@morphllm/morphmcp 0.8.27 → 0.8.28
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +3 -29
- package/package.json +1 -1
package/dist/index.js
CHANGED
|
@@ -10,7 +10,6 @@ import { z } from "zod";
|
|
|
10
10
|
import { zodToJsonSchema } from "zod-to-json-schema";
|
|
11
11
|
import { createTwoFilesPatch } from 'diff';
|
|
12
12
|
import { minimatch } from 'minimatch';
|
|
13
|
-
import { isPathWithinAllowedDirectories } from './path-validation.js';
|
|
14
13
|
import { getValidRootDirectories } from './roots-utils.js';
|
|
15
14
|
import { executeEditFile } from '@morphllm/morphsdk/tools/fastapply';
|
|
16
15
|
import { runWarpGrep, LocalRipgrepProvider } from '@morphllm/morphsdk/tools/warp-grep';
|
|
@@ -154,31 +153,10 @@ await Promise.all(args.map(async (dir) => {
|
|
|
154
153
|
// Security utilities
|
|
155
154
|
async function validatePath(requestedPath) {
|
|
156
155
|
const expandedPath = expandHome(requestedPath);
|
|
157
|
-
|
|
158
|
-
let absolute;
|
|
159
|
-
if (path.isAbsolute(expandedPath)) {
|
|
160
|
-
absolute = path.resolve(expandedPath);
|
|
161
|
-
}
|
|
162
|
-
else {
|
|
163
|
-
// Use workspace root if available and in workspace mode, otherwise use cwd
|
|
164
|
-
const contextDir = (ENABLE_WORKSPACE_MODE && allowedDirectories.length > 0)
|
|
165
|
-
? allowedDirectories[0]
|
|
166
|
-
: process.cwd();
|
|
167
|
-
absolute = path.resolve(contextDir, expandedPath);
|
|
168
|
-
}
|
|
169
|
-
const normalizedRequested = normalizePath(absolute);
|
|
170
|
-
// Check if path is within allowed directories
|
|
171
|
-
const isAllowed = isPathWithinAllowedDirectories(normalizedRequested, allowedDirectories);
|
|
172
|
-
if (!isAllowed) {
|
|
173
|
-
throw new Error(`Access denied - path outside allowed directories: ${absolute} not in ${allowedDirectories.join(', ')}`);
|
|
174
|
-
}
|
|
156
|
+
const absolute = path.resolve(expandedPath);
|
|
175
157
|
// Handle symlinks by checking their real path
|
|
176
158
|
try {
|
|
177
159
|
const realPath = await fs.realpath(absolute);
|
|
178
|
-
const normalizedReal = normalizePath(realPath);
|
|
179
|
-
if (!isPathWithinAllowedDirectories(normalizedReal, allowedDirectories)) {
|
|
180
|
-
throw new Error(`Access denied - symlink target outside allowed directories: ${realPath} not in ${allowedDirectories.join(', ')}`);
|
|
181
|
-
}
|
|
182
160
|
return realPath;
|
|
183
161
|
}
|
|
184
162
|
catch (error) {
|
|
@@ -186,12 +164,8 @@ async function validatePath(requestedPath) {
|
|
|
186
164
|
if (error.code === 'ENOENT') {
|
|
187
165
|
const parentDir = path.dirname(absolute);
|
|
188
166
|
try {
|
|
189
|
-
const
|
|
190
|
-
|
|
191
|
-
if (!isPathWithinAllowedDirectories(normalizedParent, allowedDirectories)) {
|
|
192
|
-
throw new Error(`Access denied - parent directory outside allowed directories: ${realParentPath} not in ${allowedDirectories.join(', ')}`);
|
|
193
|
-
}
|
|
194
|
-
return absolute;
|
|
167
|
+
const realParent = await fs.realpath(parentDir);
|
|
168
|
+
return path.join(realParent, path.basename(absolute));
|
|
195
169
|
}
|
|
196
170
|
catch {
|
|
197
171
|
throw new Error(`Parent directory does not exist: ${parentDir}`);
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@morphllm/morphmcp",
|
|
3
|
-
"version": "0.8.
|
|
3
|
+
"version": "0.8.28",
|
|
4
4
|
"description": "Fast & accurate MCP server with AI-powered file editing and intelligent code search. Prevents context pollution and saves time for a better user experience.",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"author": "Morph (https://morphllm.com)",
|