Files
2026-07-13 13:39:12 +08:00

275 lines
12 KiB
JavaScript

#!/usr/bin/env node
// scripts/check/check-error-helper.mjs
// Gate Hard Rule #12 (error sanitization): error responses/results built in
// open-sse/executors/ and open-sse/handlers/ MUST route through the helpers in
// open-sse/utils/error.ts (buildErrorBody / errorResponse / sanitizeErrorMessage /
// sanitizeUpstreamDetails / makeExecutorErrorResult / formatProviderError / …) so
// raw err.stack / err.message / upstream body.error.message never reach a client.
//
// The risk: a file that builds its own `new Response(JSON.stringify({ error: {
// message: err.message } }))` (or a result object with `error: <raw msg>`) and does
// NOT import the sanitizer leaks stack traces / absolute paths / upstream internals.
// CodeQL's js/stack-trace-exposure does not understand the custom sanitizer, so this
// static gate is the canonical enforcement. See docs/security/ERROR_SANITIZATION.md.
//
// Conservative by design: a file is flagged ONLY when it both (a) appears to forward
// a RAW error value into a response/result body AND (b) imports nothing from a
// utils/error path. Files that import the helper are trusted (the `body.error.message`
// they reference is the sanitized output of buildErrorBody, not raw upstream).
import fs from "node:fs";
import path from "node:path";
import { pathToFileURL } from "node:url";
import { assertNoStale } from "./lib/allowlist.mjs";
const cwd = process.cwd();
// Directories to scan (Hard Rule #12 applies to ALL error-response-building surfaces).
// 6A.8: expanded from executors+handlers to include MCP server tools and API route files.
const SCAN_DIRS = [
path.join(cwd, "open-sse/executors"),
path.join(cwd, "open-sse/handlers"),
path.join(cwd, "open-sse/mcp-server"),
];
// Glob-style pattern for API route files under src/app/api/ (matched by path test below).
const IS_API_ROUTE = /^src\/app\/api\/.+\/route\.tsx?$/;
// Pre-existing violators frozen so the gate is green NOW and blocks only NEW leaks.
// Each entry is a real Rule #12 gap (raw err.message forwarded into a response body
// with no utils/error import) and should become a tracked cleanup issue: route the
// message through sanitizeErrorMessage()/buildErrorBody()/makeExecutorErrorResult().
// Do NOT add new entries without a justification — that defeats the gate.
export const KNOWN_MISSING_ERROR_HELPER = new Set([
// --- original open-sse/executors + handlers scope (pre-6A.8) ---
// --- 6A.8 expanded scope: src/app/api/**/route.ts pre-existing violations ---
// TODO(6A.8): pre-existing, triage — route through buildErrorBody()/sanitizeErrorMessage()
]);
// Import specifiers that count as "uses the error helper" (path ends in utils/error).
const ERROR_HELPER_IMPORT =
/\bfrom\s*["'](?:\.{1,2}\/)*(?:open-sse\/)?utils\/error(?:\.[tj]s)?["']|@omniroute\/open-sse\/utils\/error/;
// A caught-error identifier whose .message/.stack is RAW (not sanitized): the leading
// token must be exactly `err` / `error` / `e` (optionally `(err as Error)` cast), and
// NOT preceded by a member access — so `event.error.message` (an upstream-event read)
// does not match, only our own caught `err.message` / `error.stack` / `(err as …).msg`.
// The `(?<![.\w])` lookbehind is non-consuming so it works mid-template (e.g. `${err…`).
const RAW_ERR = String.raw`(?:\((?:err|error|e)\s+as\s+[^)]+\)|(?<![.\w])(?:err|error|e))\.(?:message|stack)\b`;
// Lines that are internal sinks (never reach the client) — excluded so the gate does
// not false-positive on logging, DB audit rows, thrown Errors, or rejected promises.
const INTERNAL_SINK =
/\b(?:log\??\.\w+\??\.?\(|console\.\w+\(|saveCallLog\s*\(|reqLogger\.|throw\s+new\s+\w*Error|reject\s*\(|\.error\??\.\(|finish\s*\()/;
// Internal-sink CALL openers — when a raw-error field sits inside one of these calls'
// argument object (e.g. `saveCallLog({ … error: err.message … })`), it is a DB audit
// row / log entry, not a client response. Matched against the line that opens the
// nearest still-unclosed call enclosing the flagged line.
const INTERNAL_SINK_CALL =
/\b(?:saveCallLog|log\??\.\w+|console\.\w+|reqLogger\.\w+)\s*\(\s*\{?\s*$/;
// A line that is constructing a client-facing response/result body.
const RESPONSE_LINE =
/new\s+Response\s*\(|\bresponse\s*:|\berrResp\s*\(|\bmakeErrorResponse\s*\(|\berrorResponse\s*\(/;
function walk(dir, acc = []) {
if (!fs.existsSync(dir)) return acc;
for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
const p = path.join(dir, e.name);
if (e.isDirectory()) walk(p, acc);
else if (/\.tsx?$/.test(e.name) && !/\.test\.tsx?$/.test(e.name)) acc.push(p);
}
return acc;
}
// A raw caught-error value assigned to / interpolated into a `message:`/`error:` field.
const RAW_ERR_FIELD = new RegExp(String.raw`\b(?:message|error)\s*:\s*` + RAW_ERR);
const RAW_ERR_FIELD_INTERP = new RegExp(
String.raw`\b(?:message|error)\s*:\s*[\`"'][^\n]*\$\{[^}]*` + RAW_ERR
);
// A raw caught-error value interpolated anywhere on a line that also builds a Response.
const RAW_ERR_INTERP = new RegExp(String.raw`\$\{[^}]*` + RAW_ERR);
// Upstream `body.error.message` forwarded into a field without a sanitize call.
const RAW_BODY_ERR = /\b(?:message|error)\s*:\s*[^,}\n]*\bbody\.error\.message\b/;
// A response-builder CALL that takes a message argument (client-facing). A tainted
// local variable (assigned from a raw error) passed here is a leak.
const RESPONSE_BUILDER_CALL =
/\b(?:errResp|makeErrorResponse|errorResponse)\s*\(|\bresponse\s*:\s*(?:errResp|makeErrorResponse|errorResponse|new\s+Response)\s*\(/;
// `const|let <id> = <expr containing a raw caught-error>` — a tainted local holding a
// raw, unsanitized error string. Captures the variable name for downstream tracking.
const TAINT_DECL = new RegExp(
String.raw`\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*[^;\n]*` + RAW_ERR
);
/**
* Does this source forward a RAW error value into a CLIENT-FACING response/result body?
*
* Line-anchored + sink-aware so it does not false-positive on logging, DB audit rows
* (saveCallLog), thrown Errors, rejected promises, or parsed upstream-event reads.
*
* A line is a violation when, after skipping internal-sink lines, it either:
* - assigns/interpolates a raw caught-error into a `message:`/`error:` field, or
* - interpolates a raw caught-error AND is itself a Response/result-builder line, or
* - forwards upstream `body.error.message` into a field without sanitizing, or
* - passes a TAINTED local (a var assigned from a raw error, never sanitized) into a
* response-builder call (errResp / makeErrorResponse / errorResponse / new Response).
*/
function forwardsRawError(source) {
const lines = source.split("\n").map((l) => l.replace(/\/\/.*$/, ""));
// Pass 1: collect tainted local variables (raw error, no sanitize on the line).
const tainted = new Set();
for (const line of lines) {
if (INTERNAL_SINK.test(line)) continue;
const m = line.match(TAINT_DECL);
if (m && !/sanitize/i.test(line)) tainted.add(m[1]);
}
const taintedUse =
tainted.size > 0 ? new RegExp(String.raw`\b(?:${[...tainted].join("|")})\b`) : null;
// Pass 2: scan for leak lines.
for (let i = 0; i < lines.length; i++) {
const line = lines[i];
if (!line.trim()) continue;
if (INTERNAL_SINK.test(line)) continue; // log / audit / throw / reject
if (TAINT_DECL.test(line)) continue; // the assignment itself is not the leak
const directLeak =
RAW_ERR_FIELD.test(line) ||
RAW_ERR_FIELD_INTERP.test(line) ||
(RAW_ERR_INTERP.test(line) && RESPONSE_LINE.test(line)) ||
// Multi-line OpenAI error envelope: a raw-error interpolation that sits inside
// an enclosing `error: {` / `message:` field of a `new Response(` body.
(RAW_ERR_INTERP.test(line) && enclosedByErrorResponseBody(lines, i)) ||
(RAW_BODY_ERR.test(line) && !/sanitize/i.test(line));
const taintedLeak =
taintedUse !== null && RESPONSE_BUILDER_CALL.test(line) && taintedUse.test(line);
// The raw error reaches a client body unless it lives inside an internal-sink
// call's argument object (saveCallLog / log / console / reqLogger).
if ((directLeak || taintedLeak) && !enclosedByInternalSinkCall(lines, i)) return true;
}
return false;
}
/**
* Walk back from `idx`, tracking net brace/paren depth, to find the line that opens
* the call enclosing `idx`. Returns true if that opener is an internal-sink call.
* Bounded lookback (sink-call argument objects are small) keeps this cheap.
*/
function enclosedByInternalSinkCall(lines, idx) {
let depth = 0;
for (let j = idx; j >= 0 && idx - j < 80; j--) {
const l = lines[j].replace(/\/\/.*$/, "");
for (let k = l.length - 1; k >= 0; k--) {
const ch = l[k];
if (ch === ")" || ch === "}") depth++;
else if (ch === "(" || ch === "{") {
if (depth === 0) {
// Unbalanced opener at this position — the enclosing construct starts here.
return INTERNAL_SINK_CALL.test(l.slice(0, k + 1));
}
depth--;
}
}
}
return false;
}
// Field opener that is part of an OpenAI-style error envelope (`error: {` / `message:`).
const ERROR_FIELD_OPENER = /\b(?:error|message)\s*:\s*[`{]?\s*$/;
/**
* Walk back from `idx` to the nearest enclosing `{`/`(` opener; if it opens an error
* envelope field (`error: {` / `message:`) AND a `new Response(` / `response:` builder
* appears just above it, the raw error reaches a client error body. Conservative: only
* the canonical error-envelope shape qualifies (not `content:` / data fields).
*/
function enclosedByErrorResponseBody(lines, idx) {
let depth = 0;
for (let j = idx; j >= 0 && idx - j < 80; j--) {
const l = lines[j].replace(/\/\/.*$/, "");
for (let k = l.length - 1; k >= 0; k--) {
const ch = l[k];
if (ch === ")" || ch === "}") depth++;
else if (ch === "(" || ch === "{") {
if (depth === 0) {
if (!ERROR_FIELD_OPENER.test(l.slice(0, k + 1))) return false;
// Confirm a Response builder sits in the few lines above the envelope.
const window = lines.slice(Math.max(0, j - 8), j + 1).join("\n");
return /new\s+Response\s*\(|\bresponse\s*:/.test(window);
}
depth--;
}
}
}
return false;
}
export function findErrorHelperViolations(files, allowlist) {
const violations = [];
for (const { path: rel, source } of files) {
if (allowlist.has(rel)) continue;
if (ERROR_HELPER_IMPORT.test(source)) continue; // trusts the helper
if (forwardsRawError(source)) violations.push(rel);
}
return violations;
}
function collectFiles() {
const files = [];
// Standard scan dirs (open-sse/executors, handlers, mcp-server).
for (const dir of SCAN_DIRS) {
for (const p of walk(dir)) {
files.push({
path: path.relative(cwd, p).replace(/\\/g, "/"),
source: fs.readFileSync(p, "utf8"),
});
}
}
// 6A.8: also scan all src/app/api/**/route.ts files.
const apiRoot = path.join(cwd, "src/app/api");
for (const p of walk(apiRoot)) {
const rel = path.relative(cwd, p).replace(/\\/g, "/");
if (IS_API_ROUTE.test(rel)) {
files.push({ path: rel, source: fs.readFileSync(p, "utf8") });
}
}
return files;
}
function main() {
const files = collectFiles();
// 6A.8: stale-allowlist enforcement.
// Compute live violations WITHOUT the allowlist so we can detect entries that are
// now stale (the violation was fixed, but the freeze entry was not removed).
const liveViolations = findErrorHelperViolations(files, new Set());
assertNoStale(KNOWN_MISSING_ERROR_HELPER, liveViolations, "check-error-helper");
// Suppress known pre-existing violations so only NEW leaks fail the gate.
const violations = findErrorHelperViolations(files, KNOWN_MISSING_ERROR_HELPER);
if (violations.length) {
console.error(
`[check-error-helper] ${violations.length} file(s) build an error response/result with a ` +
`raw err.message/err.stack/body.error.message but do NOT import open-sse/utils/error:\n` +
violations.map((v) => " ✗ " + v).join("\n") +
`\n → route the message through buildErrorBody()/sanitizeErrorMessage()/` +
`makeExecutorErrorResult() (see docs/security/ERROR_SANITIZATION.md), or — if it is a ` +
`false positive — add it to KNOWN_MISSING_ERROR_HELPER with a justification.`
);
process.exit(1);
}
if (process.exitCode === 1) return; // stale entries already logged
console.log(
`[check-error-helper] OK (${files.length} files scanned, ${KNOWN_MISSING_ERROR_HELPER.size} known-missing frozen)`
);
}
if (import.meta.url === pathToFileURL(process.argv[1] || "").href) main();