UNPKG

termcode

Version:

Superior terminal AI coding agent with enterprise-grade security, intelligent error recovery, performance monitoring, and plugin system - Advanced Claude Code alternative

github.com/dhrxv8/TermCoder

dhrxv8/TermCoder

172 lines (171 loc) 6.24 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
import { spawn } from "node:child_process"; import path from "node:path"; import { CFG } from "../config.js"; // Dangerous command patterns to block const DANGEROUS_PATTERNS = [ /rm\s+-rf?\s+[\/~]/, // rm -rf / or ~/ /sudo/, // sudo commands /su\b/, // su commands /passwd/, // password changes /chmod\s+777/, // chmod 777 />\s*\/dev\/null/, // redirects that might hide output /curl.*\|\s*sh/, // pipe curl to shell /wget.*\|\s*sh/, // pipe wget to shell /eval/, // eval commands /exec/, // exec commands ]; const ALLOWED_COMMANDS = new Set([ // Package managers & build tools "npm", "pnpm", "yarn", "bun", "node", "uv", "python", "python3", "pip", "pipx", "poetry", "go", "cargo", "rustc", "tsc", "javac", "mvn", "gradle", // Test runners "pytest", "npx", "jest", "vitest", "mocha", "karma", // Linters & formatters "eslint", "prettier", "ruff", "flake8", "black", "isort", "golangci-lint", "clippy", "rustfmt", // VCS (limited) "git", // Safe utilities "which", "where", "echo", "cat", "ls", "pwd", "whoami", ]); function validateCommand(cmd) { if (cmd.length === 0) { return { valid: false, error: "Empty command" }; } const bin = cmd[0]; const fullCommand = cmd.join(" "); // Check if command is in allow list if (!ALLOWED_COMMANDS.has(bin)) { return { valid: false, error: `Command not allowed: ${bin}. Allowed: ${Array.from(ALLOWED_COMMANDS).join(", ")}` }; } // Check for dangerous patterns for (const pattern of DANGEROUS_PATTERNS) { if (pattern.test(fullCommand)) { return { valid: false, error: `Command contains dangerous pattern: ${fullCommand}` }; } } // Additional git safety checks if (bin === "git") { const subCommand = cmd[1]; const dangerousGitCommands = ["push", "pull", "fetch", "clone", "remote"]; if (dangerousGitCommands.includes(subCommand)) { return { valid: false, error: `Dangerous git command blocked: git ${subCommand}. Use TermCode's built-in git workflow instead.` }; } } return { valid: true }; } export async function runShell(cmd, cwd, stdin) { // Use enhanced security sandbox for validation and execution try { // Import sandbox here to avoid circular dependencies const { sandbox } = await import("../security/sandbox.js"); const result = await sandbox.execute(cmd, cwd, stdin); if (result.ok) { return { ok: true, data: result.data }; } else if (result.blocked) { return { ok: false, error: `Security: ${result.blocked}` }; } else { return { ok: false, error: result.error || "Shell execution failed" }; } } catch (error) { // Fallback to legacy validation if sandbox fails const validation = validateCommand(cmd); if (!validation.valid) { return { ok: false, error: validation.error }; } // Ensure working directory is safe (no directory traversal) const resolvedCwd = path.resolve(cwd); if (!resolvedCwd.startsWith(path.resolve(process.cwd()))) { return { ok: false, error: "Working directory outside project bounds" }; } // Fallback to legacy execution return legacyExecute(cmd, resolvedCwd, stdin); } } function legacyExecute(cmd, resolvedCwd, stdin) { return new Promise((resolve) => { const bin = cmd[0]; const args = cmd.slice(1); // Use spawn with shell: false for better security const child = spawn(bin, args, { cwd: resolvedCwd, shell: false, stdio: [stdin ? "pipe" : "ignore", "pipe", "pipe"], // Enable stdin if provided env: { ...process.env, // Remove potentially dangerous environment variables PATH: process.env.PATH, HOME: process.env.HOME, USER: process.env.USER, PWD: resolvedCwd, // Clear shell-related variables SHELL: undefined, BASH_ENV: undefined, ENV: undefined } }); let stdout = ""; let stderr = ""; let killed = false; const timer = setTimeout(() => { killed = true; child.kill("SIGKILL"); resolve({ ok: false, error: `Command timed out after ${CFG.SHELL_TIMEOUT_MS}ms` }); }, CFG.SHELL_TIMEOUT_MS); child.stdout?.on("data", (data) => { stdout += String(data); // Prevent memory exhaustion from large outputs if (stdout.length > 1024 * 1024) { // 1MB limit child.kill("SIGKILL"); clearTimeout(timer); resolve({ ok: false, error: "Output too large (>1MB)" }); } }); child.stderr?.on("data", (data) => { stderr += String(data); // Prevent memory exhaustion from large outputs if (stderr.length > 1024 * 1024) { // 1MB limit child.kill("SIGKILL"); clearTimeout(timer); resolve({ ok: false, error: "Error output too large (>1MB)" }); } }); child.on("error", (error) => { if (!killed) { clearTimeout(timer); resolve({ ok: false, error: `Failed to start command: ${error.message}` }); } }); child.on("close", (code, signal) => { if (!killed) { clearTimeout(timer); resolve({ ok: true, data: { code: code ?? -1, stdout: stdout.trim(), stderr: stderr.trim() } }); } }); // Send stdin if provided if (stdin && child.stdin) { child.stdin.write(stdin); child.stdin.end(); } }); }