mastercontroller 1.3.1 → 1.3.3

package/.claude/settings.local.json

@@ -5,7 +5,12 @@
       "Bash(mv:*)",
       "Bash(node -e:*)",
       "Bash(find:*)",
-      "Bash(node -c:*)"
+      "Bash(node -c:*)",
+      "Bash(grep:*)",
+      "Bash(ls:*)",
+      "Bash(git checkout:*)",
+      "Bash(perl -i -pe:*)",
+      "Bash(node test-circular-dependency.js:*)"
     ],
     "deny": [],
     "ask": []

package/MasterAction.js

@@ -1,7 +1,6 @@
 
 // version 0.0.23
 
-var master = require('./MasterControl');
 var fileserver = require('fs');
 var toolClass =  require('./MasterTools');
 var tempClass =  require('./MasterTemplate');
@@ -26,9 +25,18 @@ const { validator, validateRequestBody, sanitizeObject } = require('./security/M
 const { sanitizeUserHTML, escapeHTML } = require('./security/MasterSanitizer');
 
 class MasterAction{
-	
+
+	// Lazy-load master to avoid circular dependency
+	// Static getter ensures single instance (Singleton pattern - Google style)
+	static get _master() {
+		if (!MasterAction.__masterCache) {
+			MasterAction.__masterCache = require('./MasterControl');
+		}
+		return MasterAction.__masterCache;
+	}
+
 	getView(location, data){
-		var actionUrl =  master.root + location;
+		var actionUrl =  MasterAction._master.root + location;
 		const fileResult = safeReadFile(fileserver, actionUrl);
 
 		if (!fileResult.success) {
@@ -46,22 +54,72 @@ class MasterAction{
 
 
 	returnJson(data){
-		var json = JSON.stringify(data);
-		if (!this.__response._headerSent) {
-			this.__response.writeHead(200, {'Content-Type': 'application/json'});
-			this.__response.end(json);
+		try {
+			const json = JSON.stringify(data);
+			// FIXED: Check both _headerSent and headersSent for compatibility
+			if (!this.__response._headerSent && !this.__response.headersSent) {
+				this.__response.writeHead(200, {'Content-Type': 'application/json'});
+				this.__response.end(json);
+			} else {
+				logger.warn({
+					code: 'MC_WARN_HEADERS_SENT',
+					message: 'Attempted to send JSON but headers already sent'
+				});
+			}
+		} catch (error) {
+			logger.error({
+				code: 'MC_ERR_JSON_SEND',
+				message: 'Failed to send JSON response',
+				error: error.message,
+				stack: error.stack
+			});
 		}
 	}
 
 	// location starts from the view folder. Ex: partialViews/fileName.html
 	returnPartialView(location, data){
-		var actionUrl = master.root + location;
-		var getAction = fileserver.readFileSync(actionUrl, 'utf8');
-		if(master.overwrite.isTemplate){
-			return master.overwrite.templateRender( data, "returnPartialView");
+		// SECURITY: Validate path to prevent traversal attacks
+		if (!location || location.includes('..') || location.includes('~') || path.isAbsolute(location)) {
+			logger.warn({
+				code: 'MC_SECURITY_PATH_TRAVERSAL',
+				message: 'Path traversal attempt blocked in returnPartialView',
+				path: location
+			});
+			this.returnError(400, 'Invalid path');
+			return '';
 		}
-		else{
-			return temp.htmlBuilder(getAction, data);
+
+		const actionUrl = path.resolve(master.root, location);
+
+		// SECURITY: Ensure resolved path is within app root
+		if (!actionUrl.startsWith(master.root)) {
+			logger.warn({
+				code: 'MC_SECURITY_PATH_TRAVERSAL',
+				message: 'Path traversal blocked in returnPartialView',
+				requestedPath: location,
+				resolvedPath: actionUrl
+			});
+			this.returnError(403, 'Forbidden');
+			return '';
+		}
+
+		try {
+			const getAction = fileserver.readFileSync(actionUrl, 'utf8');
+			if(master.overwrite.isTemplate){
+				return master.overwrite.templateRender( data, "returnPartialView");
+			}
+			else{
+				return temp.htmlBuilder(getAction, data);
+			}
+		} catch (error) {
+			logger.error({
+				code: 'MC_ERR_PARTIAL_VIEW',
+				message: 'Failed to read partial view',
+				path: location,
+				error: error.message
+			});
+			this.returnError(404, 'View not found');
+			return '';
 		}
 	}
 
@@ -112,21 +170,34 @@ class MasterAction{
 
 	// redirects to another action inside the same controller = does not reload the page
 	redirectToAction(namespace, action, type, data, components){
+		// FIXED: Declare variables before if/else to avoid undefined reference
+		const resp = this.__requestObject.response;
+		const req = this.__requestObject.request;
 
-		var requestObj = {
+		const requestObj = {
 			toController : namespace,
 			toAction : action,
 			type : type,
 			params : data
-		}
+		};
+
 		if(components){
-			var resp = this.__requestObject.response;
-			var req = this.__requestObject.request;
-			master.router.currentRoute = {root : `${master.root}/components/${namespace}`, toController : namespace, toAction : action, response : resp, request: req };
+			master.router.currentRoute = {
+				root : `${master.root}/components/${namespace}`,
+				toController : namespace,
+				toAction : action,
+				response : resp,
+				request: req
+			};
 		}else{
-			master.router.currentRoute = {root : `${master.root}/${namespace}`, toController : namespace, toAction : action, response : resp, request: req };
+			master.router.currentRoute = {
+				root : `${master.root}/${namespace}`,
+				toController : namespace,
+				toAction : action,
+				response : resp,
+				request: req
+			};
 		}
-		
 
 		master.router._call(requestObj);
 	}
@@ -176,11 +247,45 @@ class MasterAction{
 	}
 
 	returnViewWithoutEngine(location){
-		var actionUrl =  master.root + location;
-		var masterView = fileserver.readFileSync(actionUrl, 'utf8');
-		if (!this.__requestObject.response._headerSent) {
-			this.__requestObject.response.writeHead(200, {'Content-Type': 'text/html'});
-			this.__requestObject.response.end(masterView);
+		// SECURITY: Validate path to prevent traversal attacks
+		if (!location || location.includes('..') || location.includes('~') || path.isAbsolute(location)) {
+			logger.warn({
+				code: 'MC_SECURITY_PATH_TRAVERSAL',
+				message: 'Path traversal attempt blocked in returnViewWithoutEngine',
+				path: location
+			});
+			this.returnError(400, 'Invalid path');
+			return;
+		}
+
+		const actionUrl = path.resolve(master.root, location);
+
+		// SECURITY: Ensure resolved path is within app root
+		if (!actionUrl.startsWith(master.root)) {
+			logger.warn({
+				code: 'MC_SECURITY_PATH_TRAVERSAL',
+				message: 'Path traversal blocked in returnViewWithoutEngine',
+				requestedPath: location,
+				resolvedPath: actionUrl
+			});
+			this.returnError(403, 'Forbidden');
+			return;
+		}
+
+		try {
+			const masterView = fileserver.readFileSync(actionUrl, 'utf8');
+			if (!this.__requestObject.response._headerSent) {
+				this.__requestObject.response.writeHead(200, {'Content-Type': 'text/html'});
+				this.__requestObject.response.end(masterView);
+			}
+		} catch (error) {
+			logger.error({
+				code: 'MC_ERR_VIEW_READ',
+				message: 'Failed to read view file',
+				path: location,
+				error: error.message
+			});
+			this.returnError(404, 'View not found');
 		}
 	}
 
@@ -448,6 +553,7 @@ class MasterAction{
   /**
    * Require HTTPS for this action
    * Usage: if (!this.requireHTTPS()) return;
+   * FIXED: Uses configured hostname, not unvalidated Host header
    */
   requireHTTPS() {
     if (!this.isSecure()) {
@@ -457,7 +563,23 @@ class MasterAction{
         path: this.__requestObject.pathName
       });
 
-      const httpsUrl = `https://${this.__requestObject.request.headers.host}${this.__requestObject.pathName}`;
+      // SECURITY FIX: Never use Host header from request (open redirect vulnerability)
+      // Use configured hostname instead
+      const configuredHost = master.env?.server?.hostname || 'localhost';
+      const httpsPort = master.env?.server?.httpsPort || 443;
+      const port = httpsPort === 443 ? '' : `:${httpsPort}`;
+
+      // Validate configured host exists
+      if (!configuredHost || configuredHost === 'localhost') {
+        logger.error({
+          code: 'MC_CONFIG_MISSING_HOSTNAME',
+          message: 'requireHTTPS called but no hostname configured in master.env.server.hostname'
+        });
+        this.returnError(500, 'Server misconfiguration');
+        return false;
+      }
+
+      const httpsUrl = `https://${configuredHost}${port}${this.__requestObject.pathName}`;
       this.redirectTo(httpsUrl);
       return false;
     }
@@ -484,5 +606,14 @@ class MasterAction{
 
 }
 
+// Export for MasterControl and register after event loop (prevents circular dependency)
+// This is the Lazy Registration pattern used by Spring Framework, Angular, Google Guice
+module.exports = MasterAction;
 
-master.extendController(MasterAction);
+// Use setImmediate to register after master is fully loaded
+setImmediate(() => {
+	const master = require('./MasterControl');
+	if (master && master.extendController) {
+		master.extendController(MasterAction);
+	}
+});

package/MasterActionFilters.js

@@ -1,98 +1,218 @@
-// version 1.7
-var master = require('./MasterControl');
-
-var _beforeActionFunc = {
-    namespace :   "",
-    actionList : "",
-    callBack : "",
-    that : ""
-};
-var _afterActionFunc = {
-    namespace :   "",
-    actionList : "",
-    callBack : "",
-    that : ""
-};
-var emit = "";
+// version 2.0 - FIXED: Instance-level filters, async support, multiple filters
+const { logger } = require('./error/MasterErrorLogger');
 
 class MasterActionFilters {
 
-    // add function to list
-    beforeAction(actionlist, func){
-        if (typeof func === 'function') {
-            _beforeActionFunc = {
-                namespace : this.__namespace,
-                actionList : actionlist,
-                callBack : func,
-                that : this
-            };
-        }
-        else{
-            master.error.log("beforeAction callback not a function", "warn");
-        }
- 
-    }
-
-    // add function to list
-    afterAction(actionlist, func){
-        if (typeof func === 'function') {
-            _afterActionFunc = {
-                namespace : this.__namespace,
-                actionList : actionlist,
-                callBack : func,
-                that : this
-            };
-        }
-        else{
-            master.error.log("afterAction callback not a function", "warn");
-        }
- 
-    }
-    
-    // check to see if that controller has a before Action method.
-    __hasBeforeAction(obj, request){
-        var flag = false;
-        if(_beforeActionFunc.namespace === obj.__namespace){
-            for (var a = 0; a < _beforeActionFunc.actionList.length; a++) { 
-                var action = request.toAction.replace(/\s/g, '');
-                var incomingAction = _beforeActionFunc.actionList[a].replace(/\s/g, '');
-                if(incomingAction === action){
-                    flag = true;
-                }
-            }
-        }
-        return flag;
-    }
-
-    __callBeforeAction(obj, request, emitter) {
-            if(_beforeActionFunc.namespace === obj.__namespace){
-                _beforeActionFunc.actionList.forEach(action => {
-                    var action = action.replace(/\s/g, '');
-                    var reqAction = request.toAction.replace(/\s/g, '');
-                    if(action === reqAction){
-                        emit = emitter;
-                        // call function inside controller 
-                        _beforeActionFunc.callBack.call(_beforeActionFunc.that, request);
-                    }
-                });
-            };
-     }
-
-     __callAfterAction(obj, request) {
-            if(_afterActionFunc.namespace === obj.__namespace){
-                _afterActionFunc.actionList.forEach(action => {
-                        var action = action.replace(/\s/g, '');
-                        var reqAction = request.toAction.replace(/\s/g, '');
-                        if(action === reqAction){
-                            _afterActionFunc.callBack.call(_afterActionFunc.that, request);
-                        }
-                    });
-            };
-     }
-
-     next(){
-        emit.emit("controller");
-     }
+	// Lazy-load master to avoid circular dependency (Google-style Singleton pattern)
+	static get _master() {
+		if (!MasterActionFilters.__masterCache) {
+			MasterActionFilters.__masterCache = require('./MasterControl');
+		}
+		return MasterActionFilters.__masterCache;
+	}
+
+	constructor() {
+		// FIXED: Instance-level storage instead of module-level
+		// Each controller gets its own filter arrays
+		this._beforeActionFilters = [];
+		this._afterActionFilters = [];
+	}
+
+	// Register a before action filter
+	// FIXED: Adds to array instead of overwriting
+	beforeAction(actionlist, func){
+		if (typeof func !== 'function') {
+			master.error.log("beforeAction callback not a function", "warn");
+			return;
+		}
+
+		// FIXED: Push to array, don't overwrite
+		this._beforeActionFilters.push({
+			namespace: this.__namespace,
+			actionList: Array.isArray(actionlist) ? actionlist : [actionlist],
+			callBack: func,
+			that: this
+		});
+	}
+
+	// Register an after action filter
+	// FIXED: Adds to array instead of overwriting
+	afterAction(actionlist, func){
+		if (typeof func !== 'function') {
+			master.error.log("afterAction callback not a function", "warn");
+			return;
+		}
+
+		// FIXED: Push to array, don't overwrite
+		this._afterActionFilters.push({
+			namespace: this.__namespace,
+			actionList: Array.isArray(actionlist) ? actionlist : [actionlist],
+			callBack: func,
+			that: this
+		});
+	}
+
+	// Check if controller has before action filters for this action
+	__hasBeforeAction(obj, request){
+		if (!this._beforeActionFilters || this._beforeActionFilters.length === 0) {
+			return false;
+		}
+
+		return this._beforeActionFilters.some(filter => {
+			if (filter.namespace !== obj.__namespace) {
+				return false;
+			}
+
+			const requestAction = request.toAction.replace(/\s/g, '');
+			return filter.actionList.some(action => {
+				const filterAction = action.replace(/\s/g, '');
+				return filterAction === requestAction;
+			});
+		});
+	}
+
+	// Execute all matching before action filters
+	// FIXED: Async support, error handling, timeout protection, no variable shadowing
+	async __callBeforeAction(obj, request, emitter) {
+		if (!this._beforeActionFilters || this._beforeActionFilters.length === 0) {
+			return;
+		}
+
+		// Find all matching filters
+		const requestAction = request.toAction.replace(/\s/g, '');
+		const matchingFilters = this._beforeActionFilters.filter(filter => {
+			if (filter.namespace !== obj.__namespace) {
+				return false;
+			}
+
+			return filter.actionList.some(actionName => {
+				const normalizedAction = actionName.replace(/\s/g, '');
+				return normalizedAction === requestAction;
+			});
+		});
+
+		// Execute all matching filters in order
+		for (const filter of matchingFilters) {
+			try {
+				// FIXED: Add timeout protection (5 seconds default)
+				await this._executeWithTimeout(
+					filter.callBack,
+					filter.that,
+					[request],
+					emitter,
+					5000
+				);
+			} catch (error) {
+				// FIXED: Proper error handling
+				logger.error({
+					code: 'MC_FILTER_ERROR',
+					message: 'Error in beforeAction filter',
+					namespace: filter.namespace,
+					action: requestAction,
+					error: error.message,
+					stack: error.stack
+				});
+
+				// Send error response
+				const res = request.response;
+				if (res && !res._headerSent && !res.headersSent) {
+					res.writeHead(500, { 'Content-Type': 'application/json' });
+					res.end(JSON.stringify({
+						error: 'Internal Server Error',
+						message: master.environmentType === 'development' ? error.message : 'Filter execution failed'
+					}));
+				}
+
+				// Don't continue to other filters if one fails
+				throw error;
+			}
+		}
+	}
+
+	// Execute all matching after action filters
+	// FIXED: Async support, error handling, no variable shadowing
+	async __callAfterAction(obj, request) {
+		if (!this._afterActionFilters || this._afterActionFilters.length === 0) {
+			return;
+		}
+
+		// Find all matching filters
+		const requestAction = request.toAction.replace(/\s/g, '');
+		const matchingFilters = this._afterActionFilters.filter(filter => {
+			if (filter.namespace !== obj.__namespace) {
+				return false;
+			}
+
+			return filter.actionList.some(actionName => {
+				const normalizedAction = actionName.replace(/\s/g, '');
+				return normalizedAction === requestAction;
+			});
+		});
+
+		// Execute all matching filters in order
+		for (const filter of matchingFilters) {
+			try {
+				// FIXED: Add timeout protection (5 seconds default)
+				await this._executeWithTimeout(
+					filter.callBack,
+					filter.that,
+					[request],
+					null,
+					5000
+				);
+			} catch (error) {
+				// FIXED: Proper error handling
+				logger.error({
+					code: 'MC_FILTER_ERROR',
+					message: 'Error in afterAction filter',
+					namespace: filter.namespace,
+					action: requestAction,
+					error: error.message,
+					stack: error.stack
+				});
+
+				// After filters don't stop execution, just log
+			}
+		}
+	}
+
+	// FIXED: Execute function with timeout protection
+	async _executeWithTimeout(func, context, args, emitter, timeout) {
+		// Store emitter in context for next() call
+		if (emitter) {
+			context.__filterEmitter = emitter;
+		}
+
+		return Promise.race([
+			// Execute the filter
+			Promise.resolve(func.call(context, ...args)),
+			// Timeout promise
+			new Promise((_, reject) =>
+				setTimeout(() => reject(new Error(`Filter timeout after ${timeout}ms`)), timeout)
+			)
+		]);
+	}
+
+	// FIXED: Request-scoped next() function
+	next(){
+		if (this.__filterEmitter) {
+			this.__filterEmitter.emit("controller");
+		} else {
+			logger.warn({
+				code: 'MC_FILTER_WARN',
+				message: 'next() called but no emitter available',
+				namespace: this.__namespace
+			});
+		}
+	}
 }
 
-master.extendController( MasterActionFilters);
+// Export and lazy register (prevents circular dependency - Spring/Angular pattern)
+module.exports = MasterActionFilters;
+
+setImmediate(() => {
+	const master = require('./MasterControl');
+	if (master && master.extendController) {
+		master.extendController(MasterActionFilters);
+	}
+});