veryfront 0.1.241 → 0.1.243

package/src/src/routing/api/module-loader/loader.ts

@@ -91,7 +91,7 @@ async function readProjectDependencies(
  * `new Function` to evaluate them in a proper CJS wrapper with require,
  * exports, module, __filename, and __dirname bindings.
  */
-function generateCompiledBinaryRequireShim(projectDir: string): string {
+export function generateCompiledBinaryRequireShim(projectDir: string): string {
   const builtinSet = JSON.stringify(NODE_BUILTINS);
   const safeProjectDir = JSON.stringify(projectDir + "/package.json");
   const safeProjectRoot = JSON.stringify(pathHelper.resolve(projectDir));
@@ -102,6 +102,12 @@ import { dirname as __vf_dirname, resolve as __vf_resolve } from "node:path";
 var __vf_builtinRequire = __vf_createRequire(${safeProjectDir});
 var __vf_builtinSet = new Set(${builtinSet});
 var __vf_projectRoot = ${safeProjectRoot};
+// VULN-FS-5: Canonicalize the project root so containment checks using
+// Deno.realPathSync(resolved) compare canonical-vs-canonical. Without this,
+// when the project itself is opened via a symlink, the realpath'd resolved
+// module path has a different prefix than the non-canonical projectRoot and
+// legitimate dependencies would be rejected.
+try { __vf_projectRoot = Deno.realPathSync(__vf_projectRoot); } catch (_) { /* expected: projectRoot may not exist at shim init in some environments */ }
 var __vf_cache = Object.create(null);
 function __vf_assertContained(resolved) {
   var norm = __vf_resolve(resolved).replace(/\\\\/g, "/");
@@ -124,10 +130,20 @@ function __vf_loadCjs(id, parentDir) {
         try { Deno.statSync(resolved + exts[i]); resolved += exts[i]; break; } catch (_) { /* expected: probing file extensions */ }
       }
     }
-    __vf_assertContained(resolved);
   } else {
     resolved = __vf_builtinRequire.resolve(id);
   }
+  // VULN-FS-5: Always assert containment after resolution (both branches),
+  // then re-canonicalize via realPathSync to resist symlinked node_modules
+  // entries that could point outside the project root.
+  __vf_assertContained(resolved);
+  try {
+    var real = Deno.realPathSync(resolved);
+    __vf_assertContained(real);
+    resolved = real;
+  } catch (_) {
+    /* expected: realPathSync fails for non-existent paths — assertContained above already held */
+  }
   if (resolved in __vf_cache) return __vf_cache[resolved];
   var code = Deno.readTextFileSync(resolved);
   if (resolved.endsWith(".json")) {

package/src/src/server/handlers/dev/dashboard/api.ts

@@ -24,17 +24,31 @@ import { isRSCEnabled } from "../../../../utils/feature-flags.js";
 import { getEnvironmentConfig } from "../../../../config/environment-config.js";
 import { getErrorCollector } from "../../../../observability/error-collector.js";
 import { getLogBuffer } from "../../../../observability/log-buffer.js";
+import { validatePathSync } from "../../../../security/index.js";
 import { ReloadNotifier } from "../../../reload-notifier.js";
 import type { HandlerContext } from "../../types.js";
 
 const WORKFLOW_EXECUTION_TIMEOUT_MS = 30_000;
 
-/** Validate a relative path for directory traversal and null bytes.
- *  Note: searchParams.get() already percent-decodes, so no extra decoding needed. */
-function isValidRelativePath(path: string): boolean {
-  if (path.includes("\0")) return false;
-  if (path.includes("..")) return false;
-  return true;
+/**
+ * Validate a relative path against the project directory.
+ *
+ * Uses `validatePathSync` in strict mode (rejects absolute paths, null bytes,
+ * `..` traversal, and any resolved path that escapes `baseDir`).
+ *
+ * Note: `searchParams.get()` already percent-decodes; no extra decoding needed
+ * (double-decoding would itself be a vulnerability).
+ *
+ * Returns the canonicalized absolute path on success, or `null` when invalid.
+ */
+function validateRelativePath(path: string, projectDir: string): string | null {
+  const result = validatePathSync(path, {
+    baseDir: projectDir,
+    allowAbsolute: false,
+    level: "strict",
+  });
+  if (!result.valid || !result.canonicalPath) return null;
+  return result.canonicalPath;
 }
 
 const JSON_HEADERS = {
@@ -397,9 +411,15 @@ async function handleListFiles(req: Request, ctx: HandlerContext): Promise<Respo
   if (!projectDir) return errorResponse("No project directory configured", 500);
 
   const relativePath = new URL(req.url).searchParams.get("path") ?? "";
-  if (!isValidRelativePath(relativePath)) return errorResponse("Invalid path", 400);
 
-  const fullPath = relativePath ? `${projectDir}/${relativePath}` : projectDir;
+  let fullPath: string;
+  if (relativePath === "") {
+    fullPath = projectDir;
+  } else {
+    const canonical = validateRelativePath(relativePath, projectDir);
+    if (canonical === null) return errorResponse("Invalid path", 400);
+    fullPath = canonical;
+  }
 
   try {
     const files: Array<{ name: string; type: "file" | "directory"; path: string }> = [];
@@ -433,10 +453,12 @@ async function handleReadFileContent(req: Request, ctx: HandlerContext): Promise
 
   const relativePath = new URL(req.url).searchParams.get("path") ?? "";
   if (!relativePath) return errorResponse("path parameter is required", 400);
-  if (!isValidRelativePath(relativePath)) return errorResponse("Invalid path", 400);
+
+  const canonical = validateRelativePath(relativePath, projectDir);
+  if (canonical === null) return errorResponse("Invalid path", 400);
 
   try {
-    const content = await adapter.fs.readFile(`${projectDir}/${relativePath}`);
+    const content = await adapter.fs.readFile(canonical);
     const extension = relativePath.split(".").pop() ?? "";
 
     if (!TEXT_EXTENSIONS.has(extension.toLowerCase())) {

package/src/src/server/handlers/dev/files/esbuild-plugins.ts

@@ -2,7 +2,12 @@ import type { OnLoadArgs, OnResolveArgs, Plugin, PluginBuild } from "esbuild";
 import { NETWORK_ERROR } from "../../../../errors/index.js";
 // Direct import from base.ts to avoid circular dependency through barrel
 import type { RuntimeAdapter } from "../../../../platform/adapters/base.js";
-import { getDirectory, joinPath } from "../../../../utils/path-utils.js";
+import {
+  getDirectory,
+  isWithinDirectory,
+  joinPath,
+  normalizePath,
+} from "../../../../utils/path-utils.js";
 
 import {
   computeIntegrity,
@@ -34,16 +39,43 @@ export function createRelativeFsPlugin(projectDir: string, adapter: RuntimeAdapt
       const exts = [".tsx", ".ts", ".jsx", ".js", ".mjs"];
 
       build.onResolve({ filter: /^(\.?\.?\/|\/)\/*/ }, async (args: OnResolveArgs) => {
-        const basedir = args.importer ? getDirectory(args.importer) : projectDir;
-        const candidate = args.path.startsWith("/")
-          ? joinPath(projectDir, args.path)
-          : joinPath(basedir, args.path);
+        // VULN-FS-6: NUL bytes are never legitimate in module paths.
+        if (args.path.includes("\0")) {
+          return {
+            errors: [{ text: `Import path contains NUL byte: ${args.path}`, location: null }],
+          };
+        }
+
+        const basedir = args.resolveDir ||
+          (args.importer ? getDirectory(args.importer) : projectDir);
+        // normalizePath collapses `./` and `foo/../` segments produced by
+        // `joinPath` so downstream `adapter.fs.stat` lookups match the file
+        // system's canonical key. Still inside the containment check below.
+        const candidate = normalizePath(
+          args.path.startsWith("/")
+            ? joinPath(projectDir, args.path)
+            : joinPath(basedir, args.path),
+        );
+
+        // VULN-FS-6: refuse anything that, after joining, escapes the project
+        // root. esbuild plugins fire per-import; an entry file with
+        // `import "../../../../etc/hostname"` would otherwise embed the file.
+        if (!isWithinDirectory(projectDir, candidate)) {
+          return {
+            errors: [{
+              text: `Import escapes project directory: ${args.path}`,
+              location: null,
+            }],
+          };
+        }
 
         const candidates: string[] = [candidate];
         for (const ext of exts) candidates.push(candidate + ext);
         for (const ext of exts) candidates.push(joinPath(candidate, `index${ext}`));
 
         for (const f of candidates) {
+          // Defence in depth: each extension probe must also stay inside.
+          if (!isWithinDirectory(projectDir, f)) continue;
           try {
             const st = await adapter.fs.stat(f);
             if (st.isFile) return { path: f };
@@ -56,6 +88,23 @@ export function createRelativeFsPlugin(projectDir: string, adapter: RuntimeAdapt
       });
 
       build.onLoad({ filter: /\.(tsx?|jsx?|mjs)$/ }, async (args: OnLoadArgs) => {
+        // VULN-FS-6: belt-and-braces — reject any onLoad call whose path
+        // escapes the project root or carries a NUL byte. onResolve already
+        // gates this, but esbuild can call onLoad with paths produced by
+        // other plugins or namespaces.
+        if (args.path.includes("\0")) {
+          return {
+            errors: [{ text: `Load path contains NUL byte: ${args.path}`, location: null }],
+          };
+        }
+        if (!isWithinDirectory(projectDir, args.path)) {
+          return {
+            errors: [{
+              text: `Load path escapes project directory: ${args.path}`,
+              location: null,
+            }],
+          };
+        }
         try {
           const contents = await adapter.fs.readFile(args.path);
           return { contents, loader: getLoaderForPath(args.path) };

package/src/src/utils/version-constant.ts

@@ -1,3 +1,3 @@
 // Keep in sync with deno.json version.
 // scripts/release.ts updates this constant during releases.
-export const VERSION = "0.1.241";
+export const VERSION = "0.1.243";