npm - slicejs-web-framework - Versions diffs - 2.4.8 → 3.1.0 - Mend

slicejs-web-framework 2.4.8 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (229) hide show

package/.worktrees/public-env-browser-exposure/api/middleware/securityMiddleware.js ADDED Viewed

@@ -0,0 +1,253 @@
+// api/middleware/securityMiddleware.js
+import path from 'path';
+/**
+ * Middleware de seguridad para prevenir acceso directo malicioso
+ * pero permitir que la aplicación cargue sus dependencias normalmente
+ */
+export function securityMiddleware(options = {}) {
+  const {
+    allowedExtensions = ['.js', '.css', '.html', '.json', '.svg', '.png', '.jpg', '.jpeg', '.gif', '.woff', '.woff2', '.ttf'],
+    blockedPaths = [
+      '/node_modules',
+      '/package.json',
+      '/package-lock.json',
+      '/.env',
+      '/.git'
+    ],
+    allowPublicAssets = true
+  } = options;
+  return (req, res, next) => {
+    const requestPath = req.path;
+    // 1. Bloquear acceso a rutas definitivamente sensibles (configuración, dependencias)
+    const isBlockedPath = blockedPaths.some(blocked =>
+      requestPath.startsWith(blocked) || requestPath.includes(blocked)
+    );
+    if (isBlockedPath) {
+      console.warn(`🚫 Blocked access to sensitive path: ${requestPath}`);
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'Access to this resource is not allowed',
+        path: requestPath
+      });
+    }
+    // 2. Permitir acceso a assets públicos
+    if (allowPublicAssets) {
+      const publicPaths = ['/assets', '/public', '/images', '/styles'];
+      const isPublicAsset = publicPaths.some(publicPath =>
+        requestPath.startsWith(publicPath)
+      );
+      if (isPublicAsset) {
+        return next();
+      }
+    }
+    // 3. Validar extensiones de archivo
+    const fileExtension = path.extname(requestPath).toLowerCase();
+    if (fileExtension && !allowedExtensions.includes(fileExtension)) {
+      console.warn(`🚫 Blocked file type: ${requestPath}`);
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'File type not allowed',
+        extension: fileExtension
+      });
+    }
+    // 4. Prevenir path traversal attacks
+    const normalizedPath = path.normalize(requestPath);
+    if (normalizedPath.includes('..') || normalizedPath.includes('~')) {
+      console.warn(`🚫 Path traversal attempt: ${requestPath}`);
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'Invalid path',
+        path: requestPath
+      });
+    }
+    // Todo está bien, continuar
+    next();
+  };
+}
+/**
+ * Middleware específico para proteger archivos del framework Slice.js
+ * PERMITE acceso cuando viene desde la propia aplicación (Referer válido)
+ * BLOQUEA acceso directo desde navegador o herramientas externas
+ */
+export function sliceFrameworkProtection(options = {}) {
+  const {
+    port = 3000,
+    strictMode = false,
+    allowedDomains = [] // Dominios personalizados permitidos
+  } = options;
+  return (req, res, next) => {
+    const requestPath = req.path;
+    // Rutas del framework que requieren verificación
+    const frameworkPaths = [
+      '/Slice/Components/Structural',
+      '/Slice/Core',
+      '/Slice/Services'
+    ];
+    const isFrameworkFile = frameworkPaths.some(fwPath =>
+      requestPath.startsWith(fwPath)
+    );
+    if (!isFrameworkFile) {
+      return next();
+    }
+    // Verificar el origen de la petición
+    const referer = req.get('Referer') || req.get('Referrer');
+    const origin = req.get('Origin');
+    const host = req.get('Host');
+    // Construir lista de orígenes válidos dinámicamente
+    const validOrigins = [
+      `http://localhost:${port}`,
+      `http://127.0.0.1:${port}`,
+      `http://0.0.0.0:${port}`,
+      `https://localhost:${port}`,
+      ...allowedDomains // Dominios personalizados del usuario
+    ];
+    // Si hay un Host header, agregarlo automáticamente
+    if (host) {
+      validOrigins.push(`http://${host}`);
+      validOrigins.push(`https://${host}`);
+    }
+    // Verificar si la petición viene de un origen válido
+    const hasValidReferer = referer && validOrigins.some(valid => referer.startsWith(valid));
+    const hasValidOrigin = origin && validOrigins.some(valid => origin === valid);
+    const isSameHost = host && referer && referer.includes(host);
+    // Permitir si viene desde la aplicación
+    if (hasValidReferer || hasValidOrigin || isSameHost) {
+      return next();
+    }
+    // En modo estricto, bloquear todo acceso sin referer válido
+    if (strictMode) {
+      console.warn(`🚫 Blocked direct framework file access: ${requestPath}`);
+      return res.status(403).json({
+        error: 'Framework Protection',
+        message: 'Direct access to Slice.js framework files is blocked',
+        tip: 'Framework files must be loaded through the application',
+        path: requestPath
+      });
+    }
+    // En modo normal (desarrollo), permitir pero advertir
+    console.warn(`⚠️  Framework file accessed without valid referer: ${requestPath}`);
+    next();
+  };
+}
+/**
+ * Middleware para logging de peticiones sospechosas
+ */
+export function suspiciousRequestLogger() {
+  const suspiciousPatterns = [
+    /\.\.\//, // Path traversal
+    /~/, // Home directory access
+    /\.env/, // Environment files
+    /\.git/, // Git files
+    /package\.json/, // Package files
+    /package-lock\.json/,
+    /node_modules/, // Dependencies
+  ];
+  return (req, res, next) => {
+    const requestPath = req.path;
+    const isSuspicious = suspiciousPatterns.some(pattern =>
+      pattern.test(requestPath)
+    );
+    if (isSuspicious) {
+      const clientIp = req.ip || req.connection.remoteAddress;
+      console.warn(`⚠️  Suspicious request: ${requestPath} from ${clientIp}`);
+    }
+    next();
+  };
+}
+/**
+ * Middleware para bloquear acceso directo vía navegador (typing en la URL)
+ * pero permitir peticiones desde scripts (fetch, import, etc.)
+ */
+export function directAccessProtection(options = {}) {
+  const { protectedPaths = [] } = options;
+  return (req, res, next) => {
+    const requestPath = req.path;
+    const isProtectedPath = protectedPaths.some(protectedPath =>
+      requestPath.startsWith(protectedPath)
+    );
+    if (!isProtectedPath) {
+      return next();
+    }
+    // Detectar acceso directo:
+    // - No tiene Referer (usuario escribió la URL directamente)
+    // - Accept header indica navegación HTML
+    const referer = req.get('Referer');
+    const accept = req.get('Accept') || '';
+    const isDirectBrowserAccess = !referer && accept.includes('text/html');
+    if (isDirectBrowserAccess) {
+      console.warn(`🚫 Blocked direct browser access: ${requestPath}`);
+      return res.status(403).send(`
+        <!DOCTYPE html>
+        <html>
+        <head>
+          <title>Access Denied</title>
+          <style>
+            body {
+              font-family: system-ui;
+              max-width: 600px;
+              margin: 100px auto;
+              padding: 20px;
+            }
+            h1 { color: #d32f2f; }
+            code {
+              background: #f5f5f5;
+              padding: 2px 6px;
+              border-radius: 3px;
+            }
+          </style>
+        </head>
+        <body>
+          <h1>🚫 Direct Access Denied</h1>
+          <p>This file cannot be accessed directly.</p>
+          <p>Path: <code>${requestPath}</code></p>
+          <p>Framework files are automatically loaded by the application.</p>
+          <p><a href="/">← Return to application</a></p>
+        </body>
+        </html>
+      `);
+    }
+    next();
+  };
+}
+export default {
+  securityMiddleware,
+  sliceFrameworkProtection,
+  suspiciousRequestLogger,
+  directAccessProtection
+};

package/.worktrees/public-env-browser-exposure/api/tests/public-env-resolver.test.js ADDED Viewed

@@ -0,0 +1,193 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import { mkdtemp, rm, writeFile } from 'node:fs/promises';
+import path from 'node:path';
+import { tmpdir } from 'node:os';
+const resolverModulePath = new URL('../utils/publicEnvResolver.js', import.meta.url);
+async function withTempEnvFile(contents, callback) {
+   const dir = await mkdtemp(path.join(tmpdir(), 'slice-public-env-'));
+   const envFilePath = path.join(dir, '.env');
+   try {
+      await writeFile(envFilePath, contents, 'utf8');
+      await callback(envFilePath);
+   } finally {
+      await rm(dir, { recursive: true, force: true });
+   }
+}
+test('resolvePublicEnv filters only SLICE_PUBLIC_ keys', async () => {
+   const { resolvePublicEnv } = await import(resolverModulePath.href);
+   await withTempEnvFile(
+      ['SLICE_PUBLIC_FROM_FILE=file-visible', 'PRIVATE_KEY=hidden-file-value', 'SLICE_API_URL=hidden-file-api-url'].join('\n'),
+      async (envFilePath) => {
+         const payload = resolvePublicEnv({
+            mode: 'development',
+            envFilePath,
+            processEnv: {
+               SLICE_PUBLIC_FROM_PROCESS: 'process-visible',
+               SECRET_TOKEN: 'hidden-process-token',
+               NODE_ENV: 'development',
+            },
+         });
+         assert.equal(payload.mode, 'development');
+         assert.deepEqual(payload.env, {
+            SLICE_PUBLIC_FROM_FILE: 'file-visible',
+            SLICE_PUBLIC_FROM_PROCESS: 'process-visible',
+         });
+      }
+   );
+});
+test('resolvePublicEnv uses process.env values over .env values', async () => {
+   const { resolvePublicEnv } = await import(resolverModulePath.href);
+   await withTempEnvFile('SLICE_PUBLIC_API_URL=https://from-file.example', async (envFilePath) => {
+      const payload = resolvePublicEnv({
+         mode: 'development',
+         envFilePath,
+         processEnv: {
+            SLICE_PUBLIC_API_URL: 'https://from-process.example',
+         },
+      });
+      assert.equal(payload.mode, 'development');
+      assert.equal(payload.env.SLICE_PUBLIC_API_URL, 'https://from-process.example');
+   });
+});
+test('resolvePublicEnv warns about suspicious public key names without exposing values', async () => {
+   const { resolvePublicEnv } = await import(resolverModulePath.href);
+   const warnings = [];
+   const logger = {
+      warn: (...args) => warnings.push(args.map(String).join(' ')),
+   };
+   await withTempEnvFile('SLICE_PUBLIC_API_KEY=super-secret-value', async (envFilePath) => {
+      const payload = resolvePublicEnv({
+         mode: 'development',
+         envFilePath,
+         processEnv: {},
+         logger,
+      });
+      assert.equal(payload.mode, 'development');
+      assert.equal(payload.env.SLICE_PUBLIC_API_KEY, 'super-secret-value');
+      assert.equal(warnings.length, 1);
+      assert.match(warnings[0], /SLICE_PUBLIC_API_KEY/);
+      assert.doesNotMatch(warnings[0], /super-secret-value/);
+   });
+});
+test('resolvePublicEnv warns once when suspicious key appears in .env and processEnv', async () => {
+   const { resolvePublicEnv } = await import(resolverModulePath.href);
+   const warnings = [];
+   const logger = {
+      warn: (...args) => warnings.push(args.map(String).join(' ')),
+   };
+   await withTempEnvFile('SLICE_PUBLIC_API_KEY=from-file-secret', async (envFilePath) => {
+      const payload = resolvePublicEnv({
+         mode: 'development',
+         envFilePath,
+         processEnv: {
+            SLICE_PUBLIC_API_KEY: 'from-process-secret',
+         },
+         logger,
+      });
+      assert.equal(payload.env.SLICE_PUBLIC_API_KEY, 'from-process-secret');
+      assert.equal(warnings.length, 1);
+      assert.match(warnings[0], /SLICE_PUBLIC_API_KEY/);
+      assert.doesNotMatch(warnings[0], /from-file-secret|from-process-secret/);
+   });
+});
+test('resolvePublicEnv parses first key when .env starts with BOM', async () => {
+   const { resolvePublicEnv } = await import(resolverModulePath.href);
+   await withTempEnvFile('\uFEFFSLICE_PUBLIC_TITLE=Slice App', async (envFilePath) => {
+      const payload = resolvePublicEnv({
+         mode: 'development',
+         envFilePath,
+         processEnv: {},
+      });
+      assert.equal(payload.env.SLICE_PUBLIC_TITLE, 'Slice App');
+   });
+});
+test('resolvePublicEnv strips inline comments for unquoted values', async () => {
+   const { resolvePublicEnv } = await import(resolverModulePath.href);
+   await withTempEnvFile('SLICE_PUBLIC_ORIGIN=https://slice.dev # dev origin', async (envFilePath) => {
+      const payload = resolvePublicEnv({
+         mode: 'development',
+         envFilePath,
+         processEnv: {},
+      });
+      assert.equal(payload.env.SLICE_PUBLIC_ORIGIN, 'https://slice.dev');
+   });
+});
+test('resolvePublicEnv strips trailing comments after quoted values', async () => {
+   const { resolvePublicEnv } = await import(resolverModulePath.href);
+   await withTempEnvFile('SLICE_PUBLIC_X="value" # comment', async (envFilePath) => {
+      const payload = resolvePublicEnv({
+         mode: 'development',
+         envFilePath,
+         processEnv: {},
+      });
+      assert.equal(payload.env.SLICE_PUBLIC_X, 'value');
+   });
+});
+test('createPublicEnvProvider caches in production and recomputes in development', async () => {
+   const { createPublicEnvProvider } = await import(resolverModulePath.href);
+   await withTempEnvFile('SLICE_PUBLIC_COUNTER=from-file', async (envFilePath) => {
+      let processValue = 'first-value';
+      const processEnv = {
+         get SLICE_PUBLIC_COUNTER() {
+            return processValue;
+         },
+      };
+      const productionProvider = createPublicEnvProvider({
+         mode: 'production',
+         envFilePath,
+         processEnv,
+      });
+      assert.equal(typeof productionProvider.getPayload, 'function');
+      const firstProduction = productionProvider.getPayload();
+      processValue = 'second-value';
+      const secondProduction = productionProvider.getPayload();
+      assert.equal(firstProduction.mode, 'production');
+      assert.equal(firstProduction.env.SLICE_PUBLIC_COUNTER, 'first-value');
+      assert.equal(secondProduction.env.SLICE_PUBLIC_COUNTER, 'first-value');
+      const developmentProvider = createPublicEnvProvider({
+         mode: 'development',
+         envFilePath,
+         processEnv,
+      });
+      assert.equal(typeof developmentProvider.getPayload, 'function');
+      const firstDevelopment = developmentProvider.getPayload();
+      processValue = 'third-value';
+      const secondDevelopment = developmentProvider.getPayload();
+      assert.equal(firstDevelopment.mode, 'development');
+      assert.equal(firstDevelopment.env.SLICE_PUBLIC_COUNTER, 'second-value');
+      assert.equal(secondDevelopment.env.SLICE_PUBLIC_COUNTER, 'third-value');
+   });
+});

package/.worktrees/public-env-browser-exposure/api/utils/publicEnvResolver.js ADDED Viewed

@@ -0,0 +1,117 @@
+import { readFileSync, existsSync } from 'node:fs';
+const PUBLIC_PREFIX = 'SLICE_PUBLIC_';
+const SUSPICIOUS_TERMS = ['SECRET', 'TOKEN', 'PASSWORD', 'PRIVATE', 'API_KEY', 'ACCESS_KEY', 'CREDENTIAL'];
+function parseEnvFile(envFilePath) {
+   if (!envFilePath || !existsSync(envFilePath)) {
+      return {};
+   }
+   const fileContent = readFileSync(envFilePath, 'utf8').replace(/^\uFEFF/, '');
+   const parsed = {};
+   const lines = fileContent.split(/\r?\n/);
+   for (const rawLine of lines) {
+      const line = rawLine.trim();
+      if (!line || line.startsWith('#')) {
+         continue;
+      }
+      const equalsIndex = line.indexOf('=');
+      if (equalsIndex === -1) {
+         continue;
+      }
+      let key = line.slice(0, equalsIndex).trim();
+      if (!key) {
+         continue;
+      }
+      if (key.startsWith('export ')) {
+         key = key.slice('export '.length).trim();
+      }
+      let value = line.slice(equalsIndex + 1).trim();
+      const quotedWithOptionalCommentMatch = value.match(/^(["'])(.*?)\1(?:\s+#.*)?$/);
+      if (quotedWithOptionalCommentMatch) {
+         value = quotedWithOptionalCommentMatch[2];
+      } else {
+         value = value.replace(/\s+#.*$/, '').trimEnd();
+      }
+      parsed[key] = value;
+   }
+   return parsed;
+}
+function warnSuspiciousKey(key, logger, warnedKeys) {
+   const upperKey = key.toUpperCase();
+   const isSuspicious = SUSPICIOUS_TERMS.some((term) => upperKey.includes(term));
+   if (isSuspicious && !warnedKeys.has(key) && logger && typeof logger.warn === 'function') {
+      logger.warn(`[slice-env] Suspicious public environment key detected: ${key}`);
+      warnedKeys.add(key);
+   }
+}
+function buildPublicPayload({ envFromFile, processEnv, logger }) {
+   const env = {};
+   const warnedKeys = new Set();
+   for (const [key, value] of Object.entries(envFromFile)) {
+      if (key.startsWith(PUBLIC_PREFIX)) {
+         env[key] = String(value ?? '');
+         warnSuspiciousKey(key, logger, warnedKeys);
+      }
+   }
+   for (const [key, value] of Object.entries(processEnv || {})) {
+      if (key.startsWith(PUBLIC_PREFIX)) {
+         env[key] = String(value ?? '');
+         warnSuspiciousKey(key, logger, warnedKeys);
+      }
+   }
+   return env;
+}
+export function resolvePublicEnv({ mode, envFilePath, processEnv = process.env, logger = console }) {
+   const envFromFile = parseEnvFile(envFilePath);
+   const env = buildPublicPayload({
+      envFromFile,
+      processEnv,
+      logger,
+   });
+   return {
+      mode,
+      env,
+   };
+}
+export function createPublicEnvProvider({ mode, envFilePath, processEnv = process.env, logger = console }) {
+   if (mode === 'production') {
+      let cachedPayload;
+      return {
+         getPayload() {
+            if (!cachedPayload) {
+               cachedPayload = resolvePublicEnv({ mode, envFilePath, processEnv, logger });
+            }
+            return cachedPayload;
+         },
+      };
+   }
+   return {
+      getPayload() {
+         return resolvePublicEnv({ mode, envFilePath, processEnv, logger });
+      },
+   };
+}

package/.worktrees/public-env-browser-exposure/package.json ADDED Viewed

@@ -0,0 +1,37 @@
+{
+  "name": "slicejs-web-framework",
+  "version": "3.0.0",
+  "description": "",
+  "engines": {
+    "node": ">=20"
+  },
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "slice:init": "node node_modules/slicejs-cli/client.js init",
+    "slice:create": "node node_modules/slicejs-cli/client.js component create",
+    "slice:delete": "node node_modules/slicejs-cli/client.js component delete",
+    "slice:list": "node node_modules/slicejs-cli/client.js component list",
+    "slice:start": "node api/index.js",
+    "format": "prettier --write \"**/*.js\"",
+    "run": "node api/index.js",
+    "development": "npm run",
+    "slice:modify": "node node_modules/slicejs-cli/client.js modify"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "type": "module",
+  "dependencies": {
+    "express": "^4.19.2"
+  },
+  "devDependencies": {
+    "prettier": "3.3.3"
+  },
+  "prettier": {
+    "trailingComma": "es5",
+    "tabWidth": 3,
+    "semi": true,
+    "singleQuote": true,
+    "printWidth": 120
+  }
+}