typescript-virtual-container 1.3.3 → 1.4.0

package/src/SSHMimic/executor.ts

@@ -4,54 +4,13 @@ import type { CommandMode, CommandResult, ShellEnv } from "../types/commands";
 import type {
 	Pipeline,
 	PipelineCommand,
-	Script,
 	Statement,
 } from "../types/pipeline";
 import type { VirtualShell } from "../VirtualShell";
 
 // ── Script executor (handles &&/||/;) ────────────────────────────────────────
 
-export async function executeScript(
-	script: Script,
-	authUser: string,
-	hostname: string,
-	mode: CommandMode,
-	cwd: string,
-	shell: VirtualShell,
-	env: ShellEnv,
-): Promise<CommandResult> {
-	if (!script.isValid)
-		return { stderr: script.error || "Syntax error", exitCode: 1 };
-
-	let lastResult: CommandResult = { exitCode: 0 };
 
-	for (const stmt of script.statements) {
-		// Decide whether to run this statement based on previous op
-		lastResult = await executePipeline(
-			stmt.pipeline,
-			authUser,
-			hostname,
-			mode,
-			cwd,
-			shell,
-			env,
-		);
-		env.lastExitCode = lastResult.exitCode ?? 0;
-
-		// Propagate session-control signals
-		if (
-			lastResult.closeSession ||
-			lastResult.switchUser ||
-			lastResult.nextCwd
-		) {
-			break;
-		}
-	}
-
-	return lastResult;
-}
-
-/** Execute statements connected by &&/||/; */
 export async function executeStatements(
 	statements: Statement[],
 	authUser: string,
@@ -62,6 +21,8 @@ export async function executeStatements(
 	env: ShellEnv,
 ): Promise<CommandResult> {
 	let last: CommandResult = { exitCode: 0 };
+	const accumulatedStdout: string[] = [];
+	let currentCwd = cwd; // track cwd changes from cd, su, etc.
 	let i = 0;
 
 	while (i < statements.length) {
@@ -71,13 +32,26 @@ export async function executeStatements(
 			authUser,
 			hostname,
 			mode,
-			cwd,
+			currentCwd,
 			shell,
 			env,
 		);
 		env.lastExitCode = last.exitCode ?? 0;
 
-		if (last.closeSession || last.switchUser) return last;
+		// Propagate cwd changes (cd, su -l, etc.)
+		if (last.nextCwd && (last.exitCode ?? 0) === 0) {
+			currentCwd = last.nextCwd;
+		}
+
+		// Collect stdout from each statement (for echo a; echo b → "a\nb\n")
+		if (last.stdout) accumulatedStdout.push(last.stdout);
+
+		if (last.closeSession || last.switchUser) {
+			return {
+				...last,
+				stdout: accumulatedStdout.join("") || last.stdout,
+			};
+		}
 
 		const op = stmt.op;
 		if (!op || op === ";") {
@@ -95,7 +69,10 @@ export async function executeStatements(
 		}
 		i++;
 	}
-	return last;
+	// Merge accumulated stdout (for "echo a; echo b" → "a\nb\n")
+	const merged = accumulatedStdout.join("");
+	// Preserve the deepest cwd change across the whole pipeline
+	return { ...last, stdout: merged || last.stdout, nextCwd: currentCwd !== cwd ? currentCwd : undefined };
 }
 
 // ── Pipeline executor ─────────────────────────────────────────────────────────

package/src/SSHMimic/index.ts

@@ -21,6 +21,11 @@ import { loadOrCreateHostKey } from "./hostKey";
  */
 const perf: PerfLogger = createPerfLogger("SshMimic");
 
+// ── Dev-mode logger ───────────────────────────────────────────────────────────
+const DEV = !!process.env.DEV_MODE;
+const devLog = DEV ? console.log.bind(console) : () => {};
+
+
 interface RateLimitEntry {
 	attempts: number;
 	lockedUntil: number;
@@ -152,9 +157,6 @@ class SshMimic extends EventEmitter {
 					// ── Password auth ──────────────────────────────────────
 					if (ctx.method === "password") {
 						if (!shell.users.hasPassword(candidateUser)) {
-							console.log(
-								`User ${candidateUser} has no password set, allowing login without verification`,
-							);
 							authUser = candidateUser;
 							sessionId = shell.users.registerSession(
 								authUser,
@@ -297,7 +299,7 @@ class SshMimic extends EventEmitter {
 		return new Promise<number>((resolve, reject) => {
 			this.server?.once("error", (err: unknown) => reject(err));
 			this.server?.listen(this.port, "0.0.0.0", () => {
-				console.log(`SSH Mimic listening on port ${this.port}`);
+				devLog(`SSH Mimic listening on port ${this.port}`);
 				this.emit("start", { port: this.port });
 				resolve(this.port);
 			});
@@ -311,7 +313,7 @@ class SshMimic extends EventEmitter {
 		perf.mark("stop");
 		if (this.server) {
 			this.server.close(() => {
-				console.log("SSH Mimic stopped");
+				devLog("SSH Mimic stopped");
 				this.emit("stop");
 			});
 		}

package/src/SSHMimic/sftp.ts

@@ -10,6 +10,13 @@ import type VirtualFileSystem from "../VirtualFileSystem";
 import { VirtualShell } from "../VirtualShell";
 import type { VirtualUserManager } from "../VirtualUserManager";
 import { loadOrCreateHostKey } from "./hostKey";
+// ── Dev-mode logger — silent in production ────────────────────────────────────
+const DEV = !!process.env.DEV_MODE;
+const devLog  = DEV ? console.log.bind(console)  : () => {};
+const devWarn = DEV ? console.warn.bind(console) : () => {};
+const devErr  = DEV ? console.error.bind(console): () => {};
+
+
 
 const SFTP_STATUS_CODE = {
 	OK: 0,
@@ -218,7 +225,7 @@ export class SftpMimic extends EventEmitter {
 
 				// Add error handling for the client
 				client.on("error", (error: unknown) => {
-					console.error(`[SFTP] Client error:`, error);
+					devErr(`[SFTP] Client error:`, error);
 				});
 
 				const acceptSession = (username: string): void => {
@@ -248,7 +255,7 @@ export class SftpMimic extends EventEmitter {
 					const candidateUser = ctx.username || "root";
 					remoteAddress = (ctx as { ip?: string }).ip ?? remoteAddress;
 
-					console.log(
+					devLog(
 						`[SFTP] Auth attempt: user=${candidateUser}, method=${ctx.method}, ip=${remoteAddress}`,
 					);
 
@@ -326,7 +333,7 @@ export class SftpMimic extends EventEmitter {
 
 						// Add error handling for the session
 						session.on("error", (error: unknown) => {
-							console.error(
+							devErr(
 								`[SFTP] Session error for user=${authUser}:`,
 								error,
 							);
@@ -349,7 +356,7 @@ export class SftpMimic extends EventEmitter {
 					address && typeof address === "object" && "port" in address
 						? address.port
 						: this.port;
-				console.log(`SFTP Mimic listening on port ${actualPort}`);
+				devLog(`SFTP Mimic listening on port ${actualPort}`);
 				this.emit("start", { port: actualPort });
 				resolve(actualPort as number);
 			});
@@ -360,7 +367,7 @@ export class SftpMimic extends EventEmitter {
 		perf.mark("stop");
 		if (this.server) {
 			this.server.close(() => {
-				console.log("SFTP Mimic stopped");
+				devLog("SFTP Mimic stopped");
 				this.emit("stop");
 			});
 		}
@@ -452,7 +459,7 @@ export class SftpMimic extends EventEmitter {
 
 			// Security: Confine to home directory
 			if (!this.isPathWithinHome(targetPath, authUser)) {
-				console.warn(
+				devWarn(
 					`[SFTP] Path traversal attempt blocked: user=${authUser}, path=${targetPath}`,
 				);
 				sftp.status(reqid, SFTP_STATUS_CODE.PERMISSION_DENIED);
@@ -507,7 +514,7 @@ export class SftpMimic extends EventEmitter {
 				});
 				sftp.handle(reqid, handle);
 			} catch (error) {
-				console.error("SFTP OPEN error:", error);
+				devErr("SFTP OPEN error:", error);
 				sftp.status(reqid, SFTP_STATUS_CODE.FAILURE);
 			}
 		});
@@ -580,7 +587,7 @@ export class SftpMimic extends EventEmitter {
 					getVfs().writeFile(entry.path, entry.buffer);
 					void getVfs().flushMirror();
 				} catch (error) {
-					console.error("SFTP CLOSE write error:", error);
+					devErr("SFTP CLOSE write error:", error);
 					sftp.status(reqid, SFTP_STATUS_CODE.FAILURE);
 					this.closeHandle(handle);
 					return;
@@ -596,7 +603,7 @@ export class SftpMimic extends EventEmitter {
 
 			// Security: Confine to home directory
 			if (!this.isPathWithinHome(targetPath, authUser)) {
-				console.warn(
+				devWarn(
 					`[SFTP] Path traversal attempt blocked: user=${authUser}, path=${targetPath}`,
 				);
 				sftp.status(reqid, SFTP_STATUS_CODE.PERMISSION_DENIED);
@@ -649,7 +656,7 @@ export class SftpMimic extends EventEmitter {
 
 			// Security: Confine to home directory
 			if (!this.isPathWithinHome(targetPath, authUser)) {
-				console.warn(
+				devWarn(
 					`[SFTP] Path traversal attempt blocked: user=${authUser}, path=${targetPath}`,
 				);
 				sftp.status(reqid, SFTP_STATUS_CODE.PERMISSION_DENIED);
@@ -669,7 +676,7 @@ export class SftpMimic extends EventEmitter {
 
 			// Security: Confine to home directory
 			if (!this.isPathWithinHome(targetPath, authUser)) {
-				console.warn(
+				devWarn(
 					`[SFTP] Path traversal attempt blocked: user=${authUser}, path=${targetPath}`,
 				);
 				sftp.status(reqid, SFTP_STATUS_CODE.PERMISSION_DENIED);
@@ -711,7 +718,7 @@ export class SftpMimic extends EventEmitter {
 
 				// Security: Confine to home directory
 				if (!this.isPathWithinHome(targetPath, authUser)) {
-					console.warn(
+					devWarn(
 						`[SFTP] Path traversal attempt blocked: user=${authUser}, path=${targetPath}`,
 					);
 					sftp.status(reqid, SFTP_STATUS_CODE.PERMISSION_DENIED);
@@ -734,7 +741,7 @@ export class SftpMimic extends EventEmitter {
 
 			// Security: Confine to home directory
 			if (!this.isPathWithinHome(normalized, authUser)) {
-				console.warn(
+				devWarn(
 					`[SFTP] Path traversal attempt blocked: user=${authUser}, path=${normalized}`,
 				);
 				sftp.status(reqid, SFTP_STATUS_CODE.PERMISSION_DENIED);
@@ -762,7 +769,7 @@ export class SftpMimic extends EventEmitter {
 
 			// Security: Confine to home directory
 			if (!this.isPathWithinHome(targetPath, authUser)) {
-				console.warn(
+				devWarn(
 					`[SFTP] Path traversal attempt blocked: user=${authUser}, path=${targetPath}`,
 				);
 				sftp.status(reqid, SFTP_STATUS_CODE.PERMISSION_DENIED);
@@ -783,7 +790,7 @@ export class SftpMimic extends EventEmitter {
 
 			// Security: Confine to home directory
 			if (!this.isPathWithinHome(targetPath, authUser)) {
-				console.warn(
+				devWarn(
 					`[SFTP] Path traversal attempt blocked: user=${authUser}, path=${targetPath}`,
 				);
 				sftp.status(reqid, SFTP_STATUS_CODE.PERMISSION_DENIED);
@@ -804,7 +811,7 @@ export class SftpMimic extends EventEmitter {
 
 			// Security: Confine to home directory
 			if (!this.isPathWithinHome(targetPath, authUser)) {
-				console.warn(
+				devWarn(
 					`[SFTP] Path traversal attempt blocked: user=${authUser}, path=${targetPath}`,
 				);
 				sftp.status(reqid, SFTP_STATUS_CODE.PERMISSION_DENIED);
@@ -829,7 +836,7 @@ export class SftpMimic extends EventEmitter {
 				!this.isPathWithinHome(fromPath, authUser) ||
 				!this.isPathWithinHome(toPath, authUser)
 			) {
-				console.warn(
+				devWarn(
 					`[SFTP] Path traversal attempt blocked: user=${authUser}, from=${fromPath}, to=${toPath}`,
 				);
 				sftp.status(reqid, SFTP_STATUS_CODE.PERMISSION_DENIED);
@@ -854,21 +861,21 @@ export class SftpMimic extends EventEmitter {
 		});
 
 		sftp.on("error", (error: Error) => {
-			console.error(`[SFTP] Stream error for user=${authUser}:`, error);
+			devErr(`[SFTP] Stream error for user=${authUser}:`, error);
 		});
 
 		sftp.on("close", () => {
-			console.log(`[SFTP] Stream closed for user=${authUser}`);
+			devLog(`[SFTP] Stream closed for user=${authUser}`);
 			this.handles.clear();
 		});
 
 		sftp.on("end", () => {
-			console.log(`[SFTP] end event for user=${authUser}`);
+			devLog(`[SFTP] end event for user=${authUser}`);
 			this.handles.clear();
 		});
 
 		sftp.on("END", () => {
-			console.log(`[SFTP] END event for user=${authUser}`);
+			devLog(`[SFTP] END event for user=${authUser}`);
 			this.handles.clear();
 		});
 	}

package/src/VirtualShell/shell.ts

@@ -15,7 +15,7 @@ import {
 } from "../modules/shellRuntime";
 import { buildLoginBanner } from "../SSHMimic/loginBanner";
 import { buildPrompt } from "../SSHMimic/prompt";
-import type { ShellEnv } from "../types/commands";
+import type { CommandResult, ShellEnv } from "../types/commands";
 import type { ShellStream } from "../types/streams";
 import type VirtualFileSystem from "../VirtualFileSystem";
 
@@ -33,6 +33,11 @@ interface PendingSudo {
 	loginShell: boolean;
 	prompt: string;
 	buffer: string;
+	mode?: "sudo" | "passwd" | "confirm";
+	onPassword?: (input: string, shell: VirtualShell) => Promise<{
+		result: CommandResult | null;
+		nextPrompt?: string;
+	}>;
 }
 
 export function startShell(
@@ -110,6 +115,11 @@ export function startShell(
 		commandLine: string | null;
 		loginShell: boolean;
 		prompt: string;
+		mode?: "sudo" | "passwd" | "confirm";
+		onPassword?: (input: string, shell: VirtualShell) => Promise<{
+			result: CommandResult | null;
+			nextPrompt?: string;
+		}>;
 	}): void {
 		pendingSudo = {
 			...challenge,
@@ -135,7 +145,9 @@ export function startShell(
 
 		if (!challenge.commandLine) {
 			authUser = challenge.targetUser;
-			cwd = `/home/${authUser}`;
+			if (challenge.loginShell) {
+				cwd = `/home/${authUser}`;
+			}
 			shell.users.updateSession(sessionId, authUser, remoteAddress);
 			stream.write("\r\n");
 			renderLine();
@@ -443,11 +455,29 @@ export function startShell(
 				}
 
 				if (ch === "\r" || ch === "\n") {
-					const password = pendingSudo.buffer;
+					const typed = pendingSudo.buffer;
 					pendingSudo.buffer = "";
+
+					// ── Generic onPassword handler (passwd / confirm modes) ────
+					if (pendingSudo.onPassword) {
+						const { result, nextPrompt } = await pendingSudo.onPassword(typed, shell);
+						stream.write("\r\n");
+						if (result !== null) {
+							pendingSudo = null;
+							if (result.stdout) stream.write(result.stdout.replace(/\n/g, "\r\n"));
+							if (result.stderr) stream.write(result.stderr.replace(/\n/g, "\r\n"));
+							renderLine();
+						} else {
+							if (nextPrompt) pendingSudo.prompt = nextPrompt;
+							stream.write(pendingSudo.prompt);
+						}
+						return;
+					}
+
+					// ── Default sudo mode — verify current user's password ─────
 					const valid = shell.users.verifyPassword(
 						pendingSudo.username,
-						password,
+						typed,
 					);
 					await finishSudoPrompt(valid);
 					return;

package/src/VirtualShell/shellParser.ts

@@ -5,6 +5,7 @@ import type {
 	Statement,
 	LogicalOp,
 } from "../types/pipeline";
+import { tokenizeCommand } from "../utils/tokenize";
 
 // ── Public API ───────────────────────────────────────────────────────────────
 
@@ -25,7 +26,7 @@ export function parseScript(rawInput: string): Script {
 	}
 }
 
-/** Legacy compat: parse a single pipeline (no &&/||/;) */
+/** Parse a single pipeline string (no &&/||/;) into a `Pipeline` object. */
 export function parseShellPipeline(rawInput: string): Pipeline {
 	const trimmed = rawInput.trim();
 	if (!trimmed) return { commands: [], isValid: true };
@@ -39,49 +40,6 @@ export function parseShellPipeline(rawInput: string): Pipeline {
 
 // ── Variable & tilde expansion ────────────────────────────────────────────────
 
-/**
- * Expand ~ and $VAR / ${VAR} / ${VAR:-default} / $(cmd placeholder) in a
- * token, given the current env vars and home path.
- * Command substitution $(…) is NOT executed here — it's left as a marker so
- * the executor can handle it.
- */
-export function expandToken(
-	token: string,
-	env: Record<string, string>,
-	authUser: string,
-	lastExitCode = 0,
-): string {
-	// tilde expansion
-	token = token.replace(/^~(\/|$)/, `/home/${authUser}$1`);
-
-	// $? special var
-	token = token.replace(/\$\?/g, String(lastExitCode));
-	// $$ PID (mock)
-	token = token.replace(/\$\$/g, "1");
-	// $# argc (0 for interactive)
-	token = token.replace(/\$#/g, "0");
-
-	// ${VAR:-default} and ${VAR:+value}
-	token = token.replace(
-		/\$\{([^}:]+):-([^}]*)\}/g,
-		(_, name, def) => env[name] ?? def,
-	);
-	token = token.replace(/\$\{([^}:]+):\+([^}]*)\}/g, (_, name, val) =>
-		env[name] ? val : "",
-	);
-
-	// ${VAR}
-	token = token.replace(/\$\{([^}]+)\}/g, (_, name) => env[name] ?? "");
-
-	// $VAR (greedy: match longest valid identifier)
-	token = token.replace(
-		/\$([A-Za-z_][A-Za-z0-9_]*)/g,
-		(_, name) => env[name] ?? "",
-	);
-
-	return token;
-}
-
 /**
  * Expand glob patterns (*, ?, [abc]) against a list of entries.
  * Returns the original pattern if no match.
@@ -299,62 +257,3 @@ function parseCommandWithRedirections(token: string): PipelineCommand {
 	return { name, args: cmdParts.slice(1), inputFile, outputFile, appendOutput };
 }
 
-function tokenizeCommand(input: string): string[] {
-	const tokens: string[] = [];
-	let current = "";
-	let inQ = false;
-	let qChar = "";
-	let i = 0;
-
-	while (i < input.length) {
-		const ch = input[i]!;
-		const next = input[i + 1];
-
-		if ((ch === '"' || ch === "'") && !inQ) {
-			inQ = true;
-			qChar = ch;
-			i++;
-			continue;
-		}
-		if (inQ && ch === qChar) {
-			inQ = false;
-			qChar = "";
-			i++;
-			continue;
-		}
-		if (inQ) {
-			current += ch;
-			i++;
-			continue;
-		}
-
-		if (ch === " ") {
-			if (current) {
-				tokens.push(current);
-				current = "";
-			}
-			i++;
-			continue;
-		}
-
-		if ((ch === ">" || ch === "<") && !inQ) {
-			if (current) {
-				tokens.push(current);
-				current = "";
-			}
-			if (ch === ">" && next === ">") {
-				tokens.push(">>");
-				i += 2;
-			} else {
-				tokens.push(ch);
-				i++;
-			}
-			continue;
-		}
-
-		current += ch;
-		i++;
-	}
-	if (current) tokens.push(current);
-	return tokens;
-}

package/src/VirtualUserManager/index.ts

@@ -1,4 +1,4 @@
-import { createHash, randomBytes, randomUUID, scryptSync } from "node:crypto";
+import { createHash, randomBytes, randomUUID, scryptSync, timingSafeEqual } from "node:crypto";
 import { EventEmitter } from "node:events";
 import * as path from "node:path";
 import type { PerfLogger } from "../utils/perfLogger";
@@ -99,15 +99,15 @@ export class VirtualUserManager extends EventEmitter {
 		// 	this.users.set(currentUser, this.createRecord(currentUser, userPassword));
 		// 	this.sudoers.add(currentUser);
 		// 	changed = true;
-
-		// 	const homePath = `/home/${currentUser}`;
-		// 	if (!this.vfs.exists(homePath)) {
-		// 		this.vfs.mkdir(homePath, 0o755);
-		// 		this.vfs.writeFile(
-		// 			`${homePath}/README.txt`,
-		// 			`Welcome to the virtual environment, ${currentUser}`,
-		// 		);
-		// 	}
+		// }
+		
+		// const homePath = `/home/root`;
+		// if (!this.vfs.exists(homePath)) {
+		// 	this.vfs.mkdir(homePath, 0o755);
+		// 	this.vfs.writeFile(
+		// 		`${homePath}/README.txt`,
+		// 		`Welcome to the virtual environment, root`,
+		// 	);
 		// }
 
 		if (changed) {
@@ -239,10 +239,22 @@ export class VirtualUserManager extends EventEmitter {
 		perf.mark("verifyPassword");
 		const record = this.users.get(username);
 		if (!record) {
+			// Perform a dummy hash to avoid timing leakage on unknown usernames
+			this.hashPassword(password, "");
 			return false;
 		}
 
-		return this.hashPassword(password) === record.passwordHash;
+		const computed = this.hashPassword(password, record.salt);
+		const expected = record.passwordHash;
+		// timingSafeEqual prevents timing-based password oracle attacks
+		try {
+			const a = Buffer.from(computed, "hex");
+			const b = Buffer.from(expected, "hex");
+			if (a.length !== b.length) return false;
+			return timingSafeEqual(a, b);
+		} catch {
+			return computed === expected;
+		}
 	}
 
 	/**
@@ -617,7 +629,8 @@ export class VirtualUserManager extends EventEmitter {
 	}
 
 	private createRecord(username: string, password: string): VirtualUserRecord {
-		const cacheKey = `${username}:${password}`;
+		// Cache key is a hash of the inputs — never store plaintext password in memory
+		const cacheKey = createHash("sha256").update(username).update(":").update(password).digest("hex");
 		const cached = VirtualUserManager.recordCache.get(cacheKey);
 		if (cached) {
 			return cached;
@@ -627,7 +640,8 @@ export class VirtualUserManager extends EventEmitter {
 		const record = {
 			username,
 			salt,
-			passwordHash: this.hashPassword(password),
+			// Hash uses the generated salt — verifyPassword must use record.salt
+			passwordHash: this.hashPassword(password, salt),
 		};
 
 		VirtualUserManager.recordCache.set(cacheKey, record);
@@ -644,11 +658,12 @@ export class VirtualUserManager extends EventEmitter {
 	 */
 	public hasPassword(username: string): boolean {
 		perf.mark("hasPassword");
-		if (this.getPasswordHash(username) === this.hashPassword("")) {
-			return false;
-		}
 		const record = this.users.get(username);
-		return !!record && !!record.passwordHash;
+		if (!record) return false;
+		// Empty password hash computed with the record's own salt
+		const emptyHash = this.hashPassword("", record.salt);
+		if (record.passwordHash === emptyHash) return false;
+		return !!record.passwordHash;
 	}
 
 	/**
@@ -660,12 +675,21 @@ export class VirtualUserManager extends EventEmitter {
 	 * @param password Plaintext password string.
 	 * @returns Hex-encoded hash string.
 	 */
-	public hashPassword(password: string): string {
+	/**
+	 * Hash a password with an optional salt.
+	 * When salt is provided (verify path), the same salt is used for a
+	 * deterministic hash. When omitted (create path), an empty salt is used
+	 * for backward compat — callers should pass the stored salt on verify.
+	 */
+	public hashPassword(password: string, salt = ""): string {
 		if (VirtualUserManager.fastPasswordHash) {
-			return createHash("sha256").update(`${password}`).digest("hex");
+			return createHash("sha256")
+				.update(salt)
+				.update(password)
+				.digest("hex");
 		}
 
-		return scryptSync(password, "", 32).toString("hex");
+		return scryptSync(password, salt || "", 32).toString("hex");
 	}
 
 	private validateUsername(username: string): void {