@claude-flow/cli 3.6.24 → 3.6.25
- package/.claude/helpers/github-safe.js +64 -49
- package/.claude/helpers/statusline.cjs +11 -13
- package/.claude/helpers/statusline.js +11 -6
- package/README.md +8 -2
- package/bin/cli.js +21 -0
- package/bin/mcp-server.js +16 -0
- package/dist/src/commands/appliance.d.ts.map +1 -1
- package/dist/src/commands/appliance.js +8 -10
- package/dist/src/commands/appliance.js.map +1 -1
- package/dist/src/commands/guidance.d.ts.map +1 -1
- package/dist/src/commands/guidance.js +1 -5
- package/dist/src/commands/guidance.js.map +1 -1
- package/dist/src/commands/performance.d.ts.map +1 -1
- package/dist/src/commands/performance.js +3 -3
- package/dist/src/commands/performance.js.map +1 -1
- package/dist/src/commands/process.d.ts.map +1 -1
- package/dist/src/commands/process.js +6 -7
- package/dist/src/commands/process.js.map +1 -1
- package/dist/src/commands/verify.d.ts.map +1 -1
- package/dist/src/commands/verify.js +24 -3
- package/dist/src/commands/verify.js.map +1 -1
- package/dist/src/encryption/vault.d.ts +94 -0
- package/dist/src/encryption/vault.d.ts.map +1 -0
- package/dist/src/encryption/vault.js +172 -0
- package/dist/src/encryption/vault.js.map +1 -0
- package/dist/src/fs-secure.d.ts +67 -0
- package/dist/src/fs-secure.d.ts.map +1 -0
- package/dist/src/fs-secure.js +74 -0
- package/dist/src/fs-secure.js.map +1 -0
- package/dist/src/mcp-tools/github-tools.d.ts.map +1 -1
- package/dist/src/mcp-tools/github-tools.js +122 -31
- package/dist/src/mcp-tools/github-tools.js.map +1 -1
- package/dist/src/mcp-tools/hooks-tools.js +2 -2
- package/dist/src/mcp-tools/hooks-tools.js.map +1 -1
- package/dist/src/mcp-tools/memory-tools.d.ts.map +1 -1
- package/dist/src/mcp-tools/memory-tools.js +7 -12
- package/dist/src/mcp-tools/memory-tools.js.map +1 -1
- package/dist/src/mcp-tools/session-tools.d.ts.map +1 -1
- package/dist/src/mcp-tools/session-tools.js +24 -12
- package/dist/src/mcp-tools/session-tools.js.map +1 -1
- package/dist/src/mcp-tools/terminal-tools.d.ts.map +1 -1
- package/dist/src/mcp-tools/terminal-tools.js +22 -7
- package/dist/src/mcp-tools/terminal-tools.js.map +1 -1
- package/dist/src/mcp-tools/validate-input.d.ts +12 -0
- package/dist/src/mcp-tools/validate-input.d.ts.map +1 -1
- package/dist/src/mcp-tools/validate-input.js +56 -0
- package/dist/src/mcp-tools/validate-input.js.map +1 -1
- package/dist/src/memory/memory-initializer.d.ts.map +1 -1
- package/dist/src/memory/memory-initializer.js +17 -16
- package/dist/src/memory/memory-initializer.js.map +1 -1
- package/dist/src/transfer/ipfs/upload.d.ts.map +1 -1
- package/dist/src/transfer/ipfs/upload.js +2 -0
- package/dist/src/transfer/ipfs/upload.js.map +1 -1
- package/dist/src/update/executor.d.ts +1 -0
- package/dist/src/update/executor.d.ts.map +1 -1
- package/dist/src/update/executor.js +43 -7
- package/dist/src/update/executor.js.map +1 -1
- package/dist/tsconfig.tsbuildinfo +1 -1
- package/package.json +1 -1
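--- a/package/dist/src/update/executor.js
+++ b/package/dist/src/update/executor.js
@@ -2,11 +2,27 @@
 * Update executor - performs actual package updates
 * Includes rollback capability
 */
-import {
+import { execFileSync } from 'child_process';
 import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
 import { validateUpdate } from './validator.js';
+/**
+* audit_1776853149979: package name and version come from npm-view output and
+* the update-history.json file (writable by anyone with FS access). Both
+* previously interpolated straight into a shell string for `npm install`.
+* These regexes pre-flight values so a hostile package name can't slip
+* shell metacharacters through, even though execFileSync below already
+* eliminates the shell.
+*/
+// First char of the unscoped name forbids `-` to defang CLI-flag confusion
+// when the spec is passed to npm (npm install -evil@1.0.0 looks flag-shaped).
+const SAFE_PKG_RE = /^(@[a-zA-Z0-9_\-]+\/)?[a-zA-Z0-9_][a-zA-Z0-9_\-.]{0,213}$/;
+// semver / dist-tag / range chars only — no shell metas.
+const SAFE_VERSION_RE = /^[a-zA-Z0-9._\-+~^*xX]{1,64}$/;
+export function isSafePackageSpec(pkg, version) {
+return SAFE_PKG_RE.test(pkg) && SAFE_VERSION_RE.test(version);
+}
 const HISTORY_FILE = path.join(os.homedir(), '.claude-flow', 'update-history.json');
 const MAX_HISTORY_ENTRIES = 100;
 function ensureDir() {
@@ -58,13 +74,25 @@ export async function executeUpdate(update, installedPackages, dryRun = false) {
 validation,
 };
 }
+// audit_1776853149979: validate package + version regex before any exec.
+if (!isSafePackageSpec(update.package, update.latestVersion)) {
+return {
+success: false,
+package: update.package,
+version: update.latestVersion,
+error: `Refusing to install: package or version contains disallowed characters (pkg="${update.package}", version="${update.latestVersion}")`,
+validation,
+};
+}
 try {
-//
-
-
+// audit_1776853149979: switched to execFileSync('npm', argv) — no shell,
+// so even if validation regressed, metas in update.package would stay
+// literal in the argv slot.
+execFileSync('npm', ['install', `${update.package}@${update.latestVersion}`, '--save-exact'], {
 encoding: 'utf-8',
 stdio: 'pipe',
 timeout: 60000, // 1 minute timeout
+shell: false,
 });
 // Record successful update
 recordUpdate({
@@ -139,13 +167,21 @@ export async function rollbackUpdate(packageName) {
 : 'No rollback available',
 };
 }
+// audit_1776853149979: history entries can be tampered with by anyone who
+// can write update-history.json — gate before exec.
+if (!isSafePackageSpec(lastUpdate.package, lastUpdate.fromVersion)) {
+return {
+success: false,
+message: `Refusing to rollback: package or version contains disallowed characters (pkg="${lastUpdate.package}", version="${lastUpdate.fromVersion}")`,
+};
+}
 try {
-//
-
-execSync(installCmd, {
+// execFileSync, no shell.
+execFileSync('npm', ['install', `${lastUpdate.package}@${lastUpdate.fromVersion}`, '--save-exact'], {
 encoding: 'utf-8',
 stdio: 'pipe',
 timeout: 60000,
+shell: false,
 });
 // Record the rollback
 recordUpdate({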
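Review bot: The rejection message at new line 83 echoes back verbatim the exact values that just failed the character allow-list, so a package name or version carrying newlines or terminal escape sequences reaches whatever logs or prints the result unescaped; the rollback message at new line 175 has the same shape. Replacing `"${update.package}"` with `${JSON.stringify(update.package)}` (and likewise for `update.latestVersion`, `lastUpdate.package` and `lastUpdate.fromVersion`) keeps the diagnostic readable while escaping control characters. A separate platform caveat: with `shell: false`, `execFileSync('npm', …)` resolves only a real executable, and on Windows npm ships as `npm.cmd`, so the call is likely to fail there and fall into the catch path that records a failed update — if Windows is a supported target this should be confirmed before release, and any platform-specific fallback should keep the `isSafePackageSpec` gate in front of it. Both `executeUpdate` and `rollbackUpdate` start and end outside these hunks.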
@@ -1 +1 @@
1
-
{"version":3,"file":"executor.js","sourceRoot":"","sources":["../../../src/update/executor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,
1
+
{"version":3,"file":"executor.js","sourceRoot":"","sources":["../../../src/update/executor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,OAAO,EAAE,cAAc,EAAoB,MAAM,gBAAgB,CAAC;AAElE;;;;;;;GAOG;AACH,2EAA2E;AAC3E,8EAA8E;AAC9E,MAAM,WAAW,GAAG,2DAA2D,CAAC;AAChF,yDAAyD;AACzD,MAAM,eAAe,GAAG,+BAA+B,CAAC;AAExD,MAAM,UAAU,iBAAiB,CAAC,GAAW,EAAE,OAAe;IAC5D,OAAO,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAChE,CAAC;AAoBD,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,cAAc,EAAE,qBAAqB,CAAC,CAAC;AACpF,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAEhC,SAAS,SAAS;IAChB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IACvC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC;AACH,CAAC;AAED,MAAM,UAAU,WAAW;IACzB,IAAI,CAAC;QACH,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAChC,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;YACvD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAyB,CAAC;QACrD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,iBAAiB;IACnB,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,WAAW,CAAC,OAA6B;IAChD,SAAS,EAAE,CAAC;IACZ,2BAA2B;IAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,mBAAmB,CAAC,CAAC;IACpD,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,YAAY,CAAC,KAAyB;IAC7C,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;IAC9B,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpB,WAAW,CAAC,OAAO,CAAC,CAAC;AACvB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAyB,EACzB,iBAAyC,EACzC,MAAM,GAAG,KAAK;IAEd,iBAAiB;IACjB,MAAM,UAAU,GAAG,cAAc,CAC/B,MAAM,CAAC,OAAO,EACd,MAAM,CAAC,cAAc,EACrB,MAAM,CAAC,aAAa,EACpB,iBAAiB,CAClB,CAAC;IAEF,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACtB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,OAAO,EAAE,MAAM,CAAC,aAAa;YAC7B,KAAK,EAAE,sBAAsB,UAAU,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACtE,UAAU;
SACX,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO;YACL,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,OAAO,EAAE,MAAM,CAAC,aAAa;YAC7B,UAAU;SACX,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;QAC7D,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,OAAO,EAAE,MAAM,CAAC,aAAa;YAC7B,KAAK,EAAE,gFAAgF,MAAM,CAAC,OAAO,eAAe,MAAM,CAAC,aAAa,IAAI;YAC5I,UAAU;SACX,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,yEAAyE;QACzE,sEAAsE;QACtE,4BAA4B;QAC5B,YAAY,CACV,KAAK,EACL,CAAC,SAAS,EAAE,GAAG,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,aAAa,EAAE,EAAE,cAAc,CAAC,EACxE;YACE,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,MAAM;YACb,OAAO,EAAE,KAAK,EAAE,mBAAmB;YACnC,KAAK,EAAE,KAAK;SACb,CACF,CAAC;QAEF,2BAA2B;QAC3B,YAAY,CAAC;YACX,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,WAAW,EAAE,MAAM,CAAC,cAAc;YAClC,SAAS,EAAE,MAAM,CAAC,aAAa;YAC/B,OAAO,EAAE,IAAI;YACb,iBAAiB,EAAE,IAAI;SACxB,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,OAAO,EAAE,MAAM,CAAC,aAAa;YAC7B,UAAU;SACX,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAc,CAAC;QAE3B,uBAAuB;QACvB,YAAY,CAAC;YACX,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,WAAW,EAAE,MAAM,CAAC,cAAc;YAClC,SAAS,EAAE,MAAM,CAAC,aAAa;YAC/B,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,GAAG,CAAC,OAAO;YAClB,iBAAiB,EAAE,KAAK;SACzB,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,OAAO,EAAE,MAAM,CAAC,aAAa;YAC7B,KAAK,EAAE,GAAG,CAAC,OAAO;YAClB,UAAU;SACX,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,OAA4B,EAC5B,iBAAyC,EACzC,MAAM,GAAG,KAAK;IAEd,MAAM,OAAO,GAA4B,EAAE,CAAC;IAE5C,kDAAkD;IAClD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAErB,gDAAgD;QAChD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,iBAAiB,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC;QAC3D,CAAC;QAED,4BAA4B;QAC5B,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,QAAQ,KAA
K,UAAU,EAAE,CAAC;YACtD,MAAM;QACR,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,WAAoB;IAEpB,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;IAE9B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;IACpE,CAAC;IAED,6EAA6E;IAC7E,MAAM,UAAU,GAAG,WAAW;QAC5B,CAAC,CAAC,OAAO;aACJ,OAAO,EAAE;aACT,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,WAAW,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,iBAAiB,CAAC;QAC/E,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,iBAAiB,CAAC,CAAC;IAEpE,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,WAAW;gBAClB,CAAC,CAAC,6BAA6B,WAAW,EAAE;gBAC5C,CAAC,CAAC,uBAAuB;SAC5B,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,oDAAoD;IACpD,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACnE,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,iFAAiF,UAAU,CAAC,OAAO,eAAe,UAAU,CAAC,WAAW,IAAI;SACtJ,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,0BAA0B;QAC1B,YAAY,CACV,KAAK,EACL,CAAC,SAAS,EAAE,GAAG,UAAU,CAAC,OAAO,IAAI,UAAU,CAAC,WAAW,EAAE,EAAE,cAAc,CAAC,EAC9E;YACE,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,MAAM;YACb,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,KAAK;SACb,CACF,CAAC;QAEF,sBAAsB;QACtB,YAAY,CAAC;YACX,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,WAAW,EAAE,UAAU,CAAC,SAAS;YACjC,SAAS,EAAE,UAAU,CAAC,WAAW;YACjC,OAAO,EAAE,IAAI;YACb,iBAAiB,EAAE,KAAK,EAAE,4BAA4B;SACvD,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,eAAe,UAAU,CAAC,OAAO,SAAS,UAAU,CAAC,SAAS,OAAO,UAAU,CAAC,WAAW,EAAE;SACvG,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAc,CAAC;QAC3B,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,oBAAoB,GAAG,CAAC,OAAO,EAAE;SAC3C,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,KAAK,GAAG,EAAE;IACzC,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;IAC9B,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;IAC9B,CAAC;A
ACH,CAAC"}