npm - @solongate/proxy - Versions diffs - 0.21.0 → 0.23.0 - Mend

@solongate/proxy 0.21.0 → 0.23.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js CHANGED Viewed

@@ -487,6 +487,30 @@ function unlockProtectedDirs() {
     } catch {
     }
   }
+  const protectedFiles = [".env", ".gitignore", ".mcp.json", "policy.json"];
+  for (const file of protectedFiles) {
+    const fullPath = resolve2(file);
+    if (!existsSync3(fullPath)) continue;
+    try {
+      if (process.platform === "win32") {
+        try {
+          execSync(`powershell.exe -Command "icacls '${fullPath}' /remove:d '*S-1-1-0' /Q"`, { stdio: "ignore" });
+        } catch {
+        }
+        try {
+          execSync(`attrib -R "${fullPath}"`, { stdio: "ignore" });
+        } catch {
+        }
+      } else {
+        try {
+          execSync(`chattr -i "${fullPath}"`, { stdio: "ignore" });
+        } catch {
+        }
+        execSync(`chmod u+w "${fullPath}"`, { stdio: "ignore" });
+      }
+    } catch {
+    }
+  }
 }
 function installHooks(selectedTools = []) {
   unlockProtectedDirs();
@@ -542,49 +566,10 @@ function installHooks(selectedTools = []) {
     console.log(`  Created ${settingsPath}`);
     activatedNames.push(client.name);
   }
-  const protectedDirs = [".solongate", ...clients.map((c3) => c3.dir)];
-  try {
-    if (process.platform === "win32") {
-      for (const dir of protectedDirs) {
-        const fullDir = resolve2(dir);
-        if (existsSync3(fullDir)) {
-          try {
-            try {
-              execSync(`powershell.exe -Command "icacls '${fullDir}' /remove:d '*S-1-1-0' /T /Q"`, { stdio: "ignore" });
-            } catch {
-            }
-            try {
-              execSync(`powershell.exe -Command "icacls '${fullDir}' /deny '*S-1-1-0:(OI)(CI)(DE,DC,WD,AD,WA)' /T /Q"`, { stdio: "ignore" });
-            } catch {
-            }
-            execSync(`attrib +R /S /D "${fullDir}"`, { stdio: "ignore" });
-          } catch {
-          }
-        }
-      }
-    } else {
-      for (const dir of protectedDirs) {
-        const fullDir = resolve2(dir);
-        if (existsSync3(fullDir)) {
-          try {
-            execSync(`chmod -R a-w "${fullDir}"`, { stdio: "ignore" });
-          } catch {
-          }
-          try {
-            execSync(`chattr +i -R "${fullDir}"`, { stdio: "ignore" });
-          } catch {
-          }
-        }
-      }
-    }
-    console.log("  OS-level DENY protection applied (icacls/chmod)");
-  } catch {
-  }
   console.log("");
   console.log("  Hooks installed:");
   console.log("  guard.mjs  \u2192 blocks policy-violating calls (pre-execution)");
   console.log("  audit.mjs  \u2192 logs all calls to dashboard (post-execution)");
-  console.log("  File system \u2192 read-only (OS-level protection)");
   console.log(`  Activated for: ${activatedNames.join(", ")}`);
 }
 function ensureEnvFile() {

package/dist/init.js CHANGED Viewed

@@ -194,6 +194,30 @@ function unlockProtectedDirs() {
     } catch {
     }
   }
+  const protectedFiles = [".env", ".gitignore", ".mcp.json", "policy.json"];
+  for (const file of protectedFiles) {
+    const fullPath = resolve(file);
+    if (!existsSync(fullPath)) continue;
+    try {
+      if (process.platform === "win32") {
+        try {
+          execSync(`powershell.exe -Command "icacls '${fullPath}' /remove:d '*S-1-1-0' /Q"`, { stdio: "ignore" });
+        } catch {
+        }
+        try {
+          execSync(`attrib -R "${fullPath}"`, { stdio: "ignore" });
+        } catch {
+        }
+      } else {
+        try {
+          execSync(`chattr -i "${fullPath}"`, { stdio: "ignore" });
+        } catch {
+        }
+        execSync(`chmod u+w "${fullPath}"`, { stdio: "ignore" });
+      }
+    } catch {
+    }
+  }
 }
 function installHooks(selectedTools = []) {
   unlockProtectedDirs();
@@ -249,49 +273,10 @@ function installHooks(selectedTools = []) {
     console.log(`  Created ${settingsPath}`);
     activatedNames.push(client.name);
   }
-  const protectedDirs = [".solongate", ...clients.map((c) => c.dir)];
-  try {
-    if (process.platform === "win32") {
-      for (const dir of protectedDirs) {
-        const fullDir = resolve(dir);
-        if (existsSync(fullDir)) {
-          try {
-            try {
-              execSync(`powershell.exe -Command "icacls '${fullDir}' /remove:d '*S-1-1-0' /T /Q"`, { stdio: "ignore" });
-            } catch {
-            }
-            try {
-              execSync(`powershell.exe -Command "icacls '${fullDir}' /deny '*S-1-1-0:(OI)(CI)(DE,DC,WD,AD,WA)' /T /Q"`, { stdio: "ignore" });
-            } catch {
-            }
-            execSync(`attrib +R /S /D "${fullDir}"`, { stdio: "ignore" });
-          } catch {
-          }
-        }
-      }
-    } else {
-      for (const dir of protectedDirs) {
-        const fullDir = resolve(dir);
-        if (existsSync(fullDir)) {
-          try {
-            execSync(`chmod -R a-w "${fullDir}"`, { stdio: "ignore" });
-          } catch {
-          }
-          try {
-            execSync(`chattr +i -R "${fullDir}"`, { stdio: "ignore" });
-          } catch {
-          }
-        }
-      }
-    }
-    console.log("  OS-level DENY protection applied (icacls/chmod)");
-  } catch {
-  }
   console.log("");
   console.log("  Hooks installed:");
   console.log("  guard.mjs  \u2192 blocks policy-violating calls (pre-execution)");
   console.log("  audit.mjs  \u2192 logs all calls to dashboard (post-execution)");
-  console.log("  File system \u2192 read-only (OS-level protection)");
   console.log(`  Activated for: ${activatedNames.join(", ")}`);
 }
 function ensureEnvFile() {

package/hooks/guard.mjs CHANGED Viewed

@@ -589,6 +589,107 @@ process.stdin.on('end', async () => {
       await blockSelfProtection('SOLONGATE: Script execution + destructive command in chain — blocked');
     }
+    // 7-pre6. Nested script substitution: node clean.mjs $(node scan.mjs)
+    // Two "harmless" scripts chained via command substitution — no rm in the command itself
+    const nestedScriptSub = /\b(?:node|python[23]?|perl|ruby|bash|sh)\s+\S+\.\S+\s+.*\$\(\s*(?:node|python[23]?|perl|ruby|bash|sh)\b/i;
+    const backtickNestedScript = /\b(?:node|python[23]?|perl|ruby|bash|sh)\s+\S+\.\S+\s+.*`\s*(?:node|python[23]?|perl|ruby|bash|sh)\b/i;
+    if (nestedScriptSub.test(fullCmd) || backtickNestedScript.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: Nested script substitution — blocked (script output as args to another script)');
+    }
+    // 7-pre7. NODE_OPTIONS injection — block commands with NODE_OPTIONS env var
+    // NODE_OPTIONS="--require malicious.cjs" can inject code into any node process
+    if (/\bNODE_OPTIONS\s*=/i.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: NODE_OPTIONS injection — blocked');
+    }
+    // 7-pre8. npm lifecycle scripts — scan package.json before npm install/run
+    // npm install can trigger postinstall/preinstall/prepare scripts
+    if (/\bnpm\s+(?:install|i|ci|run|start|test|publish|pack)\b/i.test(fullCmd) || /\bnpx\s+/i.test(fullCmd)) {
+      try {
+        const hookCwdForNpm = data.cwd || process.cwd();
+        const pkgPath = resolve(hookCwdForNpm, 'package.json');
+        if (existsSync(pkgPath)) {
+          const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+          const scripts = pkg.scripts || {};
+          const lifecycleKeys = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish', 'prepublishOnly', 'prepack', 'postpack'];
+          const allScripts = Object.entries(scripts);
+          for (const [key, val] of allScripts) {
+            if (typeof val !== 'string') continue;
+            const scriptLower = val.toLowerCase();
+            // Check lifecycle scripts for dangerous patterns
+            const isLifecycle = lifecycleKeys.includes(key);
+            const isExplicitRun = fullCmd.includes(key); // npm run <key>
+            if (isLifecycle || isExplicitRun) {
+              // Check for protected path names
+              for (const p of [...protectedPaths, ...writeProtectedPaths]) {
+                if (scriptLower.includes(p)) {
+                  await blockSelfProtection('SOLONGATE: npm script "' + key + '" references protected "' + p + '" — blocked');
+                }
+              }
+              // Check for string construction patterns
+              if (/fromcharcode|atob\s*\(|buffer\.from|\\x[0-9a-f]{2}/i.test(scriptLower)) {
+                await blockSelfProtection('SOLONGATE: npm script "' + key + '" contains string construction — blocked');
+              }
+              // Check for discovery+destruction combo
+              const hasDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob\b|\bls\s+-[adl]/i.test(scriptLower);
+              const hasDest = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b/i.test(scriptLower);
+              if (hasDisc && hasDest) {
+                await blockSelfProtection('SOLONGATE: npm script "' + key + '" has discovery+destruction — blocked');
+              }
+              // Follow node/bash <file> references in npm scripts — deep scan the target file
+              const scriptFileMatch = scriptLower.match(/\b(?:node|bash|sh|python[23]?)\s+([^\s;&|$]+)/i);
+              if (scriptFileMatch) {
+                try {
+                  const targetPath = resolve(hookCwdForNpm, scriptFileMatch[1]);
+                  if (existsSync(targetPath)) {
+                    const targetContent = readFileSync(targetPath, 'utf-8').toLowerCase();
+                    // Check target file for protected paths
+                    for (const pp of [...protectedPaths, ...writeProtectedPaths]) {
+                      if (targetContent.includes(pp)) {
+                        await blockSelfProtection('SOLONGATE: npm script "' + key + '" runs file referencing "' + pp + '" — blocked');
+                      }
+                    }
+                    // Check target for discovery+destruction
+                    const tDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bglob\b/i.test(targetContent);
+                    const tDest = /\brmsync\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(targetContent);
+                    if (tDisc && tDest) {
+                      await blockSelfProtection('SOLONGATE: npm script "' + key + '" runs file with discovery+destruction — blocked');
+                    }
+                    // Check target for string construction + destruction
+                    const tStrCon = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b/i.test(targetContent);
+                    if (tStrCon && tDest) {
+                      await blockSelfProtection('SOLONGATE: npm script "' + key + '" runs file with string construction+destruction — blocked');
+                    }
+                    // Follow imports in the target file
+                    const tDir = targetPath.replace(/[/\\][^/\\]+$/, '');
+                    const tImports = [...targetContent.matchAll(/(?:import\s+.*?\s+from\s+|import\s+|require\s*\()['"]\.\/([^'"]+)['"]/gi)];
+                    for (const [, imp] of tImports) {
+                      try {
+                        const impAbs = resolve(tDir, imp);
+                        const candidates = [impAbs, impAbs + '.mjs', impAbs + '.js', impAbs + '.cjs'];
+                        for (const c of candidates) {
+                          if (existsSync(c)) {
+                            const impContent = readFileSync(c, 'utf-8').toLowerCase();
+                            const iDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bglob\b/i.test(impContent);
+                            const iDest = /\brmsync\b|\bunlinksync\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(impContent);
+                            if ((iDisc && tDest) || (tDisc && iDest)) {
+                              await blockSelfProtection('SOLONGATE: npm script "' + key + '" — cross-module discovery+destruction — blocked');
+                            }
+                            break;
+                          }
+                        }
+                      } catch {}
+                    }
+                  }
+                } catch {}
+              }
+            }
+          }
+        }
+      } catch {} // Package.json read error — skip
+    }
     // 7a. Inline interpreter execution — TOTAL BLOCK (no content scan needed)
     // These can construct ANY string at runtime, bypassing all static analysis
     const blockedInterpreters = [
@@ -646,7 +747,7 @@ process.stdin.on('end', async () => {
     // 7g. Script file execution — scan file content for discovery+destruction combo
     // Catches: bash script.sh / node script.mjs where the script uses readdirSync + rmSync
-    const scriptExecMatch = fullCmd.match(/\b(?:bash|sh|node|python[23]?|perl|ruby)\s+([^\s;&|]+)/i);
+    const scriptExecMatch = fullCmd.match(/\b(?:bash|sh|node|python[23]?|perl|ruby)\s+([^\s;&|$`]+)/i);
     if (scriptExecMatch) {
       const scriptPath = scriptExecMatch[1];
       try {
@@ -658,12 +759,50 @@ process.stdin.on('end', async () => {
           const scriptContent = readFileSync(absPath, 'utf-8').toLowerCase();
           // Check for discovery+destruction combo
           const hasDiscovery = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b|\bls\s+-[adl]|\bls\s+\.\b|\bopendir\b|\bdir\.entries\b|\bwalkdir\b|\bls\b.*\.\[/.test(scriptContent);
-          const hasDestruction = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\s*\(|\brimraf\b|\bremovesync\b|\bremove_tree\b|\bshutil\.rmtree\b|\bwritefilesync\b|\bexecsync\b.*\brm\b|\bchild_process\b|\bfs\.\s*(?:rm|unlink|rmdir|write)/.test(scriptContent);
+          const hasDestruction = /\brmsync\b|\brm\s+-rf\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bremovesync\b|\bremove_tree\b|\bshutil\.rmtree\b|\bwritefilesync\b|\bexecsync\b.*\brm\b|\bchild_process\b|\bfs\.\s*(?:rm|unlink|rmdir|write)/.test(scriptContent);
           if (hasDiscovery && hasDestruction) {
             await blockSelfProtection('SOLONGATE: Script contains directory discovery + destructive ops — blocked');
           }
-          // Also check for protected path names in script content (existing check, now centralized)
-          for (const p of protectedPaths) {
+          // String construction + destructive = BLOCK
+          // Runtime string construction (fromCharCode, atob, Buffer.from) bypasses literal name checks
+          const hasStringConstruction = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b|\\x[0-9a-f]{2}|\bstring\.fromcodepoin/i.test(scriptContent);
+          if (hasStringConstruction && hasDestruction) {
+            await blockSelfProtection('SOLONGATE: Script uses string construction + destructive ops — blocked');
+          }
+          // Import/require chain: if script imports other local files, scan them too
+          const scriptDir = absPath.replace(/[/\\][^/\\]+$/, '');
+          const imports = [...scriptContent.matchAll(/(?:import\s+.*?\s+from\s+|import\s+|require\s*\()['"]\.\/([^'"]+)['"]/gi)];
+          for (const [, importPath] of imports) {
+            try {
+              const importAbs = resolve(scriptDir, importPath);
+              const candidates = [importAbs, importAbs + '.mjs', importAbs + '.js', importAbs + '.cjs'];
+              for (const candidate of candidates) {
+                if (existsSync(candidate)) {
+                  const importContent = readFileSync(candidate, 'utf-8').toLowerCase();
+                  // Cross-module: check if imported module has discovery/destruction/string construction
+                  const importDisc = /\breaddirsync\b|\breaddir\b|\bos\.listdir\b|\bscandir\b|\bglob(?:sync)?\b/i.test(importContent);
+                  const importDest = /\brmsync\b|\bunlinksync\b|\brmdirsync\b|\bunlink\b|\brimraf\b|\bfs\.\s*(?:rm|unlink|rmdir)/i.test(importContent);
+                  const importStrCon = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b/i.test(importContent);
+                  // Cross-module discovery in import + destruction in main (or vice versa)
+                  if ((importDisc && hasDestruction) || (hasDiscovery && importDest)) {
+                    await blockSelfProtection('SOLONGATE: Cross-module discovery+destruction detected — blocked');
+                  }
+                  if ((importStrCon && hasDestruction) || (hasStringConstruction && importDest)) {
+                    await blockSelfProtection('SOLONGATE: Cross-module string construction+destruction — blocked');
+                  }
+                  // Check imported module for protected paths
+                  for (const p of [...protectedPaths, ...writeProtectedPaths]) {
+                    if (importContent.includes(p)) {
+                      await blockSelfProtection('SOLONGATE: Imported module references protected "' + p + '" — blocked');
+                    }
+                  }
+                  break;
+                }
+              }
+            } catch {}
+          }
+          // Check for protected path names in script content
+          for (const p of [...protectedPaths, ...writeProtectedPaths]) {
             if (scriptContent.includes(p)) {
               await blockSelfProtection('SOLONGATE: Script references protected path "' + p + '" — blocked');
             }
@@ -683,6 +822,39 @@ process.stdin.on('end', async () => {
         if (hasDiscovery && hasDestruction) {
           await blockSelfProtection('SOLONGATE: File content contains discovery + destructive ops — write blocked');
         }
+        // String construction + destructive = BLOCK
+        const hasStringConstruction = /\bfromcharcode\b|\batob\s*\(|\bbuffer\.from\b|\\x[0-9a-f]{2}|\bstring\.fromcodepoin/i.test(fileContent);
+        if (hasStringConstruction && hasDestruction) {
+          await blockSelfProtection('SOLONGATE: File uses string construction + destructive ops — write blocked');
+        }
+      }
+    }
+    // 7i. Write tool — detect package.json scripts with dangerous patterns
+    if (toolName_.toLowerCase() === 'write' || toolName_.toLowerCase() === 'edit') {
+      const filePath = (args.file_path || '').toLowerCase();
+      if (filePath.endsWith('package.json')) {
+        const content = args.content || args.new_string || '';
+        try {
+          // Try parsing as JSON to check scripts
+          const pkg = JSON.parse(content);
+          const scripts = pkg.scripts || {};
+          for (const [key, val] of Object.entries(scripts)) {
+            if (typeof val !== 'string') continue;
+            const v = val.toLowerCase();
+            for (const p of [...protectedPaths, ...writeProtectedPaths]) {
+              if (v.includes(p)) {
+                await blockSelfProtection('SOLONGATE: package.json script "' + key + '" references protected "' + p + '" — blocked');
+              }
+            }
+            if (/fromcharcode|atob\s*\(|buffer\.from/i.test(v)) {
+              const hasDest = /\brmsync\b|\brm\b|\bunlink\b|\brimraf\b/i.test(v);
+              if (hasDest) {
+                await blockSelfProtection('SOLONGATE: package.json script "' + key + '" has string construction + destruction — blocked');
+              }
+            }
+          }
+        } catch {} // Not valid JSON or parse error — skip
       }
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.21.0",
+  "version": "0.23.0",
   "description": "MCP security proxy — protect any MCP server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {