@grainulation/mill 1.0.4 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/lib/exporters/pdf.js +5 -2
  2. package/lib/serve-mcp.js +17 -1
  3. package/package.json +1 -1
package/lib/exporters/pdf.js CHANGED
@@ -71,13 +71,16 @@ async function exportFromMarkdown(inputPath, outputPath) {
71
71
  async function exportFromHtml(inputPath, outputPath) {
72
72
  const out = deriveOutputPath(inputPath, outputPath);
73
73
  // Use a small inline puppeteer script via npx
74
+ // Escape single quotes, backticks, and ${} to prevent template literal injection
75
+ const escapePath = (p) =>
76
+ p.replace(/'/g, "\\'").replace(/`/g, "\\`").replace(/\$\{/g, "\\${");
74
77
  const script = `
75
78
  const puppeteer = require('puppeteer');
76
79
  (async () => {
77
80
  const browser = await puppeteer.launch({ headless: 'new' });
78
81
  const page = await browser.newPage();
79
- await page.goto('file://${inputPath.replace(/'/g, "\\'")}', { waitUntil: 'networkidle0' });
80
- await page.pdf({ path: '${out.replace(/'/g, "\\'")}', format: 'A4', printBackground: true });
82
+ await page.goto('file://${escapePath(inputPath)}', { waitUntil: 'networkidle0' });
83
+ await page.pdf({ path: '${escapePath(out)}', format: 'A4', printBackground: true });
81
84
  await browser.close();
82
85
  })();
83
86
  `;
package/lib/serve-mcp.js CHANGED
@@ -96,7 +96,16 @@ async function toolConvert(dir, args) {
96
96
  }
97
97
 
98
98
  // Resolve source file
99
- const sourceFile = source || path.join(dir, "compilation.json");
99
+ const sourceFile = source
100
+ ? path.resolve(dir, source)
101
+ : path.join(dir, "compilation.json");
102
+ // Prevent path traversal — source must stay within workspace
103
+ if (sourceFile !== dir && !sourceFile.startsWith(dir + path.sep)) {
104
+ return {
105
+ status: "error",
106
+ message: `Source path escapes workspace directory.`,
107
+ };
108
+ }
100
109
  const fallbackFile = path.join(dir, "claims.json");
101
110
  let dataPath = sourceFile;
102
111
 
@@ -174,6 +183,13 @@ async function toolConvert(dir, args) {
174
183
  // Write output if path provided
175
184
  if (output) {
176
185
  const outPath = path.resolve(dir, output);
186
+ // Prevent path traversal — output must stay within workspace
187
+ if (outPath !== dir && !outPath.startsWith(dir + path.sep)) {
188
+ return {
189
+ status: "error",
190
+ message: `Output path "${output}" escapes workspace directory.`,
191
+ };
192
+ }
177
193
  const outDir = path.dirname(outPath);
178
194
  if (!fs.existsSync(outDir)) fs.mkdirSync(outDir, { recursive: true });
179
195
  fs.writeFileSync(outPath, result);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@grainulation/mill",
3
- "version": "1.0.4",
3
+ "version": "1.1.0",
4
4
  "description": "Turn wheat sprint artifacts into shareable formats",
5
5
  "main": "lib/index.js",
6
6
  "bin": {