kiro-mobile-bridge 1.0.7 → 1.0.10

package/src/utils/hash.js

@@ -0,0 +1,34 @@
+/**
+ * Hash utilities for content change detection
+ * 
+ * NOTE: MD5 is used here for change detection only, NOT for security purposes.
+ * MD5 is fast and sufficient for detecting content changes in snapshots.
+ * Do NOT use these functions for password hashing, authentication, or any security-sensitive operations.
+ */
+import crypto from 'crypto';
+
+/**
+ * Generate a unique ID from a string (e.g., WebSocket URL)
+ * Used for cascade identification, not security
+ * @param {string} input - String to hash
+ * @returns {string} - 8-character hash ID
+ */
+export function generateId(input) {
+  if (typeof input !== 'string' || !input) {
+    return crypto.randomBytes(4).toString('hex');
+  }
+  return crypto.createHash('md5').update(input).digest('hex').substring(0, 8);
+}
+
+/**
+ * Compute MD5 hash for change detection
+ * Used to detect content changes in snapshots, not for security
+ * @param {string} content - Content to hash
+ * @returns {string} - Full MD5 hash
+ */
+export function computeHash(content) {
+  if (typeof content !== 'string') {
+    return '';
+  }
+  return crypto.createHash('md5').update(content).digest('hex');
+}

package/src/utils/network.js

@@ -0,0 +1,64 @@
+/**
+ * Network utilities
+ */
+import { networkInterfaces } from 'os';
+
+/**
+ * Get local IP address for LAN access
+ * Returns the first non-internal IPv4 address found.
+ * 
+ * NOTE: On systems with multiple network interfaces, this returns the first one found.
+ * For more control, consider using environment variables or configuration.
+ * 
+ * @returns {string} - Local IP or 'localhost' if no suitable interface found
+ */
+export function getLocalIP() {
+  const interfaces = networkInterfaces();
+  
+  // Prioritize common interface names
+  const priorityInterfaces = ['eth0', 'en0', 'wlan0', 'Wi-Fi', 'Ethernet'];
+  
+  // First, try priority interfaces
+  for (const name of priorityInterfaces) {
+    const ifaces = interfaces[name];
+    if (ifaces) {
+      for (const iface of ifaces) {
+        if (iface.family === 'IPv4' && !iface.internal) {
+          return iface.address;
+        }
+      }
+    }
+  }
+  
+  // Fallback: return first non-internal IPv4
+  for (const name of Object.keys(interfaces)) {
+    for (const iface of interfaces[name]) {
+      if (iface.family === 'IPv4' && !iface.internal) {
+        return iface.address;
+      }
+    }
+  }
+  
+  return 'localhost';
+}
+
+/**
+ * Get all available local IP addresses
+ * Useful for debugging or when user needs to choose interface
+ * 
+ * @returns {Array<{name: string, address: string}>} - Array of interface names and addresses
+ */
+export function getAllLocalIPs() {
+  const interfaces = networkInterfaces();
+  const results = [];
+  
+  for (const name of Object.keys(interfaces)) {
+    for (const iface of interfaces[name]) {
+      if (iface.family === 'IPv4' && !iface.internal) {
+        results.push({ name, address: iface.address });
+      }
+    }
+  }
+  
+  return results;
+}

package/src/utils/security.js

@@ -0,0 +1,160 @@
+/**
+ * Security utilities for input validation and sanitization
+ * Prevents path traversal, XSS, and other security vulnerabilities
+ */
+import path from 'path';
+
+/**
+ * Validate that a file path resolves within an allowed root directory
+ * Prevents path traversal attacks (e.g., ../../etc/passwd)
+ * 
+ * @param {string} filePath - The file path to validate (can be relative or absolute)
+ * @param {string} rootDir - The allowed root directory
+ * @returns {{valid: boolean, resolvedPath: string|null, error: string|null}}
+ */
+export function validatePathWithinRoot(filePath, rootDir) {
+  if (!filePath || typeof filePath !== 'string') {
+    return { valid: false, resolvedPath: null, error: 'Invalid file path' };
+  }
+  
+  if (!rootDir || typeof rootDir !== 'string') {
+    return { valid: false, resolvedPath: null, error: 'Invalid root directory' };
+  }
+  
+  try {
+    // Normalize and resolve both paths to absolute paths
+    const normalizedRoot = path.resolve(rootDir);
+    const resolvedPath = path.resolve(rootDir, filePath);
+    
+    // Ensure the resolved path starts with the root directory
+    // Add path.sep to prevent matching partial directory names
+    // e.g., /home/user vs /home/username
+    const rootWithSep = normalizedRoot.endsWith(path.sep) 
+      ? normalizedRoot 
+      : normalizedRoot + path.sep;
+    
+    if (!resolvedPath.startsWith(rootWithSep) && resolvedPath !== normalizedRoot) {
+      return { 
+        valid: false, 
+        resolvedPath: null, 
+        error: 'Path traversal detected: path resolves outside allowed directory' 
+      };
+    }
+    
+    return { valid: true, resolvedPath, error: null };
+  } catch (err) {
+    return { valid: false, resolvedPath: null, error: `Path validation error: ${err.message}` };
+  }
+}
+
+/**
+ * Escape a string for safe inclusion in JavaScript code
+ * Handles all special characters that could break string literals or enable injection
+ * 
+ * @param {string} str - The string to escape
+ * @returns {string} - Escaped string safe for JS inclusion
+ */
+export function escapeForJavaScript(str) {
+  if (typeof str !== 'string') {
+    return '';
+  }
+  
+  return str
+    .replace(/\\/g, '\\\\')     // Backslashes first (must be first!)
+    .replace(/'/g, "\\'")        // Single quotes
+    .replace(/"/g, '\\"')        // Double quotes
+    .replace(/`/g, '\\`')        // Backticks (template literals)
+    .replace(/\$/g, '\\$')       // Dollar signs (template literal interpolation)
+    .replace(/\n/g, '\\n')       // Newlines
+    .replace(/\r/g, '\\r')       // Carriage returns
+    .replace(/\t/g, '\\t')       // Tabs
+    .replace(/\0/g, '\\0')       // Null bytes
+    .replace(/\u2028/g, '\\u2028')  // Line separator
+    .replace(/\u2029/g, '\\u2029'); // Paragraph separator
+}
+
+/**
+ * Validate and sanitize click info object
+ * Ensures all properties are of expected types and within reasonable limits
+ * 
+ * @param {object} clickInfo - The click info object to validate
+ * @returns {{valid: boolean, sanitized: object|null, error: string|null}}
+ */
+export function sanitizeClickInfo(clickInfo) {
+  if (!clickInfo || typeof clickInfo !== 'object') {
+    return { valid: false, sanitized: null, error: 'Click info must be an object' };
+  }
+  
+  const sanitized = {};
+  
+  // String properties with max length
+  const stringProps = [
+    { name: 'tag', maxLength: 50 },
+    { name: 'text', maxLength: 200 },
+    { name: 'ariaLabel', maxLength: 200 },
+    { name: 'role', maxLength: 50 },
+    { name: 'className', maxLength: 500 },
+    { name: 'tabLabel', maxLength: 100 },
+    { name: 'parentTabLabel', maxLength: 100 },
+    { name: 'filePath', maxLength: 500 },
+    { name: 'toggleId', maxLength: 100 }
+  ];
+  
+  for (const { name, maxLength } of stringProps) {
+    if (clickInfo[name] !== undefined) {
+      if (typeof clickInfo[name] !== 'string') {
+        sanitized[name] = String(clickInfo[name]).substring(0, maxLength);
+      } else {
+        sanitized[name] = clickInfo[name].substring(0, maxLength);
+      }
+    }
+  }
+  
+  // Boolean properties
+  const boolProps = [
+    'isTab', 'isCloseButton', 'isToggle', 'isModelSelector', 'isModelOption',
+    'isSendButton', 'isFileLink', 'isNotificationButton', 'isIconButton', 'isHistoryItem'
+  ];
+  
+  for (const name of boolProps) {
+    if (clickInfo[name] !== undefined) {
+      sanitized[name] = Boolean(clickInfo[name]);
+    }
+  }
+  
+  return { valid: true, sanitized, error: null };
+}
+
+/**
+ * Validate message text for injection
+ * 
+ * @param {string} message - The message to validate
+ * @returns {{valid: boolean, error: string|null}}
+ */
+export function validateMessage(message) {
+  if (!message || typeof message !== 'string') {
+    return { valid: false, error: 'Message must be a non-empty string' };
+  }
+  
+  if (message.length > 50000) {
+    return { valid: false, error: 'Message exceeds maximum length (50000 characters)' };
+  }
+  
+  return { valid: true, error: null };
+}
+
+/**
+ * Sanitize a file path by removing null bytes and normalizing
+ * Does NOT validate path traversal - use validatePathWithinRoot for that
+ * 
+ * @param {string} filePath - The file path to sanitize
+ * @returns {string} - Sanitized file path
+ */
+export function sanitizeFilePath(filePath) {
+  if (typeof filePath !== 'string') {
+    return '';
+  }
+  
+  // Remove null bytes which can be used to bypass security checks
+  return filePath.replace(/\0/g, '');
+}