refactor: replace fs with secureFs for improved file handling

This commit updates various modules to utilize the secure file system operations from the secureFs module instead of the native fs module. Key changes include: - Replaced fs imports with secureFs in multiple route handlers and services to enhance security and consistency in file operations. - Added centralized validation for working directories in the sdk-options module to ensure all AI model invocations are secure. These changes aim to improve the security and maintainability of file handling across the application.
2026-02-02 08:33:36 +00:00 · 2025-12-21 01:32:26 -05:00
parent 2b5479ae0d
commit 077a63b03b
62 changed files with 4866 additions and 3350 deletions
--- a/apps/server/src/routes/workspace/routes/config.ts
+++ b/apps/server/src/routes/workspace/routes/config.ts
@@ -2,14 +2,11 @@
 * GET /config endpoint - Get workspace configuration status
 */

-import type { Request, Response } from "express";
-import fs from "fs/promises";
-import path from "path";
-import {
-  getAllowedRootDirectory,
-  getDataDirectory,
-} from "@automaker/platform";
-import { getErrorMessage, logError } from "../common.js";
+import type { Request, Response } from 'express';
+import * as secureFs from '../../../lib/secure-fs.js';
+import path from 'path';
+import { getAllowedRootDirectory, getDataDirectory } from '@automaker/platform';
+import { getErrorMessage, logError } from '../common.js';

 export function createConfigHandler() {
  return async (_req: Request, res: Response): Promise<void> => {
@@ -30,12 +27,12 @@ export function createConfigHandler() {
      // Check if the directory exists
      try {
        const resolvedWorkspaceDir = path.resolve(allowedRootDirectory);
-        const stats = await fs.stat(resolvedWorkspaceDir);
+        const stats = await secureFs.stat(resolvedWorkspaceDir);
        if (!stats.isDirectory()) {
          res.json({
            success: true,
            configured: false,
-            error: "ALLOWED_ROOT_DIRECTORY is not a valid directory",
+            error: 'ALLOWED_ROOT_DIRECTORY is not a valid directory',
          });
          return;
        }
@@ -50,11 +47,11 @@ export function createConfigHandler() {
        res.json({
          success: true,
          configured: false,
-          error: "ALLOWED_ROOT_DIRECTORY path does not exist",
+          error: 'ALLOWED_ROOT_DIRECTORY path does not exist',
        });
      }
    } catch (error) {
-      logError(error, "Get workspace config failed");
+      logError(error, 'Get workspace config failed');
      res.status(500).json({ success: false, error: getErrorMessage(error) });
    }
  };
--- a/apps/server/src/routes/workspace/routes/directories.ts
+++ b/apps/server/src/routes/workspace/routes/directories.ts
@@ -2,11 +2,11 @@
 * GET /directories endpoint - List directories in workspace
 */

-import type { Request, Response } from "express";
-import fs from "fs/promises";
-import path from "path";
-import { getAllowedRootDirectory } from "@automaker/platform";
-import { getErrorMessage, logError } from "../common.js";
+import type { Request, Response } from 'express';
+import * as secureFs from '../../../lib/secure-fs.js';
+import path from 'path';
+import { getAllowedRootDirectory } from '@automaker/platform';
+import { getErrorMessage, logError } from '../common.js';

 export function createDirectoriesHandler() {
  return async (_req: Request, res: Response): Promise<void> => {
@@ -16,7 +16,7 @@ export function createDirectoriesHandler() {
      if (!allowedRootDirectory) {
        res.status(400).json({
          success: false,
-          error: "ALLOWED_ROOT_DIRECTORY is not configured",
+          error: 'ALLOWED_ROOT_DIRECTORY is not configured',
        });
        return;
      }
@@ -25,23 +25,23 @@ export function createDirectoriesHandler() {

      // Check if directory exists
      try {
-        await fs.stat(resolvedWorkspaceDir);
+        await secureFs.stat(resolvedWorkspaceDir);
      } catch {
        res.status(400).json({
          success: false,
-          error: "Workspace directory path does not exist",
+          error: 'Workspace directory path does not exist',
        });
        return;
      }

      // Read directory contents
-      const entries = await fs.readdir(resolvedWorkspaceDir, {
+      const entries = await secureFs.readdir(resolvedWorkspaceDir, {
        withFileTypes: true,
      });

      // Filter to directories only and map to result format
      const directories = entries
-        .filter((entry) => entry.isDirectory() && !entry.name.startsWith("."))
+        .filter((entry) => entry.isDirectory() && !entry.name.startsWith('.'))
        .map((entry) => ({
          name: entry.name,
          path: path.join(resolvedWorkspaceDir, entry.name),
@@ -53,7 +53,7 @@ export function createDirectoriesHandler() {
        directories,
      });
    } catch (error) {
-      logError(error, "List workspace directories failed");
+      logError(error, 'List workspace directories failed');
      res.status(500).json({ success: false, error: getErrorMessage(error) });
    }
  };