@apitap/core 1.4.0 → 1.4.1

package/src/skill/ssrf.ts

@@ -73,8 +73,12 @@ export function validateUrl(urlString: string): ValidationResult {
     return { safe: false, reason: `URL targets IPv6 unique-local address: ${hostname}` };
   }
 
-  // IPv4 private ranges
-  const ipv4Match = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+  // Normalize IP representations: decimal integer, octal, hex → dotted-decimal (M17 fix)
+  const normalizedIp = normalizeIpv4(hostname);
+  const ipToCheck = normalizedIp ?? hostname;
+
+  // IPv4 private/reserved ranges (M16: added CGNAT, IETF, benchmarking, reserved)
+  const ipv4Match = ipToCheck.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
   if (ipv4Match) {
     const [, a, b] = ipv4Match.map(Number);
     const first = Number(a);
@@ -104,11 +108,70 @@ export function validateUrl(urlString: string): ValidationResult {
     if (first === 169 && second === 254) {
       return { safe: false, reason: `URL targets link-local address: ${hostname}` };
     }
+    // 100.64.0.0/10 — CGNAT (RFC 6598), used in cloud/Tailscale
+    if (first === 100 && second >= 64 && second <= 127) {
+      return { safe: false, reason: `URL targets CGNAT address: ${hostname}` };
+    }
+    // 192.0.0.0/24 — IETF Protocol Assignments (RFC 6890)
+    if (first === 192 && second === 0 && Number(ipv4Match[3]) === 0) {
+      return { safe: false, reason: `URL targets IETF reserved address: ${hostname}` };
+    }
+    // 198.18.0.0/15 — Benchmarking (RFC 2544)
+    if (first === 198 && (second === 18 || second === 19)) {
+      return { safe: false, reason: `URL targets benchmarking address: ${hostname}` };
+    }
+    // 240.0.0.0/4 — Reserved/future use
+    if (first >= 240) {
+      return { safe: false, reason: `URL targets reserved address: ${hostname}` };
+    }
   }
 
   return { safe: true };
 }
 
+/**
+ * Normalize alternative IPv4 representations to dotted-decimal.
+ * Handles decimal integer (2130706433), octal (0177.0.0.1), and hex (0x7f.0.0.1).
+ * Returns null if hostname is not an IP address or can't be parsed.
+ */
+function normalizeIpv4(hostname: string): string | null {
+  // Already standard dotted-decimal
+  if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+    return hostname;
+  }
+
+  // Pure decimal integer (e.g. 2130706433 = 127.0.0.1)
+  if (/^\d+$/.test(hostname)) {
+    const num = parseInt(hostname, 10);
+    if (num >= 0 && num <= 0xFFFFFFFF) {
+      return `${(num >>> 24) & 0xFF}.${(num >>> 16) & 0xFF}.${(num >>> 8) & 0xFF}.${num & 0xFF}`;
+    }
+  }
+
+  // Dotted with octal (0-prefixed) or hex (0x-prefixed) octets
+  const parts = hostname.split('.');
+  if (parts.length === 4) {
+    const octets: number[] = [];
+    for (const part of parts) {
+      let val: number;
+      if (/^0x[0-9a-f]+$/i.test(part)) {
+        val = parseInt(part, 16);
+      } else if (/^0[0-7]+$/.test(part)) {
+        val = parseInt(part, 8);
+      } else if (/^\d+$/.test(part)) {
+        val = parseInt(part, 10);
+      } else {
+        return null; // Not an IP
+      }
+      if (val < 0 || val > 255) return null;
+      octets.push(val);
+    }
+    return octets.join('.');
+  }
+
+  return null;
+}
+
 /**
  * Check if a resolved IP address is in a private/reserved range.
  */
@@ -148,6 +211,10 @@ function isPrivateIp(ip: string): string | null {
   if (first === 192 && second === 168) return 'private (192.168.x)';
   if (first === 169 && second === 254) return 'link-local';
   if (first === 0) return 'unspecified';
+  // M16: additional reserved ranges
+  if (first === 100 && second >= 64 && second <= 127) return 'CGNAT (100.64/10)';
+  if (first === 198 && (second === 18 || second === 19)) return 'benchmarking (198.18/15)';
+  if (first >= 240) return 'reserved (240/4)';
 
   return null;
 }

package/src/skill/store.ts

@@ -37,7 +37,7 @@ export async function writeSkillFile(
   skill: SkillFile,
   skillsDir: string = DEFAULT_SKILLS_DIR,
 ): Promise<string> {
-  await mkdir(skillsDir, { recursive: true });
+  await mkdir(skillsDir, { recursive: true, mode: 0o700 });
   await ensureGitignore(skillsDir);
   const filePath = skillPath(skill.domain, skillsDir);
   await writeFile(filePath, JSON.stringify(skill, null, 2) + '\n', { mode: 0o600 });
@@ -47,7 +47,12 @@ export async function writeSkillFile(
 export async function readSkillFile(
   domain: string,
   skillsDir: string = DEFAULT_SKILLS_DIR,
-  options?: { verifySignature?: boolean; signingKey?: Buffer }
+  options?: {
+    verifySignature?: boolean;
+    signingKey?: Buffer;
+    /** Allow loading unsigned files without throwing. Tampered signed files still reject. */
+    trustUnsigned?: boolean;
+  }
 ): Promise<SkillFile | null> {
   // Validate domain before file I/O — path traversal should throw, not return null
   const path = skillPath(domain, skillsDir);
@@ -56,18 +61,31 @@ export async function readSkillFile(
     const raw = JSON.parse(content);
     const skill = validateSkillFile(raw);
 
-    // If verification requested, check signature
-    if (options?.verifySignature && options.signingKey) {
+    // Signature verification is ON by default (H1 fix)
+    const shouldVerify = options?.verifySignature !== false;
+    if (shouldVerify) {
+      // Auto-derive signing key if not provided
+      let signingKey = options?.signingKey;
+      if (!signingKey) {
+        const { deriveSigningKey } = await import('../auth/crypto.js');
+        const { getMachineId } = await import('../auth/manager.js');
+        const machineId = await getMachineId();
+        signingKey = deriveSigningKey(machineId);
+      }
+
       if (skill.provenance === 'imported') {
-        // Imported files had foreign signature stripped — can't verify, warn only
-        // Future: re-sign on import with local key
+        // Imported files had foreign signature stripped — can't verify
       } else if (!skill.signature) {
-        // Phase 2: warn for unsigned files, don't reject
-        // (user-created or pre-signing files are legitimately unsigned)
-        console.error(`[apitap] Warning: skill file for ${domain} is unsigned`);
+        // Unsigned files are rejected unless trustUnsigned is set
+        if (!options?.trustUnsigned) {
+          throw new Error(
+            `Skill file for ${domain} is unsigned and cannot be verified. ` +
+            `Re-capture or re-import the skill file, or use --trust-unsigned to load it.`
+          );
+        }
       } else {
         const { verifySignature } = await import('./signing.js');
-        if (!verifySignature(skill, options.signingKey)) {
+        if (!verifySignature(skill, signingKey)) {
           throw new Error(`Skill file signature verification failed for ${domain} — file may be tampered`);
         }
       }
@@ -96,7 +114,7 @@ export async function listSkillFiles(
     if (!file.endsWith('.json')) continue;
     const domain = file.replace(/\.json$/, '');
     if (!DOMAIN_RE.test(domain)) continue; // skip non-conforming filenames
-    const skill = await readSkillFile(domain, skillsDir);
+    const skill = await readSkillFile(domain, skillsDir, { trustUnsigned: true });
     if (skill) {
       summaries.push({
         domain: skill.domain,

package/src/skill/validate.ts

@@ -25,14 +25,26 @@ export function validateSkillFile(raw: unknown, options?: { checkSsrf?: boolean
   if (typeof obj.baseUrl !== 'string') {
     throw new Error('Missing baseUrl');
   }
+  let baseUrlHostname: string;
   try {
     const url = new URL(obj.baseUrl);
     if (url.protocol !== 'http:' && url.protocol !== 'https:') {
       throw new Error('non-HTTP scheme');
     }
+    baseUrlHostname = url.hostname;
   } catch {
     throw new Error(`Invalid baseUrl: must be a valid HTTP(S) URL`);
   }
+
+  // Domain-lock: baseUrl hostname must match or be a subdomain of domain (C1 fix)
+  const domainStr = obj.domain as string;
+  if (baseUrlHostname !== domainStr && !baseUrlHostname.endsWith('.' + domainStr)) {
+    throw new Error(
+      `baseUrl hostname "${baseUrlHostname}" does not match domain "${domainStr}". ` +
+      `Skill files cannot redirect requests to unrelated hosts.`
+    );
+  }
+
   if (options?.checkSsrf) {
     const ssrf = validateUrl(obj.baseUrl);
     if (!ssrf.safe) {
@@ -66,6 +78,42 @@ export function validateSkillFile(raw: unknown, options?: { checkSsrf?: boolean
     if (e.path.length > 2000) {
       throw new Error(`Endpoint ${i}: path exceeds 2000 characters`);
     }
+
+    // M11: Deep type validation on nested structures
+    if ('headers' in e && e.headers !== undefined) {
+      if (typeof e.headers !== 'object' || e.headers === null || Array.isArray(e.headers)) {
+        throw new Error(`Endpoint ${i}: headers must be an object`);
+      }
+      for (const [hk, hv] of Object.entries(e.headers as Record<string, unknown>)) {
+        if (typeof hv !== 'string') {
+          throw new Error(`Endpoint ${i}: header "${hk}" value must be a string`);
+        }
+      }
+    }
+
+    if ('queryParams' in e && e.queryParams !== undefined) {
+      if (typeof e.queryParams !== 'object' || e.queryParams === null || Array.isArray(e.queryParams)) {
+        throw new Error(`Endpoint ${i}: queryParams must be an object`);
+      }
+      for (const [qk, qv] of Object.entries(e.queryParams as Record<string, unknown>)) {
+        if (typeof qv !== 'object' || qv === null || typeof (qv as any).example !== 'string') {
+          throw new Error(`Endpoint ${i}: queryParam "${qk}" must have a string example`);
+        }
+      }
+    }
+
+    if ('requestBody' in e && e.requestBody !== undefined) {
+      const rb = e.requestBody as Record<string, unknown>;
+      if (typeof rb !== 'object' || rb === null) {
+        throw new Error(`Endpoint ${i}: requestBody must be an object`);
+      }
+      if (typeof rb.contentType !== 'string') {
+        throw new Error(`Endpoint ${i}: requestBody.contentType must be a string`);
+      }
+      if (rb.variables !== undefined && !Array.isArray(rb.variables)) {
+        throw new Error(`Endpoint ${i}: requestBody.variables must be an array`);
+      }
+    }
   }
 
   return raw as SkillFile;