@vellumai/credential-executor 0.4.55 → 0.4.56

package/src/__tests__/toolstore.test.ts

@@ -1,7 +1,8 @@
 import { describe, expect, test, beforeEach, afterEach } from "bun:test";
-import { mkdirSync, rmSync, existsSync, readFileSync } from "node:fs";
+import { mkdirSync, rmSync, existsSync, readFileSync, writeFileSync, symlinkSync } from "node:fs";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
+import { randomUUID } from "node:crypto";
 
 import {
   type SecureCommandManifest,
@@ -26,20 +27,73 @@ import {
 // Test fixtures
 // ---------------------------------------------------------------------------
 
-/** Sample bundle bytes (just some arbitrary content for testing). */
-const SAMPLE_BUNDLE_BYTES = Buffer.from(
-  "#!/usr/bin/env bash\necho hello\n",
-  "utf-8",
-);
+/**
+ * Create a tar.gz archive containing a shell script at the given entrypoint path.
+ * Returns the archive bytes.
+ */
+function createTestArchive(
+  entrypoint: string,
+  scriptContent = "#!/usr/bin/env bash\necho hello\n",
+): Buffer {
+  const stagingDir = join(tmpdir(), `ces-test-archive-${randomUUID()}`);
+  try {
+    const entrypointPath = join(stagingDir, entrypoint);
+    mkdirSync(join(stagingDir, entrypoint, ".."), { recursive: true });
+    writeFileSync(entrypointPath, scriptContent, { mode: 0o755 });
+
+    const archivePath = join(stagingDir, "bundle.tar.gz");
+    const proc = Bun.spawnSync(
+      ["tar", "czf", archivePath, "-C", stagingDir, entrypoint],
+      { stdout: "pipe", stderr: "pipe" },
+    );
+    if (proc.exitCode !== 0) {
+      throw new Error(`Failed to create test archive: ${new TextDecoder().decode(proc.stderr).trim()}`);
+    }
+    return Buffer.from(readFileSync(archivePath));
+  } finally {
+    try { rmSync(stagingDir, { recursive: true, force: true }); } catch { /* best effort */ }
+  }
+}
+
+/**
+ * Create a tar.gz archive containing a symlink entrypoint that points to an external path.
+ * This simulates a malicious bundle that attempts symlink escape.
+ */
+function createSymlinkArchive(
+  entrypoint: string,
+  symlinkTarget: string,
+): Buffer {
+  const stagingDir = join(tmpdir(), `ces-test-symlink-archive-${randomUUID()}`);
+  try {
+    const entrypointPath = join(stagingDir, entrypoint);
+    mkdirSync(join(stagingDir, entrypoint, ".."), { recursive: true });
+    // Create a symlink at the entrypoint path pointing to the external target
+    symlinkSync(symlinkTarget, entrypointPath);
+
+    const archivePath = join(stagingDir, "bundle.tar.gz");
+    // Use -h flag to follow symlinks during archive creation would defeat the
+    // purpose; instead we archive the symlink itself using default tar behavior
+    const proc = Bun.spawnSync(
+      ["tar", "czf", archivePath, "-C", stagingDir, entrypoint],
+      { stdout: "pipe", stderr: "pipe" },
+    );
+    if (proc.exitCode !== 0) {
+      throw new Error(`Failed to create symlink test archive: ${new TextDecoder().decode(proc.stderr).trim()}`);
+    }
+    return Buffer.from(readFileSync(archivePath));
+  } finally {
+    try { rmSync(stagingDir, { recursive: true, force: true }); } catch { /* best effort */ }
+  }
+}
+
+/** Sample bundle bytes as a valid tar.gz archive containing bin/test-cli. */
+const SAMPLE_BUNDLE_BYTES = createTestArchive("bin/test-cli");
 
 /** The correct SHA-256 digest of SAMPLE_BUNDLE_BYTES. */
 const SAMPLE_BUNDLE_DIGEST = computeDigest(SAMPLE_BUNDLE_BYTES);
 
-/** A different set of bytes to test digest mismatches. */
-const TAMPERED_BUNDLE_BYTES = Buffer.from(
-  "#!/usr/bin/env bash\nrm -rf /\n",
-  "utf-8",
-);
+/** A different archive to test digest mismatches. */
+const TAMPERED_BUNDLE_BYTES = createTestArchive("bin/test-cli", "#!/usr/bin/env bash\nrm -rf /\n");
 
 /**
  * Build a minimal valid SecureCommandManifest for testing.
@@ -299,7 +353,6 @@ describe("publishBundle — digest mismatch rejection", () => {
   });
 
   test("no files are written when digest mismatches", () => {
-    const wrongDigest = computeDigest(TAMPERED_BUNDLE_BYTES);
     publishBundle(
       buildPublishRequest({
         bundleBytes: TAMPERED_BUNDLE_BYTES,
@@ -351,15 +404,20 @@ describe("publishBundle — immutable and deduplicated by digest", () => {
     expect(second.bundlePath).toBe(first.bundlePath);
   });
 
-  test("published bundle content is readable and matches original bytes", () => {
+  test("published bundle contains extracted entrypoint (not raw archive)", () => {
     const result = publishBundle(buildPublishRequest());
     expect(result.success).toBe(true);
 
+    // After extraction, bundle.bin is removed and replaced by extracted contents
     const bundleContentPath = join(result.bundlePath, "bundle.bin");
-    expect(existsSync(bundleContentPath)).toBe(true);
+    expect(existsSync(bundleContentPath)).toBe(false);
+
+    // The entrypoint should exist and be executable
+    const entrypointPath = join(result.bundlePath, "bin", "test-cli");
+    expect(existsSync(entrypointPath)).toBe(true);
 
-    const readBack = readFileSync(bundleContentPath);
-    expect(Buffer.compare(readBack, SAMPLE_BUNDLE_BYTES)).toBe(0);
+    const content = readFileSync(entrypointPath, "utf-8");
+    expect(content).toContain("echo hello");
   });
 
   test("published manifest is readable and has correct fields", () => {
@@ -391,8 +449,8 @@ describe("publishBundle — immutable and deduplicated by digest", () => {
     const firstResult = publishBundle(buildPublishRequest());
     expect(firstResult.success).toBe(true);
 
-    // Publish a second, different bundle
-    const otherBytes = Buffer.from("#!/usr/bin/env bash\necho other\n", "utf-8");
+    // Publish a second, different bundle (real tar.gz archive)
+    const otherBytes = createTestArchive("bin/test-cli", "#!/usr/bin/env bash\necho other\n");
     const otherDigest = computeDigest(otherBytes);
     const otherManifest = buildSecureManifest({
       bundleDigest: otherDigest,
@@ -537,3 +595,134 @@ describe("publishBundle — manifest validation", () => {
     expect(result.error).toContain("Invalid secure command manifest");
   });
 });
+
+// ---------------------------------------------------------------------------
+// Publisher: symlink escape prevention
+// ---------------------------------------------------------------------------
+
+describe("publishBundle — symlink escape prevention", () => {
+  test("rejects bundle with symlink entrypoint pointing outside bundle", () => {
+    // Create a tar.gz with a symlink entrypoint: bin/test-cli -> /usr/bin/curl
+    const symlinkBytes = createSymlinkArchive("bin/test-cli", "/usr/bin/curl");
+    const symlinkDigest = computeDigest(symlinkBytes);
+
+    const manifest = buildSecureManifest({
+      bundleDigest: symlinkDigest,
+    });
+
+    const result = publishBundle({
+      bundleBytes: symlinkBytes,
+      expectedDigest: symlinkDigest,
+      bundleId: "test-cli",
+      version: "1.0.0",
+      sourceUrl: "https://releases.example.com/test-cli/v1.0.0/bundle.tar.gz",
+      secureCommandManifest: manifest,
+    });
+
+    expect(result.success).toBe(false);
+    expect(result.error).toContain("symlink");
+  });
+
+  test("rejects bundle with non-entrypoint symlink pointing outside bundle", () => {
+    // Create an archive where a non-entrypoint file is a symlink to an external path.
+    // The entrypoint itself is a real file, but the bundle contains a sneaky symlink.
+    const stagingDir = join(tmpdir(), `ces-test-mixed-symlink-${randomUUID()}`);
+    try {
+      // Create a real entrypoint
+      const entrypointPath = join(stagingDir, "bin/test-cli");
+      mkdirSync(join(stagingDir, "bin"), { recursive: true });
+      writeFileSync(entrypointPath, "#!/usr/bin/env bash\necho hello\n", { mode: 0o755 });
+
+      // Create a symlink that escapes
+      symlinkSync("/etc/passwd", join(stagingDir, "bin/evil-link"));
+
+      const archivePath = join(stagingDir, "bundle.tar.gz");
+      const proc = Bun.spawnSync(
+        ["tar", "czf", archivePath, "-C", stagingDir, "bin"],
+        { stdout: "pipe", stderr: "pipe" },
+      );
+      expect(proc.exitCode).toBe(0);
+
+      const bundleBytes = Buffer.from(readFileSync(archivePath));
+      const digest = computeDigest(bundleBytes);
+
+      const manifest = buildSecureManifest({
+        bundleDigest: digest,
+      });
+
+      const result = publishBundle({
+        bundleBytes,
+        expectedDigest: digest,
+        bundleId: "test-cli",
+        version: "1.0.0",
+        sourceUrl: "https://releases.example.com/test-cli/v1.0.0/bundle.tar.gz",
+        secureCommandManifest: manifest,
+      });
+
+      expect(result.success).toBe(false);
+      expect(result.error).toContain("symlink");
+      expect(result.error).toContain("outside the bundle directory");
+    } finally {
+      try { rmSync(stagingDir, { recursive: true, force: true }); } catch { /* best effort */ }
+    }
+  });
+
+  test("accepts bundle with internal symlinks (not escaping)", () => {
+    // Create an archive with a symlink that points within the bundle
+    const stagingDir = join(tmpdir(), `ces-test-internal-symlink-${randomUUID()}`);
+    try {
+      mkdirSync(join(stagingDir, "bin"), { recursive: true });
+      writeFileSync(join(stagingDir, "bin/test-cli"), "#!/usr/bin/env bash\necho hello\n", { mode: 0o755 });
+      // Create a symlink within the bundle: bin/alias -> test-cli (relative)
+      symlinkSync("test-cli", join(stagingDir, "bin/alias"));
+
+      const archivePath = join(stagingDir, "bundle.tar.gz");
+      const proc = Bun.spawnSync(
+        ["tar", "czf", archivePath, "-C", stagingDir, "bin"],
+        { stdout: "pipe", stderr: "pipe" },
+      );
+      expect(proc.exitCode).toBe(0);
+
+      const bundleBytes = Buffer.from(readFileSync(archivePath));
+      const digest = computeDigest(bundleBytes);
+
+      const manifest = buildSecureManifest({
+        bundleDigest: digest,
+      });
+
+      const result = publishBundle({
+        bundleBytes,
+        expectedDigest: digest,
+        bundleId: "test-cli",
+        version: "1.0.0",
+        sourceUrl: "https://releases.example.com/test-cli/v1.0.0/bundle.tar.gz",
+        secureCommandManifest: manifest,
+      });
+
+      expect(result.success).toBe(true);
+    } finally {
+      try { rmSync(stagingDir, { recursive: true, force: true }); } catch { /* best effort */ }
+    }
+  });
+
+  test("no files are left in toolstore when symlink escape is detected", () => {
+    const symlinkBytes = createSymlinkArchive("bin/test-cli", "/usr/bin/curl");
+    const symlinkDigest = computeDigest(symlinkBytes);
+
+    const manifest = buildSecureManifest({
+      bundleDigest: symlinkDigest,
+    });
+
+    publishBundle({
+      bundleBytes: symlinkBytes,
+      expectedDigest: symlinkDigest,
+      bundleId: "test-cli",
+      version: "1.0.0",
+      sourceUrl: "https://releases.example.com/test-cli/v1.0.0/bundle.tar.gz",
+      secureCommandManifest: manifest,
+    });
+
+    // The bundle should not be published
+    expect(isBundlePublished(symlinkDigest)).toBe(false);
+  });
+});

package/src/__tests__/transport.test.ts

@@ -163,12 +163,12 @@ describe("health probes", () => {
     expect(src).toMatch(/startHealthServer\(healthPort/);
   });
 
-  test("getHealthPort defaults to 7841", () => {
+  test("getHealthPort defaults to 8090", () => {
     // Save and clear env
     const saved = process.env["CES_HEALTH_PORT"];
     delete process.env["CES_HEALTH_PORT"];
     try {
-      expect(getHealthPort()).toBe(7841);
+      expect(getHealthPort()).toBe(8090);
     } finally {
       if (saved !== undefined) process.env["CES_HEALTH_PORT"] = saved;
     }
@@ -351,8 +351,28 @@ describe("CES data paths", () => {
     expect(root).toMatch(/protected[/\\]credential-executor$/);
   });
 
-  test("managed mode data root is /ces-data", () => {
-    expect(getCesDataRoot("managed")).toBe("/ces-data");
+  test("managed mode data root defaults to /ces-data", () => {
+    const savedDir = process.env["CES_DATA_DIR"];
+    delete process.env["CES_DATA_DIR"];
+    try {
+      expect(getCesDataRoot("managed")).toBe("/ces-data");
+    } finally {
+      if (savedDir !== undefined) process.env["CES_DATA_DIR"] = savedDir;
+    }
+  });
+
+  test("managed mode data root respects CES_DATA_DIR env var", () => {
+    const savedDir = process.env["CES_DATA_DIR"];
+    process.env["CES_DATA_DIR"] = "/custom/ces-data";
+    try {
+      expect(getCesDataRoot("managed")).toBe("/custom/ces-data");
+    } finally {
+      if (savedDir !== undefined) {
+        process.env["CES_DATA_DIR"] = savedDir;
+      } else {
+        delete process.env["CES_DATA_DIR"];
+      }
+    }
   });
 
   test("local data root is under the Vellum root, not the workspace", () => {
@@ -362,11 +382,11 @@ describe("CES data paths", () => {
     expect(root).not.toMatch(/workspace/);
   });
 
-  test("getBootstrapSocketPath defaults to /run/ces/ces.sock", () => {
+  test("getBootstrapSocketPath defaults to /run/ces-bootstrap/ces.sock", () => {
     const saved = process.env["CES_BOOTSTRAP_SOCKET"];
     delete process.env["CES_BOOTSTRAP_SOCKET"];
     try {
-      expect(getBootstrapSocketPath()).toBe("/run/ces/ces.sock");
+      expect(getBootstrapSocketPath()).toBe("/run/ces-bootstrap/ces.sock");
     } finally {
       if (saved !== undefined) process.env["CES_BOOTSTRAP_SOCKET"] = saved;
     }

package/src/commands/auth-adapters.ts

@@ -143,10 +143,10 @@ export function validateAuthAdapterConfig(
     case AuthAdapterType.TempFile:
       if (
         config.fileMode !== undefined &&
-        config.fileMode > 0o600
+        (config.fileMode > 0o600 || (config.fileMode & 0o077) !== 0)
       ) {
         errors.push(
-          `temp_file adapter fileMode must be <= 0600 (owner-only), got ${config.fileMode.toString(8)}`,
+          `temp_file adapter fileMode must be <= 0600 (owner-only) with no group/other bits, got ${config.fileMode.toString(8)}`,
         );
       }
       break;

package/src/commands/egress-hooks.ts

@@ -0,0 +1,203 @@
+/**
+ * CES egress proxy hooks.
+ *
+ * Provides a lightweight `SessionStartHooks` implementation for the
+ * credential execution service. Unlike the assistant's session-manager
+ * (which wires credential resolution, MITM interception, and policy
+ * decisions), CES only needs to enforce the manifest's
+ * `allowedNetworkTargets` allowlist. No credential injection or CA
+ * setup happens at the proxy layer — CES injects credentials through
+ * auth adapters in the command environment.
+ *
+ * The proxy server is a plain HTTP CONNECT proxy that:
+ * - Allows connections matching the session's `allowedTargets` (host, port, protocol)
+ * - Blocks all other outbound connections
+ */
+
+import { request as httpRequest, createServer, type IncomingMessage, type ServerResponse } from "node:http";
+import { request as httpsRequest } from "node:https";
+import { connect, type Socket } from "node:net";
+
+import type { AllowedTarget, ManagedSession, SessionStartHooks } from "@vellumai/egress-proxy";
+
+// ---------------------------------------------------------------------------
+// Host-pattern matching
+// ---------------------------------------------------------------------------
+
+/**
+ * Match a hostname against a glob pattern.
+ *
+ * Supported patterns:
+ * - Exact match: `"api.github.com"` matches `"api.github.com"`
+ * - Wildcard subdomain: `"*.github.com"` matches `"api.github.com"`,
+ *   `"foo.bar.github.com"`, and also `"github.com"` (apex)
+ *
+ * Note: `"*"` (match-everything) is intentionally NOT supported. The
+ * manifest validator rejects overbroad patterns at registration time.
+ */
+function matchesHostPattern(hostname: string, pattern: string): boolean {
+  if (pattern === hostname) return true;
+  if (pattern.startsWith("*.")) {
+    const suffix = pattern.slice(1); // e.g. ".github.com"
+    const apex = pattern.slice(2);   // e.g. "github.com"
+    return hostname.endsWith(suffix) || hostname === apex;
+  }
+  return false;
+}
+
+/**
+ * Check if a request target is allowed by any of the provided allowed targets.
+ *
+ * Validates host, port, and protocol against each allowed target entry.
+ * - Host must match the glob pattern.
+ * - If the target specifies `ports`, the request port must be in the list.
+ * - If the target specifies `protocols`, the request protocol must be in the list.
+ */
+function isTargetAllowed(
+  hostname: string,
+  port: number,
+  protocol: "http" | "https",
+  allowedTargets: AllowedTarget[],
+): boolean {
+  for (const target of allowedTargets) {
+    if (!matchesHostPattern(hostname, target.host)) continue;
+    if (target.ports && target.ports.length > 0 && !target.ports.includes(port)) continue;
+    if (target.protocols && target.protocols.length > 0 && !target.protocols.includes(protocol)) continue;
+    return true;
+  }
+  return false;
+}
+
+// ---------------------------------------------------------------------------
+// CONNECT tunnel handler
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse a CONNECT target of the form `host:port`.
+ */
+function parseConnectTarget(
+  url: string | undefined,
+): { host: string; port: number } | null {
+  if (!url) return null;
+  const colonIdx = url.lastIndexOf(":");
+  if (colonIdx <= 0) return null;
+  let host = url.slice(0, colonIdx);
+  const portStr = url.slice(colonIdx + 1);
+  if (!host || !portStr) return null;
+  const port = Number(portStr);
+  if (!Number.isInteger(port) || port < 1 || port > 65535) return null;
+  if (host.startsWith("[") && host.endsWith("]")) {
+    host = host.slice(1, -1);
+    if (!host) return null;
+  }
+  return { host, port };
+}
+
+// ---------------------------------------------------------------------------
+// Hooks factory
+// ---------------------------------------------------------------------------
+
+/**
+ * Build `SessionStartHooks` for CES egress enforcement.
+ *
+ * The created proxy server enforces the `allowedTargets` from the
+ * session's config. If no `allowedTargets` are configured, all
+ * connections are blocked (fail-closed).
+ */
+export function buildCesEgressHooks(): SessionStartHooks {
+  return {
+    // No CA setup needed — CES does not do MITM interception
+    createServer: async (managed: ManagedSession) => {
+      const allowedTargets = managed.config.allowedTargets ?? [];
+
+      const server = createServer((req: IncomingMessage, res: ServerResponse) => {
+        // Plain HTTP proxy requests — parse the absolute URL and check host/port/protocol
+        if (req.url && req.method) {
+          try {
+            const target = new URL(req.url);
+            const protocol = target.protocol === "https:" ? "https" : "http" as const;
+            const port = target.port
+              ? Number(target.port)
+              : protocol === "https" ? 443 : 80;
+            if (!isTargetAllowed(target.hostname, port, protocol, allowedTargets)) {
+              res.writeHead(403, { "Content-Type": "text/plain" });
+              res.end(`Blocked by CES egress policy: ${target.hostname}:${port} (${protocol}) is not in the allowed targets list`);
+              return;
+            }
+
+            // Forward the request using the appropriate protocol
+            const doRequest = target.protocol === "https:" ? httpsRequest : httpRequest;
+            const proxyReq = doRequest(
+              req.url,
+              {
+                method: req.method,
+                headers: { ...req.headers, host: target.host },
+              },
+              (proxyRes) => {
+                res.writeHead(proxyRes.statusCode ?? 502, proxyRes.headers);
+                proxyRes.pipe(res);
+              },
+            );
+
+            proxyReq.on("error", () => {
+              if (!res.headersSent) {
+                res.writeHead(502, { "Content-Type": "text/plain" });
+              }
+              res.end("Proxy connection error");
+            });
+
+            req.pipe(proxyReq);
+          } catch {
+            res.writeHead(400, { "Content-Type": "text/plain" });
+            res.end("Bad request");
+          }
+          return;
+        }
+
+        res.writeHead(400, { "Content-Type": "text/plain" });
+        res.end("Bad request");
+      });
+
+      // Handle CONNECT for HTTPS tunnelling
+      server.on("connect", (req: IncomingMessage, clientSocket: Socket, head: Buffer) => {
+        const target = parseConnectTarget(req.url);
+        if (!target) {
+          clientSocket.write("HTTP/1.1 400 Bad Request\r\n\r\n");
+          clientSocket.destroy();
+          return;
+        }
+
+        // CONNECT is used for HTTPS tunnelling — assume "https" protocol
+        if (!isTargetAllowed(target.host, target.port, "https", allowedTargets)) {
+          clientSocket.write(
+            "HTTP/1.1 403 Forbidden\r\n" +
+            "Content-Type: text/plain\r\n\r\n" +
+            `Blocked by CES egress policy: ${target.host}:${target.port} (https) is not in the allowed targets list`,
+          );
+          clientSocket.destroy();
+          return;
+        }
+
+        // Tunnel to the allowed target
+        const upstream = connect(target.port, target.host, () => {
+          clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
+          if (head.length > 0) {
+            upstream.write(head);
+          }
+          upstream.pipe(clientSocket);
+          clientSocket.pipe(upstream);
+        });
+
+        upstream.on("error", () => {
+          clientSocket.destroy();
+        });
+
+        clientSocket.on("error", () => {
+          upstream.destroy();
+        });
+      });
+
+      return server;
+    },
+  };
+}