feat: enable serverside unbundling

johnstonmatt · johnstonmatt · commit 3eedb2c66bf4 · 2025-11-03T14:07:49.000-04:00
diff --git a/cmd/functions.go b/cmd/functions.go
@@ -49,7 +49,7 @@ var (
 		Long:  "Download the source code for a Function from the linked Supabase project.",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return download.Run(cmd.Context(), args[0], flags.ProjectRef, useLegacyBundle, afero.NewOsFs())
+			return download.Run(cmd.Context(), args[0], flags.ProjectRef, useLegacyBundle, useApi, useDocker, afero.NewOsFs())
 		},
 	}
 
@@ -154,6 +154,9 @@ func init() {
 	cobra.CheckErr(functionsServeCmd.Flags().MarkHidden("all"))
 	functionsDownloadCmd.Flags().StringVar(&flags.ProjectRef, "project-ref", "", "Project ref of the Supabase project.")
 	functionsDownloadCmd.Flags().BoolVar(&useLegacyBundle, "legacy-bundle", false, "Use legacy bundling mechanism.")
+	functionsDownloadCmd.Flags().BoolVar(&useApi, "use-api", false, "Use Management API to unbundle functions server-side.")
+	functionsDownloadCmd.Flags().BoolVar(&useDocker, "use-docker", false, "Use Docker to unbundle functions client-side.")
+	functionsDownloadCmd.MarkFlagsMutuallyExclusive("use-api", "use-docker", "legacy-bundle")
 	functionsCmd.AddCommand(functionsListCmd)
 	functionsCmd.AddCommand(functionsDeleteCmd)
 	functionsCmd.AddCommand(functionsDeployCmd)
diff --git a/internal/functions/download/download.go b/internal/functions/download/download.go
@@ -6,6 +6,8 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"mime"
+	"mime/multipart"
 	"net/http"
 	"os"
 	"os/exec"
@@ -112,15 +114,35 @@ func downloadFunction(ctx context.Context, projectRef, slug, extractScriptPath s
 	return nil
 }
 
-func Run(ctx context.Context, slug string, projectRef string, useLegacyBundle bool, fsys afero.Fs) error {
+func Run(ctx context.Context, slug string, projectRef string, useLegacyBundle bool, useApi bool, useDocker bool, fsys afero.Fs) error {
+	// Sanity check
+	if err := flags.LoadConfig(fsys); err != nil {
+		return err
+	}
+
 	if useLegacyBundle {
 		return RunLegacy(ctx, slug, projectRef, fsys)
 	}
-	// 1. Sanity check
-	if err := flags.LoadConfig(fsys); err != nil {
-		return err
+
+	if useApi {
+		// Use server-side unbundling with multipart/form-data
+		return downloadWithServerSideUnbundle(ctx, slug, projectRef, fsys)
 	}
-	// 2. Download eszip to temp file
+
+	if useDocker {
+		// download eszip file for client-side unbundling with edge-runtime
+		return downloadWithDockerUnbundle(ctx, slug, projectRef, fsys)
+	}
+
+	// Default: Try Docker first, fallback to server-side unbundling if Docker is not available
+	if utils.IsDockerRunning(ctx) {
+		return downloadWithDockerUnbundle(ctx, slug, projectRef, fsys)
+	}
+	fmt.Fprintln(os.Stderr, utils.Yellow("WARNING:"), "Docker is not running, falling back to server-side unbundling")
+	return downloadWithServerSideUnbundle(ctx, slug, projectRef, fsys)
+}
+
+func downloadWithDockerUnbundle(ctx context.Context, slug string, projectRef string, fsys afero.Fs) error {
 	eszipPath, err := downloadOne(ctx, slug, projectRef, fsys)
 	if err != nil {
 		return err
@@ -238,3 +260,138 @@ deno_version = 2
 func suggestLegacyBundle(slug string) string {
 	return fmt.Sprintf("\nIf your function is deployed using CLI < 1.120.0, trying running %s instead.", utils.Aqua("supabase functions download --legacy-bundle "+slug))
 }
+
+func downloadWithServerSideUnbundle(ctx context.Context, slug, projectRef string, fsys afero.Fs) error {
+	fmt.Fprintln(os.Stderr, "Downloading "+utils.Bold(slug))
+
+	// Request multipart/form-data response using RequestEditorFn
+	resp, err := utils.GetSupabase().V1GetAFunctionBody(ctx, projectRef, slug, func(ctx context.Context, req *http.Request) error {
+		req.Header.Set("Accept", "multipart/form-data")
+		return nil
+	})
+	if err != nil {
+		return errors.Errorf("failed to download function: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return errors.Errorf("Error status %d: %w", resp.StatusCode, err)
+		}
+		return errors.Errorf("Error status %d: %s", resp.StatusCode, string(body))
+	}
+
+	// Parse the multipart response
+	mediaType, params, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+	if err != nil {
+		return errors.Errorf("failed to parse content type: %w", err)
+	}
+
+	if !strings.HasPrefix(mediaType, "multipart/") {
+		return errors.Errorf("expected multipart response, got %s", mediaType)
+	}
+
+	// Create function directory
+	funcDir := filepath.Join(utils.FunctionsDir, slug)
+
+	if err := utils.MkdirIfNotExistFS(fsys, funcDir); err != nil {
+		return err
+	}
+
+	// Parse multipart form
+	mr := multipart.NewReader(resp.Body, params["boundary"])
+	for {
+		part, err := mr.NextPart()
+		if errors.Is(err, io.EOF) {
+			break
+		}
+		if err != nil {
+			return errors.Errorf("failed to read multipart: %w", err)
+		}
+
+		// Determine the relative path from headers to preserve directory structure.
+		relPath, err := resolvedPartPath(slug, part) // always starts with :slug
+		if err != nil {
+			return err
+		}
+
+		// result of invalid or missing filename but we're letting it slide
+		if relPath == "" {
+			fmt.Fprintln(utils.GetDebugLogger(), "Skipping part without filename")
+			continue
+		}
+
+		filePath, err := joinWithinDir(funcDir, relPath)
+		if err != nil {
+			return err
+		}
+
+		if err := utils.MkdirIfNotExistFS(fsys, filepath.Dir(filePath)); err != nil {
+			return err
+		}
+		if err := afero.WriteReader(fsys, filePath, part); err != nil {
+			return errors.Errorf("failed to write file: %w", err)
+		}
+	}
+
+	fmt.Println("Downloaded Function " + utils.Aqua(slug) + " from project " + utils.Aqua(projectRef) + ".")
+	return nil
+}
+
+// parse multipart part headers to read and sanitize relative file path for writing
+func resolvedPartPath(slug string, part *multipart.Part) (string, error) {
+	// dedicated header to specify relative path, not expected to be used
+	if relPath := part.Header.Get("Supabase-Path"); relPath != "" {
+		return normalizeRelativePath(slug, relPath), nil
+	}
+
+	// part.FileName() does not allow us to handle relative paths, so we parse Content-Disposition manually
+	cd := part.Header.Get("Content-Disposition")
+	if cd == "" {
+		return "", nil
+	}
+
+	_, params, err := mime.ParseMediaType(cd)
+	if err != nil {
+		return "", errors.Errorf("failed to parse content disposition: %w", err)
+	}
+
+	if filename := params["filename"]; filename != "" {
+		return normalizeRelativePath(slug, filename), nil
+	}
+	return "", nil
+}
+
+// remove leading source/ or :slug/
+func normalizeRelativePath(slug, raw string) string {
+	cleaned := path.Clean(raw)
+	if after, ok := strings.CutPrefix(cleaned, "source/"); ok {
+		cleaned = after
+	} else if after, ok := strings.CutPrefix(cleaned, slug+"/"); ok {
+		cleaned = after
+	} else if cleaned == slug {
+		// If the path is exactly :slug, skip it
+		cleaned = ""
+	}
+	return cleaned
+}
+
+// joinWithinDir safely joins base and rel ensuring the result stays within base directory
+func joinWithinDir(base, rel string) (string, error) {
+	cleanRel := filepath.Clean(rel)
+	// Be forgiving: treat a rooted path as relative to base (e.g. "/foo" -> "foo")
+	if filepath.IsAbs(cleanRel) {
+		cleanRel = strings.TrimLeft(cleanRel, "/\\")
+	}
+	if cleanRel == ".." || strings.HasPrefix(cleanRel, "../") {
+		return "", errors.Errorf("invalid file path outside function directory: %s", rel)
+	}
+	joined := filepath.Join(base, cleanRel)
+	cleanJoined := filepath.Clean(joined)
+	cleanBase := filepath.Clean(base)
+	if cleanJoined != cleanBase && !strings.HasPrefix(cleanJoined, cleanBase+"/") {
+		return "", errors.Errorf("refusing to write outside function directory: %s", rel)
+	}
+	return joined, nil
+}
diff --git a/internal/functions/download/download_test.go b/internal/functions/download/download_test.go
@@ -5,8 +5,12 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"mime/multipart"
 	"net/http"
+	"net/textproto"
 	"os"
+	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/h2non/gock"
@@ -61,7 +65,7 @@ func TestDownloadCommand(t *testing.T) {
 			Get("/v1/projects/" + project + "/functions/" + slug + "/body").
 			Reply(http.StatusOK)
 		// Run test
-		err = Run(context.Background(), slug, project, true, fsys)
+		err = Run(context.Background(), slug, project, true, false, false, fsys)
 		// Check error
 		assert.NoError(t, err)
 		assert.Empty(t, apitest.ListUnmatchedRequests())
@@ -73,7 +77,7 @@ func TestDownloadCommand(t *testing.T) {
 		// Setup valid project ref
 		project := apitest.RandomProjectRef()
 		// Run test
-		err := Run(context.Background(), "@", project, true, fsys)
+		err := Run(context.Background(), "@", project, true, false, false, fsys)
 		// Check error
 		assert.ErrorContains(t, err, "Invalid Function name.")
 	})
@@ -84,7 +88,7 @@ func TestDownloadCommand(t *testing.T) {
 		// Setup valid project ref
 		project := apitest.RandomProjectRef()
 		// Run test
-		err := Run(context.Background(), slug, project, true, fsys)
+		err := Run(context.Background(), slug, project, true, false, false, fsys)
 		// Check error
 		assert.ErrorContains(t, err, "operation not permitted")
 	})
@@ -98,7 +102,7 @@ func TestDownloadCommand(t *testing.T) {
 		_, err := fsys.Create(utils.DenoPathOverride)
 		require.NoError(t, err)
 		// Run test
-		err = Run(context.Background(), slug, project, true, afero.NewReadOnlyFs(fsys))
+		err = Run(context.Background(), slug, project, true, false, false, afero.NewReadOnlyFs(fsys))
 		// Check error
 		assert.ErrorContains(t, err, "operation not permitted")
 	})
@@ -121,7 +125,7 @@ func TestDownloadCommand(t *testing.T) {
 			Reply(http.StatusNotFound).
 			JSON(map[string]string{"message": "Function not found"})
 		// Run test
-		err = Run(context.Background(), slug, project, true, fsys)
+		err = Run(context.Background(), slug, project, true, false, false, fsys)
 		// Check error
 		assert.ErrorContains(t, err, "Function test-func does not exist on the Supabase project.")
 	})
@@ -235,3 +239,132 @@ func TestGetMetadata(t *testing.T) {
 		assert.Nil(t, meta)
 	})
 }
+
+func TestNormalizeRelativePath(t *testing.T) {
+	t.Parallel()
+
+	t.Run("returns cleaned relative path", func(t *testing.T) {
+		got := normalizeRelativePath("test-func", "src/index.ts")
+		assert.Equal(t, filepath.Join("src", "index.ts"), got)
+	})
+
+	t.Run("strips slug prefix", func(t *testing.T) {
+		got := normalizeRelativePath("test-func", "test-func/index.ts")
+		assert.Equal(t, "index.ts", got)
+	})
+
+	t.Run("strips source prefix", func(t *testing.T) {
+		got := normalizeRelativePath("test-func", "source/index.ts")
+		assert.Equal(t, "index.ts", got)
+	})
+
+	t.Run("skips slug directory itself", func(t *testing.T) {
+		got := normalizeRelativePath("test-func", "test-func")
+		assert.Equal(t, "", got)
+	})
+}
+
+func TestResolvedPartPath(t *testing.T) {
+	t.Parallel()
+
+	newPart := func(headers map[string]string) *multipart.Part {
+		mh := make(textproto.MIMEHeader, len(headers))
+		for k, v := range headers {
+			mh.Set(k, v)
+		}
+		return &multipart.Part{Header: mh}
+	}
+
+	t.Run("returns path from Supabase header", func(t *testing.T) {
+		part := newPart(map[string]string{
+			"Supabase-Path": "dir/file.ts",
+		})
+		got, err := resolvedPartPath("test-func", part)
+		require.NoError(t, err)
+		assert.Equal(t, filepath.Join("dir", "file.ts"), got)
+	})
+
+	t.Run("returns filename from content disposition", func(t *testing.T) {
+		part := newPart(map[string]string{
+			"Content-Disposition": `form-data; name="file"; filename="test-func/index.ts"`,
+		})
+		got, err := resolvedPartPath("test-func", part)
+		require.NoError(t, err)
+		assert.Equal(t, "index.ts", got)
+	})
+
+	t.Run("returns filename from editor-originated content disposition", func(t *testing.T) {
+		part := newPart(map[string]string{
+			"Content-Disposition": `form-data; name="file"; filename="source/index.ts"`,
+		})
+		got, err := resolvedPartPath("test-func", part)
+		require.NoError(t, err)
+		assert.Equal(t, "index.ts", got)
+	})
+
+	t.Run("writes file of arbitrary depth to slug directory", func(t *testing.T) {
+		part := newPart(map[string]string{
+			"Content-Disposition": `form-data; name="file"; filename="test-func/dir/subdir/file.ts"`,
+		})
+		got, err := resolvedPartPath("test-func", part)
+		require.NoError(t, err)
+		assert.Equal(t, filepath.Join("dir", "subdir", "file.ts"), got)
+	})
+
+	t.Run("returns empty when no filename provided", func(t *testing.T) {
+		part := newPart(map[string]string{
+			"Content-Disposition": `form-data; name="file"`,
+		})
+		got, err := resolvedPartPath("test-func", part)
+		require.NoError(t, err)
+		assert.Equal(t, "", got)
+	})
+
+	t.Run("returns error on invalid content disposition", func(t *testing.T) {
+		part := newPart(map[string]string{
+			"Content-Disposition": `form-data; filename="unterminated`,
+		})
+		got, err := resolvedPartPath("test-func", part)
+		require.ErrorContains(t, err, "failed to parse content disposition")
+		assert.Equal(t, "", got)
+	})
+}
+
+func TestJoinWithinDir(t *testing.T) {
+	t.Parallel()
+
+	base := filepath.Join(os.TempDir(), "base-dir")
+
+	t.Run("joins path within base directory", func(t *testing.T) {
+		got, err := joinWithinDir(base, filepath.Join("sub", "file.ts"))
+		require.NoError(t, err)
+		assert.True(t, strings.HasPrefix(filepath.Clean(got), filepath.Clean(base)+"/") || filepath.Clean(got) == filepath.Clean(base))
+	})
+
+	t.Run("treats leading slash as relative to base", func(t *testing.T) {
+		got, err := joinWithinDir(base, "/foo/bar.ts")
+		require.NoError(t, err)
+		assert.True(t, strings.HasPrefix(filepath.Clean(got), filepath.Clean(base)+"/"))
+		assert.Equal(t, filepath.Join(filepath.Clean(base), "foo", "bar.ts"), filepath.Clean(got))
+	})
+
+	t.Run("rejects absolute path", func(t *testing.T) {
+		abs := "/" + filepath.Join("etc", "passwd")
+		got, err := joinWithinDir(base, abs)
+		require.NoError(t, err)
+		assert.True(t, strings.HasPrefix(filepath.Clean(got), filepath.Clean(base)+"/"))
+	})
+
+	t.Run("rejects parent directory traversal", func(t *testing.T) {
+		got, err := joinWithinDir(base, filepath.Join("..", "escape"))
+		require.Error(t, err)
+		assert.Equal(t, "", got)
+	})
+
+	t.Run("accepts traversal within base directory", func(t *testing.T) {
+		base = os.TempDir()
+		got, err := joinWithinDir(base, filepath.Join("some", "..", "file.ts"))
+		require.NoError(t, err)
+		assert.Equal(t, filepath.Join(base, "file.ts"), got)
+	})
+}
