npm - @yeaft/webchat-agent - Versions diffs - 0.0.168 → 0.0.169 - Mend

@yeaft/webchat-agent 0.0.168 → 0.0.169

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/connection.js CHANGED Viewed

@@ -23,7 +23,7 @@ import {
 import {
   createCrewSession, handleCrewHumanInput, handleCrewControl,
   addRoleToSession, removeRoleFromSession,
-  handleListCrewSessions, handleCheckCrewExists, resumeCrewSession, removeFromCrewIndex
+  handleListCrewSessions, handleCheckCrewExists, handleDeleteCrewDir, resumeCrewSession, removeFromCrewIndex
 } from './crew.js';
 // 需要在断连期间缓冲的消息类型（Claude 输出相关的关键消息）
@@ -304,6 +304,10 @@ async function handleMessage(msg) {
       await handleCheckCrewExists(msg);
       break;
+    case 'delete_crew_dir':
+      await handleDeleteCrewDir(msg);
+      break;
     case 'resume_crew_session':
       await resumeCrewSession(msg);
       break;

package/crew.js CHANGED Viewed

@@ -14,7 +14,7 @@
 import { query, Stream } from './sdk/index.js';
 import { promises as fs } from 'fs';
-import { join } from 'path';
+import { join, isAbsolute } from 'path';
 import { homedir } from 'os';
 import { execFile as execFileCb } from 'child_process';
 import { promisify } from 'util';
@@ -383,12 +383,22 @@ export async function handleListCrewSessions(msg) {
   });
 }
+/**
+ * 验证 projectDir 路径安全性：必须是绝对路径且不包含路径遍历
+ */
+function isValidProjectDir(dir) {
+  if (!dir || typeof dir !== 'string') return false;
+  if (!isAbsolute(dir)) return false;
+  if (/(?:^|[\\/])\.\.(?:[\\/]|$)/.test(dir)) return false;
+  return true;
+}
 /**
  * 检查工作目录下是否存在 .crew 目录
  */
 export async function handleCheckCrewExists(msg) {
   const { projectDir, requestId, _requestClientId } = msg;
-  if (!projectDir) {
+  if (!projectDir || !isValidProjectDir(projectDir)) {
     ctx.sendToServer({
       type: 'crew_exists_result',
       requestId,
@@ -440,6 +450,20 @@ export async function handleCheckCrewExists(msg) {
   }
 }
+/**
+ * 删除工作目录下的 .crew 目录
+ */
+export async function handleDeleteCrewDir(msg) {
+  const { projectDir, _requestClientId } = msg;
+  if (!isValidProjectDir(projectDir)) return;
+  const crewDir = join(projectDir, '.crew');
+  try {
+    await fs.rm(crewDir, { recursive: true, force: true });
+  } catch {
+    // ignore errors (dir may not exist)
+  }
+}
 /**
  * 恢复已停止的 crew session
  */

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@yeaft/webchat-agent",
-  "version": "0.0.168",
+  "version": "0.0.169",
   "description": "Remote agent for Yeaft WebChat — connects worker machines to the central server",
   "main": "index.js",
   "type": "module",