Merge remote-tracking branch 'upstream/main' into renovate/all

Author: konard

docs/pr-screenshots/issue-250/terminal-local-image-proof.png

@@ -1,3 +1,5 @@
+import { fileURLToPath } from "node:url"
+
 export type TerminalImageFetchPlan =
   | {
     readonly _tag: "InvalidTerminalImageFetch"
@@ -23,6 +25,21 @@ const controlCharRange = `${String.fromCodePoint(0)}-${String.fromCodePoint(0x1F
 const deleteChar = String.fromCodePoint(0x7F)
 const invalidCharacterPattern = new RegExp(String.raw`[\s${controlCharRange}${deleteChar}]`, "u")
 const traversalPattern = /(?:^|\/)(?:\.|\.\.)(?=\/|$)/u
+const urlSchemePattern = /^[A-Za-z][A-Za-z0-9+.-]*:/u
+const fileUrlPattern = /^file:\/\//iu
+const encodedPathSeparatorPattern = /%(?:2f|5c)/iu
+const fileUrlBackslashPattern = /\\/u
+const fileUrlTraversalPattern = /(?:^|[\\/])(?:\.|%2e)(?:(?:\.|%2e))?(?=[\\/]|$)/iu
+
+type TerminalImagePathNormalization =
+  | {
+    readonly _tag: "InvalidTerminalImagePath"
+    readonly message: string
+  }
+  | {
+    readonly _tag: "ValidTerminalImagePath"
+    readonly path: string
+  }
 
 const lowercaseExtension = (path: string): string | null => {
   const lastDot = path.lastIndexOf(".")
@@ -32,26 +49,85 @@ const lowercaseExtension = (path: string): string | null => {
   return path.slice(lastDot + 1).toLowerCase()
 }
 
+const rawFileUrlPathname = (path: string): string => {
+  const withoutScheme = path.slice("file://".length)
+  const pathStart = withoutScheme.indexOf("/")
+  if (pathStart < 0) {
+    return ""
+  }
+  const pathAndSuffix = withoutScheme.slice(pathStart)
+  const queryStart = pathAndSuffix.indexOf("?")
+  const hashStart = pathAndSuffix.indexOf("#")
+  if (queryStart < 0 && hashStart < 0) {
+    return pathAndSuffix
+  }
+  if (queryStart < 0) {
+    return pathAndSuffix.slice(0, hashStart)
+  }
+  if (hashStart < 0) {
+    return pathAndSuffix.slice(0, queryStart)
+  }
+  return pathAndSuffix.slice(0, Math.min(queryStart, hashStart))
+}
+
+const normalizeTerminalImagePath = (path: string): TerminalImagePathNormalization => {
+  if (!urlSchemePattern.test(path)) {
+    return { _tag: "ValidTerminalImagePath", path }
+  }
+  if (!fileUrlPattern.test(path)) {
+    return { _tag: "InvalidTerminalImagePath", message: "Only file:// image URLs are supported." }
+  }
+
+  const rawPathname = rawFileUrlPathname(path)
+  if (fileUrlTraversalPattern.test(rawPathname)) {
+    return { _tag: "InvalidTerminalImagePath", message: "Image path must not contain '.' or '..' segments." }
+  }
+  if (encodedPathSeparatorPattern.test(rawPathname) || fileUrlBackslashPattern.test(rawPathname)) {
+    return {
+      _tag: "InvalidTerminalImagePath",
+      message: "Image file URL must not contain encoded or backslash path separators."
+    }
+  }
+
+  try {
+    const url = new URL(path)
+    if (url.protocol !== "file:" || (url.hostname !== "" && url.hostname !== "localhost")) {
+      return { _tag: "InvalidTerminalImagePath", message: "Image file URL must point to a local path." }
+    }
+    if (url.search.length > 0 || url.hash.length > 0) {
+      return { _tag: "InvalidTerminalImagePath", message: "Image file URL must not include query or fragment." }
+    }
+    return { _tag: "ValidTerminalImagePath", path: fileURLToPath(url, { windows: false }) }
+  } catch {
+    return { _tag: "InvalidTerminalImagePath", message: "Image file URL is invalid." }
+  }
+}
+
 export const planTerminalImageFetch = (path: string): TerminalImageFetchPlan => {
   if (typeof path !== "string" || path.length === 0) {
     return { _tag: "InvalidTerminalImageFetch", message: "Image path is required." }
   }
-  if (!path.startsWith("/")) {
+  const normalized = normalizeTerminalImagePath(path)
+  if (normalized._tag === "InvalidTerminalImagePath") {
+    return { _tag: "InvalidTerminalImageFetch", message: normalized.message }
+  }
+  const containerPath = normalized.path
+  if (!containerPath.startsWith("/")) {
     return { _tag: "InvalidTerminalImageFetch", message: "Image path must be absolute." }
   }
-  if (invalidCharacterPattern.test(path)) {
+  if (invalidCharacterPattern.test(containerPath)) {
     return { _tag: "InvalidTerminalImageFetch", message: "Image path contains invalid characters." }
   }
-  if (traversalPattern.test(path)) {
+  if (traversalPattern.test(containerPath)) {
     return { _tag: "InvalidTerminalImageFetch", message: "Image path must not contain '.' or '..' segments." }
   }
-  const extension = lowercaseExtension(path)
+  const extension = lowercaseExtension(containerPath)
   if (extension === null) {
     return { _tag: "InvalidTerminalImageFetch", message: "Image path must include a file extension." }
   }
   const mediaType = supportedExtensionMediaTypes.get(extension)
   if (mediaType === undefined) {
     return { _tag: "InvalidTerminalImageFetch", message: `Unsupported image extension: .${extension}` }
   }
-  return { _tag: "ValidTerminalImageFetch", containerPath: path, mediaType }
+  return { _tag: "ValidTerminalImageFetch", containerPath, mediaType }
 }

packages/api/src/services/terminal-image-fetch-core.ts

@@ -3,14 +3,22 @@ import { describe, expect, it } from "@effect/vitest"
 import { planTerminalImageFetch } from "../src/services/terminal-image-fetch-core.js"
 
 describe("terminal image fetch core", () => {
-  it("accepts an absolute path with a supported image extension", () => {
+  it("continues to accept an absolute path with a supported image extension", () => {
     expect(planTerminalImageFetch("/tmp/issue232-main.png")).toEqual({
       _tag: "ValidTerminalImageFetch",
       containerPath: "/tmp/issue232-main.png",
       mediaType: "image/png"
     })
   })
 
+  it("accepts a file URL and normalizes it to an absolute container path", () => {
+    expect(planTerminalImageFetch("file:///tmp/phantom-e2e.tuhl98/wallet-step-after-password.png")).toEqual({
+      _tag: "ValidTerminalImageFetch",
+      containerPath: "/tmp/phantom-e2e.tuhl98/wallet-step-after-password.png",
+      mediaType: "image/png"
+    })
+  })
+
   it("maps each supported extension to its media type", () => {
     expect(planTerminalImageFetch("/a.jpg")).toMatchObject({ mediaType: "image/jpeg" })
     expect(planTerminalImageFetch("/a.jpeg")).toMatchObject({ mediaType: "image/jpeg" })
@@ -33,6 +41,13 @@ describe("terminal image fetch core", () => {
     })
   })
 
+  it("rejects non-file URLs", () => {
+    expect(planTerminalImageFetch("https://example.com/tmp/photo.png")).toEqual({
+      _tag: "InvalidTerminalImageFetch",
+      message: "Only file:// image URLs are supported."
+    })
+  })
+
   it("rejects whitespace and control characters", () => {
     expect(planTerminalImageFetch("/tmp/has space.png")).toMatchObject({
       _tag: "InvalidTerminalImageFetch"
@@ -51,6 +66,32 @@ describe("terminal image fetch core", () => {
     })
   })
 
+  it("rejects traversal segments in file URLs before URL normalization", () => {
+    expect(planTerminalImageFetch("file:///tmp/../etc/photo.png")).toMatchObject({
+      _tag: "InvalidTerminalImageFetch",
+      message: "Image path must not contain '.' or '..' segments."
+    })
+    expect(planTerminalImageFetch("file:///tmp/%2E%2E/etc/photo.png")).toMatchObject({
+      _tag: "InvalidTerminalImageFetch",
+      message: "Image path must not contain '.' or '..' segments."
+    })
+  })
+
+  it("rejects unsafe file URL forms", () => {
+    expect(planTerminalImageFetch("file://example.com/tmp/photo.png")).toMatchObject({
+      _tag: "InvalidTerminalImageFetch",
+      message: "Image file URL must point to a local path."
+    })
+    expect(planTerminalImageFetch("file:///tmp/photo.png?download=1")).toMatchObject({
+      _tag: "InvalidTerminalImageFetch",
+      message: "Image file URL must not include query or fragment."
+    })
+    expect(planTerminalImageFetch("file:///tmp/%2Fetc/photo.png")).toMatchObject({
+      _tag: "InvalidTerminalImageFetch",
+      message: "Image file URL must not contain encoded or backslash path separators."
+    })
+  })
+
   it("rejects unsupported extensions", () => {
     expect(planTerminalImageFetch("/tmp/file.bmp")).toMatchObject({
       _tag: "InvalidTerminalImageFetch"

packages/api/tests/terminal-image-fetch-core.test.ts

@@ -0,0 +1,13 @@
+import type { ApiEvent } from "./api.js"
+
+export const readEventPayloadString = (
+  event: ApiEvent,
+  key: string
+): string | null => {
+  const payload = event.payload
+  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
+    return null
+  }
+  const value = Object.entries(payload).find(([name]) => name === key)?.[1]
+  return typeof value === "string" ? value : null
+}

packages/app/src/web/actions-event-payload.ts

@@ -3,25 +3,14 @@ import { Either } from "effect"
 
 import { createProjectDraftFromInputs } from "../docker-git/menu-create-shared.js"
 import type { CreateInputs } from "../docker-git/menu-types.js"
+import { readEventPayloadString } from "./actions-event-payload.js"
 import { appendOutputLine, appendOutputLineHandler, notifyProjectEventRateLimit } from "./actions-output.js"
 import { type BrowserActionContext, withBusy } from "./actions-shared.js"
 import { ProjectDetailsSchema } from "./api-schema.js"
 import { type ApiEvent, loadProjectDetails, type ProjectDetails, startCreateProject } from "./api.js"
 import { openProjectEventStream } from "./project-events.js"
 import { outputScreen, projectPickerScreen } from "./screen.js"
 
-const readEventPayloadString = (
-  event: ApiEvent,
-  key: string
-): string | null => {
-  const payload = event.payload
-  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
-    return null
-  }
-  const value = Object.entries(payload).find(([name]) => name === key)?.[1]
-  return typeof value === "string" ? value : null
-}
-
 const readCreatedProjectId = (event: ApiEvent): string | null =>
   event.type === "project.created" ? readEventPayloadString(event, "projectId") : null
 

packages/app/src/web/actions-project-create.ts

@@ -1,5 +1,6 @@
 import { openSelectedProjectBrowser } from "./actions-browser.js"
 import { openSelectedProjectDatabaseEditor } from "./actions-databases.js"
+import { readEventPayloadString } from "./actions-event-payload.js"
 import { appendOutputLine, appendOutputLineHandler, notifyProjectEventRateLimit } from "./actions-output.js"
 import { openSelectedProjectPort } from "./actions-port-forwards.js"
 import {
@@ -13,9 +14,9 @@ import {
 } from "./actions-shared.js"
 import { loadSelectedProjectTasks } from "./actions-tasks.js"
 import {
+  type ApiEvent,
   applyAllProjects,
   applyProject,
-  type ApiEvent,
   deleteProject,
   downAllProjects,
   downProject,
@@ -79,41 +80,33 @@ const resolveProjectTerminalKey = (
 }
 
 const randomHex = (bytes: number): string => {
-  const getRandomValues = globalThis.crypto?.getRandomValues
-  if (typeof getRandomValues === "function") {
-    const values = new Uint8Array(bytes)
-    getRandomValues.call(globalThis.crypto, values)
-    return Array.from(values, (value) => value.toString(16).padStart(2, "0")).join("")
-  }
-
-  let fallback = ""
-  while (fallback.length < bytes * 2) {
-    fallback += Math.floor(Math.random() * 0x1_0000_0000)
-      .toString(16)
-      .padStart(8, "0")
-  }
-  return fallback.slice(0, bytes * 2)
+  const values = new Uint8Array(bytes)
+  globalThis.crypto.getRandomValues(values)
+  return Array.from(values, (value) => value.toString(16).padStart(2, "0")).join("")
 }
 
 const createPendingTerminalSessionId = (): string => {
-  const randomUUID = globalThis.crypto?.randomUUID
-  if (typeof randomUUID === "function") {
-    return randomUUID.call(globalThis.crypto)
+  if (Reflect.has(globalThis.crypto, "randomUUID")) {
+    return globalThis.crypto.randomUUID()
   }
 
   return `pending-${Date.now().toString(16)}-${randomHex(8)}`
 }
 
-const readEventPayloadString = (
-  event: ApiEvent,
-  key: string
-): string | null => {
-  const payload = event.payload
-  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
-    return null
-  }
-  const value = Object.entries(payload).find(([name]) => name === key)?.[1]
-  return typeof value === "string" ? value : null
+type ProjectActiveTerminalSessionArgs = Omit<
+  Parameters<typeof buildProjectActiveTerminalSession>[0],
+  "onExit" | "onReady"
+>
+
+const addProjectTerminalSession = (
+  context: BrowserActionContext,
+  args: ProjectActiveTerminalSessionArgs
+) => {
+  context.addTerminalSession(buildProjectActiveTerminalSession({
+    ...args,
+    onExit: context.reloadDashboard,
+    onReady: context.reloadDashboard
+  }))
 }
 
 const readTerminalSessionCreatedId = (
@@ -188,6 +181,11 @@ export const connectProjectById = (
     stream?.close()
     stream = null
   }
+  const showPendingTerminalError = (error: string) => {
+    pendingSessionFinalized = true
+    appendOutputLine(context, `[error] ${error}`)
+    context.addTerminalSession(renderPendingTerminalSession(error, "error"))
+  }
   const attachCreatedSession = (sessionId: string) => {
     if (attachedSessionId !== null) {
       return
@@ -198,23 +196,19 @@ export const connectProjectById = (
       effect: loadProjectTerminalSession(resolvedProjectKey, sessionId),
       label: "Attaching SSH terminal",
       onFailure: (error) => {
-        pendingSessionFinalized = true
-        appendOutputLine(context, `[error] ${error}`)
-        context.addTerminalSession(renderPendingTerminalSession(error, "error"))
+        showPendingTerminalError(error)
         closeStream()
       },
       onSuccess: (session) => {
         pendingSessionFinalized = true
         context.reloadDashboard()
         context.closeTerminalSession(pendingSessionId)
-        context.addTerminalSession(buildProjectActiveTerminalSession({
-          onExit: context.reloadDashboard,
-          onReady: context.reloadDashboard,
+        addProjectTerminalSession(context, {
           projectDisplayName,
           projectId,
           projectKey: resolvedProjectKey,
           session
-        }))
+        })
         context.setMessage(`Project is ready. SSH terminal is connecting for ${projectDisplayName}.`)
         closeStream()
       }
@@ -225,9 +219,7 @@ export const connectProjectById = (
     effect: startProjectTerminalSession(resolvedProjectKey, pendingSessionId),
     label: "Opening SSH terminal",
     onFailure: (error) => {
-      pendingSessionFinalized = true
-      appendOutputLine(context, `[error] ${error}`)
-      context.addTerminalSession(renderPendingTerminalSession(error, "error"))
+      showPendingTerminalError(error)
     },
     onSuccess: (accepted) => {
       appendOutputLine(context, `[ssh.prepare] SSH terminal request accepted (${accepted.requestId})`)
@@ -237,9 +229,7 @@ export const connectProjectById = (
         onEvent: (event) => {
           const failure = readTerminalStartupFailure(event, accepted.requestId)
           if (failure !== null) {
-            pendingSessionFinalized = true
-            appendOutputLine(context, `[error] ${failure}`)
-            context.addTerminalSession(renderPendingTerminalSession(failure, "error"))
+            showPendingTerminalError(failure)
             context.setMessage(failure)
             closeStream()
             return
@@ -306,14 +296,12 @@ export const attachProjectTerminalById = (
     effect: loadProjectTerminalSession(resolvedProjectKey, sessionId),
     label: "Attaching SSH terminal",
     onSuccess: (session) => {
-      context.addTerminalSession(buildProjectActiveTerminalSession({
-        onExit: context.reloadDashboard,
-        onReady: context.reloadDashboard,
+      addProjectTerminalSession(context, {
         projectDisplayName,
         projectId,
         projectKey: resolvedProjectKey,
         session
-      }))
+      })
       context.setMessage(`Attached SSH terminal for ${projectDisplayName}.`)
     }
   })

packages/app/src/web/actions-projects.ts

@@ -23,8 +23,9 @@ import type {
 export type ProjectSummary = Schema.Schema.Type<typeof ProjectSummarySchema>
 export type ProjectDetails = Schema.Schema.Type<typeof ProjectDetailsSchema>
 export type CreateProjectAcceptedResponse = Schema.Schema.Type<typeof CreateProjectAcceptedResponseSchema>
-export type StartProjectTerminalSessionAccepted =
-  Schema.Schema.Type<typeof StartProjectTerminalSessionAcceptedResponseSchema>
+export type StartProjectTerminalSessionAccepted = Schema.Schema.Type<
+  typeof StartProjectTerminalSessionAcceptedResponseSchema
+>
 export type ProjectPortForward = Schema.Schema.Type<typeof ProjectPortForwardSchema>
 export type ProjectBrowserSession = Schema.Schema.Type<typeof ProjectBrowserSessionSchema>
 export type ProjectDatabaseForward = Schema.Schema.Type<typeof ProjectDatabaseForwardSchema>