reposec 0.1.0

package/SECURITY.md

@@ -0,0 +1,29 @@
+# Security Policy
+
+## Supported Versions
+
+RepoSec is pre-1.0 software. Security fixes are provided for the latest release on the `main` branch.
+
+| Version | Supported |
+| --- | --- |
+| `main` | Yes |
+| `< 0.1.0` | No |
+
+## Reporting a Vulnerability
+
+Please report suspected vulnerabilities through GitHub Security Advisories:
+
+https://github.com/zanesense/reposec/security/advisories/new
+
+If GitHub Security Advisories are unavailable, email security@zanesense.dev with a clear description, affected component, reproduction steps, and any relevant proof of concept.
+
+Do not open a public issue for vulnerabilities that could put users or repositories at risk.
+
+## Response Timeline
+
+- Initial acknowledgement: within 2 business days.
+- Triage and severity assessment: within 5 business days.
+- Remediation target for confirmed high or critical issues: within 14 calendar days.
+- Remediation target for confirmed medium or low issues: within 30 calendar days.
+
+We will keep reporters updated if investigation or remediation needs more time.

package/bin/reposec.mjs

@@ -0,0 +1,20 @@
+#!/usr/bin/env node
+import { spawnSync } from "node:child_process";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { createRequire } from "node:module";
+
+const require = createRequire(import.meta.url);
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const tsxCli = require.resolve("tsx/cli");
+const entrypoint = path.join(__dirname, "..", "scripts", "reposec-cli.mts");
+const result = spawnSync(process.execPath, [tsxCli, entrypoint, ...process.argv.slice(2)], {
+  stdio: "inherit",
+});
+
+if (result.error) {
+  console.error(result.error.message);
+  process.exit(1);
+}
+
+process.exit(result.status ?? 1);

package/lib/baseline.ts

@@ -0,0 +1,100 @@
+import type { Finding, RepoFile } from "./types";
+
+interface BaselineJson {
+  ignore?: Array<
+    | string
+    | {
+        id?: string;
+        fingerprint?: string;
+        file?: string;
+        line?: number;
+        title?: string;
+      }
+  >;
+}
+
+function parseIgnoreLines(content: string): string[] {
+  return content
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter((line) => line && !line.startsWith("#"));
+}
+
+function parseBaselineJson(content: string): BaselineJson | null {
+  try {
+    const parsed = JSON.parse(content) as BaselineJson;
+    if (!parsed || !Array.isArray(parsed.ignore)) return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+
+function findingLocation(finding: Finding): string | null {
+  if (!finding.file) return null;
+  return finding.line ? `${finding.file}:${finding.line}` : finding.file;
+}
+
+function matchesStringToken(finding: Finding, token: string): boolean {
+  return (
+    finding.id === token ||
+    finding.fingerprint === token ||
+    finding.file === token ||
+    findingLocation(finding) === token ||
+    finding.title === token
+  );
+}
+
+export function applyRepoBaseline(
+  findings: Finding[],
+  files: RepoFile[],
+): { findings: Finding[]; suppressed: number } {
+  const tokens = new Set<string>();
+  const structured: NonNullable<BaselineJson["ignore"]> = [];
+
+  for (const file of files) {
+    if (file.path === ".reposecignore") {
+      for (const token of parseIgnoreLines(file.content)) tokens.add(token);
+    }
+    if (file.path === "reposec-baseline.json" || file.path === ".reposec-baseline.json") {
+      const parsed = parseBaselineJson(file.content);
+      if (!parsed) continue;
+      for (const item of parsed.ignore ?? []) {
+        if (typeof item === "string") tokens.add(item);
+        else structured.push(item);
+      }
+    }
+  }
+
+  if (tokens.size === 0 && structured.length === 0) {
+    return { findings, suppressed: 0 };
+  }
+
+  const kept: Finding[] = [];
+  let suppressed = 0;
+  for (const finding of findings) {
+    let ignore = false;
+    for (const token of tokens) {
+      if (matchesStringToken(finding, token)) {
+        ignore = true;
+        break;
+      }
+    }
+    if (!ignore) {
+      for (const item of structured) {
+        if (typeof item === "string") continue;
+        if (item.id && item.id !== finding.id) continue;
+        if (item.fingerprint && item.fingerprint !== finding.fingerprint) continue;
+        if (item.file && item.file !== finding.file) continue;
+        if (typeof item.line === "number" && item.line !== finding.line) continue;
+        if (item.title && item.title !== finding.title) continue;
+        ignore = true;
+        break;
+      }
+    }
+    if (ignore) suppressed++;
+    else kept.push(finding);
+  }
+
+  return { findings: kept, suppressed };
+}

package/lib/client-bundle.ts

@@ -0,0 +1,202 @@
+import { promises as dns } from "node:dns";
+import net from "node:net";
+import type { RepoFile } from "./types";
+
+const MAX_HTML_BYTES = 750_000;
+const MAX_ASSET_BYTES = 1_500_000;
+const MAX_SCRIPT_ASSETS = 30;
+const MAX_SOURCE_MAPS = 10;
+const FETCH_TIMEOUT_MS = 8_000;
+
+function isPrivateIpv4(address: string): boolean {
+  const parts = address.split(".").map((part) => Number(part));
+  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n))) return true;
+  const [a, b] = parts;
+  return (
+    a === 10 ||
+    a === 127 ||
+    a === 0 ||
+    (a === 169 && b === 254) ||
+    (a === 172 && b >= 16 && b <= 31) ||
+    (a === 192 && b === 168)
+  );
+}
+
+function isPrivateIpv6(address: string): boolean {
+  const lower = address.toLowerCase();
+  return (
+    lower === "::1" ||
+    lower.startsWith("fc") ||
+    lower.startsWith("fd") ||
+    lower.startsWith("fe80:")
+  );
+}
+
+function isBlockedHostname(hostname: string): boolean {
+  const lower = hostname.toLowerCase();
+  return (
+    lower === "localhost" ||
+    lower.endsWith(".localhost") ||
+    lower.endsWith(".local") ||
+    lower.endsWith(".internal")
+  );
+}
+
+async function assertPublicHttpsUrl(raw: string): Promise<URL | null> {
+  if (!raw.trim()) return null;
+  const trimmed = raw.trim();
+  const normalized = /^[a-z][a-z0-9+.-]*:/i.test(trimmed)
+    ? trimmed
+    : `https://${trimmed}`;
+  let url: URL;
+  try {
+    url = new URL(normalized);
+  } catch {
+    return null;
+  }
+  const allowInsecureTestScan =
+    process.env.REPOSEC_TEST_ALLOW_INSECURE_BUNDLE_SCAN === "1";
+  if (url.protocol !== "https:" && !(allowInsecureTestScan && url.protocol === "http:")) {
+    return null;
+  }
+  if (url.username || url.password) return null;
+  if (!allowInsecureTestScan && isBlockedHostname(url.hostname)) return null;
+
+  const ipVersion = net.isIP(url.hostname);
+  if (!allowInsecureTestScan && ipVersion === 4 && isPrivateIpv4(url.hostname)) return null;
+  if (!allowInsecureTestScan && ipVersion === 6 && isPrivateIpv6(url.hostname)) return null;
+
+  if (!allowInsecureTestScan && ipVersion === 0) {
+    try {
+      const addresses = await dns.lookup(url.hostname, { all: true });
+      if (addresses.length === 0) return null;
+      for (const addr of addresses) {
+        if (addr.family === 4 && isPrivateIpv4(addr.address)) return null;
+        if (addr.family === 6 && isPrivateIpv6(addr.address)) return null;
+      }
+    } catch {
+      return null;
+    }
+  }
+  return url;
+}
+
+function fetchWithTimeout(url: URL): Promise<Response> {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+  return fetch(url, {
+    cache: "no-store",
+    headers: { "User-Agent": "RepoSec-Client-Bundle-Scanner" },
+    redirect: "follow",
+    signal: controller.signal,
+  }).finally(() => clearTimeout(timeout));
+}
+
+async function fetchText(url: URL, maxBytes: number): Promise<string | null> {
+  try {
+    const res = await fetchWithTimeout(url);
+    if (!res.ok) return null;
+    const contentLength = Number(res.headers.get("content-length") ?? "0");
+    if (contentLength > maxBytes) return null;
+    const text = await res.text();
+    if (text.length > maxBytes) return text.slice(0, maxBytes);
+    return text;
+  } catch {
+    return null;
+  }
+}
+
+function uniqueUrls(urls: URL[]): URL[] {
+  const seen = new Set<string>();
+  const out: URL[] = [];
+  for (const url of urls) {
+    const key = url.href;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(url);
+  }
+  return out;
+}
+
+function discoverScriptUrls(html: string, pageUrl: URL): URL[] {
+  const urls: URL[] = [];
+  const attrPattern =
+    /<(?:script|link)\b[^>]+(?:src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi;
+  let match: RegExpExecArray | null;
+  while ((match = attrPattern.exec(html)) !== null) {
+    const raw = match[1];
+    if (!raw || raw.startsWith("data:") || raw.startsWith("blob:")) continue;
+    let url: URL;
+    try {
+      url = new URL(raw, pageUrl);
+    } catch {
+      continue;
+    }
+    const lower = url.pathname.toLowerCase();
+    const tag = match[0].toLowerCase();
+    const isScript =
+      tag.startsWith("<script") ||
+      tag.includes('rel="modulepreload"') ||
+      tag.includes("rel='modulepreload'") ||
+      tag.includes('rel="preload"') ||
+      tag.includes("rel='preload'");
+    if (!isScript) continue;
+    if (!lower.endsWith(".js") && !lower.endsWith(".mjs")) continue;
+    urls.push(url);
+  }
+  return uniqueUrls(urls).slice(0, MAX_SCRIPT_ASSETS);
+}
+
+function discoverSourceMapUrl(js: string, assetUrl: URL): URL | null {
+  const match = js.match(/\/\/# sourceMappingURL=([^\s]+)/);
+  if (!match?.[1]) return null;
+  if (match[1].startsWith("data:")) return null;
+  try {
+    return new URL(match[1], assetUrl);
+  } catch {
+    return null;
+  }
+}
+
+function syntheticPath(url: URL): string {
+  const pieces = url.pathname.split("/").filter(Boolean);
+  const last = pieces.at(-1) || "asset.js";
+  const dir = pieces.slice(-4, -1).join("/");
+  const path = dir ? `${dir}/${last}` : last;
+  return `client-bundle/${url.hostname}/${path}`;
+}
+
+export async function fetchClientBundleFiles(
+  rawSiteUrl: string | null | undefined,
+): Promise<RepoFile[]> {
+  if (!rawSiteUrl) return [];
+  const pageUrl = await assertPublicHttpsUrl(rawSiteUrl);
+  if (!pageUrl) return [];
+
+  const html = await fetchText(pageUrl, MAX_HTML_BYTES);
+  if (!html) return [];
+
+  const scripts = discoverScriptUrls(html, pageUrl);
+  const files: RepoFile[] = [];
+  const sourceMapUrls: URL[] = [];
+
+  for (const scriptUrl of scripts) {
+    const safeUrl = await assertPublicHttpsUrl(scriptUrl.href);
+    if (!safeUrl) continue;
+    const content = await fetchText(safeUrl, MAX_ASSET_BYTES);
+    if (!content) continue;
+    files.push({ path: syntheticPath(safeUrl), content });
+    const mapUrl = discoverSourceMapUrl(content, safeUrl);
+    if (mapUrl) sourceMapUrls.push(mapUrl);
+  }
+
+  for (const mapUrl of uniqueUrls(sourceMapUrls).slice(0, MAX_SOURCE_MAPS)) {
+    const safeUrl = await assertPublicHttpsUrl(mapUrl.href);
+    if (!safeUrl) continue;
+    const content = await fetchText(safeUrl, MAX_ASSET_BYTES);
+    if (!content) continue;
+    files.push({ path: syntheticPath(safeUrl), content });
+  }
+
+  return files;
+}