npm - termbeam - Versions diffs - 1.8.0 → 1.8.1 - Mend

termbeam 1.8.0 → 1.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md CHANGED Viewed

@@ -8,6 +8,7 @@
 [![npm downloads](https://img.shields.io/npm/dm/termbeam.svg)](https://www.npmjs.com/package/termbeam)
 [![CI](https://github.com/dorlugasigal/TermBeam/actions/workflows/ci.yml/badge.svg)](https://github.com/dorlugasigal/TermBeam/actions/workflows/ci.yml)
 [![Coverage](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/dorlugasigal/TermBeam/coverage-data/endpoint.json)](https://github.com/dorlugasigal/TermBeam/actions/workflows/ci.yml)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/dorlugasigal/TermBeam/badge)](https://securityscorecards.dev/viewer/?uri=github.com/dorlugasigal/TermBeam)
 [![Node.js](https://img.shields.io/node/v/termbeam.svg)](https://nodejs.org/)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "termbeam",
-  "version": "1.8.0",
+  "version": "1.8.1",
   "description": "Beam your terminal to any device — mobile-optimized web terminal with multi-session support",
   "main": "src/server.js",
   "bin": {
@@ -68,13 +68,17 @@
   "dependencies": {
     "cookie-parser": "^1.4.7",
     "express": "^5.2.1",
+    "express-rate-limit": "^8.2.1",
     "node-pty": "^1.1.0",
     "qrcode": "^1.5.4",
     "ws": "^8.19.0"
   },
   "devDependencies": {
+    "@eslint/js": "^9.39.3",
     "@playwright/test": "^1.58.2",
     "c8": "^11.0.0",
+    "eslint": "^10.0.2",
+    "eslint-plugin-security": "^4.0.0",
     "husky": "^9.1.7",
     "lint-staged": "^16.2.7",
     "prettier": "^3.8.1"

package/src/interactive.js CHANGED Viewed

@@ -85,7 +85,7 @@ async function runInteractiveSetup(baseConfig) {
   let passwordMode = 'auto';
   if (pwChoice.index === 0) {
     config.password = crypto.randomBytes(16).toString('base64url');
-    console.log(dim(`  Generated password: ${config.password}`));
+    process.stdout.write(dim(`  Generated password: ${config.password}`) + '\n');
   } else if (pwChoice.index === 1) {
     passwordMode = 'custom';
     config.password = await ask(rl, 'Enter password:');
@@ -99,7 +99,7 @@ async function runInteractiveSetup(baseConfig) {
   }
   decisions.push({
     label: 'Password',
-    value: config.password == null ? yellow('disabled') : '••••••••',
+    value: config.password === null ? yellow('disabled') : '••••••••',
   });
   // Step 2: Port
@@ -164,7 +164,7 @@ async function runInteractiveSetup(baseConfig) {
     if (config.publicTunnel && !config.password) {
       console.log(yellow('  ⚠ Public tunnels require password authentication.'));
       config.password = crypto.randomBytes(16).toString('base64url');
-      console.log(dim(`  Auto-generated password: ${config.password}`));
+      process.stdout.write(dim(`  Auto-generated password: ${config.password}`) + '\n');
       passwordMode = 'auto';
       // Update the password decision
       decisions[0] = { label: 'Password', value: '••••••••' };
@@ -212,7 +212,7 @@ async function runInteractiveSetup(baseConfig) {
   showProgress(4);
   console.log(bold('\n── Configuration Summary ──────────────────'));
   console.log(
-    `  Password:      ${config.password == null ? yellow('disabled') : cyan('••••••••')}`,
+    `  Password:      ${config.password === null ? yellow('disabled') : cyan('••••••••')}`,
   );
   console.log(`  Port:          ${cyan(String(config.port))}`);
   console.log(

package/src/prompts.js CHANGED Viewed

@@ -19,11 +19,11 @@ const dim = (t) => color('2', t);
  * If `defaultValue` is provided, it's shown in brackets and used when the user presses Enter.
  */
 function ask(rl, question, defaultValue) {
-  const suffix = defaultValue != null ? ` ${dim(`[${defaultValue}]`)} ` : ' ';
+  const suffix = defaultValue != null ? ` ${dim(`[${defaultValue}]`)} ` : ' '; // eslint-disable-line eqeqeq
   return new Promise((resolve) => {
     rl.question(`${question}${suffix}`, (answer) => {
       const trimmed = answer.trim();
-      resolve(trimmed || (defaultValue != null ? String(defaultValue) : ''));
+      resolve(trimmed || (defaultValue != null ? String(defaultValue) : '')); // eslint-disable-line eqeqeq
     });
   });
 }

package/src/routes.js CHANGED Viewed

@@ -5,10 +5,29 @@ const crypto = require('crypto');
 const express = require('express');
 const { detectShells } = require('./shells');
 const log = require('./logger');
+const rateLimit = require('express-rate-limit');
 const PUBLIC_DIR = path.join(__dirname, '..', 'public');
 const uploadedFiles = new Map(); // id -> filepath
+const pageRateLimit = rateLimit({
+  windowMs: 1 * 60 * 1000,
+  max: 120,
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: (_req, res) =>
+    res.status(429).json({ error: 'Too many requests, please try again later.' }),
+});
+const apiRateLimit = rateLimit({
+  windowMs: 1 * 60 * 1000,
+  max: 120,
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: (_req, res) =>
+    res.status(429).json({ error: 'Too many requests, please try again later.' }),
+});
 const IMAGE_SIGNATURES = [
   { type: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
   { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
@@ -74,7 +93,7 @@ function setupRoutes(app, { auth, sessions, config, state }) {
     if (!ott || !auth.password) return next();
     // Already authenticated (e.g. DevTunnel anti-phishing re-sent the request) — just redirect
     if (req.cookies.pty_token && auth.validateToken(req.cookies.pty_token)) {
-      return res.redirect(req.path);
+      return res.redirect(req.path === '/terminal' ? '/terminal' : '/');
     }
     if (auth.validateShareToken(ott)) {
       const token = auth.generateToken();
@@ -86,17 +105,17 @@ function setupRoutes(app, { auth, sessions, config, state }) {
       });
       log.info(`Auth: share-token auto-login from ${req.ip}`);
       // Redirect to the same path without ?ott= to keep the URL clean
-      return res.redirect(req.path);
+      return res.redirect(req.path === '/terminal' ? '/terminal' : '/');
     }
     log.warn(`Auth: invalid or expired share token from ${req.ip}`);
     next();
   }
   // Pages
-  app.get('/', autoLogin, auth.middleware, (_req, res) =>
+  app.get('/', pageRateLimit, autoLogin, auth.middleware, (_req, res) =>
     res.sendFile('index.html', { root: PUBLIC_DIR }),
   );
-  app.get('/terminal', autoLogin, auth.middleware, (_req, res) =>
+  app.get('/terminal', pageRateLimit, autoLogin, auth.middleware, (_req, res) =>
     res.sendFile('terminal.html', { root: PUBLIC_DIR }),
   );
@@ -109,11 +128,11 @@ function setupRoutes(app, { auth, sessions, config, state }) {
   });
   // Session API
-  app.get('/api/sessions', auth.middleware, (_req, res) => {
+  app.get('/api/sessions', apiRateLimit, auth.middleware, (_req, res) => {
     res.json(sessions.list());
   });
-  app.post('/api/sessions', auth.middleware, (req, res) => {
+  app.post('/api/sessions', apiRateLimit, auth.middleware, (req, res) => {
     const { name, shell, args: shellArgs, cwd, initialCommand, color, cols, rows } = req.body || {};
     // Validate shell field
@@ -125,6 +144,20 @@ function setupRoutes(app, { auth, sessions, config, state }) {
       }
     }
+    // Validate args field — must be an array of strings
+    if (shellArgs !== undefined) {
+      if (!Array.isArray(shellArgs) || !shellArgs.every((a) => typeof a === 'string')) {
+        return res.status(400).json({ error: 'args must be an array of strings' });
+      }
+    }
+    // Validate initialCommand field — must be a string
+    if (initialCommand !== undefined && initialCommand !== null) {
+      if (typeof initialCommand !== 'string') {
+        return res.status(400).json({ error: 'initialCommand must be a string' });
+      }
+    }
     // Validate cwd field
     if (cwd) {
       if (!path.isAbsolute(cwd)) {
@@ -139,16 +172,21 @@ function setupRoutes(app, { auth, sessions, config, state }) {
       }
     }
-    const id = sessions.create({
-      name: name || `Session ${sessions.sessions.size + 1}`,
-      shell: shell || config.defaultShell,
-      args: shellArgs || [],
-      cwd: cwd || config.cwd,
-      initialCommand: initialCommand || null,
-      color: color || null,
-      cols: typeof cols === 'number' && cols > 0 && cols <= 500 ? Math.floor(cols) : undefined,
-      rows: typeof rows === 'number' && rows > 0 && rows <= 200 ? Math.floor(rows) : undefined,
-    });
+    let id;
+    try {
+      id = sessions.create({
+        name: name || `Session ${sessions.sessions.size + 1}`,
+        shell: shell || config.defaultShell,
+        args: shellArgs || [],
+        cwd: cwd ? path.resolve(cwd) : config.cwd,
+        initialCommand: initialCommand ?? null,
+        color: color || null,
+        cols: typeof cols === 'number' && cols > 0 && cols <= 500 ? Math.floor(cols) : undefined,
+        rows: typeof rows === 'number' && rows > 0 && rows <= 200 ? Math.floor(rows) : undefined,
+      });
+    } catch (err) {
+      return res.status(400).json({ error: err.message || 'Failed to create session' });
+    }
     res.json({ id, url: `/terminal?id=${id}` });
   });
@@ -260,7 +298,7 @@ function setupRoutes(app, { auth, sessions, config, state }) {
   });
   // Serve uploaded files by opaque ID
-  app.get('/uploads/:id', auth.middleware, (req, res) => {
+  app.get('/uploads/:id', pageRateLimit, auth.middleware, (req, res) => {
     const filepath = uploadedFiles.get(req.params.id);
     if (!filepath) return res.status(404).json({ error: 'not found' });
     if (!fs.existsSync(filepath)) {
@@ -271,10 +309,10 @@ function setupRoutes(app, { auth, sessions, config, state }) {
   });
   // Directory listing for folder browser
-  app.get('/api/dirs', auth.middleware, (req, res) => {
+  app.get('/api/dirs', apiRateLimit, auth.middleware, (req, res) => {
     const query = req.query.q || config.cwd + path.sep;
     const endsWithSep = query.endsWith('/') || query.endsWith('\\');
-    const dir = endsWithSep ? query : path.dirname(query);
+    const dir = path.resolve(endsWithSep ? query : path.dirname(query));
     const prefix = endsWithSep ? '' : path.basename(query);
     try {
@@ -292,7 +330,7 @@ function setupRoutes(app, { auth, sessions, config, state }) {
 }
 function cleanupUploadedFiles() {
-  for (const [id, filepath] of uploadedFiles) {
+  for (const [_id, filepath] of uploadedFiles) {
     try {
       if (fs.existsSync(filepath)) {
         fs.unlinkSync(filepath);

package/src/server.js CHANGED Viewed

@@ -172,7 +172,7 @@ function createTermBeamServer(overrides = {}) {
           config.host === '0.0.0.0' || config.host === '::' || config.host === ip;
         state.shareBaseUrl = isLanReachable ? localUrl : `http://localhost:${config.port}`;
         const gn = '\x1b[38;5;114m'; // green
-        const dm = '\x1b[2m'; // dim
+        const _dm = '\x1b[2m'; // dim
         const bl = '\x1b[38;5;75m'; // light blue
@@ -220,7 +220,7 @@ function createTermBeamServer(overrides = {}) {
         }
         console.log(`  Scan the QR code or open: ${bl}${qrDisplayUrl}${rs}`);
-        if (config.password) console.log(`  Password: ${gn}${config.password}${rs}`);
+        if (config.password) process.stdout.write(`  Password: ${gn}${config.password}${rs}\n`);
         console.log('');
         resolve({ url: `http://localhost:${config.port}`, defaultId });

package/src/service.js CHANGED Viewed

@@ -1,4 +1,4 @@
-const { execFileSync, execFile } = require('child_process');
+const { execFileSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
@@ -237,7 +237,7 @@ async function actionInstall() {
   ]);
   if (pwChoice.index === 0) {
     config.password = crypto.randomBytes(16).toString('base64url');
-    console.log(dim(`  Generated password: ${config.password}`));
+    process.stdout.write(dim(`  Generated password: ${config.password}`) + '\n');
   } else if (pwChoice.index === 1) {
     config.password = await ask(rl, 'Enter password:');
     while (!config.password) {
@@ -297,7 +297,7 @@ async function actionInstall() {
     if (config.publicTunnel && config.password === false) {
       console.log(yellow('  ⚠ Public tunnels require password authentication.'));
       config.password = crypto.randomBytes(16).toString('base64url');
-      console.log(dim(`  Auto-generated password: ${config.password}`));
+      process.stdout.write(dim(`  Auto-generated password: ${config.password}`) + '\n');
     }
   } else if (accessChoice.index === 1) {
     // LAN mode: bind to all interfaces, no tunnel
@@ -352,7 +352,7 @@ async function actionInstall() {
   console.log(bold('\n── Configuration Summary ──────────────────'));
   console.log(`  Service name:  ${cyan(config.name)}`);
   console.log(
-    `  Password:      ${config.password === false ? yellow('disabled') : cyan(config.password)}`,
+    `  Password:      ${config.password === false ? yellow('disabled') : cyan('••••••••')}`,
   );
   console.log(`  Port:          ${cyan(String(config.port))}`);
   console.log(

package/src/sessions.js CHANGED Viewed

@@ -1,11 +1,12 @@
 const crypto = require('crypto');
+const path = require('path');
 const { execSync, exec } = require('child_process');
 const fs = require('fs');
 const pty = require('node-pty');
 const log = require('./logger');
 const { getGitInfo } = require('./git');
-function getProcessCwd(pid) {
+function _getProcessCwd(pid) {
   try {
     if (process.platform === 'linux') {
       return fs.readlinkSync(`/proc/${pid}/cwd`);
@@ -108,6 +109,24 @@ class SessionManager {
     cols = 120,
     rows = 30,
   }) {
+    // Defense-in-depth: reject shells with dangerous characters or relative paths
+    if (
+      typeof shell !== 'string' ||
+      !shell ||
+      /[;&|`$(){}\[\]!#~]/.test(shell) ||
+      (!path.isAbsolute(shell) && !shell.match(/^[a-zA-Z0-9._-]+(\.exe)?$/))
+    ) {
+      throw new Error('Invalid shell');
+    }
+    // Defense-in-depth: validate args and initialCommand types
+    if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) {
+      throw new Error('args must be an array of strings');
+    }
+    if (initialCommand !== null && typeof initialCommand !== 'string') {
+      throw new Error('initialCommand must be a string');
+    }
     const id = crypto.randomBytes(16).toString('hex');
     if (!color) {
       color = SESSION_COLORS[this.sessions.size % SESSION_COLORS.length];
@@ -209,7 +228,7 @@ class SessionManager {
   }
   shutdown() {
-    for (const [id, s] of this.sessions) {
+    for (const [_id, s] of this.sessions) {
       try {
         s.pty.kill();
       } catch {

package/src/tunnel.js CHANGED Viewed

@@ -67,7 +67,7 @@ function savePersistedTunnel(id) {
   );
 }
-function deletePersisted() {
+function _deletePersisted() {
   const persisted = loadPersistedTunnel();
   if (persisted) {
     try {
@@ -139,7 +139,7 @@ async function startTunnel(port, options = {}) {
         log.info('A code will be displayed — open the URL on any device to authenticate.');
         try {
           execFileSync(devtunnelCmd, ['user', 'login', '-d'], { stdio: 'inherit' });
-        } catch (loginErr) {
+        } catch (_loginErr) {
           log.error('');
           log.error('  DevTunnel login failed. To use tunnels, run:');
           log.error('    devtunnel user login');