Refactor runtime specs with security fixes and Python support (#104)

- Fix Python runtime to properly extract module names after -m flag (unsed at present as only npx and uvx are supported)
- Add security validation to block remote git+ and HTTP sources in NPX
- Refactor specs into focused extractor functions for better maintainability
- Add comprehensive test coverage for all runtime package extractors
- Improve error handling with specific messages for different failure scenarios

[!] This prevents potential security issues where NPX could load arbitrary remote packages and fixes broken Python module extraction.

Author: peteski22

internal/runtime/spec.go

@@ -5,116 +5,148 @@ import (
 	"strings"
 )
 
+type pkgExtractor func(args []string) (string, error)
+
+type flagNameSet map[string]struct{}
+
 type Spec struct {
 	ShouldIgnoreFlag   func(string) bool
 	ExtractPackageName func([]string) (string, error)
 }
 
+func NewSpec(ignoreFlags flagNameSet, extractor pkgExtractor) Spec {
+	return Spec{
+		ShouldIgnoreFlag: func(flagName string) bool {
+			_, ok := ignoreFlags[flagName]
+			return ok
+		},
+		ExtractPackageName: extractor,
+	}
+}
+
 func Specs() map[Runtime]Spec {
 	return map[Runtime]Spec{
-		Docker: {
-			ShouldIgnoreFlag: func(flag string) bool {
-				switch flag {
-				case "--rm", "--name", "--volume", "-v", "--network", "--detach", "-d", "-i":
-					return true
+		Docker: NewSpec(dockerIgnoreFlags(), dockerPackageExtractor()),
+		NPX:    NewSpec(flagNameSet{"-y": {}}, npxPackageExtractor()),
+		UVX:    NewSpec(flagNameSet{"--from": {}}, uvxPackageExtractor()),
+		Python: NewSpec(flagNameSet{"-m": {}}, pythonPackageExtractor()),
+	}
+}
+
+func dockerIgnoreFlags() flagNameSet {
+	return flagNameSet{
+		"-d":        {},
+		"--detach":  {},
+		"-i":        {},
+		"--name":    {},
+		"--network": {},
+		"--rm":      {},
+		"-v":        {},
+		"--volume":  {},
+	}
+}
+
+func dockerPackageExtractor() pkgExtractor {
+	return func(args []string) (string, error) {
+		skip := true
+		skipNext := false
+
+		flagsWithValues := flagNameSet{
+			"-e":        {},
+			"--env":     {},
+			"-p":        {},
+			"--name":    {},
+			"--network": {},
+			"-v":        {},
+			"--volume":  {},
+		}
+
+		for i := 0; i < len(args); i++ {
+			arg := args[i]
+
+			if skip {
+				if arg == "run" {
+					skip = false
 				}
-				return false
-			},
-			ExtractPackageName: func(args []string) (string, error) {
-				skip := true
-				skipNext := false
-
-				// Flags that take a value (e.g. --name greptime)
-				flagsWithValues := map[string]struct{}{
-					"-e":        {},
-					"--env":     {},
-					"-p":        {},
-					"-v":        {},
-					"--volume":  {},
-					"--name":    {},
-					"--network": {},
+				continue
+			}
+
+			if skipNext {
+				skipNext = false
+				continue
+			}
+
+			if strings.HasPrefix(arg, "-") {
+				if _, ok := flagsWithValues[arg]; ok {
+					skipNext = true
 				}
+				continue
+			}
 
-				for i := 0; i < len(args); i++ {
-					arg := args[i]
+			return arg, nil
+		}
 
-					if skip {
-						if arg == "run" {
-							skip = false
-						}
-						continue
-					}
+		return "", fmt.Errorf("no %s image found", Docker)
+	}
+}
 
-					if skipNext {
-						skipNext = false
-						continue
-					}
+func npxPackageExtractor() pkgExtractor {
+	return func(args []string) (string, error) {
+		for _, arg := range args {
+			if strings.HasPrefix(arg, "-") {
+				continue
+			}
+			normalizedArg := strings.ToLower(arg)
+			if strings.HasPrefix(normalizedArg, "git+") || strings.HasPrefix(normalizedArg, "https://") {
+				return "", fmt.Errorf("remote sources are unsupported")
+			}
+			return arg, nil
+		}
+		return "", fmt.Errorf("no %s package found", NPX)
+	}
+}
 
-					if strings.HasPrefix(arg, "-") {
-						_, takesValue := flagsWithValues[arg]
-						skipNext = takesValue
-						continue
-					}
+func uvxPackageExtractor() pkgExtractor {
+	return func(args []string) (string, error) {
+		for i := 0; i < len(args); i++ {
+			arg := strings.TrimSpace(args[i])
 
-					return arg, nil
+			if arg == "--from" && i+1 < len(args) {
+				next := strings.ToLower(strings.TrimSpace(args[i+1]))
+				if strings.HasPrefix(next, "git+") {
+					return "", fmt.Errorf("remote git repositories are unsupported")
 				}
-
-				return "", fmt.Errorf("no %s image found", Docker)
-			},
-		},
-		NPX: {
-			ShouldIgnoreFlag: func(flag string) bool {
-				return flag == "-y"
-			},
-			ExtractPackageName: func(args []string) (string, error) {
-				// First non-flag value
-				for _, arg := range args {
-					if !strings.HasPrefix(arg, "-") {
-						return arg, nil
-					}
+				if strings.HasPrefix(next, "https://") {
+					return "", fmt.Errorf("arbitrary HTTP repositories are unsupported")
 				}
-				return "", fmt.Errorf("no %s package found", NPX)
-			},
-		},
-		UVX: {
-			ShouldIgnoreFlag: func(flag string) bool {
-				switch flag {
-				case "--from":
-					return true
+
+				i++ // Skip the next value
+				continue
+			}
+
+			if !strings.HasPrefix(arg, "-") {
+				return arg, nil
+			}
+		}
+
+		return "", fmt.Errorf("no %s package found", UVX)
+	}
+}
+
+func pythonPackageExtractor() pkgExtractor {
+	return func(args []string) (string, error) {
+		for i, arg := range args {
+			if arg == "-m" {
+				if i+1 >= len(args) {
+					return "", fmt.Errorf("missing module name after -m")
 				}
-				return false
-			},
-			ExtractPackageName: func(args []string) (string, error) {
-				for i := 0; i < len(args); i++ {
-					arg := strings.TrimSpace(args[i])
-					nextIndex := i + 1
-					if args[i] == "--from" && nextIndex < len(args) {
-						nextArg := strings.TrimSpace(args[nextIndex])
-						if strings.HasPrefix(nextArg, "git+") {
-							return "", fmt.Errorf("remote git repositories are unsupported")
-						}
-						if strings.HasPrefix(nextArg, "https://") {
-							return "", fmt.Errorf("arbitrary HTTP repositories are unsupported")
-						}
-
-						i++ // Skip next value.
-						continue
-					}
-					if !strings.HasPrefix(arg, "-") {
-						return arg, nil
-					}
+				next := args[i+1]
+				if strings.HasPrefix(next, "-") {
+					return "", fmt.Errorf("invalid module name after -m: %s", next)
 				}
-				return "", fmt.Errorf("no %s package found", UVX)
-			},
-		},
-		Python: {
-			ShouldIgnoreFlag: func(flag string) bool {
-				return flag == "-m"
-			},
-			ExtractPackageName: func(args []string) (string, error) {
-				// No clear package name? Could return empty or static
-				return "", nil
-			},
-		},
+				return next, nil
+			}
+		}
+		return "", fmt.Errorf("no %s module found", Python)
 	}
 }