Security hardening and code quality improvements

.github/workflows/spellcheck.yml

@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   spellcheck:
     runs-on: ubuntu-latest

SECURITY.md

@@ -13,7 +13,7 @@ We release patches for security vulnerabilities for the following versions:
 If you discover a security vulnerability, please do the following:
 
 1. **Do NOT** open a public issue
-2. Email security details to: [your-email@example.com]
+2. Use [GitHub Security Advisories](https://github.com/jongio/azd-extensions/security/advisories/new) to privately report a vulnerability
 3. Include:
    - Description of the vulnerability
    - Steps to reproduce

package.json

@@ -12,13 +12,15 @@
     "update-readme-versions": "node scripts/update-readme-versions.js"
   },
   "dependencies": {
-    "@jongio/azd-web-core": "^2.4.0",
-    "astro": "^5.17.1"
+    "@jongio/azd-web-core": "^2.4.1",
+    "astro": "^5.17.3"
   },
   "devDependencies": {
-    "@tailwindcss/vite": "^4.1.18",
-    "@types/node": "^25.2.1",
-    "tailwindcss": "^4.1.18",
+    "@tailwindcss/vite": "^4.2.1",
+    "@types/node": "^25.3.3",
+    "prettier": "^3.8.1",
+    "prettier-plugin-tailwindcss": "^0.7.2",
+    "tailwindcss": "^4.2.1",
     "typescript": "^5.9.3"
   },
   "repository": {

scripts/install-all.ps1

@@ -25,7 +25,8 @@ $registryUrl = "https://jongio.github.io/azd-extensions/registry.json"
 $extensions = @(
     @{ Name = "azd-app";     Id = "jongio.azd.app";     Path = Join-Path $parentDir "azd-app\cli" },
     @{ Name = "azd-copilot"; Id = "jongio.azd.copilot"; Path = Join-Path $parentDir "azd-copilot\cli" },
-    @{ Name = "azd-exec";    Id = "jongio.azd.exec";    Path = Join-Path $parentDir "azd-exec\cli" }
+    @{ Name = "azd-exec";    Id = "jongio.azd.exec";    Path = Join-Path $parentDir "azd-exec\cli" },
+    @{ Name = "azd-rest";    Id = "jongio.azd.rest";    Path = Join-Path $parentDir "azd-rest\cli" }
 )
 
 # Ensure the jongio extension source is registered

scripts/lib/semver.js

@@ -0,0 +1,49 @@
+/**
+ * Shared semver comparison utility for registry scripts.
+ *
+ * Handles strict major.minor.patch versions. Rejects pre-release suffixes
+ * and non-numeric components rather than silently degrading.
+ */
+
+/**
+ * Parse a semver string into its numeric components.
+ * Throws if any component is not a non-negative integer.
+ *
+ * @param {string} version - Semver string (e.g., "1.2.3")
+ * @returns {number[]} Array of [major, minor, patch]
+ */
+export function parseSemver(version) {
+  const parts = version.split('.');
+  const nums = parts.map((part, i) => {
+    const n = Number(part);
+    if (!Number.isInteger(n) || n < 0) {
+      throw new Error(
+        `Invalid semver component "${part}" at position ${i} in version "${version}"`
+      );
+    }
+    return n;
+  });
+  return nums;
+}
+
+/**
+ * Compare two semver strings (major.minor.patch) for sorting ascending.
+ * Returns negative if a < b, positive if a > b, 0 if equal.
+ *
+ * Throws on invalid version strings (pre-release suffixes, non-numeric parts)
+ * rather than silently producing incorrect sort order.
+ *
+ * @param {string} a - First version string
+ * @param {string} b - Second version string
+ * @returns {number} Comparison result for Array.sort()
+ */
+export function compareSemver(a, b) {
+  const pa = parseSemver(a);
+  const pb = parseSemver(b);
+  const len = Math.max(pa.length, pb.length);
+  for (let i = 0; i < len; i++) {
+    const diff = (pa[i] || 0) - (pb[i] || 0);
+    if (diff !== 0) return diff;
+  }
+  return 0;
+}

scripts/uninstall-all.ps1

@@ -15,7 +15,8 @@ $registrySource = "jongio"
 $extensions = @(
     @{ Name = "azd-app";     Id = "jongio.azd.app" },
     @{ Name = "azd-copilot"; Id = "jongio.azd.copilot" },
-    @{ Name = "azd-exec";    Id = "jongio.azd.exec" }
+    @{ Name = "azd-exec";    Id = "jongio.azd.exec" },
+    @{ Name = "azd-rest";    Id = "jongio.azd.rest" }
 )
 
 Write-Host "`n🗑️  Uninstalling all azd extensions...`n" -ForegroundColor Cyan

scripts/update-readme-versions.js

@@ -3,6 +3,7 @@
 import { readFileSync, writeFileSync } from 'fs';
 import { join, dirname } from 'path';
 import { fileURLToPath } from 'url';
+import { compareSemver } from './lib/semver.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const root = join(__dirname, '..');
@@ -19,18 +20,10 @@ for (const ext of registry.extensions) {
   const parts = ext.id.split('.');
   const repoName = parts.slice(1).join('-');
 
-  // Find highest version using semver-style comparison
+  // Find highest version using shared semver comparison
   const latest = ext.versions
     .map((v) => v.version)
-    .sort((a, b) => {
-      const pa = a.split('.').map(Number);
-      const pb = b.split('.').map(Number);
-      for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
-        const diff = (pa[i] || 0) - (pb[i] || 0);
-        if (diff !== 0) return diff;
-      }
-      return 0;
-    })
+    .sort(compareSemver)
     .pop();
 
   if (latest) {
@@ -43,9 +36,12 @@ let readme = readFileSync(readmePath, 'utf8');
 let updated = readme;
 
 for (const [repoName, version] of latestVersions) {
+  // Escape regex special characters in repoName to prevent injection,
+  // then allow dash to also match dots (azd-app matches azd.app in table)
+  const escapedName = repoName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&').replace(/-/g, '[-.]');
   // Match table rows containing the repo name and update the version at the end
   const pattern = new RegExp(
-    `(\\|[^|]*${repoName.replace(/-/g, '[-\\\\.]')}[^|]*\\|[^|]*\\|)\\s*v?[0-9]+\\.[0-9]+\\.[0-9]+\\s*(\\|)`,
+    `(\\|[^|]*${escapedName}[^|]*\\|[^|]*\\|)\\s*v?[0-9]+\\.[0-9]+\\.[0-9]+\\s*(\\|)`,
     'g',
   );
   updated = updated.replace(pattern, `$1 v${version} $2`);

scripts/update-registry.js

@@ -8,36 +8,36 @@
 
 import { writeFileSync } from 'fs';
 import https from 'https';
+import { compareSemver } from './lib/semver.js';
 
 const REGISTRY_FILE = 'public/registry.json';
 
-/**
- * Compare two semver strings (major.minor.patch) for sorting ascending.
- * Returns negative if a < b, positive if a > b, 0 if equal.
- */
-function compareSemver(a, b) {
-  const pa = a.split('.').map(Number);
-  const pb = b.split('.').map(Number);
-  for (let i = 0; i < 3; i++) {
-    const diff = (pa[i] || 0) - (pb[i] || 0);
-    if (diff !== 0) return diff;
-  }
-  return 0;
-}
-
 /**
  * HEAD request with redirect following. Returns HTTP status code.
+ * Only follows redirects to HTTPS URLs to prevent downgrade attacks.
  */
 function headRequest(url, redirectCount = 0) {
   return new Promise((resolve, reject) => {
     if (redirectCount > 5) return resolve(0);
+    if (!url.startsWith('https://')) {
+      console.warn(`  ⚠ Refusing non-HTTPS URL: ${url}`);
+      return resolve(0);
+    }
     const req = https.request(url, { method: 'HEAD', timeout: 10_000 }, (res) => {
       if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
-        return headRequest(res.headers.location, redirectCount + 1).then(resolve).catch(reject);
+        const redirectTarget = new URL(res.headers.location, url).href;
+        if (!redirectTarget.startsWith('https://')) {
+          console.warn(`  ⚠ Refusing redirect to non-HTTPS URL: ${redirectTarget}`);
+          return resolve(0);
+        }
+        return headRequest(redirectTarget, redirectCount + 1).then(resolve).catch(reject);
       }
       resolve(res.statusCode);
     });
-    req.on('error', () => resolve(0));
+    req.on('error', (err) => {
+      console.warn(`  ⚠ HEAD request failed for ${url}: ${err.message}`);
+      resolve(0);
+    });
     req.on('timeout', () => {
       req.destroy();
       resolve(0);
@@ -54,8 +54,26 @@
   'https://raw.githubusercontent.com/jongio/azd-rest/refs/heads/main/registry.json',
 ];
 
+// Allowed hostname for artifact download URLs (GitHub releases only)
+const ALLOWED_ARTIFACT_HOST = 'github.com';
+
+/**
+ * Validate that an artifact URL points to an allowed domain.
+ * Prevents a compromised upstream registry from redirecting downloads
+ * to attacker-controlled infrastructure.
+ */
+function isAllowedArtifactUrl(url) {
+  try {
+    const parsed = new URL(url);
+    return parsed.protocol === 'https:' && parsed.hostname.endsWith(ALLOWED_ARTIFACT_HOST);
+  } catch {
+    return false;
+  }
+}
+
 /**
- * Fetch registry JSON from a URL
+ * Fetch registry JSON from a URL.
+ * Enforces a 5 MB size limit to prevent DoS from oversized responses.
  */
 async function fetchRegistry(url) {
   console.log(`Fetching ${url}...`);
@@ -65,7 +83,18 @@
     throw new Error(`Failed to fetch ${url}: ${response.statusText}`);
   }
 
-  return await response.json();
+  const MAX_REGISTRY_SIZE = 5 * 1024 * 1024; // 5 MB
+  const contentLength = response.headers.get('content-length');
+  if (contentLength && parseInt(contentLength, 10) > MAX_REGISTRY_SIZE) {
+    throw new Error(`Registry at ${url} exceeds maximum size of ${MAX_REGISTRY_SIZE} bytes`);
+  }
+
+  const text = await response.text();
+  if (text.length > MAX_REGISTRY_SIZE) {
+    throw new Error(`Registry at ${url} exceeds maximum size of ${MAX_REGISTRY_SIZE} bytes`);
+  }
+
+  return JSON.parse(text);
 }
 
 /**
@@ -120,20 +149,30 @@
           console.log(`  ⚠ Dropping ${ext.id}@${ver.version}: missing required platforms`);
           return false;
         }
-        // All artifact URLs must be valid HTTPS URLs
+        // All artifact URLs must be valid HTTPS URLs from allowed domains
         for (const [, artifact] of Object.entries(artifacts)) {
           if (!artifact.url || !artifact.url.startsWith('https://')) {
             console.log(`  ⚠ Dropping ${ext.id}@${ver.version}: non-HTTPS or missing artifact URL`);
             return false;
           }
+          if (!isAllowedArtifactUrl(artifact.url)) {
+            console.log(`  ⚠ Dropping ${ext.id}@${ver.version}: artifact URL from disallowed domain — ${artifact.url}`);
+            return false;
+          }
         }
-        // Must not have zero/placeholder checksums
+        // Must not have zero/placeholder checksums or weak hash algorithms
+        const ALLOWED_HASH_ALGORITHMS = ['sha256', 'sha384', 'sha512'];
         for (const [, artifact] of Object.entries(artifacts)) {
           const value = artifact.checksum?.value || '';
           if (/^0+$/.test(value)) {
             console.log(`  ⚠ Dropping ${ext.id}@${ver.version}: placeholder checksum`);
             return false;
           }
+          const algorithm = (artifact.checksum?.algorithm || '').toLowerCase();
+          if (algorithm && !ALLOWED_HASH_ALGORITHMS.includes(algorithm)) {
+            console.log(`  ⚠ Dropping ${ext.id}@${ver.version}: weak checksum algorithm "${algorithm}"`);
+            return false;
+          }
         }
         return true;
       });

scripts/validate-registry.js

@@ -16,7 +16,7 @@
 import { fileURLToPath } from 'url';
 import { dirname, resolve } from 'path';
 import https from 'https';
-import http from 'http';
+import { compareSemver } from './lib/semver.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -31,34 +31,32 @@
   'linux/arm64',
 ];
 
-const OPTIONAL_PLATFORMS = ['windows/arm64'];
+// Allowed hostname for artifact download URLs
+const ALLOWED_ARTIFACT_HOST = 'github.com';
+
+// Acceptable checksum algorithms (reject weak hashes like MD5, SHA1)
+const ALLOWED_HASH_ALGORITHMS = ['sha256', 'sha384', 'sha512'];
 
 const URL_TIMEOUT_MS = 10_000;
 const MAX_REDIRECTS = 5;
 
 // ── Helpers ──────────────────────────────────────────────────────────────────
 
-function compareSemver(a, b) {
-  const pa = a.split('.').map(Number);
-  const pb = b.split('.').map(Number);
-  for (let i = 0; i < 3; i++) {
-    const diff = (pa[i] || 0) - (pb[i] || 0);
-    if (diff !== 0) return diff;
-  }
-  return 0;
-}
-
 /**
- * Perform an HTTP(S) HEAD request, following redirects up to `maxRedirects`.
+ * Perform an HTTPS HEAD request, following redirects up to `maxRedirects`.
+ * Rejects redirects to non-HTTPS URLs to prevent downgrade attacks.
  * Resolves with the final status code or rejects on error / timeout.
  */
 function headRequest(url, maxRedirects = MAX_REDIRECTS) {
   return new Promise((resolvePromise, reject) => {
     const doRequest = (targetUrl, redirectsLeft) => {
       const parsedUrl = new URL(targetUrl);
-      const lib = parsedUrl.protocol === 'https:' ? https : http;
+      if (parsedUrl.protocol !== 'https:') {
+        reject(new Error(`Refusing non-HTTPS URL: ${targetUrl}`));
+        return;
+      }
 
-      const req = lib.request(
+      const req = https.request(
         targetUrl,
         { method: 'HEAD', timeout: URL_TIMEOUT_MS },
         (res) => {
@@ -139,6 +137,8 @@
       fail(`[${extId}@${latestVersion.version}] ${platform}: missing checksum`);
     } else if (!checksum.algorithm) {
       fail(`[${extId}@${latestVersion.version}] ${platform}: checksum missing algorithm`);
+    } else if (!ALLOWED_HASH_ALGORITHMS.includes(checksum.algorithm.toLowerCase())) {
+      fail(`[${extId}@${latestVersion.version}] ${platform}: weak checksum algorithm "${checksum.algorithm}" (allowed: ${ALLOWED_HASH_ALGORITHMS.join(', ')})`);
     } else if (!checksum.value) {
       fail(`[${extId}@${latestVersion.version}] ${platform}: checksum missing value`);
     } else if (/^0+$/.test(checksum.value)) {
@@ -165,6 +165,17 @@
         fail(
           `[${extId}@${ver.version}] ${platform}: non-HTTPS or missing URL — ${artifact.url || '(none)'}`
         );
+      } else {
+        try {
+          const parsed = new URL(artifact.url);
+          if (!parsed.hostname.endsWith(ALLOWED_ARTIFACT_HOST)) {
+            fail(
+              `[${extId}@${ver.version}] ${platform}: URL from disallowed domain — ${artifact.url}`
+            );
+          }
+        } catch {
+          fail(`[${extId}@${ver.version}] ${platform}: malformed URL — ${artifact.url}`);
+        }
       }
       const value = artifact.checksum?.value || '';
       if (/^0+$/.test(value)) {

scripts/watch-all.ps1

@@ -21,7 +21,8 @@ $parentDir = Split-Path -Parent $repoDir
 $extensions = @(
     @{ Name = "app";     Color = "Cyan";    Path = Join-Path $parentDir "azd-app\cli" },
     @{ Name = "copilot"; Color = "Magenta"; Path = Join-Path $parentDir "azd-copilot\cli" },
-    @{ Name = "exec";    Color = "Green";   Path = Join-Path $parentDir "azd-exec\cli" }
+    @{ Name = "exec";    Color = "Green";   Path = Join-Path $parentDir "azd-exec\cli" },
+    @{ Name = "rest";    Color = "Yellow";  Path = Join-Path $parentDir "azd-rest\cli" }
 )
 
 # Validate all repos exist before starting

src/components/ExtensionShowcase.astro

@@ -198,9 +198,9 @@ const { id, name, tagline, description, icon, website, repository, features, sce
       const command = (btn as HTMLElement).dataset.command || '';
       try {
         await navigator.clipboard.writeText(command);
-        btn.innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg>';
+        btn.innerHTML = '<svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg>';
       } catch {
-        btn.innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>';
+        btn.innerHTML = '<svg aria-hidden="true" xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>';
       }
       setTimeout(() => { btn.innerHTML = originalHTML; copying = false; }, 1500);
     });

src/pages/index.astro

@@ -127,6 +127,7 @@ const installAzdTabs = [
   publishedDate="2025-11-09T20:22:39Z"
 >
   <Fragment slot="head">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; connect-src 'self'; base-uri 'self'; form-action 'none'; frame-ancestors 'none';" />
     <meta name="keywords" content="Azure, Azure Developer CLI, azd, azd extensions, azd app, azd exec, azd copilot, azd rest, Azure CLI, developer tools, Jon Gallant, jongio, Azure authentication, local development, AI assistant, REST API" />
     <meta name="robots" content="index, follow" />
     <link rel="icon" type="image/svg+xml" href="/azd-extensions/favicon.svg" />