takos-actions-engine 1.0.0

package/src/parser/evaluator-builtins.ts

@@ -0,0 +1,315 @@
+/**
+ * Built-in function implementations for the expression evaluator
+ */
+import { createHash } from 'node:crypto';
+import { lstatSync, readdirSync, readFileSync } from 'node:fs';
+import { isAbsolute, relative, resolve } from 'node:path';
+
+import { MAX_FROM_JSON_SIZE } from '../constants.js';
+import type { ExecutionContext } from '../workflow-models.js';
+
+const GLOB_PATTERN_CHARS = /[*?[\]]/;
+const REGEXP_META_CHARS = /[|\\{}()[\]^$+?.]/g;
+
+function normalizePathLike(value: string): string {
+  return value.replace(/\\/g, '/').replace(/^\.\//, '').replace(/^\/+/, '');
+}
+
+function containsGlobPattern(pattern: string): boolean {
+  return GLOB_PATTERN_CHARS.test(pattern);
+}
+
+function globToRegExp(pattern: string): RegExp {
+  const normalized = normalizePathLike(pattern);
+  let regex = '^';
+
+  for (let i = 0; i < normalized.length; i++) {
+    const char = normalized[i];
+
+    if (char === '*') {
+      if (normalized[i + 1] === '*') {
+        regex += '.*';
+        i++;
+      } else {
+        regex += '[^/]*';
+      }
+      continue;
+    }
+
+    if (char === '?') {
+      regex += '[^/]';
+      continue;
+    }
+
+    regex += char.replace(REGEXP_META_CHARS, '\\$&');
+  }
+
+  regex += '$';
+  return new RegExp(regex);
+}
+
+function isInsideWorkspace(workspace: string, targetPath: string): boolean {
+  const relativePath = relative(workspace, targetPath);
+  return (
+    relativePath === '' ||
+    (!relativePath.startsWith('..') && !isAbsolute(relativePath))
+  );
+}
+
+function collectWorkspaceFiles(workspace: string): string[] {
+  const files: string[] = [];
+  const queue = [workspace];
+
+  while (queue.length > 0) {
+    const currentDir = queue.pop();
+    if (!currentDir) {
+      continue;
+    }
+
+    let entries;
+    try {
+      entries = readdirSync(currentDir, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+
+    for (const entry of entries) {
+      const absolutePath = resolve(currentDir, entry.name);
+      if (entry.isDirectory()) {
+        queue.push(absolutePath);
+        continue;
+      }
+      if (!entry.isFile()) {
+        continue;
+      }
+
+      const relativePath = normalizePathLike(relative(workspace, absolutePath));
+      if (relativePath.length > 0) {
+        files.push(relativePath);
+      }
+    }
+  }
+
+  files.sort();
+  return files;
+}
+
+function resolveWorkspaceFile(
+  workspace: string,
+  fileOrRelativePath: string
+): string | null {
+  const absolutePath = isAbsolute(fileOrRelativePath)
+    ? resolve(fileOrRelativePath)
+    : resolve(workspace, fileOrRelativePath);
+
+  if (!isInsideWorkspace(workspace, absolutePath)) {
+    return null;
+  }
+
+  try {
+    if (!lstatSync(absolutePath).isFile()) {
+      return null;
+    }
+  } catch {
+    return null;
+  }
+
+  return normalizePathLike(relative(workspace, absolutePath));
+}
+
+function hashFileSha256(filePath: string): string | null {
+  try {
+    const content = readFileSync(filePath);
+    return createHash('sha256').update(content).digest('hex');
+  } catch {
+    return null;
+  }
+}
+
+export function fnContains(args: unknown[]): boolean {
+  const [search, item] = args;
+  if (typeof search === 'string') {
+    return search.toLowerCase().includes(String(item).toLowerCase());
+  }
+  if (Array.isArray(search)) {
+    return search.includes(item);
+  }
+  return false;
+}
+
+export function fnStartsWith(args: unknown[]): boolean {
+  const [str, searchStr] = args;
+  return String(str).toLowerCase().startsWith(String(searchStr).toLowerCase());
+}
+
+export function fnEndsWith(args: unknown[]): boolean {
+  const [str, searchStr] = args;
+  return String(str).toLowerCase().endsWith(String(searchStr).toLowerCase());
+}
+
+export function fnFormat(args: unknown[]): string {
+  const [template, ...values] = args;
+  if (template === null || template === undefined) {
+    return '';
+  }
+  let result = String(template);
+  for (let i = 0; i < values.length; i++) {
+    result = result.split(`{${i}}`).join(String(values[i]));
+  }
+  return result;
+}
+
+export function fnJoin(args: unknown[]): string {
+  const [arr, separator = ','] = args;
+  if (Array.isArray(arr)) {
+    return arr.join(String(separator));
+  }
+  return String(arr);
+}
+
+export function fnToJSON(args: unknown[]): string {
+  return JSON.stringify(args[0]);
+}
+
+export function fnFromJSON(args: unknown[]): unknown {
+  const str = String(args[0]);
+  // Limit input size to prevent OOM from attacker-controlled JSON strings
+  if (str.length > MAX_FROM_JSON_SIZE) {
+    return null;
+  }
+  try {
+    return JSON.parse(str);
+  } catch {
+    return null;
+  }
+}
+
+export function fnHashFiles(args: unknown[], context: ExecutionContext): string {
+  const includePatterns: string[] = [];
+  const excludePatterns: string[] = [];
+
+  for (const arg of args) {
+    if (typeof arg !== 'string') {
+      continue;
+    }
+
+    const pattern = arg.trim();
+    if (pattern.length === 0) {
+      continue;
+    }
+
+    if (pattern.startsWith('!') && pattern.length > 1) {
+      excludePatterns.push(pattern.slice(1));
+    } else {
+      includePatterns.push(pattern);
+    }
+  }
+
+  if (includePatterns.length === 0) {
+    return '';
+  }
+
+  return evaluateHashFiles(includePatterns, excludePatterns, context);
+}
+
+function evaluateHashFiles(
+  includePatterns: string[],
+  excludePatterns: string[],
+  context: ExecutionContext
+): string {
+  const workspace = resolve(context.github.workspace || process.cwd());
+  const files = collectMatchedHashFiles(
+    workspace,
+    includePatterns,
+    excludePatterns
+  );
+  if (files.length === 0) {
+    return '';
+  }
+
+  const fileHashes = hashFiles(workspace, files);
+  if (fileHashes.length === 0) {
+    return '';
+  }
+  if (fileHashes.length === 1) {
+    return fileHashes[0];
+  }
+
+  const aggregate = createHash('sha256');
+  for (const fileHash of fileHashes) {
+    aggregate.update(fileHash);
+  }
+  return aggregate.digest('hex');
+}
+
+function collectMatchedHashFiles(
+  workspace: string,
+  includePatterns: string[],
+  excludePatterns: string[]
+): string[] {
+  const matchedFiles = new Set<string>();
+  let workspaceFiles: string[] | undefined;
+
+  const applyPattern = (pattern: string, include: boolean): void => {
+    if (containsGlobPattern(pattern)) {
+      workspaceFiles ??= collectWorkspaceFiles(workspace);
+      const regexp = globToRegExp(pattern);
+      for (const file of workspaceFiles) {
+        if (regexp.test(file)) {
+          if (include) {
+            matchedFiles.add(file);
+          } else {
+            matchedFiles.delete(file);
+          }
+        }
+      }
+      return;
+    }
+
+    const file = resolveWorkspaceFile(workspace, pattern);
+    if (!file) {
+      return;
+    }
+    if (include) {
+      matchedFiles.add(file);
+    } else {
+      matchedFiles.delete(file);
+    }
+  };
+
+  for (const pattern of includePatterns) {
+    applyPattern(pattern, true);
+  }
+  for (const pattern of excludePatterns) {
+    applyPattern(pattern, false);
+  }
+
+  return [...matchedFiles].sort();
+}
+
+function hashFiles(workspace: string, files: string[]): string[] {
+  const fileHashes: string[] = [];
+  for (const file of files) {
+    const fileHash = hashFileSha256(resolve(workspace, file));
+    if (fileHash) {
+      fileHashes.push(fileHash);
+    }
+  }
+  return fileHashes;
+}
+
+export function fnSuccess(context: ExecutionContext): boolean {
+  return context.job.status === 'success';
+}
+
+export function fnAlways(): boolean {
+  return true;
+}
+
+export function fnCancelled(context: ExecutionContext): boolean {
+  return context.job.status === 'cancelled';
+}
+
+export function fnFailure(context: ExecutionContext): boolean {
+  return context.job.status === 'failure';
+}

package/src/parser/evaluator.ts

@@ -0,0 +1,333 @@
+/**
+ * Expression evaluator
+ * Handles parsing and evaluation of tokenized GitHub Actions expressions
+ */
+import {
+  MAX_EVALUATE_CALLS,
+  MAX_PARSE_ACCESS_DEPTH,
+} from '../constants.js';
+import type { ExecutionContext } from '../workflow-models.js';
+import { ExpressionError } from './tokenizer.js';
+import type { Token, TokenType } from './tokenizer.js';
+import {
+  fnContains,
+  fnStartsWith,
+  fnEndsWith,
+  fnFormat,
+  fnJoin,
+  fnToJSON,
+  fnFromJSON,
+  fnHashFiles,
+  fnSuccess,
+  fnAlways,
+  fnCancelled,
+  fnFailure,
+} from './evaluator-builtins.js';
+
+const BLOCKED_PROPERTY_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+const COMPARISON_OPERATORS = new Set(['==', '!=', '<', '>', '<=', '>=']);
+
+/**
+ * Simple expression parser and evaluator
+ */
+export class ExpressionEvaluator {
+  private readonly tokens: Token[];
+  private pos: number;
+  private readonly context: ExecutionContext;
+  private readonly expression: string;
+  private evaluateCallCount: number;
+  private readonly contextMap: Readonly<Record<string, unknown>>;
+
+  constructor(tokens: Token[], context: ExecutionContext, expression: string) {
+    this.tokens = tokens;
+    this.pos = 0;
+    this.context = context;
+    this.expression = expression;
+    this.evaluateCallCount = 0;
+    this.contextMap = {
+      github: context.github,
+      env: context.env,
+      vars: context.vars,
+      secrets: context.secrets,
+      runner: context.runner,
+      job: context.job,
+      steps: context.steps,
+      needs: context.needs,
+      strategy: context.strategy,
+      matrix: context.matrix,
+      inputs: context.inputs,
+    };
+  }
+
+  private current(): Token {
+    return this.tokens[this.pos];
+  }
+
+  private advance(): Token {
+    const token = this.current();
+    this.pos++;
+    return token;
+  }
+
+  private match(type: TokenType): boolean {
+    if (this.current().type === type) {
+      this.advance();
+      return true;
+    }
+    return false;
+  }
+
+  private expect(type: TokenType): Token {
+    const token = this.current();
+    if (token.type !== type) {
+      throw new ExpressionError(
+        `Expected ${type} but got ${token.type}`,
+        this.tokenSource()
+      );
+    }
+    return this.advance();
+  }
+
+  private tokenSource(): string {
+    return this.tokens.map((t) => t.raw).join('');
+  }
+
+  private getIdentifierValue(token: Token): string {
+    if (token.type !== 'identifier' || typeof token.value !== 'string') {
+      const valueType = token.value === null ? 'null' : typeof token.value;
+      throw new ExpressionError(
+        `Expected identifier token with string value but got ${token.type}(${valueType})`,
+        this.expression
+      );
+    }
+    return token.value;
+  }
+
+  /**
+   * Parse and evaluate expression
+   */
+  evaluate(): unknown {
+    this.evaluateCallCount++;
+    if (this.evaluateCallCount > MAX_EVALUATE_CALLS) {
+      throw new ExpressionError(
+        `Expression evaluate call limit exceeded: ${MAX_EVALUATE_CALLS}`,
+        this.expression
+      );
+    }
+    return this.parseOr();
+  }
+
+  private parseOr(): unknown {
+    let left = this.parseAnd();
+    while (this.current().value === '||') {
+      this.advance();
+      const right = this.parseAnd();
+      left = this.toBoolean(left) || this.toBoolean(right);
+    }
+    return left;
+  }
+
+  private parseAnd(): unknown {
+    let left = this.parseComparison();
+    while (this.current().value === '&&') {
+      this.advance();
+      const right = this.parseComparison();
+      left = this.toBoolean(left) && this.toBoolean(right);
+    }
+    return left;
+  }
+
+  private parseComparison(): unknown {
+    const left = this.parseUnary();
+    const op = this.current().value;
+    if (typeof op === 'string' && COMPARISON_OPERATORS.has(op)) {
+      this.advance();
+      const right = this.parseUnary();
+      return this.compare(left, op, right);
+    }
+    return left;
+  }
+
+  private parseUnary(): unknown {
+    if (this.current().value === '!') {
+      this.advance();
+      const value = this.parseUnary();
+      return !this.toBoolean(value);
+    }
+    return this.parseAccess();
+  }
+
+  private checkAccessDepth(depth: number): void {
+    if (depth > MAX_PARSE_ACCESS_DEPTH) {
+      throw new ExpressionError(
+        `Expression access depth limit exceeded: ${MAX_PARSE_ACCESS_DEPTH}`,
+        this.expression
+      );
+    }
+  }
+
+  private parseAccess(): unknown {
+    let value = this.parsePrimary();
+    let depth = 0;
+
+    while (true) {
+      if (this.match('dot')) {
+        this.checkAccessDepth(++depth);
+        const prop = this.getIdentifierValue(this.expect('identifier'));
+        value = this.getProperty(value, prop);
+      } else if (this.match('lbracket')) {
+        this.checkAccessDepth(++depth);
+        const index = this.evaluate();
+        this.expect('rbracket');
+        value = this.getProperty(value, index);
+      } else {
+        break;
+      }
+    }
+
+    return value;
+  }
+
+  private parsePrimary(): unknown {
+    const token = this.current();
+
+    if (token.type === 'string' || token.type === 'number' || token.type === 'boolean') {
+      this.advance();
+      return token.value;
+    }
+    if (token.type === 'null') {
+      this.advance();
+      return null;
+    }
+
+    if (token.type === 'identifier') {
+      const name = this.getIdentifierValue(this.advance());
+
+      // Check if it's a function call
+      if (this.current().type === 'lparen') {
+        return this.parseFunction(name);
+      }
+
+      // Context variable
+      return this.getContextValue(name);
+    }
+
+    if (token.type === 'lparen') {
+      this.advance();
+      const value = this.evaluate();
+      this.expect('rparen');
+      return value;
+    }
+
+    throw new ExpressionError(
+      `Unexpected token: ${token.type}`,
+      this.tokenSource()
+    );
+  }
+
+  private parseFunction(name: string): unknown {
+    this.expect('lparen');
+    const args: unknown[] = [];
+
+    if (this.current().type !== 'rparen') {
+      args.push(this.evaluate());
+      while (this.match('comma')) {
+        args.push(this.evaluate());
+      }
+    }
+
+    this.expect('rparen');
+    return this.callFunction(name, args);
+  }
+
+  private getContextValue(name: string): unknown {
+    return this.contextMap[name];
+  }
+
+  private getProperty(obj: unknown, key: unknown): unknown {
+    if (obj === null || obj === undefined) {
+      return undefined;
+    }
+    const keyString = String(key);
+    if (BLOCKED_PROPERTY_KEYS.has(keyString)) {
+      return undefined;
+    }
+    if (typeof obj === 'object') {
+      return (obj as Record<string, unknown>)[keyString];
+    }
+    return undefined;
+  }
+
+  private compare(left: unknown, op: string, right: unknown): boolean {
+    if (op === '==' || op === '!=') {
+      return op === '==' ? left === right : left !== right;
+    }
+
+    const NUMERIC_OPERATORS: Record<string, (l: number, r: number) => boolean> = {
+      '<': (l, r) => l < r,
+      '>': (l, r) => l > r,
+      '<=': (l, r) => l <= r,
+      '>=': (l, r) => l >= r,
+    };
+
+    const numericOp = NUMERIC_OPERATORS[op];
+    if (!numericOp) {
+      throw new ExpressionError(
+        `Unknown comparison operator: ${op}`,
+        this.expression
+      );
+    }
+
+    const l = Number(left);
+    const r = Number(right);
+    if (Number.isNaN(l) || Number.isNaN(r)) {
+      throw new ExpressionError(
+        `Comparison operator '${op}' received a NaN operand`,
+        this.expression
+      );
+    }
+    return numericOp(l, r);
+  }
+
+  private toBoolean(value: unknown): boolean {
+    if (value === null || value === undefined || value === '') {
+      return false;
+    }
+    if (typeof value === 'boolean') {
+      return value;
+    }
+    if (typeof value === 'number') {
+      return value !== 0;
+    }
+    if (typeof value === 'string') {
+      return value.length > 0;
+    }
+    return true;
+  }
+
+  private callFunction(name: string, args: unknown[]): unknown {
+    const FUNCTIONS: Record<string, () => unknown> = {
+      'contains': () => fnContains(args),
+      'startsWith': () => fnStartsWith(args),
+      'endsWith': () => fnEndsWith(args),
+      'format': () => fnFormat(args),
+      'join': () => fnJoin(args),
+      'toJSON': () => fnToJSON(args),
+      'fromJSON': () => fnFromJSON(args),
+      'hashFiles': () => fnHashFiles(args, this.context),
+      'success': () => fnSuccess(this.context),
+      'always': () => fnAlways(),
+      'cancelled': () => fnCancelled(this.context),
+      'failure': () => fnFailure(this.context),
+    };
+
+    const fn = FUNCTIONS[name];
+    if (!fn) {
+      throw new ExpressionError(
+        `Unknown function: ${name}`,
+        this.tokenSource()
+      );
+    }
+    return fn();
+  }
+}