i18ntk 2.3.8 → 2.5.0

package/utils/security-check-improved.js

@@ -1,393 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * i18ntk Security Check Utility - IMPROVED VERSION
- * Performs comprehensive security validation before build/publish
- * Enhanced to intelligently distinguish between safe and dangerous requires
- */
-
-const fs = require('fs');
-const path = require('path');
-const crypto = require('crypto');
-
-class SecurityChecker {
-  constructor() {
-    this.issues = [];
-    this.warnings = [];
-    this.projectRoot = path.resolve(__dirname, '..');
-  }
-
-  log(message, type = 'info') {
-    const timestamp = new Date().toISOString();
-    const colors = {
-      error: '\x1b[31m',
-      warning: '\x1b[33m',
-      success: '\x1b[32m',
-      info: '\x1b[36m',
-      reset: '\x1b[0m'
-    };
-    console.log(`${colors[type]}[${timestamp}] ${message}${colors.reset}`);
-  }
-
-  addIssue(message, file = null, line = null) {
-    this.issues.push({ message, file, line, type: 'error' });
-  }
-
-  addWarning(message, file = null, line = null) {
-    this.warnings.push({ message, file, line, type: 'warning' });
-  }
-
-  async checkFileExists(filePath) {
-    try {
-      await fs.promises.access(filePath);
-      return true;
-    } catch {
-      return false;
-    }
-  }
-
-  async readFile(filePath) {
-    try {
-      return await fs.promises.readFile(filePath, 'utf8');
-    } catch (error) {
-      this.addIssue(`Cannot read file: ${filePath}`, filePath);
-      return null;
-    }
-  }
-
-  async checkPackageJson() {
-    this.log('Checking package.json security...');
-
-    const packageJsonPath = path.join(this.projectRoot, 'package.json');
-    const content = await this.readFile(packageJsonPath);
-
-    if (!content) return;
-
-    try {
-      const pkg = JSON.parse(content);
-
-      // Check for dangerous scripts
-      const dangerousScripts = ['preinstall', 'postinstall', 'preuninstall', 'postuninstall'];
-      const scripts = pkg.scripts || {};
-
-      for (const script of dangerousScripts) {
-        if (scripts[script]) {
-          this.addWarning(`Potentially dangerous script found: ${script}`, packageJsonPath);
-        }
-      }
-
-      // Check dependencies for known vulnerabilities (basic check)
-      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
-      for (const [dep, version] of Object.entries(allDeps || {})) {
-        if (version.includes('*') || version.includes('latest')) {
-          this.addWarning(`Unpinned dependency version: ${dep}@${version}`, packageJsonPath);
-        }
-      }
-
-      // Verify security scripts exist
-      const requiredScripts = ['security:check', 'security:test', 'security:audit'];
-      for (const script of requiredScripts) {
-        if (!scripts[script]) {
-          this.addIssue(`Missing required security script: ${script}`, packageJsonPath);
-        }
-      }
-
-    } catch (error) {
-      this.addIssue(`Invalid JSON in package.json: ${error.message}`, packageJsonPath);
-    }
-  }
-
-  async checkSecurityUtils() {
-    this.log('Checking SecurityUtils implementation...');
-
-    const securityUtilsPath = path.join(this.projectRoot, 'utils/security.js');
-    if (!(await this.checkFileExists(securityUtilsPath))) {
-      this.addIssue('SecurityUtils file not found', securityUtilsPath);
-      return;
-    }
-
-    const content = await this.readFile(securityUtilsPath);
-    if (!content) return;
-
-    // Check for required security methods
-    const requiredMethods = [
-      'safeReadFileSync',
-      'safeExistsSync',
-      'safeWriteFileSync',
-      'validatePath',
-      'sanitizeInput',
-      'safeParseJSON'
-    ];
-
-    for (const method of requiredMethods) {
-      if (!content.includes(method)) {
-        this.addIssue(`Missing security method: ${method}`, securityUtilsPath);
-      }
-    }
-
-    // Check for dangerous code execution patterns in SecurityUtils itself.
-    // Direct fs usage is expected here because this module provides vetted wrappers.
-    const dangerousPatterns = [
-      /eval\s*\(/g,
-      /Function\s*\(/g
-    ];
-
-    for (const pattern of dangerousPatterns) {
-      const matches = content.match(pattern);
-      if (matches) {
-        this.addWarning(`Potentially unsafe pattern found: ${pattern}`, securityUtilsPath);
-      }
-    }
-  }
-
-  async checkSourceFiles() {
-    this.log('Checking source files for security issues...');
-
-    const sourceDirs = ['main', 'utils', 'scripts', 'settings'];
-    const excludeFiles = ['security.js', 'security-fixed.js', 'security-check.js', 'security-check-improved.js'];
-
-    for (const dir of sourceDirs) {
-      const dirPath = path.join(this.projectRoot, dir);
-      if (!(await this.checkFileExists(dirPath))) continue;
-
-      try {
-        const files = await fs.promises.readdir(dirPath);
-        for (const file of files) {
-          if (!file.endsWith('.js') || excludeFiles.includes(file)) continue;
-
-          const filePath = path.join(dirPath, file);
-          const content = await this.readFile(filePath);
-          if (!content) continue;
-
-          await this.analyzeFileSecurity(filePath, content);
-        }
-      } catch (error) {
-        this.addIssue(`Cannot read directory: ${dirPath}`, dirPath);
-      }
-    }
-  }
-
-  async analyzeFileSecurity(filePath, content) {
-    const lines = content.split('\n');
-
-    lines.forEach((line, index) => {
-      // Check for direct fs operations
-      if (line.includes('fs.readFileSync(') && !line.includes('SecurityUtils')) {
-        this.addIssue('Direct fs.readFileSync usage (use SecurityUtils.safeReadFileSync)', filePath, index + 1);
-      }
-      if (line.includes('fs.writeFileSync(') && !line.includes('SecurityUtils')) {
-        this.addIssue('Direct fs.writeFileSync usage (use SecurityUtils.safeWriteFileSync)', filePath, index + 1);
-      }
-      if (line.includes('fs.existsSync(') && !line.includes('SecurityUtils')) {
-        this.addIssue('Direct fs.existsSync usage (use SecurityUtils.safeExistsSync)', filePath, index + 1);
-      }
-
-      // Check for dangerous patterns
-      if (line.includes('eval(') || line.includes('Function(')) {
-        this.addIssue('Dangerous code execution pattern detected', filePath, index + 1);
-      }
-
-      // Check for unsafe require patterns - be more intelligent
-      if (line.includes('require(')) {
-        this.analyzeRequireStatement(line, filePath, index + 1);
-      }
-    });
-  }
-
-  analyzeRequireStatement(line, filePath, lineNumber) {
-    // Extract the require path
-    const requireMatch = line.match(/require\s*\(\s*['"`]([^'"`]+)['"`]\s*\)/);
-    if (!requireMatch) return;
-
-    const requirePath = requireMatch[1];
-
-    // Skip safe built-in modules
-    // Note: child_process is intentionally excluded to keep runtime zero-shell
-    const safeBuiltins = ['fs', 'path', 'crypto', 'os', 'util', 'events', 'stream', 'buffer', 'http', 'https', 'url', 'querystring'];
-    if (safeBuiltins.includes(requirePath)) {
-      return; // Safe built-in module
-    }
-
-    // Skip safe relative requires within project structure
-    if (requirePath.startsWith('../') || requirePath.startsWith('./')) {
-      // Check if it's going too far up (more than 2 levels)
-      const upLevels = (requirePath.match(/\.\.\//g) || []).length;
-      if (upLevels > 2) {
-        this.addWarning('Deep relative require (more than 2 levels up)', filePath, lineNumber);
-      }
-      // Otherwise, relative requires within project are generally safe
-      return;
-    }
-
-    // Check for dynamic requires (variables)
-    if (requirePath.includes('${') || requirePath.includes('+') || requirePath.includes('variable')) {
-      this.addIssue('Dynamic require statement detected (potential security risk)', filePath, lineNumber);
-      return;
-    }
-
-    // Check for absolute paths outside node_modules
-    if (requirePath.startsWith('/') && !requirePath.includes('node_modules')) {
-      this.addWarning('Absolute path require outside node_modules', filePath, lineNumber);
-      return;
-    }
-
-    // Check for suspicious patterns
-    const suspiciousPatterns = [
-      /\.\./,                    // path traversal
-      /^~/,                      // home directory shorthand
-      /\$(HOME|USER)\b/,         // shell env expansions
-      /^[a-z][a-z0-9+.-]*:/i     // URL/protocol-like require targets
-    ];
-    for (const pattern of suspiciousPatterns) {
-      if (pattern.test(requirePath)) {
-        this.addIssue(`Suspicious require path pattern: ${pattern}`, filePath, lineNumber);
-        return;
-      }
-    }
-
-    // If we get here, it's likely a safe npm package require
-    // No action needed for legitimate package requires
-  }
-
-  async checkFilePermissions() {
-    this.log('Checking file permissions...');
-
-    // POSIX permission checks are noisy/non-actionable on Windows.
-    if (process.platform === 'win32') {
-      return;
-    }
-
-    const criticalFiles = [
-      'utils/security.js',
-      'tests/security.test.js',
-      'package.json'
-    ];
-
-    for (const file of criticalFiles) {
-      const filePath = path.join(this.projectRoot, file);
-      if (!(await this.checkFileExists(filePath))) {
-        this.addIssue(`Critical file not found: ${file}`, filePath);
-        continue;
-      }
-
-      try {
-        const stats = await fs.promises.stat(filePath);
-        const permissions = (stats.mode & parseInt('777', 8)).toString(8);
-
-        // Check if file is writable by group or others
-        if (permissions[1] !== '0' || permissions[2] !== '0') {
-          this.addWarning(`File has overly permissive permissions: ${file} (${permissions})`, filePath);
-        }
-      } catch (error) {
-        this.addIssue(`Cannot check permissions for: ${file}`, filePath);
-      }
-    }
-  }
-
-  async checkDependencies() {
-    this.log('Checking for dependency vulnerabilities...');
-
-    const packageJsonPath = path.join(this.projectRoot, 'package.json');
-    const content = await this.readFile(packageJsonPath);
-
-    if (!content) return;
-
-    try {
-      const pkg = JSON.parse(content);
-      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
-
-      // Check for zero dependencies claim
-      if (Object.keys(allDeps || {}).length > 0) {
-        this.addWarning('Package claims zero dependencies but has dependencies in package.json');
-      }
-
-      // Check for suspicious dependency names
-      const suspiciousDeps = ['malicious', 'hack', 'exploit', 'trojan'];
-      for (const dep of Object.keys(allDeps || {})) {
-        for (const suspicious of suspiciousDeps) {
-          if (dep.toLowerCase().includes(suspicious)) {
-            this.addIssue(`Suspicious dependency name: ${dep}`);
-          }
-        }
-      }
-    } catch (error) {
-      this.addIssue(`Cannot parse package.json: ${error.message}`, packageJsonPath);
-    }
-  }
-
-  async run() {
-    this.log('Starting i18ntk Security Check (IMPROVED VERSION)...', 'info');
-
-    try {
-      await this.checkPackageJson();
-      await this.checkSecurityUtils();
-      await this.checkSourceFiles();
-      await this.checkFilePermissions();
-      await this.checkDependencies();
-
-      // Generate report
-      this.generateReport();
-
-      // Final status with detailed counts
-      const totalIssues = this.issues.length + this.warnings.length;
-      if (this.issues.length > 0) {
-        this.log(`Security check FAILED: ${this.issues.length} critical issues, ${this.warnings.length} warnings found`, 'error');
-        this.log(`Total: ${totalIssues} issues detected`, 'error');
-        // Ensure output is flushed before exit
-        await new Promise(resolve => setImmediate(resolve));
-        process.exit(1);
-      } else if (this.warnings.length > 0) {
-        this.log('Security check PASSED: No critical issues found', 'success');
-        this.log(`${this.warnings.length} warnings found (non-blocking)`, 'warning');
-        this.log(`Total: ${totalIssues} issues detected`, 'warning');
-      } else {
-        this.log('Security check PASSED: No issues found', 'success');
-      }
-    } catch (error) {
-      this.log(`Security check failed with error: ${error.message}`, 'error');
-      console.error('Stack trace:', error.stack);
-      process.exit(1);
-    }
-  }
-
-  generateReport() {
-    if (this.issues.length === 0 && this.warnings.length === 0) {
-      return;
-    }
-
-    console.log('\n=== SECURITY CHECK REPORT (IMPROVED) ===\n');
-
-    if (this.issues.length > 0) {
-      console.log('🔴 CRITICAL ISSUES:');
-      this.issues.forEach(issue => {
-        console.log(`  • ${issue.message}`);
-        if (issue.file) {
-          console.log(`    File: ${issue.file}${issue.line ? `:${issue.line}` : ''}`);
-        }
-      });
-      console.log('');
-    }
-
-    if (this.warnings.length > 0) {
-      console.log('🟡 WARNINGS:');
-      this.warnings.forEach(warning => {
-        console.log(`  • ${warning.message}`);
-        if (warning.file) {
-          console.log(`    File: ${warning.file}${warning.line ? `:${warning.line}` : ''}`);
-        }
-      });
-      console.log('');
-    }
-  }
-}
-
-// Run security check if called directly
-if (require.main === module) {
-  const checker = new SecurityChecker();
-  checker.run().catch(error => {
-    console.error('Security check failed:', error);
-    process.exit(1);
-  });
-}
-
-module.exports = SecurityChecker;

package/utils/security-config.js

@@ -1,239 +0,0 @@
-/**
- * Security Configuration Utility
- * Provides secure configuration management for the i18n Management Toolkit
- */
-
-const crypto = require('crypto');
-const fs = require('fs');
-const path = require('path');
-
-class SecurityConfig {
-    constructor() {
-        this.configDir = path.resolve(__dirname, '..');
-        this.configPath = path.join(this.configDir, 'security-config.json');
-        this.securityDefaults = {
-            pin: {
-                minLength: 4,
-                maxLength: 32,
-                requireStrongPin: true,
-                maxAttempts: 3,
-                lockDuration: 300000, // 5 minutes
-                algorithm: 'scrypt'
-            },
-            encryption: {
-                algorithm: 'aes-256-gcm',
-                keyLength: 32,
-                ivLength: 12,
-                authTagLength: 16
-            },
-            audit: {
-                enabled: true,
-                logLevel: 'info',
-                retentionDays: 30
-            }
-        };
-    }
-
-    /**
-     * Generate secure configuration with settings-based configuration
-     */
-    generateSecureConfig(settings = {}) {
-        const config = {
-            ...this.securityDefaults,
-            secrets: {
-                adminPin: settings.adminPin || null,
-                encryptionKey: settings.encryptionKey || this.generateSecureKey(),
-                jwtSecret: settings.jwtSecret || this.generateSecureKey()
-            },
-            security: {
-                ...this.securityDefaults,
-                environment: 'production',
-                disableWeakPinWarning: settings.disableWeakPinWarning === true
-            }
-        };
-
-        return config;
-    }
-
-    /**
-     * Generate cryptographically secure random key
-     */
-    generateSecureKey(length = 32) {
-        return crypto.randomBytes(length).toString('hex');
-    }
-
-    /**
-     * Validate security configuration
-     */
-    validateSecurityConfig(config) {
-        const errors = [];
-
-        // PIN validation
-        if (config.secrets?.adminPin) {
-            if (config.secrets.adminPin.length < config.security.pin.minLength) {
-                errors.push(`PIN must be at least ${config.security.pin.minLength} characters`);
-            }
-            if (this.isWeakPin(config.secrets.adminPin)) {
-                errors.push('PIN appears to be weak - consider using a stronger PIN');
-            }
-        }
-
-        // Encryption key validation
-        if (config.secrets?.encryptionKey) {
-            if (config.secrets.encryptionKey.length < 64) { // 32 bytes hex encoded
-                errors.push('Encryption key must be at least 32 bytes (64 hex chars)');
-            }
-        }
-
-        return {
-            valid: errors.length === 0,
-            errors
-        };
-    }
-
-    /**
-     * Check if PIN is weak
-     */
-    isWeakPin(pin) {
-        const weakPatterns = [
-            /^\d{1,4}$/,           // Only 1-4 digits
-            /^(.)\1+$/,           // All same characters
-            '1234', '0000', '1111', '2222', '3333', '4444',
-            '5555', '6666', '7777', '8888', '9999', 'password',
-            'admin', 'root', '123456', '654321', 'qwerty'
-        ];
-
-        return weakPatterns.some(pattern => {
-            if (typeof pattern === 'string') {
-                return pin.toLowerCase().includes(pattern);
-            }
-            return pattern.test(pin);
-        });
-    }
-
-    /**
-     * Create secure configuration file
-     */
-    createSecureConfig() {
-        const config = this.generateSecureConfig();
-        const validation = this.validateSecurityConfig(config);
-
-        if (!validation.valid) {
-            throw new Error(`Invalid security configuration: ${validation.errors.join(', ')}`);
-        }
-
-        // Ensure config directory exists
-        const configDir = path.dirname(this.configPath);
-        if (!SecurityUtils.safeExistsSync(configDir)) {
-            fs.mkdirSync(configDir, { recursive: true });
-        }
-
-        // Remove actual secrets from config file (use env vars)
-        const safeConfig = {
-            ...config,
-            secrets: {
-                adminPin: config.secrets.adminPin ? '***' : null,
-                encryptionKey: '***',
-                jwtSecret: '***'
-            }
-        };
-
-        SecurityUtils.safeWriteFileSync(this.configPath, JSON.stringify(safeConfig, null, 2));
-        
-        return {
-            configPath: this.configPath,
-            validation
-        };
-    }
-
-    /**
-     * Load and validate existing configuration
-     */
-    loadSecurityConfig() {
-        if (!SecurityUtils.safeExistsSync(this.configPath)) {
-            return this.createSecureConfig();
-        }
-
-        try {
-            const config = JSON.parse(SecurityUtils.safeReadFileSync(this.configPath, path.dirname(this.configPath), 'utf8'));
-            const validation = this.validateSecurityConfig(config);
-            
-            return {
-                config,
-                validation,
-                configPath: this.configPath
-            };
-        } catch (error) {
-            throw new Error(`Failed to load security configuration: ${error.message}`);
-        }
-    }
-
-    /**
-     * Rotate encryption keys (advanced operation)
-     */
-    rotateEncryptionKeys() {
-        console.warn('⚠️  Key rotation is an advanced operation. Ensure you have backups.');
-        
-        const newKey = this.generateSecureKey();
-        const timestamp = new Date().toISOString();
-        
-        // Create backup of old config
-        if (SecurityUtils.safeExistsSync(this.configPath)) {
-            fs.copyFileSync(this.configPath, `${this.configPath}.backup.${timestamp}`);
-        }
-
-        // Update configuration with new keys
-        const config = this.generateSecureConfig();
-        config.secrets.encryptionKey = newKey;
-        config.secrets.jwtSecret = this.generateSecureKey();
-        config.lastKeyRotation = timestamp;
-
-        this.createSecureConfig();
-        
-        return {
-            oldKeyBackup: `${this.configPath}.backup.${timestamp}`,
-            newKeysGenerated: true,
-            timestamp
-        };
-    }
-}
-
-// Export for benchmark usage
-async function validateConfiguration(config) {
-  const validator = new SecurityConfig();
-  
-  // Simulate validation processing
-  const start = Date.now();
-  
-  // Basic validation for benchmark purposes
-  const errors = [];
-  
-  if (!config.languages || !Array.isArray(config.languages) || config.languages.length === 0) {
-    errors.push('languages must be a non-empty array');
-  }
-  
-  if (!config.sourceDir || typeof config.sourceDir !== 'string') {
-    errors.push('sourceDir must be a string');
-  }
-  
-  if (config.adminPin && typeof config.adminPin !== 'string') {
-    errors.push('adminPin must be a string');
-  }
-  
-  // Simulate processing delay based on config complexity
-  const complexity = (config.languages?.length || 0) * 2;
-  await new Promise(resolve => setTimeout(resolve, complexity));
-  
-  const end = Date.now();
-  
-  return {
-    valid: errors.length === 0,
-    errors,
-    validationTime: end - start
-  };
-}
-
-module.exports = {
-  SecurityConfig,
-  validateConfiguration
-};