npm - termbeam - Versions diffs - 1.2.8 → 1.2.10 - Mend

termbeam 1.2.8 → 1.2.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -128,7 +128,9 @@ Environment variables: `PORT`, `TERMBEAM_PASSWORD`, `TERMBEAM_CWD`, `TERMBEAM_LO
 TermBeam auto-generates a password and creates a tunnel by default, so your terminal is protected out of the box. By default, the server binds to `127.0.0.1` (localhost only). Use `--lan` or `--host 0.0.0.0` to allow LAN access, or `--no-tunnel` to disable the tunnel.
-Auth uses secure httpOnly cookies with 24-hour expiry, login is rate-limited to 5 attempts per minute, and security headers (X-Frame-Options, X-Content-Type-Options, etc.) are set on all responses. The QR code on startup embeds a share token for password-free login — the token is reusable within its 5-minute validity window, which handles tunnel proxy retries and link preview services. API clients that can't use cookies can authenticate with an `Authorization: Bearer <password>` header. See the [Security Guide](https://dorlugasigal.github.io/TermBeam/security/) for more.
+Auth uses secure httpOnly cookies with 24-hour expiry, login is rate-limited to 5 attempts per minute, and security headers (X-Frame-Options, X-Content-Type-Options, etc.) are set on all responses. The QR code on startup embeds a share token for password-free login — the token is reusable within its 5-minute validity window, which handles tunnel proxy retries and link preview services. API clients that can't use cookies can authenticate with an `Authorization: Bearer <password>` header.
+For the full threat model, safe usage guidance, and a quick safety checklist, see [SECURITY.md](SECURITY.md). For detailed security feature documentation, see the [Security Guide](https://dorlugasigal.github.io/TermBeam/security/).
 ## Contributing

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "termbeam",
-  "version": "1.2.8",
+  "version": "1.2.10",
   "description": "Beam your terminal to any device — mobile-optimized web terminal with multi-session support",
   "main": "src/server.js",
   "bin": {

package/public/terminal.html CHANGED Viewed

@@ -3203,23 +3203,7 @@
         }
         async function handlePaste() {
-          // Try clipboard API for text first (most common), then images, then fallback to modal
-          if (navigator.clipboard && navigator.clipboard.readText) {
-            try {
-              const text = await navigator.clipboard.readText();
-              if (text) {
-                const ms = managed.get(activeId);
-                if (ms && ms.ws && ms.ws.readyState === 1) {
-                  ms.ws.send(JSON.stringify({ type: 'input', data: text }));
-                  showToast('Pasted!');
-                }
-                return;
-              }
-            } catch (err) {
-              console.warn('clipboard.readText failed:', err.message);
-            }
-          }
-          // Image paste: try clipboard.read() only if readText didn't work
+          // Try image first via clipboard.read()
           if (navigator.clipboard && navigator.clipboard.read) {
             try {
               const items = await navigator.clipboard.read();
@@ -3237,8 +3221,9 @@
                   const data = await res.json();
                   const ms = managed.get(activeId);
                   if (ms && ms.ws && ms.ws.readyState === 1) {
-                    ms.ws.send(JSON.stringify({ type: 'input', data: data.path + ' ' }));
-                    showToast('Image pasted: ' + data.path.split(/[/\\]/).pop());
+                    ms.ws.send(
+                      JSON.stringify({ type: 'input', data: (data.path || data.url) + ' ' }),
+                    );
                   }
                   return;
                 }
@@ -3247,6 +3232,22 @@
               console.warn('clipboard.read failed:', err.message);
             }
           }
+          // Text paste
+          if (navigator.clipboard && navigator.clipboard.readText) {
+            try {
+              const text = await navigator.clipboard.readText();
+              if (text) {
+                const ms = managed.get(activeId);
+                if (ms && ms.ws && ms.ws.readyState === 1) {
+                  ms.ws.send(JSON.stringify({ type: 'input', data: text }));
+                  showToast('Pasted!');
+                }
+                return;
+              }
+            } catch (err) {
+              console.warn('clipboard.readText failed:', err.message);
+            }
+          }
           openPasteModal();
         }
@@ -3392,36 +3393,44 @@
       // ===== Image Paste =====
       function setupImagePaste() {
-        document.addEventListener('paste', async (e) => {
-          const items = e.clipboardData && e.clipboardData.items;
-          if (!items) return;
-          for (const item of items) {
-            if (item.type.startsWith('image/')) {
-              e.preventDefault();
-              const blob = item.getAsFile();
-              if (!blob) return;
-              try {
-                const res = await fetch('/api/upload', {
-                  method: 'POST',
-                  headers: { 'Content-Type': item.type },
-                  body: blob,
-                });
-                if (!res.ok) throw new Error('Upload failed');
-                const data = await res.json();
-                const ms = managed.get(activeId);
-                if (ms && ms.ws && ms.ws.readyState === 1) {
-                  ms.ws.send(JSON.stringify({ type: 'input', data: data.path + ' ' }));
-                  showToast('Image pasted: ' + data.path.split(/[/\\]/).pop());
+        // Use capture phase so we intercept before xterm.js pastes a file path as text
+        document.addEventListener(
+          'paste',
+          async (e) => {
+            const items = e.clipboardData && e.clipboardData.items;
+            if (!items) return;
+            for (const item of items) {
+              if (item.type.startsWith('image/')) {
+                e.preventDefault();
+                e.stopPropagation();
+                const blob = item.getAsFile();
+                if (!blob) return;
+                try {
+                  const res = await fetch('/api/upload', {
+                    method: 'POST',
+                    headers: { 'Content-Type': item.type },
+                    body: blob,
+                    credentials: 'same-origin',
+                  });
+                  if (!res.ok) throw new Error('Upload failed');
+                  const data = await res.json();
+                  const ms = managed.get(activeId);
+                  if (ms && ms.ws && ms.ws.readyState === 1) {
+                    ms.ws.send(
+                      JSON.stringify({ type: 'input', data: (data.path || data.url) + ' ' }),
+                    );
+                  }
+                } catch (err) {
+                  showToast('Image paste failed');
                 }
-              } catch (err) {
-                showToast('Image paste failed');
+                return;
               }
-              return;
             }
-          }
-        });
+          },
+          true,
+        );
       }
       // ===== New Session Modal =====

package/src/auth.js CHANGED Viewed

@@ -86,26 +86,25 @@ function createAuth(password) {
     const token = crypto.randomBytes(32).toString('hex');
     const expiry = Date.now() + 5 * 60 * 1000;
     shareTokens.set(token, expiry); // 5 minute expiry
-    log.info(`Share: created ${token.slice(0, 8)}… (expires in 5m)`);
+    log.info('Share: created new token (expires in 5m)');
+    log.debug(`Share: token expires at ${new Date(expiry).toISOString()}`);
     return token;
   }
   function validateShareToken(token) {
     const expiry = shareTokens.get(token);
-    const tag = token.slice(0, 8);
     if (!expiry) {
-      log.warn(`Share: unknown token ${tag}…`);
+      log.warn('Share: unknown token presented');
       return false;
     }
     const remaining = Math.round((expiry - Date.now()) / 1000);
     if (remaining <= 0) {
       shareTokens.delete(token);
-      log.warn(`Share: expired token ${tag}…`);
+      log.warn('Share: expired token presented');
       return false;
     }
-    const min = Math.floor(remaining / 60);
-    const sec = remaining % 60;
-    log.info(`Share: valid token ${tag}… (${min}m ${sec}s remaining)`);
+    shareTokens.delete(token);
+    log.info('share token consumed');
     return true;
   }
@@ -145,8 +144,8 @@ function createAuth(password) {
       authAttempts.set(ip, recent);
       return res.status(401).json({ error: 'unauthorized' });
     }
-    if (req.accepts('html')) return res.redirect('/login');
-    res.status(401).json({ error: 'unauthorized' });
+    if (req.path.startsWith('/api/')) return res.status(401).json({ error: 'unauthorized' });
+    res.redirect('/login');
   }
   function rateLimit(req, res, next) {

package/src/routes.js CHANGED Viewed

@@ -7,7 +7,31 @@ const { detectShells } = require('./shells');
 const log = require('./logger');
 const PUBLIC_DIR = path.join(__dirname, '..', 'public');
-const uploadedFiles = [];
+const uploadedFiles = new Map(); // id -> filepath
+const IMAGE_SIGNATURES = [
+  { type: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
+  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
+  { type: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
+  { type: 'image/webp', offset: 8, bytes: [0x57, 0x45, 0x42, 0x50] },
+  { type: 'image/bmp', bytes: [0x42, 0x4d] },
+];
+function validateMagicBytes(buffer, contentType) {
+  const sig = IMAGE_SIGNATURES.find((s) => s.type === contentType);
+  if (!sig) return true; // unknown type, skip validation
+  const offset = sig.offset || 0;
+  if (buffer.length < offset + sig.bytes.length) return false;
+  const match = sig.bytes.every((b, i) => buffer[offset + i] === b);
+  if (!match) return false;
+  // WebP requires RIFF header at offset 0
+  if (contentType === 'image/webp') {
+    const riff = [0x52, 0x49, 0x46, 0x46];
+    if (buffer.length < 4) return false;
+    return riff.every((b, i) => buffer[i] === b);
+  }
+  return true;
+}
 function setupRoutes(app, { auth, sessions, config, state }) {
   // Serve static files (manifest.json, sw.js, icons, etc.)
@@ -204,6 +228,10 @@ function setupRoutes(app, { auth, sessions, config, state }) {
       if (!buffer.length) {
         return res.status(400).json({ error: 'No image data' });
       }
+      if (!validateMagicBytes(buffer, contentType)) {
+        log.warn(`Upload rejected: content-type "${contentType}" does not match file signature`);
+        return res.status(400).json({ error: 'File content does not match declared image type' });
+      }
       const ext =
         {
           'image/png': '.png',
@@ -212,12 +240,13 @@ function setupRoutes(app, { auth, sessions, config, state }) {
           'image/webp': '.webp',
           'image/bmp': '.bmp',
         }[contentType] || '.png';
-      const filename = `termbeam-${crypto.randomUUID()}${ext}`;
+      const id = crypto.randomUUID();
+      const filename = `termbeam-${id}${ext}`;
       const filepath = path.join(os.tmpdir(), filename);
       fs.writeFileSync(filepath, buffer);
-      uploadedFiles.push(filepath);
+      uploadedFiles.set(id, filepath);
       log.info(`Upload: ${filename} (${buffer.length} bytes)`);
-      res.json({ path: filepath });
+      res.json({ id, url: `/uploads/${id}`, path: filepath });
     });
     req.on('error', (err) => {
@@ -226,6 +255,17 @@ function setupRoutes(app, { auth, sessions, config, state }) {
     });
   });
+  // Serve uploaded files by opaque ID
+  app.get('/uploads/:id', auth.middleware, (req, res) => {
+    const filepath = uploadedFiles.get(req.params.id);
+    if (!filepath) return res.status(404).json({ error: 'not found' });
+    if (!fs.existsSync(filepath)) {
+      uploadedFiles.delete(req.params.id);
+      return res.status(404).json({ error: 'not found' });
+    }
+    res.sendFile(filepath);
+  });
   // Directory listing for folder browser
   app.get('/api/dirs', auth.middleware, (req, res) => {
     const query = req.query.q || config.cwd + path.sep;
@@ -248,7 +288,7 @@ function setupRoutes(app, { auth, sessions, config, state }) {
 }
 function cleanupUploadedFiles() {
-  for (const filepath of uploadedFiles) {
+  for (const [id, filepath] of uploadedFiles) {
     try {
       if (fs.existsSync(filepath)) {
         fs.unlinkSync(filepath);
@@ -257,7 +297,7 @@ function cleanupUploadedFiles() {
       log.error(`Failed to cleanup ${filepath}: ${err.message}`);
     }
   }
-  uploadedFiles.length = 0;
+  uploadedFiles.clear();
 }
 module.exports = { setupRoutes, cleanupUploadedFiles };