Add raycast-rsync-extension extension #24401
- test: Add end-to-end tests for Rsync command options, validating flag inclusion and command structure for various transfer scenarios.
- feat: Add Rsync options for file transfer configuration, including human-readable sizes, progress display, and deletion of extraneous files. Update transfer execution to support real-time progress updates and enhance user feedback with formatted output messages.
- refactor: Migrate from SCP to Rsync for file transfer extension, enhancing performance and features. Update documentation and commands accordingly.
- test: Add end-to-end tests for browsing functionality, validating remote paths and host configurations
- feat: Add browsing functionality for remote files via SSH, including UI components and file listing logic
- chore: Update @types/react to version 19.0.10 and add overrides in package.json
- chore: Add initial CHANGELOG.md documenting the SCP File Transfer extension release and features
- chore: Update package version to 1.0.0 and switch from pnpm to npm in README installation instructions
- fix: Update file selection instructions and clean up whitespace in upload component and tests
- fix: Improve error handling in file selection process, adding specific handling for Finder not being frontmost
- feat: Implement popToRoot functionality to close extension after successful download and upload
- chore: Add LICENSE file and update README with testing instructions and license details
- feat: Add ESLint configuration and refactor code for improved readability and consistency
- fix: Update icon path and standardize command titles in package.json
- test: Add end-to-end tests for download and upload workflows, including validation and error handling
- feat: Improve logging and error messages in download process and path validation
- feat: Enhance logging and error messages in upload process and path validation
- feat: Improve error handling and logging in SSH config parser
- feat: Enhance error handling in SCP execution with user-friendly messages
- test: Add unit tests for FileList component logic
- feat: Add FileList component for displaying files
- feat: Add download and upload command components
- test: Add unit tests for SCP command builder functionality
- feat: Implement SCP command builder and executor for file transfers
- test: Add comprehensive unit tests for validation utilities
- feat: Add validation utility functions for paths and SSH config
- test: Add comprehensive unit tests for SSH config parser
- test: Add Vitest testing framework configuration
- docs: Update package manager from npm to pnpm
- feat: Add SSH config parser utility
- feat: Add server configuration and transfer types
- Initialize Raycast SCP extension project
Congratulations on your new Raycast extension! 🚀 Due to our current reduced availability, the initial review may take up to 10-15 business days. Once the PR is approved and merged, the extension will be available on our Store.
- feat: Update package name to raycast-rsync-extension, add React dependency, and enhance SSH config parsing with caching for improved performance and error handling.
- feat: Refactor copy actions in RemoteFileList to use a unified Action component, enhancing code consistency and user feedback with clipboard integration.
- feat: Enhance copy actions in RemoteFileList with success toasts and navigation, improving user feedback when copying file paths and names.
Greptile Overview
Greptile Summary
This PR introduces a Raycast extension for rsync-based file transfers with SSH config integration. While the extension demonstrates good structure with comprehensive testing (117 tests) and solid error handling patterns, it has critical security vulnerabilities that must be addressed before merging.
Critical Issues
🚨 Shell Command Injection Vulnerabilities
❌ Missing Browse Command Export
Store Requirements Issues
📸 Missing Metadata Folder
⚙️ Duplicated Preferences
Positive Aspects
Recommendation
This PR cannot be merged in its current state due to critical security vulnerabilities. The shell injection issues pose a serious security risk to users and must be fixed. Additionally, the missing browse command export will cause immediate runtime failures.
Confidence Score: 0/5
Important Files Changed
File Analysis
5 files reviewed, 5 comments
| export { default as upload } from "./upload"; | ||
|
|
||
| // Export download command | ||
| export { default as download } from "./download"; |
The browse command is not exported from index.tsx, but it's declared in package.json at lines 27-32. This will cause a runtime error when users try to use the "Browse Remote Files" command.
| export { default as download } from "./download"; | |
| // Export download command | |
| export { default as download } from "./download"; | |
| // Export browse command | |
| export { default as browse } from "./browse"; |
"Browse Remote Files" is added.
| if (direction === TransferDirection.UPLOAD) { | ||
| // Upload: rsync -e "ssh -F ~/.ssh/config" [flags] {localPath} {hostAlias}:{remotePath} | ||
| return `${baseCommand} ${localPath} ${hostAlias}:${remotePath}`; | ||
| } else { | ||
| // Download: rsync -e "ssh -F ~/.ssh/config" [flags] {hostAlias}:{remotePath} {localPath} | ||
| return `${baseCommand} ${hostAlias}:${remotePath} ${localPath}`; | ||
| } |
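Review bot: both return statements build a single shell string from localPath, hostAlias and remotePath, so every caller depends on the quoting being right; returning an argument array and running rsync without a shell (for example through execFile) removes the local parsing step entirely. Escaping alone also leaves two cases open: a path that begins with - is read by rsync as an option unless a -- separator precedes the paths, and the {hostAlias}:{remotePath} half is handled again on the remote side, where rsync's -s (--protect-args) keeps the remote shell from interpreting it. hostAlias is better checked against an allow-list pattern than escaped.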
Shell command injection vulnerability - localPath, remotePath, and hostAlias are directly interpolated into shell commands without proper escaping. A malicious path like /tmp/test; rm -rf / would execute arbitrary commands.
The validation in validation.ts only checks for control characters (0x00-0x1F), but does NOT prevent shell metacharacters like semicolons, backticks, pipes, dollar signs, etc.
You need to properly escape or quote these values before passing them to the shell. Consider using a library like shell-escape or manually escaping shell metacharacters.
This has been solved.
|
|
||
| // Use ls -lAh for detailed listing with human-readable sizes | ||
| // -l: long format, -A: all files except . and .., -h: human-readable sizes | ||
| const command = `ssh -F ${configPath} ${hostAlias} "ls -lAh ${remotePath}"`; |
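Review bot: the template string on the last line is parsed twice, first by the local shell and then by the remote login shell that ssh hands the quoted ls command to, so remotePath needs quoting for the remote shell and the whole remote command needs quoting again for the local one; the double quotes used here still let the local shell expand $ and backticks inside remotePath. configPath and hostAlias are interpolated unquoted as well: a config path containing a space splits into two arguments, and a host alias starting with - is read by ssh as an option. Passing an argument array to a non-shell spawn leaves only the remote layer to quote, and writing ls -lAh -- before the path keeps a path starting with - from being read as a flag.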
Shell command injection vulnerability - remotePath is directly interpolated into the SSH command without proper escaping. A path like ~; malicious_command would execute arbitrary commands on the local system before attempting SSH connection.
The same security issue exists here as in rsync.ts - paths must be properly shell-escaped before being used in command strings.
This has been solved.
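The two injection comments above (the rsync command builder and the ssh ls listing) come down to the same quoting problem. The following TypeScript sketch is an added example, not the extension's actual fix: shQuote, checkHost, quoteRemotePath, sshListArgv, rsyncPathArgs and toShellString are hypothetical names, and the argument arrays are meant for a non-shell spawn such as Node's execFile.

```typescript
// Added example with hypothetical helper names; not code from the PR.

// POSIX single-quote escaping: inside '...' nothing is special, so the only
// character to handle is ' itself (close the quote, emit \', reopen).
function shQuote(arg: string): string {
  if (arg.indexOf("\0") !== -1) throw new Error("NUL byte in argument");
  return "'" + arg.replace(/'/g, () => "'\\''") + "'";
}

// Host aliases sit next to options on the ssh/rsync command line, so they
// are allow-listed rather than escaped; a leading "-" is rejected.
function checkHost(host: string): string {
  if (!/^[A-Za-z0-9_][A-Za-z0-9._-]*$/.test(host)) throw new Error("invalid host alias");
  return host;
}

// Quote a path for the REMOTE shell. A leading ~ or ~/ stays outside the
// quotes, because a quoted tilde is not expanded to the home directory.
function quoteRemotePath(p: string): string {
  if (p === "~") return "~";
  if (p.slice(0, 2) === "~/") return "~/" + shQuote(p.slice(2));
  return shQuote(p);
}

// argv for a non-shell spawn: no local shell parses these strings. ssh still
// passes the last element to the remote login shell, so the path inside it
// needs one layer of quoting; "--" stops ls reading "-x" as a flag.
function sshListArgv(configPath: string, host: string, remotePath: string): string[] {
  return ["ssh", "-F", configPath, checkHost(host), "ls -lAh -- " + quoteRemotePath(remotePath)];
}

// Trailing rsync arguments to append after the flags. -s (--protect-args)
// keeps the remote shell from interpreting the remote path; "--" ends options.
function rsyncPathArgs(upload: boolean, host: string, localPath: string, remotePath: string): string[] {
  const remote = checkHost(host) + ":" + remotePath;
  return upload ? ["-s", "--", localPath, remote] : ["-s", "--", remote, localPath];
}

// Only when a single command string is unavoidable: quote every element for
// the LOCAL shell too, so the remote command ends up quoted twice.
function toShellString(argv: string[]): string {
  return argv.map(shQuote).join(" ");
}
```

With these helpers the reviewer's sample inputs, /tmp/test; rm -rf / and ~; malicious_command, reach ls and rsync as literal path names.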
| const [humanReadable, setHumanReadable] = useState<boolean>(true); | ||
| const [showProgress, setShowProgress] = useState<boolean>(true); | ||
| const [deleteExtraneous, setDeleteExtraneous] = useState<boolean>(false); |
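Review bot: deleteExtraneous on the last line is held in per-form state beside two display-only options, although it is the one setting here that removes files at the destination. Keeping the false default is right; consider a confirmation step (or a dry-run listing) whenever it is switched on, and show the flag in the transfer summary so the user sees it before the run.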
The rsync options (humanReadable, showProgress, deleteExtraneous) are duplicated across upload.tsx and download.tsx commands. Per Raycast extension guidelines, when preferences apply to multiple related commands, prefer creating unified global settings in package.json rather than duplicating the same preference across individual commands.
Consider adding these as global preferences in package.json that all commands can access via getPreferenceValues().
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
A global rsync preference is introduced.
| "commands": [ | ||
| { | ||
| "name": "upload", | ||
| "title": "Upload Files Via Rsync", | ||
| "description": "Upload local files to a remote server using rsync", | ||
| "mode": "view" | ||
| }, | ||
| { | ||
| "name": "download", | ||
| "title": "Download Files Via Rsync", | ||
| "description": "Download files from a remote server using rsync", | ||
| "mode": "view" | ||
| }, | ||
| { | ||
| "name": "browse", | ||
| "title": "Browse Remote Files", | ||
| "description": "Browse and list files on a remote server", | ||
| "mode": "view" | ||
| } | ||
| ], |
This extension has view-type commands but is missing the required metadata/ folder with Raycast-styled screenshots. According to the extension guidelines, extensions with view-type commands must include a metadata folder containing professional screenshots.
You need to:
- Create a metadata/ folder in the extension root
- Add Raycast-styled screenshots showing the extension's UI
- Follow the screenshot guidelines at https://developers.raycast.com/basics/prepare-an-extension-for-store#screenshots
Metadata added.
- feat: Add metadata folder with Raycast extension screenshots
- feat: Enhance Rsync options in file transfer forms by adding user-configurable settings for human-readable sizes, progress display, and deletion of extraneous files. Update form handling to utilize these options during transfer execution.
- feat: Implement tilde expansion handling in SSH commands to enhance path usability and security. Add tests to validate correct command generation for paths starting with ~ and standalone ~.
- feat: Implement tilde expansion for local paths in Rsync command builder, enhancing usability for both upload and download scenarios. Add corresponding tests to validate the new functionality.
- fix: Ensure local destination paths for downloads have a trailing slash to create directories correctly. Update tests to reflect this normalization for both download and upload scenarios.
- feat: Introduce global Rsync preferences for file transfer options, allowing users to configure human-readable sizes, progress display, and deletion of extraneous files through the extension preferences. Update transfer execution to utilize these global settings.
- feat: Add browsing command to Rsync extension, update documentation to reflect three main commands, and introduce test setup and mock for improved testing capabilities.
- feat: Implement shell escaping for Rsync command inputs to prevent command injection vulnerabilities and enhance security. Update tests to validate escaping behavior for various input scenarios.
Description
This PR introduces a comprehensive Raycast extension for file transfer using rsync with SSH config integration. The extension provides three main commands for seamless file management between local and remote servers.
Key Features
Technical Highlights
- ~/.ssh/config for seamless host selection
- -h (human-readable): Display file sizes in KB, MB, GB format
- -P (progress): Real-time progress updates with transfer speed and remaining time
- --delete: Synchronize deletions (optional, use with caution)
- -P flag is enabled
Testing
Screencast
ScreenRecording.mov
Checklist
- npm run build and tested this distribution build in Raycast
- assets folder are used by the extension itself
- README are placed outside of the metadata folder