These currently work in a way that's different from what eslint expects,
so disable it. At some point it would be good if it could check them
(and if the tests could run on CI) but right now they just make a lot of
noise.
Removes or disables the following eslint errors/warnings:
```
/puter/packages/backend/src/api/filesystem/FlagParam.js
33:19 error 'APIError' is not defined no-undef
47:19 error 'APIError' is not defined no-undef
58:15 error 'APIError' is not defined no-undef
/puter/packages/backend/src/api/filesystem/StringParam.js
32:19 error 'APIError' is not defined no-undef
39:13 error 'APIError' is not defined no-undef
46:19 error 'APIError' is not defined no-undef
/puter/packages/backend/src/filesystem/FilesystemService.js
141:17 warning Unexpected 'debugger' statement no-debugger
366:21 error 'services' is not defined no-undef
/puter/packages/backend/src/filesystem/batch/BatchExecutor.js
121:21 error Do not assign to the exception parameter no-ex-assign
/puter/packages/backend/src/filesystem/hl_operations/hl_data_read.js
44:19 error 'APIError' is not defined no-undef
47:22 error 'chkperm' is not defined no-undef
48:19 error 'APIError' is not defined no-undef
51:29 error 'LLRead' is not defined no-undef
54:13 error 'version_id' is not defined no-undef
88:35 error 'PassThrough' is not defined no-undef
/puter/packages/backend/src/filesystem/hl_operations/hl_mkdir.js
68:49 error 'fs' is not defined no-undef
/puter/packages/backend/src/filesystem/hl_operations/hl_move.js
102:33 error 'get_user' is not defined no-undef
104:35 error 'get_user' is not defined no-undef
110:33 error 'df' is not defined no-undef
/puter/packages/backend/src/filesystem/hl_operations/hl_read.js
54:13 error 'stream' is constant no-const-assign
/puter/packages/backend/src/filesystem/hl_operations/hl_stat.js
40:37 error 'APIError' is not defined no-undef
/puter/packages/backend/src/filesystem/lib/PuterPath.js
67:5 error Expected to return a value in getter 'hasRelativePortion' getter-return
/puter/packages/backend/src/filesystem/ll_operations/ll_copy_idea.js
53:21 error 'UploadProgressTracker' is not defined no-undef
73:17 error 'PuterS3StorageStrategy' is not defined no-undef
137:22 error 'LLFilesystemOperation' is not defined no-undef
/puter/packages/backend/src/filesystem/ll_operations/ll_read.js
102:65 error 'offset' is not defined no-undef
102:73 error 'offset' is not defined no-undef
102:80 error 'length' is not defined no-undef
/puter/packages/backend/src/filesystem/ll_operations/ll_rmnode.js
43:23 error 'APIError' is not defined no-undef
/puter/packages/backend/src/filesystem/storage/SystemFSEntryService.js
101:26 error '_path' is not defined no-undef
/puter/packages/backend/src/filesystem/validation.js
27:29 error Unexpected control character(s) in regular expression: \x00, \x1f no-control-regex
28:29 error Unexpected control character(s) in regular expression: \x00, \x1f no-control-regex
28:31 error Unnecessary escape character: \/ no-useless-escape
```
When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.
## Steps To Reproduce & PoC
```js
const axios = require('axios');

// Request a local test endpoint with three credential-bearing headers set.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    console.log(response);
  });
```
When I meet a cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.
```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
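Review bot: the pattern on the `+` line is still an inline literal, so the set of credential headers stripped on a cross-domain redirect is only as complete as this one regex, and nothing in the hunk exercises it. Suggest moving the pattern to a named constant and adding a regression test that sends `ProXy-AuthoriZation` in mixed case through a cross-host redirect and asserts it is absent from the second request, together with `authorization` and `cookie`.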
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849
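The effect of the one-line fix, as an added example (not code from follow-redirects or axios): it applies the old and the new pattern from the diff to the PoC's mixed-case headers. `scrubHeaders`, `headersForRedirect`, `leakedCredentials`, the redirect target `other.example` and the rule that any change of host counts as cross-domain are assumptions of this sketch.

```javascript
// Patterns taken from the diff: before and after the fix.
const BEFORE_FIX = /^(?:authorization|cookie)$/i;
const AFTER_FIX = /^(?:authorization|proxy-authorization|cookie)$/i;

// Constructed sample: the PoC's headers plus one harmless header.
const POC_HEADERS = {
  'AuThorization': 'Rear Test',
  'ProXy-AuthoriZation': 'Rear Test',
  'coOkie': 't=1',
  'Accept': 'application/json',
};

// Hypothetical stand-in for removeMatchingHeaders: returns a copy of
// `headers` without any header whose name matches `regex`.
function scrubHeaders(regex, headers) {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!regex.test(name)) kept[name] = value;
  }
  return kept;
}

// Headers that would be sent on the next hop. Assumption of this model:
// credentials are dropped whenever the redirect changes host (or port).
function headersForRedirect(fromUrl, location, headers, regex) {
  const from = new URL(fromUrl);
  const to = new URL(location, from); // resolves relative Location values
  return from.host === to.host ? { ...headers } : scrubHeaders(regex, headers);
}

// Names of credential-bearing headers still present in `headers`.
function leakedCredentials(headers) {
  return Object.keys(headers).filter((name) => AFTER_FIX.test(name));
}

const target = 'http://other.example/landing'; // constructed redirect target
for (const [label, regex] of [['before fix', BEFORE_FIX], ['after fix', AFTER_FIX]]) {
  const sent = headersForRedirect('http://127.0.0.1:10081/', target, POC_HEADERS, regex);
  console.log(label, '-> credentials forwarded:', leakedCredentials(sent));
}
```

The same two calls make a compact regression check: the forwarded set must be empty for every credential header the client is expected to strip.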
Gives CommandProviders a `complete(query, {ctx})` method where they can provide completed command names, and then make use of this in CommandCompleter.
Supported CommandProvider sources:
- Shell built-ins (was supported previously)
- PATH executables (when running under Node)
- Puter app names (when running in Puter)
Script filenames are not yet supported.
`../bin/foo` should only find `foo` relative to the current working
directory, not to directories in PATH.
Also switch to using the Node path library since PathCommandProvider is
Node-only, and this means getting the correct path separator and
delimiter values on Windows.
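A lookup rule with this behaviour, as an added example (a hypothetical `resolveCommand`, not Phoenix's PathCommandProvider code): names containing a separator are resolved against the working directory only, and bare names are searched in PATH. The `exists` callback, the `p` parameter and the sample paths are assumptions made so the example runs without touching the disk.

```javascript
const path = require('path');

// Hypothetical resolver. `exists` is injected so the lookup can be tested
// against a constructed file list; `p` lets a caller pick path.posix or
// path.win32 explicitly (defaults to the platform's flavour).
function resolveCommand(name, { cwd, pathEnv, exists, p = path }) {
  // A name containing a separator is a path, not a command name:
  // resolve it against cwd and never consult PATH.
  if (name.includes('/') || name.includes(p.sep)) {
    const candidate = p.resolve(cwd, name);
    return exists(candidate) ? candidate : null;
  }
  // Bare name: walk PATH using the platform's delimiter (':' or ';').
  for (const dir of pathEnv.split(p.delimiter)) {
    // An empty PATH entry conventionally means the current directory;
    // this example skips it so bare names never resolve from cwd.
    if (!dir) continue;
    const candidate = p.join(dir, name);
    if (exists(candidate)) return candidate;
  }
  return null;
}

// Constructed sample: `foo` exists only in a PATH directory.
const sampleFiles = new Set(['/usr/bin/foo', '/home/u/bin/ls']);
const sampleOpts = {
  cwd: '/home/u/proj',
  pathEnv: '/usr/local/bin:/usr/bin',
  exists: (file) => sampleFiles.has(file),
  p: path.posix,
};

console.log(resolveCommand('foo', sampleOpts));        // found via PATH
console.log(resolveCommand('../bin/foo', sampleOpts)); // not found: PATH is not searched
console.log(resolveCommand('../bin/ls', sampleOpts));  // found relative to cwd
```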
BetterReader.read_with_cancel() returns both the read promise, and a
function that can be used to cancel the read. A cancelled read is
placed back into the BetterReader's chunk buffer, to be consumed by the
next user that requests a read.
This is used by Coupler so that when the coupler is closed, its pending
read() call does not consume the next batch of input.
This fixes the problem we were having with child applications consuming
one chunk of stdin after they are closed, meaning the first key you
press after an app exits would disappear.
Co-authored-by: KernelDeimos <eric.alex.dube@gmail.com>
After launching an app, if successful, we connect stdio streams to it,
and wait for it to exit before we return to the prompt.
stdio is implemented as regular AppConnection messages:
- stdin: `{ $: 'stdin', data: Uint8Array }` from phoenix -> child
- stdout: `{ $: 'stdout', data: Uint8Array }` from child -> phoenix
Terminal and Phoenix now communicate with each other using the same
style, instead of 'input' and 'output' messages. This will help with
eventually running subshells.
SIGINT currently is not sent. We also suffer from the same "one more
read from stdin happens after app exits" bug that's in
PathCommandProvider where I copied the stdin code from.
Apps are not required to use the Puter SDK. If they don't, then we can
still launch them, close them, and listen to their close event, but are
unable to send messages to them.
This brings Phoenix's minimum required version from 20.x down to 16.x.
ReadableStream.from() is deemed experimental, and requires Node 20.x
(or at least, something higher than 18.x). This was the only code that
made us require version 20.x.
ReadableStream and WritableStream are available from Node 16.5, but
require that they be explicitly imported.