yxorp 0.2.3 → 0.2.4

package/README.md

@@ -264,6 +264,14 @@ For more advanced patterns, see the [path-to-regexp documentation](https://githu
 
 ---
 
+### A Note on Script Security
+
+Mock and rewrite scripts (`"script": "./path/to/file.js"`) are loaded with Node's `require()` and run with the same privileges as Yxorp itself — full filesystem, network, and process access, with no sandboxing.
+
+Only point Yxorp at config files (and the scripts they reference) that you trust, the same way you'd treat any other local Node script. Don't load a config from an untrusted source.
+
+---
+
 ## Full Example
 
 Here's a complete config showing all features in action:

package/dist/middleware/bootstrap.middleware.d.ts

@@ -1,14 +1,15 @@
-import { IncomingMessage } from 'http';
+/// <reference types="node" />
+import { IncomingMessage, ServerResponse } from 'http';
 import { Middleware } from '../services/pipeline.service';
 import { RewriteRulesMatcher } from '../services/rules-matchers/rewrite-rules-matcher.service';
 import { MockRulesMatcher } from '../services/rules-matchers/mock-rules-matcher.service';
 import { LoggerService } from '../services/logger.service';
-export declare class BootstrapMiddleware implements Middleware<[req: IncomingMessage, res: any]> {
+export declare class BootstrapMiddleware implements Middleware<[req: IncomingMessage, res: ServerResponse]> {
     private rewriteRulesMatcher;
     private mockRulesMatcher;
     private logger;
     constructor(rewriteRulesMatcher: RewriteRulesMatcher, mockRulesMatcher: MockRulesMatcher, logger: LoggerService);
-    use(req: IncomingMessage, _res: any, next: () => void): void;
+    use(req: IncomingMessage, _res: ServerResponse, next: () => void): void;
     private setRewriteRule;
     private setMockRule;
     private setQueryParams;

package/dist/middleware/mock.middleware.js

@@ -7,7 +7,7 @@ exports.MockMiddleware = void 0;
 const mime_1 = __importDefault(require("mime"));
 const promises_1 = __importDefault(require("fs/promises"));
 const path_1 = __importDefault(require("path"));
-const request_timing_1 = require("../utils/request-timing");
+const access_log_1 = require("../utils/access-log");
 class MockMiddleware {
     constructor(logger) {
         this.logger = logger;
@@ -31,14 +31,14 @@ class MockMiddleware {
                     res.setHeader('content-type', 'application/json');
                     res.end(JSON.stringify({ error: `Mock script "${mockRule.script}" does not export a function` }));
                     this.logger.error(`Mock script "${fullPath}" does not export a function (module.exports = (req, res) => {...})`);
-                    this.logger.info(`mock         ${res.statusCode} ${req.method} ${req.url} ${(0, request_timing_1.elapsedMs)(req)}ms`);
+                    this.logger.info((0, access_log_1.formatAccessLog)('mock', res.statusCode, req));
                     return;
                 }
                 await handler(req, res);
                 if (!res.headersSent) {
                     res.setHeader('content-type', 'application/json');
                 }
-                this.logger.info(`mock         ${res.statusCode || 200} ${req.method} ${req.url} ${(0, request_timing_1.elapsedMs)(req)}ms`);
+                this.logger.info((0, access_log_1.formatAccessLog)('mock', res.statusCode || 200, req));
                 return;
             }
             if ('file' in mockRule) {
@@ -50,7 +50,7 @@ class MockMiddleware {
                 }
                 res.setHeader('content-length', file.length);
                 res.end(file);
-                this.logger.info(`mock         ${res.statusCode} ${req.method} ${req.url} ${(0, request_timing_1.elapsedMs)(req)}ms`);
+                this.logger.info((0, access_log_1.formatAccessLog)('mock', res.statusCode, req));
                 return;
             }
             next();
@@ -61,7 +61,7 @@ class MockMiddleware {
             // calling next() would send the request into ProxyMiddleware/httpProxy.web,
             // which would try to write to an already-finished response.
             if (res.headersSent) {
-                this.logger.info(`mock         ${res.statusCode} ${req.method} ${req.url} ${(0, request_timing_1.elapsedMs)(req)}ms`);
+                this.logger.info((0, access_log_1.formatAccessLog)('mock', res.statusCode, req));
                 if (!res.writableEnded) {
                     res.end();
                 }

package/dist/middleware/proxy.middleware.js

@@ -28,7 +28,16 @@ class ProxyMiddleware {
             prependPath: !target,
             target: target || proxyOptions.target,
         };
-        this.httpProxy.web(req, res, options).catch((error) => this.logger.error(error));
+        this.httpProxy.web(req, res, options).catch((error) => {
+            // httpxy rejects web()'s promise when the proxy has no 'error' listener
+            // (e.g. target ECONNREFUSED/DNS failure) — without this, the client
+            // would otherwise hang forever waiting for a response that never comes.
+            this.logger.error(error);
+            if (!res.headersSent) {
+                res.statusCode = 502;
+                res.end();
+            }
+        });
     }
 }
 exports.ProxyMiddleware = ProxyMiddleware;

package/dist/middleware/proxyRes.middleware.js

@@ -1,16 +1,18 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ProxyResMiddleware = void 0;
-const request_timing_1 = require("../utils/request-timing");
+const access_log_1 = require("../utils/access-log");
+const headers_1 = require("../utils/headers");
 class ProxyResMiddleware {
     constructor(logger) {
         this.logger = logger;
     }
     use(proxyRes, req, res) {
         try {
-            // Skip transfer-encoding since we reconstruct the body with known length
+            // Hop-by-hop headers (incl. transfer-encoding, since we reconstruct the
+            // body with a known length) must not be forwarded to the client.
             for (let key in proxyRes.headers) {
-                if (key === 'transfer-encoding')
+                if ((0, headers_1.isHopByHopHeader)(key, proxyRes.headers))
                     continue;
                 res.setHeader(key, proxyRes.headers[key]);
             }
@@ -24,7 +26,7 @@ class ProxyResMiddleware {
             // it sets req.rewriteLogged in both cases) — log here only for plain
             // pass-through, so every proxied request gets exactly one log line.
             if (!req.rewriteLogged) {
-                this.logger.info(`proxy         ${res.statusCode} ${req.method} ${req.url} ${(0, request_timing_1.elapsedMs)(req)}ms`);
+                this.logger.info((0, access_log_1.formatAccessLog)('proxy', res.statusCode, req));
             }
         }
         catch (e) {

package/dist/middleware/rewrite.middleware.js

@@ -7,7 +7,7 @@ exports.RewriteMiddleware = void 0;
 const http_encoding_1 = require("http-encoding");
 const promises_1 = __importDefault(require("fs/promises"));
 const path_1 = __importDefault(require("path"));
-const request_timing_1 = require("../utils/request-timing");
+const access_log_1 = require("../utils/access-log");
 class RewriteMiddleware {
     constructor(logger) {
         this.logger = logger;
@@ -62,7 +62,7 @@ class RewriteMiddleware {
      */
     logRewrite(req, proxyRes) {
         req.rewriteLogged = true;
-        this.logger.info(`rewrite       ${proxyRes.statusCode} ${req.method} ${req.url} ${(0, request_timing_1.elapsedMs)(req)}ms`);
+        this.logger.info((0, access_log_1.formatAccessLog)('rewrite', proxyRes.statusCode, req));
     }
 }
 exports.RewriteMiddleware = RewriteMiddleware;

package/dist/middleware/static.middleware.d.ts

@@ -24,6 +24,11 @@ export declare class StaticMiddleware implements Middleware<[req: IncomingMessag
      * than enumerating the entire tree just to find one file.
      */
     private resolveFile;
+    /**
+     * Confirms `filePath` is a regular file AND, after resolving symlinks on
+     * both sides, still lives inside `directory` — a symlink placed under
+     * `directory` that points outside it must not be served.
+     */
     private isFile;
     private findCaseInsensitive;
 }

package/dist/middleware/static.middleware.js

@@ -7,7 +7,7 @@ exports.StaticMiddleware = void 0;
 const path_1 = __importDefault(require("path"));
 const promises_1 = __importDefault(require("fs/promises"));
 const mime_1 = __importDefault(require("mime"));
-const request_timing_1 = require("../utils/request-timing");
+const access_log_1 = require("../utils/access-log");
 class StaticMiddleware {
     constructor(config, logger) {
         this.config = config;
@@ -37,7 +37,7 @@ class StaticMiddleware {
             }
             res.setHeader('content-length', file.length);
             res.end(file);
-            this.logger.info(`static        ${res.statusCode} ${req.method} ${req.url} ${(0, request_timing_1.elapsedMs)(req)}ms`);
+            this.logger.info((0, access_log_1.formatAccessLog)('static', res.statusCode, req));
         }
         catch (e) {
             this.logger.error(e);
@@ -75,7 +75,7 @@ class StaticMiddleware {
             return undefined;
         }
         const exactPath = path_1.default.join(directory, ...segments);
-        if (await this.isFile(exactPath)) {
+        if (await this.isFile(exactPath, directory)) {
             return exactPath;
         }
         if (!rule.caseInsensitive) {
@@ -89,12 +89,25 @@ class StaticMiddleware {
             }
             current = path_1.default.join(current, match);
         }
-        return (await this.isFile(current)) ? current : undefined;
+        return (await this.isFile(current, directory)) ? current : undefined;
     }
-    async isFile(filePath) {
+    /**
+     * Confirms `filePath` is a regular file AND, after resolving symlinks on
+     * both sides, still lives inside `directory` — a symlink placed under
+     * `directory` that points outside it must not be served.
+     */
+    async isFile(filePath, directory) {
         try {
             const stats = await promises_1.default.stat(filePath);
-            return stats.isFile();
+            if (!stats.isFile()) {
+                return false;
+            }
+            const [realFile, realDirectory] = await Promise.all([
+                promises_1.default.realpath(filePath),
+                promises_1.default.realpath(directory),
+            ]);
+            const relative = path_1.default.relative(realDirectory, realFile);
+            return !relative.startsWith('..') && !path_1.default.isAbsolute(relative);
         }
         catch {
             return false;

package/dist/services/config-watcher.js

@@ -5,9 +5,17 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.watchConfig = void 0;
 const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
 function watchConfig(configPath, onReload, onError) {
+    const dir = path_1.default.dirname(configPath);
+    const filename = path_1.default.basename(configPath);
     let debounceTimer = null;
-    return fs_1.default.watch(configPath, () => {
+    // Watch the parent directory rather than the file itself — editors that
+    // save via atomic rename (vim, etc.) replace the inode, after which
+    // fs.watch on the old file path stops firing.
+    return fs_1.default.watch(dir, (_eventType, changedFile) => {
+        if (changedFile && changedFile !== filename)
+            return;
         if (debounceTimer)
             return;
         debounceTimer = setTimeout(() => {

package/dist/services/config.service.d.ts

@@ -1,6 +1,6 @@
 import { YxorpConfig } from '../types/yxorp-config';
 export declare class Config {
-    private config;
+    private config?;
     set(config: YxorpConfig): void;
     get(): YxorpConfig;
 }

package/dist/services/config.service.js

@@ -6,6 +6,9 @@ class Config {
         this.config = config;
     }
     get() {
+        if (!this.config) {
+            throw new Error('Config has not been initialized — call set() before get()');
+        }
         return this.config;
     }
 }

package/dist/services/http-proxy.service.d.ts

@@ -2,13 +2,14 @@
 /// <reference types="node" />
 /// <reference types="node" />
 import { IncomingMessage, ServerResponse } from 'http';
+import { ProxyServer } from 'httpxy';
 import { Pipeline } from './pipeline.service';
 export declare class HttpProxy {
     private pipeline;
-    readonly on: (...args: any[]) => any;
+    readonly on: ProxyServer<IncomingMessage, ServerResponse>['on'];
     private proxy;
     constructor(pipeline: Pipeline<[proxyRes: IncomingMessage, req: IncomingMessage, res: ServerResponse]>);
     execute: (args_0: IncomingMessage, args_1: IncomingMessage, args_2: ServerResponse<IncomingMessage>) => Promise<void>;
-    web(req: IncomingMessage, res: ServerResponse, options?: Record<string, any>): any;
-    ws(req: IncomingMessage, socket: any, options: Record<string, any>, head?: Buffer): any;
+    web(req: IncomingMessage, res: ServerResponse, options?: Record<string, any>): Promise<void>;
+    ws(req: IncomingMessage, socket: any, options: Record<string, any>, head?: Buffer): Promise<void>;
 }

package/dist/services/rules-matchers/method-path-rules-matcher.d.ts

@@ -12,7 +12,7 @@ export interface MethodPathRule {
 export declare abstract class MethodPathRulesMatcher<T extends MethodPathRule> {
     protected abstract getRules(): T[];
     match(url: string, method: string): T | undefined;
-    params(url: string, rule: T): Object | undefined;
+    params(url: string, rule: T): Record<string, string> | undefined;
     /**
      * Finds the matching rule and its path params in a single pass — avoids
      * compiling/running the path-to-regexp matcher twice (once via `match()`,
@@ -20,7 +20,7 @@ export declare abstract class MethodPathRulesMatcher<T extends MethodPathRule> {
      */
     matchWithParams(url: string, method: string): {
         rule: T;
-        params: Object;
+        params: Record<string, string>;
     } | undefined;
     private find;
     private matchPath;

package/dist/services/yxorp-server.service.js

@@ -23,7 +23,7 @@ function createServer(config, logger, rewriteRulesMatcher, mockRulesMatcher, rem
     // 4. HttpServer wraps the server pipeline
     const server = new http_server_service_1.HttpServer(serverPipeline, logger);
     // 5. Attach proxy pipeline to proxyRes event
-    proxy.on('proxyRes', ((proxyRes, req, res) => {
+    proxy.on('proxyRes', (proxyRes, req, res) => {
         // proxy.execute() is async — an uncaught rejection here would otherwise
         // become an unhandled promise rejection and can crash the whole process,
         // leaving the client hanging with no response.
@@ -34,7 +34,7 @@ function createServer(config, logger, rewriteRulesMatcher, mockRulesMatcher, rem
                 res.end();
             }
         });
-    }));
+    });
     // 6. WebSocket upgrade handling
     server.addListener('upgrade', (req, socket, head) => {
         const url = req.url || '';

package/dist/utils/access-log.d.ts

@@ -0,0 +1,7 @@
+import { IncomingMessage } from 'http';
+/**
+ * Formats a single access-log line with the label column padded to a fixed
+ * width so entries from different middlewares (mock, rewrite, proxy,
+ * static) line up in the log output.
+ */
+export declare function formatAccessLog(label: string, statusCode: number | string | undefined, req: IncomingMessage): string;

package/dist/utils/access-log.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatAccessLog = void 0;
+const request_timing_1 = require("./request-timing");
+const LABEL_WIDTH = 8;
+/**
+ * Formats a single access-log line with the label column padded to a fixed
+ * width so entries from different middlewares (mock, rewrite, proxy,
+ * static) line up in the log output.
+ */
+function formatAccessLog(label, statusCode, req) {
+    return `${label.padEnd(LABEL_WIDTH)}${statusCode} ${req.method} ${req.url} ${(0, request_timing_1.elapsedMs)(req)}ms`;
+}
+exports.formatAccessLog = formatAccessLog;

package/dist/utils/headers.d.ts

@@ -0,0 +1,8 @@
+/// <reference types="node" />
+import { IncomingHttpHeaders } from 'http';
+/**
+ * RFC 2616 §13.5.1 hop-by-hop headers must not be forwarded between a proxy
+ * and its client — plus any header dynamically named in the `Connection`
+ * header's value.
+ */
+export declare function isHopByHopHeader(name: string, headers: IncomingHttpHeaders): boolean;

package/dist/utils/headers.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isHopByHopHeader = void 0;
+const HOP_BY_HOP_HEADERS = new Set([
+    'connection',
+    'keep-alive',
+    'proxy-authenticate',
+    'proxy-authorization',
+    'te',
+    'trailer',
+    'transfer-encoding',
+    'upgrade',
+]);
+/**
+ * RFC 2616 §13.5.1 hop-by-hop headers must not be forwarded between a proxy
+ * and its client — plus any header dynamically named in the `Connection`
+ * header's value.
+ */
+function isHopByHopHeader(name, headers) {
+    const lower = name.toLowerCase();
+    if (HOP_BY_HOP_HEADERS.has(lower)) {
+        return true;
+    }
+    const connection = headers.connection;
+    if (connection) {
+        const named = (Array.isArray(connection) ? connection.join(',') : connection)
+            .split(',')
+            .map((value) => value.trim().toLowerCase());
+        if (named.includes(lower)) {
+            return true;
+        }
+    }
+    return false;
+}
+exports.isHopByHopHeader = isHopByHopHeader;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "yxorp",
-  "version": "0.2.3",
+  "version": "0.2.4",
   "description": "A local reverse proxy for rewriting, mocking, and debugging API responses.",
   "files": [
     "dist/",
@@ -27,7 +27,6 @@
     "mime": "^3.0.0",
     "path-to-regexp": "^8.4.2",
     "qs": "^6.15.2",
-    "tslib": "^2.8.1",
     "winston": "^3.19.0"
   },
   "devDependencies": {