i18ntk 3.2.0 → 4.0.0

package/utils/translate/safe-network.js

@@ -0,0 +1,280 @@
+const https = require('https');
+const { URL } = require('url');
+const { logger } = require('../logger');
+
+const MAX_RESPONSE_SIZE = 100 * 1024;
+const ALLOWED_HOSTS = ['translate.googleapis.com', 'api-free.deepl.com', 'api.deepl.com', 'libretranslate.com'];
+const ALLOWED_PATHS = ['/translate_a/single', '/v2/translate', '/translate'];
+const USER_AGENT = 'i18ntk/3.3.0';
+
+function isEnabled(value) {
+  return ['1', 'true', 'yes', 'on'].includes(String(value || '').trim().toLowerCase());
+}
+
+function isPrivateIPv4(hostname) {
+  const parts = String(hostname || '').split('.');
+  if (parts.length !== 4) return false;
+
+  const bytes = parts.map((part) => {
+    if (!/^\d+$/.test(part)) return null;
+    const value = Number(part);
+    return value >= 0 && value <= 255 ? value : null;
+  });
+  if (bytes.some((part) => part === null)) return false;
+
+  const [a, b] = bytes;
+  return a === 10
+    || a === 127
+    || (a === 172 && b >= 16 && b <= 31)
+    || (a === 192 && b === 168)
+    || (a === 169 && b === 254)
+    || a === 0;
+}
+
+function isPrivateHost(hostname) {
+  const normalized = String(hostname || '').trim().toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '');
+  return normalized === 'localhost'
+    || normalized.endsWith('.localhost')
+    || normalized === '::1'
+    || normalized.startsWith('fe80:')
+    || normalized.startsWith('fc')
+    || normalized.startsWith('fd')
+    || isPrivateIPv4(normalized);
+}
+
+function redactUrlForLog(urlString) {
+  try {
+    const parsed = new URL(urlString);
+    parsed.search = '';
+    parsed.hash = '';
+    return parsed.toString();
+  } catch (e) {
+    return '[invalid-url]';
+  }
+}
+
+function validateUrl(urlString, options = {}) {
+  if (!urlString || typeof urlString !== 'string') {
+    return { valid: false, error: 'InvalidUrl', message: 'URL must be a non-empty string' };
+  }
+
+  try {
+    const parsed = new URL(urlString);
+
+    if (parsed.protocol !== 'https:') {
+      return { valid: false, error: 'ProtocolError', message: 'Only HTTPS protocol is supported' };
+    }
+
+    const allowPrivateHosts = options.allowPrivateHosts || isEnabled(process.env.I18NTK_ALLOW_PRIVATE_TRANSLATE_URLS);
+    if (!allowPrivateHosts && isPrivateHost(parsed.hostname)) {
+      return {
+        valid: false,
+        error: 'PrivateHostNotAllowed',
+        message: `Host "${parsed.hostname}" is private or local. Set I18NTK_ALLOW_PRIVATE_TRANSLATE_URLS=1 only for trusted local testing.`,
+      };
+    }
+
+    const allowedHosts = options.allowedHosts || ALLOWED_HOSTS;
+    const allowedPaths = options.allowedPaths || ALLOWED_PATHS;
+
+    if (!allowedHosts.includes(parsed.hostname)) {
+      return { valid: false, error: 'HostNotAllowed', message: `Host "${parsed.hostname}" is not in the allowed list` };
+    }
+
+    if (!allowedPaths.includes(parsed.pathname)) {
+      return { valid: false, error: 'PathNotAllowed', message: `Path "${parsed.pathname}" is not in the allowed list` };
+    }
+
+    const suspiciousParams = ['redirect', 'callback', 'jsonp', 'script', 'src', 'eval', 'exec', 'url'];
+    for (const key of parsed.searchParams.keys()) {
+      const lower = key.toLowerCase();
+      if (suspiciousParams.some((s) => lower.includes(s))) {
+        return { valid: false, error: 'SuspiciousParam', message: `Query parameter "${key}" is not allowed` };
+      }
+      const value = parsed.searchParams.get(key);
+      if (value && (value.includes('<script') || value.includes('javascript:') || value.includes('data:'))) {
+        return { valid: false, error: 'SuspiciousParamValue', message: `Query parameter "${key}" contains potentially dangerous content` };
+      }
+    }
+
+    return { valid: true, url: parsed };
+  } catch (e) {
+    return { valid: false, error: 'UrlParseError', message: `Failed to parse URL: ${e.message}` };
+  }
+}
+
+function safeHttpGet(urlString, timeout = 15000) {
+  return new Promise((resolve) => {
+    const validation = validateUrl(urlString);
+    if (!validation.valid) {
+      logger.security('warn', 'Network request blocked by safe-network', {
+        url: redactUrlForLog(urlString),
+        reason: validation.error,
+        detail: validation.message,
+      });
+      resolve({ ok: false, error: validation.error, message: validation.message });
+      return;
+    }
+
+    const req = https.get(urlString, { headers: { 'User-Agent': USER_AGENT } }, (res) => {
+      let data = '';
+      let sizeExceeded = false;
+
+      res.on('data', (chunk) => {
+        if (data.length + chunk.length > MAX_RESPONSE_SIZE) {
+          if (!sizeExceeded) {
+            sizeExceeded = true;
+            req.destroy();
+            logger.security('warn', 'Network response size limit exceeded', {
+              url: redactUrlForLog(urlString),
+              limit: MAX_RESPONSE_SIZE,
+            });
+            resolve({ ok: false, error: 'ResponseTooLarge', message: `Response exceeds ${MAX_RESPONSE_SIZE} bytes limit` });
+          }
+          return;
+        }
+        data += chunk;
+      });
+
+      res.on('end', () => {
+        if (sizeExceeded) return;
+        try {
+          const parsed = JSON.parse(data);
+          logger.security('info', 'Network request completed', {
+            status: res.statusCode,
+            responseLength: data.length,
+          });
+          resolve({ ok: true, data: parsed, status: res.statusCode });
+        } catch (e) {
+          logger.security('warn', 'Network response parse error', {
+            status: res.statusCode,
+            responseLength: data.length,
+          });
+          resolve({ ok: false, error: 'ParseError', raw: data.substring(0, 500), status: res.statusCode });
+        }
+      });
+    });
+
+    req.setTimeout(timeout, () => {
+      req.destroy();
+      logger.security('warn', 'Network request timed out', { timeoutMs: timeout });
+      resolve({ ok: false, error: 'TimeoutError', message: 'Request timed out' });
+    });
+
+    req.on('error', (e) => {
+      logger.security('warn', 'Network request error', {
+        code: e.code,
+        message: e.message,
+      });
+      resolve({ ok: false, error: e.code || 'NetworkError', message: e.message });
+    });
+  });
+}
+
+function safeHttpPost(urlString, body, options = {}) {
+  const timeout = options.timeout || 15000;
+
+  return new Promise((resolve) => {
+    const validation = validateUrl(urlString, {
+      allowedHosts: options.allowedHosts,
+      allowedPaths: options.allowedPaths,
+      allowPrivateHosts: options.allowPrivateHosts,
+    });
+    if (!validation.valid) {
+      logger.security('warn', 'Network request blocked by safe-network', {
+        url: redactUrlForLog(urlString),
+        reason: validation.error,
+        detail: validation.message,
+      });
+      resolve({ ok: false, error: validation.error, message: validation.message });
+      return;
+    }
+
+    const payload = typeof body === 'string' ? body : JSON.stringify(body || {});
+    const headers = {
+      'User-Agent': USER_AGENT,
+      'Content-Type': options.contentType || 'application/json',
+      'Content-Length': Buffer.byteLength(payload),
+      ...(options.headers || {}),
+    };
+
+    const req = https.request(validation.url, { method: 'POST', headers }, (res) => {
+      let data = '';
+      let sizeExceeded = false;
+
+      res.on('data', (chunk) => {
+        if (data.length + chunk.length > MAX_RESPONSE_SIZE) {
+          if (!sizeExceeded) {
+            sizeExceeded = true;
+            req.destroy();
+            logger.security('warn', 'Network response size limit exceeded', {
+              url: redactUrlForLog(urlString),
+              limit: MAX_RESPONSE_SIZE,
+            });
+            resolve({ ok: false, error: 'ResponseTooLarge', message: `Response exceeds ${MAX_RESPONSE_SIZE} bytes limit` });
+          }
+          return;
+        }
+        data += chunk;
+      });
+
+      res.on('end', () => {
+        if (sizeExceeded) return;
+        try {
+          const parsed = JSON.parse(data || '{}');
+          logger.security('info', 'Network request completed', {
+            status: res.statusCode,
+            responseLength: data.length,
+          });
+          resolve({ ok: res.statusCode >= 200 && res.statusCode < 300, data: parsed, status: res.statusCode });
+        } catch (e) {
+          logger.security('warn', 'Network response parse error', {
+            status: res.statusCode,
+            responseLength: data.length,
+          });
+          resolve({ ok: false, error: 'ParseError', raw: data.substring(0, 500), status: res.statusCode });
+        }
+      });
+    });
+
+    req.setTimeout(timeout, () => {
+      req.destroy();
+      logger.security('warn', 'Network request timed out', { timeoutMs: timeout });
+      resolve({ ok: false, error: 'TimeoutError', message: 'Request timed out' });
+    });
+
+    req.on('error', (e) => {
+      logger.security('warn', 'Network request error', {
+        code: e.code,
+        message: e.message,
+      });
+      resolve({ ok: false, error: e.code || 'NetworkError', message: e.message });
+    });
+
+    req.write(payload);
+    req.end();
+  });
+}
+
+function buildGoogleTranslateUrl(text, sourceLang, targetLang) {
+  const params = new URLSearchParams({
+    client: 'gtx',
+    sl: sourceLang,
+    tl: targetLang,
+    dt: 't',
+    q: text,
+  });
+  return `https://translate.googleapis.com/translate_a/single?${params.toString()}`;
+}
+
+module.exports = {
+  safeHttpGet,
+  safeHttpPost,
+  buildGoogleTranslateUrl,
+  validateUrl,
+  isPrivateHost,
+  redactUrlForLog,
+  MAX_RESPONSE_SIZE,
+  ALLOWED_HOSTS,
+  ALLOWED_PATHS,
+};

package/utils/watch-locales.js

@@ -1,36 +1,183 @@
-const fs = require('fs');
-const path = require('path');
-const SecurityUtils = require('./security');
-
-function watchDirectory(dir, callback, watchers) {
-  if (!SecurityUtils.safeExistsSync(dir, path.dirname(dir))) return;
-  const watcher = fs.watch(dir, (event, filename) => {
-    if (filename && filename.endsWith('.json')) {
-      callback(path.join(dir, filename));
-    }
-  });
-  watchers.push(watcher);
-
-  try {
-    const items = SecurityUtils.safeReaddirSync(dir, path.dirname(dir), { withFileTypes: true });
-    if (items) {
-      items.forEach(entry => {
-        if (entry.isDirectory()) {
-          watchDirectory(path.join(dir, entry.name), callback, watchers);
-        }
-      });
-    }
-  } catch (_) {
-    // Cannot read directory contents
-  }
-}
-
-function watchLocales(dirs, onChange) {
-  const directories = Array.isArray(dirs) ? dirs : [dirs];
-  const watchers = [];
-  directories.forEach(d => watchDirectory(path.resolve(d), onChange, watchers));
-  console.log(`Watching for changes in: ${directories.join(', ')}`);
-  return () => watchers.forEach(w => w.close());
-}
-
-module.exports = watchLocales;
+const fs = require('fs');
+const path = require('path');
+const EventEmitter = require('events');
+const crypto = require('crypto');
+const SecurityUtils = require('./security');
+
+const DEFAULT_DEBOUNCE_MS = 300;
+const DEFAULT_MAX_DIRECTORIES = 50;
+
+function sha256File(filePath) {
+  try {
+    const content = SecurityUtils.safeReadFileSync(filePath, path.dirname(filePath));
+    if (content === null || content === undefined) return null;
+    return crypto.createHash('sha256').update(content).digest('hex');
+  } catch (_) {
+    return null;
+  }
+}
+
+function watchDirectory(dir, emitter, watchers, options = {}) {
+  const {
+    debounceMs = DEFAULT_DEBOUNCE_MS,
+    hashTracking = true,
+    watchState = { count: 0, maxDirectories: DEFAULT_MAX_DIRECTORIES }
+  } = options;
+
+  if (!SecurityUtils.safeExistsSync(dir, path.dirname(dir))) return;
+  if (watchState.count >= watchState.maxDirectories) {
+    emitter.emit('error', new Error(`Maximum watched directories (${watchState.maxDirectories}) exceeded`));
+    return;
+  }
+
+  const fileHashes = new Map();
+  const debounceTimers = new Map();
+
+  if (hashTracking) {
+    try {
+      const items = SecurityUtils.safeReaddirSync(dir, path.dirname(dir), { withFileTypes: true });
+      if (items) {
+        for (const entry of items) {
+          if (entry.isFile() && entry.name.endsWith('.json')) {
+            const fullPath = path.join(dir, entry.name);
+            const h = sha256File(fullPath);
+            if (h) fileHashes.set(fullPath, h);
+          }
+        }
+      }
+    } catch (_) { /* initial read may fail */ }
+  }
+
+  let watcher;
+  try {
+    watcher = fs.watch(dir, (event, filename) => {
+      if (!filename || !filename.endsWith('.json')) return;
+
+      const fullPath = path.join(dir, filename);
+      const validated = SecurityUtils.validatePath(fullPath, path.dirname(dir));
+      if (!validated) return;
+
+      if (debounceTimers.has(fullPath)) {
+        clearTimeout(debounceTimers.get(fullPath));
+      }
+
+      debounceTimers.set(fullPath, setTimeout(() => {
+        debounceTimers.delete(fullPath);
+
+        try {
+          if (event === 'rename') {
+            if (SecurityUtils.safeExistsSync(fullPath, path.dirname(fullPath))) {
+              if (hashTracking) {
+                const h = sha256File(fullPath);
+                if (h) fileHashes.set(fullPath, h);
+              }
+              emitter.emit('add', fullPath);
+            } else {
+              fileHashes.delete(fullPath);
+              emitter.emit('unlink', fullPath);
+            }
+          } else if (event === 'change') {
+            if (hashTracking) {
+              const newHash = sha256File(fullPath);
+              const oldHash = fileHashes.get(fullPath);
+              if (newHash && newHash === oldHash) return;
+              if (newHash) fileHashes.set(fullPath, newHash);
+            }
+            emitter.emit('change', fullPath);
+          }
+        } catch (err) {
+          emitter.emit('error', err);
+        }
+      }, debounceMs));
+    });
+
+    watcher.on('error', (err) => {
+      emitter.emit('error', err);
+    });
+  } catch (err) {
+    emitter.emit('error', err);
+    return;
+  }
+
+  watchers.push({ watcher, path: dir });
+  watchState.count++;
+
+  try {
+    const items = SecurityUtils.safeReaddirSync(dir, path.dirname(dir), { withFileTypes: true });
+    if (items) {
+      for (const entry of items) {
+        if (entry.isDirectory()) {
+          watchDirectory(path.join(dir, entry.name), emitter, watchers, options);
+        }
+      }
+    }
+  } catch (_) {
+    // Cannot read directory contents
+  }
+}
+
+function watchLocales(dirs, onChange, options = {}) {
+  const directories = Array.isArray(dirs) ? dirs : [dirs];
+  const emitter = new EventEmitter();
+  emitter.on('error', () => {});
+  const watchers = [];
+
+  // Backward-compatible onChange callback
+  if (typeof onChange === 'function') {
+    emitter.on('change', onChange);
+    emitter.on('add', onChange);
+  }
+
+  const {
+    debounceMs = DEFAULT_DEBOUNCE_MS,
+    hashTracking = true,
+    maxDirectories = DEFAULT_MAX_DIRECTORIES
+  } = (typeof onChange === 'object' && onChange !== null) ? onChange : options;
+
+  const watchState = { count: 0, maxDirectories };
+  for (const d of directories) {
+    if (watchState.count >= watchState.maxDirectories) {
+      emitter.emit('error', new Error(`Maximum watched directories (${watchState.maxDirectories}) exceeded`));
+      break;
+    }
+
+    const resolved = path.resolve(d);
+    const validated = SecurityUtils.validatePath(resolved, process.cwd());
+    if (!validated) {
+      emitter.emit('error', new Error(`Path validation failed for: ${d}`));
+      continue;
+    }
+
+    const projectRoot = path.resolve(process.cwd());
+    const rel = path.relative(projectRoot, validated);
+    if (rel.startsWith('..')) {
+      emitter.emit('error', new Error(`Directory outside project root: ${d}`));
+      continue;
+    }
+
+    watchDirectory(validated, emitter, watchers, { debounceMs, hashTracking, watchState });
+  }
+
+  const stop = () => {
+    for (const entry of watchers) {
+      try { entry.watcher.close(); } catch (_) { /* ignore */ }
+    }
+    watchers.length = 0;
+    emitter.removeAllListeners();
+  };
+
+  stop.stop = stop;
+  stop.emitter = emitter;
+  stop.on = emitter.on.bind(emitter);
+  stop.once = emitter.once.bind(emitter);
+  stop.off = emitter.off ? emitter.off.bind(emitter) : emitter.removeListener.bind(emitter);
+  stop.emit = emitter.emit.bind(emitter);
+  stop.removeListener = emitter.removeListener.bind(emitter);
+  stop.removeAllListeners = emitter.removeAllListeners.bind(emitter);
+  stop.getWatchedPaths = () => watchers.map(w => w.path);
+  stop.getDebounceMs = () => debounceMs;
+
+  return stop;
+}
+
+module.exports = watchLocales;