Merge pull request #370 from gnh1201/dev

Change the project name to WelsonJS.Toolkit to WelsonJS.Augmented

.appveyor.yml

@@ -15,25 +15,25 @@ environment:
       SIGNING_POLICY_SLUG: release-signing
 
 before_build:
-  - nuget restore WelsonJS.Toolkit
+  - nuget restore WelsonJS.Augmented
 
 build_script:
-  - msbuild "C:\projects\welsonjs\WelsonJS.Toolkit\WelsonJS.Toolkit.sln" /verbosity:minimal /logger:"C:\Program Files\AppVeyor\BuildAgent\Appveyor.MSBuildLogger.dll" /p:Configuration=%CONFIGURATION% /p:Platform="x86"
+  - msbuild "C:\projects\welsonjs\WelsonJS.Augmented\WelsonJS.Augmented.sln" /verbosity:minimal /logger:"C:\Program Files\AppVeyor\BuildAgent\Appveyor.MSBuildLogger.dll" /p:Configuration=%CONFIGURATION% /p:Platform="x86"
 
 after_build:
    - cmd: mkdir artifacts
-   #- cmd: xcopy /s /y WelsonJS.Toolkit\WelsonJS.Toolkit\bin\x86\%CONFIGURATION%\* artifacts\
-   - cmd: xcopy /s /y WelsonJS.Toolkit\WelsonJS.Service\bin\x86\%CONFIGURATION%\* artifacts\
-   - cmd: xcopy /s /y WelsonJS.Toolkit\WelsonJS.Launcher\bin\x86\%CONFIGURATION%\* artifacts\
-   - cmd: xcopy /s /y WelsonJS.Toolkit\Catswords.Phantomizer\bin\%CONFIGURATION%\netstandard2.0\* artifacts\
-   - cmd: nuget pack WelsonJS.Toolkit\WelsonJS.Toolkit\ -properties Configuration=%CONFIGURATION% -properties Platform=x86 -OutputDirectory artifacts\
+   #- cmd: xcopy /s /y WelsonJS.Augmented\WelsonJS.Toolkit\bin\x86\%CONFIGURATION%\* artifacts\
+   - cmd: xcopy /s /y WelsonJS.Augmented\WelsonJS.Service\bin\x86\%CONFIGURATION%\* artifacts\
+   - cmd: xcopy /s /y WelsonJS.Augmented\WelsonJS.Launcher\bin\x86\%CONFIGURATION%\* artifacts\
+   - cmd: xcopy /s /y WelsonJS.Augmented\Catswords.Phantomizer\bin\%CONFIGURATION%\netstandard2.0\* artifacts\
+   - cmd: nuget pack WelsonJS.Augmented\WelsonJS.Toolkit\ -properties Configuration=%CONFIGURATION% -properties Platform=x86 -OutputDirectory artifacts\
    - ps: Start-BitsTransfer -Source "https://catswords.blob.core.windows.net/welsonjs/welsonjs_setup_unsigned.exe" -Destination "artifacts\welsonjs_setup.exe"
    - ps: Start-BitsTransfer -Source "https://catswords.blob.core.windows.net/welsonjs/chakracore-build/x86_release/ChakraCore.dll" -Destination "artifacts\ChakraCore.dll"
    - cmd: 7z a artifacts.zip artifacts\*
 
 artifacts:
   - path: artifacts.zip
-    name: WelsonJS.Toolkit
+    name: WelsonJS.Augmented
 
 deploy:
 - provider: Webhook

.gitmodules

@@ -1,3 +1,3 @@
-[submodule "WelsonJS.Toolkit/ChakraCore"]
-	path = WelsonJS.Toolkit/ChakraCore
+[submodule "WelsonJS.NET/ChakraCore"]
+	path = WelsonJS.NET/ChakraCore
 	url = https://github.com/chakra-core/ChakraCore

WelsonJS.Augmented/Catswords.Phantomizer/AssemblyLoader.cs

@@ -38,14 +38,18 @@ namespace Catswords.Phantomizer
         public static string AppName { get; set; } = "Catswords";
         public static string IntegrityUrl { get; set; } = null;
 
-        // Hash whitelist (values only)
         private static HashSet<string> _integrityHashes = null;
         private static bool _integrityLoaded = false;
-        private static readonly object IntegritySyncRoot = new object();
-
-        private static readonly object SyncRoot = new object();
         private static bool _registered;
 
+        private static readonly object AllowSchemesSyncRoot = new object();
+        private static readonly object IntegritySyncRoot = new object();
+        private static readonly object SyncRoot = new object();
+
+        private static readonly HashSet<string> _allowSchemes = new HashSet<string>(StringComparer.OrdinalIgnoreCase) {
+            Uri.UriSchemeHttps
+        };
+
         private static readonly HttpClientHandler LegacyHttpHandler = new HttpClientHandler
         {
             AutomaticDecompression = DecompressionMethods.None
@@ -184,15 +188,9 @@ namespace Catswords.Phantomizer
                     if (string.IsNullOrWhiteSpace(BaseUrl))
                         throw new InvalidOperationException("BaseUrl must be configured before Register().");
 
-                    if (Uri.TryCreate(BaseUrl, UriKind.Absolute, out Uri uri))
-                    {
-                        if (uri.Scheme != Uri.UriSchemeHttps)
-                            throw new InvalidOperationException("BaseUrl must use HTTPS for security.");
-                    }
-                    else
-                    {
-                        throw new InvalidOperationException("BaseUrl is not a valid absolute URI.");
-                    }
+                    TryVerifyUrl(BaseUrl, out bool verified);
+                    if (!verified)
+                        throw new InvalidOperationException("BaseUrl verification failed.");
                 }
                 catch (Exception ex)
                 {
@@ -213,8 +211,9 @@ namespace Catswords.Phantomizer
         /// </summary>
         public static void LoadNativeModules(string ownerAssemblyName, Version version, IList<string> fileNames)
         {
-            if (string.IsNullOrWhiteSpace(BaseUrl))
-                throw new InvalidOperationException("AssemblyLoader.BaseUrl must be set before loading native modules.");
+            TryVerifyUrl(BaseUrl, out bool verified);
+            if (!verified)
+                throw new InvalidOperationException("BaseUrl verification failed.");
 
             if (ownerAssemblyName == null) throw new ArgumentNullException("ownerAssemblyName");
             if (version == null) throw new ArgumentNullException("version");
@@ -275,6 +274,43 @@ namespace Catswords.Phantomizer
             }
         }
 
+        /// <summary>
+        /// Adds an allowed URI scheme for assembly and module loading.
+        /// Only HTTP and HTTPS schemes are supported. HTTPS is the default.
+        /// Adding HTTP reduces security and will log a warning.
+        /// </summary>
+        /// <param name="scheme">The URI scheme to allow (e.g., "http" or "https"). Trailing colons are automatically removed.</param>
+        /// <exception cref="ArgumentNullException">Thrown when <paramref name="scheme"/> is null or whitespace.</exception>
+        /// <exception cref="ArgumentException">Thrown when the scheme is invalid or not HTTP/HTTPS.</exception>
+        /// <remarks>
+        /// This method is thread-safe and can be called before Register() or LoadNativeModules().
+        /// </remarks>
+        public static void AddAllowedUriScheme(string scheme)
+        {
+            if (string.IsNullOrWhiteSpace(scheme))
+                throw new ArgumentNullException(nameof(scheme));
+
+            int colonIndex = scheme.IndexOf(':');
+            if (colonIndex > -1)
+                scheme = scheme.Substring(0, colonIndex);
+
+            scheme = scheme.ToLowerInvariant();
+
+            if (!Uri.CheckSchemeName(scheme))
+                throw new ArgumentException("Invalid URI scheme name.", nameof(scheme));
+
+            if (!scheme.Equals(Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase) &&
+                    !scheme.Equals(Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase))
+                throw new ArgumentException("Only HTTPS or HTTP schemes are supported.", nameof(scheme));
+
+            if (scheme.Equals(Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase))
+                Trace.TraceWarning("Warning: Adding 'http' to allowed URI schemes reduces security.");
+
+            lock (AllowSchemesSyncRoot)
+            {
+                _allowSchemes.Add(scheme);
+            }
+        }
 
         public static void LoadNativeModules(Assembly asm, IList<string> fileNames)
         {
@@ -461,7 +497,7 @@ namespace Catswords.Phantomizer
                     }
                     catch (Exception ex)
                     {
-                       Trace.TraceInformation("Failed to delete temporary file {0}: {1}", tempFile, ex.Message);
+                        Trace.TraceInformation("Failed to delete temporary file {0}: {1}", tempFile, ex.Message);
                     }
                 }
             }
@@ -499,23 +535,17 @@ namespace Catswords.Phantomizer
 
                 try
                 {
-                    if (Uri.TryCreate(IntegrityUrl, UriKind.Absolute, out Uri uri))
-                    {
-                        if (uri.Scheme != Uri.UriSchemeHttps)
-                            throw new InvalidOperationException("IntegrityUrl must use HTTPS for security.");
+                    TryVerifyUrl(IntegrityUrl, out bool verified);
+                    if (!verified)
+                        throw new InvalidOperationException("IntegrityUrl verification failed.");
 
-                        using (var res = Http.GetAsync(uri).GetAwaiter().GetResult())
-                        {
-                            res.EnsureSuccessStatusCode();
-                            using (var stream = res.Content.ReadAsStreamAsync().GetAwaiter().GetResult())
-                            {
-                                doc = XDocument.Load(stream);
-                            }
-                        }
-                    }
-                    else
+                    using (var res = Http.GetAsync(IntegrityUrl).GetAwaiter().GetResult())
                     {
-                        throw new InvalidOperationException("IntegrityUrl is not a valid absolute URI.");
+                        res.EnsureSuccessStatusCode();
+                        using (var stream = res.Content.ReadAsStreamAsync().GetAwaiter().GetResult())
+                        {
+                            doc = XDocument.Load(stream);
+                        }
                     }
                 }
                 catch (Exception ex)
@@ -648,5 +678,43 @@ namespace Catswords.Phantomizer
                 return sb.ToString();
             }
         }
+
+        private static bool IsValidUriScheme(Uri uri)
+        {
+            if (uri == null)
+                return false;
+
+            lock (AllowSchemesSyncRoot)
+            {
+                return _allowSchemes.Contains(uri.Scheme);
+            }
+        }
+
+        private static void TryVerifyUrl(string url, out bool verified)
+        {
+            try
+            {
+                if (string.IsNullOrWhiteSpace(url))
+                    throw new InvalidOperationException("URL is null or empty.");
+
+                if (Uri.TryCreate(url, UriKind.Absolute, out Uri uri))
+                {
+                    if (!IsValidUriScheme(uri))
+                        throw new InvalidOperationException(
+                            $"URI scheme '{uri.Scheme}' is not allowed. Use AddAllowedUriScheme() to permit additional schemes.");
+                }
+                else
+                {
+                    throw new InvalidOperationException("Not a valid absolute URI.");
+                }
+
+                verified = true;
+            }
+            catch (Exception ex)
+            {
+                Trace.TraceError("URL verification failed for {0}: {1}", url, ex.Message);
+                verified = false;
+            }
+        }
     }
 }

WelsonJS.Augmented/Catswords.Phantomizer/Catswords.Phantomizer.csproj

@@ -10,7 +10,7 @@
     <PackageTags>loader</PackageTags>
     <Description>Catswords.Phantomizer is an HTTP-based dynamic-link library (DLL) loader designed for .NET applications. It allows your application to fetch and load assemblies directly from your CDN (Azure Blob, S3, Cloudflare R2, etc.) at runtime, with optional GZip compression support.</Description>
     <Copyright>Namhyeon Go, 2025 Catswords OSS and WelsonJS Contributors</Copyright>
-    <Version>1.0.0.1</Version>
+    <Version>1.0.0.2</Version>
   </PropertyGroup>
 
 </Project>

WelsonJS.Augmented/Catswords.Phantomizer/README.md

@@ -71,6 +71,7 @@ private static void InitializeAssemblyLoader()
     //loaderType.GetProperty("IntegrityUrl")?.SetValue(null, GetAppConfig("IntegrityUrl"));  // (Optional) Set the integrity URL
     loaderType.GetProperty("LoaderNamespace")?.SetValue(null, typeof(Program).Namespace);
     loaderType.GetProperty("AppName")?.SetValue(null, "WelsonJS");                       // Application name
+    //loaderType.GetMethod("AddAllowedUriScheme")?.Invoke(null, new object[] { Uri.UriSchemeHttp }); // (Optional) Allow insecure HTTP (not recommended)
     loaderType.GetMethod("Register")?.Invoke(null, null);
 
     var loadNativeModulesMethod = loaderType.GetMethod(
@@ -104,6 +105,7 @@ static void Main(string[] args)
     //AssemblyLoader.IntegrityUrl = GetAppConfig("AssemblyIntegrityUrl");  // (Optional) Set the integrity URL
     AssemblyLoader.LoaderNamespace = typeof(Program).Namespace;
     AssemblyLoader.AppName = "WelsonJS";
+    //AssemblyLoader.AddAllowedUriScheme(Uri.UriSchemeHttp); // (Optional) Allow insecure HTTP (not recommended)
     AssemblyLoader.Register();
 
     AssemblyLoader.LoadNativeModules(