gitnexus 1.6.8-rc.43 → 1.6.8-rc.45

package/dist/server/api.d.ts

@@ -72,5 +72,22 @@ export declare const handleFileRequest: (req: {
 export declare const handleQueryRequest: (req: express.Request, res: express.Response, resolveRepo: (repoName?: string) => Promise<{
     storagePath: string;
 } | undefined>) => Promise<void>;
+/**
+ * Validate the optional `token` field of POST /api/analyze. Returns an
+ * { status, error } to send, or null when the token is absent or valid.
+ *
+ * The token is a GitHub PAT: charset-restricted (blocks CRLF header
+ * smuggling), length-bounded (1–256), and bound to github.com using the SAME
+ * GITHUB_TOKEN_HOSTS allowlist + hostname parse as resolveGitCredential, so a
+ * token the API accepts is exactly the one buildGitEnv will inject — and one
+ * it rejects is never sent off github.com.
+ *
+ * Exported for unit tests (the route validation is otherwise only reachable
+ * by booting the server).
+ */
+export declare function validateAnalyzeToken(repoToken: unknown, repoUrl: unknown): {
+    status: number;
+    error: string;
+} | null;
 export declare const createServer: (port: number, host?: string) => Promise<void>;
 export {};

package/dist/server/api.js

@@ -23,7 +23,7 @@ import { mountMCPEndpoints } from './mcp-http.js';
 import { fileURLToPath } from 'url';
 import { JobManager } from './analyze-job.js';
 import { assertString, escapeRegExp, BadRequestError, createRouteLimiter } from './validation.js';
-import { extractRepoName, getCloneDir, cloneOrPull } from './git-clone.js';
+import { extractRepoName, getCloneDir, cloneOrPull, warnIfInsecureAzureConfig, GITHUB_TOKEN_HOSTS, } from './git-clone.js';
 import { createAnalyzeUploadHandler } from './analyze-upload.js';
 import { createLocalhostOriginGuard, normalizeBoundHost } from './middleware.js';
 import { createLaunchAnalysisWorker } from './analyze-launch.js';
@@ -580,7 +580,45 @@ export const handleQueryRequest = async (req, res, resolveRepo) => {
         res.status(500).json({ error: err.message || 'Query failed' });
     }
 };
+/**
+ * Validate the optional `token` field of POST /api/analyze. Returns an
+ * { status, error } to send, or null when the token is absent or valid.
+ *
+ * The token is a GitHub PAT: charset-restricted (blocks CRLF header
+ * smuggling), length-bounded (1–256), and bound to github.com using the SAME
+ * GITHUB_TOKEN_HOSTS allowlist + hostname parse as resolveGitCredential, so a
+ * token the API accepts is exactly the one buildGitEnv will inject — and one
+ * it rejects is never sent off github.com.
+ *
+ * Exported for unit tests (the route validation is otherwise only reachable
+ * by booting the server).
+ */
+export function validateAnalyzeToken(repoToken, repoUrl) {
+    if (repoToken === undefined)
+        return null;
+    if (typeof repoToken !== 'string')
+        return { status: 400, error: '"token" must be a string' };
+    if (repoToken.length === 0 || repoToken.length > 256)
+        return { status: 400, error: '"token" length must be between 1 and 256' };
+    if (!/^[A-Za-z0-9._~+/=-]+$/.test(repoToken))
+        return { status: 400, error: '"token" contains invalid characters' };
+    if (!repoUrl || typeof repoUrl !== 'string')
+        return { status: 400, error: '"token" requires "url"' };
+    let tokenHost;
+    try {
+        tokenHost = new URL(repoUrl).hostname.toLowerCase();
+    }
+    catch {
+        return { status: 400, error: '"url" must be a valid URL when "token" is provided' };
+    }
+    if (!GITHUB_TOKEN_HOSTS.has(tokenHost))
+        return { status: 400, error: '"token" is only supported for github.com URLs' };
+    return null;
+}
 export const createServer = async (port, host = '127.0.0.1') => {
+    // Surface a cleartext Azure DevOps PAT config at boot (operators rarely
+    // read per-request logs). Warn-only — http:// self-hosted stays supported.
+    warnIfInsecureAzureConfig();
     const app = express();
     app.disable('x-powered-by');
     // Trust X-Forwarded-* headers only when the connection comes from the
@@ -1272,7 +1310,7 @@ export const createServer = async (port, host = '127.0.0.1') => {
     // POST /api/analyze — start a new analysis job
     app.post('/api/analyze', createRouteLimiter({ limit: 10 }), requireLocalhostOrigin, async (req, res) => {
         try {
-            const { url: repoUrl, path: repoLocalPath, force, embeddings, dropEmbeddings } = req.body;
+            const { url: repoUrl, path: repoLocalPath, force, embeddings, dropEmbeddings, token: repoToken, } = req.body;
             // Input type validation
             if (repoUrl !== undefined && typeof repoUrl !== 'string') {
                 res.status(400).json({ error: '"url" must be a string' });
@@ -1286,6 +1324,13 @@ export const createServer = async (port, host = '127.0.0.1') => {
                 res.status(400).json({ error: 'Provide "url" (git URL) or "path" (local path)' });
                 return;
             }
+            // Token: optional, restricted charset to prevent header smuggling
+            // (CRLF), bound length, and bound to github.com (see validateAnalyzeToken).
+            const tokenError = validateAnalyzeToken(repoToken, repoUrl);
+            if (tokenError) {
+                res.status(tokenError.status).json({ error: tokenError.error });
+                return;
+            }
             // Path validation. The previous `normalize !== resolve` guard was inert
             // (both collapse `..` identically) and only false-rejected trailing
             // slashes, so it is dropped. Analyzing a local path the operator names
@@ -1302,9 +1347,20 @@ export const createServer = async (port, host = '127.0.0.1') => {
                 return;
             }
             const job = jobManager.createJob({ repoUrl, repoPath: repoLocalPath });
-            // If job was already running (dedup), just return its id
+            // If job was already running (dedup), just return its id. The token is
+            // not part of the dedup identity and is never stored on the job, so a
+            // token on THIS request had no effect — the existing job already
+            // cloned (or is cloning) with whatever credentials its originating
+            // request supplied. Surface `tokenIgnored` so an authenticated caller
+            // isn't misled into thinking their PAT took effect on a reused job.
             if (job.status !== 'queued') {
-                res.status(202).json({ jobId: job.id, status: job.status });
+                const body = {
+                    jobId: job.id,
+                    status: job.status,
+                };
+                if (repoToken !== undefined)
+                    body.tokenIgnored = true;
+                res.status(202).json(body);
                 return;
             }
             // Mark as active synchronously to prevent race with concurrent requests
@@ -1326,7 +1382,7 @@ export const createServer = async (port, host = '127.0.0.1') => {
                             jobManager.updateJob(job.id, {
                                 progress: { phase: progress.phase, percent: 5, message: progress.message },
                             });
-                        });
+                        }, repoToken ? { token: repoToken } : undefined);
                     }
                     if (!targetPath) {
                         throw new Error('No target path resolved');

package/dist/server/git-clone.d.ts

@@ -35,6 +35,25 @@ export interface CloneProgress {
  *
  * Exported so the separator placement is testable without mocking spawn.
  */
+/**
+ * Detect Azure DevOps URLs — both self-hosted (via AZURE_DEVOPS_URL env)
+ * and cloud (dev.azure.com / *.visualstudio.com).
+ *
+ * Self-hosted Azure DevOps Server instances use arbitrary hostnames
+ * (e.g. `http://tfs.corp.example/Collection/Project/_git/Repo`), so the
+ * function checks `AZURE_DEVOPS_URL` first. Cloud addresses are a
+ * hardcoded fallback so PAT injection works out-of-the-box for
+ * dev.azure.com without extra configuration.
+ */
+export declare function isAzureDevOpsUrl(url: string): boolean;
+/**
+ * One-time startup warning when AZURE_DEVOPS_URL is configured over cleartext
+ * http:// — the Azure DevOps PAT would then be sent unencrypted on every
+ * clone. Self-hosted instances that only serve http are still supported (we
+ * do not refuse), but operators rarely read request-time logs, so surface it
+ * at boot too. Call once from server startup.
+ */
+export declare function warnIfInsecureAzureConfig(): void;
 export declare function buildCloneArgs(url: string, targetDir: string): string[];
 /**
  * Normalize a git URL into a comparable form.
@@ -97,4 +116,25 @@ export declare function assertRemoteMatchesRequestedUrl(targetDir: string, reque
  *     `--` (e.g. `--upload-pack=evil`) cannot be interpreted as a git option
  *     (CodeQL js/second-order-command-line-injection).
  */
-export declare function cloneOrPull(url: string, targetDir: string, onProgress?: (progress: CloneProgress) => void): Promise<string>;
+export declare function cloneOrPull(url: string, targetDir: string, onProgress?: (progress: CloneProgress) => void, options?: {
+    token?: string;
+}): Promise<string>;
+/**
+ * Hosts the per-request GitHub PAT may be sent to. Exported so the
+ * /api/analyze boundary check and this injection-site check share one
+ * allowlist (they must agree, or a token accepted by the API could be
+ * silently dropped — or worse — at injection).
+ */
+export declare const GITHUB_TOKEN_HOSTS: ReadonlySet<string>;
+/**
+ * Build the spawn env for `git`. Suppresses credential prompts and, when a
+ * credential resolves (see resolveGitCredential), injects a single
+ * host-scoped Authorization header via the `GIT_CONFIG_*` env protocol
+ * (git ≥2.31) so credentials never appear in argv or the URL. Appends after
+ * any existing `GIT_CONFIG_COUNT` rather than overwriting it. Exported for
+ * unit tests.
+ */
+export declare function buildGitEnv(baseEnv: NodeJS.ProcessEnv, options?: {
+    token?: string;
+    url?: string;
+}): NodeJS.ProcessEnv;

package/dist/server/git-clone.js

@@ -197,6 +197,60 @@ function assertNotPrivateIPv4(ip) {
  *
  * Exported so the separator placement is testable without mocking spawn.
  */
+/**
+ * Detect Azure DevOps URLs — both self-hosted (via AZURE_DEVOPS_URL env)
+ * and cloud (dev.azure.com / *.visualstudio.com).
+ *
+ * Self-hosted Azure DevOps Server instances use arbitrary hostnames
+ * (e.g. `http://tfs.corp.example/Collection/Project/_git/Repo`), so the
+ * function checks `AZURE_DEVOPS_URL` first. Cloud addresses are a
+ * hardcoded fallback so PAT injection works out-of-the-box for
+ * dev.azure.com without extra configuration.
+ */
+export function isAzureDevOpsUrl(url) {
+    try {
+        // Strip a single trailing dot: `dev.azure.com.` is a valid absolute FQDN
+        // that resolves to the same host, so it must match too.
+        const host = new URL(url).hostname.toLowerCase().replace(/\.$/, '');
+        // Self-hosted: match against the configured base URL.
+        const configuredBase = process.env.AZURE_DEVOPS_URL;
+        if (configuredBase) {
+            try {
+                const baseHost = new URL(configuredBase).hostname.toLowerCase().replace(/\.$/, '');
+                if (host === baseHost)
+                    return true;
+            }
+            catch {
+                /* invalid AZURE_DEVOPS_URL — fall through to cloud check */
+            }
+        }
+        // Cloud fallback.
+        return host === 'dev.azure.com' || host.endsWith('.visualstudio.com');
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * One-time startup warning when AZURE_DEVOPS_URL is configured over cleartext
+ * http:// — the Azure DevOps PAT would then be sent unencrypted on every
+ * clone. Self-hosted instances that only serve http are still supported (we
+ * do not refuse), but operators rarely read request-time logs, so surface it
+ * at boot too. Call once from server startup.
+ */
+export function warnIfInsecureAzureConfig() {
+    const base = process.env.AZURE_DEVOPS_URL;
+    if (!base)
+        return;
+    try {
+        if (new URL(base).protocol === 'http:') {
+            logger.warn('AZURE_DEVOPS_URL is configured over cleartext http:// — the Azure DevOps PAT will be sent unencrypted. Prefer https:// where your instance supports it.');
+        }
+    }
+    catch {
+        /* invalid AZURE_DEVOPS_URL — isAzureDevOpsUrl already tolerates this */
+    }
+}
 export function buildCloneArgs(url, targetDir) {
     return ['clone', '--depth', '1', '--', url, targetDir];
 }
@@ -327,7 +381,7 @@ export async function assertRemoteMatchesRequestedUrl(targetDir, requestedUrl) {
  *     `--` (e.g. `--upload-pack=evil`) cannot be interpreted as a git option
  *     (CodeQL js/second-order-command-line-injection).
  */
-export async function cloneOrPull(url, targetDir, onProgress) {
+export async function cloneOrPull(url, targetDir, onProgress, options) {
     // Containment barrier — inline with the canonical path.relative idiom so
     // CodeQL recognizes the sanitizer at every following filesystem and
     // subprocess sink. The same `safeTarget` is used for every downstream
@@ -355,28 +409,160 @@ export async function cloneOrPull(url, targetDir, onProgress) {
         // whatever remote the dir was originally cloned from.
         await assertRemoteMatchesRequestedUrl(safeTarget, url);
         onProgress?.({ phase: 'pulling', message: 'Pulling latest changes...' });
-        await runGit(['pull', '--ff-only'], safeTarget);
+        await runGit(['pull', '--ff-only'], safeTarget, { token: options?.token, url });
     }
     else {
         await fs.mkdir(path.dirname(safeTarget), { recursive: true });
         onProgress?.({ phase: 'cloning', message: `Cloning ${url}...` });
-        await runGit(buildCloneArgs(url, safeTarget));
+        await runGit(buildCloneArgs(url, safeTarget), undefined, { token: options?.token, url });
     }
     return safeTarget;
 }
-function runGit(args, cwd) {
+/**
+ * Hosts the per-request GitHub PAT may be sent to. Exported so the
+ * /api/analyze boundary check and this injection-site check share one
+ * allowlist (they must agree, or a token accepted by the API could be
+ * silently dropped — or worse — at injection).
+ */
+export const GITHUB_TOKEN_HOSTS = new Set(['github.com', 'www.github.com']);
+/**
+ * Resolve at most ONE git credential for a clone/pull, by server-side policy
+ * keyed on the clone host against a fixed allowlist (never a free-form user
+ * toggle):
+ *   1. a per-request GitHub PAT — only for hosts in GITHUB_TOKEN_HOSTS;
+ *   2. else the server's AZURE_DEVOPS_PAT — only for Azure DevOps hosts;
+ *   3. else none.
+ * The two host sets are disjoint, so at most one credential ever applies; the
+ * GitHub token taking precedence is deterministic for the pathological case
+ * where AZURE_DEVOPS_URL is itself configured to a github.com host. Returns
+ * the base64 of the Basic-auth `user:secret` pair, or undefined.
+ *
+ * Security note (re CodeQL js/user-controlled-bypass): the clone URL is
+ * user-controlled and selects WHICH credential applies, but it cannot
+ * redirect a credential to an arbitrary host — the host is matched against
+ * fixed server-side allowlists (GITHUB_TOKEN_HOSTS, isAzureDevOpsUrl's
+ * dev.azure.com/*.visualstudio.com/configured AZURE_DEVOPS_URL), and the
+ * emitted header is host-scoped (buildExtraHeaderKey). A URL outside the
+ * allowlists yields no credential. The selection is therefore server-policy,
+ * not a bypass the user can steer.
+ */
+function resolveGitCredential(options) {
+    const url = options?.url;
+    if (!url)
+        return undefined;
+    let host;
+    try {
+        host = new URL(url).hostname.toLowerCase();
+    }
+    catch {
+        return undefined;
+    }
+    // 1. Per-request GitHub PAT — github.com only (mirrors the /api/analyze
+    //    host-bind so the user's token is never sent off github.com).
+    if (options.token && GITHUB_TOKEN_HOSTS.has(host)) {
+        return Buffer.from(`x-access-token:${options.token}`).toString('base64');
+    }
+    // 2. Server-configured Azure DevOps PAT — Azure hosts only.
+    const azurePat = process.env.AZURE_DEVOPS_PAT;
+    if (azurePat && isAzureDevOpsUrl(url)) {
+        return Buffer.from(`:${azurePat}`).toString('base64');
+    }
+    return undefined;
+}
+/**
+ * Build the host-scoped git config key `http.<origin+path>.extraHeader` from
+ * the raw clone URL, so the Authorization header is attached only to the
+ * intended origin (and its clone sub-requests like /info/refs), never a
+ * redirect target. Derived from the SAME raw URL git clones from — not the
+ * normalize-for-compare form, which strips `.git` and would desync the key
+ * from the wire URL and silently disable the header. Userinfo/query/fragment
+ * are dropped (not part of git's URL match) and control characters stripped
+ * (git rejects a newline in a config key outright).
+ */
+function buildExtraHeaderKey(url) {
+    let scoped;
+    try {
+        const u = new URL(url);
+        u.username = '';
+        u.password = '';
+        u.search = '';
+        u.hash = '';
+        scoped = `${u.protocol}//${u.host}${u.pathname}`;
+    }
+    catch {
+        return undefined;
+    }
+    scoped = scoped.replace(/[\r\n\0]/g, '');
+    return `http.${scoped}.extraHeader`;
+}
+/**
+ * Warn (do not block) when a credential is about to be sent over cleartext
+ * http://. Base64 is encoding, not encryption, so an on-path observer can
+ * read the PAT. We keep http:// working for self-hosted Azure DevOps Server.
+ */
+function warnIfCleartextCredential(url) {
+    if (!url)
+        return;
+    try {
+        const u = new URL(url);
+        if (u.protocol === 'http:') {
+            logger.warn(`Sending a git credential over cleartext http:// (${u.host}) — base64 is not encryption. Prefer https:// where the host supports it.`);
+        }
+    }
+    catch {
+        /* resolver already validated the URL */
+    }
+}
+/**
+ * Build the spawn env for `git`. Suppresses credential prompts and, when a
+ * credential resolves (see resolveGitCredential), injects a single
+ * host-scoped Authorization header via the `GIT_CONFIG_*` env protocol
+ * (git ≥2.31) so credentials never appear in argv or the URL. Appends after
+ * any existing `GIT_CONFIG_COUNT` rather than overwriting it. Exported for
+ * unit tests.
+ */
+export function buildGitEnv(baseEnv, options) {
+    const env = {
+        ...baseEnv,
+        // Prevent git from prompting for credentials (hangs the process)
+        GIT_TERMINAL_PROMPT: '0',
+        // Ensure no credential helper tries to open a GUI prompt
+        GIT_ASKPASS: process.platform === 'win32' ? 'echo' : '/bin/true',
+        // Scrub git's HTTP/transport trace vars: if inherited from the parent
+        // process they dump every request header — including the injected
+        // Authorization header — to stderr, which runGit captures and logs.
+        // `undefined` makes child_process omit the key from the child env.
+        GIT_TRACE: undefined,
+        GIT_TRACE_CURL: undefined,
+        GIT_TRACE_PACKET: undefined,
+        GIT_CURL_VERBOSE: undefined,
+    };
+    const credential = resolveGitCredential(options);
+    const key = options?.url ? buildExtraHeaderKey(options.url) : undefined;
+    if (credential && key) {
+        // Append after any GIT_CONFIG_* the operator already set, so we never
+        // clobber their git config (e.g. an enforced http.sslVerify).
+        const existing = Number.parseInt(env.GIT_CONFIG_COUNT ?? '', 10);
+        const base = Number.isInteger(existing) && existing > 0 ? existing : 0;
+        env.GIT_CONFIG_COUNT = String(base + 1);
+        env[`GIT_CONFIG_KEY_${base}`] = key;
+        env[`GIT_CONFIG_VALUE_${base}`] = `Authorization: Basic ${credential}`;
+        warnIfCleartextCredential(options?.url);
+    }
+    return env;
+}
+// `options` carries the inputs the credential resolver needs: a per-request
+// GitHub `token` and the clone `url`. buildGitEnv injects at most ONE
+// host-scoped Authorization header (GitHub PAT for github.com, else the
+// server's AZURE_DEVOPS_PAT for Azure hosts) via the GIT_CONFIG_* protocol —
+// never in argv. See resolveGitCredential / buildExtraHeaderKey.
+function runGit(args, cwd, options) {
     return new Promise((resolve, reject) => {
         const proc = spawn('git', args, {
             cwd,
             stdio: ['ignore', 'pipe', 'pipe'],
             windowsHide: true,
-            env: {
-                ...process.env,
-                // Prevent git from prompting for credentials (hangs the process)
-                GIT_TERMINAL_PROMPT: '0',
-                // Ensure no credential helper tries to open a GUI prompt
-                GIT_ASKPASS: process.platform === 'win32' ? 'echo' : '/bin/true',
-            },
+            env: buildGitEnv(process.env, options),
         });
         let stderr = '';
         proc.stderr.on('data', (chunk) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gitnexus",
-  "version": "1.6.8-rc.43",
+  "version": "1.6.8-rc.45",
   "description": "Graph-powered code intelligence for AI agents. Index any codebase, query via MCP or CLI.",
   "author": "Abhigyan Patwari",
   "license": "PolyForm-Noncommercial-1.0.0",