-                    startLine: start,
-                    endLine: end - 1,
-                    totalLines: lines.length,
-                });
-            }
-            else {
-                res.json({ content: raw, totalLines: raw.split('\n').length });
-            }
-        }
-        catch (err) {
-            if (err.code === 'ENOENT') {
-                res.status(404).json({ error: 'File not found' });
-            }
-            else {
-                res.status(500).json({ error: err.message || 'Failed to read file' });
-            }
+        const entry = await resolveRepo(requestedRepo(req));
+        if (!entry) {
+            res.status(404).json({ error: 'Repository not found' });
+            return;
         }
+        await handleFileRequest(req, res, entry.path);
     });
     // Grep — regex search across file contents in the indexed repo
     // Uses filesystem-based search for memory efficiency (never loads all files into memory)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gitnexus",
-  "version": "1.6.4-rc.55",
+  "version": "1.6.4-rc.57",
   "description": "Graph-powered code intelligence for AI agents. Index any codebase, query via MCP or CLI.",
   "author": "Abhigyan Patwari",
   "license": "PolyForm-Noncommercial-1.0.0",