@taewooopark/agent-blackbox 0.46.2 → 0.46.4
- package/dist/agent-blackbox.plugin.mjs +8 -2
- package/dist/cli.js +3 -2
- package/package.json +1 -1
|
@@ -184,7 +184,10 @@ var defaultRedactionRules = [
|
|
|
184
184
|
},
|
|
185
185
|
{
|
|
186
186
|
name: "private-key",
|
|
187
|
-
|
|
187
|
+
// Tempered quantifier: the body cannot cross another BEGIN marker. Without it, a
|
|
188
|
+
// lone BEGIN with no END forces a scan to end-of-string from every BEGIN — O(n²)
|
|
189
|
+
// backtracking on untrusted tool output peppered with BEGIN markers (slow-path DoS).
|
|
190
|
+
pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----(?:(?!-----BEGIN )[\s\S])*?-----END [A-Z ]*PRIVATE KEY-----/g,
|
|
188
191
|
replacement: "[REDACTED_PRIVATE_KEY]"
|
|
189
192
|
}
|
|
190
193
|
];
|
|
@@ -1064,7 +1067,10 @@ function createOpenCodeEventFactory(options) {
|
|
|
1064
1067
|
const current = typeof output.output === "string" ? output.output : "";
|
|
1065
1068
|
if (!current)
|
|
1066
1069
|
return;
|
|
1067
|
-
const
|
|
1070
|
+
const args = input.args && typeof input.args === "object" ? input.args : {};
|
|
1071
|
+
const offset = typeof args.offset === "number" ? args.offset : "";
|
|
1072
|
+
const limit = typeof args.limit === "number" ? args.limit : "";
|
|
1073
|
+
const key = `${readString2(input, "sessionID") ?? "s"}::${path}::${offset}:${limit}`;
|
|
1068
1074
|
const hash = hashContent(current);
|
|
1069
1075
|
const decision = decideReadServe(readCache.get(key), { hash, content: current }, compactionGen, path);
|
|
1070
1076
|
readCache.set(key, { hash, content: current, gen: compactionGen });
|
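Review bot: A `-----BEGIN … PRIVATE KEY-----` header with no matching END is left unredacted by the `private-key` pattern. The new negative lookahead also stops a match at the next BEGIN marker, so, as far as the pattern shows, an unterminated key body followed by another PEM block now passes through in clear. For a redaction rule that is fail-open behaviour: consider a follow-up rule that redacts from an orphan header up to the next `-----BEGIN ` or end of input, or at least record it next to the pattern, e.g. `// Limitation: a BEGIN header without an END is not redacted (truncated keys pass through).` The `defaultRedactionRules` array starts outside the hunk, so another rule may already cover this case.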
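--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -1109,9 +1109,10 @@ function upsertManagedBlock(content, block) {
 ${block}
 `;
 }
+var managedBlockSeamRegExp = () => new RegExp(`\\n*${escapeRegExp(EFFICIENCY_MEMORY_START)}[\\s\\S]*?${escapeRegExp(EFFICIENCY_MEMORY_END)}\\n*`, "g");
 function removeManagedBlock(content) {
 if (!hasManagedBlock(content)) return content;
-const stripped = content.replace(
+const stripped = content.replace(managedBlockSeamRegExp(), "\n\n").trimEnd();
 return stripped.length === 0 ? "" : `${stripped}
 `;
 }
@@ -1858,7 +1859,7 @@ async function handleRequest(request, response, eventsFile, clients, suggestConf
 sendEmpty(response, 204);
 return;
 }
-if (request.method === "POST") {
+if (request.method === "POST" || url.pathname === "/suggest") {
 const origin = request.headers.origin;
 if (typeof origin === "string" && !isLoopbackOrigin(origin)) {
 sendJson(response, 403, { ok: false, error: { message: "cross-site request blocked" } });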
package/package.json
CHANGED