typescript-virtual-container 1.3.4 → 1.4.1

package/src/VirtualShell/shellParser.ts

@@ -5,6 +5,7 @@ import type {
 	Statement,
 	LogicalOp,
 } from "../types/pipeline";
+import { tokenizeCommand } from "../utils/tokenize";
 
 // ── Public API ───────────────────────────────────────────────────────────────
 
@@ -25,7 +26,7 @@ export function parseScript(rawInput: string): Script {
 	}
 }
 
-/** Legacy compat: parse a single pipeline (no &&/||/;) */
+/** Parse a single pipeline string (no &&/||/;) into a `Pipeline` object. */
 export function parseShellPipeline(rawInput: string): Pipeline {
 	const trimmed = rawInput.trim();
 	if (!trimmed) return { commands: [], isValid: true };
@@ -39,49 +40,6 @@ export function parseShellPipeline(rawInput: string): Pipeline {
 
 // ── Variable & tilde expansion ────────────────────────────────────────────────
 
-/**
- * Expand ~ and $VAR / ${VAR} / ${VAR:-default} / $(cmd placeholder) in a
- * token, given the current env vars and home path.
- * Command substitution $(…) is NOT executed here — it's left as a marker so
- * the executor can handle it.
- */
-export function expandToken(
-	token: string,
-	env: Record<string, string>,
-	authUser: string,
-	lastExitCode = 0,
-): string {
-	// tilde expansion
-	token = token.replace(/^~(\/|$)/, `/home/${authUser}$1`);
-
-	// $? special var
-	token = token.replace(/\$\?/g, String(lastExitCode));
-	// $$ PID (mock)
-	token = token.replace(/\$\$/g, "1");
-	// $# argc (0 for interactive)
-	token = token.replace(/\$#/g, "0");
-
-	// ${VAR:-default} and ${VAR:+value}
-	token = token.replace(
-		/\$\{([^}:]+):-([^}]*)\}/g,
-		(_, name, def) => env[name] ?? def,
-	);
-	token = token.replace(/\$\{([^}:]+):\+([^}]*)\}/g, (_, name, val) =>
-		env[name] ? val : "",
-	);
-
-	// ${VAR}
-	token = token.replace(/\$\{([^}]+)\}/g, (_, name) => env[name] ?? "");
-
-	// $VAR (greedy: match longest valid identifier)
-	token = token.replace(
-		/\$([A-Za-z_][A-Za-z0-9_]*)/g,
-		(_, name) => env[name] ?? "",
-	);
-
-	return token;
-}
-
 /**
  * Expand glob patterns (*, ?, [abc]) against a list of entries.
  * Returns the original pattern if no match.
@@ -299,62 +257,3 @@ function parseCommandWithRedirections(token: string): PipelineCommand {
 	return { name, args: cmdParts.slice(1), inputFile, outputFile, appendOutput };
 }
 
-function tokenizeCommand(input: string): string[] {
-	const tokens: string[] = [];
-	let current = "";
-	let inQ = false;
-	let qChar = "";
-	let i = 0;
-
-	while (i < input.length) {
-		const ch = input[i]!;
-		const next = input[i + 1];
-
-		if ((ch === '"' || ch === "'") && !inQ) {
-			inQ = true;
-			qChar = ch;
-			i++;
-			continue;
-		}
-		if (inQ && ch === qChar) {
-			inQ = false;
-			qChar = "";
-			i++;
-			continue;
-		}
-		if (inQ) {
-			current += ch;
-			i++;
-			continue;
-		}
-
-		if (ch === " ") {
-			if (current) {
-				tokens.push(current);
-				current = "";
-			}
-			i++;
-			continue;
-		}
-
-		if ((ch === ">" || ch === "<") && !inQ) {
-			if (current) {
-				tokens.push(current);
-				current = "";
-			}
-			if (ch === ">" && next === ">") {
-				tokens.push(">>");
-				i += 2;
-			} else {
-				tokens.push(ch);
-				i++;
-			}
-			continue;
-		}
-
-		current += ch;
-		i++;
-	}
-	if (current) tokens.push(current);
-	return tokens;
-}

package/src/VirtualUserManager/index.ts

@@ -1,4 +1,4 @@
-import { createHash, randomBytes, randomUUID, scryptSync } from "node:crypto";
+import { createHash, randomBytes, randomUUID, scryptSync, timingSafeEqual } from "node:crypto";
 import { EventEmitter } from "node:events";
 import * as path from "node:path";
 import type { PerfLogger } from "../utils/perfLogger";
@@ -101,14 +101,14 @@ export class VirtualUserManager extends EventEmitter {
 		// 	changed = true;
 		// }
 		
-		const homePath = `/home/root`;
-		if (!this.vfs.exists(homePath)) {
-			this.vfs.mkdir(homePath, 0o755);
-			this.vfs.writeFile(
-				`${homePath}/README.txt`,
-				`Welcome to the virtual environment, root`,
-			);
-		}
+		// const homePath = `/home/root`;
+		// if (!this.vfs.exists(homePath)) {
+		// 	this.vfs.mkdir(homePath, 0o755);
+		// 	this.vfs.writeFile(
+		// 		`${homePath}/README.txt`,
+		// 		`Welcome to the virtual environment, root`,
+		// 	);
+		// }
 
 		if (changed) {
 			await this.persist();
@@ -239,10 +239,22 @@ export class VirtualUserManager extends EventEmitter {
 		perf.mark("verifyPassword");
 		const record = this.users.get(username);
 		if (!record) {
+			// Perform a dummy hash to avoid timing leakage on unknown usernames
+			this.hashPassword(password, "");
 			return false;
 		}
 
-		return this.hashPassword(password) === record.passwordHash;
+		const computed = this.hashPassword(password, record.salt);
+		const expected = record.passwordHash;
+		// timingSafeEqual prevents timing-based password oracle attacks
+		try {
+			const a = Buffer.from(computed, "hex");
+			const b = Buffer.from(expected, "hex");
+			if (a.length !== b.length) return false;
+			return timingSafeEqual(a, b);
+		} catch {
+			return computed === expected;
+		}
 	}
 
 	/**
@@ -617,7 +629,8 @@ export class VirtualUserManager extends EventEmitter {
 	}
 
 	private createRecord(username: string, password: string): VirtualUserRecord {
-		const cacheKey = `${username}:${password}`;
+		// Cache key is a hash of the inputs — never store plaintext password in memory
+		const cacheKey = createHash("sha256").update(username).update(":").update(password).digest("hex");
 		const cached = VirtualUserManager.recordCache.get(cacheKey);
 		if (cached) {
 			return cached;
@@ -627,7 +640,8 @@ export class VirtualUserManager extends EventEmitter {
 		const record = {
 			username,
 			salt,
-			passwordHash: this.hashPassword(password),
+			// Hash uses the generated salt — verifyPassword must use record.salt
+			passwordHash: this.hashPassword(password, salt),
 		};
 
 		VirtualUserManager.recordCache.set(cacheKey, record);
@@ -644,11 +658,12 @@ export class VirtualUserManager extends EventEmitter {
 	 */
 	public hasPassword(username: string): boolean {
 		perf.mark("hasPassword");
-		if (this.getPasswordHash(username) === this.hashPassword("")) {
-			return false;
-		}
 		const record = this.users.get(username);
-		return !!record && !!record.passwordHash;
+		if (!record) return false;
+		// Empty password hash computed with the record's own salt
+		const emptyHash = this.hashPassword("", record.salt);
+		if (record.passwordHash === emptyHash) return false;
+		return !!record.passwordHash;
 	}
 
 	/**
@@ -660,12 +675,21 @@ export class VirtualUserManager extends EventEmitter {
 	 * @param password Plaintext password string.
 	 * @returns Hex-encoded hash string.
 	 */
-	public hashPassword(password: string): string {
+	/**
+	 * Hash a password with an optional salt.
+	 * When salt is provided (verify path), the same salt is used for a
+	 * deterministic hash. When omitted (create path), an empty salt is used
+	 * for backward compat — callers should pass the stored salt on verify.
+	 */
+	public hashPassword(password: string, salt = ""): string {
 		if (VirtualUserManager.fastPasswordHash) {
-			return createHash("sha256").update(`${password}`).digest("hex");
+			return createHash("sha256")
+				.update(salt)
+				.update(password)
+				.digest("hex");
 		}
 
-		return scryptSync(password, "", 32).toString("hex");
+		return scryptSync(password, salt || "", 32).toString("hex");
 	}
 
 	private validateUsername(username: string): void {

package/src/commands/adduser.ts

@@ -1,30 +1,103 @@
-import type { ShellModule } from "../types/commands";
+import type { CommandResult, ShellModule } from "../types/commands";
+import type { VirtualShell } from "../VirtualShell";
 
 /**
- * Add a new user to the virtual user database.
- * @category users
- * @params ["<username> <password>"]
- * @returns ShellModule
+ * Add a new user interactively.
+ *
+ * Usage: `adduser <username>`
+ *
+ * Prompts for:
+ *   New password: ****
+ *   Retype new password: ****
+ *
+ * Mirrors the real `adduser` behaviour — password is never passed on the
+ * command line. Root-only.
  */
 export const adduserCommand: ShellModule = {
 	name: "adduser",
 	description: "Add a new user",
 	category: "users",
-	params: ["<username> <password>"],
-	run: async ({ authUser, shell, args }) => {
+	params: ["<username>"],
+	run: ({ authUser, shell, args }) => {
 		if (authUser !== "root") {
-			return { stderr: "adduser: permission denied", exitCode: 1 };
+			return { stderr: "adduser: permission denied\n", exitCode: 1 };
 		}
 
-		const [username, password] = args;
-		if (!username || !password) {
+		const username = args[0];
+		if (!username) {
 			return {
-				stderr: "adduser: usage: adduser <username> <password>",
+				stderr: "Usage: adduser <username>\n",
 				exitCode: 1,
 			};
 		}
 
-		await shell.users.addUser(username, password);
-		return { stdout: `adduser: user '${username}' created`, exitCode: 0 };
+		// Reject if user already exists
+		if (shell.users.listUsers().includes(username)) {
+			return {
+				stderr: `adduser: user '${username}' already exists\n`,
+				exitCode: 1,
+			};
+		}
+
+		let newPassword = "";
+		type Step = "new" | "retype";
+		let step: Step = "new";
+
+		const onPassword = async (
+			input: string,
+			sh: VirtualShell,
+		): Promise<{ result: CommandResult | null; nextPrompt?: string }> => {
+			if (step === "new") {
+				if (input.length < 1) {
+					return {
+						result: {
+							stderr: "adduser: password cannot be empty\n",
+							exitCode: 1,
+						},
+					};
+				}
+				newPassword = input;
+				step = "retype";
+				return { result: null, nextPrompt: "Retype new password: " };
+			}
+
+			// step === "retype"
+			if (input !== newPassword) {
+				return {
+					result: {
+						stderr: "adduser: passwords do not match — user not created\n",
+						exitCode: 1,
+					},
+				};
+			}
+
+			await sh.users.addUser(username, newPassword);
+			return {
+				result: {
+					stdout: `${[
+						`Adding user '${username}' ...`,
+						`Adding new group '${username}' (1001) ...`,
+						`Adding new user '${username}' (1001) with group '${username}' ...`,
+						`Creating home directory '/home/${username}' ...`,
+						`passwd: password set for '${username}'`,
+						`adduser: done.`,
+					].join("\n")}\n`,
+					exitCode: 0,
+				},
+			};
+		};
+
+		return {
+			sudoChallenge: {
+				username,
+				targetUser: username,
+				commandLine: null,
+				loginShell: false,
+				prompt: "New password: ",
+				mode: "passwd",
+				onPassword,
+			},
+			exitCode: 0,
+		};
 	},
 };

package/src/commands/alias.ts

@@ -41,6 +41,11 @@ export const aliasCommand: ShellModule = {
 	},
 };
 
+/**
+ * Remove shell aliases.
+ * @category shell
+ * @params ["<name...>"]
+ */
 export const unaliasCommand: ShellModule = {
 	name: "unalias",
 	description: "Remove alias definitions",

package/src/commands/apt.ts

@@ -162,6 +162,11 @@ export const aptCommand: ShellModule = {
 	},
 };
 
+/**
+ * Query the package cache and retrieve package information.
+ * @category package
+ * @params ["<search|show|policy> [pkg]"]
+ */
 export const aptCacheCommand: ShellModule = {
 	name: "apt-cache",
 	description: "Query the package cache",

package/src/commands/awk.ts

@@ -1,44 +1,169 @@
 import type { ShellModule } from "../types/commands";
 import { getFlag } from "./command-helpers";
+import { resolvePath, assertPathAccess } from "./helpers";
 
 /**
- * Minimal `awk`-like pattern scanner (supports simple print patterns).
- * @category text
- * @params ["[-F <sep>] '<program>' [file]"]
+ * Minimal awk-like pattern scanner.
  *
- * Supported program patterns:
- * - `print $N` (e.g. `print $1`, `print $2, $3`, `print $0`)
- * - `{print $N}` (e.g. `{print $1}`, `{print $2, $3}`, `{print $0}`)
- *
- * The field separator can be set with `-F` (default is space, which splits on any whitespace).
+ * Supported:
+ *   - `NR==N` pattern (line number condition)
+ *   - `NF` (number of fields)
+ *   - `/regex/` pattern
+ *   - `{ print $N, $M, ... }` action
+ *   - `{ print }` / `{ print $0 }`
+ *   - `BEGIN { ... }` and `END { ... }` blocks (no side effects)
+ *   - `$NF` (last field)
+ *   - `-F sep` field separator
  */
 export const awkCommand: ShellModule = {
 	name: "awk",
-	description: "Pattern scanning and processing language (minimal)",
+	description: "Pattern scanning and processing language",
 	category: "text",
 	params: ["[-F <sep>] '<program>' [file]"],
-	run: ({ args, stdin }) => {
+	run: ({ authUser, args, stdin, cwd, shell }) => {
 		const sep = (getFlag(args, ["-F"]) as string | undefined) ?? " ";
-		const prog = args.find((a) => !a.startsWith("-") && a !== sep);
+		const nonFlagArgs = args.filter((a) => !a.startsWith("-") && a !== sep);
+		const prog = nonFlagArgs[0];
+		const fileArg = nonFlagArgs[1];
+
 		if (!prog) return { stderr: "awk: no program", exitCode: 1 };
 
-		// Only support print $N and {print $N} patterns
-		const printMatch = prog.match(/^\{?\s*print\s+([^}]+)\s*\}?$/);
-		if (!printMatch)
-			return { stderr: `awk: unsupported program: ${prog}`, exitCode: 1 };
-
-		const fields = printMatch[1]!.split(/\s*,\s*/).map((f) => f.trim());
-		const lines = (stdin ?? "").split("\n").filter(Boolean);
-		const out = lines.map((line) => {
-			const parts = line.split(sep === " " ? /\s+/ : sep);
-			return fields
-				.map((f) => {
-					if (f === "$0") return line;
-					const n = parseInt(f.replace("$", ""), 10);
-					return Number.isNaN(n) ? f.replace(/"/g, "") : (parts[n - 1] ?? "");
-				})
-				.join(sep === " " ? "\t" : sep);
-		});
-		return { stdout: out.join("\n"), exitCode: 0 };
+		let input = stdin ?? "";
+		if (fileArg) {
+			const filePath = resolvePath(cwd, fileArg);
+			try {
+				assertPathAccess(authUser, filePath, "awk");
+				input = shell.vfs.readFile(filePath);
+			} catch {
+				return { stderr: `awk: ${fileArg}: No such file or directory`, exitCode: 1 };
+			}
+		}
+
+		const lines = input.split("\n");
+		// Remove empty last element if input ends with \n
+		if (lines[lines.length - 1] === "") lines.pop();
+
+		// Parse program into clauses: [pattern, action]
+		type Clause = { pattern: string; action: string };
+		const clauses: Clause[] = [];
+
+		const progTrim = prog.trim();
+
+		// Handle single unbraced pattern (NR==2, /regex/)
+		if (!progTrim.startsWith("{") && !progTrim.includes("{")) {
+			clauses.push({ pattern: progTrim, action: "print $0" });
+		} else {
+			// Parse "pattern { action } pattern2 { action2 }"
+			const clauseRe = /([^{]*)\{([^}]*)\}/g;
+			let m2 = clauseRe.exec(progTrim);
+			while (m2 !== null) {
+				clauses.push({ pattern: m2[1]!.trim(), action: m2[2]!.trim() });
+				m2 = clauseRe.exec(progTrim);
+			}
+			if (clauses.length === 0) {
+				clauses.push({ pattern: "", action: progTrim.replace(/[{}]/g, "").trim() });
+			}
+		}
+
+		const out: string[] = [];
+
+		// BEGIN / END
+		const beginClause = clauses.find((c) => c.pattern === "BEGIN");
+		const endClause   = clauses.find((c) => c.pattern === "END");
+		const mainClauses = clauses.filter((c) => c.pattern !== "BEGIN" && c.pattern !== "END");
+
+		function splitFields(line: string): string[] {
+			if (sep === " ") return line.trim().split(/\s+/).filter(Boolean);
+			return line.split(sep);
+		}
+
+		function evalAction(action: string, line: string, nr: number): void {
+			const parts = splitFields(line);
+			const nf = parts.length;
+
+			// Expand variables
+			const resolve = (expr: string): string => {
+				expr = expr.trim();
+				if (expr === "NR") return String(nr);
+				if (expr === "NF") return String(nf);
+				if (expr === "$0") return line;
+				if (expr === "$NF") return parts[nf - 1] ?? "";
+				if (/^\$\d+$/.test(expr)) return parts[parseInt(expr.slice(1), 10) - 1] ?? "";
+				// Arithmetic NR+1, NF-1
+				const arith = expr.replace(/\bNR\b/g, String(nr)).replace(/\bNF\b/g, String(nf));
+				if (/^[\d\s+\-*/()]+$/.test(arith)) {
+					// biome-ignore lint/security/noGlobalEval: safe arithmetic — input contains only digits and operators after variable substitution
+					try { return String(Function(`"use strict"; return (${arith});`)()); } catch {}  				}
+				return expr.replace(/"/g, "");
+			};
+
+			const stmts = action.split(";").map((s) => s.trim()).filter(Boolean);
+			for (const stmt of stmts) {
+				if (stmt === "print" || stmt === "print $0") {
+					out.push(line);
+				} else if (stmt.startsWith("print ")) {
+					const args2 = stmt.slice(6).split(/\s*,\s*/);
+					out.push(args2.map(resolve).join("\t"));
+				}
+			}
+		}
+
+		function matchPattern(pattern: string, line: string, nr: number): boolean {
+			if (!pattern) return true;
+			if (pattern === "1") return true;
+
+			// NR==N or NR>N etc.
+			const nrCond = pattern.match(/^NR\s*([=!<>]=?|==)\s*(\d+)$/);
+			if (nrCond) {
+				const op = nrCond[1]!;
+				const val = parseInt(nrCond[2]!, 10);
+				switch (op) {
+					case "==": return nr === val;
+					case "!=": return nr !== val;
+					case ">":  return nr > val;
+					case ">=": return nr >= val;
+					case "<":  return nr < val;
+					case "<=": return nr <= val;
+				}
+			}
+
+			// NR%N==M
+			const nrMod = pattern.match(/^NR%(\d+)==(\d+)$/);
+			if (nrMod) {
+				return nr % parseInt(nrMod[1]!, 10) === parseInt(nrMod[2]!, 10);
+			}
+
+			// /regex/ pattern
+			if (pattern.startsWith("/") && pattern.endsWith("/")) {
+				try {
+					return new RegExp(pattern.slice(1, -1)).test(line);
+				} catch { return false; }
+			}
+
+			// $N~/regex/
+			const fieldMatch = pattern.match(/^\$(\d+)~\/(.*)\/$/);
+			if (fieldMatch) {
+				const parts = splitFields(line);
+				const field = parts[parseInt(fieldMatch[1]!, 10) - 1] ?? "";
+				try { return new RegExp(fieldMatch[2]!).test(field); } catch { return false; }
+			}
+
+			return false;
+		}
+
+		if (beginClause) evalAction(beginClause.action, "", 0);
+
+		for (let nr = 1; nr <= lines.length; nr++) {
+			const line = lines[nr - 1]!;
+			for (const clause of mainClauses) {
+				if (matchPattern(clause.pattern, line, nr)) {
+					evalAction(clause.action, line, nr);
+				}
+			}
+		}
+
+		if (endClause) evalAction(endClause.action, "", lines.length + 1);
+
+		return { stdout: out.join("\n") + (out.length > 0 ? "\n" : ""), exitCode: 0 };
 	},
 };

package/src/commands/cd.ts

@@ -19,10 +19,6 @@ export const cdCommand: ShellModule = {
 			return { stderr: `cd: not a directory: ${target}`, exitCode: 1 };
 		}
 
-		if (mode === "exec") {
-			return { exitCode: 0 };
-		}
-
 		return { nextCwd: target, exitCode: 0 };
 	},
 };

package/src/commands/clear.ts

@@ -1,5 +1,10 @@
 import type { ShellModule } from "../types/commands";
 
+/**
+ * Clear the terminal screen.
+ * @category shell
+ * @params []
+ */
 export const clearCommand: ShellModule = {
 	name: "clear",
 	description: "Clear the terminal screen",

package/src/commands/command-helpers.ts

@@ -15,11 +15,20 @@ function matchFlagToken(
 		return { matched: true, inlineValue: null };
 	}
 
+	// --flag=value style
 	const prefix = `${flag}=`;
 	if (token.startsWith(prefix)) {
 		return { matched: true, inlineValue: token.slice(prefix.length) };
 	}
 
+	// Short flag inline value: -f2, -d: (single char flag like -f, -d, -n)
+	// Only applies to single-char flags (-X), not long flags (--flag)
+	if (flag.length === 2 && flag.startsWith("-") && !flag.startsWith("--")) {
+		if (token.startsWith(flag) && token.length > flag.length) {
+			return { matched: true, inlineValue: token.slice(flag.length) };
+		}
+	}
+
 	return { matched: false, inlineValue: null };
 }
 

package/src/commands/curl.ts

@@ -97,7 +97,8 @@ export const curlCommand: ShellModule = {
 
 		let response: Response;
 		try {
-			response = await fetch(url, fetchOpts);
+			const urlWithHttp = url.startsWith("http://") || url.startsWith("https://") ? url : `http://${url}`;
+			response = await fetch(urlWithHttp, fetchOpts);
 		} catch (err) {
 			const msg = err instanceof Error ? err.message : String(err);
 			return {

package/src/commands/declare.ts

@@ -1,6 +1,11 @@
 import type { ShellModule } from "../types/commands";
 import { ifFlag } from "./command-helpers";
 
+/**
+ * Declare variables and give them attributes (integer, readonly, export, array).
+ * @category shell
+ * @params ["[-i] [-r] [-x] [-a] [name[=value]...]"]
+ */
 export const declareCommand: ShellModule = {
 	name: "declare",
 	aliases: ["local", "typeset"],