gitnexus 1.6.4-rc.57 → 1.6.4-rc.59

package/dist/server/api.js

@@ -744,16 +744,28 @@ export const createServer = async (port, host = '127.0.0.1') => {
                 // 1. Delete the .gitnexus index/storage directory
                 const storagePath = getStoragePath(entry.path);
                 await fs.rm(storagePath, { recursive: true, force: true }).catch(() => { });
-                // 2. Delete the cloned repo dir if it lives under ~/.gitnexus/repos/
-                const cloneDir = getCloneDir(entry.name);
+                // 2. Delete the cloned repo dir if it lives under ~/.gitnexus/repos/.
+                // getCloneDir now throws on names that are not filesystem-safe (e.g.
+                // local repos registered with names like "my project" or "org/repo").
+                // Such repos legitimately have no clone dir, so treat the rejection as
+                // "nothing to clean up" rather than letting it fail the delete handler.
+                let cloneDir = null;
                 try {
-                    const stat = await fs.stat(cloneDir);
-                    if (stat.isDirectory()) {
-                        await fs.rm(cloneDir, { recursive: true, force: true });
-                    }
+                    cloneDir = getCloneDir(entry.name);
                 }
                 catch {
-                    /* clone dir may not exist (local repos) */
+                    /* repo name not eligible for a clone dir (local repo) */
+                }
+                if (cloneDir) {
+                    try {
+                        const stat = await fs.stat(cloneDir);
+                        if (stat.isDirectory()) {
+                            await fs.rm(cloneDir, { recursive: true, force: true });
+                        }
+                    }
+                    catch {
+                        /* clone dir may not exist */
+                    }
                 }
                 // 3. Unregister from the global registry
                 const { unregisterRepo } = await import('../storage/repo-manager.js');

package/dist/server/git-clone.d.ts

@@ -4,7 +4,13 @@
  * Shallow-clones repositories into ~/.gitnexus/repos/{name}/.
  * If already cloned, does git pull instead.
  */
-/** Extract the repository name from a git URL (HTTPS or SSH). */
+/**
+ * Extract the repository name from a git URL (HTTPS or SSH).
+ *
+ * Throws if the URL does not yield a filesystem-safe last segment. A name
+ * like `..` or `foo/bar` would otherwise let `getCloneDir(name)` escape the
+ * clone root via path traversal.
+ */
 export declare function extractRepoName(url: string): string;
 /** Get the clone target directory for a repo name. */
 export declare function getCloneDir(repoName: string): string;
@@ -18,9 +24,76 @@ export interface CloneProgress {
     phase: 'cloning' | 'pulling';
     message: string;
 }
+/**
+ * Build the `git clone` argument list for a given URL and target directory.
+ *
+ * The `--` separator is non-negotiable: it stops git from parsing a URL that
+ * starts with `--` (e.g. `--upload-pack=evil`) as an option flag, which would
+ * otherwise execute an attacker-chosen subprocess (CodeQL
+ * js/second-order-command-line-injection, alerts #166/#167).
+ *
+ * Exported so the separator placement is testable without mocking spawn.
+ */
+export declare function buildCloneArgs(url: string, targetDir: string): string[];
+/**
+ * Normalize a git URL into a comparable form.
+ *
+ * Two URLs are considered the same repository when their normalized forms
+ * are identical: lowercased hostname, no trailing `.git`, no trailing
+ * slashes on the path, default port stripped. Path comparison stays
+ * case-sensitive because that's how Git hosts treat the path component on
+ * the wire (case-folding GitHub's web UI is a separate convenience).
+ *
+ * Returns the original input if URL parsing fails — the caller can still
+ * compare with the literal string for non-URL forms (e.g. SSH `git@host:`).
+ */
+export declare function normalizeGitUrlForCompare(url: string): string;
+/**
+ * Read `remote.origin.url` from an existing clone using `git config --get`.
+ *
+ * Returns `null` if the config key is absent, the spawn fails, or the
+ * directory isn't a git repository. The caller decides what a missing
+ * remote means for its threat model — for cloneOrPull, a missing remote
+ * on an existing clone is treated as a refuse-to-pull condition.
+ */
+export declare function getRemoteOriginUrl(cwd: string): Promise<string | null>;
+/**
+ * Verify that an existing clone's `remote.origin.url` matches the requested
+ * URL (after normalization). Throws on mismatch or missing remote.
+ *
+ * Closes the wrong-repo silent-analysis vector that Codex's adversarial
+ * review on PR #1325 surfaced: clone dirs are keyed by URL basename, so a
+ * request for `https://gitlab.example/attacker/repo.git` would otherwise
+ * collide with an existing `~/.gitnexus/repos/repo` cloned from a different
+ * origin and `git pull --ff-only` would silently succeed against the wrong
+ * remote.
+ *
+ * Exported so the comparison logic is testable in isolation against any
+ * tmpdir-based fixture, without needing to populate CLONE_ROOT.
+ */
+export declare function assertRemoteMatchesRequestedUrl(targetDir: string, requestedUrl: string): Promise<void>;
 /**
  * Clone or pull a git repository.
  * If targetDir doesn't exist: git clone --depth 1
- * If targetDir exists with .git: git pull --ff-only
+ * If targetDir exists with .git: git pull --ff-only (after verifying the
+ * existing clone's remote.origin matches the requested URL).
+ *
+ * Security:
+ *   - targetDir must resolve inside CLONE_ROOT (~/.gitnexus/repos/). The
+ *     path.relative containment barrier below is the inline canonical idiom
+ *     CodeQL's js/path-injection sanitizer recognizes.
+ *   - validateGitUrl runs unconditionally on the requested URL — both the
+ *     clone path and the pull path. An earlier shape only validated on the
+ *     clone branch; an existing clone with the same basename let an
+ *     attacker's URL skip the SSRF / scheme / private-IP checks (Codex
+ *     adversarial review on PR #1325).
+ *   - When the target already has `.git`, the existing clone's
+ *     remote.origin.url is fetched and compared (normalized) to the
+ *     requested URL. Refuses to pull if they differ — this closes the
+ *     wrong-repo silent-analysis vector where two URLs sharing a basename
+ *     would collide on the same on-disk clone dir.
+ *   - The git URL is passed after a `--` separator so a value beginning with
+ *     `--` (e.g. `--upload-pack=evil`) cannot be interpreted as a git option
+ *     (CodeQL js/second-order-command-line-injection).
  */
 export declare function cloneOrPull(url: string, targetDir: string, onProgress?: (progress: CloneProgress) => void): Promise<string>;

package/dist/server/git-clone.js

@@ -9,15 +9,43 @@ import path from 'path';
 import os from 'os';
 import fs from 'fs/promises';
 import { isIP } from 'net';
-/** Extract the repository name from a git URL (HTTPS or SSH). */
+/** Root directory for all cloned repositories. Targets must resolve inside this. */
+const CLONE_ROOT = path.resolve(path.join(os.homedir(), '.gitnexus', 'repos'));
+// A valid git repository name is filesystem-safe: alphanumerics plus `. _ -`.
+// Rejecting anything else (including `..`, `/`, `\`, shell metacharacters)
+// guarantees getCloneDir(repoName) cannot escape CLONE_ROOT regardless of
+// how the caller derived repoName.
+const REPO_NAME_PATTERN = /^[a-zA-Z0-9._-]+$/;
+/**
+ * Extract the repository name from a git URL (HTTPS or SSH).
+ *
+ * Throws if the URL does not yield a filesystem-safe last segment. A name
+ * like `..` or `foo/bar` would otherwise let `getCloneDir(name)` escape the
+ * clone root via path traversal.
+ */
 export function extractRepoName(url) {
-    const cleaned = url.replace(/\/+$/, '');
-    const lastSegment = cleaned.split(/[/:]/).pop() || 'unknown';
-    return lastSegment.replace(/\.git$/, '');
+    // Strip trailing slashes without a regex to avoid polynomial-ReDoS on
+    // pathological inputs like `https://x.com/y` + '/'.repeat(1e6). CodeQL's
+    // js/polynomial-redos flagged `/\/+$/` here.
+    let end = url.length;
+    while (end > 0 && url.charCodeAt(end - 1) === 47 /* '/' */)
+        end--;
+    const cleaned = url.slice(0, end);
+    const lastSegment = cleaned.split(/[/:]/).pop() || '';
+    const stripped = lastSegment.endsWith('.git') ? lastSegment.slice(0, -4) : lastSegment;
+    if (!stripped || stripped === '.' || stripped === '..' || !REPO_NAME_PATTERN.test(stripped)) {
+        throw new Error('Could not extract a valid repository name from URL');
+    }
+    return stripped;
 }
 /** Get the clone target directory for a repo name. */
 export function getCloneDir(repoName) {
-    return path.join(os.homedir(), '.gitnexus', 'repos', repoName);
+    // Re-validate at the boundary even though extractRepoName already checked —
+    // callers may pass a repoName from another source (test fixtures, scripts).
+    if (!repoName || repoName === '.' || repoName === '..' || !REPO_NAME_PATTERN.test(repoName)) {
+        throw new Error('Invalid repository name');
+    }
+    return path.join(CLONE_ROOT, repoName);
 }
 // Cloud metadata hostnames that must never be reachable via user-supplied URLs
 const BLOCKED_HOSTNAMES = new Set([
@@ -161,24 +189,181 @@ function assertNotPrivateIPv4(ip) {
         throw new Error('Cloning from private/internal addresses is not allowed');
     }
 }
+/**
+ * Build the `git clone` argument list for a given URL and target directory.
+ *
+ * The `--` separator is non-negotiable: it stops git from parsing a URL that
+ * starts with `--` (e.g. `--upload-pack=evil`) as an option flag, which would
+ * otherwise execute an attacker-chosen subprocess (CodeQL
+ * js/second-order-command-line-injection, alerts #166/#167).
+ *
+ * Exported so the separator placement is testable without mocking spawn.
+ */
+export function buildCloneArgs(url, targetDir) {
+    return ['clone', '--depth', '1', '--', url, targetDir];
+}
+/**
+ * Normalize a git URL into a comparable form.
+ *
+ * Two URLs are considered the same repository when their normalized forms
+ * are identical: lowercased hostname, no trailing `.git`, no trailing
+ * slashes on the path, default port stripped. Path comparison stays
+ * case-sensitive because that's how Git hosts treat the path component on
+ * the wire (case-folding GitHub's web UI is a separate convenience).
+ *
+ * Returns the original input if URL parsing fails — the caller can still
+ * compare with the literal string for non-URL forms (e.g. SSH `git@host:`).
+ */
+export function normalizeGitUrlForCompare(url) {
+    // Strip trailing slashes and a trailing `.git` for both URL and SSH forms.
+    let trimmed = url;
+    while (trimmed.length > 0 && trimmed[trimmed.length - 1] === '/') {
+        trimmed = trimmed.slice(0, -1);
+    }
+    if (trimmed.endsWith('.git'))
+        trimmed = trimmed.slice(0, -4);
+    try {
+        const parsed = new URL(trimmed);
+        parsed.hostname = parsed.hostname.toLowerCase();
+        // strip default ports
+        if ((parsed.protocol === 'https:' && parsed.port === '443') ||
+            (parsed.protocol === 'http:' && parsed.port === '80')) {
+            parsed.port = '';
+        }
+        // Strip credentials — never material to repo identity, and including
+        // them would let two equivalent URLs (with/without basic auth) compare
+        // unequal.
+        parsed.username = '';
+        parsed.password = '';
+        // Recompose without trailing slash on the path.
+        let pathname = parsed.pathname;
+        while (pathname.length > 1 && pathname[pathname.length - 1] === '/') {
+            pathname = pathname.slice(0, -1);
+        }
+        parsed.pathname = pathname;
+        return `${parsed.protocol}//${parsed.hostname}${parsed.port ? ':' + parsed.port : ''}${parsed.pathname}`;
+    }
+    catch {
+        // Non-URL forms (e.g. `git@github.com:owner/repo`) — return the trimmed
+        // form lowercased on the hostname-ish prefix. SSH-form normalization
+        // is best-effort; exact-string compare is sufficient for the threat
+        // model (mismatched origins still differ at the literal level).
+        return trimmed.toLowerCase();
+    }
+}
+/**
+ * Read `remote.origin.url` from an existing clone using `git config --get`.
+ *
+ * Returns `null` if the config key is absent, the spawn fails, or the
+ * directory isn't a git repository. The caller decides what a missing
+ * remote means for its threat model — for cloneOrPull, a missing remote
+ * on an existing clone is treated as a refuse-to-pull condition.
+ */
+export function getRemoteOriginUrl(cwd) {
+    return new Promise((resolve) => {
+        const proc = spawn('git', ['config', '--get', 'remote.origin.url'], {
+            cwd,
+            stdio: ['ignore', 'pipe', 'pipe'],
+            env: { ...process.env, GIT_TERMINAL_PROMPT: '0' },
+        });
+        let stdout = '';
+        proc.stdout.on('data', (chunk) => {
+            stdout += chunk;
+        });
+        proc.on('close', (code) => {
+            if (code === 0 && stdout.trim()) {
+                resolve(stdout.trim());
+            }
+            else {
+                resolve(null);
+            }
+        });
+        proc.on('error', () => resolve(null));
+    });
+}
+/**
+ * Verify that an existing clone's `remote.origin.url` matches the requested
+ * URL (after normalization). Throws on mismatch or missing remote.
+ *
+ * Closes the wrong-repo silent-analysis vector that Codex's adversarial
+ * review on PR #1325 surfaced: clone dirs are keyed by URL basename, so a
+ * request for `https://gitlab.example/attacker/repo.git` would otherwise
+ * collide with an existing `~/.gitnexus/repos/repo` cloned from a different
+ * origin and `git pull --ff-only` would silently succeed against the wrong
+ * remote.
+ *
+ * Exported so the comparison logic is testable in isolation against any
+ * tmpdir-based fixture, without needing to populate CLONE_ROOT.
+ */
+export async function assertRemoteMatchesRequestedUrl(targetDir, requestedUrl) {
+    const remoteUrl = await getRemoteOriginUrl(targetDir);
+    if (remoteUrl === null) {
+        throw new Error(`Existing clone at ${targetDir} has no remote.origin — refusing to pull`);
+    }
+    if (normalizeGitUrlForCompare(remoteUrl) !== normalizeGitUrlForCompare(requestedUrl)) {
+        throw new Error(`Existing clone at ${targetDir} has remote ${remoteUrl}, not the requested URL ${requestedUrl}`);
+    }
+}
 /**
  * Clone or pull a git repository.
  * If targetDir doesn't exist: git clone --depth 1
- * If targetDir exists with .git: git pull --ff-only
+ * If targetDir exists with .git: git pull --ff-only (after verifying the
+ * existing clone's remote.origin matches the requested URL).
+ *
+ * Security:
+ *   - targetDir must resolve inside CLONE_ROOT (~/.gitnexus/repos/). The
+ *     path.relative containment barrier below is the inline canonical idiom
+ *     CodeQL's js/path-injection sanitizer recognizes.
+ *   - validateGitUrl runs unconditionally on the requested URL — both the
+ *     clone path and the pull path. An earlier shape only validated on the
+ *     clone branch; an existing clone with the same basename let an
+ *     attacker's URL skip the SSRF / scheme / private-IP checks (Codex
+ *     adversarial review on PR #1325).
+ *   - When the target already has `.git`, the existing clone's
+ *     remote.origin.url is fetched and compared (normalized) to the
+ *     requested URL. Refuses to pull if they differ — this closes the
+ *     wrong-repo silent-analysis vector where two URLs sharing a basename
+ *     would collide on the same on-disk clone dir.
+ *   - The git URL is passed after a `--` separator so a value beginning with
+ *     `--` (e.g. `--upload-pack=evil`) cannot be interpreted as a git option
+ *     (CodeQL js/second-order-command-line-injection).
  */
 export async function cloneOrPull(url, targetDir, onProgress) {
-    const exists = await fs.access(path.join(targetDir, '.git')).then(() => true, () => false);
+    // Containment barrier — inline with the canonical path.relative idiom so
+    // CodeQL recognizes the sanitizer at every following filesystem and
+    // subprocess sink. The same `safeTarget` is used for every downstream
+    // path operation — no reassignment that the analyzer could lose track of.
+    //
+    // Limitation: this is a lexical containment check, not a realpath check.
+    // If an attacker can place a symlink under CLONE_ROOT pointing outside it,
+    // the lexical check passes but the clone lands at the symlink target. That
+    // requires pre-existing local write access to CLONE_ROOT, so the threat
+    // model considers it out of scope; CodeQL js/path-injection accepts the
+    // lexical form. Tracked as a follow-up if defense-in-depth is needed.
+    const safeTarget = path.resolve(targetDir);
+    const rel = path.relative(CLONE_ROOT, safeTarget);
+    if (rel === '' || rel.startsWith('..') || path.isAbsolute(rel)) {
+        throw new Error(`Clone target must be a subdirectory of ${CLONE_ROOT}`);
+    }
+    // Always validate the requested URL — the prior shape only ran this in
+    // the clone branch, leaving the pull branch as an SSRF / blocked-host
+    // bypass when an existing clone shared the basename of an attacker URL.
+    validateGitUrl(url);
+    const exists = await fs.access(path.join(safeTarget, '.git')).then(() => true, () => false);
     if (exists) {
+        // Confirm the existing clone is actually the same repository the caller
+        // requested. Without this check, a pull would silently succeed against
+        // whatever remote the dir was originally cloned from.
+        await assertRemoteMatchesRequestedUrl(safeTarget, url);
         onProgress?.({ phase: 'pulling', message: 'Pulling latest changes...' });
-        await runGit(['pull', '--ff-only'], targetDir);
+        await runGit(['pull', '--ff-only'], safeTarget);
     }
     else {
-        validateGitUrl(url);
-        await fs.mkdir(path.dirname(targetDir), { recursive: true });
+        await fs.mkdir(path.dirname(safeTarget), { recursive: true });
         onProgress?.({ phase: 'cloning', message: `Cloning ${url}...` });
-        await runGit(['clone', '--depth', '1', url, targetDir]);
+        await runGit(buildCloneArgs(url, safeTarget));
     }
-    return targetDir;
+    return safeTarget;
 }
 function runGit(args, cwd) {
     return new Promise((resolve, reject) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gitnexus",
-  "version": "1.6.4-rc.57",
+  "version": "1.6.4-rc.59",
   "description": "Graph-powered code intelligence for AI agents. Index any codebase, query via MCP or CLI.",
   "author": "Abhigyan Patwari",
   "license": "PolyForm-Noncommercial-1.0.0",
@@ -53,7 +53,7 @@
   },
   "dependencies": {
     "@huggingface/transformers": "^4.1.0",
-    "@ladybugdb/core": "^0.16.0",
+    "@ladybugdb/core": "^0.16.1",
     "@modelcontextprotocol/sdk": "^1.0.0",
     "@scarf/scarf": "^1.4.0",
     "cli-progress": "^3.12.0",