npm - @solongate/proxy - Versions diffs - 0.15.4 → 0.16.0 - Mend

@solongate/proxy 0.15.4 → 0.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/hooks/guard.mjs +124 -57
package/package.json +1 -1

package/hooks/guard.mjs CHANGED Viewed

@@ -296,92 +296,159 @@ process.stdin.on('end', async () => {
       'policy.json', '.mcp.json',
     ];
-    // Strip shell quotes/escapes: .sol'on'gate → .solongate, .sol"on"gate → .solongate
+    // Block helper — logs to cloud + exits with code 2
+    async function blockSelfProtection(reason) {
+      if (API_KEY && API_KEY.startsWith('sg_live_')) {
+        try {
+          await fetch(API_URL + '/api/v1/audit-logs', {
+            method: 'POST',
+            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+              tool: data.tool_name || '', arguments: args,
+              decision: 'DENY', reason,
+              source: 'claude-code-guard',
+            }),
+            signal: AbortSignal.timeout(3000),
+          });
+        } catch {}
+      }
+      process.stderr.write(reason);
+      process.exit(2);
+    }
+    // ── Normalization layers ──
+    // 1. Decode ANSI-C quoting: $'\x72' → r, $'\162' → r, $'\n' → newline
+    function decodeAnsiC(s) {
+      return s.replace(/\$'([^']*)'/g, (_, content) => {
+        return content
+          .replace(/\\x([0-9a-fA-F]{2})/g, (__, hex) => String.fromCharCode(parseInt(hex, 16)))
+          .replace(/\\([0-7]{1,3})/g, (__, oct) => String.fromCharCode(parseInt(oct, 8)))
+          .replace(/\\u([0-9a-fA-F]{4})/g, (__, hex) => String.fromCharCode(parseInt(hex, 16)))
+          .replace(/\\n/g, '\n').replace(/\\t/g, '\t').replace(/\\r/g, '\r')
+          .replace(/\\(.)/g, '$1');
+      });
+    }
+    // 2. Strip all shell quoting: empty quotes, single, double, backslash escapes
     function stripShellQuotes(s) {
-      return s.replace(/\\(.)/g, '$1').replace(/'/g, '').replace(/"/g, '');
+      let r = s;
+      r = r.replace(/""/g, '');    // empty double quotes
+      r = r.replace(/''/g, '');    // empty single quotes
+      r = r.replace(/\\(.)/g, '$1'); // backslash escapes
+      r = r.replace(/'/g, '');     // remaining single quotes
+      r = r.replace(/"/g, '');     // remaining double quotes
+      return r;
+    }
+    // 3. Full normalization pipeline
+    function normalizeShell(s) {
+      return stripShellQuotes(decodeAnsiC(s));
     }
-    // Check if a glob/wildcard pattern could match any protected path
-    // e.g. ".antig*" matches ".antigravity", "/path/.sol*" matches ".solongate"
+    // 4. Extract inner commands from eval, bash -c, sh -c, pipe to bash/sh
+    function extractInnerCommands(s) {
+      const inner = [];
+      // eval "cmd" or eval 'cmd' or eval cmd
+      for (const m of s.matchAll(/\beval\s+["']([^"']+)["']/gi)) inner.push(m[1]);
+      for (const m of s.matchAll(/\beval\s+([^;"'|&]+)/gi)) inner.push(m[1]);
+      // bash -c "cmd" or sh -c "cmd"
+      for (const m of s.matchAll(/\b(?:bash|sh)\s+-c\s+["']([^"']+)["']/gi)) inner.push(m[1]);
+      // echo "cmd" | bash/sh or printf "cmd" | bash/sh
+      for (const m of s.matchAll(/(?:echo|printf)\s+["']([^"']+)["']\s*\|\s*(?:bash|sh)\b/gi)) inner.push(m[1]);
+      // find ... -name "pattern" ... -exec ...
+      for (const m of s.matchAll(/-name\s+["']?([^\s"']+)["']?/gi)) inner.push(m[1]);
+      return inner;
+    }
+    // 5. Check variable assignments for protected path fragments
+    // e.g. X=".solon" && rm -rf ${X}gate → detects ".solon" as prefix of ".solongate"
+    function checkVarAssignments(s) {
+      const assignments = [...s.matchAll(/(\w+)=["']?([^"'\s&|;]+)["']?/g)];
+      for (const [, , value] of assignments) {
+        const v = value.toLowerCase();
+        if (v.length < 3) continue; // avoid false positives
+        for (const p of protectedPaths) {
+          if (p.startsWith(v) || p.includes(v)) return p;
+        }
+      }
+      return null;
+    }
+    // 6. Check if a glob/wildcard could match any protected path
     function globMatchesProtected(s) {
       if (!s.includes('*') && !s.includes('?')) return null;
-      // Extract all path segments and the full string to test
       const segments = s.split('/').filter(Boolean);
       const candidates = [s, ...segments];
       for (const candidate of candidates) {
         if (!candidate.includes('*') && !candidate.includes('?')) continue;
-        for (const p of protectedPaths) {
-          // Build regex from glob: * → .*, ? → .
-          const escaped = candidate.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\\\*/g, '.*').replace(/\\\?/g, '.');
-          try {
-            if (new RegExp('^' + escaped + '$', 'i').test(p)) return p;
-          } catch { /* invalid regex, skip */ }
+        // Prefix match: ".antig*" → prefix ".antig"
+        const starIdx = candidate.indexOf('*');
+        const qIdx = candidate.indexOf('?');
+        const firstWild = starIdx === -1 ? qIdx : qIdx === -1 ? starIdx : Math.min(starIdx, qIdx);
+        const prefix = candidate.slice(0, firstWild).toLowerCase();
+        if (prefix.length > 0) {
+          for (const p of protectedPaths) {
+            if (p.startsWith(prefix)) return p;
+          }
         }
+        // Regex match for patterns like ".cl?ude"
+        try {
+          const escaped = candidate.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\\\*/g, '.*').replace(/\\\?/g, '.');
+          const re = new RegExp('^' + escaped + '$', 'i');
+          for (const p of protectedPaths) {
+            if (re.test(p)) return p;
+          }
+        } catch {}
       }
       return null;
     }
-    // Normalize: lowercase, forward slashes, strip shell quotes
+    // ── Build all candidate strings from tool input ──
     const rawStrings = scanStrings(args).map(s => s.replace(/\\/g, '/').toLowerCase());
-    const allStrings = [];
+    const allStrings = new Set();
     for (const s of rawStrings) {
-      allStrings.push(s);
-      // Also add quote-stripped version
-      const stripped = stripShellQuotes(s);
-      if (stripped !== s) allStrings.push(stripped);
-      // Split by spaces (for commands like "rm -rf .sol'on'gate .cl*")
-      for (const tok of s.split(/\s+/)) {
-        if (tok !== s) {
-          allStrings.push(tok);
-          const strippedTok = stripShellQuotes(tok);
-          if (strippedTok !== tok) allStrings.push(strippedTok);
+      // Raw string
+      allStrings.add(s);
+      // Normalized (ANSI-C decoded, quotes stripped)
+      const norm = normalizeShell(s);
+      allStrings.add(norm);
+      // Extract inner commands (eval, bash -c, pipe to bash, find -name)
+      for (const inner of extractInnerCommands(s)) {
+        allStrings.add(inner.toLowerCase());
+        allStrings.add(normalizeShell(inner.toLowerCase()));
+      }
+      // Split by spaces + shell operators for token-level checks
+      for (const tok of s.split(/[\s;&|]+/)) {
+        if (tok) {
+          allStrings.add(tok);
+          allStrings.add(normalizeShell(tok));
         }
       }
+      // Also split normalized version
+      for (const tok of norm.split(/[\s;&|]+/)) {
+        if (tok) allStrings.add(tok);
+      }
     }
+    // ── Check all candidates ──
     for (const s of allStrings) {
       // Direct match
       for (const p of protectedPaths) {
         if (s.includes(p)) {
-          const msg = 'SOLONGATE: Access to protected file "' + p + '" is blocked';
-          if (API_KEY && API_KEY.startsWith('sg_live_')) {
-            try {
-              await fetch(API_URL + '/api/v1/audit-logs', {
-                method: 'POST',
-                headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
-                body: JSON.stringify({
-                  tool: data.tool_name || '', arguments: args,
-                  decision: 'DENY', reason: msg,
-                  source: 'claude-code-guard',
-                }),
-                signal: AbortSignal.timeout(3000),
-              });
-            } catch {}
-          }
-          process.stderr.write(msg);
-          process.exit(2);
+          await blockSelfProtection('SOLONGATE: Access to protected path "' + p + '" is blocked');
         }
       }
       // Wildcard/glob match
       const globHit = globMatchesProtected(s);
       if (globHit) {
-        const msg = 'SOLONGATE: Wildcard pattern "' + s + '" matches protected path "' + globHit + '" — blocked';
-        if (API_KEY && API_KEY.startsWith('sg_live_')) {
-          try {
-            await fetch(API_URL + '/api/v1/audit-logs', {
-              method: 'POST',
-              headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
-              body: JSON.stringify({
-                tool: data.tool_name || '', arguments: args,
-                decision: 'DENY', reason: msg,
-                source: 'claude-code-guard',
-              }),
-              signal: AbortSignal.timeout(3000),
-            });
-          } catch {}
-        }
-        process.stderr.write(msg);
-        process.exit(2);
+        await blockSelfProtection('SOLONGATE: Wildcard "' + s + '" matches protected "' + globHit + '" — blocked');
+      }
+      // Variable assignment targeting protected paths
+      const varHit = checkVarAssignments(s);
+      if (varHit) {
+        await blockSelfProtection('SOLONGATE: Variable assignment targets protected "' + varHit + '" — blocked');
       }
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.15.4",
+  "version": "0.16.0",
   "description": "MCP security proxy — protect any MCP server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {