npm - @solongate/proxy - Versions diffs - 0.17.3 → 0.19.0 - Mend

@solongate/proxy 0.17.3 → 0.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/hooks/guard.mjs +81 -42
package/package.json +1 -1

package/hooks/guard.mjs CHANGED Viewed

@@ -452,61 +452,49 @@ process.stdin.on('end', async () => {
       }
     }
-    // ── Layer 7: Dangerous execution pattern detection ──
-    // These can construct ANY string at runtime — block when touching protected dirs
+    // ── Layer 7: Block ALL inline code execution & dangerous patterns ──
+    // Runtime string construction (atob, Buffer.from, fromCharCode, array.join)
+    // makes static analysis impossible. Blanket-block these patterns.
     const fullCmd = rawStrings.join(' ');
-    // 7a. Inline interpreter execution: node -e, python -c, perl -e, ruby -e
-    // Extract the -e/-c argument and scan it
-    const interpreterPatterns = [
-      /\bnode\s+(?:-e|--eval)\s+["']([^"']+)["']/gi,
-      /\bnode\s+(?:-e|--eval)\s+([^;&|"']+)/gi,
-      /\bpython[23]?\s+-c\s+["']([^"']+)["']/gi,
-      /\bperl\s+-e\s+["']([^"']+)["']/gi,
-      /\bruby\s+-e\s+["']([^"']+)["']/gi,
+    // 7a. Inline interpreter execution — TOTAL BLOCK (no content scan needed)
+    // These can construct ANY string at runtime, bypassing all static analysis
+    const blockedInterpreters = [
+      [/\bnode\s+(?:-e|--eval)\b/i, 'node -e/--eval'],
+      [/\bnode\s+-p\b/i, 'node -p'],
+      [/\bpython[23]?\s+-c\b/i, 'python -c'],
+      [/\bperl\s+-e\b/i, 'perl -e'],
+      [/\bruby\s+-e\b/i, 'ruby -e'],
+      [/\bpowershell(?:\.exe)?\s+.*-(?:EncodedCommand|e|ec)\b/i, 'powershell -EncodedCommand'],
+      [/\bpwsh(?:\.exe)?\s+.*-(?:EncodedCommand|e|ec)\b/i, 'pwsh -EncodedCommand'],
+      [/\bpowershell(?:\.exe)?\s+-c(?:ommand)?\b/i, 'powershell -Command'],
+      [/\bpwsh(?:\.exe)?\s+-c(?:ommand)?\b/i, 'pwsh -Command'],
     ];
-    for (const pat of interpreterPatterns) {
-      for (const m of fullCmd.matchAll(pat)) {
-        const code = m[1].toLowerCase();
-        for (const p of protectedPaths) {
-          if (code.includes(p)) {
-            await blockSelfProtection('SOLONGATE: Interpreter code targets "' + p + '" — blocked');
-          }
-        }
-        // Also check the normalized version
-        const normCode = normalizeShell(code);
-        for (const p of protectedPaths) {
-          if (normCode.includes(p)) {
-            await blockSelfProtection('SOLONGATE: Interpreter code targets "' + p + '" — blocked');
-          }
-        }
+    for (const [pat, name] of blockedInterpreters) {
+      if (pat.test(fullCmd)) {
+        await blockSelfProtection('SOLONGATE: Inline code execution blocked (' + name + ')');
       }
     }
-    // 7b. Base64 decode piped to execution — always block
-    if (/\bbase64\s+-d\b.*\|\s*(?:bash|sh|node|python|perl|ruby)\b/i.test(fullCmd) ||
-        /\bbase64\s+--decode\b.*\|\s*(?:bash|sh|node|python|perl|ruby)\b/i.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: base64 decode piped to interpreter — blocked');
+    // 7b. Pipe-to-interpreter — TOTAL BLOCK
+    // Any content piped to an interpreter can construct arbitrary commands at runtime
+    const pipeToInterpreter = /\|\s*(?:node|bash|sh|python[23]?|perl|ruby|php)\b/i;
+    if (pipeToInterpreter.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: Pipe to interpreter blocked — runtime bypass risk');
     }
-    // 7c. Temp script file execution: bash /path/file, sh /path/file
-    // If "bash <file>" or "sh <file>" and the file is not a well-known script
-    if (/\b(?:bash|sh)\s+(?:\/tmp\/|\/var\/tmp\/|~\/\.|\.\/[^.s])/i.test(fullCmd)) {
-      await blockSelfProtection('SOLONGATE: Temp script execution detected — blocked');
+    // 7c. Base64 decode in ANY context — block when piped to anything
+    if (/\bbase64\s+(?:-d|--decode)\b/i.test(fullCmd) && /\|/i.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: base64 decode in pipe chain — blocked');
     }
-    // 7d. Process substitution and here-strings that could construct protected paths
-    if (/>\s*\(\s*(?:rm|mv|cp|cat)\b/i.test(fullCmd) || /<<<.*(?:rm|mv|cp|cat)\b/i.test(fullCmd)) {
-      for (const p of protectedPaths) {
-        const prefix = p.slice(0, 4); // e.g. ".sol", ".cla"
-        if (fullCmd.includes(prefix)) {
-          await blockSelfProtection('SOLONGATE: Process substitution near protected path "' + p + '" — blocked');
-        }
-      }
+    // 7d. Temp/arbitrary script file execution
+    if (/\b(?:bash|sh)\s+(?:\/tmp\/|\/var\/tmp\/|~\/|\/dev\/)/i.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: Script execution from temp path — blocked');
     }
     // 7e. xargs with destructive operations
-    if (/\bxargs\b.*\b(?:rm|mv|cp|rmdir|unlink)\b/i.test(fullCmd)) {
+    if (/\bxargs\b.*\b(?:rm|mv|cp|rmdir|unlink|del)\b/i.test(fullCmd)) {
       for (const p of protectedPaths) {
         if (fullCmd.includes(p.slice(0, 4))) {
           await blockSelfProtection('SOLONGATE: xargs with destructive op near "' + p + '" — blocked');
@@ -514,6 +502,57 @@ process.stdin.on('end', async () => {
       }
     }
+    // 7f. cmd.exe /c with encoded/constructed commands
+    if (/\bcmd(?:\.exe)?\s+\/c\b/i.test(fullCmd)) {
+      for (const p of protectedPaths) {
+        if (fullCmd.includes(p) || fullCmd.includes(p.slice(0, 4))) {
+          await blockSelfProtection('SOLONGATE: cmd.exe /c near protected path — blocked');
+        }
+      }
+    }
+    // 7g. Script file execution — scan file content for discovery+destruction combo
+    // Catches: bash script.sh / node script.mjs where the script uses readdirSync + rmSync
+    const scriptExecMatch = fullCmd.match(/\b(?:bash|sh|node|python[23]?|perl|ruby)\s+([^\s;&|]+)/i);
+    if (scriptExecMatch) {
+      const scriptPath = scriptExecMatch[1];
+      try {
+        const hookCwdForScript = data.cwd || process.cwd();
+        const absPath = scriptPath.startsWith('/') || scriptPath.includes(':')
+          ? scriptPath
+          : resolve(hookCwdForScript, scriptPath);
+        if (existsSync(absPath)) {
+          const scriptContent = readFileSync(absPath, 'utf-8').toLowerCase();
+          // Check for discovery+destruction combo
+          const hasDiscovery = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b|\bls\s+-[adl]|\bls\s+\.\b|\bopendir\b|\bdir\.entries\b|\bwalkdir\b|\bls\b.*\.\[/.test(scriptContent);
+          const hasDestruction = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\s*\(|\brimraf\b|\bremovesync\b|\bremove_tree\b|\bshutil\.rmtree\b|\bwritefilesync\b|\bexecsync\b.*\brm\b|\bchild_process\b|\bfs\.\s*(?:rm|unlink|rmdir|write)/.test(scriptContent);
+          if (hasDiscovery && hasDestruction) {
+            await blockSelfProtection('SOLONGATE: Script contains directory discovery + destructive ops — blocked');
+          }
+          // Also check for protected path names in script content (existing check, now centralized)
+          for (const p of protectedPaths) {
+            if (scriptContent.includes(p)) {
+              await blockSelfProtection('SOLONGATE: Script references protected path "' + p + '" — blocked');
+            }
+          }
+        }
+      } catch {} // File read error — skip
+    }
+    // 7h. Write tool content scanning — detect discovery+destruction in file content being written
+    // Catches: Write tool creating a script that uses readdirSync('.') + rmSync
+    const toolName_ = data.tool_name || '';
+    if (toolName_.toLowerCase() === 'write' || toolName_.toLowerCase() === 'edit') {
+      const fileContent = (args.content || args.new_string || '').toLowerCase();
+      if (fileContent.length > 0) {
+        const hasDiscovery = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b|\bls\s+-[adl]|\bls\s+\.\b|\bopendir\b|\bdir\.entries\b|\bwalkdir\b|\bls\b.*\.\[/.test(fileContent);
+        const hasDestruction = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bremovesync\b|\bremove_tree\b|\bshutil\.rmtree\b|\bwritefilesync\b|\bexecsync\b.*\brm\b|\bchild_process\b.*\brm\b|\bfs\.\s*(?:rm|unlink|rmdir)/.test(fileContent);
+        if (hasDiscovery && hasDestruction) {
+          await blockSelfProtection('SOLONGATE: File content contains discovery + destructive ops — write blocked');
+        }
+      }
+    }
     // ── Fetch PI config from Cloud ──
     let piCfg = { piEnabled: true, piThreshold: 0.5, piMode: 'block', piWhitelist: [], piToolConfig: {}, piCustomPatterns: [], piWebhookUrl: null };
     if (API_KEY && API_KEY.startsWith('sg_live_')) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.17.3",
+  "version": "0.19.0",
   "description": "MCP security proxy — protect any MCP server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {