coder
diff --git a/‎.github/ISSUE_TEMPLATE/1-bug.yaml
+1-1 b/‎.github/ISSUE_TEMPLATE/1-bug.yaml
+1-1
diff --git a/‎.github/actions/setup-tf/action.yaml
+1-1 b/‎.github/actions/setup-tf/action.yaml
+1-1
diff --git a/‎.github/workflows/ci.yaml
+4-4 b/‎.github/workflows/ci.yaml
+4-4
diff --git a/‎.github/workflows/dogfood.yaml
+1-1 b/‎.github/workflows/dogfood.yaml
+1-1
diff --git a/‎.github/workflows/release.yaml
+1-1 b/‎.github/workflows/release.yaml
+1-1
diff --git a/‎.github/workflows/scorecard.yml
+1-1 b/‎.github/workflows/scorecard.yml
+1-1
diff --git a/‎.github/workflows/security.yaml
+3-3 b/‎.github/workflows/security.yaml
+3-3
diff --git a/‎agent/agentcontainers/containers_dockercli.go
+7-6 b/‎agent/agentcontainers/containers_dockercli.go
+7-6
diff --git a/‎agent/agentcontainers/containers_internal_test.go
+14-6 b/‎agent/agentcontainers/containers_internal_test.go
+14-6
diff --git a/‎agent/agentcontainers/devcontainer_meta.go
+5 b/‎agent/agentcontainers/devcontainer_meta.go
+5
diff --git a/‎agent/api.go
+1 b/‎agent/api.go
+1
diff --git a/‎agent/ls.go
+181 b/‎agent/ls.go
+181
@@ -1,6 +1,6 @@
 name: "🐞 Bug"
 description: "File a bug report."
-title: "<title>"
+title: "bug: "
 labels: ["needs-triage"]
 body:
   - type: checkboxes
 
@@ -7,5 +7,5 @@ runs:
     - name: Install Terraform
       uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
       with:
-        terraform_version: 1.10.5
+        terraform_version: 1.11.0
         terraform_wrapper: false
@@ -178,7 +178,7 @@ jobs:
           echo "LINT_CACHE_DIR=$dir" >> $GITHUB_ENV
 
       - name: golangci-lint cache
-        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4.2.1
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
         with:
           path: |
             ${{ env.LINT_CACHE_DIR }}
@@ -188,7 +188,7 @@ jobs:
 
       # Check for any typos
       - name: Check for typos
-        uses: crate-ci/typos@212923e4ff05b7fc2294a204405eec047b807138 # v1.29.9
+        uses: crate-ci/typos@db35ee91e80fbb447f33b0e5fbddb24d2a1a884f # v1.29.10
         with:
           config: .github/workflows/typos.toml
 
@@ -1092,7 +1092,7 @@ jobs:
         uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
 
       - name: Download dylibs
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: dylibs
           path: ./build
@@ -1236,7 +1236,7 @@ jobs:
           version: "2.5.1"
 
       - name: Get Cluster Credentials
-        uses: google-github-actions/get-gke-credentials@7a108e64ed8546fe38316b4086e91da13f4785e1 # v2.3.1
+        uses: google-github-actions/get-gke-credentials@d0cee45012069b163a631894b98904a9e6723729 # v2.3.3
         with:
           cluster_name: dogfood-v2
           location: us-central1-a
 
@@ -53,7 +53,7 @@ jobs:
         uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
       - name: Login to DockerHub
         if: github.ref == 'refs/heads/main'
 
@@ -286,7 +286,7 @@ jobs:
         uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
 
       - name: Download dylibs
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: dylibs
           path: ./build
 
@@ -47,6 +47,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
         with:
           sarif_file: results.sarif
@@ -38,7 +38,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
         with:
           languages: go, javascript
 
@@ -48,7 +48,7 @@ jobs:
           rm Makefile
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
 
       - name: Send Slack notification on failure
         if: ${{ failure() }}
@@ -144,7 +144,7 @@ jobs:
           severity: "CRITICAL,HIGH"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
         with:
           sarif_file: trivy-results.sarif
           category: "Trivy"
 
@@ -182,17 +182,18 @@ func devcontainerEnv(ctx context.Context, execer agentexec.Execer, container str
 	if !ok {
 		return nil, nil
 	}
-	meta := struct {
-		RemoteEnv map[string]string `json:"remoteEnv"`
-	}{}
+
+	meta := make([]DevContainerMeta, 0)
 	if err := json.Unmarshal([]byte(rawMeta), &meta); err != nil {
 		return nil, xerrors.Errorf("unmarshal devcontainer.metadata: %w", err)
 	}
 
 	// The environment variables are stored in the `remoteEnv` key.
-	env := make([]string, 0, len(meta.RemoteEnv))
-	for k, v := range meta.RemoteEnv {
-		env = append(env, fmt.Sprintf("%s=%s", k, v))
+	env := make([]string, 0)
+	for _, m := range meta {
+		for k, v := range m.RemoteEnv {
+			env = append(env, fmt.Sprintf("%s=%s", k, v))
+		}
 	}
 	slices.Sort(env)
 	return env, nil
 
@@ -53,7 +53,7 @@ func TestIntegrationDocker(t *testing.T) {
 		Cmd:        []string{"sleep", "infnity"},
 		Labels: map[string]string{
 			"com.coder.test":        testLabelValue,
-			"devcontainer.metadata": `{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}`,
+			"devcontainer.metadata": `[{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}]`,
 		},
 		Mounts:       []string{testTempDir + ":" + testTempDir},
 		ExposedPorts: []string{fmt.Sprintf("%d/tcp", testRandPort)},
@@ -437,38 +437,46 @@ func TestDockerEnvInfoer(t *testing.T) {
 	}{
 		{
 			image:  "busybox:latest",
-			labels: map[string]string{`devcontainer.metadata`: `{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}`},
+			labels: map[string]string{`devcontainer.metadata`: `[{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}]`},
 
 			expectedEnv:       []string{"FOO=bar", "MULTILINE=foo\nbar\nbaz"},
 			expectedUsername:  "root",
 			expectedUserShell: "/bin/sh",
 		},
 		{
 			image:             "busybox:latest",
-			labels:            map[string]string{`devcontainer.metadata`: `{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}`},
+			labels:            map[string]string{`devcontainer.metadata`: `[{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}]`},
 			expectedEnv:       []string{"FOO=bar", "MULTILINE=foo\nbar\nbaz"},
 			containerUser:     "root",
 			expectedUsername:  "root",
 			expectedUserShell: "/bin/sh",
 		},
 		{
 			image:             "codercom/enterprise-minimal:ubuntu",
-			labels:            map[string]string{`devcontainer.metadata`: `{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}`},
+			labels:            map[string]string{`devcontainer.metadata`: `[{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}]`},
 			expectedEnv:       []string{"FOO=bar", "MULTILINE=foo\nbar\nbaz"},
 			expectedUsername:  "coder",
 			expectedUserShell: "/bin/bash",
 		},
 		{
 			image:             "codercom/enterprise-minimal:ubuntu",
-			labels:            map[string]string{`devcontainer.metadata`: `{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}`},
+			labels:            map[string]string{`devcontainer.metadata`: `[{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}]`},
 			expectedEnv:       []string{"FOO=bar", "MULTILINE=foo\nbar\nbaz"},
 			containerUser:     "coder",
 			expectedUsername:  "coder",
 			expectedUserShell: "/bin/bash",
 		},
 		{
 			image:             "codercom/enterprise-minimal:ubuntu",
-			labels:            map[string]string{`devcontainer.metadata`: `{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}`},
+			labels:            map[string]string{`devcontainer.metadata`: `[{"remoteEnv": {"FOO": "bar", "MULTILINE": "foo\nbar\nbaz"}}]`},
+			expectedEnv:       []string{"FOO=bar", "MULTILINE=foo\nbar\nbaz"},
+			containerUser:     "root",
+			expectedUsername:  "root",
+			expectedUserShell: "/bin/bash",
+		},
+		{
+			image:             "codercom/enterprise-minimal:ubuntu",
+			labels:            map[string]string{`devcontainer.metadata`: `[{"remoteEnv": {"FOO": "bar"}},{"remoteEnv": {"MULTILINE": "foo\nbar\nbaz"}}]`},
 			expectedEnv:       []string{"FOO=bar", "MULTILINE=foo\nbar\nbaz"},
 			containerUser:     "root",
 			expectedUsername:  "root",
 
@@ -0,0 +1,5 @@
+package agentcontainers
+
+type DevContainerMeta struct {
+	RemoteEnv map[string]string `json:"remoteEnv,omitempty"`
+}
@@ -41,6 +41,7 @@ func (a *agent) apiHandler() http.Handler {
 	r.Get("/api/v0/containers", ch.ServeHTTP)
 	r.Get("/api/v0/listening-ports", lp.handler)
 	r.Get("/api/v0/netcheck", a.HandleNetcheck)
+	r.Post("/api/v0/list-directory", a.HandleLS)
 	r.Get("/debug/logs", a.HandleHTTPDebugLogs)
 	r.Get("/debug/magicsock", a.HandleHTTPDebugMagicsock)
 	r.Get("/debug/magicsock/debug-logging/{state}", a.HandleHTTPMagicsockDebugLoggingState)
 
@@ -0,0 +1,181 @@
+package agent
+
+import (
+	"errors"
+	"net/http"
+	"os"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"strings"
+
+	"github.com/shirou/gopsutil/v4/disk"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/codersdk"
+)
+
+var WindowsDriveRegex = regexp.MustCompile(`^[a-zA-Z]:\\$`)
+
+func (*agent) HandleLS(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	var query LSRequest
+	if !httpapi.Read(ctx, rw, r, &query) {
+		return
+	}
+
+	resp, err := listFiles(query)
+	if err != nil {
+		status := http.StatusInternalServerError
+		switch {
+		case errors.Is(err, os.ErrNotExist):
+			status = http.StatusNotFound
+		case errors.Is(err, os.ErrPermission):
+			status = http.StatusForbidden
+		default:
+		}
+		httpapi.Write(ctx, rw, status, codersdk.Response{
+			Message: err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, resp)
+}
+
+func listFiles(query LSRequest) (LSResponse, error) {
+	var fullPath []string
+	switch query.Relativity {
+	case LSRelativityHome:
+		home, err := os.UserHomeDir()
+		if err != nil {
+			return LSResponse{}, xerrors.Errorf("failed to get user home directory: %w", err)
+		}
+		fullPath = []string{home}
+	case LSRelativityRoot:
+		if runtime.GOOS == "windows" {
+			if len(query.Path) == 0 {
+				return listDrives()
+			}
+			if !WindowsDriveRegex.MatchString(query.Path[0]) {
+				return LSResponse{}, xerrors.Errorf("invalid drive letter %q", query.Path[0])
+			}
+		} else {
+			fullPath = []string{"/"}
+		}
+	default:
+		return LSResponse{}, xerrors.Errorf("unsupported relativity type %q", query.Relativity)
+	}
+
+	fullPath = append(fullPath, query.Path...)
+	fullPathRelative := filepath.Join(fullPath...)
+	absolutePathString, err := filepath.Abs(fullPathRelative)
+	if err != nil {
+		return LSResponse{}, xerrors.Errorf("failed to get absolute path of %q: %w", fullPathRelative, err)
+	}
+
+	f, err := os.Open(absolutePathString)
+	if err != nil {
+		return LSResponse{}, xerrors.Errorf("failed to open directory %q: %w", absolutePathString, err)
+	}
+	defer f.Close()
+
+	stat, err := f.Stat()
+	if err != nil {
+		return LSResponse{}, xerrors.Errorf("failed to stat directory %q: %w", absolutePathString, err)
+	}
+
+	if !stat.IsDir() {
+		return LSResponse{}, xerrors.Errorf("path %q is not a directory", absolutePathString)
+	}
+
+	// `contents` may be partially populated even if the operation fails midway.
+	contents, _ := f.ReadDir(-1)
+	respContents := make([]LSFile, 0, len(contents))
+	for _, file := range contents {
+		respContents = append(respContents, LSFile{
+			Name:               file.Name(),
+			AbsolutePathString: filepath.Join(absolutePathString, file.Name()),
+			IsDir:              file.IsDir(),
+		})
+	}
+
+	absolutePath := pathToArray(absolutePathString)
+
+	return LSResponse{
+		AbsolutePath:       absolutePath,
+		AbsolutePathString: absolutePathString,
+		Contents:           respContents,
+	}, nil
+}
+
+func listDrives() (LSResponse, error) {
+	partitionStats, err := disk.Partitions(true)
+	if err != nil {
+		return LSResponse{}, xerrors.Errorf("failed to get partitions: %w", err)
+	}
+	contents := make([]LSFile, 0, len(partitionStats))
+	for _, a := range partitionStats {
+		// Drive letters on Windows have a trailing separator as part of their name.
+		// i.e. `os.Open("C:")` does not work, but `os.Open("C:\\")` does.
+		name := a.Mountpoint + string(os.PathSeparator)
+		contents = append(contents, LSFile{
+			Name:               name,
+			AbsolutePathString: name,
+			IsDir:              true,
+		})
+	}
+
+	return LSResponse{
+		AbsolutePath:       []string{},
+		AbsolutePathString: "",
+		Contents:           contents,
+	}, nil
+}
+
+func pathToArray(path string) []string {
+	out := strings.FieldsFunc(path, func(r rune) bool {
+		return r == os.PathSeparator
+	})
+	// Drive letters on Windows have a trailing separator as part of their name.
+	// i.e. `os.Open("C:")` does not work, but `os.Open("C:\\")` does.
+	if runtime.GOOS == "windows" && len(out) > 0 {
+		out[0] += string(os.PathSeparator)
+	}
+	return out
+}
+
+type LSRequest struct {
+	// e.g. [], ["repos", "coder"],
+	Path []string `json:"path"`
+	// Whether the supplied path is relative to the user's home directory,
+	// or the root directory.
+	Relativity LSRelativity `json:"relativity"`
+}
+
+type LSResponse struct {
+	AbsolutePath []string `json:"absolute_path"`
+	// Returned so clients can display the full path to the user, and
+	// copy it to configure file sync
+	// e.g. Windows: "C:\\Users\\coder"
+	//      Linux: "/home/coder"
+	AbsolutePathString string   `json:"absolute_path_string"`
+	Contents           []LSFile `json:"contents"`
+}
+
+type LSFile struct {
+	Name string `json:"name"`
+	// e.g. "C:\\Users\\coder\\hello.txt"
+	//      "/home/coder/hello.txt"
+	AbsolutePathString string `json:"absolute_path_string"`
+	IsDir              bool   `json:"is_dir"`
+}
+
+type LSRelativity string
+
+const (
+	LSRelativityRoot LSRelativity = "root"
+	LSRelativityHome LSRelativity = "home"
+)