@hominis/fireforge 0.16.1 → 0.16.2

package/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 ## 0.16.0
 
+### Security — eval-driven hardening for 0.16.0
+
+- **Release workflow — shell injection via `${{ inputs.version }}` interpolation.** `.github/workflows/release.yml` previously interpolated `${{ inputs.version }}` directly into `npm version "${{ inputs.version }}" --no-git-tag-version`, so anyone with `actions:write` could trigger `workflow_dispatch` with a crafted version string (e.g. `1.0.0"; <command> #`) and execute arbitrary shell inside the job. The release job carries `contents: write`, `id-token: write`, and the `npm` trusted-publishing environment, so that shell would have had an open door to the publish credentials. The fix routes `${{ inputs.version }}` through an `env: INPUT_VERSION:` block on the `Bump version` step and references `"$INPUT_VERSION"` inside the `run:` script, so GitHub Actions substitutes the value into the process environment rather than into the shell source. The `Tag and push` step gets the same treatment for `${{ steps.version.outputs.version }}` — defense-in-depth, since `npm version`'s semver check already filters that interpolation, but the pattern is consistent and cheap.
+- **`fireforge config` — prototype pollution via sentinel key segments.** `mutateConfig` in `src/core/config-mutate.ts` walks a dot-separated key through `getOrCreateChildRecord(parent, segment)` with no filter on `__proto__`, `constructor`, or `prototype`. `fireforge config __proto__.polluted 1 --force` therefore reached `parent["__proto__"]` and wrote a plain property onto `Object.prototype`, polluting every object in the Node process for the rest of the run. `--force` was the motivating pathway (the strict path guard rejects unknown top-level keys for non-sentinels), but the raw sink was also publicly re-exported from `src/core/config.ts`, widening the blast radius to any future caller. The fix rejects sentinel segments up-front in `mutateConfig` with a `ConfigError` before any clone or mutation — a single guard at the entry point covers both the descent loop and the final leaf assignment, and surfaces to the CLI as a normal "invalid key" failure rather than a crash. `readJson`'s existing reviver already strips the sentinels from loads, so input configs can't arrive pre-polluted.
+- **`fireforge wire --dom` — asymmetric newline marker parser projection drift.** `parseHunksForFile` in `src/core/patch-parse.ts` tracked `` as a single `noNewlineAtEnd: boolean` — collapsing the old-side and new-side markers into one flag. Asymmetric trailing-newline changes (e.g. removing the newline from the old side while the new side keeps one, or vice versa) were indistinguishable from the symmetric case, so `applyPatchToContent` produced content that disagreed with `git apply` on whether to emit a trailing newline. The projection drift surfaced as phantom entries in `fireforge status` and wipe-safe reprojection work in `fireforge import` for patches that were otherwise clean. The fix splits the field into `noNewlineAtEndOld` / `noNewlineAtEndNew` and peeks the body line that the marker trails (`-` → old-only, `+` → new-only, ` ` context → both), and `applyPatchToContent` now reads `noNewlineAtEndNew` for the output-side newline decision because the content we emit corresponds to the new side. `extractNewFileContentFromDiff` is unchanged — new-file patches only contain `+` lines, so its separate `hasNoNewlineMarker` local is already correct by construction.
+- **`fireforge wire --dom` — engine-relative inputs probed against CWD.** `src/commands/wire.ts` passed the raw `stripEnginePrefix(options.dom)` result to `pathExists` without joining `paths.engine` first, so a relative `--dom browser/base/content/foo.inc.xhtml` was probed inside the operator's shell directory and failed "DOM fragment file not found" even when the file existed in the correct engine location. The follow-on `isPathInsideRoot` and `toRootRelativePath` calls worked by coincidence — they internally `resolve(paths.engine, candidate)`, which masked the bug past the existence probe but only because those calls never hit the filesystem. The fix mirrors the pattern already in use in `src/commands/register.ts`: when the candidate is absolute probe it as-is, otherwise `join(paths.engine, candidate)` first. The error message still echoes the original operator input (not the internal joined path) so it remains copy-pasteable back into the CLI.
+
 ### Config — `--force`-written keys are now readable
 
 - `fireforge config <key>` (read mode) now consults the raw `fireforge.json` document instead of the validated, typed config that `loadConfig` produces. Before this change, `fireforge config totallyUnknown value --force` succeeded (the key was persisted to disk via `writeConfigDocument`), but the corresponding `fireforge config totallyUnknown` read threw `Unknown config key: totallyUnknown` because `validateConfig` rebuilds a clean object containing only the schema-known fields — the forced key survived on disk but was invisible to the typed read path. A new `loadRawConfigDocument` helper in `src/core/config.ts` returns the raw JSON record, and the command's read branch now traverses that document. Writes are unaffected: schema validation still enforces shape for known keys, and `--force` continues to be the escape hatch for unknown keys.

package/dist/src/commands/wire.js

@@ -135,7 +135,20 @@ export async function wireCommand(projectRoot, name, options = {}) {
         const domCandidate = isExplicitAbsolutePath(options.dom)
             ? options.dom
             : stripEnginePrefix(options.dom);
-        if (!(await pathExists(domCandidate))) {
+        // `pathExists` resolves relative paths against CWD, so an engine-
+        // relative `domCandidate` (e.g. `browser/base/content/foo.inc.xhtml`)
+        // would be probed inside the operator's shell directory rather than
+        // the engine root and fail "DOM fragment file not found" even when
+        // the file is sitting at engine/<path>. Mirror `register.ts`: probe
+        // the absolute path as-is, otherwise join with `paths.engine` first.
+        // The `isPathInsideRoot` / `toRootRelativePath` calls below keep
+        // operating on `domCandidate` because they internally resolve
+        // relative candidates against the engine root, which matches the
+        // probe path we just built.
+        const domProbePath = isExplicitAbsolutePath(domCandidate)
+            ? domCandidate
+            : join(paths.engine, domCandidate);
+        if (!(await pathExists(domProbePath))) {
             throw new InvalidArgumentError(`DOM fragment file not found: ${options.dom}`, 'dom');
         }
         if (!isPathInsideRoot(paths.engine, domCandidate)) {

package/dist/src/core/config-mutate.js

@@ -14,6 +14,23 @@ function cloneConfigDocument(config) {
     }
     return cloned;
 }
+/**
+ * Key segments that would walk into or rewrite the object prototype chain
+ * if used as plain property names. Blocked up-front so the descent in
+ * {@link mutateConfig} cannot be weaponized to mutate `Object.prototype`
+ * process-wide — e.g. `fireforge config __proto__.polluted 1 --force`
+ * would otherwise land in `getOrCreateChildRecord(raw, "__proto__")`.
+ */
+const SENTINEL_KEY_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
+function assertNoSentinelSegments(key, parts) {
+    for (const part of parts) {
+        if (SENTINEL_KEY_SEGMENTS.has(part)) {
+            throw new ConfigError(`Config key "${key}" contains a reserved segment "${part}". ` +
+                'Segments "__proto__", "constructor", and "prototype" are not permitted ' +
+                'because they would mutate the object prototype chain.');
+        }
+    }
+}
 function getOrCreateChildRecord(parent, key) {
     const existing = parent[key];
     if (isObject(existing)) {
@@ -24,8 +41,13 @@ function getOrCreateChildRecord(parent, key) {
     return child;
 }
 export function mutateConfig(config, key, value, skipValidation = false) {
-    const raw = cloneConfigDocument(config);
     const parts = key.split('.');
+    // Reject prototype-chain sentinel segments before any write so
+    // `--force` cannot be used to mutate Object.prototype. This guard must
+    // run against the original key parts, not any subset — the final leaf
+    // assignment `current[lastPart] = value` would otherwise stay vulnerable.
+    assertNoSentinelSegments(key, parts);
+    const raw = cloneConfigDocument(config);
     let current = raw;
     for (let i = 0; i < parts.length - 1; i++) {
         const part = parts[i];

package/dist/src/core/patch-parse.d.ts

@@ -24,19 +24,30 @@ export declare function isNewFileInPatch(patchContent: string, targetFile: strin
  */
 export declare function extractAffectedFiles(diffContent: string): string[];
 /**
- * Parses hunks from a patch file for a specific target file.
- * @param patchContent - The full patch content
- * @param targetFile - The file path to extract hunks for
- * @returns Array of hunk objects with line info and changes
+ * A single parsed hunk. `noNewlineAtEndOld` / `noNewlineAtEndNew` track the
+ * `` marker per side — the marker is a trailing
+ * annotation on the immediately preceding body line, and a `-` precedent
+ * sets only the old-side flag, a `+` sets only the new-side flag, and a
+ * context ` ` line sets both. Collapsing the two into one boolean makes the
+ * projection disagree with `git apply` on asymmetric trailing-newline
+ * changes (e.g. removing a newline on one side but not the other).
  */
-export declare function parseHunksForFile(patchContent: string, targetFile: string): Array<{
+export interface ParsedHunk {
     oldStart: number;
     oldCount: number;
     newStart: number;
     newCount: number;
     lines: string[];
-    noNewlineAtEnd: boolean;
-}>;
+    noNewlineAtEndOld: boolean;
+    noNewlineAtEndNew: boolean;
+}
+/**
+ * Parses hunks from a patch file for a specific target file.
+ * @param patchContent - The full patch content
+ * @param targetFile - The file path to extract hunks for
+ * @returns Array of hunk objects with line info and changes
+ */
+export declare function parseHunksForFile(patchContent: string, targetFile: string): ParsedHunk[];
 /**
  * Extracts conflicting file paths from git apply error message.
  */

package/dist/src/core/patch-parse.js

@@ -104,14 +104,36 @@ export function parseHunksForFile(patchContent, targetFile) {
                 newStart: parseInt(hunkMatch[3] ?? '0', 10),
                 newCount: parseInt(hunkMatch[4] ?? '1', 10),
                 lines: [],
-                noNewlineAtEnd: false,
+                noNewlineAtEndOld: false,
+                noNewlineAtEndNew: false,
             };
             continue;
         }
         // Collect hunk lines
         if (currentHunk) {
             if (line === '\') {
-                currentHunk.noNewlineAtEnd = true;
+                // The marker is an annotation on the immediately preceding body
+                // line. Peek the last collected line to decide which side(s) the
+                // annotation applies to — a single boolean cannot represent the
+                // asymmetric case where only one side lacks the trailing newline.
+                const previous = currentHunk.lines[currentHunk.lines.length - 1] ?? '';
+                if (previous.startsWith('-')) {
+                    currentHunk.noNewlineAtEndOld = true;
+                }
+                else if (previous.startsWith('+')) {
+                    currentHunk.noNewlineAtEndNew = true;
+                }
+                else if (previous.startsWith(' ')) {
+                    // Context line: present in both sides, so the trailing-newline
+                    // absence applies to both. This is rare (it only happens when
+                    // the hunk ends on an unchanged line that itself is the last
+                    // line of the file) but real — git emits it.
+                    currentHunk.noNewlineAtEndOld = true;
+                    currentHunk.noNewlineAtEndNew = true;
+                }
+                // If the marker appears with no preceding body line (malformed
+                // diff), leave both flags false — the downstream apply logic
+                // will still produce a defined result.
             }
             else if (line.startsWith('+') || line.startsWith('-') || line.startsWith(' ')) {
                 currentHunk.lines.push(line);

package/dist/src/core/patch-transform.js

@@ -105,7 +105,10 @@ export async function applyPatchToContent(content, patchPath, targetFile) {
     const sortedHunks = [...hunks].sort((a, b) => b.oldStart - a.oldStart);
     // The "no newline at end" marker applies to the last hunk in file order
     // (highest oldStart), which is the *first* hunk in our reverse-sorted array.
-    const lastHunkNoNewline = sortedHunks[0]?.noNewlineAtEnd ?? false;
+    // We read the new-side flag because the output we produce corresponds to
+    // the new side; asymmetric diffs (old lacks newline, new has one — or
+    // vice versa) would otherwise disagree with `git apply`.
+    const lastHunkNoNewline = sortedHunks[0]?.noNewlineAtEndNew ?? false;
     for (const hunk of sortedHunks) {
         const newLines = [];
         // Compute actual old-line count from hunk body for cross-check

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hominis/fireforge",
-  "version": "0.16.1",
+  "version": "0.16.2",
   "description": "FireForge — a build tool for customizing Firefox",
   "type": "module",
   "main": "./dist/src/index.js",