@wrongstack/tools 0.5.7 → 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/builtin.js +19 -7
- package/dist/builtin.js.map +1 -1
- package/dist/exec.js +9 -2
- package/dist/exec.js.map +1 -1
- package/dist/fetch.js.map +1 -1
- package/dist/grep.js +9 -4
- package/dist/grep.js.map +1 -1
- package/dist/index.js +19 -7
- package/dist/index.js.map +1 -1
- package/dist/logs.js +9 -4
- package/dist/logs.js.map +1 -1
- package/dist/pack.js +19 -7
- package/dist/pack.js.map +1 -1
- package/dist/replace.js +9 -4
- package/dist/replace.js.map +1 -1
- package/dist/scaffold.js +2 -1
- package/dist/scaffold.js.map +1 -1
- package/package.json +2 -2
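--- a/package/dist/builtin.js
+++ b/package/dist/builtin.js
@@ -1347,14 +1347,21 @@ var BLOCKED_ARG_PATTERNS = {
 // go run could execute arbitrary .go files; -ldflags could inject build-time code
 go: [/^-ldflags$/],
 // bun --preload is similar to node --require
-bun: [/^--preload$/],
+bun: [/^--preload$/, /^run$/, /^bunx$/, /^create$/, /^init$/],
 // docker build/run can create containers with host access;
 // only allow read-only commands (ps, images, version)
 docker: [/^build$/, /^run$/, /^exec$/, /^push$/, /^pull$/],
 // find -exec/-ok/-execdir execute arbitrary commands
 find: [/^-exec$/, /^-exec;$/, /^-ok$/, /^-ok;$/, /^-execdir$/, /^-execdir;$/, /^-exec=/, /^-ok=/, /^-execdir=/],
 // rm -rf / is catastrophic — block root and home targets
-rm: [/^\/$/, /^\/\*$/, /^~$/]
+rm: [/^\/$/, /^\/\*$/, /^~$/],
+// npm run/exec/create/pack/publish can execute arbitrary scripts or publish malware
+npm: [/^run$/, /^exec$/, /^create$/, /^init$/, /^pack$/, /^publish$/, /^deploy$/],
+// pnpm run/dlx/exec/create can execute arbitrary scripts
+pnpm: [/^run$/, /^dlx$/, /^exec$/, /^create$/, /^init$/, /^pack$/, /^publish$/, /^deploy$/],
+// npx should only be used for --version; any package name is a vector for
+// malicious package execution (typosquatting, dependency confusion)
+npx: [/^[^\s]+$/]
 };
 function validateArgs(cmd, args) {
 const blocked = BLOCKED_ARG_PATTERNS[cmd];
@@ -2145,12 +2152,17 @@ async function readGitignore(dir) {
 }
 
 // src/_regex.ts
-var MAX_PATTERN_LEN =
+var MAX_PATTERN_LEN = 256;
 var DANGEROUS_PATTERNS = [
-/(\([^)]*[+*][^)]*\))[+*]/,
 // (a+)+, (.*)+, etc — nested quantifier on a group with internal quantifier
-/(\(
-
+/(\([^)]*[+*][^)]*\))[+*]/,
+/(\(\?:[^)]*[+*][^)]*\))[+*]/,
+// Adjacent quantifiers: a++ a*+
+/[+*]{2,}/,
+// Quantifier on alternation with length 2+
+/\([^|)]+\|[^)]+\)[+*][+*]/,
+// Greedy quantifier inside lookahead/lookbehind — (?!.*a+)
+/[\(\[][^)\]]*[+*][^)\]]*[\)\]][^)]*\?\??/
 ];
 function compileUserRegex(pattern, flags) {
 if (typeof pattern !== "string") {
@@ -3728,7 +3740,7 @@ async function handleBuiltIn(name, templateFiles, cwd, ctx, dryRun, vars) {
 const fullPath = target;
 if (!dryRun) {
 await fs9.mkdir(path.dirname(fullPath), { recursive: true });
-await
+await atomicWrite(fullPath, substituteVars(content, name, vars));
 }
 files.push(resolvedPath);
 filesCreated++;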
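Review bot: The last DANGEROUS_PATTERNS entry in the second hunk, `/[\(\[][^)\]]*[+*][^)\]]*[\)\]][^)]*\?\??/`, does not match the lookaround its comment names: it requires a `?` somewhere after the closing `)`/`]`, whereas in `(?!.*a+)` the `?` follows the opening `(` and nothing follows the `)`. What it does match is an optional group or character class that contains a quantifier, such as `(\d+)?` or `[a+]?`, so compileUserRegex (whose body continues outside the hunk) would presumably reject common benign patterns while the stated target passes. If the intent is a quantified subexpression inside a lookahead/lookbehind, `/\(\?<?[=!][^)]*[+*]/` expresses that directly. Since any such pattern list is heuristic and incomplete, a comment above the array stating that the 256-character MAX_PATTERN_LEN cap is the primary bound and DANGEROUS_PATTERNS is best-effort would help the next maintainer judge changes to it.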