openmagic 0.43.1 → 0.43.2

package/README.md

@@ -184,6 +184,7 @@ npx openmagic --port 3000
 
 - **Origin change** -- Your app runs on `:3000` but you access it via `:4567`. This can break OAuth redirect URIs, `localStorage` isolation, and Service Worker scope. Most dev setups work fine, but if your app checks `window.location.origin`, you may need to adjust your dev config.
 - **CSP via meta tags** -- OpenMagic strips CSP response headers so the toolbar script can load, but `<meta>` tag CSP can't be modified at the proxy level and may still block it.
+- **Same-page trust boundary** -- The toolbar runs inside your proxied development page so it can inspect selected DOM elements. Do not use OpenMagic with untrusted third-party scripts running in that page.
 - **Not for production** -- This is a dev tool. Don't deploy the proxy to production.
 
 ---

package/dist/cli.js

@@ -214,7 +214,7 @@ import {
   closeSync,
   renameSync as renameSync2
 } from "fs";
-import { join as join3, resolve, relative, dirname, extname } from "path";
+import { join as join3, resolve, relative, dirname, extname, parse } from "path";
 import { tmpdir } from "os";
 import { createHash } from "crypto";
 var IGNORED_DIRS = /* @__PURE__ */ new Set([
@@ -250,19 +250,41 @@ var IGNORED_EXTENSIONS = /* @__PURE__ */ new Set([
 ]);
 function isPathSafe(filePath, roots) {
   const resolved = resolve(filePath);
-  let real;
-  try {
-    real = realpathSync(resolved);
-  } catch {
-    real = resolved;
-  }
   return roots.some((root) => {
     const resolvedRoot = resolve(root);
+    let realRoot;
+    try {
+      realRoot = realpathSync(resolvedRoot);
+    } catch {
+      return false;
+    }
     const rel = relative(resolvedRoot, resolved);
-    const realRel = relative(resolvedRoot, real);
-    return !rel.startsWith("..") && !rel.startsWith("/") && !rel.startsWith("\\") && (!realRel.startsWith("..") && !realRel.startsWith("/") && !realRel.startsWith("\\"));
+    if (isOutsideRelative(rel)) return false;
+    const existingPath = nearestExistingPath(resolved);
+    if (!existingPath) return false;
+    let real;
+    try {
+      real = realpathSync(existingPath);
+    } catch {
+      return false;
+    }
+    const realRel = relative(realRoot, real);
+    return !isOutsideRelative(realRel);
   });
 }
+function isOutsideRelative(relPath) {
+  return relPath === ".." || relPath.startsWith(`..${"/"}`) || relPath.startsWith(`..${"\\"}`) || relPath.startsWith("/") || relPath.startsWith("\\");
+}
+function nearestExistingPath(filePath) {
+  let current = resolve(filePath);
+  const root = parse(current).root;
+  while (!existsSync3(current)) {
+    const parent = dirname(current);
+    if (parent === current || current === root) return null;
+    current = parent;
+  }
+  return current;
+}
 var fileMetadata = /* @__PURE__ */ new Map();
 function readFileSafe(filePath, roots) {
   if (!isPathSafe(filePath, roots)) {
@@ -346,6 +368,24 @@ function writeFileSafe(filePath, content, roots) {
     return { ok: false, error: `Failed to write file: ${e.message}` };
   }
 }
+function deleteFileSafe(filePath, roots) {
+  if (!isPathSafe(filePath, roots)) {
+    return { ok: false, error: "Path is outside allowed roots" };
+  }
+  try {
+    if (!existsSync3(filePath)) {
+      return { ok: true };
+    }
+    const stat = lstatSync(filePath);
+    if (!stat.isFile()) {
+      return { ok: false, error: "Can only delete regular files" };
+    }
+    unlinkSync(filePath);
+    return { ok: true };
+  } catch (e) {
+    return { ok: false, error: `Failed to delete file: ${e.message}` };
+  }
+}
 var MAX_LIST_ENTRIES = 2e3;
 function listFiles(rootPath, roots, maxDepth = 4) {
   if (!isPathSafe(rootPath, roots)) {
@@ -2127,7 +2167,7 @@ function attachOpenMagic(httpServer, roots) {
     if (!req.url?.startsWith("/__openmagic__/")) return false;
     const urlPath = req.url.split("?")[0];
     if (urlPath === "/__openmagic__/toolbar.js") {
-      serveToolbarBundle(res);
+      serveToolbarBundle(res, getSessionToken());
       return true;
     }
     if (urlPath === "/__openmagic__/health") {
@@ -2144,7 +2184,7 @@ function attachOpenMagic(httpServer, roots) {
   const clientStates = /* @__PURE__ */ new WeakMap();
   wss.on("connection", (ws, req) => {
     const origin = req.headers.origin || "";
-    if (origin && !origin.startsWith("http://localhost") && !origin.startsWith("http://127.0.0.1")) {
+    if (!isAllowedWsOrigin(origin)) {
       ws.close(4003, "Forbidden origin");
       return;
     }
@@ -2252,6 +2292,24 @@ async function handleMessage(ws, msg, state, roots) {
       }
       break;
     }
+    case "fs.delete": {
+      const payload = msg.payload;
+      if (!payload?.path) {
+        sendError(ws, "invalid_payload", "Missing path", msg.id);
+        break;
+      }
+      const deleteResult = deleteFileSafe(payload.path, roots);
+      if (!deleteResult.ok) {
+        sendError(ws, "fs_error", deleteResult.error || "Delete failed", msg.id);
+      } else {
+        send(ws, {
+          id: msg.id,
+          type: "fs.deleted",
+          payload: { path: payload.path, ok: true }
+        });
+      }
+      break;
+    }
     case "fs.undo": {
       const payload = msg.payload;
       if (!payload?.path) {
@@ -2406,6 +2464,15 @@ async function handleMessage(ws, msg, state, roots) {
       sendError(ws, "unknown_type", `Unknown message type: ${msg.type}`, msg.id);
   }
 }
+function isAllowedWsOrigin(origin) {
+  if (!origin) return true;
+  try {
+    const parsed = new URL(origin);
+    return parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname === "::1" || parsed.hostname === "[::1]";
+  } catch {
+    return false;
+  }
+}
 function send(ws, msg) {
   if (ws.readyState === WebSocket.OPEN) {
     ws.send(JSON.stringify(msg));
@@ -2414,7 +2481,7 @@ function send(ws, msg) {
 function sendError(ws, code, message, id) {
   send(ws, { id: id || "error", type: "error", payload: { code, message } });
 }
-function serveToolbarBundle(res) {
+function serveToolbarBundle(res, token) {
   const bundlePaths = [
     join4(__dirname, "toolbar", "index.global.js"),
     join4(__dirname, "..", "dist", "toolbar", "index.global.js")
@@ -2428,7 +2495,8 @@ function serveToolbarBundle(res) {
           "Access-Control-Allow-Origin": "*",
           "Cache-Control": "no-cache"
         });
-        res.end(content);
+        res.end(`const __OPENMAGIC_TOKEN__=${JSON.stringify(token)};
+${content}`);
         return;
       }
     } catch {
@@ -2439,7 +2507,8 @@ function serveToolbarBundle(res) {
     "Content-Type": "application/javascript",
     "Access-Control-Allow-Origin": "*"
   });
-  res.end(`(function(){var d=document.createElement("div");d.style.cssText="position:fixed;bottom:20px;right:20px;background:#1a1a2e;color:#e94560;padding:16px 24px;border-radius:12px;font-family:system-ui;font-size:14px;z-index:2147483647;box-shadow:0 4px 24px rgba(0,0,0,0.3);";d.textContent="OpenMagic: Toolbar bundle not found.";document.body.appendChild(d);})();`);
+  res.end(`const __OPENMAGIC_TOKEN__=${JSON.stringify(token)};
+(function(){var d=document.createElement("div");d.style.cssText="position:fixed;bottom:20px;right:20px;background:#1a1a2e;color:#e94560;padding:16px 24px;border-radius:12px;font-family:system-ui;font-size:14px;z-index:2147483647;box-shadow:0 4px 24px rgba(0,0,0,0.3);";d.textContent="OpenMagic: Toolbar bundle not found.";document.body.appendChild(d);})();`);
 }
 
 // src/proxy.ts
@@ -2560,7 +2629,8 @@ ${toolbarScript}
   return server;
 }
 function buildInjectionScript(token) {
-  return `<script src="/__openmagic__/toolbar.js?v=${Date.now()}" data-openmagic="true" data-openmagic-token="${token}" defer></script>`;
+  void token;
+  return `<script src="/__openmagic__/toolbar.js?v=${Date.now()}" data-openmagic="true" defer></script>`;
 }
 
 // src/detect.ts
@@ -3479,10 +3549,28 @@ async function offerToStartDevServer(expectedPort) {
         const http = require("http");
         const fs = require("fs");
         const path = require("path");
-        const mimes = {".html":"text/html",".css":"text/css",".js":"application/javascript",".json":"application/json",".png":"image/png",".jpg":"image/jpeg",".svg":"image/svg+xml",".ico":"image/x-icon",".gif":"image/gif",".woff2":"font/woff2",".woff":"font/woff"};
+        const root = path.resolve(${JSON.stringify(process.cwd())});
+        const mimes = {".html":"text/html",".css":"text/css",".js":"application/javascript",".json":"application/json",".png":"image/png",".jpg":"image/jpeg",".jpeg":"image/jpeg",".svg":"image/svg+xml",".ico":"image/x-icon",".gif":"image/gif",".webp":"image/webp",".woff2":"font/woff2",".woff":"font/woff"};
+        function resolveRequestPath(reqUrl) {
+          let pathname;
+          try {
+            const rawPath = (reqUrl || "/").split(/[?#]/, 1)[0];
+            const decodedRawPath = decodeURIComponent(rawPath);
+            if (decodedRawPath.split(/[\\\\/]+/).includes("..")) return null;
+            pathname = new URL(reqUrl || "/", "http://localhost").pathname;
+            pathname = decodeURIComponent(pathname);
+          } catch {
+            return null;
+          }
+          if (pathname === "/") pathname = "/index.html";
+          const candidate = path.resolve(root, "." + pathname);
+          const rel = path.relative(root, candidate);
+          if (rel === ".." || rel.startsWith("../") || rel.startsWith("..\\\\") || path.isAbsolute(rel)) return null;
+          return candidate;
+        }
         http.createServer((req, res) => {
-          let p = path.join(${JSON.stringify(process.cwd())}, req.url === "/" ? "/index.html" : req.url);
-          try { p = decodeURIComponent(p); } catch {}
+          const p = resolveRequestPath(req.url);
+          if (!p) { res.writeHead(403); res.end("Forbidden"); return; }
           fs.readFile(p, (err, data) => {
             if (err) { res.writeHead(404); res.end("Not found"); return; }
             const ext = path.extname(p).toLowerCase();