typescript-virtual-container 1.2.4 → 1.2.6

package/src/SSHMimic/executor.ts

@@ -1,13 +1,79 @@
 import { runCommand as runSingleCommand } from "../commands";
 import { resolvePath } from "../commands/helpers";
-import type { CommandMode, CommandResult } from "../types/commands";
-import type { Pipeline, PipelineCommand } from "../types/pipeline";
+import type { CommandMode, CommandResult, ShellEnv } from "../types/commands";
+import type { Pipeline, PipelineCommand, Script, Statement } from "../types/pipeline";
 import type { VirtualShell } from "../VirtualShell";
 
-/**
- * Execute a parsed pipeline, chaining commands and handling redirections.
- * Manages stdout/stderr flow between commands and file I/O.
- */
+// ── Script executor (handles &&/||/;) ────────────────────────────────────────
+
+export async function executeScript(
+	script: Script,
+	authUser: string,
+	hostname: string,
+	mode: CommandMode,
+	cwd: string,
+	shell: VirtualShell,
+	env: ShellEnv,
+): Promise<CommandResult> {
+	if (!script.isValid) return { stderr: script.error || "Syntax error", exitCode: 1 };
+
+	let lastResult: CommandResult = { exitCode: 0 };
+
+	for (const stmt of script.statements) {
+		// Decide whether to run this statement based on previous op
+		lastResult = await executePipeline(stmt.pipeline, authUser, hostname, mode, cwd, shell, env);
+		env.lastExitCode = lastResult.exitCode ?? 0;
+
+		// Propagate session-control signals
+		if (lastResult.closeSession || lastResult.switchUser || lastResult.nextCwd) {
+			break;
+		}
+	}
+
+	return lastResult;
+}
+
+/** Execute statements connected by &&/||/; */
+export async function executeStatements(
+	statements: Statement[],
+	authUser: string,
+	hostname: string,
+	mode: CommandMode,
+	cwd: string,
+	shell: VirtualShell,
+	env: ShellEnv,
+): Promise<CommandResult> {
+	let last: CommandResult = { exitCode: 0 };
+	let i = 0;
+
+	while (i < statements.length) {
+		const stmt = statements[i]!;
+		last = await executePipeline(stmt.pipeline, authUser, hostname, mode, cwd, shell, env);
+		env.lastExitCode = last.exitCode ?? 0;
+
+		if (last.closeSession || last.switchUser) return last;
+
+		const op = stmt.op;
+		if (!op || op === ";") {
+			// always run next
+		} else if (op === "&&") {
+			if ((last.exitCode ?? 0) !== 0) {
+				// skip until next ; or end
+				while (i < statements.length && statements[i]?.op === "&&") i++;
+			}
+		} else if (op === "||") {
+			if ((last.exitCode ?? 0) === 0) {
+				// skip until next ; or end
+				while (i < statements.length && statements[i]?.op === "||") i++;
+			}
+		}
+		i++;
+	}
+	return last;
+}
+
+// ── Pipeline executor ─────────────────────────────────────────────────────────
+
 export async function executePipeline(
 	pipeline: Pipeline,
 	authUser: string,
@@ -15,37 +81,26 @@ export async function executePipeline(
 	mode: CommandMode,
 	cwd: string,
 	shell: VirtualShell,
+	env?: ShellEnv,
 ): Promise<CommandResult> {
-	if (pipeline.commands.length === 0) {
-		return { exitCode: 0 };
-	}
+	if (!pipeline.isValid) return { stderr: pipeline.error || "Syntax error", exitCode: 1 };
+	if (pipeline.commands.length === 0) return { exitCode: 0 };
+
+	const shellEnv: ShellEnv = env ?? { vars: {}, lastExitCode: 0 };
 
 	if (pipeline.commands.length === 1) {
-		// Single command with possible redirections
 		return executeSingleCommandWithRedirections(
 			pipeline.commands[0] as PipelineCommand,
-			authUser,
-			hostname,
-			mode,
-			cwd,
-			shell,
+			authUser, hostname, mode, cwd, shell, shellEnv,
 		);
 	}
 
-	// Multiple commands in a pipeline
 	return executePipelineChain(
 		pipeline.commands as PipelineCommand[],
-		authUser,
-		hostname,
-		mode,
-		cwd,
-		shell,
+		authUser, hostname, mode, cwd, shell, shellEnv,
 	);
 }
 
-/**
- * Execute a single command with input/output redirections
- */
 async function executeSingleCommandWithRedirections(
 	cmd: PipelineCommand,
 	authUser: string,
@@ -53,66 +108,37 @@ async function executeSingleCommandWithRedirections(
 	mode: CommandMode,
 	cwd: string,
 	shell: VirtualShell,
+	env: ShellEnv,
 ): Promise<CommandResult> {
-	// Prepare input if input file specified
 	let stdin: string | undefined;
 	if (cmd.inputFile) {
 		const inputPath = resolvePath(cwd, cmd.inputFile);
-		try {
-			stdin = shell.vfs.readFile(inputPath);
-		} catch {
-			return {
-				stderr: `cat: ${cmd.inputFile}: No such file or directory`,
-				exitCode: 1,
-			};
-		}
+		try { stdin = shell.vfs.readFile(inputPath); }
+		catch { return { stderr: `${cmd.inputFile}: No such file or directory`, exitCode: 1 }; }
 	}
 
-	// Build raw input for the command
 	const rawInput = [cmd.name, ...cmd.args].join(" ");
+	const result = await runSingleCommand(rawInput, authUser, hostname, mode, cwd, shell, stdin, env);
 
-	// Run the command with potential input
-	const result = await runSingleCommand(
-		rawInput,
-		authUser,
-		hostname,
-		mode,
-		cwd,
-		shell,
-		stdin,
-	);
-
-	// Handle output redirection
 	if (cmd.outputFile) {
 		const outputPath = resolvePath(cwd, cmd.outputFile);
 		const output = result.stdout || "";
 		try {
 			if (cmd.appendOutput) {
-				try {
-					const existing = shell.vfs.readFile(outputPath);
-					shell.writeFileAsUser(authUser, outputPath, existing + output);
-				} catch {
-					shell.writeFileAsUser(authUser, outputPath, output);
-				}
+				const existing = (() => { try { return shell.vfs.readFile(outputPath); } catch { return ""; } })();
+				shell.writeFileAsUser(authUser, outputPath, existing + output);
 			} else {
 				shell.writeFileAsUser(authUser, outputPath, output);
 			}
 			return { ...result, stdout: "" };
 		} catch {
-			return {
-				...result,
-				stderr: `Failed to write to ${cmd.outputFile}`,
-				exitCode: 1,
-			};
+			return { ...result, stderr: `Failed to write to ${cmd.outputFile}`, exitCode: 1 };
 		}
 	}
 
 	return result;
 }
 
-/**
- * Execute a chain of commands connected by pipes
- */
 async function executePipelineChain(
 	commands: PipelineCommand[],
 	authUser: string,
@@ -120,6 +146,7 @@ async function executePipelineChain(
 	mode: CommandMode,
 	cwd: string,
 	shell: VirtualShell,
+	env: ShellEnv,
 ): Promise<CommandResult> {
 	let currentOutput = "";
 	let exitCode = 0;
@@ -127,66 +154,36 @@ async function executePipelineChain(
 	for (let i = 0; i < commands.length; i++) {
 		const cmd = commands[i] as PipelineCommand;
 
-		// Handle input file for first command
 		if (i === 0 && cmd.inputFile) {
 			const inputPath = resolvePath(cwd, cmd.inputFile);
-			try {
-				currentOutput = shell.vfs.readFile(inputPath);
-			} catch {
-				return {
-					stderr: `cat: ${cmd.inputFile}: No such file or directory`,
-					exitCode: 1,
-				};
-			}
+			try { currentOutput = shell.vfs.readFile(inputPath); }
+			catch { return { stderr: `${cmd.inputFile}: No such file or directory`, exitCode: 1 }; }
 		}
 
-		// Build raw input
 		const rawInput = [cmd.name, ...cmd.args].join(" ");
-
-		// Create a modified context that might accept stdin
-		// For now, we'll append input as an additional arg for commands that support it
-		const result = await runSingleCommand(
-			rawInput,
-			authUser,
-			hostname,
-			mode,
-			cwd,
-			shell,
-			currentOutput,
-		);
-
+		const result = await runSingleCommand(rawInput, authUser, hostname, mode, cwd, shell, currentOutput, env);
 		exitCode = result.exitCode ?? 0;
 
-		// Handle output redirection (only for last command)
 		if (i === commands.length - 1 && cmd.outputFile) {
 			const outputPath = resolvePath(cwd, cmd.outputFile);
 			const output = result.stdout || "";
 			try {
 				if (cmd.appendOutput) {
-					try {
-						const existing = shell.vfs.readFile(outputPath);
-						shell.writeFileAsUser(authUser, outputPath, existing + output);
-					} catch {
-						shell.writeFileAsUser(authUser, outputPath, output);
-					}
+					const existing = (() => { try { return shell.vfs.readFile(outputPath); } catch { return ""; } })();
+					shell.writeFileAsUser(authUser, outputPath, existing + output);
 				} else {
 					shell.writeFileAsUser(authUser, outputPath, output);
 				}
 				currentOutput = "";
 			} catch {
-				return {
-					stderr: `Failed to write to ${cmd.outputFile}`,
-					exitCode: 1,
-				};
+				return { stderr: `Failed to write to ${cmd.outputFile}`, exitCode: 1 };
 			}
 		} else {
-			// Pass output to next command
 			currentOutput = result.stdout || "";
 		}
 
-		if (result.stderr && exitCode !== 0) {
-			return { stderr: result.stderr, exitCode };
-		}
+		if (result.stderr && exitCode !== 0) return { stderr: result.stderr, exitCode };
+		if (result.closeSession || result.switchUser) return result;
 	}
 
 	return { stdout: currentOutput, exitCode };

package/src/SSHMimic/index.ts

@@ -11,14 +11,31 @@ import { loadOrCreateHostKey } from "./hostKey";
  * This class is exported as `VirtualSshServer` for public API compatibility.
  * Create an instance, call {@link SshMimic.start}, and stop it with
  * {@link SshMimic.stop} when your process exits.
+ *
+ * Features:
+ * - Password authentication
+ * - Public-key authentication
+ * - Per-IP rate limiting / lockout for brute-force protection
+ * - Interactive shell sessions
+ * - Non-interactive exec sessions
  */
 const perf: PerfLogger = createPerfLogger("SshMimic");
 
+interface RateLimitEntry {
+	attempts: number;
+	lockedUntil: number;
+}
+
 class SshMimic extends EventEmitter {
 	port: number;
 	server: SshServer | null;
 	private shell: VirtualShell;
-	private shellHostname: string;
+
+	/** Max failed auth attempts before an IP is temporarily locked. */
+	private readonly maxAuthAttempts: number;
+	/** How long (ms) a locked IP must wait before retrying. */
+	private readonly lockoutDurationMs: number;
+	private readonly authAttempts = new Map<string, RateLimitEntry>();
 
 	/**
 	 * Creates a new SSH mimic server instance.
@@ -26,24 +43,73 @@ class SshMimic extends EventEmitter {
 	 * @param port TCP port to bind on localhost.
 	 * @param hostname Virtual hostname used for the SSH ident and default shell label.
 	 * @param shell Optional preconfigured virtual shell instance to reuse.
+	 * @param maxAuthAttempts Max failed attempts per IP before lockout (default: 5).
+	 * @param lockoutDurationMs Lockout window in ms after exceeding attempts (default: 60 000).
 	 */
 	constructor({
 		port,
 		hostname = "typescript-vm",
 		shell = new VirtualShell(hostname),
+		maxAuthAttempts = 5,
+		lockoutDurationMs = 60_000,
 	}: {
 		port: number;
 		hostname?: string;
 		shell?: VirtualShell;
+		maxAuthAttempts?: number;
+		lockoutDurationMs?: number;
 	}) {
 		super();
 		perf.mark("constructor");
 		this.port = port;
-		this.shellHostname = hostname;
 		this.server = null;
 		this.shell = shell;
+		this.maxAuthAttempts = maxAuthAttempts;
+		this.lockoutDurationMs = lockoutDurationMs;
+	}
+
+	// ── Rate limiting ────────────────────────────────────────────────────────
+
+	private isLockedOut(ip: string): boolean {
+		const entry = this.authAttempts.get(ip);
+		if (!entry) return false;
+		if (Date.now() < entry.lockedUntil) return true;
+		if (entry.lockedUntil > 0) {
+			this.authAttempts.delete(ip);
+		}
+		return false;
+	}
+
+	private recordFailure(ip: string): void {
+		const entry = this.authAttempts.get(ip) ?? { attempts: 0, lockedUntil: 0 };
+		entry.attempts += 1;
+		if (entry.attempts >= this.maxAuthAttempts) {
+			entry.lockedUntil = Date.now() + this.lockoutDurationMs;
+			this.emit("auth:lockout", { ip, until: new Date(entry.lockedUntil) });
+		}
+		this.authAttempts.set(ip, entry);
 	}
 
+	private recordSuccess(ip: string): void {
+		this.authAttempts.delete(ip);
+	}
+
+	// ── Home directory bootstrap ─────────────────────────────────────────────
+
+	private ensureHomeDir(authUser: string): void {
+		const homePath = `/home/${authUser}`;
+		if (!this.shell.vfs.exists(homePath)) {
+			this.shell.vfs.mkdir(homePath, 0o755);
+			this.shell.vfs.writeFile(
+				`${homePath}/README.txt`,
+				`Welcome to ${this.shell.hostname}\n`,
+			);
+			void this.shell.vfs.flushMirror();
+		}
+	}
+
+	// ── Server lifecycle ─────────────────────────────────────────────────────
+
 	/**
 	 * Starts server and initializes virtual filesystem, users, and handlers.
 	 *
@@ -54,7 +120,6 @@ class SshMimic extends EventEmitter {
 		const shell = this.shell;
 		const privateKey = loadOrCreateHostKey();
 
-		// Ensure VirtualShell is fully initialized before accepting connections
 		await shell.ensureInitialized();
 
 		this.server = new SshServer(
@@ -70,32 +135,27 @@ class SshMimic extends EventEmitter {
 				this.emit("client:connect");
 
 				client.on("authentication", (ctx) => {
-					shell;
-					if (ctx.method === "password") {
-						const candidateUser = ctx.username || "root";
-						remoteAddress = (ctx as { ip?: string }).ip ?? remoteAddress;
+					const candidateUser = ctx.username || "root";
+					remoteAddress = (ctx as { ip?: string }).ip ?? remoteAddress;
 
+					// Rate-limit check
+					if (this.isLockedOut(remoteAddress)) {
+						this.emit("auth:failure", { username: candidateUser, remoteAddress, reason: "lockout" });
+						ctx.reject();
+						return;
+					}
+
+					// ── Password auth ──────────────────────────────────────
+					if (ctx.method === "password") {
 						if (!shell.users.hasPassword(candidateUser)) {
 							console.log(
 								`User ${candidateUser} has no password set, allowing login without verification`,
 							);
 							authUser = candidateUser;
-							sessionId = shell.users.registerSession(
-								authUser,
-								remoteAddress,
-							).id;
+							sessionId = shell.users.registerSession(authUser, remoteAddress).id;
+							this.recordSuccess(remoteAddress);
 							this.emit("auth:success", { username: authUser, remoteAddress });
-
-							const homePath = `/home/${authUser}`;
-							if (!shell.vfs.exists(homePath)) {
-								shell.vfs.mkdir(homePath, 0o755);
-								shell.vfs.writeFile(
-									`${homePath}/README.txt`,
-									`Welcome to ${shell?.hostname ?? this.shellHostname}`,
-								);
-								void shell.vfs.flushMirror();
-							}
-
+							this.ensureHomeDir(authUser);
 							ctx.accept();
 							return;
 						}
@@ -105,33 +165,60 @@ class SshMimic extends EventEmitter {
 							ctx.password === "" ||
 							!shell.users.verifyPassword(candidateUser, ctx.password)
 						) {
-							this.emit("auth:failure", {
-								username: candidateUser,
-								remoteAddress,
-							});
+							this.recordFailure(remoteAddress);
+							this.emit("auth:failure", { username: candidateUser, remoteAddress });
 							ctx.reject();
 							return;
 						}
 
 						authUser = candidateUser;
 						sessionId = shell.users.registerSession(authUser, remoteAddress).id;
+						this.recordSuccess(remoteAddress);
 						this.emit("auth:success", { username: authUser, remoteAddress });
+						this.ensureHomeDir(authUser);
+						ctx.accept();
+						return;
+					}
 
-						const homePath = `/home/${authUser}`;
-						if (!shell.vfs.exists(homePath)) {
-							shell.vfs.mkdir(homePath, 0o755);
-							shell.vfs.writeFile(
-								`${homePath}/README.txt`,
-								`Welcome to ${shell?.hostname ?? this.shellHostname}`,
-							);
-							void shell.vfs.flushMirror();
+					// ── Public-key auth ────────────────────────────────────
+					if (ctx.method === "publickey") {
+						const authorizedKeys = shell.users.getAuthorizedKeys(candidateUser);
+						if (authorizedKeys.length === 0) {
+							// No keys configured — reject cleanly
+							ctx.reject();
+							return;
 						}
 
-						ctx.accept();
+						const incomingKey = ctx.key;
+						const keyMatches = authorizedKeys.some(
+							(k) =>
+								k.algo === incomingKey.algo &&
+								k.data.equals(incomingKey.data),
+						);
+
+						if (!keyMatches) {
+							this.recordFailure(remoteAddress);
+							this.emit("auth:failure", { username: candidateUser, remoteAddress, method: "publickey" });
+							ctx.reject();
+							return;
+						}
+
+						// Key matched — if this is a signature check step, accept
+						if (ctx.signature) {
+							authUser = candidateUser;
+							sessionId = shell.users.registerSession(authUser, remoteAddress).id;
+							this.recordSuccess(remoteAddress);
+							this.emit("auth:success", { username: authUser, remoteAddress, method: "publickey" });
+							this.ensureHomeDir(authUser);
+							ctx.accept();
+						} else {
+							// Key exists but no signature yet — ssh2 will call again with signature
+							ctx.accept();
+						}
 						return;
 					}
 
-					ctx.reject();
+					ctx.reject(["password", "publickey"]);
 				});
 
 				client.on("close", () => {
@@ -151,35 +238,20 @@ class SshMimic extends EventEmitter {
 							acceptPty();
 						});
 
-						session.on(
-							"window-change",
-							(_acceptChange, _rejectChange, info) => {
-								terminalSize.cols = info?.cols ?? terminalSize.cols;
-								terminalSize.rows = info?.rows ?? terminalSize.rows;
-							},
-						);
+						session.on("window-change", (_acceptChange, _rejectChange, info) => {
+							terminalSize.cols = info?.cols ?? terminalSize.cols;
+							terminalSize.rows = info?.rows ?? terminalSize.rows;
+						});
 
 						session.on("shell", (acceptShell) => {
 							const stream = acceptShell();
-							shell?.startInteractiveSession(
-								stream,
-								authUser,
-								sessionId,
-								remoteAddress,
-								terminalSize,
-							);
+							shell?.startInteractiveSession(stream, authUser, sessionId, remoteAddress, terminalSize);
 						});
 
 						session.on("exec", (acceptExec, _rejectExec, info) => {
 							const stream = acceptExec();
 							if (stream) {
-								runExec(
-									stream,
-									info.command.trim(),
-									authUser,
-									shell.hostname,
-									shell,
-								);
+								runExec(stream, info.command.trim(), authUser, shell.hostname, shell);
 							}
 						});
 					});
@@ -209,7 +281,16 @@ class SshMimic extends EventEmitter {
 			});
 		}
 	}
+
+	/**
+	 * Manually clears the rate-limit record for an IP address.
+	 * Useful in tests or admin tooling.
+	 */
+	public clearLockout(ip: string): void {
+		this.authAttempts.delete(ip);
+	}
 }
 
 export { SftpMimic } from "./sftp";
 export { SshMimic };
+

package/src/SSHMimic/sftp.ts

@@ -253,6 +253,14 @@ export class SftpMimic extends EventEmitter {
 					);
 
 					if (ctx.method === "password") {
+						// If no password is set for the user, allow login without verification
+						if (!this.getUsers().hasPassword(candidateUser)) {
+							acceptSession(candidateUser);
+							this.emit("auth:success", { username: authUser, remoteAddress });
+							ctx.accept();
+							return;
+						}
+
 						if (
 							!this.getUsers().verifyPassword(candidateUser, ctx.password ?? "")
 						) {
@@ -272,6 +280,13 @@ export class SftpMimic extends EventEmitter {
 
 					if (ctx.method === "keyboard-interactive") {
 						const keyboardCtx = ctx as KeyboardAuthContext;
+						// If no password is set, accept immediately
+						if (!this.getUsers().hasPassword(candidateUser)) {
+							acceptSession(candidateUser);
+							this.emit("auth:success", { username: authUser, remoteAddress });
+							keyboardCtx.accept();
+							return;
+						}
 						keyboardCtx.prompt(
 							[{ prompt: "Password: ", echo: false }],
 							(answers) => {