npm - opencode-landstrip - Versions diffs - 0.14.0 → 0.14.1 - Mend

opencode-landstrip 0.14.0 → 0.14.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.ts +57 -12
package/package.json +1 -1

package/index.ts CHANGED Viewed

@@ -58,7 +58,7 @@ interface SandboxPermissionDecision {
 type ToastVariant = 'info' | 'success' | 'warning' | 'error';
-const LANDSTRIP_VERSION = [0, 14, 0] as const;
+const LANDSTRIP_VERSION = [0, 14, 5] as const;
 const REQUIRED_LANDSTRIP_VERSION = LANDSTRIP_VERSION.join('.');
 const LANDSTRIP_OPERATIONS = new Set<'read' | 'write'>(['read', 'write']);
 const SUPPORTED_PLATFORMS = new Set<NodeJS.Platform>(['linux', 'darwin', 'win32']);
@@ -101,6 +101,38 @@ function canonicalizePath(filePath: string, baseDirectory: string): string {
   }
 }
+/**
+ * Translates an absolute glob pattern to a regular expression using standard
+ * path semantics: `**` crosses directory boundaries (and `**/` may match zero
+ * segments), while a single `*` is confined to one path segment.
+ */
+function globToRegExp(globPattern: string): RegExp {
+  let regex = '';
+  for (let i = 0; i < globPattern.length; i++) {
+    const char = globPattern[i];
+    if (char === '*') {
+      if (globPattern[i + 1] === '*') {
+        i++;
+        if (globPattern[i + 1] === '/') {
+          i++;
+          regex += '(?:.*/)?';
+        } else {
+          regex += '.*';
+        }
+      } else {
+        regex += '[^/]*';
+      }
+    } else if (/[.+^${}()|[\]\\]/.test(char)) {
+      regex += `\\${char}`;
+    } else {
+      regex += char;
+    }
+  }
+  return new RegExp(`^${regex}$`);
+}
 function matchesPattern(filePath: string, patterns: string[], baseDirectory: string): boolean {
   const abs = canonicalizePath(filePath, baseDirectory);
@@ -110,8 +142,7 @@ function matchesPattern(filePath: string, patterns: string[], baseDirectory: str
       : canonicalizePath(pattern, baseDirectory);
     if (pattern.includes('*')) {
-      const escaped = absPattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
-      return new RegExp(`^${escaped}$`).test(abs);
+      return globToRegExp(absPattern).test(abs);
     }
     const sep = absPattern.endsWith('/') ? '' : '/';
@@ -271,10 +302,6 @@ function evaluateReadPermission(
 ): SandboxPermissionDecision {
   const filePath = canonicalizePath(path, baseDirectory);
-  if (!shouldPromptForRead(filePath, effectiveAllowRead, baseDirectory)) {
-    return { status: 'allow', kind: 'read', resource: filePath, message: '' };
-  }
   if (isBlockedByDenyRead(filePath, config, baseDirectory)) {
     return {
       status: 'deny',
@@ -284,6 +311,10 @@ function evaluateReadPermission(
     };
   }
+  if (!shouldPromptForRead(filePath, effectiveAllowRead, baseDirectory)) {
+    return { status: 'allow', kind: 'read', resource: filePath, message: '' };
+  }
   return {
     status: 'ask',
     kind: 'read',
@@ -300,10 +331,6 @@ function evaluateWritePermission(
 ): SandboxPermissionDecision {
   const filePath = canonicalizePath(path, baseDirectory);
-  if (!shouldPromptForWrite(filePath, effectiveAllowWrite, baseDirectory)) {
-    return { status: 'allow', kind: 'write', resource: filePath, message: '' };
-  }
   if (matchesPattern(filePath, config.filesystem.denyWrite, baseDirectory)) {
     return {
       status: 'deny',
@@ -313,6 +340,10 @@ function evaluateWritePermission(
     };
   }
+  if (!shouldPromptForWrite(filePath, effectiveAllowWrite, baseDirectory)) {
+    return { status: 'allow', kind: 'write', resource: filePath, message: '' };
+  }
   return {
     status: 'ask',
     kind: 'write',
@@ -325,7 +356,7 @@ function evaluateDomainPermission(
   domain: string,
   config: SandboxConfig,
 ): SandboxPermissionDecision {
-  if (config.network.allowNetwork || domainMatchesAny(domain, config.network.allowedDomains)) {
+  if (config.network.allowNetwork) {
     return { status: 'allow', kind: 'domain', resource: domain, message: '' };
   }
@@ -338,6 +369,10 @@ function evaluateDomainPermission(
     };
   }
+  if (domainMatchesAny(domain, config.network.allowedDomains)) {
+    return { status: 'allow', kind: 'domain', resource: domain, message: '' };
+  }
   return {
     status: 'ask',
     kind: 'domain',
@@ -547,10 +582,15 @@ function startProxy(config: SandboxConfig): Promise<{ port: number; stop: () =>
       return;
     }
+    let connected = false;
     const upstream = connectNet(endpoint.port, endpoint.host, () => {
+      connected = true;
       client.write('HTTP/1.1 200 Connection Established\r\n\r\n');
       pipeSockets(client, upstream, rest);
     });
+    upstream.on('error', () => {
+      if (!connected) denyProxyRequest(client, '502 Bad Gateway');
+    });
   }
   async function handleHttp(client: Socket, headerText: string, rest: Buffer): Promise<void> {
@@ -589,10 +629,15 @@ function startProxy(config: SandboxConfig): Promise<{ port: number; stop: () =>
     const rewrittenHeader = lines
       .filter((line) => !line.toLowerCase().startsWith('proxy-connection:'))
       .join('\r\n');
+    let connected = false;
     const upstream = connectNet(port, url.hostname, () => {
+      connected = true;
       upstream.write(`${rewrittenHeader}\r\n\r\n`);
       pipeSockets(client, upstream, rest);
     });
+    upstream.on('error', () => {
+      if (!connected) denyProxyRequest(client, '502 Bad Gateway');
+    });
   }
   function handleClient(client: Socket): void {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-landstrip",
-  "version": "0.14.0",
+  "version": "0.14.1",
   "description": "Landlock-based sandboxing for opencode with landstrip",
   "keywords": [
     "landlock",