no-mistakes 0.11.1 → 0.12.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "no-mistakes",
-  "version": "0.11.1",
+  "version": "0.12.1",
   "description": "Static codebase analysis tools for TS/JS dependencies, dependents, and symbols",
   "license": "MIT",
   "repository": {

package/report-types.d.ts

@@ -49,6 +49,73 @@ export interface ServerRoutesReport {
   diagnostics: unknown[];
 }
 
+export type FetchSourceType =
+  | "page"
+  | "layout"
+  | "loading"
+  | "error"
+  | "template"
+  | "route"
+  | "module";
+
+export type CacheKind =
+  | "none"
+  | "fetch-cache"
+  | "fetch-next-revalidate"
+  | "fetch-next-tags"
+  | "react-cache"
+  | "cache"
+  | "unstable-cache";
+
+export interface FetchOccurrence {
+  path: string;
+  rawPath: string;
+  method: string;
+  file: string;
+  line: number;
+  side: "server" | "client";
+  rsc: boolean;
+  cached: boolean;
+  cacheKind: CacheKind;
+  cachedFunction?: string;
+  dynamic: boolean;
+  unsupported: boolean;
+  functionName?: string;
+  conditional: boolean;
+  inPromiseAll: boolean;
+  errorHandled: boolean;
+  sourceType: FetchSourceType;
+}
+
+export interface FetchRouteReport {
+  route: string;
+  file: string;
+  apiCalls: FetchOccurrence[];
+}
+
+export interface FetchSummary {
+  totalRoutes: number;
+  routesWithApiCalls: number;
+  totalApiCalls: number;
+  uniqueApiCalls: number;
+  duplicateApiCalls: number;
+  dynamicApiCalls: number;
+  cachedApiCalls: number;
+  clientApiCalls: number;
+  serverApiCalls: number;
+  rscApiCalls: number;
+  conditionalApiCalls: number;
+  parallelApiCalls: number;
+  errorHandledApiCalls: number;
+}
+
+export interface FetchReport {
+  summary: FetchSummary;
+  routes: FetchRouteReport[];
+  duplicates: unknown[];
+  unsupported: unknown[];
+}
+
 export interface ReactComponentFacts {
   name: string;
   file: string;

package/scripts/install/assets.js

@@ -2,7 +2,28 @@
 
 const { basename } = require("node:path");
 
-function assetName(binName, version, target, assetExtension) {
+function assetName(binNameOrOptions, version, target, assetExtension) {
+  if (
+    typeof binNameOrOptions === "object" &&
+    binNameOrOptions !== null &&
+    !Array.isArray(binNameOrOptions)
+  ) {
+    return assetNameFromOptions(binNameOrOptions);
+  }
+  return assetNameFromLegacyArgs(binNameOrOptions, version, target, assetExtension);
+}
+
+function assetNameFromLegacyArgs(binName, version, target, assetExtension) {
+  return assetNameFromOptions({ binName, version, target, assetExtension });
+}
+
+function assetNameFromOptions({ binName, version, target, assetExtension }) {
+  if (typeof binName !== "string" || typeof version !== "string" || typeof target !== "string") {
+    throw new TypeError(
+      "assetName requires (binName, version, target) or an equivalent options object.",
+    );
+  }
+
   const ext = assetExtension ?? (target.endsWith("windows-msvc") ? ".exe" : "");
   return `${binName}-v${version}-${target}${ext}`;
 }

package/scripts/install/download.js

@@ -9,8 +9,9 @@ const { fileURLToPath } = require("node:url");
 
 const DOWNLOAD_TIMEOUT_MS = 30_000;
 
-function download(url, destination, redirects = 0) {
-  if (url.startsWith("file://")) {
+function download(url, destination, redirects = 0, validateUrl = () => {}) {
+  validateUrl(url);
+  if (isFileUrl(url)) {
     return copyFile(fileURLToPath(url), destination);
   }
 
@@ -20,6 +21,9 @@ function download(url, destination, redirects = 0) {
       await pipeline(response, createWriteStream(destination));
     },
     redirects,
+    { http, https },
+    DOWNLOAD_TIMEOUT_MS,
+    validateUrl,
   );
 }
 
@@ -29,8 +33,15 @@ function request(
   redirects = 0,
   clients = { http, https },
   timeoutMs = DOWNLOAD_TIMEOUT_MS,
+  validateUrl = () => {},
 ) {
   return new Promise((resolve, reject) => {
+    try {
+      validateUrl(url);
+    } catch (error) {
+      reject(error);
+      return;
+    }
     const client = url.startsWith("http://") ? clients.http : clients.https;
     const req = client.get(url, (response) => {
       if (isRedirectStatus(response.statusCode)) {
@@ -49,6 +60,7 @@ function request(
           redirects + 1,
           clients,
           timeoutMs,
+          validateUrl,
         ).then(resolve, reject);
         return;
       }
@@ -73,25 +85,42 @@ function isRedirectStatus(statusCode) {
   return [301, 302, 303, 307, 308].includes(statusCode);
 }
 
-async function fetchText(url) {
-  if (url.startsWith("file://")) {
+async function fetchText(url, validateUrl = () => {}) {
+  validateUrl(url);
+
+  if (isFileUrl(url)) {
     return readFile(fileURLToPath(url), "utf8");
   }
   const chunks = [];
   let totalLength = 0;
   const MAX_LENGTH = 1024 * 1024;
-  await request(url, async (response) => {
-    for await (const chunk of response) {
-      totalLength += chunk.length;
-      if (totalLength > MAX_LENGTH) {
-        throw new Error(`Response exceeded maximum size of ${MAX_LENGTH} bytes`);
+  await request(
+    url,
+    async (response) => {
+      for await (const chunk of response) {
+        totalLength += chunk.length;
+        if (totalLength > MAX_LENGTH) {
+          throw new Error(`Response exceeded maximum size of ${MAX_LENGTH} bytes`);
+        }
+        chunks.push(chunk);
       }
-      chunks.push(chunk);
-    }
-  });
+    },
+    0,
+    { http, https },
+    DOWNLOAD_TIMEOUT_MS,
+    validateUrl,
+  );
   return Buffer.concat(chunks).toString("utf8");
 }
 
+function isFileUrl(url) {
+  try {
+    return new URL(url).protocol === "file:";
+  } catch {
+    return false;
+  }
+}
+
 module.exports = {
   download,
   fetchText,

package/scripts/install/installer.js

@@ -52,19 +52,25 @@ async function install(binName, repository, options = {}) {
     return destination;
   }
 
-  const asset = assetName(binName, version, target, options.assetExtension);
-  const baseUrl = options.baseUrl || releaseBaseUrl(repository, version, options.envVar);
+  const asset = assetName({ binName, version, target, assetExtension: options.assetExtension });
+  const baseUrl = normalizeBaseUrl(
+    options.baseUrl || releaseBaseUrl(repository, version, options.envVar),
+  );
+  validateReleaseBaseUrl(baseUrl, repository, { enforcePath: true });
+  const validateReleaseDownloadUrl = (url) =>
+    validateReleaseBaseUrl(url, repository, { enforcePath: false });
+
   const temp = `${destination}.tmp-${process.pid}`;
 
   await mkdir(vendorDir, { recursive: true });
 
   try {
     console.log(`Downloading ${binName} v${version} for ${target}...`);
-    await download(`${baseUrl}/${asset}`, temp);
+    await download(`${baseUrl}/${asset}`, temp, 0, validateReleaseDownloadUrl);
 
     let checksumText;
     try {
-      checksumText = await fetchText(`${baseUrl}/${asset}.sha256`);
+      checksumText = await fetchText(`${baseUrl}/${asset}.sha256`, validateReleaseDownloadUrl);
     } catch (e) {
       throw new Error(`Failed to fetch checksum for ${asset}: ${e.message}`);
     }
@@ -85,6 +91,84 @@ async function install(binName, repository, options = {}) {
   }
 }
 
+function normalizeBaseUrl(baseUrl) {
+  const url = String(baseUrl);
+  if (url.endsWith("://")) {
+    return url;
+  }
+  return url.replace(/\/+$/, "");
+}
+
+function validateReleaseBaseUrl(baseUrl, repository, options = {}) {
+  const enforcePath = options.enforcePath ?? true;
+  const allowedPublicHost = "github.com";
+  const allowedRedirectHostSuffixes = ["githubusercontent.com"];
+  const allowedLocalHosts = ["127.0.0.1", "example.test"];
+  const publicPathPrefix = `/${repository.toLowerCase()}/releases/download`;
+
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(baseUrl);
+  } catch {
+    throw new Error(`Invalid release base URL: ${baseUrl}. It must be a valid absolute URL.`);
+  }
+
+  if (parsedUrl.protocol === "file:") {
+    if (
+      parsedUrl.username ||
+      parsedUrl.password ||
+      parsedUrl.pathname.startsWith("//") ||
+      !String(baseUrl).toLowerCase().startsWith("file:///")
+    ) {
+      throw new Error(
+        `Untrusted base URL: ${baseUrl}. File URLs must use canonical 'file:///path/to/asset' form and must not include credentials.`,
+      );
+    }
+    return;
+  }
+  if (parsedUrl.username || parsedUrl.password) {
+    throw new Error(`Untrusted base URL: ${baseUrl}. Credentials are not allowed in URLs.`);
+  }
+
+  const hostname = parsedUrl.hostname.toLowerCase();
+  const isLocalHost = allowedLocalHosts.includes(hostname);
+  if (isLocalHost) {
+    if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+      throw new Error(`Untrusted base URL: ${baseUrl}. Expected http: or https: protocol.`);
+    }
+  } else if (parsedUrl.protocol !== "https:") {
+    throw new Error(`Untrusted base URL: ${baseUrl}. Expected https: protocol.`);
+  }
+
+  if (enforcePath && hostname !== allowedPublicHost && !isLocalHost) {
+    throw new Error(
+      `Untrusted base URL: ${baseUrl}. When enforcePath is enabled, expected base URL host ${allowedPublicHost} unless host is a local testing host.`,
+    );
+  }
+
+  const isAllowedHost =
+    hostname === allowedPublicHost ||
+    allowedLocalHosts.includes(hostname) ||
+    allowedRedirectHostSuffixes.some(
+      (suffix) => hostname === suffix || hostname.endsWith(`.${suffix}`),
+    );
+  if (!isAllowedHost) {
+    throw new Error(
+      `Untrusted base URL: ${baseUrl}. Allowed hosts are: ${[allowedPublicHost, ...allowedLocalHosts, ...allowedRedirectHostSuffixes.map((suffix) => `*.${suffix}`)].join(", ")}.`,
+    );
+  }
+
+  if (
+    enforcePath &&
+    !isLocalHost &&
+    !parsedUrl.pathname.toLowerCase().startsWith(`${publicPathPrefix}/`)
+  ) {
+    throw new Error(
+      `Untrusted GitHub repository in base URL: ${baseUrl}. For github.com, expected base URL prefix ${publicPathPrefix}.`,
+    );
+  }
+}
+
 function isPlaceholder(path) {
   let fd;
   try {
@@ -121,4 +205,5 @@ module.exports = {
   isPlaceholder,
   sha256,
   unsupportedPlatformMessage,
+  validateReleaseBaseUrl,
 };