npm - @dreamlogic-ai/cli - Versions diffs - 2.0.4 → 2.0.5 - Mend

@dreamlogic-ai/cli 2.0.4 → 2.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/commands/update.js CHANGED Viewed

@@ -47,9 +47,15 @@ export async function updateCommand(opts) {
             continue;
         }
         const normalizeVer = (v) => v.replace(/^v/, "");
-        if (normalizeVer(local.version) === normalizeVer(remote.latest_version)) {
+        const localVer = normalizeVer(local.version);
+        const remoteVer = normalizeVer(remote.latest_version);
+        if (localVer === remoteVer) {
             ui.line(`${chalk.green("✓")} ${remote.name} ${local.version} — 已是最新`);
         }
+        else if (remoteVer < localVer) {
+            // R4-C02 FIX: Block version downgrade attacks
+            ui.line(`${ui.warn("⚠")} ${remote.name} — 服务器版本 ${remote.latest_version} 低于本地 ${local.version}（可能的降级攻击，已跳过）`);
+        }
         else {
             ui.line(`${chalk.yellow("⬆")} ${chalk.bold(remote.name)} ${local.version} → ${chalk.green(remote.latest_version)}`);
             updates.push({

package/dist/lib/agents.js CHANGED Viewed

@@ -90,6 +90,11 @@ export function registerSkillWithAgents(skillId, skillPath, agents) {
         return [{ agent: "all", path: "", status: "error", error: "Invalid skill ID" }];
     }
     const resolvedSkillPath = resolve(skillPath);
+    // R4-H02 FIX: Validate skillPath is within user home directory
+    const home = homedir();
+    if (!resolvedSkillPath.startsWith(resolve(home))) {
+        return [{ agent: "all", path: "", status: "error", error: "Skill path must be within home directory" }];
+    }
     // Deduplicate by resolved dir (universal agents share .agents/skills)
     const seenDirs = new Set();
     for (const agent of agents) {

package/dist/lib/config.js CHANGED Viewed

@@ -78,8 +78,9 @@ export function getApiKey() {
 /** R1-07: Enforce HTTPS (localhost/127.0.0.1 exempt for dev) */
 export function getServer() {
     const url = process.env.DREAMLOGIC_SERVER || loadConfig()?.server || DEFAULT_SERVER;
-    // R1-07 + R2-03: HTTPS enforcement (localhost/127.0.0.1 exempt with strict boundary)
-    if (!/^https:\/\//i.test(url) && !/^http:\/\/(localhost|127\.0\.0\.1)(:[0-9]+)?(\/|$)/i.test(url)) {
+    // R1-07 + R2-03 + R4-H06: HTTPS enforcement (localhost/127.x.x.x/[::1] exempt)
+    const LOCALHOST_RE = /^http:\/\/(localhost|127(?:\.\d{1,3}){3}|\[::1\]|0\.0\.0\.0)(:[0-9]+)?(\/|$)/i;
+    if (!/^https:\/\//i.test(url) && !LOCALHOST_RE.test(url)) {
         throw new Error("Server URL must use HTTPS (http://localhost allowed for dev)");
     }
     return url;

package/dist/lib/installer.js CHANGED Viewed

@@ -6,7 +6,7 @@
  * R1-03: Zip bomb protection (total size + entry count limits)
  * R1-10: SIGINT/SIGTERM cleanup handler
  */
-import { createWriteStream, existsSync, mkdirSync, readdirSync, renameSync, rmSync, statSync } from "fs";
+import { createWriteStream, existsSync, lstatSync, mkdirSync, readdirSync, renameSync, rmSync, statSync, unlinkSync } from "fs";
 import { join, normalize, resolve as pathResolve, sep } from "path";
 import { Transform as TransformStream } from "stream";
 import yauzl from "yauzl";
@@ -309,7 +309,19 @@ function extractZip(buffer, targetDir) {
                         });
                         const writeStream = createWriteStream(fullPath);
                         readStream.pipe(countingStream).pipe(writeStream);
-                        writeStream.on("finish", () => zipfile.readEntry());
+                        writeStream.on("finish", () => {
+                            // R4-C01 FIX: Post-write symlink verification (defense-in-depth)
+                            try {
+                                if (lstatSync(fullPath).isSymbolicLink()) {
+                                    unlinkSync(fullPath);
+                                    zipfile.close();
+                                    reject(new Error(`Post-extract symlink detected: ${entry.fileName}`));
+                                    return;
+                                }
+                            }
+                            catch { /* stat failed = file doesn't exist, ok to continue */ }
+                            zipfile.readEntry();
+                        });
                         writeStream.on("error", (e) => { zipfile.close(); reject(e); });
                         countingStream.on("error", (e) => { zipfile.close(); reject(e); });
                         readStream.on("error", (e) => { zipfile.close(); reject(e); });

package/dist/types.d.ts CHANGED Viewed

@@ -33,6 +33,6 @@ export interface InstalledRegistry {
 export declare const DEFAULT_SERVER = "https://skill.dreamlogic-claw.com";
 export declare const DEFAULT_INSTALL_DIR_NAME = "dreamlogic-skills";
 export declare const CONFIG_DIR_NAME = ".dreamlogic";
-export declare const CLI_VERSION = "2.0.4";
+export declare const CLI_VERSION = "2.0.5";
 export declare const CLI_NAME = "Dreamlogic CLI";
 export declare const CLI_AUTHOR = "Dreamlogic-ai by MAJORNINE";

package/dist/types.js CHANGED Viewed

@@ -2,6 +2,6 @@
 export const DEFAULT_SERVER = "https://skill.dreamlogic-claw.com";
 export const DEFAULT_INSTALL_DIR_NAME = "dreamlogic-skills";
 export const CONFIG_DIR_NAME = ".dreamlogic";
-export const CLI_VERSION = "2.0.4";
+export const CLI_VERSION = "2.0.5";
 export const CLI_NAME = "Dreamlogic CLI";
 export const CLI_AUTHOR = "Dreamlogic-ai by MAJORNINE";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dreamlogic-ai/cli",
-  "version": "2.0.4",
+  "version": "2.0.5",
   "description": "Dreamlogic AI Skill Manager — Install, update and manage AI agent skills",
   "type": "module",
   "bin": {