mdv-live 0.3.1 → 0.3.3

package/src/api/file.js

@@ -6,45 +6,102 @@ import fs from 'fs/promises';
 import { createReadStream } from 'fs';
 import path from 'path';
 import mime from 'mime-types';
+import WebSocket from 'ws';
 import { getFileType } from '../utils/fileTypes.js';
 import { renderFile } from '../rendering/index.js';
 import { validatePath } from '../utils/path.js';
 
+/**
+ * Validate path and resolve to full path
+ * @param {string} relativePath - Relative path to validate
+ * @param {string} rootDir - Root directory
+ * @returns {{ valid: boolean, fullPath: string }} Validation result with full path
+ */
+function resolveAndValidate(relativePath, rootDir) {
+  if (!relativePath || !validatePath(relativePath, rootDir)) {
+    return { valid: false, fullPath: '' };
+  }
+  return { valid: true, fullPath: path.join(rootDir, relativePath) };
+}
+
 /**
  * Broadcast tree_update to all WebSocket clients
  * @param {Express} app - Express app instance
+ * @returns {void}
  */
 function broadcastTreeUpdate(app) {
   const wss = app.locals.wss;
-  if (wss) {
-    const message = JSON.stringify({ type: 'tree_update' });
-    wss.clients.forEach(client => {
-      if (client.readyState === 1) { // WebSocket.OPEN
-        client.send(message);
-      }
-    });
+  if (!wss) return;
+
+  const message = JSON.stringify({ type: 'tree_update' });
+  for (const client of wss.clients) {
+    if (client.readyState === WebSocket.OPEN) {
+      client.send(message);
+    }
+  }
+}
+
+/**
+ * Build download URL for a file
+ * @param {string} relativePath - Relative path to file
+ * @returns {string} Download URL
+ */
+function buildDownloadUrl(relativePath) {
+  return `/api/download?path=${encodeURIComponent(relativePath)}`;
+}
+
+/**
+ * Build response for binary files with appropriate media URLs
+ * @param {string} name - File name
+ * @param {object} fileType - File type info
+ * @param {string} downloadUrl - Download URL
+ * @returns {object} Response object
+ */
+function buildBinaryFileResponse(name, fileType, downloadUrl) {
+  const response = {
+    name,
+    fileType: fileType.type,
+    icon: fileType.icon,
+    downloadUrl
+  };
+
+  switch (fileType.type) {
+    case 'image':
+      response.imageUrl = downloadUrl;
+      break;
+    case 'pdf':
+      response.pdfUrl = downloadUrl;
+      break;
+    case 'video':
+    case 'audio':
+      response.mediaUrl = downloadUrl;
+      break;
   }
+
+  return response;
 }
 
 /**
  * Setup file routes
  * @param {Express} app - Express app instance
+ * @returns {void}
  */
 export function setupFileRoutes(app) {
+  const { rootDir } = app.locals;
+
   // Get file content
   app.get('/api/file', async (req, res) => {
-    try {
-      const { path: relativePath } = req.query;
-      if (!relativePath) {
-        return res.status(400).json({ error: 'Path is required' });
-      }
+    const { path: relativePath } = req.query;
+    const { valid, fullPath } = resolveAndValidate(relativePath, rootDir);
 
-      // Security check (must use relativePath, not fullPath)
-      if (!validatePath(relativePath, app.locals.rootDir)) {
-        return res.status(403).json({ error: 'Access denied' });
-      }
+    if (!relativePath) {
+      return res.status(400).json({ error: 'Path is required' });
+    }
+    if (!valid) {
+      return res.status(403).json({ error: 'Access denied' });
+    }
 
-      const fullPath = path.join(app.locals.rootDir, relativePath);
+    try {
       const stats = await fs.stat(fullPath);
       if (stats.isDirectory()) {
         return res.status(400).json({ error: 'Cannot read directory' });
@@ -53,33 +110,13 @@ export function setupFileRoutes(app) {
       const fileType = getFileType(relativePath);
       const name = path.basename(relativePath);
 
-      // Handle binary files
       if (fileType.binary) {
-        return res.json({
-          name,
-          fileType: fileType.type,
-          icon: fileType.icon,
-          downloadUrl: `/api/download?path=${encodeURIComponent(relativePath)}`,
-          // Special URLs for media types
-          ...(fileType.type === 'image' && {
-            imageUrl: `/api/download?path=${encodeURIComponent(relativePath)}`
-          }),
-          ...(fileType.type === 'pdf' && {
-            pdfUrl: `/api/download?path=${encodeURIComponent(relativePath)}`
-          }),
-          ...(['video', 'audio'].includes(fileType.type) && {
-            mediaUrl: `/api/download?path=${encodeURIComponent(relativePath)}`
-          })
-        });
+        const downloadUrl = buildDownloadUrl(relativePath);
+        return res.json(buildBinaryFileResponse(name, fileType, downloadUrl));
       }
 
-      // Read and render text files
       const rendered = await renderFile(fullPath);
-
-      res.json({
-        name,
-        ...rendered
-      });
+      res.json({ name, ...rendered });
     } catch (err) {
       if (err.code === 'ENOENT') {
         return res.status(404).json({ error: 'File not found' });
@@ -90,18 +127,17 @@ export function setupFileRoutes(app) {
 
   // Save file content
   app.post('/api/file', async (req, res) => {
-    try {
-      const { path: relativePath, content } = req.body;
-      if (!relativePath) {
-        return res.status(400).json({ error: 'Path is required' });
-      }
+    const { path: relativePath, content } = req.body;
+    const { valid, fullPath } = resolveAndValidate(relativePath, rootDir);
 
-      // Security check (must use relativePath, not fullPath)
-      if (!validatePath(relativePath, app.locals.rootDir)) {
-        return res.status(403).json({ error: 'Access denied' });
-      }
+    if (!relativePath) {
+      return res.status(400).json({ error: 'Path is required' });
+    }
+    if (!valid) {
+      return res.status(403).json({ error: 'Access denied' });
+    }
 
-      const fullPath = path.join(app.locals.rootDir, relativePath);
+    try {
       await fs.writeFile(fullPath, content, 'utf-8');
       broadcastTreeUpdate(app);
       res.json({ success: true });
@@ -112,18 +148,17 @@ export function setupFileRoutes(app) {
 
   // Delete file or directory
   app.delete('/api/file', async (req, res) => {
-    try {
-      const { path: relativePath } = req.query;
-      if (!relativePath) {
-        return res.status(400).json({ error: 'Path is required' });
-      }
+    const { path: relativePath } = req.query;
+    const { valid, fullPath } = resolveAndValidate(relativePath, rootDir);
 
-      // Security check (must use relativePath, not fullPath)
-      if (!validatePath(relativePath, app.locals.rootDir)) {
-        return res.status(403).json({ error: 'Access denied' });
-      }
+    if (!relativePath) {
+      return res.status(400).json({ error: 'Path is required' });
+    }
+    if (!valid) {
+      return res.status(403).json({ error: 'Access denied' });
+    }
 
-      const fullPath = path.join(app.locals.rootDir, relativePath);
+    try {
       const stats = await fs.stat(fullPath);
       if (stats.isDirectory()) {
         await fs.rm(fullPath, { recursive: true });
@@ -143,18 +178,17 @@ export function setupFileRoutes(app) {
 
   // Create directory
   app.post('/api/mkdir', async (req, res) => {
-    try {
-      const { path: relativePath } = req.body;
-      if (!relativePath) {
-        return res.status(400).json({ error: 'Path is required' });
-      }
+    const { path: relativePath } = req.body;
+    const { valid, fullPath } = resolveAndValidate(relativePath, rootDir);
 
-      // Security check (must use relativePath, not fullPath)
-      if (!validatePath(relativePath, app.locals.rootDir)) {
-        return res.status(403).json({ error: 'Access denied' });
-      }
+    if (!relativePath) {
+      return res.status(400).json({ error: 'Path is required' });
+    }
+    if (!valid) {
+      return res.status(403).json({ error: 'Access denied' });
+    }
 
-      const fullPath = path.join(app.locals.rootDir, relativePath);
+    try {
       await fs.mkdir(fullPath, { recursive: true });
       broadcastTreeUpdate(app);
       res.json({ success: true });
@@ -165,21 +199,21 @@ export function setupFileRoutes(app) {
 
   // Move/rename file or directory
   app.post('/api/move', async (req, res) => {
-    try {
-      const { source, destination } = req.body;
-      if (!source || !destination) {
-        return res.status(400).json({ error: 'Source and destination are required' });
-      }
+    const { source, destination } = req.body;
 
-      // Security check (must use relative paths, not full paths)
-      if (!validatePath(source, app.locals.rootDir) ||
-          !validatePath(destination, app.locals.rootDir)) {
-        return res.status(403).json({ error: 'Access denied' });
-      }
+    if (!source || !destination) {
+      return res.status(400).json({ error: 'Source and destination are required' });
+    }
+
+    const sourceResult = resolveAndValidate(source, rootDir);
+    const destResult = resolveAndValidate(destination, rootDir);
 
-      const sourcePath = path.join(app.locals.rootDir, source);
-      const destPath = path.join(app.locals.rootDir, destination);
-      await fs.rename(sourcePath, destPath);
+    if (!sourceResult.valid || !destResult.valid) {
+      return res.status(403).json({ error: 'Access denied' });
+    }
+
+    try {
+      await fs.rename(sourceResult.fullPath, destResult.fullPath);
       broadcastTreeUpdate(app);
       res.json({ success: true });
     } catch (err) {
@@ -190,47 +224,42 @@ export function setupFileRoutes(app) {
   // Download file (with Range Request support for video/audio streaming)
   app.get('/api/download', async (req, res) => {
     const { path: relativePath } = req.query;
+    const { valid, fullPath } = resolveAndValidate(relativePath, rootDir);
+
     if (!relativePath) {
       return res.status(400).json({ error: 'Path is required' });
     }
-
-    // Security check (must use relativePath, not fullPath)
-    if (!validatePath(relativePath, app.locals.rootDir)) {
+    if (!valid) {
       return res.status(403).json({ error: 'Access denied' });
     }
 
-    const fullPath = path.join(app.locals.rootDir, relativePath);
-
     try {
       const stat = await fs.stat(fullPath);
       if (!stat.isFile()) {
         return res.status(400).json({ error: 'Not a file' });
       }
 
-      const fileSize = stat.size;
-      const range = req.headers.range;
-
-      if (range) {
-        // Range Request対応（動画/音声ストリーミング用）
-        const parts = range.replace(/bytes=/, '').split('-');
-        const start = parseInt(parts[0], 10);
-        const end = parts[1] ? parseInt(parts[1], 10) : fileSize - 1;
-        const chunkSize = end - start + 1;
-
-        const mimeType = mime.lookup(fullPath) || 'application/octet-stream';
-        res.writeHead(206, {
-          'Content-Range': `bytes ${start}-${end}/${fileSize}`,
-          'Accept-Ranges': 'bytes',
-          'Content-Length': chunkSize,
-          'Content-Type': mimeType,
-        });
-
-        const stream = createReadStream(fullPath, { start, end });
-        stream.pipe(res);
-      } else {
-        // 通常のファイル送信
-        res.sendFile(fullPath);
+      const rangeHeader = req.headers.range;
+      if (!rangeHeader) {
+        return res.sendFile(fullPath);
       }
+
+      // Range Request for video/audio streaming
+      const fileSize = stat.size;
+      const parts = rangeHeader.replace(/bytes=/, '').split('-');
+      const start = parseInt(parts[0], 10);
+      const end = parts[1] ? parseInt(parts[1], 10) : fileSize - 1;
+      const chunkSize = end - start + 1;
+      const mimeType = mime.lookup(fullPath) || 'application/octet-stream';
+
+      res.writeHead(206, {
+        'Content-Range': `bytes ${start}-${end}/${fileSize}`,
+        'Accept-Ranges': 'bytes',
+        'Content-Length': chunkSize,
+        'Content-Type': mimeType,
+      });
+
+      createReadStream(fullPath, { start, end }).pipe(res);
     } catch (err) {
       if (err.code === 'ENOENT') {
         return res.status(404).json({ error: 'File not found' });

package/src/api/pdf.js

@@ -5,23 +5,29 @@
 
 import { exec } from 'child_process';
 import { promisify } from 'util';
+import fs from 'fs/promises';
 import path from 'path';
-import fs from 'fs';
 import { fileURLToPath } from 'url';
+import { validatePath } from '../utils/path.js';
 
 const execAsync = promisify(exec);
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-
-// Get path to local marp-cli binary
-const marpBin = path.join(__dirname, '..', '..', 'node_modules', '.bin', 'marp');
+const marpBin = path.join(
+  path.dirname(fileURLToPath(import.meta.url)),
+  '..',
+  '..',
+  'node_modules',
+  '.bin',
+  'marp'
+);
 
 /**
  * Setup PDF export routes
  * @param {Express} app - Express application
+ * @returns {void}
  */
 export function setupPdfRoutes(app) {
-  // Export Marp presentation to PDF
+  const { rootDir } = app.locals;
+
   app.post('/api/pdf/export', async (req, res) => {
     const { filePath } = req.body;
 
@@ -29,43 +35,34 @@ export function setupPdfRoutes(app) {
       return res.status(400).json({ error: 'filePath is required' });
     }
 
-    const rootDir = app.locals.rootDir;
-    const fullPath = path.join(rootDir, filePath);
-
-    // Security check: ensure path is within rootDir
-    const resolvedPath = path.resolve(fullPath);
-    if (!resolvedPath.startsWith(rootDir)) {
+    if (!validatePath(filePath, rootDir)) {
       return res.status(403).json({ error: 'Access denied' });
     }
 
-    // Check if file exists
-    if (!fs.existsSync(resolvedPath)) {
+    const fullPath = path.join(rootDir, filePath);
+
+    try {
+      await fs.access(fullPath);
+    } catch {
       return res.status(404).json({ error: 'File not found' });
     }
 
-    // Generate output path (same directory, .pdf extension)
-    const outputPath = resolvedPath.replace(/\.md$/, '.pdf');
+    const outputPath = fullPath.replace(/\.md$/, '.pdf');
     const outputFileName = path.basename(outputPath);
+    const command = `"${marpBin}" "${fullPath}" -o "${outputPath}" --allow-local-files --no-stdin`;
 
     try {
-      // Run marp-cli using local binary (faster than npx)
-      // --no-stdin prevents waiting for stdin input
-      const command = `"${marpBin}" "${resolvedPath}" -o "${outputPath}" --allow-local-files --no-stdin`;
       await execAsync(command, { timeout: 60000 });
-
-      // Send PDF as download
       res.download(outputPath, outputFileName, (err) => {
         if (err) {
           console.error('Download error:', err);
         }
-        // Optionally delete the PDF after download
-        // fs.unlinkSync(outputPath);
       });
-    } catch (error) {
-      console.error('PDF export error:', error);
+    } catch (err) {
+      console.error('PDF export error:', err);
       res.status(500).json({
         error: 'PDF export failed',
-        details: error.message
+        details: err.message
       });
     }
   });

package/src/api/tree.js

@@ -5,7 +5,32 @@
 import fs from 'fs/promises';
 import path from 'path';
 import { getFileType } from '../utils/fileTypes.js';
-import { validatePath } from '../utils/path.js';
+import { getRelativePath, validatePath } from '../utils/path.js';
+
+const IGNORED_PATTERNS = new Set(['node_modules', '__pycache__']);
+const MAX_INITIAL_DEPTH = 1;
+
+/**
+ * Check if an entry should be ignored
+ * @param {string} name - Entry name
+ * @returns {boolean} True if should be ignored
+ */
+function shouldIgnore(name) {
+  return name.startsWith('.') || IGNORED_PATTERNS.has(name);
+}
+
+/**
+ * Sort entries: directories first, then files, alphabetically
+ * @param {fs.Dirent} a - First entry
+ * @param {fs.Dirent} b - Second entry
+ * @returns {number} Sort order
+ */
+function sortEntries(a, b) {
+  const aIsDir = a.isDirectory();
+  const bIsDir = b.isDirectory();
+  if (aIsDir !== bIsDir) return aIsDir ? -1 : 1;
+  return a.name.localeCompare(b.name);
+}
 
 /**
  * Build file tree for a directory
@@ -16,50 +41,32 @@ import { validatePath } from '../utils/path.js';
  */
 export async function buildFileTree(dirPath, rootDir, depth = 0) {
   const items = [];
-  const maxInitialDepth = 1; // Only expand first level initially
 
   try {
     const entries = await fs.readdir(dirPath, { withFileTypes: true });
-
-    // Sort: directories first, then files, alphabetically
-    entries.sort((a, b) => {
-      if (a.isDirectory() && !b.isDirectory()) return -1;
-      if (!a.isDirectory() && b.isDirectory()) return 1;
-      return a.name.localeCompare(b.name);
-    });
+    entries.sort(sortEntries);
 
     for (const entry of entries) {
-      // Skip hidden files and common ignore patterns
-      if (entry.name.startsWith('.')) continue;
-      if (entry.name === 'node_modules') continue;
-      if (entry.name === '__pycache__') continue;
+      if (shouldIgnore(entry.name)) continue;
 
       const fullPath = path.join(dirPath, entry.name);
-      const relativePath = path.relative(rootDir, fullPath).split(path.sep).join('/');
+      const relativePath = getRelativePath(fullPath, rootDir);
 
       if (entry.isDirectory()) {
-        const item = {
+        const shouldLoadChildren = depth < MAX_INITIAL_DEPTH;
+        items.push({
           type: 'directory',
           name: entry.name,
           path: relativePath,
-          children: [],
-          loaded: false
-        };
-
-        // Load children for first level
-        if (depth < maxInitialDepth) {
-          item.children = await buildFileTree(fullPath, rootDir, depth + 1);
-          item.loaded = true;
-        }
-
-        items.push(item);
+          children: shouldLoadChildren ? await buildFileTree(fullPath, rootDir, depth + 1) : [],
+          loaded: shouldLoadChildren
+        });
       } else {
-        const fileType = getFileType(entry.name);
         items.push({
           type: 'file',
           name: entry.name,
           path: relativePath,
-          icon: fileType.icon
+          icon: getFileType(entry.name).icon
         });
       }
     }

package/src/api/upload.js

@@ -2,29 +2,41 @@
  * File upload API routes
  */
 
-import multer from 'multer';
 import fs from 'fs/promises';
+import multer from 'multer';
 import path from 'path';
+
 import { validatePath } from '../utils/path.js';
 
+const FILE_SIZE_LIMIT = 100 * 1024 * 1024; // 100MB
+
+/**
+ * Sanitize filename to prevent path traversal and remove control characters
+ * @param {string} originalName - Original filename from upload
+ * @returns {string} Sanitized filename
+ */
+function sanitizeFilename(originalName) {
+  const baseName = path.basename(originalName);
+  const sanitized = baseName.replace(/[\x00-\x1f]/g, '');
+  return sanitized || 'unnamed';
+}
+
 /**
  * Setup upload routes
  * @param {Express} app - Express app instance
+ * @returns {void}
  */
 export function setupUploadRoutes(app) {
-  // Configure multer for file uploads
   const storage = multer.diskStorage({
     destination: async (req, file, cb) => {
       const targetPath = req.body.path || '';
 
-      // Security check: validate relative path before joining
       if (!validatePath(targetPath, app.locals.rootDir)) {
         return cb(new Error('Access denied'));
       }
 
       const fullPath = path.join(app.locals.rootDir, targetPath);
 
-      // Ensure directory exists
       try {
         await fs.mkdir(fullPath, { recursive: true });
         cb(null, fullPath);
@@ -33,37 +45,26 @@ export function setupUploadRoutes(app) {
       }
     },
     filename: (req, file, cb) => {
-      // パストラバーサル防止: ベース名のみ使用
-      const safeName = path.basename(file.originalname);
-      // null byteや制御文字を除去
-      const sanitized = safeName.replace(/[\x00-\x1f]/g, '');
-      cb(null, sanitized || 'unnamed');
+      cb(null, sanitizeFilename(file.originalname));
     }
   });
 
   const upload = multer({
     storage,
-    limits: {
-      fileSize: 100 * 1024 * 1024 // 100MB limit
-    }
+    limits: { fileSize: FILE_SIZE_LIMIT }
   });
 
-  // Upload files
   app.post('/api/upload', upload.array('files'), (req, res) => {
-    try {
-      if (!req.files || req.files.length === 0) {
-        return res.status(400).json({ error: 'No files uploaded' });
-      }
+    if (!req.files || req.files.length === 0) {
+      return res.status(400).json({ error: 'No files uploaded' });
+    }
 
-      const uploaded = req.files.map(f => ({
-        name: f.originalname,
-        size: f.size
-      }));
+    const uploaded = req.files.map(file => ({
+      name: file.originalname,
+      size: file.size
+    }));
 
-      res.json({ success: true, files: uploaded });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
+    res.json({ success: true, files: uploaded });
   });
 }