i18ntk 2.3.7 → 2.4.0

package/utils/security.js

@@ -1,26 +1,93 @@
-const path = require('path');
-const fs = require('fs');
-const crypto = require('crypto');
-
-
-// Lazy load configManager to avoid circular dependency
-let configManager;
-let configManagerLoadAttempted = false;
-function getConfigManager() {
-  if (!configManager && !configManagerLoadAttempted) {
-    configManagerLoadAttempted = true;
-    try {
-      configManager = require('./config-manager');
-    } catch (error) {
-      // Return null if config-manager can't be loaded
-      return null;
-    }
-  }
-  return configManager;
-}
-
-// Lazy load i18n to prevent initialization race conditions
-let i18n;
+const path = require('path');
+const fs = require('fs');
+const crypto = require('crypto');
+const { logger } = require('./logger');
+
+const INTERNAL_MANIFEST_CACHE = {
+  initialized: false,
+  roots: new Set()
+};
+
+function findPackageRoot(startDir) {
+  let current = path.resolve(startDir || process.cwd());
+  while (true) {
+    const manifest = path.join(current, 'package.json');
+    if (fs.existsSync(manifest)) {
+      return current;
+    }
+    const parent = path.dirname(current);
+    if (parent === current) {
+      return null;
+    }
+    current = parent;
+  }
+}
+
+function initializeInternalRoots() {
+  if (INTERNAL_MANIFEST_CACHE.initialized) {
+    return INTERNAL_MANIFEST_CACHE.roots;
+  }
+
+  INTERNAL_MANIFEST_CACHE.initialized = true;
+  const roots = INTERNAL_MANIFEST_CACHE.roots;
+  const candidates = [
+    process.cwd(),
+    path.resolve(__dirname, '..'),
+    findPackageRoot(process.cwd()),
+    findPackageRoot(path.resolve(__dirname, '..'))
+  ].filter(Boolean);
+
+  for (const candidate of candidates) {
+    roots.add(path.resolve(candidate));
+  }
+
+  const custom = String(process.env.I18NTK_INTERNAL_PATH_PREFIXES || '')
+    .split(',')
+    .map((entry) => entry.trim())
+    .filter(Boolean);
+  for (const prefix of custom) {
+    roots.add(path.resolve(prefix));
+  }
+
+  return roots;
+}
+
+function normalizeForCompare(value) {
+  return String(value || '').replace(/\\/g, '/').toLowerCase();
+}
+
+function isPathInside(root, target) {
+  const normalizedRoot = normalizeForCompare(path.resolve(root));
+  const normalizedTarget = normalizeForCompare(path.resolve(target));
+  return normalizedTarget === normalizedRoot || normalizedTarget.startsWith(`${normalizedRoot}/`);
+}
+
+function isInternalPath(inputPath) {
+  if (!inputPath || typeof inputPath !== 'string') {
+    return false;
+  }
+  const roots = initializeInternalRoots();
+  const absolute = path.resolve(inputPath);
+  for (const root of roots) {
+    if (isPathInside(root, absolute)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+function detectDangerReason(filePath) {
+  if (/\.\.(\/|\\|$)/.test(filePath)) return 'Contains parent directory traversal segments';
+  if (/(^|[\/\\])~([\/\\]|$)/.test(filePath)) return 'Contains home-directory shorthand';
+  if (/\$\{/.test(filePath)) return 'Contains variable expansion token';
+  if (/`/.test(filePath)) return 'Contains command substitution token';
+  if (/[|;&<>]/.test(filePath)) return 'Contains shell metacharacters';
+  return null;
+}
+
+
+// Lazy load i18n to prevent initialization race conditions
+let i18n;
 function getI18n() {
   if (!i18n) {
     try {
@@ -74,11 +141,13 @@ static _logging = false;
       SecurityUtils._operationStack = new Set();
     }
 
-    if (SecurityUtils._operationStack.has(operationName)) {
-      const i18n = getI18n();
-      SecurityUtils.logSecurityEvent(i18n.t('security.recursion_detected', { operation: operationName }), 'error');
-      return null;
-    }
+    if (SecurityUtils._operationStack.has(operationName)) {
+      SecurityUtils.logSecurityEvent('Recursion detected while performing secure operation', 'warn', {
+        operation: operationName,
+        source: 'internal'
+      });
+      return null;
+    }
 
     SecurityUtils._operationStack.add(operationName);
 
@@ -88,12 +157,15 @@ static _logging = false;
       let hasResult = false;
       let timeoutId = null;
 
-      timeoutId = setTimeout(() => {
-        if (!hasResult) {
-          const i18n = getI18n();
-          SecurityUtils.logSecurityEvent(i18n.t('security.operation_timeout', { operation: operationName }), 'warning');
-        }
-      }, timeoutMs);
+      timeoutId = setTimeout(() => {
+        if (!hasResult) {
+          SecurityUtils.logSecurityEvent('Secure operation timeout', 'warn', {
+            operation: operationName,
+            timeoutMs,
+            source: 'internal'
+          });
+        }
+      }, timeoutMs);
 
       // Execute operation synchronously
       result = operation();
@@ -105,12 +177,12 @@ static _logging = false;
 
       return result;
     } catch (error) {
-    const i18n = getI18n();
-    SecurityUtils.logSecurityEvent('Operation error', 'error', {
-    operation: operationName,
-    error: error.message
-    });
-    return null;
+      SecurityUtils.logSecurityEvent('Secure operation error', 'error', {
+        operation: operationName,
+        error: error.message,
+        source: 'internal'
+      });
+      return null;
     } finally {
       SecurityUtils._operationStack.delete(operationName);
     }
@@ -122,60 +194,40 @@ static _logging = false;
    * @param {string} level - Log level (info, warn, error)
    * @param {object} details - Additional details
    */
-  static logSecurityEvent(event, level = 'info', details = {}) {
-  // Prevent recursive logging which can occur during configuration loading
-  if (SecurityUtils._logging) {
-  return;
-  }
-  
-  SecurityUtils._logging = true;
-  try {
-  const cfg = getConfigManager()?.getConfig?.() || {};
-  const envLevel = (process.env.SECURITY_LOG_LEVEL || process.env.I18NTK_SECURITY_LOG_LEVEL || '').toLowerCase();
-  const configLevel = (cfg.security?.logLevel || cfg.security?.audit?.logLevel || '').toLowerCase();
-  
-  // Check for debug mode
-  const debugMode = process.env.I18N_DEBUG === 'true' || process.env.DEBUG === 'true';
-  const currentLevel = debugMode ? 'info' : (envLevel || configLevel || 'warn');
-
-      const levels = { error: 0, warn: 1, warning: 1, info: 2 };
-      const messageLevel = levels[level.toLowerCase()] ?? 2;
-      const allowedLevel = levels[currentLevel] ?? 1;
-      if (messageLevel > allowedLevel) {
-        return;
-      }
-
-      const timestamp = new Date().toISOString();
-      const logEntry = {
-        timestamp,
-        level,
-        event,
-        details: {
-          ...details,
-          pid: process.pid,
-          nodeVersion: process.version
-        }
-      };
-
-      const message = `[SECURITY ${level.toUpperCase()}] ${timestamp}: ${event}`;
-      if (level === 'error') {
-        console.error(message, details);
-      } else if (level === 'warn' || level === 'warning') {
-        console.warn(message, details);
-      } else {
-        console.log(message, details);
-      }
-    } finally {
-      SecurityUtils._logging = false;
-    }
-  }
+  static logSecurityEvent(event, level = 'info', details = {}) {
+    if (SecurityUtils._logging) {
+      return;
+    }
+
+    SecurityUtils._logging = true;
+    try {
+      const debugMode = logger.isDebugMode();
+      const explicitSecurityLogs = process.env.I18NTK_ENABLE_SECURITY_LOGS === 'true';
+      const source = details && details.source ? String(details.source).toLowerCase() : 'internal';
+      const levelName = String(level || 'info').toLowerCase();
+      const normalizedLevel = levelName === 'warning' ? 'warn' : levelName;
+
+      // Security warnings from internal paths are noise during builds.
+      if (!debugMode && !explicitSecurityLogs && source !== 'user') {
+        return;
+      }
+
+      logger.security(normalizedLevel, event, {
+        ...details,
+        pid: process.pid,
+        nodeVersion: process.version
+      });
+    } finally {
+      SecurityUtils._logging = false;
+    }
+  }
 
   // Add other static methods here...
-  static validatePath(filePath, basePath = process.cwd(), verbose = false) {
-    const i18n = getI18n();
-    const useI18n = i18n && i18n.isInitialized && typeof i18n.t === 'function';
-
-    try {
+  static validatePath(filePath, basePath = process.cwd(), verbose = false) {
+    const i18n = getI18n();
+    const useI18n = i18n && i18n.isInitialized && typeof i18n.t === 'function';
+
+    try {
     // Check against whitelist patterns for our own package artifacts
     if (SecurityUtils.PACKAGE_ARTIFACT_WHITELIST.some(pattern => pattern.test(filePath))) {
     return filePath;
@@ -195,17 +247,42 @@ static _logging = false;
         return null;
       }
 
-      // Check for obvious dangerous patterns first
-      if (!SecurityUtils.isSafePath(filePath)) {
-        const message = useI18n
-          ? i18n.t('security.pathTraversalAttempt')
-          : 'Path traversal attempt';
-        SecurityUtils.logSecurityEvent(message, 'warning', {
-          inputPath: filePath,
-          reason: 'Contains dangerous patterns'
-        });
-        return null;
-      }
+      const isWindowsAbsolute = /^[A-Z]:[\/\\]/i.test(filePath);
+      const isUnixAbsolute = filePath.startsWith('/') || filePath.startsWith('\\');
+      const isAbsolutePath = isWindowsAbsolute || isUnixAbsolute;
+      const dangerousReason = detectDangerReason(filePath);
+      const source = isInternalPath(filePath) ? 'internal' : 'user';
+
+      if (isAbsolutePath && isInternalPath(filePath)) {
+        return path.resolve(filePath);
+      }
+
+      // For absolute paths, defer trust decision to base-path containment checks below,
+      // but still reject obvious shell/injection markers.
+      if (isAbsolutePath && dangerousReason) {
+        const message = useI18n
+          ? i18n.t('security.pathTraversalAttempt')
+          : 'Path traversal attempt';
+        SecurityUtils.logSecurityEvent(message, 'warning', {
+          inputPath: filePath,
+          reason: dangerousReason,
+          source
+        });
+        return null;
+      }
+
+      // Check for obvious dangerous patterns first for relative paths
+      if (!isAbsolutePath && !SecurityUtils.isSafePath(filePath)) {
+        const message = useI18n
+          ? i18n.t('security.pathTraversalAttempt')
+          : 'Path traversal attempt';
+        SecurityUtils.logSecurityEvent(message, 'warning', {
+          inputPath: filePath,
+          reason: dangerousReason || 'Contains unsafe path segments',
+          source
+        });
+        return null;
+      }
 
       // Resolve base and target paths
       const base = fs.realpathSync(basePath);
@@ -220,44 +297,47 @@ static _logging = false;
       }
 
       // Check for actual path traversal (going outside the base directory)
-      const relativePath = path.relative(base, finalPath);
-      if (relativePath.startsWith('..')) {
-        const message = useI18n
-          ? i18n.t('security.pathTraversalAttempt')
-          : 'Path traversal attempt';
-        SecurityUtils.logSecurityEvent(message, 'warning', {
-          inputPath: filePath,
-          resolvedPath: finalPath,
-          basePath: base,
-          relativePath: relativePath
-        });
-        return null;
-      }
+      const relativePath = path.relative(base, finalPath);
+      if (relativePath.startsWith('..')) {
+        const message = useI18n
+          ? i18n.t('security.pathTraversalAttempt')
+          : 'Path traversal attempt';
+        SecurityUtils.logSecurityEvent(message, 'warning', {
+          inputPath: filePath,
+          resolvedPath: finalPath,
+          basePath: base,
+          relativePath: relativePath,
+          source
+        });
+        return null;
+      }
 
       // Allow absolute paths that resolve within the project structure
       // The isSafePath check above already filtered out dangerous absolute paths
 
       if (verbose) {
-        const successMsg = useI18n
-          ? i18n.t('security.pathValidated')
-          : 'Path validated';
-        SecurityUtils.logSecurityEvent(successMsg, 'info', {
-          inputPath: filePath,
-          resolvedPath: finalPath
-        });
-      }
-      return finalPath;
+        const successMsg = useI18n
+          ? i18n.t('security.pathValidated')
+          : 'Path validated';
+        SecurityUtils.logSecurityEvent(successMsg, 'info', {
+          inputPath: filePath,
+          resolvedPath: finalPath,
+          source
+        });
+      }
+      return finalPath;
     } catch (error) {
       const message = useI18n
         ? i18n.t('security.pathValidationError')
         : 'Path validation error';
-      SecurityUtils.logSecurityEvent(message, 'error', {
-        inputPath: filePath,
-        error: error.message
-      });
-      return null;
-    }
-  }
+      SecurityUtils.logSecurityEvent(message, 'error', {
+        inputPath: filePath,
+        error: error.message,
+        source: isInternalPath(filePath) ? 'internal' : 'user'
+      });
+      return null;
+    }
+  }
 
   static safeExistsSync(filePath, basePath, timeoutMs = 3000) {
     return this.withTimeoutSync(() => {
@@ -489,21 +569,23 @@ static _logging = false;
   const resolvedPath = path.resolve(joinedPath);
   
   // Ensure the final path is within the base directory
-  if (!resolvedPath.startsWith(resolvedBase)) {
-  SecurityUtils.logSecurityEvent('Path traversal attempt detected in safeJoin', 'error', {
-  basePath,
-  paths,
-  resolvedPath
-  });
-  return false;
-  }
+  if (!resolvedPath.startsWith(resolvedBase)) {
+  SecurityUtils.logSecurityEvent('Path traversal attempt detected in safeJoin', 'error', {
+  basePath,
+  paths,
+  resolvedPath,
+  source: 'internal'
+  });
+  return false;
+  }
   return resolvedPath;
   } catch (error) {
-  SecurityUtils.logSecurityEvent('Error in safeJoin', 'error', {
-  basePath,
-  paths,
-  error: error.message
-  });
+  SecurityUtils.logSecurityEvent('Error in safeJoin', 'error', {
+  basePath,
+  paths,
+  error: error.message,
+  source: 'internal'
+  });
   return false;
   }
   }
@@ -551,11 +633,12 @@ static _logging = false;
     ];
 
     // Allow absolute paths that are within the project structure
-    if (filePath.startsWith('/') || filePath.startsWith('\\')) {
-      // Allow absolute paths but check for dangerous patterns
-      const hasDangerousPatterns = dangerousPatterns.slice(1).some(pattern => pattern.test(filePath));
-      return !hasDangerousPatterns;
-    }
+    if (filePath.startsWith('/') || filePath.startsWith('\\')) {
+      // Treat raw Unix-style absolute input as dangerous by default in this helper.
+      // `validatePath` can still permit absolute paths if they resolve within basePath.
+      const hasDangerousPatterns = dangerousPatterns.slice(1).some(pattern => pattern.test(filePath));
+      return !hasDangerousPatterns;
+    }
 
     return !dangerousPatterns.some(pattern => pattern.test(filePath));
   }