tlc-claude-code 1.4.9 → 1.5.2

package/server/lib/input-validator.js

@@ -0,0 +1,360 @@
+/**
+ * Input Validator Module
+ *
+ * Input sanitization and validation patterns for secure code generation
+ */
+
+const path = require('path');
+
+/**
+ * Create an input validator
+ * @param {Object} options - Validator options
+ * @returns {Object} Validator instance
+ */
+function createInputValidator(options = {}) {
+  return {
+    rules: {
+      maxLength: options.rules?.maxLength || 10000,
+      ...options.rules,
+    },
+  };
+}
+
+/**
+ * Sanitize a string input
+ * @param {string} input - Input string
+ * @param {Object} options - Sanitization options
+ * @returns {string} Sanitized string
+ */
+function sanitizeString(input, options = {}) {
+  if (input === null || input === undefined) {
+    return '';
+  }
+
+  let result = String(input);
+
+  // Remove null bytes
+  result = result.replace(/\x00/g, '');
+
+  // Trim whitespace
+  result = result.trim();
+
+  // Normalize unicode
+  if (options.normalize) {
+    result = result.normalize('NFC');
+  }
+
+  // Escape HTML entities
+  if (options.escapeHtml) {
+    result = result
+      .replace(/&/g, '&')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#x27;');
+  }
+
+  // Enforce max length
+  if (options.maxLength && result.length > options.maxLength) {
+    result = result.substring(0, options.maxLength);
+  }
+
+  return result;
+}
+
+/**
+ * Validate email address
+ * @param {string} email - Email to validate
+ * @returns {Object} Validation result
+ */
+function validateEmail(email) {
+  if (!email) {
+    return { valid: false, error: 'Email is required' };
+  }
+
+  // Reject dangerous characters
+  if (/["<>]/.test(email)) {
+    return { valid: false, error: 'Email contains invalid characters' };
+  }
+
+  // RFC 5322 compliant regex (simplified)
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+
+  if (!emailRegex.test(email)) {
+    return { valid: false, error: 'Invalid email format' };
+  }
+
+  return { valid: true };
+}
+
+/**
+ * Validate file path
+ * @param {string} filePath - Path to validate
+ * @param {Object} options - Validation options
+ * @returns {Object} Validation result
+ */
+function validatePath(filePath, options = {}) {
+  const { basePath } = options;
+
+  if (!filePath) {
+    return { valid: false, error: 'Path is required' };
+  }
+
+  // Check for null bytes
+  if (filePath.includes('\x00')) {
+    return { valid: false, error: 'Path contains null bytes' };
+  }
+
+  // Normalize the path
+  const normalized = path.normalize(filePath);
+
+  // Check for path traversal
+  if (filePath.includes('..') && basePath) {
+    const resolved = path.resolve(basePath, filePath);
+    const baseResolved = path.resolve(basePath);
+
+    if (!resolved.startsWith(baseResolved + path.sep) && resolved !== baseResolved) {
+      return { valid: false, error: 'Path traversal detected' };
+    }
+  }
+
+  // Check if within base path (for absolute paths)
+  if (basePath && path.isAbsolute(filePath)) {
+    const resolved = path.resolve(filePath);
+    const baseResolved = path.resolve(basePath);
+
+    if (!resolved.startsWith(baseResolved + path.sep) && resolved !== baseResolved) {
+      return { valid: false, error: 'Path is outside allowed directory' };
+    }
+  }
+
+  return { valid: true, normalized };
+}
+
+/**
+ * Validate URL
+ * @param {string} url - URL to validate
+ * @param {Object} options - Validation options
+ * @returns {Object} Validation result
+ */
+function validateUrl(url, options = {}) {
+  if (!url) {
+    return { valid: false, error: 'URL is required' };
+  }
+
+  // Check dangerous protocols
+  const dangerousProtocols = ['javascript:', 'data:', 'vbscript:'];
+  const lowerUrl = url.toLowerCase();
+
+  for (const protocol of dangerousProtocols) {
+    if (lowerUrl.startsWith(protocol)) {
+      return { valid: false, error: `Dangerous protocol: ${protocol}` };
+    }
+  }
+
+  try {
+    const parsed = new URL(url);
+
+    // Check allowed hosts
+    if (options.allowedHosts && options.allowedHosts.length > 0) {
+      if (!options.allowedHosts.includes(parsed.hostname)) {
+        return { valid: false, error: 'Host not in allowed list' };
+      }
+    }
+
+    // Block private IP addresses
+    if (options.blockPrivate) {
+      const privatePatterns = [
+        /^192\.168\./,
+        /^10\./,
+        /^172\.(1[6-9]|2[0-9]|3[0-1])\./,
+        /^127\./,
+        /^localhost$/i,
+      ];
+
+      for (const pattern of privatePatterns) {
+        if (pattern.test(parsed.hostname)) {
+          return { valid: false, error: 'Private IP addresses are blocked' };
+        }
+      }
+    }
+
+    return { valid: true };
+  } catch {
+    return { valid: false, error: 'Invalid URL format' };
+  }
+}
+
+/**
+ * Check for SQL injection patterns
+ * @param {string} input - Input to check
+ * @returns {Object} Detection result
+ */
+function preventSqlInjection(input) {
+  if (!input) {
+    return { dangerous: false, patterns: [] };
+  }
+
+  const patterns = [];
+
+  // Check for common SQL injection patterns
+  const sqlPatterns = [
+    { regex: /['"]\s*;\s*--/i, name: 'comment-injection' },
+    { regex: /'\s*OR\s+['"]?\d+['"]?\s*=\s*['"]?\d+/i, name: 'or-injection' },
+    { regex: /UNION\s+SELECT/i, name: 'union-injection' },
+    { regex: /DROP\s+TABLE/i, name: 'drop-table' },
+    { regex: /DELETE\s+FROM/i, name: 'delete-injection' },
+    { regex: /INSERT\s+INTO/i, name: 'insert-injection' },
+    { regex: /EXEC\s*\(/i, name: 'exec-injection' },
+    { regex: /xp_cmdshell/i, name: 'cmdshell-injection' },
+  ];
+
+  for (const { regex, name } of sqlPatterns) {
+    if (regex.test(input)) {
+      patterns.push(name);
+    }
+  }
+
+  // Check for string concatenation in queries
+  if (/["']\s*\+\s*["']?[^"']*["']?/.test(input)) {
+    patterns.push('string-concatenation');
+  }
+
+  const dangerous = patterns.length > 0;
+
+  return {
+    dangerous,
+    patterns,
+    suggestion: 'Use parameterized queries instead of string concatenation',
+  };
+}
+
+/**
+ * Check for command injection patterns
+ * @param {string} input - Input to check
+ * @returns {Object} Detection result
+ */
+function preventCommandInjection(input) {
+  if (!input) {
+    return { dangerous: false, safePattern: null };
+  }
+
+  const dangerous = [
+    /[;&|]/, // Command chaining
+    /\|/, // Pipe
+    /`/, // Backtick substitution
+    /\$\(/, // $() substitution
+    />\s*\//, // Output redirection
+    /<\s*\//, // Input redirection
+    /\n/, // Newline
+    /\r/, // Carriage return
+  ].some((pattern) => pattern.test(input));
+
+  return {
+    dangerous,
+    safePattern: 'Use allowlist validation for filenames and escape shell arguments',
+  };
+}
+
+/**
+ * Generate validation code
+ * @param {Object} options - Generation options
+ * @returns {string} Generated code
+ */
+function generateValidationCode(options = {}) {
+  const { type, language = 'javascript', includeErrors = false, rules = {} } = options;
+
+  const generators = {
+    javascript: {
+      email: () => `
+function validateEmail(email) {
+  const regex = /^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$/;
+  if (!regex.test(email)) {
+    ${includeErrors ? 'return { valid: false, error: "Invalid email format" };' : 'return false;'}
+  }
+  ${includeErrors ? 'return { valid: true };' : 'return true;'}
+}`,
+      path: () => `
+function validatePath(filePath, basePath) {
+  const path = require('path');
+  const resolved = path.resolve(basePath, filePath);
+  if (!resolved.startsWith(path.resolve(basePath))) {
+    ${includeErrors ? 'return { valid: false, error: "Path traversal detected" };' : 'return false;'}
+  }
+  ${includeErrors ? 'return { valid: true };' : 'return true;'}
+}`,
+      custom: () => `
+function validate(input) {
+  ${rules.minLength ? `if (input.length < ${rules.minLength}) return false;` : ''}
+  ${rules.maxLength ? `if (input.length > ${rules.maxLength}) return false;` : ''}
+  ${rules.pattern ? `if (!/${rules.pattern}/.test(input)) return false;` : ''}
+  return true;
+}`,
+    },
+    typescript: {
+      email: () => `
+function validateEmail(email: string): { valid: boolean; error?: string } {
+  const regex = /^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$/;
+  if (!regex.test(email)) {
+    return { valid: false, error: "Invalid email format" };
+  }
+  return { valid: true };
+}`,
+      path: () => `
+function validatePath(filePath: string, basePath: string): { valid: boolean; error?: string } {
+  const path = require('path');
+  const resolved = path.resolve(basePath, filePath);
+  if (!resolved.startsWith(path.resolve(basePath))) {
+    return { valid: false, error: "Path traversal detected" };
+  }
+  return { valid: true };
+}`,
+      custom: () => `
+function validate(input: string): boolean {
+  ${rules.minLength ? `if (input.length < ${rules.minLength}) return false;` : ''}
+  ${rules.maxLength ? `if (input.length > ${rules.maxLength}) return false;` : ''}
+  ${rules.pattern ? `if (!/${rules.pattern}/.test(input)) return false;` : ''}
+  return true;
+}`,
+    },
+    python: {
+      email: () => `
+import re
+
+def validate_email(email: str) -> dict:
+    pattern = r'^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$'
+    if not re.match(pattern, email):
+        return {"valid": False, "error": "Invalid email format"}
+    return {"valid": True}`,
+      path: () => `
+import os
+
+def validate_path(file_path: str, base_path: str) -> dict:
+    resolved = os.path.abspath(os.path.join(base_path, file_path))
+    if not resolved.startswith(os.path.abspath(base_path)):
+        return {"valid": False, "error": "Path traversal detected"}
+    return {"valid": True}`,
+      custom: () => `
+def validate(input: str) -> bool:
+    ${rules.minLength ? `if len(input) < ${rules.minLength}: return False` : ''}
+    ${rules.maxLength ? `if len(input) > ${rules.maxLength}: return False` : ''}
+    return True`,
+    },
+  };
+
+  const lang = generators[language] || generators.javascript;
+  const gen = lang[type] || lang.email;
+
+  return gen();
+}
+
+module.exports = {
+  createInputValidator,
+  sanitizeString,
+  validateEmail,
+  validatePath,
+  validateUrl,
+  preventSqlInjection,
+  preventCommandInjection,
+  generateValidationCode,
+};

package/server/lib/input-validator.test.js

@@ -0,0 +1,295 @@
+/**
+ * Input Validator Tests
+ *
+ * Input sanitization and validation patterns for secure code generation
+ */
+
+const { describe, it, beforeEach } = require('node:test');
+const assert = require('node:assert');
+
+const {
+  createInputValidator,
+  sanitizeString,
+  validateEmail,
+  validatePath,
+  validateUrl,
+  preventSqlInjection,
+  preventCommandInjection,
+  generateValidationCode,
+} = require('./input-validator.js');
+
+describe('Input Validator', () => {
+  let validator;
+
+  beforeEach(() => {
+    validator = createInputValidator();
+  });
+
+  describe('createInputValidator', () => {
+    it('creates validator with default config', () => {
+      assert.ok(validator);
+      assert.ok(validator.rules);
+    });
+
+    it('accepts custom rules', () => {
+      const custom = createInputValidator({
+        rules: {
+          maxLength: 100,
+        },
+      });
+
+      assert.strictEqual(custom.rules.maxLength, 100);
+    });
+  });
+
+  describe('sanitizeString', () => {
+    it('removes null bytes', () => {
+      const result = sanitizeString('hello\x00world');
+
+      assert.strictEqual(result, 'helloworld');
+    });
+
+    it('trims whitespace', () => {
+      const result = sanitizeString('  hello  ');
+
+      assert.strictEqual(result, 'hello');
+    });
+
+    it('escapes HTML entities', () => {
+      const result = sanitizeString('<script>alert("xss")</script>', { escapeHtml: true });
+
+      assert.ok(!result.includes('<script>'));
+      assert.ok(result.includes('&lt;'));
+    });
+
+    it('enforces max length', () => {
+      const result = sanitizeString('a'.repeat(1000), { maxLength: 100 });
+
+      assert.strictEqual(result.length, 100);
+    });
+
+    it('handles unicode normalization', () => {
+      const result = sanitizeString('café', { normalize: true });
+
+      assert.ok(result.includes('caf'));
+    });
+  });
+
+  describe('validateEmail', () => {
+    it('accepts valid email', () => {
+      const result = validateEmail('user@example.com');
+
+      assert.ok(result.valid);
+    });
+
+    it('rejects invalid email', () => {
+      const result = validateEmail('not-an-email');
+
+      assert.strictEqual(result.valid, false);
+      assert.ok(result.error);
+    });
+
+    it('rejects email with dangerous characters', () => {
+      const result = validateEmail('user"@example.com');
+
+      assert.strictEqual(result.valid, false);
+    });
+
+    it('handles internationalized domains', () => {
+      const result = validateEmail('user@münchen.de');
+
+      assert.ok(result.valid);
+    });
+  });
+
+  describe('validatePath', () => {
+    it('accepts valid path', () => {
+      const result = validatePath('/var/data/file.txt', { basePath: '/var/data' });
+
+      assert.ok(result.valid);
+    });
+
+    it('rejects path traversal', () => {
+      const result = validatePath('/var/data/../etc/passwd', { basePath: '/var/data' });
+
+      assert.strictEqual(result.valid, false);
+      assert.ok(result.error.includes('traversal'));
+    });
+
+    it('rejects null bytes in path', () => {
+      const result = validatePath('/var/data/file.txt\x00.jpg', { basePath: '/var/data' });
+
+      assert.strictEqual(result.valid, false);
+    });
+
+    it('normalizes path before validation', () => {
+      const result = validatePath('/var/data/./subdir/../file.txt', { basePath: '/var/data' });
+
+      assert.ok(result.valid);
+      assert.strictEqual(result.normalized, '/var/data/file.txt');
+    });
+
+    it('rejects paths outside base', () => {
+      const result = validatePath('/etc/passwd', { basePath: '/var/data' });
+
+      assert.strictEqual(result.valid, false);
+    });
+  });
+
+  describe('validateUrl', () => {
+    it('accepts valid HTTPS URL', () => {
+      const result = validateUrl('https://example.com/path');
+
+      assert.ok(result.valid);
+    });
+
+    it('rejects javascript protocol', () => {
+      const result = validateUrl('javascript:alert(1)');
+
+      assert.strictEqual(result.valid, false);
+      assert.ok(result.error.includes('protocol'));
+    });
+
+    it('rejects data protocol', () => {
+      const result = validateUrl('data:text/html,<script>alert(1)</script>');
+
+      assert.strictEqual(result.valid, false);
+    });
+
+    it('validates allowed hosts', () => {
+      const result = validateUrl('https://evil.com', {
+        allowedHosts: ['example.com', 'trusted.com'],
+      });
+
+      assert.strictEqual(result.valid, false);
+    });
+
+    it('blocks private IP addresses', () => {
+      const result = validateUrl('http://192.168.1.1', { blockPrivate: true });
+
+      assert.strictEqual(result.valid, false);
+    });
+  });
+
+  describe('preventSqlInjection', () => {
+    it('detects SQL injection patterns', () => {
+      const result = preventSqlInjection("'; DROP TABLE users; --");
+
+      assert.ok(result.dangerous);
+      assert.ok(result.patterns.length > 0);
+    });
+
+    it('allows safe strings', () => {
+      const result = preventSqlInjection('John Doe');
+
+      assert.strictEqual(result.dangerous, false);
+    });
+
+    it('detects union-based injection', () => {
+      const result = preventSqlInjection('1 UNION SELECT * FROM users');
+
+      assert.ok(result.dangerous);
+    });
+
+    it('generates parameterized query suggestion', () => {
+      const result = preventSqlInjection("user_id = '" + "123" + "'");
+
+      assert.ok(result.suggestion);
+      assert.ok(result.suggestion.includes('parameterized'));
+    });
+  });
+
+  describe('preventCommandInjection', () => {
+    it('detects command chaining', () => {
+      const result = preventCommandInjection('file.txt; rm -rf /');
+
+      assert.ok(result.dangerous);
+    });
+
+    it('detects pipe injection', () => {
+      const result = preventCommandInjection('file.txt | cat /etc/passwd');
+
+      assert.ok(result.dangerous);
+    });
+
+    it('detects backtick injection', () => {
+      const result = preventCommandInjection('`cat /etc/passwd`');
+
+      assert.ok(result.dangerous);
+    });
+
+    it('detects $() injection', () => {
+      const result = preventCommandInjection('$(cat /etc/passwd)');
+
+      assert.ok(result.dangerous);
+    });
+
+    it('allows safe filenames', () => {
+      const result = preventCommandInjection('document.pdf');
+
+      assert.strictEqual(result.dangerous, false);
+    });
+
+    it('suggests safe alternatives', () => {
+      const result = preventCommandInjection('user-input');
+
+      assert.ok(result.safePattern);
+    });
+  });
+
+  describe('generateValidationCode', () => {
+    it('generates JavaScript validation function', () => {
+      const code = generateValidationCode({
+        type: 'email',
+        language: 'javascript',
+      });
+
+      assert.ok(code.includes('function'));
+      assert.ok(code.includes('email'));
+    });
+
+    it('generates TypeScript validation function', () => {
+      const code = generateValidationCode({
+        type: 'email',
+        language: 'typescript',
+      });
+
+      assert.ok(code.includes('string'));
+      assert.ok(code.includes(':'));
+    });
+
+    it('generates Python validation function', () => {
+      const code = generateValidationCode({
+        type: 'email',
+        language: 'python',
+      });
+
+      assert.ok(code.includes('def'));
+    });
+
+    it('includes error messages', () => {
+      const code = generateValidationCode({
+        type: 'path',
+        language: 'javascript',
+        includeErrors: true,
+      });
+
+      assert.ok(code.includes('error') || code.includes('Error'));
+    });
+
+    it('generates validation for custom rules', () => {
+      const code = generateValidationCode({
+        type: 'custom',
+        language: 'javascript',
+        rules: {
+          minLength: 8,
+          maxLength: 100,
+          pattern: '^[a-zA-Z0-9]+$',
+        },
+      });
+
+      assert.ok(code.includes('8'));
+      assert.ok(code.includes('100'));
+    });
+  });
+});