mpx-scan 1.2.1 → 1.3.0

package/bin/cli.js

@@ -47,14 +47,14 @@ program
   .option('--full', 'Run all checks (Pro only)')
   .option('--json', 'Output as JSON (machine-readable)')
   .option('--brief', 'Brief output (one-line summary)')
-  .option('--quiet, -q', 'Minimal output (results only, no banners)')
+  .option('-q, --quiet', 'Minimal output (results only, no banners)')
   .option('--no-color', 'Disable colored output')
   .option('--batch', 'Batch mode: read URLs from stdin (one per line)')
   .option('--schema', 'Output JSON schema describing all commands and flags')
   .option('--fix <platform>', `Generate fix config for platform (${PLATFORMS.join(', ')})`)
   .option('--timeout <seconds>', 'Connection timeout', '10')
   .option('--ci', 'CI/CD mode: exit 1 if score below threshold')
-  .option('--min-score <score>', 'Minimum score for CI mode (default: 70)', '70')
+  .option('--min-score <score>', 'Minimum score for CI mode', '70')
   .action(async (url, options) => {
     // Handle --schema flag
     if (options.schema) {
@@ -89,6 +89,31 @@ async function runSingleScan(url, options) {
   }
 
   try {
+    // BUG-03: Validate --fix platform BEFORE scanning (exits 2 for invalid platforms)
+    if (options.fix) {
+      if (!PLATFORMS.includes(options.fix)) {
+        if (jsonMode) {
+          console.log(JSON.stringify({ error: `Invalid platform: "${options.fix}". Valid platforms: ${PLATFORMS.join(', ')}`, code: 'ERR_BAD_ARGS' }, null, 2));
+        } else {
+          console.error(chalk.red.bold(`\n❌ Invalid platform: "${options.fix}"`));
+          console.error(chalk.yellow(`Valid platforms: ${PLATFORMS.join(', ')}`));
+          console.error('');
+        }
+        return EXIT.BAD_ARGS;
+      }
+    }
+
+    // Validate timeout
+    const timeoutVal = parseInt(options.timeout);
+    if (isNaN(timeoutVal) || timeoutVal < 0) {
+      if (jsonMode) {
+        console.log(JSON.stringify({ error: 'Invalid --timeout value. Must be a non-negative number.', code: 'ERR_BAD_ARGS' }, null, 2));
+      } else {
+        console.error(chalk.red.bold('\n❌ Invalid --timeout value. Must be a non-negative number.'));
+      }
+      return EXIT.BAD_ARGS;
+    }
+    
     // Check license and rate limits
     const license = getLicense();
     const rateLimit = checkRateLimit();
@@ -159,9 +184,29 @@ async function runSingleScan(url, options) {
       console.log(formatReport(results, { ...options, quiet: quietMode }));
     }
     
+    // Check if core scanners errored with network issues (DNS failure, connection refused, etc.)
+    const coreScanners = ['headers', 'ssl'];
+    const coreErrored = coreScanners.every(name => {
+      const section = results.sections[name];
+      if (!section) return false;
+      return section.checks.some(c => c.status === 'error' && 
+        /ENOTFOUND|ECONNREFUSED|ETIMEDOUT|ECONNRESET|network/i.test(c.message || ''));
+    });
+    if (coreErrored) {
+      return EXIT.NETWORK_ERROR;
+    }
+    
     // Determine exit code based on findings
     if (options.ci) {
       const minScore = parseInt(options.minScore);
+      if (isNaN(minScore)) {
+        if (jsonMode) {
+          console.log(JSON.stringify({ error: 'Invalid --min-score value', code: 'ERR_BAD_ARGS' }, null, 2));
+        } else {
+          console.error(chalk.red.bold('\n❌ Invalid --min-score value. Must be a number.'));
+        }
+        return EXIT.BAD_ARGS;
+      }
       const percentage = Math.round((results.score / results.maxScore) * 100);
       if (percentage < minScore) {
         if (!jsonMode && !options.brief && !quietMode) {
@@ -169,6 +214,7 @@ async function runSingleScan(url, options) {
         }
         return EXIT.ISSUES_FOUND;
       }
+      return EXIT.SUCCESS;
     }
     
     // Exit 1 if there are failures, 0 if clean
@@ -362,6 +408,79 @@ program
     console.log('');
   });
 
+// Update subcommand
+program
+  .command('update')
+  .description('Check for updates and optionally install the latest version')
+  .option('--check', 'Only check for updates (do not install)')
+  .option('--json', 'Machine-readable JSON output')
+  .action(async (options, cmd) => {
+    const { checkForUpdate, performUpdate } = require('../src/update');
+    const jsonMode = options.json || cmd.parent?.opts()?.json;
+
+    try {
+      const info = checkForUpdate();
+
+      if (jsonMode) {
+        const output = {
+          current: info.current,
+          latest: info.latest,
+          updateAvailable: info.updateAvailable,
+          isGlobal: info.isGlobal
+        };
+
+        if (!options.check && info.updateAvailable) {
+          try {
+            const result = performUpdate(info.isGlobal);
+            output.updated = true;
+            output.newVersion = result.version;
+          } catch (err) {
+            output.updated = false;
+            output.error = err.message;
+          }
+        }
+
+        console.log(JSON.stringify(output, null, 2));
+        process.exit(EXIT.SUCCESS);
+        return;
+      }
+
+      // Human-readable output
+      if (!info.updateAvailable) {
+        console.log('');
+        console.log(chalk.green.bold(`✓ mpx-scan v${info.current} is up to date`));
+        console.log('');
+        process.exit(EXIT.SUCCESS);
+        return;
+      }
+
+      console.log('');
+      console.log(chalk.yellow.bold(`⬆ Update available: v${info.current} → v${info.latest}`));
+
+      if (options.check) {
+        console.log(chalk.gray(`Run ${chalk.cyan('mpx-scan update')} to install`));
+        console.log('');
+        process.exit(EXIT.SUCCESS);
+        return;
+      }
+
+      console.log(chalk.gray(`Installing v${info.latest}${info.isGlobal ? ' (global)' : ''}...`));
+
+      const result = performUpdate(info.isGlobal);
+      console.log(chalk.green.bold(`✓ Updated to v${result.version}`));
+      console.log('');
+      process.exit(EXIT.SUCCESS);
+    } catch (err) {
+      if (jsonMode) {
+        console.log(JSON.stringify({ error: err.message, code: 'ERR_UPDATE' }, null, 2));
+      } else {
+        console.error(chalk.red.bold('\n❌ Update check failed:'), err.message);
+        console.error('');
+      }
+      process.exit(EXIT.NETWORK_ERROR);
+    }
+  });
+
 // MCP subcommand
 program
   .command('mcp')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mpx-scan",
-  "version": "1.2.1",
+  "version": "1.3.0",
   "description": "Professional website security scanner CLI. Check headers, SSL, cookies, DNS, and get actionable fix suggestions. Part of the Mesaplex developer toolchain.",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -7,6 +7,8 @@
  * Zero external dependencies for scanning (only chalk/commander for CLI)
  */
 
+const https = require('https');
+const http = require('http');
 const { scanHeaders } = require('./scanners/headers');
 const { scanSSL } = require('./scanners/ssl');
 const { scanCookies } = require('./scanners/cookies');
@@ -30,8 +32,58 @@ const SCANNER_TIERS = {
  * @param {object} options - Scan options
  * @returns {object} Structured scan report
  */
+/**
+ * Quick connectivity check — throws a network error if the host is unreachable.
+ * Used to provide exit code 4 (NETWORK_ERROR) early instead of silently returning error checks.
+ */
+function checkConnectivity(parsedUrl, timeoutMs) {
+  return new Promise((resolve, reject) => {
+    const protocol = parsedUrl.protocol === 'https:' ? https : http;
+    const timer = setTimeout(() => {
+      req && req.destroy();
+      const err = new Error(`ETIMEDOUT: Connection to ${parsedUrl.hostname} timed out`);
+      err.code = 'ETIMEDOUT';
+      reject(err);
+    }, timeoutMs);
+
+    const req = protocol.request({
+      hostname: parsedUrl.hostname,
+      port: parsedUrl.port || (parsedUrl.protocol === 'https:' ? 443 : 80),
+      path: parsedUrl.pathname || '/',
+      method: 'HEAD',
+      timeout: timeoutMs,
+      headers: { 'User-Agent': 'mpx-scan/1.2.1 Security Scanner' },
+      rejectUnauthorized: false,
+    }, (res) => {
+      clearTimeout(timer);
+      res.resume();
+      resolve();
+    });
+
+    req.on('error', (err) => {
+      clearTimeout(timer);
+      if (err.code === 'ENOTFOUND' || err.code === 'ECONNREFUSED' || err.code === 'ETIMEDOUT' || err.code === 'ECONNRESET') {
+        reject(err);
+      } else {
+        resolve(); // Other errors (like SSL) are fine — host is reachable
+      }
+    });
+
+    req.on('timeout', () => {
+      req.destroy();
+      clearTimeout(timer);
+      const err = new Error(`ETIMEDOUT: Connection to ${parsedUrl.hostname} timed out`);
+      err.code = 'ETIMEDOUT';
+      reject(err);
+    });
+
+    req.end();
+  });
+}
+
 async function scan(url, options = {}) {
   const startTime = Date.now();
+  const timeoutMs = options.timeout || 10000;
   
   // Normalize URL
   if (!url.startsWith('http://') && !url.startsWith('https://')) {
@@ -39,6 +91,9 @@ async function scan(url, options = {}) {
   }
   
   const parsedUrl = new URL(url);
+  
+  // BUG-02: Pre-scan connectivity check — throws network error → CLI maps to exit 4
+  await checkConnectivity(parsedUrl, Math.min(timeoutMs, 10000));
   const results = {
     url: parsedUrl.href,
     hostname: parsedUrl.hostname,
@@ -75,10 +130,21 @@ async function scan(url, options = {}) {
   
   const enabledScanners = allScanners.filter(s => allowedScanners.includes(s.name));
 
+  // BUG-05: Wrap each scanner in a timeout race to prevent hanging on closed ports
+  const scannerTimeout = timeoutMs + 5000; // Give scanners a bit extra beyond the connect timeout
+
   // Run scanners concurrently
   const scanPromises = enabledScanners.map(async (scanner) => {
     try {
-      const result = await scanner.fn(parsedUrl, options);
+      // BUG-05: Race scanner against timeout to prevent indefinite hang on closed ports
+      const timeoutPromise = new Promise((_, reject) => {
+        const t = setTimeout(() => {
+          reject(new Error(`Scanner timed out after ${scannerTimeout}ms`));
+        }, scannerTimeout);
+        // Allow process to exit even if timer is pending
+        if (t.unref) t.unref();
+      });
+      const result = await Promise.race([scanner.fn(parsedUrl, options), timeoutPromise]);
       return { name: scanner.name, weight: scanner.weight, result };
     } catch (err) {
       return { 

package/src/reporters/json.js

@@ -4,10 +4,12 @@
  * Machine-readable output for CI/CD pipelines
  */
 
+const pkg = require('../../package.json');
+
 function formatJSON(results, pretty = false) {
   const output = {
     mpxScan: {
-      version: '1.0.0',
+      version: pkg.version,
       scannedAt: results.scannedAt,
       scanDuration: results.scanDuration
     },

package/src/reporters/terminal.js

@@ -34,6 +34,11 @@ const GRADE_COLORS = {
 function formatReport(results, options = {}) {
   const lines = [];
   
+  // Quiet mode: results only, no banners or decoration
+  if (options.quiet) {
+    return formatQuiet(results);
+  }
+  
   // Header
   lines.push('');
   lines.push(chalk.bold.cyan('┌─────────────────────────────────────────────────────────────┐'));
@@ -137,4 +142,25 @@ function capitalize(str) {
     .trim();
 }
 
+function formatQuiet(results) {
+  const lines = [];
+  const gradeColor = GRADE_COLORS[results.grade] || 'gray';
+  const percentage = Math.round((results.score / results.maxScore) * 100);
+  
+  lines.push(chalk.bold[gradeColor](results.grade) + chalk.gray(` (${percentage}/100)`) + 
+             ` — ${chalk.green(results.summary.passed + ' passed')} ${chalk.yellow(results.summary.warnings + ' warnings')} ${chalk.red(results.summary.failed + ' failed')}`);
+  
+  for (const [name, section] of Object.entries(results.sections)) {
+    for (const check of section.checks) {
+      if (check.status === 'fail' || check.status === 'warn') {
+        const icon = STATUS_ICONS[check.status];
+        const color = STATUS_COLORS[check.status];
+        lines.push(chalk[color](`  ${icon} ${check.name}: ${check.message || ''}`));
+      }
+    }
+  }
+  
+  return lines.join('\n');
+}
+
 module.exports = { formatReport, formatBrief };

package/src/scanners/dns.js

@@ -13,6 +13,19 @@
 const dns = require('dns');
 const { Resolver } = dns.promises;
 
+/**
+ * BUG-12: Wrap a DNS promise in a race against a timeout to prevent indefinite hangs.
+ */
+function withTimeout(promise, ms, label) {
+  return Promise.race([
+    promise,
+    new Promise((_, reject) => {
+      const t = setTimeout(() => reject(new Error(`DNS timeout for ${label}`)), ms);
+      if (t.unref) t.unref();
+    })
+  ]);
+}
+
 async function scanDNS(parsedUrl, options = {}) {
   const checks = [];
   let score = 0;
@@ -25,11 +38,13 @@ async function scanDNS(parsedUrl, options = {}) {
   
   const resolver = new Resolver();
   resolver.setServers(['8.8.8.8', '1.1.1.1']); // Use public DNS
+  
+  const dnsTimeout = options.timeout ? Math.min(options.timeout, 10000) : 10000;
 
   // --- SPF Record ---
   maxScore += 1;
   try {
-    const txtRecords = await resolver.resolveTxt(rootDomain);
+    const txtRecords = await withTimeout(resolver.resolveTxt(rootDomain), dnsTimeout, `TXT ${rootDomain}`);
     const spf = txtRecords.flat().find(r => r.startsWith('v=spf1'));
     if (spf) {
       const hasAll = /[-~?+]all/.test(spf);
@@ -54,7 +69,7 @@ async function scanDNS(parsedUrl, options = {}) {
   // --- DMARC Record ---
   maxScore += 1;
   try {
-    const dmarcRecords = await resolver.resolveTxt(`_dmarc.${rootDomain}`);
+    const dmarcRecords = await withTimeout(resolver.resolveTxt(`_dmarc.${rootDomain}`), dnsTimeout, `DMARC ${rootDomain}`);
     const dmarc = dmarcRecords.flat().find(r => r.startsWith('v=DMARC1'));
     if (dmarc) {
       const policy = (dmarc.match(/p=(\w+)/) || [])[1] || 'none';
@@ -82,7 +97,7 @@ async function scanDNS(parsedUrl, options = {}) {
   // --- CAA Records ---
   maxScore += 0.5;
   try {
-    const caaRecords = await resolver.resolveCaa(rootDomain);
+    const caaRecords = await withTimeout(resolver.resolveCaa(rootDomain), dnsTimeout, `CAA ${rootDomain}`);
     if (caaRecords && caaRecords.length > 0) {
       const issuers = caaRecords.filter(r => r.tag === 'issue').map(r => r.value);
       checks.push({ name: 'CAA Records', status: 'pass', message: `Restricts certificate issuance to: ${issuers.join(', ')}`, value: issuers.join(', ') });
@@ -100,7 +115,7 @@ async function scanDNS(parsedUrl, options = {}) {
 
   // --- MX Records (informational) ---
   try {
-    const mxRecords = await resolver.resolveMx(rootDomain);
+    const mxRecords = await withTimeout(resolver.resolveMx(rootDomain), dnsTimeout, `MX ${rootDomain}`);
     if (mxRecords && mxRecords.length > 0) {
       const mxList = mxRecords.sort((a, b) => a.priority - b.priority).map(r => `${r.exchange} (${r.priority})`);
       checks.push({ name: 'MX Records', status: 'info', message: `Mail servers: ${mxList.join(', ')}`, value: mxList.join(', ') });

package/src/scanners/redirects.js

@@ -38,7 +38,7 @@ async function scanRedirects(parsedUrl, options = {}) {
       
       const result = await followRedirect(testUrl, options);
       
-      if (result.redirectsToExternal) {
+      if (result.redirectsToExternal && !result.isSameDomain) {
         vulnParams.push({ param, redirectedTo: result.location });
         return { param, vulnerable: true };
       } else {
@@ -81,7 +81,7 @@ function followRedirect(testUrl, options = {}) {
     const protocol = testUrl.protocol === 'https:' ? https : http;
     let resolved = false;
     const done = (val) => { if (!resolved) { resolved = true; resolve(val); } };
-    const timer = setTimeout(() => done({ redirectsToExternal: false }), timeout + 1000);
+    const timer = setTimeout(() => { req && req.destroy(); done({ redirectsToExternal: false }); }, timeout);
 
     const req = protocol.request(testUrl.href, {
       method: 'GET',
@@ -96,13 +96,13 @@ function followRedirect(testUrl, options = {}) {
         const location = res.headers.location;
         try {
           const redirectTarget = new URL(location, testUrl.href);
-          // Check if redirect goes to our test domain OR any external domain
-          // that wasn't the original host (indicates the param controls redirect target)
           const originalHost = testUrl.hostname;
-          const isExternal = redirectTarget.hostname !== originalHost && 
-                            (redirectTarget.hostname.includes('evil.example.com') ||
-                             redirectTarget.href.includes('evil.example.com'));
-          done({ redirectsToExternal: isExternal, location });
+          // Only flag if redirect target is exactly the evil test domain
+          const isExternal = redirectTarget.hostname === 'evil.example.com';
+          // Skip flagging apex→www redirects (same root domain)
+          const getRootDomain = h => h.split('.').slice(-2).join('.');
+          const isSameDomain = getRootDomain(redirectTarget.hostname) === getRootDomain(originalHost);
+          done({ redirectsToExternal: isExternal, isSameDomain, location });
         } catch {
           done({ redirectsToExternal: false });
         }

package/src/schema.js

@@ -175,6 +175,19 @@ function getSchema() {
       deactivate: {
         description: 'Deactivate Pro license and return to free tier',
         usage: 'mpx-scan deactivate'
+      },
+      update: {
+        description: 'Check for updates and optionally install the latest version',
+        usage: 'mpx-scan update [--check] [--json]',
+        flags: {
+          '--check': { description: 'Only check for updates (do not install)', default: false },
+          '--json': { description: 'Machine-readable JSON output', default: false }
+        },
+        examples: [
+          { command: 'mpx-scan update', description: 'Check and install updates' },
+          { command: 'mpx-scan update --check', description: 'Just check for updates' },
+          { command: 'mpx-scan update --check --json', description: 'Check for updates (JSON output)' }
+        ]
       }
     },
     scanners: {

package/src/update.js

@@ -0,0 +1,68 @@
+/**
+ * Update Command
+ * 
+ * Checks npm for the latest version of mpx-scan and offers to update.
+ */
+
+const { execSync } = require('child_process');
+const pkg = require('../package.json');
+
+/**
+ * Check npm registry for latest version
+ * @returns {object} { current, latest, updateAvailable, isGlobal }
+ */
+function checkForUpdate() {
+  const current = pkg.version;
+  
+  let latest;
+  try {
+    latest = execSync('npm view mpx-scan version', { encoding: 'utf8', timeout: 10000 }).trim();
+  } catch (err) {
+    throw new Error('Failed to check npm registry: ' + (err.message || 'unknown error'));
+  }
+  
+  const updateAvailable = latest !== current && compareVersions(latest, current) > 0;
+  
+  // Detect if installed globally
+  let isGlobal = false;
+  try {
+    const globalDir = execSync('npm root -g', { encoding: 'utf8', timeout: 5000 }).trim();
+    isGlobal = __dirname.startsWith(globalDir) || process.argv[1]?.includes('node_modules/.bin');
+  } catch {
+    // Can't determine, assume local
+  }
+  
+  return { current, latest, updateAvailable, isGlobal };
+}
+
+/**
+ * Perform the update
+ * @param {boolean} isGlobal - Install globally
+ * @returns {object} { success, version }
+ */
+function performUpdate(isGlobal) {
+  const cmd = isGlobal ? 'npm install -g mpx-scan@latest' : 'npm install mpx-scan@latest';
+  try {
+    execSync(cmd, { encoding: 'utf8', timeout: 60000, stdio: 'pipe' });
+    // Verify
+    const newVersion = execSync('npm view mpx-scan version', { encoding: 'utf8', timeout: 10000 }).trim();
+    return { success: true, version: newVersion };
+  } catch (err) {
+    throw new Error('Update failed: ' + (err.message || 'unknown error'));
+  }
+}
+
+/**
+ * Compare semver strings. Returns >0 if a > b, <0 if a < b, 0 if equal.
+ */
+function compareVersions(a, b) {
+  const pa = a.split('.').map(Number);
+  const pb = b.split('.').map(Number);
+  for (let i = 0; i < 3; i++) {
+    if ((pa[i] || 0) > (pb[i] || 0)) return 1;
+    if ((pa[i] || 0) < (pb[i] || 0)) return -1;
+  }
+  return 0;
+}
+
+module.exports = { checkForUpdate, performUpdate, compareVersions };