caruso 0.5.4 → 0.6.2

data/lib/caruso/cli.rb

@@ -20,8 +20,10 @@ module Caruso
       fetcher = Caruso::Fetcher.new(url, ref: options[:ref])
 
       # For Git repos, clone/update the cache (skip in test mode to allow fake URLs)
-      if (source == "github" || url.match?(/\Ahttps?:/) || url.match?(%r{[^/]+/[^/]+})) && !ENV["CARUSO_TESTING_SKIP_CLONE"]
-        fetcher.clone_git_repo({"url" => url, "source" => source})
+      # Fixed ReDoS: Use anchored regex and limit input length to prevent catastrophic backtracking
+      is_owner_repo = url.length < 256 && url.match?(%r{\A[^/]+/[^/]+\z})
+      if (source == "github" || url.match?(/\Ahttps?:/) || is_owner_repo) && !ENV["CARUSO_TESTING_SKIP_CLONE"]
+        fetcher.clone_git_repo({ "url" => url, "source" => source })
       end
 
       # Read marketplace name from marketplace.json
@@ -49,27 +51,30 @@ module Caruso
       end
     end
 
-    desc "remove NAME", "Remove a marketplace"
-    def remove(name)
+    desc "remove NAME_OR_URL", "Remove a marketplace"
+    def remove(name_or_url)
       config_manager = load_config
+      marketplaces = config_manager.list_marketplaces
 
-      # Remove from config
-      config_manager.remove_marketplace(name)
-
-      # Remove from registry
-      registry = Caruso::MarketplaceRegistry.new
-      marketplace = registry.get_marketplace(name)
-      if marketplace
-        cache_dir = marketplace["install_location"]
-        registry.remove_marketplace(name)
-
-        # Inform about cache directory
-        if Dir.exist?(cache_dir)
-          puts "Cache directory still exists at: #{cache_dir}"
-          puts "Run 'rm -rf #{cache_dir}' to delete it if desired."
+      # Try to find by name first
+      if marketplaces.key?(name_or_url)
+        name = name_or_url
+      else
+        # Try to find by URL
+        # We need to check exact match or maybe normalized match
+        match = marketplaces.find { |_, details| details["url"] == name_or_url || details["url"].chomp(".git") == name_or_url }
+        if match
+          name = match[0]
+        else
+          puts "Marketplace '#{name_or_url}' not found."
+          return
         end
       end
 
+      # Use Remover to handle cleanup
+      remover = Caruso::Remover.new(config_manager)
+      remover.remove_marketplace(name)
+
       puts "Removed marketplace '#{name}'"
     end
 
@@ -86,14 +91,14 @@ module Caruso
       end
 
       puts "Marketplace: #{name}"
-      puts "  Source: #{marketplace['source']}" if marketplace['source']
+      puts "  Source: #{marketplace['source']}" if marketplace["source"]
       puts "  URL: #{marketplace['url']}"
       puts "  Location: #{marketplace['install_location']}"
       puts "  Last Updated: #{marketplace['last_updated']}"
-      puts "  Ref: #{marketplace['ref']}" if marketplace['ref']
+      puts "  Ref: #{marketplace['ref']}" if marketplace["ref"]
 
       # Check if directory actually exists
-      if Dir.exist?(marketplace['install_location'])
+      if Dir.exist?(marketplace["install_location"])
         puts "  Status: ✓ Cached locally"
       else
         puts "  Status: ✗ Cache directory missing"
@@ -105,12 +110,12 @@ module Caruso
       config_manager = load_config
       marketplaces = config_manager.list_marketplaces
 
+      if marketplaces.empty?
+        puts "No marketplaces configured. Use 'caruso marketplace add <url>' to get started."
+        return
+      end
       if name
         # Update specific marketplace
-        if marketplaces.empty?
-          puts "No marketplaces configured. Use 'caruso marketplace add <url>' to get started."
-          return
-        end
 
         marketplace_details = config_manager.get_marketplace_details(name)
         unless marketplace_details
@@ -121,7 +126,8 @@ module Caruso
 
         puts "Updating marketplace '#{name}'..."
         begin
-          fetcher = Caruso::Fetcher.new(marketplace_details["url"], marketplace_name: name, ref: marketplace_details["ref"])
+          fetcher = Caruso::Fetcher.new(marketplace_details["url"], marketplace_name: name,
+                                                                    ref: marketplace_details["ref"])
           fetcher.update_cache
           puts "Updated marketplace '#{name}'"
         rescue StandardError => e
@@ -129,25 +135,19 @@ module Caruso
         end
       else
         # Update all marketplaces
-        if marketplaces.empty?
-          puts "No marketplaces configured. Use 'caruso marketplace add <url>' to get started."
-          return
-        end
 
         puts "Updating all marketplaces..."
         success_count = 0
         error_count = 0
 
         marketplaces.each do |marketplace_name, details|
-          begin
-            puts "  Updating #{marketplace_name}..."
-            fetcher = Caruso::Fetcher.new(details["url"], marketplace_name: marketplace_name, ref: details["ref"])
-            fetcher.update_cache
-            success_count += 1
-          rescue StandardError => e
-            puts "  Error updating #{marketplace_name}: #{e.message}"
-            error_count += 1
-          end
+          puts "  Updating #{marketplace_name}..."
+          fetcher = Caruso::Fetcher.new(details["url"], marketplace_name: marketplace_name, ref: details["ref"])
+          fetcher.update_cache
+          success_count += 1
+        rescue StandardError => e
+          puts "  Error updating #{marketplace_name}: #{e.message}"
+          error_count += 1
         end
 
         puts "\nUpdated #{success_count} marketplace(s)" + (error_count.positive? ? " (#{error_count} failed)" : "")
@@ -263,15 +263,9 @@ module Caruso
       end
 
       puts "Removing #{plugin_key}..."
-      files_to_remove = config_manager.remove_plugin(plugin_key)
 
-      files_to_remove.each do |file|
-        full_path = File.join(config_manager.project_dir, file)
-        if File.exist?(full_path)
-          File.delete(full_path)
-          puts "  Deleted #{file}"
-        end
-      end
+      remover = Caruso::Remover.new(config_manager)
+      remover.remove_plugin(plugin_key)
 
       puts "Uninstalled #{plugin_key}."
     end
@@ -323,14 +317,12 @@ module Caruso
         error_count = 0
 
         installed_plugins.each do |key, plugin_data|
-          begin
-            puts "  Updating #{key}..."
-            update_single_plugin(key, plugin_data, config_manager)
-            success_count += 1
-          rescue StandardError => e
-            puts "  Error updating #{key}: #{e.message}"
-            error_count += 1
-          end
+          puts "  Updating #{key}..."
+          update_single_plugin(key, plugin_data, config_manager)
+          success_count += 1
+        rescue StandardError => e
+          puts "  Error updating #{key}: #{e.message}"
+          error_count += 1
         end
 
         puts "\nUpdated #{success_count} plugin(s)" + (error_count.positive? ? " (#{error_count} failed)" : "")
@@ -377,7 +369,7 @@ module Caruso
     desc "outdated", "Show plugins with available updates"
     def outdated
       config_manager = load_config
-      target_dir = config_manager.full_target_path
+      config_manager.full_target_path
 
       installed_plugins = config_manager.list_plugins
 
@@ -389,7 +381,7 @@ module Caruso
       puts "Checking for updates..."
       outdated_plugins = []
 
-      marketplaces = config_manager.list_marketplaces
+      config_manager.list_marketplaces
 
       installed_plugins.each do |key, plugin_data|
         marketplace_name = plugin_data["marketplace"]
@@ -399,7 +391,8 @@ module Caruso
         next unless marketplace_details
 
         begin
-          fetcher = Caruso::Fetcher.new(marketplace_details["url"], marketplace_name: marketplace_name, ref: marketplace_details["ref"])
+          Caruso::Fetcher.new(marketplace_details["url"], marketplace_name: marketplace_name,
+                                                          ref: marketplace_details["ref"])
           # For now, we'll just report that updates might be available
           # Full version comparison would require version tracking in marketplace.json
           outdated_plugins << {
@@ -438,7 +431,8 @@ module Caruso
       end
 
       # Update marketplace cache first
-      fetcher = Caruso::Fetcher.new(marketplace_details["url"], marketplace_name: marketplace_name, ref: marketplace_details["ref"])
+      fetcher = Caruso::Fetcher.new(marketplace_details["url"], marketplace_name: marketplace_name,
+                                                                ref: marketplace_details["ref"])
       fetcher.update_cache
 
       # Parse plugin name from key (plugin@marketplace)

data/lib/caruso/config_manager.rb

@@ -150,6 +150,23 @@ module Caruso
       save_project_config(data)
     end
 
+    def remove_marketplace_with_plugins(marketplace_name)
+      files_to_remove = []
+
+      # Find and remove all plugins associated with this marketplace
+      installed_plugins = list_plugins
+      installed_plugins.each do |plugin_key, details|
+        if details["marketplace"] == marketplace_name
+          files_to_remove.concat(remove_plugin(plugin_key))
+        end
+      end
+
+      # Remove the marketplace itself
+      remove_marketplace(marketplace_name)
+
+      files_to_remove.uniq
+    end
+
     def list_marketplaces
       load_project_config["marketplaces"] || {}
     end
@@ -167,6 +184,7 @@ module Caruso
 
     def load_project_config
       return {} unless File.exist?(@project_config_path)
+
       JSON.parse(File.read(@project_config_path))
     rescue JSON::ParserError
       {}
@@ -178,6 +196,7 @@ module Caruso
 
     def load_local_config
       return {} unless File.exist?(@local_config_path)
+
       JSON.parse(File.read(@local_config_path))
     rescue JSON::ParserError
       {}

data/lib/caruso/fetcher.rb

@@ -5,6 +5,9 @@ require "faraday"
 require "fileutils"
 require "uri"
 require "git"
+require_relative "safe_file"
+require_relative "safe_dir"
+require_relative "path_sanitizer"
 
 module Caruso
   class Fetcher
@@ -49,7 +52,7 @@ module Caruso
     end
 
     def update_cache
-      return unless Dir.exist?(cache_dir)
+      return unless SafeDir.exist?(cache_dir)
 
       Dir.chdir(cache_dir) do
         git = Git.open(".")
@@ -61,7 +64,7 @@ module Caruso
       end
 
       @registry.update_timestamp(@marketplace_name)
-    rescue => e
+    rescue StandardError => e
       handle_git_error(e)
     end
 
@@ -69,10 +72,10 @@ module Caruso
       url = source_config["url"] || source_config["repo"]
       url = "https://github.com/#{url}.git" if source_config["source"] == "github" && !url.match?(/\Ahttps?:/)
 
-      repo_name = URI.parse(url).path.split("/").last.sub(".git", "")
+      URI.parse(url).path.split("/").last.sub(".git", "")
       target_path = cache_dir
 
-      unless Dir.exist?(target_path)
+      unless SafeDir.exist?(target_path)
         # Clone the repository
         FileUtils.mkdir_p(File.dirname(target_path))
         Git.clone(url, target_path)
@@ -105,7 +108,7 @@ module Caruso
     def load_marketplace
       if local_path?
         # If marketplace_uri is a directory, find marketplace.json in it
-        if File.directory?(@marketplace_uri)
+        if SafeDir.exist?(@marketplace_uri)
           json_path = File.join(@marketplace_uri, ".claude-plugin", "marketplace.json")
           json_path = File.join(@marketplace_uri, "marketplace.json") unless File.exist?(json_path)
 
@@ -122,7 +125,7 @@ module Caruso
           @base_dir = File.dirname(@base_dir)
         end
 
-        JSON.parse(File.read(@marketplace_uri))
+        JSON.parse(SafeFile.read(@marketplace_uri))
       elsif github_repo?
         # Clone repo and read marketplace.json from it
         repo_path = clone_git_repo("url" => @marketplace_uri, "source" => "github")
@@ -138,7 +141,7 @@ module Caruso
         @marketplace_uri = json_path
         @base_dir = repo_path # Base dir is the repo root, regardless of where json is
 
-        JSON.parse(File.read(json_path))
+        JSON.parse(SafeFile.read(json_path))
       else
         response = Faraday.get(@marketplace_uri)
         JSON.parse(response.body)
@@ -146,6 +149,10 @@ module Caruso
     end
 
     def github_repo?
+      # Fixed ReDoS: Add length check to prevent catastrophic backtracking
+      # GitHub URLs and owner/repo format should be reasonably short
+      return false if @marketplace_uri.length > 512
+
       @marketplace_uri.match?(%r{\Ahttps://github\.com/[^/]+/[^/]+}) ||
         @marketplace_uri.match?(%r{\A[^/]+/[^/]+\z}) # owner/repo format
     end
@@ -153,7 +160,25 @@ module Caruso
     def fetch_plugin(plugin)
       source = plugin["source"]
       plugin_path = resolve_plugin_path(source)
-      return [] unless plugin_path && Dir.exist?(plugin_path)
+      return [] unless plugin_path
+
+      # Validate that plugin_path is safe before using it
+      # resolve_plugin_path returns paths from trusted sources:
+      # - cache_dir (under ~/.caruso/marketplaces/)
+      # - validated local paths relative to @base_dir
+      # However, we still validate to ensure no path traversal
+      begin
+        # For paths under ~/.caruso, validate against home directory
+        # For local paths, they're already validated in resolve_plugin_path
+        if plugin_path.start_with?(File.join(Dir.home, ".caruso"))
+          PathSanitizer.sanitize_path(plugin_path, base_dir: File.join(Dir.home, ".caruso"))
+        end
+      rescue PathSanitizer::PathTraversalError => e
+        warn "Invalid plugin path '#{plugin_path}': #{e.message}"
+        return []
+      end
+
+      return [] unless SafeDir.exist?(plugin_path)
 
       # Start with default directories
       files = find_steering_files(plugin_path)
@@ -186,7 +211,12 @@ module Caruso
     end
 
     def find_steering_files(plugin_path)
-      Dir.glob(File.join(plugin_path, "{commands,agents,skills}/**/*.md")).reject do |file|
+      # Validate plugin_path before using it in glob
+      # This is safe because plugin_path comes from resolve_plugin_path which returns trusted paths
+      # (either from cache_dir which is under ~/.caruso, or validated local paths)
+      glob_pattern = PathSanitizer.safe_join(plugin_path, "{commands,agents,skills}", "**", "*.md")
+
+      SafeDir.glob(glob_pattern, base_dir: plugin_path).reject do |file|
         basename = File.basename(file).downcase
         ["readme.md", "license.md"].include?(basename)
       end
@@ -199,16 +229,23 @@ module Caruso
 
       files = []
       paths.each do |path|
-        # Resolve the path relative to plugin_path
-        full_path = File.expand_path(path, plugin_path)
+        # Resolve and sanitize the path relative to plugin_path
+        # This ensures the path stays within plugin_path boundaries
+        begin
+          full_path = PathSanitizer.sanitize_path(File.expand_path(path, plugin_path), base_dir: plugin_path)
+        rescue PathSanitizer::PathTraversalError => e
+          warn "Skipping path outside plugin directory '#{path}': #{e.message}"
+          next
+        end
 
         # Handle both files and directories
         if File.file?(full_path) && full_path.end_with?(".md")
           basename = File.basename(full_path).downcase
           files << full_path unless ["readme.md", "license.md"].include?(basename)
-        elsif Dir.exist?(full_path)
-          # Find all .md files in this directory
-          Dir.glob(File.join(full_path, "**/*.md")).each do |file|
+        elsif SafeDir.exist?(full_path, base_dir: plugin_path)
+          # Find all .md files in this directory using safe_join
+          glob_pattern = PathSanitizer.safe_join(full_path, "**", "*.md")
+          SafeDir.glob(glob_pattern, base_dir: plugin_path).each do |file|
             basename = File.basename(file).downcase
             files << file unless ["readme.md", "license.md"].include?(basename)
           end

data/lib/caruso/marketplace_registry.rb

@@ -15,7 +15,7 @@ module Caruso
     def add_marketplace(name, url, install_location, ref: nil, source: "git")
       data = load_registry
       data[name] = {
-        "source" => source,  # github, git, url, local, directory
+        "source" => source, # github, git, url, local, directory
         "url" => url,
         "install_location" => install_location,
         "last_updated" => Time.now.iso8601,
@@ -51,7 +51,7 @@ module Caruso
 
     # Enhancement #3: Schema validation
     def validate_marketplace_entry(entry)
-      required = ["url", "install_location", "last_updated"]
+      required = %w[url install_location last_updated]
       missing = required - entry.keys
 
       unless missing.empty?
@@ -71,7 +71,7 @@ module Caruso
       data = JSON.parse(File.read(@registry_path))
 
       # Validate each entry
-      data.each do |name, entry|
+      data.each_value do |entry|
         validate_marketplace_entry(entry)
       end
 

data/lib/caruso/path_sanitizer.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require "pathname"
+
+module Caruso
+  # PathSanitizer provides utilities to validate and sanitize file paths
+  # to prevent path traversal attacks and ensure paths stay within expected boundaries
+  module PathSanitizer
+    class PathTraversalError < StandardError; end
+
+    # Validates that a path doesn't contain path traversal sequences
+    # and stays within the expected base directory
+    #
+    # @param path [String] The path to validate
+    # @param base_dir [String] Optional base directory to validate against
+    # @return [String] The validated, normalized path
+    # @raise [PathTraversalError] if path contains traversal sequences or escapes base_dir
+    def self.sanitize_path(path, base_dir: nil)
+      return nil if path.nil? || path.empty?
+
+      # Normalize the path to resolve any . or .. components
+      normalized_path = Pathname.new(path).expand_path
+
+      # If base_dir is provided, ensure the path stays within it
+      if base_dir
+        normalized_base = Pathname.new(base_dir).expand_path
+
+        # Check if path is within base using relative_path_from
+        # This will raise ArgumentError if path is not within base
+        begin
+          relative = normalized_path.relative_path_from(normalized_base)
+          # Check that the relative path doesn't start with ..
+          if relative.to_s.start_with?("..")
+            raise PathTraversalError, "Path escapes base directory: #{path}"
+          end
+        rescue ArgumentError
+          # Paths on different drives/volumes
+          raise PathTraversalError, "Path is not within base directory: #{path}"
+        end
+      end
+
+      normalized_path.to_s
+    end
+
+    # Safely joins path components, ensuring no traversal attacks
+    #
+    # @param base [String] The base directory
+    # @param *parts [String] Path components to join
+    # @return [String] The sanitized joined path
+    # @raise [PathTraversalError] if result would escape base directory
+    def self.safe_join(base, *parts)
+      # Join the parts
+      joined = File.join(base, *parts)
+
+      # Validate the result stays within base
+      sanitize_path(joined, base_dir: base)
+    end
+  end
+end

data/lib/caruso/remover.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require_relative "marketplace_registry"
+
+module Caruso
+  class Remover
+    attr_reader :config_manager
+
+    def initialize(config_manager)
+      @config_manager = config_manager
+    end
+
+    def remove_marketplace(name)
+      # 1. Remove from config and get associated plugin files
+      # This updates both project config (plugins) and local config (files)
+      files_to_remove = config_manager.remove_marketplace_with_plugins(name)
+
+      # 2. Delete the actual files
+      delete_files(files_to_remove)
+
+      # 3. Clean up registry cache
+      remove_from_registry(name)
+    end
+
+    def remove_plugin(name)
+      # 1. Remove from config
+      files_to_remove = config_manager.remove_plugin(name)
+
+      # 2. Delete files
+      delete_files(files_to_remove)
+    end
+
+    private
+
+    def delete_files(files)
+      files.each do |file|
+        full_path = File.join(config_manager.project_dir, file)
+        if File.exist?(full_path)
+          File.delete(full_path)
+          puts "  Deleted #{file}"
+        end
+      end
+    end
+
+    def remove_from_registry(name)
+      registry = Caruso::MarketplaceRegistry.new
+      marketplace = registry.get_marketplace(name)
+      return unless marketplace
+
+      cache_dir = marketplace["install_location"]
+      registry.remove_marketplace(name)
+
+      # Inform about cache directory
+      return unless Dir.exist?(cache_dir)
+
+      puts "Cache directory still exists at: #{cache_dir}"
+      puts "Run 'rm -rf #{cache_dir}' to delete it if desired."
+    end
+  end
+end

data/lib/caruso/safe_dir.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require_relative "path_sanitizer"
+
+module Caruso
+  class SafeDir
+    class Error < StandardError; end
+    class SecurityError < Error; end
+
+    # Safely checks if a directory exists
+    #
+    # @param path [String] The path to check
+    # @param base_dir [String] Optional base directory to restrict access to
+    # @return [Boolean] true if directory exists and is safe
+    def self.exist?(path, base_dir: nil)
+      safe_path = sanitize(path, base_dir)
+      Dir.exist?(safe_path)
+    rescue SecurityError
+      false
+    end
+
+    # Safely globs files
+    #
+    # @param pattern [String] The glob pattern
+    # @param base_dir [String] Optional base directory to restrict access to
+    # @return [Array<String>] Matching file paths
+    def self.glob(pattern, base_dir: nil)
+      # For glob, we need to be careful. Ideally we validate the base of the pattern.
+      # If pattern contains wildcards, we can't easily sanitize the whole string as a path.
+      # So we rely on the caller to have constructed the pattern safely (e.g. using safe_join).
+      # But we can still check if the resolved paths are safe if base_dir is provided.
+
+      Dir.glob(pattern).select do |path|
+        if base_dir
+          begin
+            PathSanitizer.sanitize_path(path, base_dir: base_dir)
+            true
+          rescue PathSanitizer::PathTraversalError
+            false
+          end
+        else
+          true
+        end
+      end
+    end
+
+    def self.sanitize(path, base_dir)
+      PathSanitizer.sanitize_path(path, base_dir: base_dir)
+    rescue PathSanitizer::PathTraversalError => e
+      raise SecurityError, "Invalid directory path: #{e.message}"
+    end
+    private_class_method :sanitize
+  end
+end

data/lib/caruso/safe_file.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require_relative "path_sanitizer"
+
+module Caruso
+  class SafeFile
+    class Error < StandardError; end
+    class NotFoundError < Error; end
+    class SecurityError < Error; end
+
+    # Safely reads a file from the filesystem
+    #
+    # @param path [String] The path to the file to read
+    # @param base_dir [String] Optional base directory to restrict access to
+    # @return [String] The file content
+    # @raise [NotFoundError] if the file does not exist or is not a file
+    # @raise [SecurityError] if the path is unsafe or outside base_dir
+    def self.read(path, base_dir: nil)
+      # 1. Sanitize and validate path
+      begin
+        safe_path = PathSanitizer.sanitize_path(path, base_dir: base_dir)
+      rescue PathSanitizer::PathTraversalError => e
+        raise SecurityError, "Invalid file path: #{e.message}"
+      end
+
+      # 2. Check existence and type
+      unless File.exist?(safe_path)
+        raise NotFoundError, "File not found: #{path}"
+      end
+
+      unless File.file?(safe_path)
+        raise NotFoundError, "Path is not a regular file: #{path}"
+      end
+
+      # 3. Read content
+      File.read(safe_path)
+    end
+  end
+end

data/lib/caruso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Caruso
-  VERSION = "0.5.4"
+  VERSION = "0.6.2"
 end

data/lib/caruso.rb

@@ -1,10 +1,13 @@
 # frozen_string_literal: true
 
+require_relative "caruso/safe_file"
+require_relative "caruso/safe_dir"
 require_relative "caruso/version"
 require_relative "caruso/config_manager"
 require_relative "caruso/fetcher"
 require_relative "caruso/adapter"
 require_relative "caruso/marketplace_registry"
+require_relative "caruso/remover"
 
 require_relative "caruso/cli"