veryfront 0.1.241 → 0.1.243

package/esm/src/oauth/token-store/memory.js

@@ -1,5 +1,12 @@
-/** How long an OAuth state nonce remains valid (10 minutes). */
-const STATE_EXPIRATION_MS = 10 * 60 * 1_000;
+/** State expiry window: reject any state older than this (10 minutes). */
+const STATE_EXPIRY_MS = 10 * 60 * 1_000;
+/**
+ * In-memory TokenStore keyed by `(serviceId, userId)`.
+ *
+ * Suitable for development and tests. For production use a persistent store
+ * (Redis, Postgres, ...) keyed the same way. Never share a single slot per
+ * service across users — see VULN-AUTH-2.
+ */
 export class MemoryTokenStore {
     tokens = new Map();
     states = new Map();
@@ -7,48 +14,55 @@ export class MemoryTokenStore {
     constructor(projectId = "default") {
         this.projectId = projectId;
     }
-    scopedKey(serviceId) {
-        return `${this.projectId}:${serviceId}`;
+    scopedKey(serviceId, userId) {
+        return `${this.projectId}:${serviceId}:${userId}`;
     }
-    async getTokens(serviceId) {
-        return this.tokens.get(this.scopedKey(serviceId)) ?? null;
+    getTokens(serviceId, userId) {
+        return Promise.resolve(this.tokens.get(this.scopedKey(serviceId, userId)) ?? null);
     }
-    async setTokens(serviceId, tokens) {
-        this.tokens.set(this.scopedKey(serviceId), tokens);
+    setTokens(serviceId, userId, tokens) {
+        this.tokens.set(this.scopedKey(serviceId, userId), tokens);
+        return Promise.resolve();
     }
-    async clearTokens(serviceId) {
-        this.tokens.delete(this.scopedKey(serviceId));
+    clearTokens(serviceId, userId) {
+        this.tokens.delete(this.scopedKey(serviceId, userId));
+        return Promise.resolve();
     }
-    async getState(state) {
-        const storedState = this.states.get(state);
-        if (!storedState)
-            return null;
-        if (Date.now() - storedState.createdAt > STATE_EXPIRATION_MS) {
-            this.states.delete(state);
-            return null;
-        }
-        return storedState;
-    }
-    async setState(storedState) {
-        this.states.set(storedState.state, storedState);
+    setState(state, meta) {
+        this.states.set(state, meta);
         this.cleanupExpiredStates();
+        return Promise.resolve();
     }
-    async clearState(state) {
+    /**
+     * Atomically read and delete state (one-shot). Returns null for unknown or
+     * expired entries. Expired entries are removed on read.
+     */
+    consumeState(state) {
+        const meta = this.states.get(state);
+        if (!meta)
+            return Promise.resolve(null);
         this.states.delete(state);
+        if (Date.now() - meta.createdAt > STATE_EXPIRY_MS) {
+            return Promise.resolve(null);
+        }
+        return Promise.resolve(meta);
     }
     cleanupExpiredStates() {
         const now = Date.now();
-        for (const [state, storedState] of this.states) {
-            if (now - storedState.createdAt > STATE_EXPIRATION_MS) {
+        for (const [state, meta] of this.states) {
+            if (now - meta.createdAt > STATE_EXPIRY_MS) {
                 this.states.delete(state);
             }
         }
     }
+    /** List connected slots as `${serviceId}:${userId}` strings (test/debug aid). */
     getConnectedServices() {
-        return [...this.tokens.keys()];
+        const prefix = `${this.projectId}:`;
+        return [...this.tokens.keys()].map((key) => key.startsWith(prefix) ? key.slice(prefix.length) : key);
     }
-    isConnected(serviceId) {
-        const tokens = this.tokens.get(this.scopedKey(serviceId));
+    /** Whether a given user has usable tokens for a service. */
+    isConnected(serviceId, userId) {
+        const tokens = this.tokens.get(this.scopedKey(serviceId, userId));
         if (!tokens)
             return false;
         const isExpired = tokens.expiresAt != null && Date.now() > tokens.expiresAt;

package/esm/src/oauth/types.d.ts

@@ -1,11 +1,37 @@
 export type { AuthorizationUrlOptions, OAuthProviderConfig, OAuthServiceConfig, OAuthState, OAuthTokens, TokenExchangeOptions, TokenExchangeResult, } from "./schemas/index.js";
-import type { OAuthState, OAuthTokens } from "./schemas/index.js";
+import type { OAuthTokens } from "./schemas/index.js";
+/**
+ * Persisted OAuth state row. Created when init handler starts a flow and
+ * consumed exactly once by the callback handler.
+ *
+ * `userId` binds the flow to the authenticated user who initiated it so the
+ * resulting tokens are stored in that user's slot (not a shared one).
+ */
+export interface StoredOAuthState {
+    userId: string;
+    serviceId: string;
+    codeVerifier?: string;
+    redirectUri?: string;
+    scopes?: string[];
+    createdAt: number;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * TokenStore is keyed by `(serviceId, userId)` — tokens are per-user.
+ *
+ * Using a single-slot-per-service store is a vulnerability: the last OAuth
+ * completion overwrites all others, so an attacker who starts and finishes
+ * an OAuth flow with their own account can cause server-side code to act
+ * on the attacker's account. Callers MUST pass `userId` from authenticated
+ * session context.
+ */
 export interface TokenStore {
-    getTokens(serviceId: string): Promise<OAuthTokens | null>;
-    setTokens(serviceId: string, tokens: OAuthTokens): Promise<void>;
-    clearTokens(serviceId: string): Promise<void>;
-    getState(state: string): Promise<OAuthState | null>;
-    setState(state: OAuthState): Promise<void>;
-    clearState(state: string): Promise<void>;
+    getTokens(serviceId: string, userId: string): Promise<OAuthTokens | null>;
+    setTokens(serviceId: string, userId: string, tokens: OAuthTokens): Promise<void>;
+    clearTokens(serviceId: string, userId: string): Promise<void>;
+    /** Persist a new OAuth state row for the initiating user. */
+    setState(state: string, meta: StoredOAuthState): Promise<void>;
+    /** Atomically read and delete state. Returns null if unknown/expired. */
+    consumeState(state: string): Promise<StoredOAuthState | null>;
 }
 //# sourceMappingURL=types.d.ts.map

package/esm/src/oauth/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/src/oauth/types.ts"],"names":[],"mappings":"AACA,YAAY,EACV,uBAAuB,EACvB,mBAAmB,EACnB,kBAAkB,EAClB,UAAU,EACV,WAAW,EACX,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAElE,MAAM,WAAW,UAAU;IACzB,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC1D,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACjE,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9C,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACpD,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3C,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1C"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/src/oauth/types.ts"],"names":[],"mappings":"AACA,YAAY,EACV,uBAAuB,EACvB,mBAAmB,EACnB,kBAAkB,EAClB,UAAU,EACV,WAAW,EACX,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEtD;;;;;;GAMG;AACH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU;IACzB,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC1E,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACjF,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9D,6DAA6D;IAC7D,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/D,yEAAyE;IACzE,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;CAC/D"}

package/esm/src/platform/compat/framework-source-resolver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"framework-source-resolver.d.ts","sourceRoot":"","sources":["../../../../src/src/platform/compat/framework-source-resolver.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAIpD,eAAO,MAAM,cAAc,QAA4C,CAAC;AACxE,eAAO,MAAM,iBAAiB,QAA8B,CAAC;AAC7D,eAAO,MAAM,0BAA0B,QAAgD,CAAC;AAExF,eAAO,MAAM,mCAAmC,6HAatC,CAAC;AAEX,MAAM,WAAW,yBAAyB;IACxC,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,2BAA2B;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iCAAiC;IAChD,UAAU,CAAC,EAAE,yBAAyB,CAAC;IACvC,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC/B,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC;AAED,MAAM,WAAW,2CAA2C;IAC1D,UAAU,CAAC,EAAE,yBAAyB,CAAC;IACvC,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5C,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAED,wBAAgB,4BAA4B,CAAC,eAAe,GAAE,MAAM,EAAO,GAAG,MAAM,EAAE,CAarF;AAED,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAG3D;AAuCD,wBAAsB,0BAA0B,CAC9C,sBAAsB,EAAE,MAAM,EAC9B,OAAO,GAAE,iCAAsC,GAC9C,OAAO,CAAC,2BAA2B,GAAG,IAAI,CAAC,CA+B7C;AAED,wBAAsB,oCAAoC,CACxD,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,EACtB,OAAO,GAAE,2CAAgD,GACxD,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA6CxB"}
+{"version":3,"file":"framework-source-resolver.d.ts","sourceRoot":"","sources":["../../../../src/src/platform/compat/framework-source-resolver.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AA2BpD,eAAO,MAAM,cAAc,QAA4C,CAAC;AACxE,eAAO,MAAM,iBAAiB,QAA8B,CAAC;AAC7D,eAAO,MAAM,0BAA0B,QAAgD,CAAC;AAExF,eAAO,MAAM,mCAAmC,6HAatC,CAAC;AAEX,MAAM,WAAW,yBAAyB;IACxC,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,2BAA2B;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iCAAiC;IAChD,UAAU,CAAC,EAAE,yBAAyB,CAAC;IACvC,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC/B,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC;AAED,MAAM,WAAW,2CAA2C;IAC1D,UAAU,CAAC,EAAE,yBAAyB,CAAC;IACvC,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5C,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAED,wBAAgB,4BAA4B,CAAC,eAAe,GAAE,MAAM,EAAO,GAAG,MAAM,EAAE,CAarF;AAED,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAG3D;AAuCD,wBAAsB,0BAA0B,CAC9C,sBAAsB,EAAE,MAAM,EAC9B,OAAO,GAAE,iCAAsC,GAC9C,OAAO,CAAC,2BAA2B,GAAG,IAAI,CAAC,CAwC7C;AAED,wBAAsB,oCAAoC,CACxD,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,EACtB,OAAO,GAAE,2CAAgD,GACxD,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA6CxB"}

package/esm/src/platform/compat/framework-source-resolver.js

@@ -1,6 +1,31 @@
 import { join } from "./path/index.js";
+import { isWithinDirectory } from "../../security/path-validation.js";
 import { createFileSystem } from "./fs.js";
 import { getFrameworkRoot, getFrameworkRootFromMeta } from "./vfs-paths.js";
+/**
+ * Reject candidate paths that contain traversal indicators — plain `..`,
+ * NUL, or any percent-encoded variant (including multiply-encoded forms such
+ * as `%252e` or `%25252e`). The public `/_vf_modules/...` route reaches this
+ * resolver, so a malicious basePath like
+ * `_veryfront/%2e%2e%2fsecret.ts` would otherwise be joined with the
+ * framework lookupDir and escape it.
+ */
+function hasDangerousSegments(candidate) {
+    if (candidate.includes("\0"))
+        return true;
+    // Plain-text traversal (post URL-decode).
+    if (/(^|[/\\])\.\.([/\\]|$)/.test(candidate))
+        return true;
+    // Any occurrence of a percent sign is treated as suspicious: this resolver
+    // is called with inputs taken from URL path segments which have already
+    // been decoded once upstream. A lingering `%` means the attacker
+    // double-encoded the input, or that decoding missed a sequence — either
+    // way, refuse to probe the filesystem. Framework source paths never
+    // legitimately contain `%`.
+    if (candidate.includes("%"))
+        return true;
+    return false;
+}
 export const FRAMEWORK_ROOT = getFrameworkRootFromMeta(globalThis[Symbol.for("import-meta-ponyfill-esmodule")](import.meta).url);
 export const FRAMEWORK_SRC_DIR = join(FRAMEWORK_ROOT, "src");
 export const FRAMEWORK_EMBEDDED_SRC_DIR = join(FRAMEWORK_ROOT, "dist", "framework-src");
@@ -67,6 +92,11 @@ async function findExistingFrameworkCandidate(candidatePath, options = {}) {
     return null;
 }
 export async function resolveFrameworkSourcePath(relativePathWithoutExt, options = {}) {
+    // VULN-FS-3: Reject any candidate containing traversal indicators
+    // (plain or percent-encoded) before joining with the framework lookup dir.
+    // The public /_vf_modules/... route reaches this function with user input.
+    if (hasDangerousSegments(relativePathWithoutExt))
+        return null;
     const fs = options.fileSystem ?? createFileSystem();
     const lookupDirs = getFrameworkSourceLookupDirs(options.extraLookupDirs);
     const extensions = options.extensions ?? DEFAULT_FRAMEWORK_SOURCE_EXTENSIONS;
@@ -78,6 +108,10 @@ export async function resolveFrameworkSourcePath(relativePathWithoutExt, options
         for (const candidate of candidates) {
             for (const ext of extensions) {
                 const candidatePath = join(lookupDir, candidate + ext);
+                // Defence in depth: even if the candidate passed the textual gate
+                // above, confirm the joined path is physically within the lookup dir.
+                if (!isWithinDirectory(lookupDir, candidatePath))
+                    continue;
                 try {
                     const stat = await fs.stat(candidatePath);
                     if (stat.isFile) {

package/esm/src/routing/api/module-loader/loader.d.ts

@@ -1,6 +1,17 @@
 import type { APIRoute, LoadModuleOptions } from "./types.js";
 import type { FileSystem } from "../../../platform/compat/fs.js";
 export { toCjsDestructureBindings } from "./loader-helpers.js";
+/**
+ * Generates a CJS module loader shim for compiled Deno binaries.
+ *
+ * In compiled binaries, `createRequire()` can resolve module paths and load
+ * built-in modules (fs, path, etc.), but cannot load CJS files from disk
+ * (loadMaybeCjs fails with "path not found"). This shim works around that
+ * limitation by using `Deno.readTextFileSync` to read CJS files and
+ * `new Function` to evaluate them in a proper CJS wrapper with require,
+ * exports, module, __filename, and __dirname bindings.
+ */
+export declare function generateCompiledBinaryRequireShim(projectDir: string): string;
 export declare function loadHandlerModule(options: LoadModuleOptions): Promise<APIRoute | null>;
 export declare function getNodeExternalPackagesToResolve(userDeps: Map<string, string>): string[];
 export declare function resolveNodePackageToFileUrl(projectDir: string, packageName: string, fs: FileSystem, pathToFileURL: typeof import("node:url").pathToFileURL): Promise<string | null>;

package/esm/src/routing/api/module-loader/loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../../../../src/src/routing/api/module-loader/loader.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAI9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AAkBjE,OAAO,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AAgI/D,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAyBtF;AAuaD,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,EAAE,CAUxF;AAED,wBAAsB,2BAA2B,CAC/C,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,EAAE,EAAE,UAAU,EACd,aAAa,EAAE,cAAc,UAAU,EAAE,aAAa,GACrD,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAoBxB;AAED,wBAAsB,uBAAuB,CAC3C,UAAU,EAAE,MAAM,EAClB,EAAE,EAAE,UAAU,GACb,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC,CAW9C;AAED,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAClB,EAAE,EAAE,UAAU,EACd,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC5B,OAAO,CAAC,MAAM,CAAC,CA6EjB;AAED,wBAAgB,qCAAqC,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAqB1E;AAED,wBAAgB,0CAA0C,CACxD,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC5B,MAAM,CAoDR;AAED,wBAAsB,+BAA+B,CACnD,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAClB,EAAE,EAAE,UAAU,EACd,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC5B,OAAO,CAAC,MAAM,CAAC,CA0BjB;AAED,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAgBlE"}
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../../../../src/src/routing/api/module-loader/loader.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAI9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AAkBjE,OAAO,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AAqD/D;;;;;;;;;GASG;AACH,wBAAgB,iCAAiC,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CA+E5E;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAyBtF;AAuaD,wBAAgB,gCAAgC,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,EAAE,CAUxF;AAED,wBAAsB,2BAA2B,CAC/C,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,EAAE,EAAE,UAAU,EACd,aAAa,EAAE,cAAc,UAAU,EAAE,aAAa,GACrD,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAoBxB;AAED,wBAAsB,uBAAuB,CAC3C,UAAU,EAAE,MAAM,EAClB,EAAE,EAAE,UAAU,GACb,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC,CAW9C;AAED,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAClB,EAAE,EAAE,UAAU,EACd,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC5B,OAAO,CAAC,MAAM,CAAC,CA6EjB;AAED,wBAAgB,qCAAqC,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAqB1E;AAED,wBAAgB,0CAA0C,CACxD,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC5B,MAAM,CAoDR;AAED,wBAAsB,+BAA+B,CACnD,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAClB,EAAE,EAAE,UAAU,EACd,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC5B,OAAO,CAAC,MAAM,CAAC,CA0BjB;AAED,wBAAgB,6BAA6B,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAgBlE"}

package/esm/src/routing/api/module-loader/loader.js

@@ -73,7 +73,7 @@ async function readProjectDependencies(projectDir, fs) {
  * `new Function` to evaluate them in a proper CJS wrapper with require,
  * exports, module, __filename, and __dirname bindings.
  */
-function generateCompiledBinaryRequireShim(projectDir) {
+export function generateCompiledBinaryRequireShim(projectDir) {
     const builtinSet = JSON.stringify(NODE_BUILTINS);
     const safeProjectDir = JSON.stringify(projectDir + "/package.json");
     const safeProjectRoot = JSON.stringify(pathHelper.resolve(projectDir));
@@ -83,6 +83,12 @@ import { dirname as __vf_dirname, resolve as __vf_resolve } from "node:path";
 var __vf_builtinRequire = __vf_createRequire(${safeProjectDir});
 var __vf_builtinSet = new Set(${builtinSet});
 var __vf_projectRoot = ${safeProjectRoot};
+// VULN-FS-5: Canonicalize the project root so containment checks using
+// Deno.realPathSync(resolved) compare canonical-vs-canonical. Without this,
+// when the project itself is opened via a symlink, the realpath'd resolved
+// module path has a different prefix than the non-canonical projectRoot and
+// legitimate dependencies would be rejected.
+try { __vf_projectRoot = Deno.realPathSync(__vf_projectRoot); } catch (_) { /* expected: projectRoot may not exist at shim init in some environments */ }
 var __vf_cache = Object.create(null);
 function __vf_assertContained(resolved) {
   var norm = __vf_resolve(resolved).replace(/\\\\/g, "/");
@@ -105,10 +111,20 @@ function __vf_loadCjs(id, parentDir) {
         try { Deno.statSync(resolved + exts[i]); resolved += exts[i]; break; } catch (_) { /* expected: probing file extensions */ }
       }
     }
-    __vf_assertContained(resolved);
   } else {
     resolved = __vf_builtinRequire.resolve(id);
   }
+  // VULN-FS-5: Always assert containment after resolution (both branches),
+  // then re-canonicalize via realPathSync to resist symlinked node_modules
+  // entries that could point outside the project root.
+  __vf_assertContained(resolved);
+  try {
+    var real = Deno.realPathSync(resolved);
+    __vf_assertContained(real);
+    resolved = real;
+  } catch (_) {
+    /* expected: realPathSync fails for non-existent paths — assertContained above already held */
+  }
   if (resolved in __vf_cache) return __vf_cache[resolved];
   var code = Deno.readTextFileSync(resolved);
   if (resolved.endsWith(".json")) {

package/esm/src/server/handlers/dev/dashboard/api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/dev/dashboard/api.ts"],"names":[],"mappings":"AA2BA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AA2CrD,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,cAAc,GAClB,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,QAAQ,GAAG,IAAI,CAgE5C"}
+{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/dev/dashboard/api.ts"],"names":[],"mappings":"AA4BA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAwDrD,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,cAAc,GAClB,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,QAAQ,GAAG,IAAI,CAgE5C"}

package/esm/src/server/handlers/dev/dashboard/api.js

@@ -17,16 +17,29 @@ import { isRSCEnabled } from "../../../../utils/feature-flags.js";
 import { getEnvironmentConfig } from "../../../../config/environment-config.js";
 import { getErrorCollector } from "../../../../observability/error-collector.js";
 import { getLogBuffer } from "../../../../observability/log-buffer.js";
+import { validatePathSync } from "../../../../security/index.js";
 import { ReloadNotifier } from "../../../reload-notifier.js";
 const WORKFLOW_EXECUTION_TIMEOUT_MS = 30_000;
-/** Validate a relative path for directory traversal and null bytes.
- *  Note: searchParams.get() already percent-decodes, so no extra decoding needed. */
-function isValidRelativePath(path) {
-    if (path.includes("\0"))
-        return false;
-    if (path.includes(".."))
-        return false;
-    return true;
+/**
+ * Validate a relative path against the project directory.
+ *
+ * Uses `validatePathSync` in strict mode (rejects absolute paths, null bytes,
+ * `..` traversal, and any resolved path that escapes `baseDir`).
+ *
+ * Note: `searchParams.get()` already percent-decodes; no extra decoding needed
+ * (double-decoding would itself be a vulnerability).
+ *
+ * Returns the canonicalized absolute path on success, or `null` when invalid.
+ */
+function validateRelativePath(path, projectDir) {
+    const result = validatePathSync(path, {
+        baseDir: projectDir,
+        allowAbsolute: false,
+        level: "strict",
+    });
+    if (!result.valid || !result.canonicalPath)
+        return null;
+    return result.canonicalPath;
 }
 const JSON_HEADERS = {
     "Content-Type": "application/json",
@@ -353,9 +366,16 @@ async function handleListFiles(req, ctx) {
     if (!projectDir)
         return errorResponse("No project directory configured", 500);
     const relativePath = new URL(req.url).searchParams.get("path") ?? "";
-    if (!isValidRelativePath(relativePath))
-        return errorResponse("Invalid path", 400);
-    const fullPath = relativePath ? `${projectDir}/${relativePath}` : projectDir;
+    let fullPath;
+    if (relativePath === "") {
+        fullPath = projectDir;
+    }
+    else {
+        const canonical = validateRelativePath(relativePath, projectDir);
+        if (canonical === null)
+            return errorResponse("Invalid path", 400);
+        fullPath = canonical;
+    }
     try {
         const files = [];
         for await (const entry of adapter.fs.readDir(fullPath)) {
@@ -386,10 +406,11 @@ async function handleReadFileContent(req, ctx) {
     const relativePath = new URL(req.url).searchParams.get("path") ?? "";
     if (!relativePath)
         return errorResponse("path parameter is required", 400);
-    if (!isValidRelativePath(relativePath))
+    const canonical = validateRelativePath(relativePath, projectDir);
+    if (canonical === null)
         return errorResponse("Invalid path", 400);
     try {
-        const content = await adapter.fs.readFile(`${projectDir}/${relativePath}`);
+        const content = await adapter.fs.readFile(canonical);
         const extension = relativePath.split(".").pop() ?? "";
         if (!TEXT_EXTENSIONS.has(extension.toLowerCase())) {
             return jsonResponse({

package/esm/src/server/handlers/dev/files/esbuild-plugins.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"esbuild-plugins.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/dev/files/esbuild-plugins.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAA6B,MAAM,EAAe,MAAM,SAAS,CAAC;AAG9E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uCAAuC,CAAC;AAG5E,OAAO,EAGL,KAAK,eAAe,EACrB,MAAM,sCAAsC,CAAC;AAkB9C,gFAAgF;AAChF,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,MAAM,CA6C1F;AAKD,UAAU,yBAAyB;IACjC,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3C;AA+DD,kFAAkF;AAClF,wBAAgB,wBAAwB,CACtC,OAAO,GAAE,yBAAyB,GAAG,OAAe,GACnD,MAAM,CAqER;AAED,wBAAgB,wBAAwB,IAAI,MAAM,CAUjD"}
+{"version":3,"file":"esbuild-plugins.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/handlers/dev/files/esbuild-plugins.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAA6B,MAAM,EAAe,MAAM,SAAS,CAAC;AAG9E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uCAAuC,CAAC;AAQ5E,OAAO,EAGL,KAAK,eAAe,EACrB,MAAM,sCAAsC,CAAC;AAkB9C,gFAAgF;AAChF,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,MAAM,CAyF1F;AAKD,UAAU,yBAAyB;IACjC,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3C;AA+DD,kFAAkF;AAClF,wBAAgB,wBAAwB,CACtC,OAAO,GAAE,yBAAyB,GAAG,OAAe,GACnD,MAAM,CAqER;AAED,wBAAgB,wBAAwB,IAAI,MAAM,CAUjD"}

package/esm/src/server/handlers/dev/files/esbuild-plugins.js

@@ -1,5 +1,5 @@
 import { NETWORK_ERROR } from "../../../../errors/index.js";
-import { getDirectory, joinPath } from "../../../../utils/path-utils.js";
+import { getDirectory, isWithinDirectory, joinPath, normalizePath, } from "../../../../utils/path-utils.js";
 import { computeIntegrity, createLockfileManager, } from "../../../../utils/import-lockfile.js";
 import { importMapOwnsSpecifier, mergeBrowserImportMapImports, } from "../../../../utils/import-map.js";
 import { serverLogger } from "../../../../utils/logger/index.js";
@@ -20,16 +20,40 @@ export function createRelativeFsPlugin(projectDir, adapter) {
         setup(build) {
             const exts = [".tsx", ".ts", ".jsx", ".js", ".mjs"];
             build.onResolve({ filter: /^(\.?\.?\/|\/)\/*/ }, async (args) => {
-                const basedir = args.importer ? getDirectory(args.importer) : projectDir;
-                const candidate = args.path.startsWith("/")
+                // VULN-FS-6: NUL bytes are never legitimate in module paths.
+                if (args.path.includes("\0")) {
+                    return {
+                        errors: [{ text: `Import path contains NUL byte: ${args.path}`, location: null }],
+                    };
+                }
+                const basedir = args.resolveDir ||
+                    (args.importer ? getDirectory(args.importer) : projectDir);
+                // normalizePath collapses `./` and `foo/../` segments produced by
+                // `joinPath` so downstream `adapter.fs.stat` lookups match the file
+                // system's canonical key. Still inside the containment check below.
+                const candidate = normalizePath(args.path.startsWith("/")
                     ? joinPath(projectDir, args.path)
-                    : joinPath(basedir, args.path);
+                    : joinPath(basedir, args.path));
+                // VULN-FS-6: refuse anything that, after joining, escapes the project
+                // root. esbuild plugins fire per-import; an entry file with
+                // `import "../../../../etc/hostname"` would otherwise embed the file.
+                if (!isWithinDirectory(projectDir, candidate)) {
+                    return {
+                        errors: [{
+                                text: `Import escapes project directory: ${args.path}`,
+                                location: null,
+                            }],
+                    };
+                }
                 const candidates = [candidate];
                 for (const ext of exts)
                     candidates.push(candidate + ext);
                 for (const ext of exts)
                     candidates.push(joinPath(candidate, `index${ext}`));
                 for (const f of candidates) {
+                    // Defence in depth: each extension probe must also stay inside.
+                    if (!isWithinDirectory(projectDir, f))
+                        continue;
                     try {
                         const st = await adapter.fs.stat(f);
                         if (st.isFile)
@@ -42,6 +66,23 @@ export function createRelativeFsPlugin(projectDir, adapter) {
                 return undefined;
             });
             build.onLoad({ filter: /\.(tsx?|jsx?|mjs)$/ }, async (args) => {
+                // VULN-FS-6: belt-and-braces — reject any onLoad call whose path
+                // escapes the project root or carries a NUL byte. onResolve already
+                // gates this, but esbuild can call onLoad with paths produced by
+                // other plugins or namespaces.
+                if (args.path.includes("\0")) {
+                    return {
+                        errors: [{ text: `Load path contains NUL byte: ${args.path}`, location: null }],
+                    };
+                }
+                if (!isWithinDirectory(projectDir, args.path)) {
+                    return {
+                        errors: [{
+                                text: `Load path escapes project directory: ${args.path}`,
+                                location: null,
+                            }],
+                    };
+                }
                 try {
                     const contents = await adapter.fs.readFile(args.path);
                     return { contents, loader: getLoaderForPath(args.path) };

package/esm/src/utils/version-constant.d.ts

@@ -1,2 +1,2 @@
-export declare const VERSION = "0.1.241";
+export declare const VERSION = "0.1.243";
 //# sourceMappingURL=version-constant.d.ts.map

package/esm/src/utils/version-constant.js

@@ -1,3 +1,3 @@
 // Keep in sync with deno.json version.
 // scripts/release.ts updates this constant during releases.
-export const VERSION = "0.1.241";
+export const VERSION = "0.1.243";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "veryfront",
-  "version": "0.1.241",
+  "version": "0.1.243",
   "description": "The simplest way to build AI-powered apps",
   "keywords": [
     "react",