feat(terminal): 添加bun-pty类型定义并修复pty调用

refactor(security): 重构路径检测逻辑并优化测试用例

style(test): 调整测试文件导入顺序

Author: echoVic

packages/cli/src/server/routes/terminal.ts

@@ -41,7 +41,6 @@ async function spawnPty(
 ): Promise<IPtyProcess> {
   if (isBunRuntime()) {
     // Use bun-pty in Bun runtime
-    // @ts-expect-error bun-pty is only available in Bun runtime
     const { spawn } = await import('bun-pty');
     const ptyProcess = spawn(command, args, {
       name: 'xterm-256color',
@@ -51,7 +50,7 @@ async function spawnPty(
     return {
       pid: ptyProcess.pid,
       write: (data: string) => ptyProcess.write(data),
-      resize: (cols: number, rows: number) => ptyProcess.resize({ cols, rows }),
+      resize: (cols: number, rows: number) => ptyProcess.resize(cols, rows),
       kill: () => ptyProcess.kill(),
       onData: (callback: (data: string) => void) => ptyProcess.onData(callback),
       onExit: (callback: (exitInfo: { exitCode: number }) => void) => ptyProcess.onExit(callback),

packages/cli/src/types/bun-pty.d.ts

@@ -0,0 +1,20 @@
+declare module 'bun-pty' {
+  export function spawn(
+    command: string,
+    args: string[],
+    options: {
+      name?: string;
+      cwd?: string;
+      env?: Record<string, string>;
+      cols?: number;
+      rows?: number;
+    }
+  ): {
+    pid: number;
+    write(data: string): void;
+    resize(cols: number, rows: number): void;
+    kill(signal?: string): void;
+    onData(callback: (data: string) => void): void;
+    onExit(callback: (exitInfo: { exitCode: number }) => void): void;
+  };
+}

packages/cli/tests/security/path-traversal.test.ts

@@ -1,7 +1,7 @@
-import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import path from 'node:path';
-import { setupTestEnvironment } from '../support/helpers/setupTestEnvironment.js';
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
 import type { TestEnvironment } from '../support/helpers/setupTestEnvironment.js';
+import { setupTestEnvironment } from '../support/helpers/setupTestEnvironment.js';
 
 describe('路径遍历攻击防护', () => {
   let env: TestEnvironment;
@@ -52,6 +52,26 @@ describe('路径遍历攻击防护', () => {
   });
 
   describe('绝对路径限制', () => {
+    const isWithinProject = (projectRoot: string, targetPath: string) => {
+      if (
+        !path.isAbsolute(targetPath) &&
+        path.win32.isAbsolute(targetPath) &&
+        process.platform !== 'win32'
+      ) {
+        return false;
+      }
+
+      const resolvedProject = path.resolve(projectRoot);
+      const resolvedTarget = path.resolve(targetPath);
+      const projectPrefix = resolvedProject.endsWith(path.sep)
+        ? resolvedProject
+        : `${resolvedProject}${path.sep}`;
+
+      return (
+        resolvedTarget === resolvedProject || resolvedTarget.startsWith(projectPrefix)
+      );
+    };
+
     it('应该检测项目目录外的绝对路径', () => {
       const projectRoot = env.projectDir;
       const outsidePaths = [
@@ -62,9 +82,7 @@ describe('路径遍历攻击防护', () => {
       ];
 
       for (const outsidePath of outsidePaths) {
-        const resolvedPath = path.resolve(outsidePath);
-        const isWithinProject = resolvedPath.startsWith(projectRoot);
-        expect(isWithinProject).toBe(false);
+        expect(isWithinProject(projectRoot, outsidePath)).toBe(false);
       }
     });
 
@@ -77,8 +95,7 @@ describe('路径遍历攻击防护', () => {
       ];
 
       for (const insidePath of insidePaths) {
-        const isWithinProject = insidePath.startsWith(projectRoot);
-        expect(isWithinProject).toBe(true);
+        expect(isWithinProject(projectRoot, insidePath)).toBe(true);
       }
     });
   });