@sentzunhat/zacatl
A modular, high-performance TypeScript microservice framework for Node.js, featuring layered architecture, dependency injection, and robust validation for building scalable APIs and distributed systems.
;
// CommonJS interop preamble: flag the module with `__esModule` and declare the
// export slot up front; the actual function is assigned at the end of the file.
Object.defineProperty(exports, "__esModule", { value: true });
exports.validateCommandSpec = void 0;
const path_1 = require("path");
const error_1 = require("../../error/index.js");
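// Characters rejected in every argument regardless of policy: ; & | ` $ < > ! \
// NOTE(review): this is a denylist and is applied to arguments only, not to
// spec.cmd. It does not cover newlines, quotes, parentheses or glob characters,
// so it should be treated as defence in depth. Presumably the runner spawns
// without a shell; confirm against the caller.
const SUSPICIOUS_CHARS_RE = /[;&|`$<>!\\]/;

/**
 * Report whether `dir` is `root` itself or lies beneath it.
 *
 * Both paths are resolved first, so `..` segments are collapsed before the
 * comparison, and the prefix match is anchored on a path separator so that
 * a sibling such as `/srv/app-other` is not accepted for root `/srv/app`.
 * The check is lexical only: symbolic links are not followed.
 *
 * @param {string} dir - Directory to test.
 * @param {string} root - Directory that must contain `dir`.
 * @returns {boolean} True when `dir` is inside (or equal to) `root`.
 */
const isWithinDirectory = (dir, root) => {
    const resolvedRoot = path_1.resolve(root);
    const resolvedDir = path_1.resolve(dir);
    if (resolvedDir === resolvedRoot) {
        return true;
    }
    // A filesystem root already ends with the separator; do not double it.
    const rootWithSep = resolvedRoot.endsWith(path_1.sep)
        ? resolvedRoot
        : resolvedRoot + path_1.sep;
    return resolvedDir.startsWith(rootWithSep);
};

/**
 * Validate a command specification against a policy before it is run.
 *
 * Checks, in order:
 *  1. `spec.cmd` must be listed in `policy.allowlist` (exact string match).
 *     An absent or empty allowlist disables this check, i.e. any command passes.
 *  2. No argument may match any regular expression in `policy.denyPatterns`.
 *  3. No argument may contain a character from SUSPICIOUS_CHARS_RE.
 *  4. `spec.cwd` must be `policy.cwdPrefix` or a directory beneath it.
 *
 * NOTE(review): check 4 is skipped when `spec.cwd` is undefined, so a command
 * without an explicit cwd is not constrained by `cwdPrefix`; confirm that the
 * runner supplies a safe default working directory in that case.
 *
 * @param {{cmd: string, args?: string[], cwd?: string}} spec - Command to validate.
 *   A missing `args` is treated as an empty list.
 * @param {{allowlist?: string[], denyPatterns?: Array<string|RegExp>, cwdPrefix?: string}} policy
 *   Policy to enforce.
 * @returns {void}
 * @throws {ValidationError} When any check fails.
 * @throws {SyntaxError} When a deny pattern is not a valid regular expression.
 */
const validateCommandSpec = (spec, policy) => {
    // Tolerate a spec without arguments instead of failing with a TypeError.
    const args = spec.args == null ? [] : spec.args;
    if (policy.allowlist && policy.allowlist.length > 0) {
        if (!policy.allowlist.includes(spec.cmd)) {
            throw new error_1.ValidationError({
                message: `Command "${spec.cmd}" is not in the allowlist`,
                component: 'CommandRunner',
                operation: 'validateCommandSpec',
                metadata: { cmd: spec.cmd, allowlist: policy.allowlist },
            });
        }
    }
    if (policy.denyPatterns && policy.denyPatterns.length > 0) {
        for (const arg of args) {
            for (const pattern of policy.denyPatterns) {
                // A fresh RegExp per test keeps the match stateless even if a
                // pattern carries the `g` or `y` flag (no shared lastIndex).
                if (new RegExp(pattern).test(arg)) {
                    throw new error_1.ValidationError({
                        message: `Argument "${arg}" matches deny pattern "${pattern}"`,
                        component: 'CommandRunner',
                        operation: 'validateCommandSpec',
                        metadata: { arg, pattern },
                    });
                }
            }
        }
    }
    for (const arg of args) {
        if (SUSPICIOUS_CHARS_RE.test(arg)) {
            throw new error_1.ValidationError({
                message: `Argument "${arg}" contains a suspicious character`,
                component: 'CommandRunner',
                operation: 'validateCommandSpec',
                metadata: { arg },
            });
        }
    }
    if (policy.cwdPrefix !== undefined && spec.cwd !== undefined) {
        // A raw string prefix test would accept "<prefix>/../elsewhere" and
        // "<prefix>-sibling"; compare resolved paths on a separator boundary.
        if (!isWithinDirectory(spec.cwd, policy.cwdPrefix)) {
            throw new error_1.ValidationError({
                message: `Working directory "${spec.cwd}" is outside the allowed prefix "${policy.cwdPrefix}"`,
                component: 'CommandRunner',
                operation: 'validateCommandSpec',
                metadata: { cwd: spec.cwd, cwdPrefix: policy.cwdPrefix },
            });
        }
    }
};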
// Expose the validator on the CommonJS exports object.
exports.validateCommandSpec = validateCommandSpec;
//# sourceMappingURL=policy.js.map