@trops/dash-core 0.1.485 → 0.1.487

package/dist/electron/index.js

@@ -4,7 +4,7 @@ var require$$0$1 = require('electron');
 var require$$1$1 = require('electron-store');
 var require$$1$2 = require('path');
 var require$$0$2 = require('fs');
-var require$$5$1 = require('objects-to-csv');
+var require$$6$1 = require('objects-to-csv');
 var require$$1$3 = require('readline');
 var require$$2 = require('xtreamer');
 var require$$3$1 = require('xml2js');
@@ -12,12 +12,12 @@ var require$$4 = require('JSONStream');
 var require$$5 = require('stream');
 var require$$6 = require('csv-parser');
 var require$$0$3 = require('quickjs-emscripten');
-var require$$7 = require('https');
+var require$$8$1 = require('https');
 var require$$0$5 = require('@modelcontextprotocol/sdk/client/index.js');
 var require$$1$4 = require('@modelcontextprotocol/sdk/client/stdio.js');
 var require$$0$4 = require('pkce-challenge');
 var require$$2$1 = require('os');
-var require$$7$1 = require('child_process');
+var require$$7 = require('child_process');
 var require$$3$2 = require('adm-zip');
 var require$$4$1 = require('url');
 var require$$2$2 = require('vm');
@@ -28,7 +28,7 @@ var require$$0$6 = require('openai');
 require('live-plugin-manager');
 var require$$0$9 = require('@anthropic-ai/sdk');
 var require$$3$4 = require('crypto');
-var require$$8$1 = require('zod');
+var require$$8$2 = require('zod');
 var require$$0$7 = require('http');
 var require$$1$6 = require('http2');
 var require$$2$4 = require('node-forge');
@@ -1107,7 +1107,7 @@ var secureStoreController$1 = {
   getData: getData$1,
 };
 
-const path$j = require$$1$2;
+const path$k = require$$1$2;
 const {
   readFileSync,
   writeFileSync: writeFileSync$4,
@@ -1125,7 +1125,7 @@ const {
 function ensureDirectoryExistence$2(filePath) {
   try {
     // isDirectory
-    var dirname = path$j.dirname(filePath);
+    var dirname = path$k.dirname(filePath);
     // check if the directory exists...return true
     // if not, we can pass in the dirname as the filepath
     // and check each directory recursively.
@@ -1240,7 +1240,7 @@ function removeFilesFromDirectory(directory, excludeFiles = []) {
 
       for (const file of files) {
         if (!excludeFiles.includes(file)) {
-          unlinkSync(path$j.join(directory, file), (err) => {
+          unlinkSync(path$k.join(directory, file), (err) => {
             if (err) throw err;
           });
         }
@@ -1257,8 +1257,8 @@ var file = {
   checkDirectory: checkDirectory$1,
 };
 
-const { app: app$b } = require$$0$1;
-const path$i = require$$1$2;
+const { app: app$c } = require$$0$1;
+const path$j = require$$1$2;
 const { writeFileSync: writeFileSync$3 } = require$$0$2;
 const { getFileContents: getFileContents$7 } = file;
 
@@ -1305,8 +1305,8 @@ const workspaceController$3 = {
   saveWorkspaceForApplication: (win, appId, workspaceObject) => {
     try {
       // filename to the pages file (live pages)
-      const filename = path$i.join(
-        app$b.getPath("userData"),
+      const filename = path$j.join(
+        app$c.getPath("userData"),
         appName$7,
         appId,
         configFilename$5,
@@ -1354,8 +1354,8 @@ const workspaceController$3 = {
   saveMenuItemsForApplication: (win, appId, menuItems) => {
     try {
       // filename to the workspaces file
-      const filename = path$i.join(
-        app$b.getPath("userData"),
+      const filename = path$j.join(
+        app$c.getPath("userData"),
         appName$7,
         appId,
         configFilename$5,
@@ -1403,8 +1403,8 @@ const workspaceController$3 = {
    */
   deleteWorkspaceForApplication: (win, appId, workspaceId) => {
     try {
-      const filename = path$i.join(
-        app$b.getPath("userData"),
+      const filename = path$j.join(
+        app$c.getPath("userData"),
         appName$7,
         appId,
         configFilename$5,
@@ -1437,8 +1437,8 @@ const workspaceController$3 = {
 
   listWorkspacesForApplication: (win, appId) => {
     try {
-      const filename = path$i.join(
-        app$b.getPath("userData"),
+      const filename = path$j.join(
+        app$c.getPath("userData"),
         appName$7,
         appId,
         configFilename$5,
@@ -1465,8 +1465,8 @@ const workspaceController$3 = {
 
   listMenuItemsForApplication: (win, appId) => {
     try {
-      const filename = path$i.join(
-        app$b.getPath("userData"),
+      const filename = path$j.join(
+        app$c.getPath("userData"),
         appName$7,
         appId,
         configFilename$5,
@@ -1509,8 +1509,8 @@ const workspaceController$3 = {
 
 var workspaceController_1 = workspaceController$3;
 
-const { app: app$a } = require$$0$1;
-const path$h = require$$1$2;
+const { app: app$b } = require$$0$1;
+const path$i = require$$1$2;
 const { writeFileSync: writeFileSync$2 } = require$$0$2;
 const { getFileContents: getFileContents$6 } = file;
 
@@ -1530,8 +1530,8 @@ const themeController$5 = {
   saveThemeForApplication: (win, appId, name, obj) => {
     try {
       // filename to the pages file (live pages)
-      const filename = path$h.join(
-        app$a.getPath("userData"),
+      const filename = path$i.join(
+        app$b.getPath("userData"),
         appName$6,
         appId,
         configFilename$4,
@@ -1576,8 +1576,8 @@ const themeController$5 = {
    */
   listThemesForApplication: (win, appId) => {
     try {
-      const filename = path$h.join(
-        app$a.getPath("userData"),
+      const filename = path$i.join(
+        app$b.getPath("userData"),
         appName$6,
         appId,
         configFilename$4,
@@ -1618,8 +1618,8 @@ const themeController$5 = {
    */
   deleteThemeForApplication: (win, appId, themeKey) => {
     try {
-      const filename = path$h.join(
-        app$a.getPath("userData"),
+      const filename = path$i.join(
+        app$b.getPath("userData"),
         appName$6,
         appId,
         configFilename$4,
@@ -1650,6 +1650,179 @@ const themeController$5 = {
 
 var themeController_1 = themeController$5;
 
+/**
+ * safePath.js
+ *
+ * Path-traversal containment for IPC handlers that accept renderer-
+ * supplied paths.
+ *
+ * Why: dash-core exposes IPC handlers (mainApi.data.saveData,
+ * mainApi.data.parseXMLStream, mainApi.algolia.createBatchesFromFile,
+ * etc.) that historically passed renderer-controlled paths directly to
+ * fs.writeFileSync / fs.createReadStream. A widget could pass
+ * "../../etc/passwd" and the handler would write/read OUTSIDE the
+ * intended app data directory because path.join doesn't reject `..`
+ * segments. See docs/security/ipc-filesystem-audit.md for the full
+ * finding set.
+ *
+ * This utility resolves the requested path, walks symlinks, and asserts
+ * containment within at least one explicitly-allowed root. Any handler
+ * that takes a renderer path runs it through `safePath(p, roots)` and
+ * either gets back a validated absolute real-path, or throws.
+ *
+ * Public API:
+ *
+ *   safePath(requested, allowedRoots[]) → string
+ *     Throws on traversal, missing input, or empty roots. Returns the
+ *     resolved real-path (which is what the caller should pass to fs).
+ *
+ *   getAllowedRoots(category) → string[]
+ *     Canonical roots per category. Categories:
+ *       "data"     — userData/Dashboard/data + user-configured override
+ *       "themes"   — userData/Dashboard/themes
+ *       "widgets"  — userData/widgets
+ *       "plugins"  — userData/plugins
+ *       "downloads"— OS Downloads folder
+ *
+ * Defense layers:
+ *   1. path.resolve() to absolute form.
+ *   2. fs.realpathSync() through any symlinks. If the path doesn't
+ *      exist yet, realpath the parent directory (so a symlink-in-parent
+ *      can't trick a future create operation).
+ *   3. startsWith(realRoot + path.sep) test — single-equals check
+ *      handles "exactly the root" case, prefix-with-sep handles
+ *      "inside the root" without false-matching `/data-evil/` against
+ *      `/data/`.
+ */
+
+const path$h = require$$1$2;
+const fs$c = require$$0$2;
+const { app: app$a } = require$$0$1;
+
+const APP_NAME = "Dashboard";
+
+/**
+ * @param {string} category
+ * @returns {string[]} ordered allowed roots for that category
+ */
+function getAllowedRoots$2(category) {
+  const userData = app$a.getPath("userData");
+  switch (category) {
+    case "data": {
+      const def = path$h.join(userData, APP_NAME, "data");
+      // The user can configure a custom data directory in
+      // Settings → General → Data Directory. If set, that
+      // location is ALSO an allowed root. We don't replace the
+      // default — both are valid because legacy data may still
+      // live in the default while new data goes to the override.
+      const override = readDataDirectoryFromSettings();
+      return override ? [def, override] : [def];
+    }
+    case "themes":
+      return [path$h.join(userData, APP_NAME, "themes")];
+    case "widgets":
+      return [path$h.join(userData, "widgets")];
+    case "plugins":
+      return [path$h.join(userData, "plugins")];
+    case "downloads":
+      return [app$a.getPath("downloads")];
+    default:
+      throw new Error("safePath: unknown allowed-roots category: " + category);
+  }
+}
+
+/**
+ * Read the user-configured data directory from settings.json. Returns
+ * undefined if not set or unreadable.
+ *
+ * Inlined to avoid a circular require with settingsController. Reads
+ * the same settings.json file directly.
+ */
+function readDataDirectoryFromSettings() {
+  try {
+    const settingsPath = path$h.join(
+      app$a.getPath("userData"),
+      APP_NAME,
+      "settings.json",
+    );
+    if (!fs$c.existsSync(settingsPath)) return undefined;
+    const raw = fs$c.readFileSync(settingsPath, "utf8");
+    const settings = JSON.parse(raw);
+    const dir = settings && settings.dataDirectory;
+    if (typeof dir === "string" && dir) return dir;
+  } catch (_e) {
+    // best-effort — fall through to default
+  }
+  return undefined;
+}
+
+/**
+ * Resolve and validate a path against allowed roots.
+ *
+ * @param {string} requested  the path the renderer asked for
+ * @param {string[]} allowedRoots  list of absolute paths the result must be inside
+ * @returns {string} validated absolute real-path
+ * @throws if requested is not contained within any allowed root
+ */
+function safePath$2(requested, allowedRoots) {
+  if (typeof requested !== "string" || !requested) {
+    throw new Error("safePath: requested must be a non-empty string");
+  }
+  if (!Array.isArray(allowedRoots) || allowedRoots.length === 0) {
+    throw new Error("safePath: allowedRoots must be a non-empty array");
+  }
+
+  const resolved = path$h.resolve(requested);
+
+  // Real-path through symlinks. If the file doesn't exist yet (a
+  // create-new operation), real-path the parent so a symlink in the
+  // parent chain can't trick us.
+  let real = resolved;
+  try {
+    real = fs$c.realpathSync(resolved);
+  } catch (_e) {
+    try {
+      const parent = fs$c.realpathSync(path$h.dirname(resolved));
+      real = path$h.join(parent, path$h.basename(resolved));
+    } catch (_e2) {
+      // Parent doesn't exist either. Use the resolved-but-not-
+      // real path; the caller's mkdirSync will happen inside the
+      // validated root, and any symlinks underneath will be
+      // re-checked the next time safePath sees the same path.
+    }
+  }
+
+  for (const root of allowedRoots) {
+    let realRoot = root;
+    try {
+      if (fs$c.existsSync(root)) realRoot = fs$c.realpathSync(root);
+    } catch (_e) {
+      // root doesn't exist or isn't reachable — keep as-is for
+      // the comparison below
+    }
+    // Exact match OR strictly-inside (with separator to prevent
+    // /data-evil/ matching /data/).
+    if (real === realRoot || real.startsWith(realRoot + path$h.sep)) {
+      return real;
+    }
+  }
+
+  throw new Error(
+    "safePath: requested path is not within any allowed root. " +
+      "Requested: " +
+      requested +
+      " (resolved to " +
+      real +
+      "). Allowed roots: " +
+      allowedRoots.join(", "),
+  );
+}
+
+var safePath_1 = {
+  safePath: safePath$2,
+  getAllowedRoots: getAllowedRoots$2,
+};
+
 /**
  * safeJsExecutor.js
  *
@@ -2337,11 +2510,12 @@ var fs$a = require$$0$2;
 const path$f = require$$1$2;
 const events$5 = events$8;
 const { getFileContents: getFileContents$5, writeToFile: writeToFile$2 } = file;
+const { safePath: safePath$1, getAllowedRoots: getAllowedRoots$1 } = safePath_1;
 
 // Convert Json to Csv
-const ObjectsToCsv = require$$5$1;
+const ObjectsToCsv = require$$6$1;
 const Transform = transform;
-const https$3 = require$$7;
+const https$3 = require$$8$1;
 const appName$5 = "Dashboard";
 
 const dataController$1 = {
@@ -2355,14 +2529,25 @@ const dataController$1 = {
    */
   convertJsonToCsvFile: (win, appId, jsonObject, toFilename = "test.csv") => {
     try {
-      // filename to the pages file (live pages)
-      const filename = path$f.join(
+      // Validate the renderer-supplied filename is contained within
+      // the data directory. path.join doesn't reject `..` segments;
+      // safePath does.
+      const candidate = path$f.join(
         app$8.getPath("userData"),
         appName$5,
         appId,
         "data",
         toFilename,
       );
+      let filename;
+      try {
+        filename = safePath$1(candidate, getAllowedRoots$1("data"));
+      } catch (pathErr) {
+        win.webContents.send(events$5.DATA_JSON_TO_CSV_FILE_ERROR, {
+          error: pathErr.message,
+        });
+        return;
+      }
 
       // make sure the file exists...
       const fileContents = getFileContents$5(filename, "");
@@ -2420,8 +2605,17 @@ const dataController$1 = {
 
   readLinesFromFile: (win, filepath, lineCount) => {
     try {
+      let validated;
+      try {
+        validated = safePath$1(filepath, getAllowedRoots$1("data"));
+      } catch (pathErr) {
+        win.webContents.send(events$5.READ_LINES_ERROR, {
+          error: pathErr.message,
+        });
+        return;
+      }
       const t = new Transform();
-      t.readLinesFromFile(win, filepath, lineCount, events$5.READ_LINES_UPDATE)
+      t.readLinesFromFile(win, validated, lineCount, events$5.READ_LINES_UPDATE)
         .then((res) => {
           win.webContents.send(events$5.READ_LINES_COMPLETE, {
             success: true,
@@ -2445,9 +2639,18 @@ const dataController$1 = {
 
   readJSONFromFile: (win, filepath, objectCount = null) => {
     try {
-      console.log("reading json from file ", filepath, objectCount);
+      let validated;
+      try {
+        validated = safePath$1(filepath, getAllowedRoots$1("data"));
+      } catch (pathErr) {
+        win.webContents.send(events$5.READ_JSON_ERROR, {
+          error: pathErr.message,
+        });
+        return;
+      }
+      console.log("reading json from file ", validated, objectCount);
       const t = new Transform();
-      t.readJSONFromFile(win, filepath, objectCount, events$5.READ_JSON_UPDATE)
+      t.readJSONFromFile(win, validated, objectCount, events$5.READ_JSON_UPDATE)
         .then((res) => {
           win.webContents.send(events$5.READ_JSON_COMPLETE, {
             success: true,
@@ -2483,14 +2686,10 @@ const dataController$1 = {
         );
       }
 
-      // Validate toFilepath is within the app data directory
-      const appDataDir = path$f.join(app$8.getPath("userData"), appName$5);
-      const resolvedFilepath = path$f.resolve(toFilepath);
-      if (!resolvedFilepath.startsWith(appDataDir + path$f.sep)) {
-        throw new Error(
-          "File path must be within the application data directory",
-        );
-      }
+      // Validate toFilepath is within the app data directory.
+      // safePath replaces the previous inline check; same containment
+      // intent, plus realpath/symlink protection.
+      const resolvedFilepath = safePath$1(toFilepath, getAllowedRoots$1("data"));
 
       const writeStream = fs$a.createWriteStream(resolvedFilepath);
 
@@ -2537,10 +2736,21 @@ const dataController$1 = {
     objectIdKey = null,
   ) => {
     try {
+      let validatedIn, validatedOut;
+      try {
+        const roots = getAllowedRoots$1("data");
+        validatedIn = safePath$1(filepath, roots);
+        validatedOut = safePath$1(outpath, roots);
+      } catch (pathErr) {
+        win.webContents.send(events$5.PARSE_XML_STREAM_ERROR, {
+          error: pathErr.message,
+        });
+        return;
+      }
       const t = new Transform();
       t.parseXMLStream(
-        filepath,
-        outpath,
+        validatedIn,
+        validatedOut,
         start,
         // recordNode,
         // objectIdKey,
@@ -2586,10 +2796,21 @@ const dataController$1 = {
     limit = null,
   ) => {
     try {
+      let validatedIn, validatedOut;
+      try {
+        const roots = getAllowedRoots$1("data");
+        validatedIn = safePath$1(filepath, roots);
+        validatedOut = safePath$1(outpath, roots);
+      } catch (pathErr) {
+        win.webContents.send(events$5.PARSE_CSV_STREAM_ERROR, {
+          error: pathErr.message,
+        });
+        return;
+      }
       const t = new Transform();
       t.parseCSVStream(
-        filepath,
-        outpath,
+        validatedIn,
+        validatedOut,
         delimiter,
         objectIdKey,
         headers,
@@ -2632,13 +2853,25 @@ const dataController$1 = {
   saveToFile: (win, data, filename, append, returnEmpty = {}) => {
     try {
       if (data) {
-        // filename to the pages file (live pages)
-        const toFilename = path$f.join(
+        // Validate filename is contained within the data directory.
+        // path.join doesn't reject `..` segments; safePath does.
+        const candidate = path$f.join(
           app$8.getPath("userData"),
           appName$5,
           "data",
           filename,
         );
+        let toFilename;
+        try {
+          toFilename = safePath$1(candidate, getAllowedRoots$1("data"));
+        } catch (pathErr) {
+          win.webContents.send(events$5.DATA_SAVE_TO_FILE_ERROR, {
+            success: false,
+            filename,
+            message: pathErr.message,
+          });
+          return;
+        }
 
         //console.log("saving to file ", toFilename);
 
@@ -21078,7 +21311,7 @@ function getShellPath$1() {
     return _shellPath$1;
   }
 
-  const { execSync } = require$$7$1;
+  const { execSync } = require$$7;
   const fallbackDirs = ["/usr/local/bin", "/opt/homebrew/bin"];
 
   // Scan nvm versions, tracking both latest and best compatible version
@@ -21258,7 +21491,7 @@ async function refreshGoogleOAuthToken(tokenRefresh) {
 
   console.log("[mcpController] Refreshing Google OAuth token...");
 
-  const https = require$$7;
+  const https = require$$8$1;
   const postData = [
     `client_id=${encodeURIComponent(keyData.client_id)}`,
     `client_secret=${encodeURIComponent(keyData.client_secret)}`,
@@ -21951,7 +22184,7 @@ const mcpController$3 = {
    * @returns {{ success } | { error, message }}
    */
   runAuth: async (win, mcpConfig, credentials, authCommand) => {
-    const { spawn } = require$$7$1;
+    const { spawn } = require$$7;
 
     const env = cleanEnvForChildProcess();
 
@@ -25973,6 +26206,7 @@ const algoliasearch = require$$2$3;
 const events$3 = events$8;
 const AlgoliaIndex = algolia;
 var fs$3 = require$$0$2;
+const { safePath, getAllowedRoots } = safePath_1;
 
 const algoliaController$1 = {
   /**
@@ -26129,10 +26363,19 @@ const algoliaController$1 = {
     createIfNotExists = false,
   ) {
     try {
+      let validatedDir;
+      try {
+        validatedDir = safePath(dir, getAllowedRoots("data"));
+      } catch (pathErr) {
+        win.webContents.send(events$3.ALGOLIA_PARTIAL_UPDATE_OBJECTS_ERROR, {
+          error: pathErr.message,
+        });
+        return;
+      }
       const a = new AlgoliaIndex(appId, apiKey, indexName);
       // now we can make the call to the utility and we are passing in the createIfNotExists FALSE by default
       a.partialUpdateObjectsFromDirectorySync(
-        dir,
+        validatedDir,
         createIfNotExists,
         (data) => {
           win.webContents.send(
@@ -26172,10 +26415,21 @@ const algoliaController$1 = {
     batchSize = 500,
   ) => {
     try {
+      let validatedIn, validatedOut;
+      try {
+        const roots = getAllowedRoots("data");
+        validatedIn = safePath(filepath, roots);
+        validatedOut = safePath(batchFilepath, roots);
+      } catch (pathErr) {
+        win.webContents.send(events$3.ALGOLIA_CREATE_BATCH_ERROR, {
+          error: pathErr.message,
+        });
+        return;
+      }
       const a = new AlgoliaIndex();
       a.createBatchesFromJSONFile(
-        filepath,
-        batchFilepath,
+        validatedIn,
+        validatedOut,
         batchSize,
         (data) => {
           win.webContents.send(events$3.ALGOLIA_CREATE_BATCH_UPDATE, data);
@@ -43641,7 +43895,7 @@ const completable_js_1 = completable;
 const uriTemplate_js_1 = uriTemplate;
 const toolNameValidation_js_1 = toolNameValidation;
 const mcp_server_js_1 = mcpServer$1;
-const zod_1 = require$$8$1;
+const zod_1 = require$$8$2;
 /**
  * High-level MCP server that provides a simpler API for working with resources, tools, and prompts.
  * For advanced usage (like sending notifications or setting custom request handlers), use the underlying
@@ -46274,7 +46528,7 @@ var tlsCert = { getOrCreateCert: getOrCreateCert$1 };
  * for Zod schemas in tool input validation (safeParseAsync).
  */
 
-const z$1 = require$$8$1;
+const z$1 = require$$8$2;
 
 /**
  * Convert a JSON Schema property definition to a Zod v3 schema.
@@ -46367,7 +46621,7 @@ var jsonSchemaToZod_1 = { jsonSchemaToZod: jsonSchemaToZod$1, jsonSchemaProperty
  *   - Rate limiting via token bucket (60 req/min)
  */
 
-const https$1 = require$$7;
+const https$1 = require$$8$1;
 const { randomUUID } = require$$3$4;
 const { BrowserWindow: BrowserWindow$1 } = require$$0$1;
 const { McpServer } = mcp;
@@ -46498,7 +46752,7 @@ function registerPrompt$1(promptDef) {
   registeredPrompts.push(promptDef);
 }
 
-const z = require$$8$1;
+const z = require$$8$2;
 const { jsonSchemaToZod } = jsonSchemaToZod_1;
 
 /**
@@ -46879,7 +47133,7 @@ var mcpDashServerController_1 = mcpDashServerController$4;
  * can use the Chat widget without a separate API key.
  */
 
-const { spawn, execSync } = require$$7$1;
+const { spawn, execSync } = require$$7;
 const {
   LLM_STREAM_DELTA: LLM_STREAM_DELTA$2,
   LLM_STREAM_TOOL_CALL: LLM_STREAM_TOOL_CALL$2,
@@ -48176,7 +48430,7 @@ var themeFromUrlErrors$1 = {
 
 const css = require$$0$8;
 const { Vibrant } = require$$1$7;
-const https = require$$7;
+const https = require$$8$1;
 const http = require$$0$7;
 const { URL: URL$1 } = require$$4$1;
 const {