i18ntk 2.3.8 → 2.5.0

package/utils/security.js

@@ -1,93 +1,94 @@
-const path = require('path');
-const fs = require('fs');
-const crypto = require('crypto');
-const { logger } = require('./logger');
-
-const INTERNAL_MANIFEST_CACHE = {
-  initialized: false,
-  roots: new Set()
-};
-
-function findPackageRoot(startDir) {
-  let current = path.resolve(startDir || process.cwd());
-  while (true) {
-    const manifest = path.join(current, 'package.json');
-    if (fs.existsSync(manifest)) {
-      return current;
-    }
-    const parent = path.dirname(current);
-    if (parent === current) {
-      return null;
-    }
-    current = parent;
-  }
-}
-
-function initializeInternalRoots() {
-  if (INTERNAL_MANIFEST_CACHE.initialized) {
-    return INTERNAL_MANIFEST_CACHE.roots;
-  }
-
-  INTERNAL_MANIFEST_CACHE.initialized = true;
-  const roots = INTERNAL_MANIFEST_CACHE.roots;
-  const candidates = [
-    process.cwd(),
-    path.resolve(__dirname, '..'),
-    findPackageRoot(process.cwd()),
-    findPackageRoot(path.resolve(__dirname, '..'))
-  ].filter(Boolean);
-
-  for (const candidate of candidates) {
-    roots.add(path.resolve(candidate));
-  }
-
-  const custom = String(process.env.I18NTK_INTERNAL_PATH_PREFIXES || '')
-    .split(',')
-    .map((entry) => entry.trim())
-    .filter(Boolean);
-  for (const prefix of custom) {
-    roots.add(path.resolve(prefix));
-  }
-
-  return roots;
-}
-
-function normalizeForCompare(value) {
-  return String(value || '').replace(/\\/g, '/').toLowerCase();
-}
-
-function isPathInside(root, target) {
-  const normalizedRoot = normalizeForCompare(path.resolve(root));
-  const normalizedTarget = normalizeForCompare(path.resolve(target));
-  return normalizedTarget === normalizedRoot || normalizedTarget.startsWith(`${normalizedRoot}/`);
-}
-
-function isInternalPath(inputPath) {
-  if (!inputPath || typeof inputPath !== 'string') {
-    return false;
-  }
-  const roots = initializeInternalRoots();
-  const absolute = path.resolve(inputPath);
-  for (const root of roots) {
-    if (isPathInside(root, absolute)) {
-      return true;
-    }
-  }
-  return false;
-}
-
-function detectDangerReason(filePath) {
-  if (/\.\.(\/|\\|$)/.test(filePath)) return 'Contains parent directory traversal segments';
-  if (/(^|[\/\\])~([\/\\]|$)/.test(filePath)) return 'Contains home-directory shorthand';
-  if (/\$\{/.test(filePath)) return 'Contains variable expansion token';
-  if (/`/.test(filePath)) return 'Contains command substitution token';
-  if (/[|;&<>]/.test(filePath)) return 'Contains shell metacharacters';
-  return null;
-}
-
-
-// Lazy load i18n to prevent initialization race conditions
-let i18n;
+const path = require('path');
+const fs = require('fs');
+const crypto = require('crypto');
+const { logger } = require('./logger');
+const { envManager } = require('./env-manager');
+
+const INTERNAL_MANIFEST_CACHE = {
+  initialized: false,
+  roots: new Set()
+};
+
+function findPackageRoot(startDir) {
+  let current = path.resolve(startDir || process.cwd());
+  while (true) {
+    const manifest = path.join(current, 'package.json');
+    if (fs.existsSync(manifest)) {
+      return current;
+    }
+    const parent = path.dirname(current);
+    if (parent === current) {
+      return null;
+    }
+    current = parent;
+  }
+}
+
+function initializeInternalRoots() {
+  if (INTERNAL_MANIFEST_CACHE.initialized) {
+    return INTERNAL_MANIFEST_CACHE.roots;
+  }
+
+  INTERNAL_MANIFEST_CACHE.initialized = true;
+  const roots = INTERNAL_MANIFEST_CACHE.roots;
+  const candidates = [
+    process.cwd(),
+    path.resolve(__dirname, '..'),
+    findPackageRoot(process.cwd()),
+    findPackageRoot(path.resolve(__dirname, '..'))
+  ].filter(Boolean);
+
+  for (const candidate of candidates) {
+    roots.add(path.resolve(candidate));
+  }
+
+  const custom = String(envManager.get('I18NTK_INTERNAL_PATH_PREFIXES') || '')
+    .split(',')
+    .map((entry) => entry.trim())
+    .filter(Boolean);
+  for (const prefix of custom) {
+    roots.add(path.resolve(prefix));
+  }
+
+  return roots;
+}
+
+function normalizeForCompare(value) {
+  return String(value || '').replace(/\\/g, '/').toLowerCase();
+}
+
+function isPathInside(root, target) {
+  const normalizedRoot = normalizeForCompare(path.resolve(root));
+  const normalizedTarget = normalizeForCompare(path.resolve(target));
+  return normalizedTarget === normalizedRoot || normalizedTarget.startsWith(`${normalizedRoot}/`);
+}
+
+function isInternalPath(inputPath) {
+  if (!inputPath || typeof inputPath !== 'string') {
+    return false;
+  }
+  const roots = initializeInternalRoots();
+  const absolute = path.resolve(inputPath);
+  for (const root of roots) {
+    if (isPathInside(root, absolute)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+function detectDangerReason(filePath) {
+  if (/\.\.(\/|\\|$)/.test(filePath)) return 'Contains parent directory traversal segments';
+  if (/(^|[\/\\])~([\/\\]|$)/.test(filePath)) return 'Contains home-directory shorthand';
+  if (/\$\{/.test(filePath)) return 'Contains variable expansion token';
+  if (/`/.test(filePath)) return 'Contains command substitution token';
+  if (/[|;&<>]/.test(filePath)) return 'Contains shell metacharacters';
+  return null;
+}
+
+
+// Lazy load i18n to prevent initialization race conditions
+let i18n;
 function getI18n() {
   if (!i18n) {
     try {
@@ -141,13 +142,13 @@ static _logging = false;
       SecurityUtils._operationStack = new Set();
     }
 
-    if (SecurityUtils._operationStack.has(operationName)) {
-      SecurityUtils.logSecurityEvent('Recursion detected while performing secure operation', 'warn', {
-        operation: operationName,
-        source: 'internal'
-      });
-      return null;
-    }
+    if (SecurityUtils._operationStack.has(operationName)) {
+      SecurityUtils.logSecurityEvent('Recursion detected while performing secure operation', 'warn', {
+        operation: operationName,
+        source: 'internal'
+      });
+      return null;
+    }
 
     SecurityUtils._operationStack.add(operationName);
 
@@ -157,15 +158,15 @@ static _logging = false;
       let hasResult = false;
       let timeoutId = null;
 
-      timeoutId = setTimeout(() => {
-        if (!hasResult) {
-          SecurityUtils.logSecurityEvent('Secure operation timeout', 'warn', {
-            operation: operationName,
-            timeoutMs,
-            source: 'internal'
-          });
-        }
-      }, timeoutMs);
+      timeoutId = setTimeout(() => {
+        if (!hasResult) {
+          SecurityUtils.logSecurityEvent('Secure operation timeout', 'warn', {
+            operation: operationName,
+            timeoutMs,
+            source: 'internal'
+          });
+        }
+      }, timeoutMs);
 
       // Execute operation synchronously
       result = operation();
@@ -177,12 +178,12 @@ static _logging = false;
 
       return result;
     } catch (error) {
-      SecurityUtils.logSecurityEvent('Secure operation error', 'error', {
-        operation: operationName,
-        error: error.message,
-        source: 'internal'
-      });
-      return null;
+      SecurityUtils.logSecurityEvent('Secure operation error', 'error', {
+        operation: operationName,
+        error: error.message,
+        source: 'internal'
+      });
+      return null;
     } finally {
       SecurityUtils._operationStack.delete(operationName);
     }
@@ -194,40 +195,40 @@ static _logging = false;
    * @param {string} level - Log level (info, warn, error)
    * @param {object} details - Additional details
    */
-  static logSecurityEvent(event, level = 'info', details = {}) {
-    if (SecurityUtils._logging) {
-      return;
-    }
-
-    SecurityUtils._logging = true;
-    try {
-      const debugMode = logger.isDebugMode();
-      const explicitSecurityLogs = process.env.I18NTK_ENABLE_SECURITY_LOGS === 'true';
-      const source = details && details.source ? String(details.source).toLowerCase() : 'internal';
-      const levelName = String(level || 'info').toLowerCase();
-      const normalizedLevel = levelName === 'warning' ? 'warn' : levelName;
-
-      // Security warnings from internal paths are noise during builds.
-      if (!debugMode && !explicitSecurityLogs && source !== 'user') {
-        return;
-      }
-
-      logger.security(normalizedLevel, event, {
-        ...details,
-        pid: process.pid,
-        nodeVersion: process.version
-      });
-    } finally {
-      SecurityUtils._logging = false;
-    }
-  }
+  static logSecurityEvent(event, level = 'info', details = {}) {
+    if (SecurityUtils._logging) {
+      return;
+    }
+
+    SecurityUtils._logging = true;
+    try {
+      const debugMode = logger.isDebugMode();
+      const explicitSecurityLogs = envManager.getBoolean('I18NTK_ENABLE_SECURITY_LOGS');
+      const source = details && details.source ? String(details.source).toLowerCase() : 'internal';
+      const levelName = String(level || 'info').toLowerCase();
+      const normalizedLevel = levelName === 'warning' ? 'warn' : levelName;
+
+      // Security warnings from internal paths are noise during builds.
+      if (!debugMode && !explicitSecurityLogs && source !== 'user') {
+        return;
+      }
+
+      logger.security(normalizedLevel, event, {
+        ...details,
+        pid: process.pid,
+        nodeVersion: process.version
+      });
+    } finally {
+      SecurityUtils._logging = false;
+    }
+  }
 
   // Add other static methods here...
-  static validatePath(filePath, basePath = process.cwd(), verbose = false) {
-    const i18n = getI18n();
-    const useI18n = i18n && i18n.isInitialized && typeof i18n.t === 'function';
-
-    try {
+  static validatePath(filePath, basePath = process.cwd(), verbose = false) {
+    const i18n = getI18n();
+    const useI18n = i18n && i18n.isInitialized && typeof i18n.t === 'function';
+
+    try {
     // Check against whitelist patterns for our own package artifacts
     if (SecurityUtils.PACKAGE_ARTIFACT_WHITELIST.some(pattern => pattern.test(filePath))) {
     return filePath;
@@ -247,42 +248,42 @@ static _logging = false;
         return null;
       }
 
-      const isWindowsAbsolute = /^[A-Z]:[\/\\]/i.test(filePath);
-      const isUnixAbsolute = filePath.startsWith('/') || filePath.startsWith('\\');
-      const isAbsolutePath = isWindowsAbsolute || isUnixAbsolute;
-      const dangerousReason = detectDangerReason(filePath);
-      const source = isInternalPath(filePath) ? 'internal' : 'user';
-
-      if (isAbsolutePath && isInternalPath(filePath)) {
-        return path.resolve(filePath);
-      }
-
-      // For absolute paths, defer trust decision to base-path containment checks below,
-      // but still reject obvious shell/injection markers.
-      if (isAbsolutePath && dangerousReason) {
-        const message = useI18n
-          ? i18n.t('security.pathTraversalAttempt')
-          : 'Path traversal attempt';
-        SecurityUtils.logSecurityEvent(message, 'warning', {
-          inputPath: filePath,
-          reason: dangerousReason,
-          source
-        });
-        return null;
-      }
-
-      // Check for obvious dangerous patterns first for relative paths
-      if (!isAbsolutePath && !SecurityUtils.isSafePath(filePath)) {
-        const message = useI18n
-          ? i18n.t('security.pathTraversalAttempt')
-          : 'Path traversal attempt';
-        SecurityUtils.logSecurityEvent(message, 'warning', {
-          inputPath: filePath,
-          reason: dangerousReason || 'Contains unsafe path segments',
-          source
-        });
-        return null;
-      }
+      const isWindowsAbsolute = /^[A-Z]:[\/\\]/i.test(filePath);
+      const isUnixAbsolute = filePath.startsWith('/') || filePath.startsWith('\\');
+      const isAbsolutePath = isWindowsAbsolute || isUnixAbsolute;
+      const dangerousReason = detectDangerReason(filePath);
+      const source = isInternalPath(filePath) ? 'internal' : 'user';
+
+      if (isAbsolutePath && isInternalPath(filePath)) {
+        return path.resolve(filePath);
+      }
+
+      // For absolute paths, defer trust decision to base-path containment checks below,
+      // but still reject obvious shell/injection markers.
+      if (isAbsolutePath && dangerousReason) {
+        const message = useI18n
+          ? i18n.t('security.pathTraversalAttempt')
+          : 'Path traversal attempt';
+        SecurityUtils.logSecurityEvent(message, 'warning', {
+          inputPath: filePath,
+          reason: dangerousReason,
+          source
+        });
+        return null;
+      }
+
+      // Check for obvious dangerous patterns first for relative paths
+      if (!isAbsolutePath && !SecurityUtils.isSafePath(filePath)) {
+        const message = useI18n
+          ? i18n.t('security.pathTraversalAttempt')
+          : 'Path traversal attempt';
+        SecurityUtils.logSecurityEvent(message, 'warning', {
+          inputPath: filePath,
+          reason: dangerousReason || 'Contains unsafe path segments',
+          source
+        });
+        return null;
+      }
 
       // Resolve base and target paths
       const base = fs.realpathSync(basePath);
@@ -297,47 +298,47 @@ static _logging = false;
       }
 
       // Check for actual path traversal (going outside the base directory)
-      const relativePath = path.relative(base, finalPath);
-      if (relativePath.startsWith('..')) {
-        const message = useI18n
-          ? i18n.t('security.pathTraversalAttempt')
-          : 'Path traversal attempt';
-        SecurityUtils.logSecurityEvent(message, 'warning', {
-          inputPath: filePath,
-          resolvedPath: finalPath,
-          basePath: base,
-          relativePath: relativePath,
-          source
-        });
-        return null;
-      }
+      const relativePath = path.relative(base, finalPath);
+      if (relativePath === '..' || relativePath.startsWith(`..${path.sep}`) || path.isAbsolute(relativePath)) {
+        const message = useI18n
+          ? i18n.t('security.pathTraversalAttempt')
+          : 'Path traversal attempt';
+        SecurityUtils.logSecurityEvent(message, 'warning', {
+          inputPath: filePath,
+          resolvedPath: finalPath,
+          basePath: base,
+          relativePath: relativePath,
+          source
+        });
+        return null;
+      }
 
       // Allow absolute paths that resolve within the project structure
       // The isSafePath check above already filtered out dangerous absolute paths
 
       if (verbose) {
-        const successMsg = useI18n
-          ? i18n.t('security.pathValidated')
-          : 'Path validated';
-        SecurityUtils.logSecurityEvent(successMsg, 'info', {
-          inputPath: filePath,
-          resolvedPath: finalPath,
-          source
-        });
-      }
-      return finalPath;
+        const successMsg = useI18n
+          ? i18n.t('security.pathValidated')
+          : 'Path validated';
+        SecurityUtils.logSecurityEvent(successMsg, 'info', {
+          inputPath: filePath,
+          resolvedPath: finalPath,
+          source
+        });
+      }
+      return finalPath;
     } catch (error) {
       const message = useI18n
         ? i18n.t('security.pathValidationError')
         : 'Path validation error';
-      SecurityUtils.logSecurityEvent(message, 'error', {
-        inputPath: filePath,
-        error: error.message,
-        source: isInternalPath(filePath) ? 'internal' : 'user'
-      });
-      return null;
-    }
-  }
+      SecurityUtils.logSecurityEvent(message, 'error', {
+        inputPath: filePath,
+        error: error.message,
+        source: isInternalPath(filePath) ? 'internal' : 'user'
+      });
+      return null;
+    }
+  }
 
   static safeExistsSync(filePath, basePath, timeoutMs = 3000) {
     return this.withTimeoutSync(() => {
@@ -567,25 +568,26 @@ static _logging = false;
   const resolvedBase = path.resolve(basePath);
   const joinedPath = path.join(resolvedBase, ...paths);
   const resolvedPath = path.resolve(joinedPath);
+  const relativePath = path.relative(resolvedBase, resolvedPath);
   
   // Ensure the final path is within the base directory
-  if (!resolvedPath.startsWith(resolvedBase)) {
-  SecurityUtils.logSecurityEvent('Path traversal attempt detected in safeJoin', 'error', {
-  basePath,
-  paths,
-  resolvedPath,
-  source: 'internal'
-  });
-  return false;
-  }
+  if (relativePath === '..' || relativePath.startsWith(`..${path.sep}`) || path.isAbsolute(relativePath)) {
+  SecurityUtils.logSecurityEvent('Path traversal attempt detected in safeJoin', 'error', {
+  basePath,
+  paths,
+  resolvedPath,
+  source: 'internal'
+  });
+  return false;
+  }
   return resolvedPath;
   } catch (error) {
-  SecurityUtils.logSecurityEvent('Error in safeJoin', 'error', {
-  basePath,
-  paths,
-  error: error.message,
-  source: 'internal'
-  });
+  SecurityUtils.logSecurityEvent('Error in safeJoin', 'error', {
+  basePath,
+  paths,
+  error: error.message,
+  source: 'internal'
+  });
   return false;
   }
   }
@@ -633,12 +635,12 @@ static _logging = false;
     ];
 
     // Allow absolute paths that are within the project structure
-    if (filePath.startsWith('/') || filePath.startsWith('\\')) {
-      // Treat raw Unix-style absolute input as dangerous by default in this helper.
-      // `validatePath` can still permit absolute paths if they resolve within basePath.
-      const hasDangerousPatterns = dangerousPatterns.slice(1).some(pattern => pattern.test(filePath));
-      return !hasDangerousPatterns;
-    }
+    if (filePath.startsWith('/') || filePath.startsWith('\\')) {
+      // Treat raw Unix-style absolute input as dangerous by default in this helper.
+      // `validatePath` can still permit absolute paths if they resolve within basePath.
+      const hasDangerousPatterns = dangerousPatterns.slice(1).some(pattern => pattern.test(filePath));
+      return !hasDangerousPatterns;
+    }
 
     return !dangerousPatterns.some(pattern => pattern.test(filePath));
   }