i18ntk 4.3.3 → 4.4.2

package/main/i18ntk-backup.js

@@ -356,25 +356,38 @@ async function cleanupOldBackups(backupDirPath) {
 }
 
 async function handleCreate(args) {
-  const dir = args._[1] || path.join(__dirname, '..', 'locales');
-  const outputDir = args.output || backupDir;
+  const rawSourceDir = args._[1] || path.join(__dirname, '..', 'locales');
+  const rawOutputDir = args.output || backupDir;
+
+  // Validate both paths against project root (cwd) for security
+  const sourceDir = path.resolve(rawSourceDir);
+  if (!SecurityUtils.validatePath(sourceDir, process.cwd())) {
+    throw new Error(`Source directory is outside the allowed project boundary.`);
+  }
+
+  const outputDir = path.resolve(rawOutputDir);
+  const validatedOutputDir = SecurityUtils.validatePath(outputDir, process.cwd());
+  if (!validatedOutputDir) {
+    throw new Error(`Output directory is outside the allowed project boundary.`);
+  }
+
   const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
   const backupName = `backup-${timestamp}.json`;
-  const backupPath = path.join(outputDir, backupName);
+  const backupPath = path.join(validatedOutputDir, backupName);
   const isIncremental = args.incremental !== 'false' && args.incremental !== false;
 
-  logger.debug(`Source directory: ${dir}`);
+  logger.debug(`Source directory: ${sourceDir}`);
   logger.debug(`Backup will be saved to: ${backupPath}`);
 
   try {
-    await fsp.mkdir(outputDir, { recursive: true });
-    logger.debug(`Created backup directory: ${outputDir}`);
+    SecurityUtils.safeMkdirSync(validatedOutputDir, process.cwd());
+    logger.debug(`Created backup directory: ${validatedOutputDir}`);
   } catch (err) {
     if (err.code !== 'EEXIST') {
       logger.error(`Failed to create backup directory: ${err.message}`);
       throw err;
     }
-    logger.debug(`Using existing backup directory: ${outputDir}`);
+    logger.debug(`Using existing backup directory: ${validatedOutputDir}`);
   }
 
   const sourceDir = path.resolve(dir);
@@ -463,7 +476,7 @@ async function handleCreate(args) {
     backupData[file] = content;
   }
 
-  await fsp.writeFile(backupPath, JSON.stringify(backupData, null, 2));
+  SecurityUtils.safeWriteFileSync(backupPath, JSON.stringify(backupData, null, 2), validatedOutputDir);
   const stats = await fsp.stat(backupPath);
 
   logger.success('Backup created successfully');
@@ -483,9 +496,11 @@ async function handleRestore(args) {
   }
 
   const backupPath = path.resolve(process.cwd(), backupFile);
-  const outputDir = args.output
-    ? path.resolve(process.cwd(), args.output)
-    : path.join(process.cwd(), 'restored');
+  const rawOutputDir = args.output || path.join(process.cwd(), 'restored');
+  const validatedOutputDir = SecurityUtils.validatePath(rawOutputDir, process.cwd());
+  if (!validatedOutputDir) {
+    throw new Error(`Restore output directory is outside the allowed project boundary.`);
+  }
 
   if (!SecurityUtils.safeExistsSync(backupPath, process.cwd())) {
     throw new Error(`Backup file not found: ${backupPath}`);
@@ -494,36 +509,38 @@ async function handleRestore(args) {
   logger.info('\nRestoring backup...');
 
   try {
-    const backupData = JSON.parse(await fsp.readFile(backupPath, 'utf8'));
+    const rawContent = SecurityUtils.safeReadFileSync(backupPath, process.cwd(), 'utf8');
+    if (!rawContent) throw new Error(`Could not read backup file: ${backupPath}`);
+    const backupData = JSON.parse(rawContent);
     const isIncremental = backupData._meta && backupData._meta.type === 'incremental';
 
     if (isIncremental) {
       const chain = await buildRestoreChain(backupPath, backupData);
-      await fsp.mkdir(outputDir, { recursive: true });
+      SecurityUtils.safeMkdirSync(validatedOutputDir, process.cwd());
 
-      const restoredFiles = new Set();
-      for (const entry of chain) {
-        for (const [file, content] of Object.entries(entry.data)) {
-          if (restoreBackupEntry(outputDir, file, content)) {
-            restoredFiles.add(file);
-          }
-        }
-      }
+      const restoredFiles = new Set();
+      for (const entry of chain) {
+        for (const [file, content] of Object.entries(entry.data)) {
+          if (restoreBackupEntry(validatedOutputDir, file, content)) {
+            restoredFiles.add(file);
+          }
+        }
+      }
 
       logger.success('Incremental backup restored successfully');
-      logger.info(`  ${restoredFiles.size} files restored across ${chain.length} backup(s) to: ${outputDir}`);
+      logger.info(`  ${restoredFiles.size} files restored across ${chain.length} backup(s) to: ${validatedOutputDir}`);
     } else {
-      await fsp.mkdir(outputDir, { recursive: true });
+      SecurityUtils.safeMkdirSync(validatedOutputDir, process.cwd());
 
-      let count = 0;
-      for (const [file, content] of Object.entries(backupData)) {
-        if (restoreBackupEntry(outputDir, file, content)) {
-          count++;
-        }
-      }
+      let count = 0;
+      for (const [file, content] of Object.entries(backupData)) {
+        if (restoreBackupEntry(validatedOutputDir, file, content)) {
+          count++;
+        }
+      }
 
       logger.success('Backup restored successfully');
-      logger.info(`  Restored ${count} files to: ${outputDir}`);
+      logger.info(`  Restored ${count} files to: ${validatedOutputDir}`);
     }
   } catch (error) {
     handleError(error);
@@ -532,37 +549,43 @@ async function handleRestore(args) {
 
 async function handleList() {
   try {
-    // Ensure backup directory exists
-    try {
-      await fsp.access(backupDir);
-    } catch (err) {
-      if (err.code === 'ENOENT') {
-        logger.warn('No backups found. The backup directory does not exist yet.');
-      } else {
-        logger.error(`Error accessing backup directory: ${err.message}`);
-      }
+    const validatedBackupDir = SecurityUtils.validatePath(backupDir, process.cwd());
+    if (!validatedBackupDir) {
+      logger.error('Backup directory is outside allowed project boundary.');
+      return;
+    }
+
+    if (!SecurityUtils.safeExistsSync(validatedBackupDir, process.cwd())) {
+      logger.warn('No backups found. The backup directory does not exist yet.');
+      return;
+    }
+
+    const files = SecurityUtils.safeReaddirSync(validatedBackupDir, process.cwd());
+    if (!files || files.length === 0) {
+      logger.warn('No valid backup files found in the backup directory.');
       return;
     }
 
-    const files = await fsp.readdir(backupDir);
     const backups = [];
-    
+
     for (const file of files) {
-      if (file.startsWith('backup-') && file.endsWith('.json')) {
+      if (Array.isArray(files) && file.startsWith('backup-') && file.endsWith('.json')) {
         try {
-          const filePath = path.join(backupDir, file);
-        const stats = await fsp.stat(filePath);
-          backups.push({
-            name: file,
-            path: filePath,
-            size: stats.size,
-            createdAt: stats.mtime
-          });
+          const filePath = path.join(validatedBackupDir, file);
+          const stats = SecurityUtils.safeStatSync(filePath, process.cwd());
+          if (stats) {
+            backups.push({
+              name: file,
+              path: filePath,
+              size: stats.size,
+              createdAt: stats.mtime
+            });
+          }
         } catch (err) {
           logger.warn(`Skipping invalid backup file ${file}: ${err.message}`);
         }
       }
-    }
+    }
     
     if (backups.length === 0) {
       logger.warn('No valid backup files found in the backup directory.');
@@ -610,7 +633,9 @@ async function handleVerify(args) {
   logger.info('\nVerifying backup...');
 
   try {
-    const data = JSON.parse(await fsp.readFile(backupPath, 'utf8'));
+    const rawContent = SecurityUtils.safeReadFileSync(backupPath, process.cwd(), 'utf8');
+    if (!rawContent) throw new Error(`Could not read backup file: ${backupPath}`);
+    const data = JSON.parse(rawContent);
 
     if (data._meta && data._meta.hashes) {
       logger.info('  Performing hash chain verification...');

package/main/i18ntk-complete.js

@@ -13,9 +13,9 @@
 
 
 const path = require('path');
+const fs = require('fs');
 const SecurityUtils = require('../utils/security');
-const { getUnifiedConfig, parseCommonArgs, displayHelp } = require('../utils/config-helper');
-const { loadTranslations, t } = require('../utils/i18n-helper');
+const { loadTranslations, t } = require('../utils/i18n-helper');
 const { getGlobalReadline, closeGlobalReadline } = require('../utils/cli');
 const SetupEnforcer = require('../utils/setup-enforcer');
 
@@ -559,12 +559,23 @@ class I18nCompletionTool {
       await this.initialize();
       
       if (args.sourceDir) {
-        this.config.sourceDir = args.sourceDir;
-        this.sourceDir = path.resolve(this.config.sourceDir);
+        const resolvedSourceDir = path.resolve(args.sourceDir);
+        const validatedSourceDir = SecurityUtils.validatePath(resolvedSourceDir, process.cwd());
+        if (!validatedSourceDir) {
+          console.error(t("complete.invalidSourceDir", { sourceDir: args.sourceDir }));
+          console.error(`Path validation failed — source directory is outside the allowed project boundary.`);
+          process.exit(1);
+        }
+        this.config.sourceDir = resolvedSourceDir;
+        this.sourceDir = validatedSourceDir;
       }
       
       if (args.sourceLanguage) {
-        this.config.sourceLanguage = args.sourceLanguage;
+        this.config.sourceLanguage = SecurityUtils.sanitizeInput(args.sourceLanguage, { 
+          allowedChars: /^[a-zA-Z0-9\-_]+$/, 
+          maxLength: 10,
+          removeHTML: true 
+        });
       }
       
       this.sourceLanguageDir = path.join(this.sourceDir, this.config.sourceLanguage);

package/main/i18ntk-scanner.js

@@ -33,6 +33,11 @@ const SetupEnforcer = require('../utils/setup-enforcer');
   }
 })();
 
+    console.error('Setup check failed:', error.message);
+    process.exit(1);
+  }
+})();
+
 loadTranslations();
 
 class I18nTextScanner {

package/main/i18ntk-translate.js

@@ -65,7 +65,7 @@ const {
 } = require('../utils/translate/protection');
 const { translateBatch, DEFAULT_CONCURRENCY, clampProviderConcurrency } = require('../utils/translate/api');
 const { collectLeaves, getLeaf, setLeaf, deepClone } = require('../utils/translate/traverse');
-const { generateReport, writeReport, formatSummaryLine } = require('../utils/translate/report');
+const { generateReport, writeReport, writeResidualReport, formatSummaryLine } = require('../utils/translate/report');
 const { analyzeEnglishContent } = require('../utils/validation-risk');
 const {
   confirmGlobalChoice,
@@ -834,15 +834,19 @@ function writeOutput(outputData, outputPath, bom) {
 }
 
 async function processFile(sourcePath, targetLang, args) {
-  const fileName = path.basename(sourcePath);
-  const targetDir = args.outputDir || path.join(path.dirname(path.dirname(sourcePath)), targetLang);
+  const resolvedSourcePath = path.resolve(process.cwd(), sourcePath);
+  const fileName = path.basename(resolvedSourcePath);
+  const targetDir = args.outputDir || path.join(path.dirname(path.dirname(resolvedSourcePath)), targetLang);
   const targetPath = path.join(targetDir, fileName);
   const runArgs = { ...args, targetLang };
 
   let sourceData;
   try {
-    const raw = SecurityUtils.safeReadFileSync(sourcePath, path.dirname(sourcePath), 'utf-8').replace(/^\uFEFF/, '');
-    sourceData = JSON.parse(raw);
+    const raw = SecurityUtils.safeReadFileSync(resolvedSourcePath, path.dirname(resolvedSourcePath), 'utf-8');
+    if (raw === null || raw === undefined) {
+      throw new Error('safe read returned no content');
+    }
+    sourceData = JSON.parse(raw.replace(/^\uFEFF/, ''));
   } catch (e) {
     console.error(`Error reading "${sourcePath}": ${e.message}`);
     return null;
@@ -934,7 +938,7 @@ async function processFile(sourcePath, targetLang, args) {
     console.log(`[${fileName}] Protecting terms from: ${protection.filePath}`);
   }
 
-  const manifestPath = createPlaceholderManifest(sourcePath, targetLang, toTranslate);
+  const manifestPath = createPlaceholderManifest(resolvedSourcePath, targetLang, toTranslate);
 
   const translateOptions = {
     sourceLang: runArgs.sourceLang,
@@ -996,7 +1000,7 @@ async function processFile(sourcePath, targetLang, args) {
   }
 
   if (residualUntranslated.length > 0) {
-    console.warn(`[${fileName}] Warning: ${residualUntranslated.length} values still look untranslated after retry. Rerun Auto Translate to capture leftovers.`);
+    console.warn(`[${fileName}] Warning: ${residualUntranslated.length} values still look untranslated after retry. A resume report will capture these keys.`);
   }
 
   console.log(`[${fileName}] Writing output.`);
@@ -1092,7 +1096,15 @@ async function run(args) {
 
   if (allResidualUntranslated.length > 0) {
     console.warn(`WARNING: ${allResidualUntranslated.length} values still look untranslated after Auto Translate.`);
-    console.warn('Rerun Auto Translate to capture leftovers, or review the values listed in the report.');
+    const residualReportPath = writeResidualReport(allResidualUntranslated, {
+      sourceFile: sourceFiles.length === 1 ? sourceFiles[0] : `${sourceFiles.length} files`,
+      targetLang: args.targetLang,
+    });
+    if (residualReportPath) {
+      console.warn(`Auto Translate resume report written: ${residualReportPath}`);
+    } else {
+      console.warn('Auto Translate could not write the resume report. Review the values listed in the report output.');
+    }
   }
 
   if (allSkippedKeys.length > 0 || allResidualUntranslated.length > 0 || args.reportFile || args.reportStdout) {