i18ntk 1.10.1 → 2.0.2

package/utils/missing-key-validator.js

@@ -775,14 +775,14 @@ class MissingKeyValidator {
   }
 
   async validateLanguageKeys(language) {
-    const localePath = path.join(this.projectRoot, 'ui-locales', `${language}.json`);
+    const localePath = path.join(this.projectRoot, 'resources', 'i18n', 'ui-locales', `${language}.json`);
     
-    if (!fs.existsSync(localePath)) {
+    if (!SecurityUtils.safeExistsSync(localePath)) {
       return this.requiredKeys; // All keys missing if file doesn't exist
     }
     
     try {
-      const localeData = JSON.parse(fs.readFileSync(localePath, 'utf8'));
+      const localeData = JSON.parse(SecurityUtils.safeReadFileSync(localePath, 'utf8'));
       const existingKeys = Object.keys(localeData);
       
       return this.requiredKeys.filter(key => !existingKeys.includes(key));
@@ -807,7 +807,7 @@ class MissingKeyValidator {
     };
 
     const reportPath = path.join(__dirname, 'missing-keys-report.json');
-    fs.writeFileSync(reportPath, JSON.stringify(report, null, 2));
+    SecurityUtils.safeWriteFileSync(reportPath, JSON.stringify(report, null, 2));
     
     console.log('\n📊 Missing Keys Report:');
     console.log(`Total Languages: ${report.summary.totalLanguages}`);
@@ -837,7 +837,7 @@ class MissingKeyValidator {
     });
 
     const templatePath = path.join(__dirname, 'translation-template.json');
-    fs.writeFileSync(templatePath, JSON.stringify(template, null, 2));
+    SecurityUtils.safeWriteFileSync(templatePath, JSON.stringify(template, null, 2));
     
     console.log(`Translation template saved to: ${templatePath}`);
     return template;

package/utils/plugin-loader.js

@@ -1,13 +1,31 @@
-const path = require('path');
-
-function loadOptionalModule(name, cwd = process.cwd()) {
-  try {
-    const resolved = require.resolve(name, { paths: [cwd] });
-    return require(resolved);
- } catch {
-    return null;
-  }
-}
+function loadOptionalModule(name) {
+  // Security hardening: allow only known built-in optional plugins.
+  // This avoids dynamic runtime require of arbitrary package names.
+  const builtinPlugins = {
+    regex: () => require('./extractors/regex'),
+    'i18ntk-extractor-regex': () => require('./extractors/regex')
+  };
+
+  const direct = builtinPlugins[name];
+  if (direct) {
+    try {
+      return direct();
+    } catch {
+      return null;
+    }
+  }
+
+  // Sanitize the module name to prevent path traversal
+  const sanitizedName = name.replace(/[^a-zA-Z0-9@/_-]/g, '');
+  if (sanitizedName !== name) {
+    // If the name was changed, it was invalid
+    return null;
+  }
+
+  // Unknown optional modules are disabled by default.
+  // Register plugins programmatically through PluginLoader.registerPlugin instead.
+  return null;
+}
 class PluginLoader {
   constructor() {
     this.plugins = {};
@@ -28,4 +46,4 @@ class PluginLoader {
 }
 
 module.exports = PluginLoader;
-module.exports.loadOptionalModule = loadOptionalModule;
+module.exports.loadOptionalModule = loadOptionalModule;

package/utils/prompt.js

@@ -1,9 +1,6 @@
-const readline = require('node:readline');
-const { stdin: input, stdout: output } = require('node:process');
+const readline = require('readline');
+const { logger } = require('./logger');
 
-/**
- * Simple prompt utility for CLI interactions
- */
 class Prompt {
   constructor() {
     this.rl = readline.createInterface({
@@ -26,60 +23,33 @@ class Prompt {
 
   async confirm(questionText, defaultValue = false) {
     const answer = await this.question(`${questionText} (${defaultValue ? 'Y/n' : 'y/N'}) `);
-    const answer = await this.question(`${message} (${defaultValue ? 'Y/n' : 'y/N'}): `);
-    return answer ? answer.toLowerCase().startsWith('y') : defaultValue;
-  }
-
-  async select(message, choices, defaultIndex = 0) {
-    logger.log(`\n${message}:`);
-  async confirm(question, defaultValue = false) {
-    const answer = await this.question(`${question} (${defaultValue ? 'Y/n' : 'y/N'}) `);
     if (answer === '') return defaultValue;
     return /^y|yes$/i.test(answer);
   }
 
-  /**
-   * Present a list of choices and let the user select one
-   * @param {string} question - The question to ask
-   * @param {Array<string>} choices - Array of choices
-   * @returns {Promise<string>} The selected choice
-   */
-  async list(question, choices) {
-    if (!choices || !choices.length) {
-      throw new Error('No choices provided');
-    }
-
-    console.log(question);
+  async select(questionText, choices, defaultIndex = 0) {
+    logger.log(`\n${questionText}:`);
     choices.forEach((choice, index) => {
-      console.log(`  ${index + 1}. ${choice}`);
+      logger.log(`  ${index + 1}. ${choice}`);
     });
 
     while (true) {
-      const answer = await this.question(`Select an option (1-${choices.length}): `);
-      const index = parseInt(answer.trim(), 10) - 1;
-      
-      if (index >= 0 && index < choices.length) {
-        return choices[index];
+      const answer = await this.question(`\nSelect an option (1-${choices.length}): `);
+      const selected = parseInt(answer, 10) - 1;
+      if (!isNaN(selected) && selected >= 0 && selected < choices.length) {
+        return selected;
       }
-      
-      console.log('Invalid selection. Please try again.');
+      logger.log('Invalid selection. Please try again.');
     }
   }
 
-  /**
-   * Close the readline interface
-   */
-  close() {
-    this.rl.close();
+  async input(questionText, defaultValue = '') {
+    const answer = await this.question(`${questionText}${defaultValue ? ` [${defaultValue}]` : ''}: `);
+    return answer || defaultValue;
   }
 }
 
-// Create a singleton instance
 const prompt = new Prompt();
-
-// Handle process termination
-process.on('exit', () => {
-  prompt.close();
-});
+process.on('exit', () => prompt.close());
 
 module.exports = prompt;

package/utils/safe-json.js

@@ -0,0 +1,40 @@
+// utils/safe-json.js
+const { readFile } = require('fs/promises');
+
+function stripBOM(s) {
+  if (typeof s === 'string' && s.charCodeAt(0) === 0xFEFF) return s.slice(1);
+  return s;
+}
+
+/**
+ * Safe JSON load with guardrails.
+ * - Max file size (default 1MB)
+ * - BOM stripping
+ * - Single, typed error (no loops)
+ */
+async function readJsonSafe(filePath, { maxBytes = 1_000_000 } = {}) {
+  const buf = await readFile(filePath);
+  if (buf.length === 0) {
+    const err = new Error('Empty JSON file');
+    err.code = 'EJSONEMPTY';
+    err.path = filePath;
+    throw err;
+  }
+  if (buf.length > maxBytes) {
+    const err = new Error(`JSON too large (${buf.length} bytes)`);
+    err.code = 'EJSONTOOBIG';
+    err.path = filePath;
+    throw err;
+  }
+  try {
+    return JSON.parse(stripBOM(buf.toString('utf8')));
+  } catch (e) {
+    const err = new Error(`Invalid JSON`);
+    err.code = 'EJSONPARSE';
+    err.path = filePath;
+    err.cause = e;
+    throw err;
+  }
+}
+
+module.exports = { readJsonSafe };

package/utils/secure-errors.js

@@ -76,7 +76,7 @@ function secureErrorHandler(options = {}) {
   const config = { ...defaults, ...options };
   
   // Ensure log directory exists
-  if (config.logFilePath && !fs.existsSync(path.dirname(config.logFilePath))) {
+  if (config.logFilePath && !SecurityUtils.safeExistsSync(path.dirname(config.logFilePath))) {
     try {
       fs.mkdirSync(path.dirname(config.logFilePath), { recursive: true });
     } catch (e) {
@@ -126,12 +126,12 @@ function secureErrorHandler(options = {}) {
 
       // Log to console
       if (typeof config.logFunction === 'function') {
-        config.logFunction(JSON.stringify(logEntry, null, 2));
+        SecurityUtils.safeWriteFileSync(config.logFilePath, JSON.stringify(logEntry, null, 2));
       }
 
       // Log to file if configured
       if (config.logFilePath) {
-        fs.appendFileSync(
+        SecurityUtils.safeWriteFileSync(
           config.logFilePath,
           JSON.stringify(logEntry) + '\n',
           'utf8'

package/utils/security-check-improved.js

@@ -0,0 +1,390 @@
+#!/usr/bin/env node
+
+/**
+ * i18ntk Security Check Utility - IMPROVED VERSION
+ * Performs comprehensive security validation before build/publish
+ * Enhanced to intelligently distinguish between safe and dangerous requires
+ */
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+class SecurityChecker {
+  constructor() {
+    this.issues = [];
+    this.warnings = [];
+    this.projectRoot = path.resolve(__dirname, '..');
+  }
+
+  log(message, type = 'info') {
+    const timestamp = new Date().toISOString();
+    const colors = {
+      error: '\x1b[31m',
+      warning: '\x1b[33m',
+      success: '\x1b[32m',
+      info: '\x1b[36m',
+      reset: '\x1b[0m'
+    };
+    console.log(`${colors[type]}[${timestamp}] ${message}${colors.reset}`);
+  }
+
+  addIssue(message, file = null, line = null) {
+    this.issues.push({ message, file, line, type: 'error' });
+  }
+
+  addWarning(message, file = null, line = null) {
+    this.warnings.push({ message, file, line, type: 'warning' });
+  }
+
+  async checkFileExists(filePath) {
+    try {
+      await fs.promises.access(filePath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  async readFile(filePath) {
+    try {
+      return await fs.promises.readFile(filePath, 'utf8');
+    } catch (error) {
+      this.addIssue(`Cannot read file: ${filePath}`, filePath);
+      return null;
+    }
+  }
+
+  async checkPackageJson() {
+    this.log('Checking package.json security...');
+
+    const packageJsonPath = path.join(this.projectRoot, 'package.json');
+    const content = await this.readFile(packageJsonPath);
+
+    if (!content) return;
+
+    try {
+      const pkg = JSON.parse(content);
+
+      // Check for dangerous scripts
+      const dangerousScripts = ['preinstall', 'postinstall', 'preuninstall', 'postuninstall'];
+      const scripts = pkg.scripts || {};
+
+      for (const script of dangerousScripts) {
+        if (scripts[script]) {
+          this.addWarning(`Potentially dangerous script found: ${script}`, packageJsonPath);
+        }
+      }
+
+      // Check dependencies for known vulnerabilities (basic check)
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+      for (const [dep, version] of Object.entries(allDeps || {})) {
+        if (version.includes('*') || version.includes('latest')) {
+          this.addWarning(`Unpinned dependency version: ${dep}@${version}`, packageJsonPath);
+        }
+      }
+
+      // Verify security scripts exist
+      const requiredScripts = ['security:check', 'security:test', 'security:audit'];
+      for (const script of requiredScripts) {
+        if (!scripts[script]) {
+          this.addIssue(`Missing required security script: ${script}`, packageJsonPath);
+        }
+      }
+
+    } catch (error) {
+      this.addIssue(`Invalid JSON in package.json: ${error.message}`, packageJsonPath);
+    }
+  }
+
+  async checkSecurityUtils() {
+    this.log('Checking SecurityUtils implementation...');
+
+    const securityUtilsPath = path.join(this.projectRoot, 'utils/security.js');
+    if (!(await this.checkFileExists(securityUtilsPath))) {
+      this.addIssue('SecurityUtils file not found', securityUtilsPath);
+      return;
+    }
+
+    const content = await this.readFile(securityUtilsPath);
+    if (!content) return;
+
+    // Check for required security methods
+    const requiredMethods = [
+      'safeReadFileSync',
+      'safeExistsSync',
+      'safeWriteFileSync',
+      'validatePath',
+      'sanitizeInput',
+      'safeParseJSON'
+    ];
+
+    for (const method of requiredMethods) {
+      if (!content.includes(method)) {
+        this.addIssue(`Missing security method: ${method}`, securityUtilsPath);
+      }
+    }
+
+    // Check for dangerous patterns (excluding the overly broad require pattern)
+    const dangerousPatterns = [
+      /fs\.readFileSync\s*\(/g,
+      /fs\.writeFileSync\s*\(/g,
+      /fs\.existsSync\s*\(/g,
+      /eval\s*\(/g,
+      /Function\s*\(/g
+    ];
+
+    for (const pattern of dangerousPatterns) {
+      const matches = content.match(pattern);
+      if (matches) {
+        this.addWarning(`Potentially unsafe pattern found: ${pattern}`, securityUtilsPath);
+      }
+    }
+  }
+
+  async checkSourceFiles() {
+    this.log('Checking source files for security issues...');
+
+    const sourceDirs = ['main', 'utils', 'scripts', 'settings'];
+    const excludeFiles = ['security.js', 'security-fixed.js', 'security-check.js', 'security-check-improved.js'];
+
+    for (const dir of sourceDirs) {
+      const dirPath = path.join(this.projectRoot, dir);
+      if (!(await this.checkFileExists(dirPath))) continue;
+
+      try {
+        const files = await fs.promises.readdir(dirPath);
+        for (const file of files) {
+          if (!file.endsWith('.js') || excludeFiles.includes(file)) continue;
+
+          const filePath = path.join(dirPath, file);
+          const content = await this.readFile(filePath);
+          if (!content) continue;
+
+          await this.analyzeFileSecurity(filePath, content);
+        }
+      } catch (error) {
+        this.addIssue(`Cannot read directory: ${dirPath}`, dirPath);
+      }
+    }
+  }
+
+  async analyzeFileSecurity(filePath, content) {
+    const lines = content.split('\n');
+
+    lines.forEach((line, index) => {
+      // Check for direct fs operations
+      if (line.includes('fs.readFileSync(') && !line.includes('SecurityUtils')) {
+        this.addIssue('Direct fs.readFileSync usage (use SecurityUtils.safeReadFileSync)', filePath, index + 1);
+      }
+      if (line.includes('fs.writeFileSync(') && !line.includes('SecurityUtils')) {
+        this.addIssue('Direct fs.writeFileSync usage (use SecurityUtils.safeWriteFileSync)', filePath, index + 1);
+      }
+      if (line.includes('fs.existsSync(') && !line.includes('SecurityUtils')) {
+        this.addIssue('Direct fs.existsSync usage (use SecurityUtils.safeExistsSync)', filePath, index + 1);
+      }
+
+      // Check for dangerous patterns
+      if (line.includes('eval(') || line.includes('Function(')) {
+        this.addIssue('Dangerous code execution pattern detected', filePath, index + 1);
+      }
+
+      // Check for unsafe require patterns - be more intelligent
+      if (line.includes('require(')) {
+        this.analyzeRequireStatement(line, filePath, index + 1);
+      }
+    });
+  }
+
+  analyzeRequireStatement(line, filePath, lineNumber) {
+    // Extract the require path
+    const requireMatch = line.match(/require\s*\(\s*['"`]([^'"`]+)['"`]\s*\)/);
+    if (!requireMatch) return;
+
+    const requirePath = requireMatch[1];
+
+    // Skip safe built-in modules
+    // Note: child_process is intentionally excluded to keep runtime zero-shell
+    const safeBuiltins = ['fs', 'path', 'crypto', 'os', 'util', 'events', 'stream', 'buffer', 'http', 'https', 'url', 'querystring'];
+    if (safeBuiltins.includes(requirePath)) {
+      return; // Safe built-in module
+    }
+
+    // Skip safe relative requires within project structure
+    if (requirePath.startsWith('../') || requirePath.startsWith('./')) {
+      // Check if it's going too far up (more than 2 levels)
+      const upLevels = (requirePath.match(/\.\.\//g) || []).length;
+      if (upLevels > 2) {
+        this.addWarning('Deep relative require (more than 2 levels up)', filePath, lineNumber);
+      }
+      // Otherwise, relative requires within project are generally safe
+      return;
+    }
+
+    // Check for dynamic requires (variables)
+    if (requirePath.includes('${') || requirePath.includes('+') || requirePath.includes('variable')) {
+      this.addIssue('Dynamic require statement detected (potential security risk)', filePath, lineNumber);
+      return;
+    }
+
+    // Check for absolute paths outside node_modules
+    if (requirePath.startsWith('/') && !requirePath.includes('node_modules')) {
+      this.addWarning('Absolute path require outside node_modules', filePath, lineNumber);
+      return;
+    }
+
+    // Check for suspicious patterns
+    const suspiciousPatterns = [
+      /\.\./,                    // path traversal
+      /^~/,                      // home directory shorthand
+      /\$(HOME|USER)\b/,         // shell env expansions
+      /^[a-z][a-z0-9+.-]*:/i     // URL/protocol-like require targets
+    ];
+    for (const pattern of suspiciousPatterns) {
+      if (pattern.test(requirePath)) {
+        this.addIssue(`Suspicious require path pattern: ${pattern}`, filePath, lineNumber);
+        return;
+      }
+    }
+
+    // If we get here, it's likely a safe npm package require
+    // No action needed for legitimate package requires
+  }
+
+  async checkFilePermissions() {
+    this.log('Checking file permissions...');
+
+    const criticalFiles = [
+      'utils/security.js',
+      'tests/security.test.js',
+      'package.json'
+    ];
+
+    for (const file of criticalFiles) {
+      const filePath = path.join(this.projectRoot, file);
+      if (!(await this.checkFileExists(filePath))) {
+        this.addIssue(`Critical file not found: ${file}`, filePath);
+        continue;
+      }
+
+      try {
+        const stats = await fs.promises.stat(filePath);
+        const permissions = (stats.mode & parseInt('777', 8)).toString(8);
+
+        // Check if file is writable by group or others
+        if (permissions[1] !== '0' || permissions[2] !== '0') {
+          this.addWarning(`File has overly permissive permissions: ${file} (${permissions})`, filePath);
+        }
+      } catch (error) {
+        this.addIssue(`Cannot check permissions for: ${file}`, filePath);
+      }
+    }
+  }
+
+  async checkDependencies() {
+    this.log('Checking for dependency vulnerabilities...');
+
+    const packageJsonPath = path.join(this.projectRoot, 'package.json');
+    const content = await this.readFile(packageJsonPath);
+
+    if (!content) return;
+
+    try {
+      const pkg = JSON.parse(content);
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+
+      // Check for zero dependencies claim
+      if (Object.keys(allDeps || {}).length > 0) {
+        this.addWarning('Package claims zero dependencies but has dependencies in package.json');
+      }
+
+      // Check for suspicious dependency names
+      const suspiciousDeps = ['malicious', 'hack', 'exploit', 'trojan'];
+      for (const dep of Object.keys(allDeps || {})) {
+        for (const suspicious of suspiciousDeps) {
+          if (dep.toLowerCase().includes(suspicious)) {
+            this.addIssue(`Suspicious dependency name: ${dep}`);
+          }
+        }
+      }
+    } catch (error) {
+      this.addIssue(`Cannot parse package.json: ${error.message}`, packageJsonPath);
+    }
+  }
+
+  async run() {
+    this.log('Starting i18ntk Security Check (IMPROVED VERSION)...', 'info');
+
+    try {
+      await this.checkPackageJson();
+      await this.checkSecurityUtils();
+      await this.checkSourceFiles();
+      await this.checkFilePermissions();
+      await this.checkDependencies();
+
+      // Generate report
+      this.generateReport();
+
+      // Final status with detailed counts
+      const totalIssues = this.issues.length + this.warnings.length;
+      if (this.issues.length > 0) {
+        this.log(`Security check FAILED: ${this.issues.length} critical issues, ${this.warnings.length} warnings found`, 'error');
+        this.log(`Total: ${totalIssues} issues detected`, 'error');
+        // Ensure output is flushed before exit
+        await new Promise(resolve => setImmediate(resolve));
+        process.exit(1);
+      } else if (this.warnings.length > 0) {
+        this.log('Security check PASSED: No critical issues found', 'success');
+        this.log(`${this.warnings.length} warnings found (non-blocking)`, 'warning');
+        this.log(`Total: ${totalIssues} issues detected`, 'warning');
+      } else {
+        this.log('Security check PASSED: No issues found', 'success');
+      }
+    } catch (error) {
+      this.log(`Security check failed with error: ${error.message}`, 'error');
+      console.error('Stack trace:', error.stack);
+      process.exit(1);
+    }
+  }
+
+  generateReport() {
+    if (this.issues.length === 0 && this.warnings.length === 0) {
+      return;
+    }
+
+    console.log('\n=== SECURITY CHECK REPORT (IMPROVED) ===\n');
+
+    if (this.issues.length > 0) {
+      console.log('🔴 CRITICAL ISSUES:');
+      this.issues.forEach(issue => {
+        console.log(`  • ${issue.message}`);
+        if (issue.file) {
+          console.log(`    File: ${issue.file}${issue.line ? `:${issue.line}` : ''}`);
+        }
+      });
+      console.log('');
+    }
+
+    if (this.warnings.length > 0) {
+      console.log('🟡 WARNINGS:');
+      this.warnings.forEach(warning => {
+        console.log(`  • ${warning.message}`);
+        if (warning.file) {
+          console.log(`    File: ${warning.file}${warning.line ? `:${warning.line}` : ''}`);
+        }
+      });
+      console.log('');
+    }
+  }
+}
+
+// Run security check if called directly
+if (require.main === module) {
+  const checker = new SecurityChecker();
+  checker.run().catch(error => {
+    console.error('Security check failed:', error);
+    process.exit(1);
+  });
+}
+
+module.exports = SecurityChecker;

package/utils/security-config.js

@@ -124,7 +124,7 @@ class SecurityConfig {
 
         // Ensure config directory exists
         const configDir = path.dirname(this.configPath);
-        if (!fs.existsSync(configDir)) {
+        if (!SecurityUtils.safeExistsSync(configDir)) {
             fs.mkdirSync(configDir, { recursive: true });
         }
 
@@ -138,7 +138,7 @@ class SecurityConfig {
             }
         };
 
-        fs.writeFileSync(this.configPath, JSON.stringify(safeConfig, null, 2));
+        SecurityUtils.safeWriteFileSync(this.configPath, JSON.stringify(safeConfig, null, 2));
         
         return {
             configPath: this.configPath,
@@ -150,12 +150,12 @@ class SecurityConfig {
      * Load and validate existing configuration
      */
     loadSecurityConfig() {
-        if (!fs.existsSync(this.configPath)) {
+        if (!SecurityUtils.safeExistsSync(this.configPath)) {
             return this.createSecureConfig();
         }
 
         try {
-            const config = JSON.parse(fs.readFileSync(this.configPath, 'utf8'));
+            const config = JSON.parse(SecurityUtils.safeReadFileSync(this.configPath, path.dirname(this.configPath), 'utf8'));
             const validation = this.validateSecurityConfig(config);
             
             return {
@@ -178,7 +178,7 @@ class SecurityConfig {
         const timestamp = new Date().toISOString();
         
         // Create backup of old config
-        if (fs.existsSync(this.configPath)) {
+        if (SecurityUtils.safeExistsSync(this.configPath)) {
             fs.copyFileSync(this.configPath, `${this.configPath}.backup.${timestamp}`);
         }