@yuaone/tools 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +663 -0
- package/README.md +15 -0
- package/dist/__tests__/file-edit.test.d.ts +8 -0
- package/dist/__tests__/file-edit.test.d.ts.map +1 -0
- package/dist/__tests__/file-edit.test.js +125 -0
- package/dist/__tests__/file-edit.test.js.map +1 -0
- package/dist/__tests__/registry.test.d.ts +7 -0
- package/dist/__tests__/registry.test.d.ts.map +1 -0
- package/dist/__tests__/registry.test.js +83 -0
- package/dist/__tests__/registry.test.js.map +1 -0
- package/dist/__tests__/validators.test.d.ts +8 -0
- package/dist/__tests__/validators.test.d.ts.map +1 -0
- package/dist/__tests__/validators.test.js +189 -0
- package/dist/__tests__/validators.test.js.map +1 -0
- package/dist/base-tool.d.ts +45 -0
- package/dist/base-tool.d.ts.map +1 -0
- package/dist/base-tool.js +87 -0
- package/dist/base-tool.js.map +1 -0
- package/dist/browser-tool.d.ts +39 -0
- package/dist/browser-tool.d.ts.map +1 -0
- package/dist/browser-tool.js +518 -0
- package/dist/browser-tool.js.map +1 -0
- package/dist/code-search.d.ts +42 -0
- package/dist/code-search.d.ts.map +1 -0
- package/dist/code-search.js +298 -0
- package/dist/code-search.js.map +1 -0
- package/dist/design-tools.d.ts +70 -0
- package/dist/design-tools.d.ts.map +1 -0
- package/dist/design-tools.js +471 -0
- package/dist/design-tools.js.map +1 -0
- package/dist/dev-server-manager.d.ts +32 -0
- package/dist/dev-server-manager.d.ts.map +1 -0
- package/dist/dev-server-manager.js +183 -0
- package/dist/dev-server-manager.js.map +1 -0
- package/dist/file-edit.d.ts +19 -0
- package/dist/file-edit.d.ts.map +1 -0
- package/dist/file-edit.js +217 -0
- package/dist/file-edit.js.map +1 -0
- package/dist/file-read.d.ts +19 -0
- package/dist/file-read.d.ts.map +1 -0
- package/dist/file-read.js +142 -0
- package/dist/file-read.js.map +1 -0
- package/dist/file-write.d.ts +18 -0
- package/dist/file-write.d.ts.map +1 -0
- package/dist/file-write.js +139 -0
- package/dist/file-write.js.map +1 -0
- package/dist/git-ops.d.ts +25 -0
- package/dist/git-ops.d.ts.map +1 -0
- package/dist/git-ops.js +219 -0
- package/dist/git-ops.js.map +1 -0
- package/dist/glob.d.ts +18 -0
- package/dist/glob.d.ts.map +1 -0
- package/dist/glob.js +91 -0
- package/dist/glob.js.map +1 -0
- package/dist/grep.d.ts +19 -0
- package/dist/grep.d.ts.map +1 -0
- package/dist/grep.js +177 -0
- package/dist/grep.js.map +1 -0
- package/dist/index.d.ts +27 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +29 -0
- package/dist/index.js.map +1 -0
- package/dist/security-scan.d.ts +62 -0
- package/dist/security-scan.d.ts.map +1 -0
- package/dist/security-scan.js +445 -0
- package/dist/security-scan.js.map +1 -0
- package/dist/shell-exec.d.ts +20 -0
- package/dist/shell-exec.d.ts.map +1 -0
- package/dist/shell-exec.js +206 -0
- package/dist/shell-exec.js.map +1 -0
- package/dist/test-run.d.ts +51 -0
- package/dist/test-run.d.ts.map +1 -0
- package/dist/test-run.js +359 -0
- package/dist/test-run.js.map +1 -0
- package/dist/tool-registry.d.ts +70 -0
- package/dist/tool-registry.d.ts.map +1 -0
- package/dist/tool-registry.js +181 -0
- package/dist/tool-registry.js.map +1 -0
- package/dist/types.d.ts +137 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +8 -0
- package/dist/types.js.map +1 -0
- package/dist/validators.d.ts +57 -0
- package/dist/validators.d.ts.map +1 -0
- package/dist/validators.js +218 -0
- package/dist/validators.js.map +1 -0
- package/package.json +42 -0
|
@@ -0,0 +1,445 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @module security-scan
|
|
3
|
+
* @description Security scanning tool for YUAN agent.
|
|
4
|
+
* Checks for common security vulnerabilities in code:
|
|
5
|
+
* - Hardcoded secrets (API keys, passwords, tokens, AWS keys, private keys)
|
|
6
|
+
* - Dangerous code patterns (eval, innerHTML, SQL injection, command injection)
|
|
7
|
+
* - Dependency vulnerabilities (npm/pnpm audit)
|
|
8
|
+
* - File permission issues
|
|
9
|
+
*
|
|
10
|
+
* No external dependencies -- pure TypeScript + node:fs + node:child_process.
|
|
11
|
+
*/
|
|
12
|
+
import { readdir, readFile, access, constants as fsConstants } from 'node:fs/promises';
|
|
13
|
+
import { join, relative, extname } from 'node:path';
|
|
14
|
+
import { execFile } from 'node:child_process';
|
|
15
|
+
import { promisify } from 'node:util';
|
|
16
|
+
import { BaseTool } from './base-tool.js';
|
|
17
|
+
const execFileAsync = promisify(execFile);
|
|
18
|
+
// ─── Patterns ───────────────────────────────────────────────────────
|
|
19
|
+
/** Hardcoded secret detection patterns */
|
|
20
|
+
const SECRET_PATTERNS = [
|
|
21
|
+
{
|
|
22
|
+
name: 'api_key',
|
|
23
|
+
pattern: /(api[_-]?key|apikey)\s*[:=]\s*['"][^'"]{10,}['"]/i,
|
|
24
|
+
severity: 'critical',
|
|
25
|
+
description: 'Hardcoded API key detected',
|
|
26
|
+
recommendation: 'Move API keys to environment variables and use .env files (excluded from git).',
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
name: 'password',
|
|
30
|
+
pattern: /(password|passwd|pwd)\s*[:=]\s*['"][^'"]+['"]/i,
|
|
31
|
+
severity: 'critical',
|
|
32
|
+
description: 'Hardcoded password detected',
|
|
33
|
+
recommendation: 'Use environment variables or a secrets manager for passwords.',
|
|
34
|
+
},
|
|
35
|
+
{
|
|
36
|
+
name: 'token_secret',
|
|
37
|
+
pattern: /(token|secret|auth)\s*[:=]\s*['"][^'"]{10,}['"]/i,
|
|
38
|
+
severity: 'critical',
|
|
39
|
+
description: 'Hardcoded token or secret detected',
|
|
40
|
+
recommendation: 'Store tokens in environment variables or a vault service.',
|
|
41
|
+
},
|
|
42
|
+
{
|
|
43
|
+
name: 'aws_key',
|
|
44
|
+
pattern: /AKIA[0-9A-Z]{16}/,
|
|
45
|
+
severity: 'critical',
|
|
46
|
+
description: 'AWS access key ID detected',
|
|
47
|
+
recommendation: 'Remove AWS key and rotate credentials immediately. Use IAM roles or env vars.',
|
|
48
|
+
},
|
|
49
|
+
{
|
|
50
|
+
name: 'private_key',
|
|
51
|
+
pattern: /-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/,
|
|
52
|
+
severity: 'critical',
|
|
53
|
+
description: 'Private key embedded in source code',
|
|
54
|
+
recommendation: 'Remove private keys from source. Use file references or secrets managers.',
|
|
55
|
+
},
|
|
56
|
+
];
|
|
57
|
+
/** Dangerous code pattern detection */
|
|
58
|
+
const DANGEROUS_CODE_PATTERNS = [
|
|
59
|
+
{
|
|
60
|
+
name: 'eval',
|
|
61
|
+
pattern: /\beval\s*\(/,
|
|
62
|
+
severity: 'high',
|
|
63
|
+
description: 'Use of eval() detected -- potential code injection',
|
|
64
|
+
recommendation: 'Replace eval() with safer alternatives like JSON.parse() or Function constructors with validated input.',
|
|
65
|
+
},
|
|
66
|
+
{
|
|
67
|
+
name: 'new_function',
|
|
68
|
+
pattern: /\bnew\s+Function\s*\(|[^.]\bFunction\s*\(/,
|
|
69
|
+
severity: 'high',
|
|
70
|
+
description: 'Dynamic Function constructor detected -- potential code injection',
|
|
71
|
+
recommendation: 'Avoid Function() constructor. Use static code paths instead.',
|
|
72
|
+
},
|
|
73
|
+
{
|
|
74
|
+
name: 'innerhtml',
|
|
75
|
+
pattern: /\.innerHTML\s*=/,
|
|
76
|
+
severity: 'high',
|
|
77
|
+
description: 'Direct innerHTML assignment -- potential XSS vulnerability',
|
|
78
|
+
recommendation: 'Use textContent, createElement/appendChild, or a sanitizer like DOMPurify.',
|
|
79
|
+
},
|
|
80
|
+
{
|
|
81
|
+
name: 'document_write',
|
|
82
|
+
pattern: /document\.write\s*\(/,
|
|
83
|
+
severity: 'high',
|
|
84
|
+
description: 'document.write() detected -- potential XSS vulnerability',
|
|
85
|
+
recommendation: 'Use DOM manipulation methods instead of document.write().',
|
|
86
|
+
},
|
|
87
|
+
{
|
|
88
|
+
name: 'sql_injection',
|
|
89
|
+
pattern: /query\s*\(.*\+.*req\.|query\s*\(.*\$\{/,
|
|
90
|
+
severity: 'critical',
|
|
91
|
+
description: 'Potential SQL injection -- string concatenation in query',
|
|
92
|
+
recommendation: 'Use parameterized queries or an ORM. Never concatenate user input into SQL.',
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
name: 'command_injection',
|
|
96
|
+
pattern: /child_process\.exec\s*\(/,
|
|
97
|
+
severity: 'high',
|
|
98
|
+
description: 'child_process.exec() detected -- potential command injection',
|
|
99
|
+
recommendation: 'Use child_process.execFile() with an explicit argument array instead of exec().',
|
|
100
|
+
},
|
|
101
|
+
{
|
|
102
|
+
name: 'chmod_777',
|
|
103
|
+
pattern: /fs\.chmod\s*\(.*777/,
|
|
104
|
+
severity: 'medium',
|
|
105
|
+
description: 'Setting file permissions to 777 (world-readable/writable/executable)',
|
|
106
|
+
recommendation: 'Use least-privilege permissions. Typically 644 for files, 755 for directories.',
|
|
107
|
+
},
|
|
108
|
+
{
|
|
109
|
+
name: 'insecure_http',
|
|
110
|
+
pattern: /['"]http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0)[^'"]+['"]/,
|
|
111
|
+
severity: 'medium',
|
|
112
|
+
description: 'Insecure HTTP URL detected (not HTTPS)',
|
|
113
|
+
recommendation: 'Use HTTPS for all external API calls and resource URLs.',
|
|
114
|
+
},
|
|
115
|
+
];
|
|
116
|
+
/** Directories to skip during scanning */
|
|
117
|
+
const SKIP_DIRS = new Set([
|
|
118
|
+
'node_modules', '.git', 'dist', 'build', '.next', '.nuxt',
|
|
119
|
+
'coverage', '.cache', '__pycache__', '.venv', 'venv',
|
|
120
|
+
'.turbo', '.output',
|
|
121
|
+
]);
|
|
122
|
+
/** File extensions to scan */
|
|
123
|
+
const SCANNABLE_EXTENSIONS = new Set([
|
|
124
|
+
'.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs',
|
|
125
|
+
'.py', '.rb', '.go', '.rs', '.java', '.kt',
|
|
126
|
+
'.c', '.cpp', '.cs', '.swift',
|
|
127
|
+
'.json', '.yaml', '.yml', '.toml',
|
|
128
|
+
'.html', '.htm', '.vue', '.svelte',
|
|
129
|
+
'.sh', '.bash',
|
|
130
|
+
'.sql',
|
|
131
|
+
'.env', '.cfg', '.ini', '.conf',
|
|
132
|
+
]);
|
|
133
|
+
/** Files that should be in .gitignore */
|
|
134
|
+
const SHOULD_BE_GITIGNORED = ['.env', '.env.local', '.env.production', 'credentials.json', 'secrets.json'];
|
|
135
|
+
// ─── SecurityScanTool ───────────────────────────────────────────────
|
|
136
|
+
export class SecurityScanTool extends BaseTool {
|
|
137
|
+
name = 'security_scan';
|
|
138
|
+
description = 'Scan a project directory for security vulnerabilities: ' +
|
|
139
|
+
'hardcoded secrets, dangerous code patterns, dependency vulnerabilities, ' +
|
|
140
|
+
'and file permission issues. Returns a structured security report with score.';
|
|
141
|
+
riskLevel = 'low';
|
|
142
|
+
parameters = {
|
|
143
|
+
workDir: {
|
|
144
|
+
type: 'string',
|
|
145
|
+
description: 'Project directory to scan (defaults to current workDir)',
|
|
146
|
+
required: false,
|
|
147
|
+
},
|
|
148
|
+
skipAudit: {
|
|
149
|
+
type: 'boolean',
|
|
150
|
+
description: 'Skip dependency audit (faster scan)',
|
|
151
|
+
required: false,
|
|
152
|
+
default: false,
|
|
153
|
+
},
|
|
154
|
+
};
|
|
155
|
+
async execute(args, workDir) {
|
|
156
|
+
const toolCallId = args._toolCallId ?? '';
|
|
157
|
+
const skipAudit = args.skipAudit ?? false;
|
|
158
|
+
// Validate scanDir to prevent directory traversal (C3 fix)
|
|
159
|
+
let scanDir = workDir;
|
|
160
|
+
if (args.workDir && typeof args.workDir === 'string') {
|
|
161
|
+
try {
|
|
162
|
+
scanDir = this.validatePath(args.workDir, workDir);
|
|
163
|
+
}
|
|
164
|
+
catch (err) {
|
|
165
|
+
return this.fail(toolCallId, err.message);
|
|
166
|
+
}
|
|
167
|
+
}
|
|
168
|
+
try {
|
|
169
|
+
const report = await runSecurityScan(scanDir, skipAudit);
|
|
170
|
+
const output = formatReport(report);
|
|
171
|
+
return this.ok(toolCallId, output, { report });
|
|
172
|
+
}
|
|
173
|
+
catch (err) {
|
|
174
|
+
return this.fail(toolCallId, `Security scan failed: ${err.message}`);
|
|
175
|
+
}
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
// ─── Scan Engine ────────────────────────────────────────────────────
|
|
179
|
+
/**
|
|
180
|
+
* Run a full security scan on the given directory.
|
|
181
|
+
*
|
|
182
|
+
* @param scanDir - Directory to scan recursively
|
|
183
|
+
* @param skipAudit - If true, skip npm/pnpm audit
|
|
184
|
+
* @returns SecurityReport
|
|
185
|
+
*/
|
|
186
|
+
export async function runSecurityScan(scanDir, skipAudit = false) {
|
|
187
|
+
const findings = [];
|
|
188
|
+
// 1. Scan files for secrets and dangerous patterns
|
|
189
|
+
const files = await collectFiles(scanDir);
|
|
190
|
+
for (const filePath of files) {
|
|
191
|
+
const relPath = relative(scanDir, filePath);
|
|
192
|
+
const fileFindings = await scanFile(filePath, relPath);
|
|
193
|
+
findings.push(...fileFindings);
|
|
194
|
+
}
|
|
195
|
+
// 2. Dependency audit (optional)
|
|
196
|
+
if (!skipAudit) {
|
|
197
|
+
const auditFindings = await runDependencyAudit(scanDir);
|
|
198
|
+
findings.push(...auditFindings);
|
|
199
|
+
}
|
|
200
|
+
// 3. Check for missing .gitignore entries
|
|
201
|
+
const gitignoreFindings = await checkGitignore(scanDir);
|
|
202
|
+
findings.push(...gitignoreFindings);
|
|
203
|
+
// 4. Classify findings by severity
|
|
204
|
+
const critical = findings.filter((f) => f.severity === 'critical').map(stripSeverity);
|
|
205
|
+
const high = findings.filter((f) => f.severity === 'high').map(stripSeverity);
|
|
206
|
+
const medium = findings.filter((f) => f.severity === 'medium').map(stripSeverity);
|
|
207
|
+
const low = findings.filter((f) => f.severity === 'low').map(stripSeverity);
|
|
208
|
+
// 5. Calculate score
|
|
209
|
+
const score = calculateScore(critical.length, high.length, medium.length, low.length);
|
|
210
|
+
// 6. Build summary
|
|
211
|
+
const totalFindings = findings.length;
|
|
212
|
+
const summary = totalFindings === 0
|
|
213
|
+
? 'No security issues found. Score: 100/100.'
|
|
214
|
+
: `Found ${totalFindings} issue(s): ${critical.length} critical, ${high.length} high, ${medium.length} medium, ${low.length} low. Score: ${score}/100.`;
|
|
215
|
+
return { score, critical, high, medium, low, summary };
|
|
216
|
+
}
|
|
217
|
+
// ─── File Collection ────────────────────────────────────────────────
|
|
218
|
+
async function collectFiles(dir, maxDepth = 10) {
|
|
219
|
+
if (maxDepth <= 0)
|
|
220
|
+
return [];
|
|
221
|
+
const files = [];
|
|
222
|
+
let entries;
|
|
223
|
+
try {
|
|
224
|
+
entries = await readdir(dir, { withFileTypes: true });
|
|
225
|
+
}
|
|
226
|
+
catch {
|
|
227
|
+
return files;
|
|
228
|
+
}
|
|
229
|
+
for (const entry of entries) {
|
|
230
|
+
if (entry.name.startsWith('.') && SKIP_DIRS.has(entry.name))
|
|
231
|
+
continue;
|
|
232
|
+
if (SKIP_DIRS.has(entry.name))
|
|
233
|
+
continue;
|
|
234
|
+
const fullPath = join(dir, entry.name);
|
|
235
|
+
if (entry.isDirectory()) {
|
|
236
|
+
const subFiles = await collectFiles(fullPath, maxDepth - 1);
|
|
237
|
+
files.push(...subFiles);
|
|
238
|
+
}
|
|
239
|
+
else if (entry.isFile()) {
|
|
240
|
+
const ext = extname(entry.name).toLowerCase();
|
|
241
|
+
// Scan files with known extensions or dotfiles like .env
|
|
242
|
+
if (SCANNABLE_EXTENSIONS.has(ext) || entry.name.startsWith('.env')) {
|
|
243
|
+
files.push(fullPath);
|
|
244
|
+
}
|
|
245
|
+
}
|
|
246
|
+
}
|
|
247
|
+
return files;
|
|
248
|
+
}
|
|
249
|
+
// ─── File Scanning ──────────────────────────────────────────────────
|
|
250
|
+
async function scanFile(filePath, relPath) {
|
|
251
|
+
const findings = [];
|
|
252
|
+
let content;
|
|
253
|
+
try {
|
|
254
|
+
content = await readFile(filePath, 'utf-8');
|
|
255
|
+
}
|
|
256
|
+
catch {
|
|
257
|
+
return findings;
|
|
258
|
+
}
|
|
259
|
+
const lines = content.split('\n');
|
|
260
|
+
for (let i = 0; i < lines.length; i++) {
|
|
261
|
+
const line = lines[i];
|
|
262
|
+
const lineNum = i + 1;
|
|
263
|
+
// Check secret patterns
|
|
264
|
+
for (const sp of SECRET_PATTERNS) {
|
|
265
|
+
if (sp.pattern.test(line)) {
|
|
266
|
+
findings.push({
|
|
267
|
+
type: `hardcoded_secret:${sp.name}`,
|
|
268
|
+
file: relPath,
|
|
269
|
+
line: lineNum,
|
|
270
|
+
code: redactLine(line),
|
|
271
|
+
description: sp.description,
|
|
272
|
+
recommendation: sp.recommendation,
|
|
273
|
+
severity: sp.severity,
|
|
274
|
+
});
|
|
275
|
+
}
|
|
276
|
+
}
|
|
277
|
+
// Check dangerous code patterns
|
|
278
|
+
for (const dp of DANGEROUS_CODE_PATTERNS) {
|
|
279
|
+
if (dp.pattern.test(line)) {
|
|
280
|
+
findings.push({
|
|
281
|
+
type: dp.name,
|
|
282
|
+
file: relPath,
|
|
283
|
+
line: lineNum,
|
|
284
|
+
code: line.trim().slice(0, 200),
|
|
285
|
+
description: dp.description,
|
|
286
|
+
recommendation: dp.recommendation,
|
|
287
|
+
severity: dp.severity,
|
|
288
|
+
});
|
|
289
|
+
}
|
|
290
|
+
}
|
|
291
|
+
}
|
|
292
|
+
return findings;
|
|
293
|
+
}
|
|
294
|
+
/**
|
|
295
|
+
* Redact secret values in a line for safe display.
|
|
296
|
+
* Replaces the actual value with asterisks.
|
|
297
|
+
*/
|
|
298
|
+
function redactLine(line) {
|
|
299
|
+
return line
|
|
300
|
+
.replace(/(['"])[^'"]{8,}(['"])/g, (_, q1, q2) => `${q1}****REDACTED****${q2}`)
|
|
301
|
+
.trim()
|
|
302
|
+
.slice(0, 200);
|
|
303
|
+
}
|
|
304
|
+
// ─── Dependency Audit ───────────────────────────────────────────────
|
|
305
|
+
async function runDependencyAudit(dir) {
|
|
306
|
+
const findings = [];
|
|
307
|
+
// Detect package manager
|
|
308
|
+
const hasPnpmLock = await fileExists(join(dir, 'pnpm-lock.yaml'));
|
|
309
|
+
const hasPackageLock = await fileExists(join(dir, 'package-lock.json'));
|
|
310
|
+
const hasPackageJson = await fileExists(join(dir, 'package.json'));
|
|
311
|
+
if (!hasPackageJson)
|
|
312
|
+
return findings;
|
|
313
|
+
const cmd = hasPnpmLock ? 'pnpm' : hasPackageLock ? 'npm' : 'npm';
|
|
314
|
+
const args = ['audit', '--json'];
|
|
315
|
+
try {
|
|
316
|
+
const { stdout } = await execFileAsync(cmd, args, {
|
|
317
|
+
cwd: dir,
|
|
318
|
+
timeout: 30_000,
|
|
319
|
+
maxBuffer: 10 * 1024 * 1024,
|
|
320
|
+
});
|
|
321
|
+
const auditData = JSON.parse(stdout);
|
|
322
|
+
const vulnerabilities = (auditData.vulnerabilities ?? auditData.advisories ?? {});
|
|
323
|
+
for (const [pkg, info] of Object.entries(vulnerabilities)) {
|
|
324
|
+
const severity = mapAuditSeverity(info.severity ?? 'low');
|
|
325
|
+
findings.push({
|
|
326
|
+
type: 'dependency_vulnerability',
|
|
327
|
+
file: 'package.json',
|
|
328
|
+
line: 0,
|
|
329
|
+
code: `${pkg}${info.range ? `@${info.range}` : ''}`,
|
|
330
|
+
description: info.title ?? `Vulnerability in ${pkg}`,
|
|
331
|
+
recommendation: info.recommendation ?? `Update ${pkg} to a patched version.`,
|
|
332
|
+
severity,
|
|
333
|
+
});
|
|
334
|
+
}
|
|
335
|
+
}
|
|
336
|
+
catch {
|
|
337
|
+
// Audit command failed or not available -- skip silently
|
|
338
|
+
// npm audit exits non-zero when vulnerabilities are found
|
|
339
|
+
}
|
|
340
|
+
return findings;
|
|
341
|
+
}
|
|
342
|
+
function mapAuditSeverity(severity) {
|
|
343
|
+
switch (severity.toLowerCase()) {
|
|
344
|
+
case 'critical':
|
|
345
|
+
return 'critical';
|
|
346
|
+
case 'high':
|
|
347
|
+
return 'high';
|
|
348
|
+
case 'moderate':
|
|
349
|
+
case 'medium':
|
|
350
|
+
return 'medium';
|
|
351
|
+
default:
|
|
352
|
+
return 'low';
|
|
353
|
+
}
|
|
354
|
+
}
|
|
355
|
+
// ─── Gitignore Check ────────────────────────────────────────────────
|
|
356
|
+
async function checkGitignore(dir) {
|
|
357
|
+
const findings = [];
|
|
358
|
+
// Read .gitignore
|
|
359
|
+
let gitignoreContent = '';
|
|
360
|
+
try {
|
|
361
|
+
gitignoreContent = await readFile(join(dir, '.gitignore'), 'utf-8');
|
|
362
|
+
}
|
|
363
|
+
catch {
|
|
364
|
+
// No .gitignore
|
|
365
|
+
if (await fileExists(join(dir, '.git'))) {
|
|
366
|
+
findings.push({
|
|
367
|
+
type: 'missing_gitignore',
|
|
368
|
+
file: '.gitignore',
|
|
369
|
+
line: 0,
|
|
370
|
+
code: '',
|
|
371
|
+
description: 'Git repository has no .gitignore file',
|
|
372
|
+
recommendation: 'Create a .gitignore to exclude sensitive files, build artifacts, and dependencies.',
|
|
373
|
+
severity: 'medium',
|
|
374
|
+
});
|
|
375
|
+
}
|
|
376
|
+
return findings;
|
|
377
|
+
}
|
|
378
|
+
// Check that sensitive files are gitignored
|
|
379
|
+
for (const sensitiveFile of SHOULD_BE_GITIGNORED) {
|
|
380
|
+
const exists = await fileExists(join(dir, sensitiveFile));
|
|
381
|
+
if (exists && !gitignoreContent.includes(sensitiveFile)) {
|
|
382
|
+
findings.push({
|
|
383
|
+
type: 'sensitive_not_gitignored',
|
|
384
|
+
file: sensitiveFile,
|
|
385
|
+
line: 0,
|
|
386
|
+
code: '',
|
|
387
|
+
description: `Sensitive file "${sensitiveFile}" exists but is not in .gitignore`,
|
|
388
|
+
recommendation: `Add "${sensitiveFile}" to .gitignore and remove from git tracking.`,
|
|
389
|
+
severity: 'high',
|
|
390
|
+
});
|
|
391
|
+
}
|
|
392
|
+
}
|
|
393
|
+
return findings;
|
|
394
|
+
}
|
|
395
|
+
// ─── Score Calculation ──────────────────────────────────────────────
|
|
396
|
+
function calculateScore(critical, high, medium, low) {
|
|
397
|
+
// Deductions: critical=-25, high=-10, medium=-3, low=-1
|
|
398
|
+
const deductions = critical * 25 + high * 10 + medium * 3 + low * 1;
|
|
399
|
+
return Math.max(0, 100 - deductions);
|
|
400
|
+
}
|
|
401
|
+
// ─── Helpers ────────────────────────────────────────────────────────
|
|
402
|
+
function stripSeverity(f) {
|
|
403
|
+
const { severity: _, ...rest } = f;
|
|
404
|
+
return rest;
|
|
405
|
+
}
|
|
406
|
+
async function fileExists(path) {
|
|
407
|
+
try {
|
|
408
|
+
await access(path, fsConstants.F_OK);
|
|
409
|
+
return true;
|
|
410
|
+
}
|
|
411
|
+
catch {
|
|
412
|
+
return false;
|
|
413
|
+
}
|
|
414
|
+
}
|
|
415
|
+
// ─── Report Formatting ─────────────────────────────────────────────
|
|
416
|
+
function formatReport(report) {
|
|
417
|
+
const lines = [];
|
|
418
|
+
lines.push(`## Security Scan Report`);
|
|
419
|
+
lines.push(`Score: ${report.score}/100`);
|
|
420
|
+
lines.push('');
|
|
421
|
+
lines.push(report.summary);
|
|
422
|
+
lines.push('');
|
|
423
|
+
const sections = [
|
|
424
|
+
['CRITICAL', report.critical],
|
|
425
|
+
['HIGH', report.high],
|
|
426
|
+
['MEDIUM', report.medium],
|
|
427
|
+
['LOW', report.low],
|
|
428
|
+
];
|
|
429
|
+
for (const [label, findings] of sections) {
|
|
430
|
+
if (findings.length === 0)
|
|
431
|
+
continue;
|
|
432
|
+
lines.push(`### ${label} (${findings.length})`);
|
|
433
|
+
for (const f of findings) {
|
|
434
|
+
const loc = f.line > 0 ? `${f.file}:${f.line}` : f.file;
|
|
435
|
+
lines.push(`- [${f.type}] ${loc}`);
|
|
436
|
+
lines.push(` ${f.description}`);
|
|
437
|
+
if (f.code)
|
|
438
|
+
lines.push(` Code: ${f.code}`);
|
|
439
|
+
lines.push(` Fix: ${f.recommendation}`);
|
|
440
|
+
}
|
|
441
|
+
lines.push('');
|
|
442
|
+
}
|
|
443
|
+
return lines.join('\n');
|
|
444
|
+
}
|
|
445
|
+
//# sourceMappingURL=security-scan.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"security-scan.js","sourceRoot":"","sources":["../src/security-scan.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAQ,MAAM,EAAE,SAAS,IAAI,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC7F,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAGtC,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAE1C,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAuC1C,uEAAuE;AAEvE,0CAA0C;AAC1C,MAAM,eAAe,GAMhB;IACH;QACE,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,mDAAmD;QAC5D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,4BAA4B;QACzC,cAAc,EAAE,gFAAgF;KACjG;IACD;QACE,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,gDAAgD;QACzD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,6BAA6B;QAC1C,cAAc,EAAE,+DAA+D;KAChF;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,kDAAkD;QAC3D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,oCAAoC;QACjD,cAAc,EAAE,2DAA2D;KAC5E;IACD;QACE,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,kBAAkB;QAC3B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,4BAA4B;QACzC,cAAc,EAAE,+EAA+E;KAChG;IACD;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qCAAqC;QAClD,cAAc,EAAE,2EAA2E;KAC5F;CACF,CAAC;AAEF,uCAAuC;AACvC,MAAM,uBAAuB,GAMxB;IACH;QACE,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,aAAa;QACtB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,oDAAoD;QACjE,cAAc,EAAE,yGAAyG;KAC1H;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,mEAAmE;QAChF,cAAc,EAAE,8DAA8D;KAC/E;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,iBAAiB;QAC1B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,4DAA4D;QACzE,cAAc,EAAE,4EAA4E;KAC7F;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0DAA0D;QACvE,cAAc,EAAE,2DAA2D;KAC5E;IACD;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,wCAAwC;QACjD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,0DAA0D;QACvE,cAAc,EAAE,6EAA6E;KAC9F;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8DAA8D;QAC3E,cAAc,EAAE,iFAAiF;KAClG;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,qBAAqB;QAC9B,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,sEAAsE;QACnF,cAAc,EAAE,gFAAgF;KACjG;IACD;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,wCAAwC;QACrD,cAAc,EAAE,yDAAyD;KAC1E;CACF,CAAC;AAEF,0CAA0C;AAC1C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;IACxB,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO;IACzD,UAAU,EAAE,QAAQ,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM;IACpD,QAAQ,EAAE,SAAS;CACpB,CAAC,CAAC;AAEH,8BAA8B;AAC9B,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAC5C,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK;IAC1C,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ;IAC7B,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO;IACjC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS;IAClC,KAAK,EAAE,OAAO;IACd,MAAM;IACN,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO;CAChC,CAAC,CAAC;AAEH,yCAAyC;AACzC,MAAM,oBAAoB,GAAG,CAAC,MAAM,EAAE,YAAY,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,cAAc,CAAC,CAAC;AAE3G,uEAAuE;AAEvE,MAAM,OAAO,gBAAiB,SAAQ,QAAQ;IACnC,IAAI,GAAG,eAAe,CAAC;IACvB,WAAW,GAClB,yDAAyD;QACzD,0EAA0E;QAC1E,8EAA8E,CAAC;IACxE,SAAS,GAAc,KAAK,CAAC;IAE7B,UAAU,GAAiC;QAClD,OAAO,EAAE;YACP,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,yDAAyD;YACtE,QAAQ,EAAE,KAAK;SAChB;QACD,SAAS,EAAE;YACT,IAAI,EAAE,SAAS;YACf,WAAW,EAAE,qCAAqC;YAClD,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,KAAK;SACf;KACF,CAAC;IAEF,KAAK,CAAC,OAAO,CAAC,IAA6B,EAAE,OAAe;QAC1D,MAAM,UAAU,GAAI,IAAI,CAAC,WAAsB,IAAI,EAAE,CAAC;QACtD,MAAM,SAAS,GAAI,IAAI,CAAC,SAAqB,IAAI,KAAK,CAAC;QAEvD,2DAA2D;QAC3D,IAAI,OAAO,GAAG,OAAO,CAAC;QACtB,IAAI,IAAI,CAAC,OAAO,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACrD,IAAI,CAAC;gBACH,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAiB,EAAE,OAAO,CAAC,CAAC;YAC/D,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YACzD,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACpC,OAAO,IAAI,CAAC,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,yBAA0B,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;CACF;AAED,uEAAuE;AAEvE;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,OAAe,EAAE,SAAS,GAAG,KAAK;IACtE,MAAM,QAAQ,GAA2D,EAAE,CAAC;IAE5E,mDAAmD;IACnD,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;IAC1C,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC5C,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACvD,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IACjC,CAAC;IAED,iCAAiC;IACjC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,aAAa,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QACxD,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;IAClC,CAAC;IAED,0CAA0C;IAC1C,MAAM,iBAAiB,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;IACxD,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,CAAC;IAEpC,mCAAmC;IACnC,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IACtF,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC9E,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAClF,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAE5E,qBAAqB;IACrB,MAAM,KAAK,GAAG,cAAc,CAAC,QAAQ,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAEtF,mBAAmB;IACnB,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC;IACtC,MAAM,OAAO,GACX,aAAa,KAAK,CAAC;QACjB,CAAC,CAAC,2CAA2C;QAC7C,CAAC,CAAC,SAAS,aAAa,cAAc,QAAQ,CAAC,MAAM,cAAc,IAAI,CAAC,MAAM,UAAU,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,MAAM,gBAAgB,KAAK,OAAO,CAAC;IAE5J,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;AACzD,CAAC;AAED,uEAAuE;AAEvE,KAAK,UAAU,YAAY,CAAC,GAAW,EAAE,QAAQ,GAAG,EAAE;IACpD,IAAI,QAAQ,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IAC7B,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,SAAS;QACtE,IAAI,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,SAAS;QAExC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC;YAC5D,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;QAC1B,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAC9C,yDAAyD;YACzD,IAAI,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,uEAAuE;AAEvE,KAAK,UAAU,QAAQ,CACrB,QAAgB,EAChB,OAAe;IAEf,MAAM,QAAQ,GAA2D,EAAE,CAAC;IAE5E,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;QAEtB,wBAAwB;QACxB,KAAK,MAAM,EAAE,IAAI,eAAe,EAAE,CAAC;YACjC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,oBAAoB,EAAE,CAAC,IAAI,EAAE;oBACnC,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC;oBACtB,WAAW,EAAE,EAAE,CAAC,WAAW;oBAC3B,cAAc,EAAE,EAAE,CAAC,cAAc;oBACjC,QAAQ,EAAE,EAAE,CAAC,QAAQ;iBACtB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,gCAAgC;QAChC,KAAK,MAAM,EAAE,IAAI,uBAAuB,EAAE,CAAC;YACzC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,EAAE,CAAC,IAAI;oBACb,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC/B,WAAW,EAAE,EAAE,CAAC,WAAW;oBAC3B,cAAc,EAAE,EAAE,CAAC,cAAc;oBACjC,QAAQ,EAAE,EAAE,CAAC,QAAQ;iBACtB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,IAAI;SACR,OAAO,CAAC,wBAAwB,EAAE,CAAC,CAAC,EAAE,EAAU,EAAE,EAAU,EAAE,EAAE,CAAC,GAAG,EAAE,mBAAmB,EAAE,EAAE,CAAC;SAC9F,IAAI,EAAE;SACN,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AACnB,CAAC;AAED,uEAAuE;AAEvE,KAAK,UAAU,kBAAkB,CAC/B,GAAW;IAEX,MAAM,QAAQ,GAA2D,EAAE,CAAC;IAE5E,yBAAyB;IACzB,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC,CAAC;IAClE,MAAM,cAAc,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACxE,MAAM,cAAc,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,CAAC;IAEnE,IAAI,CAAC,cAAc;QAAE,OAAO,QAAQ,CAAC;IAErC,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC;IAClE,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAEjC,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,IAAI,EAAE;YAChD,GAAG,EAAE,GAAG;YACR,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAA4B,CAAC;QAChE,MAAM,eAAe,GAAG,CAAC,SAAS,CAAC,eAAe,IAAI,SAAS,CAAC,UAAU,IAAI,EAAE,CAG/E,CAAC;QAEF,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;YAC1D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC,CAAC;YAC1D,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,0BAA0B;gBAChC,IAAI,EAAE,cAAc;gBACpB,IAAI,EAAE,CAAC;gBACP,IAAI,EAAE,GAAG,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;gBACnD,WAAW,EAAE,IAAI,CAAC,KAAK,IAAI,oBAAoB,GAAG,EAAE;gBACpD,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,UAAU,GAAG,wBAAwB;gBAC5E,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,yDAAyD;QACzD,0DAA0D;IAC5D,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,QAAQ,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;QAC/B,KAAK,UAAU;YACb,OAAO,UAAU,CAAC;QACpB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,UAAU,CAAC;QAChB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED,uEAAuE;AAEvE,KAAK,UAAU,cAAc,CAC3B,GAAW;IAEX,MAAM,QAAQ,GAA2D,EAAE,CAAC;IAE5E,kBAAkB;IAClB,IAAI,gBAAgB,GAAG,EAAE,CAAC;IAC1B,IAAI,CAAC;QACH,gBAAgB,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,EAAE,OAAO,CAAC,CAAC;IACtE,CAAC;IAAC,MAAM,CAAC;QACP,gBAAgB;QAChB,IAAI,MAAM,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;YACxC,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,CAAC;gBACP,IAAI,EAAE,EAAE;gBACR,WAAW,EAAE,uCAAuC;gBACpD,cAAc,EAAE,oFAAoF;gBACpG,QAAQ,EAAE,QAAQ;aACnB,CAAC,CAAC;QACL,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,4CAA4C;IAC5C,KAAK,MAAM,aAAa,IAAI,oBAAoB,EAAE,CAAC;QACjD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC,CAAC;QAC1D,IAAI,MAAM,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACxD,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,0BAA0B;gBAChC,IAAI,EAAE,aAAa;gBACnB,IAAI,EAAE,CAAC;gBACP,IAAI,EAAE,EAAE;gBACR,WAAW,EAAE,mBAAmB,aAAa,mCAAmC;gBAChF,cAAc,EAAE,QAAQ,aAAa,+CAA+C;gBACpF,QAAQ,EAAE,MAAM;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,uEAAuE;AAEvE,SAAS,cAAc,CAAC,QAAgB,EAAE,IAAY,EAAE,MAAc,EAAE,GAAW;IACjF,wDAAwD;IACxD,MAAM,UAAU,GAAG,QAAQ,GAAG,EAAE,GAAG,IAAI,GAAG,EAAE,GAAG,MAAM,GAAG,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;IACpE,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,UAAU,CAAC,CAAC;AACvC,CAAC;AAED,uEAAuE;AAEvE,SAAS,aAAa,CAAC,CAAkD;IACvE,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;IACnC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,IAAY;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,sEAAsE;AAEtE,SAAS,YAAY,CAAC,MAAsB;IAC1C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACtC,KAAK,CAAC,IAAI,CAAC,UAAU,MAAM,CAAC,KAAK,MAAM,CAAC,CAAC;IACzC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,MAAM,QAAQ,GAAuC;QACnD,CAAC,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC;QAC7B,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC;QACrB,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC;QACzB,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC;KACpB,CAAC;IAEF,KAAK,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QACpC,KAAK,CAAC,IAAI,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAChD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACxD,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,KAAK,GAAG,EAAE,CAAC,CAAC;YACnC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YACjC,IAAI,CAAC,CAAC,IAAI;gBAAE,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC5C,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC;QAC3C,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @yuaone/tools — shell_exec tool
|
|
3
|
+
*
|
|
4
|
+
* Executes a command using execFile (no shell interpretation).
|
|
5
|
+
* - executable + args[] pattern (not a string command)
|
|
6
|
+
* - Shell metacharacter validation
|
|
7
|
+
* - Blocked commands (rm -rf /, sudo, chmod 777, etc.)
|
|
8
|
+
* - 30-second default timeout
|
|
9
|
+
* - stdout/stderr separate return
|
|
10
|
+
*/
|
|
11
|
+
import type { ParameterDef, RiskLevel, ToolResult } from './types.js';
|
|
12
|
+
import { BaseTool } from './base-tool.js';
|
|
13
|
+
export declare class ShellExecTool extends BaseTool {
|
|
14
|
+
readonly name = "shell_exec";
|
|
15
|
+
readonly description: string;
|
|
16
|
+
readonly riskLevel: RiskLevel;
|
|
17
|
+
readonly parameters: Record<string, ParameterDef>;
|
|
18
|
+
execute(args: Record<string, unknown>, workDir: string, abortSignal?: AbortSignal): Promise<ToolResult>;
|
|
19
|
+
}
|
|
20
|
+
//# sourceMappingURL=shell-exec.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"shell-exec.d.ts","sourceRoot":"","sources":["../src/shell-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAO1C,qBAAa,aAAc,SAAQ,QAAQ;IACzC,QAAQ,CAAC,IAAI,gBAAgB;IAC7B,QAAQ,CAAC,WAAW,SAEiC;IACrD,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAc;IAE3C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CA4B/C;IAEI,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;CAwJ9G"}
|