@vibecheckai/cli 3.3.0 → 3.5.0

package/bin/runners/lib/firewall/path-validator.js

@@ -0,0 +1,256 @@
+/**
+ * Path Validator
+ * 
+ * Validates file paths against:
+ * - Forbidden paths (secrets, configs, credentials)
+ * - Allowed paths (source directories)
+ * - Scope violations (writing outside allowed areas)
+ * 
+ * Uses glob pattern matching for flexible path rules.
+ */
+
+"use strict";
+
+const path = require("path");
+
+/**
+ * PathValidator class for validating file paths
+ */
+class PathValidator {
+  /**
+   * Create a path validator
+   * @param {object} config - Firewall configuration
+   */
+  constructor(config) {
+    this.config = config;
+    
+    // Extract path configuration
+    const paths = config.paths || {};
+    this.forbiddenPaths = paths.forbidden || [];
+    this.allowedPaths = paths.allowed || [];
+    this.enforceAllowList = paths.enforceAllowList || false;
+    
+    // Compile patterns for performance
+    this.forbiddenPatterns = this.forbiddenPaths.map(p => this.compilePattern(p));
+    this.allowedPatterns = this.allowedPaths.map(p => this.compilePattern(p));
+  }
+  
+  /**
+   * Compile a glob pattern to regex
+   * @param {string} pattern - Glob pattern
+   * @returns {RegExp} Compiled regex
+   */
+  compilePattern(pattern) {
+    // Escape special regex characters except glob wildcards
+    let regex = pattern
+      .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+      .replace(/\*\*/g, '{{GLOBSTAR}}')
+      .replace(/\*/g, '[^/]*')
+      .replace(/{{GLOBSTAR}}/g, '.*')
+      .replace(/\?/g, '.');
+    
+    return new RegExp(`^${regex}$`, 'i');
+  }
+  
+  /**
+   * Check if path matches a pattern
+   * @param {string} filePath - Path to check
+   * @param {string} pattern - Glob pattern
+   * @returns {boolean} True if matches
+   */
+  matches(filePath, pattern) {
+    const regex = this.compilePattern(pattern);
+    
+    // Normalize path separators
+    const normalizedPath = filePath.replace(/\\/g, '/');
+    
+    // Check both full path and basename
+    return regex.test(normalizedPath) || regex.test(path.basename(normalizedPath));
+  }
+  
+  /**
+   * Check if path matches any pattern in list
+   * @param {string} filePath - Path to check
+   * @param {string[]} patterns - List of patterns
+   * @returns {string|null} Matching pattern or null
+   */
+  matchesAny(filePath, patterns) {
+    const normalizedPath = filePath.replace(/\\/g, '/');
+    
+    for (const pattern of patterns) {
+      if (this.matches(normalizedPath, pattern)) {
+        return pattern;
+      }
+    }
+    
+    return null;
+  }
+  
+  /**
+   * Validate a file path
+   * @param {object} params - Validation parameters
+   * @param {string} params.action - Action type (write, delete, execute)
+   * @param {string} params.path - File path to validate
+   * @returns {object} Validation result
+   */
+  validate({ action, path: filePath }) {
+    // Skip if no path provided
+    if (!filePath) {
+      return { valid: true };
+    }
+    
+    // Normalize path
+    const normalizedPath = filePath.replace(/\\/g, '/');
+    
+    // Check forbidden paths
+    const forbiddenMatch = this.matchesAny(normalizedPath, this.forbiddenPaths);
+    if (forbiddenMatch) {
+      return {
+        valid: false,
+        rule: "forbidden-path",
+        severity: "critical",
+        message: `Path "${filePath}" matches forbidden pattern "${forbiddenMatch}"`,
+        details: {
+          path: filePath,
+          pattern: forbiddenMatch,
+          reason: this.getForbiddenReason(forbiddenMatch),
+        },
+      };
+    }
+    
+    // Check allowed paths if enforcing allow list
+    if (this.enforceAllowList && this.allowedPaths.length > 0) {
+      const allowedMatch = this.matchesAny(normalizedPath, this.allowedPaths);
+      if (!allowedMatch) {
+        return {
+          valid: false,
+          rule: "scope-violation",
+          severity: "high",
+          message: `Path "${filePath}" is outside allowed scope`,
+          details: {
+            path: filePath,
+            allowedPaths: this.allowedPaths,
+            suggestion: "Add the path to 'paths.allowed' in firewall config or move file to allowed directory",
+          },
+        };
+      }
+    }
+    
+    // Check for sensitive patterns even if not in forbidden list
+    const sensitiveCheck = this.checkSensitivePatterns(normalizedPath);
+    if (sensitiveCheck) {
+      return sensitiveCheck;
+    }
+    
+    return { valid: true };
+  }
+  
+  /**
+   * Get reason why a path is forbidden
+   * @param {string} pattern - Forbidden pattern
+   * @returns {string} Human-readable reason
+   */
+  getForbiddenReason(pattern) {
+    const reasons = {
+      ".env": "Environment files may contain secrets",
+      ".env.*": "Environment files may contain secrets",
+      "*.pem": "Certificate files are sensitive",
+      "*.key": "Private key files are sensitive",
+      "secrets/**": "Secrets directory is protected",
+      ".git/**": "Git internals should not be modified",
+      "package-lock.json": "Lock files should be managed by package manager",
+      "config/production.*": "Production config may contain secrets",
+    };
+    
+    for (const [key, reason] of Object.entries(reasons)) {
+      if (pattern.includes(key) || key.includes(pattern)) {
+        return reason;
+      }
+    }
+    
+    return "Path matches forbidden pattern";
+  }
+  
+  /**
+   * Check for sensitive patterns that might indicate credentials
+   * @param {string} filePath - Path to check
+   * @returns {object|null} Violation if found
+   */
+  checkSensitivePatterns(filePath) {
+    const sensitivePatterns = [
+      { pattern: /credentials?/i, name: "credentials" },
+      { pattern: /secrets?/i, name: "secrets" },
+      { pattern: /password/i, name: "password" },
+      { pattern: /private.*key/i, name: "private-key" },
+      { pattern: /\.pem$/i, name: "certificate" },
+      { pattern: /\.p12$/i, name: "certificate" },
+      { pattern: /\.pfx$/i, name: "certificate" },
+      { pattern: /id_rsa/i, name: "ssh-key" },
+      { pattern: /id_ed25519/i, name: "ssh-key" },
+    ];
+    
+    for (const { pattern, name } of sensitivePatterns) {
+      if (pattern.test(filePath)) {
+        // Check if this is explicitly allowed
+        const isAllowed = this.allowedPaths.some(p => this.matches(filePath, p));
+        if (!isAllowed) {
+          return {
+            valid: false,
+            rule: "sensitive-path",
+            severity: "high",
+            message: `Path "${filePath}" appears to contain sensitive data (${name})`,
+            details: {
+              path: filePath,
+              sensitiveType: name,
+              suggestion: "If this is intentional, add the path to 'paths.allowed' in firewall config",
+            },
+          };
+        }
+      }
+    }
+    
+    return null;
+  }
+  
+  /**
+   * Batch validate multiple paths
+   * @param {string[]} paths - Paths to validate
+   * @returns {object[]} Validation results
+   */
+  validateBatch(paths) {
+    return paths.map(p => ({
+      path: p,
+      ...this.validate({ path: p }),
+    }));
+  }
+  
+  /**
+   * Get all forbidden paths
+   * @returns {string[]} Forbidden paths
+   */
+  getForbiddenPaths() {
+    return [...this.forbiddenPaths];
+  }
+  
+  /**
+   * Get all allowed paths
+   * @returns {string[]} Allowed paths
+   */
+  getAllowedPaths() {
+    return [...this.allowedPaths];
+  }
+  
+  /**
+   * Check if path is in a protected directory
+   * @param {string} filePath - Path to check
+   * @returns {boolean} True if protected
+   */
+  isProtected(filePath) {
+    const result = this.validate({ path: filePath });
+    return !result.valid;
+  }
+}
+
+module.exports = {
+  PathValidator,
+};