@zoobbe/cli 1.1.0 → 1.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/commands/auth.js +11 -2
- package/src/lib/client.js +5 -0
- package/src/lib/config.js +16 -1
package/package.json
CHANGED
package/src/commands/auth.js
CHANGED
|
@@ -16,7 +16,16 @@ auth
|
|
|
16
16
|
.action(async (options) => {
|
|
17
17
|
try {
|
|
18
18
|
if (options.url) {
|
|
19
|
-
|
|
19
|
+
// Validate URL format and enforce HTTPS
|
|
20
|
+
try {
|
|
21
|
+
const parsed = new URL(options.url);
|
|
22
|
+
if (parsed.protocol !== 'https:' && !parsed.hostname.match(/^(localhost|127\.0\.0\.1)$/)) {
|
|
23
|
+
return error('API URL must use HTTPS. Only localhost is allowed over HTTP.');
|
|
24
|
+
}
|
|
25
|
+
config.set('apiUrl', options.url);
|
|
26
|
+
} catch {
|
|
27
|
+
return error('Invalid URL format.');
|
|
28
|
+
}
|
|
20
29
|
}
|
|
21
30
|
|
|
22
31
|
let apiKey = options.token;
|
|
@@ -107,7 +116,7 @@ auth
|
|
|
107
116
|
.action(() => {
|
|
108
117
|
const apiKey = config.get('apiKey');
|
|
109
118
|
if (apiKey) {
|
|
110
|
-
success(`Authenticated (key: ${apiKey.substring(0,
|
|
119
|
+
success(`Authenticated (key: ${apiKey.substring(0, 10)}...)`);
|
|
111
120
|
info(`API URL: ${config.get('apiUrl')}`);
|
|
112
121
|
if (config.get('activeWorkspaceName')) {
|
|
113
122
|
info(`Workspace: ${config.get('activeWorkspaceName')}`);
|
package/src/lib/client.js
CHANGED
|
@@ -26,6 +26,11 @@ class ZoobbeClient {
|
|
|
26
26
|
async request(method, path, body = null) {
|
|
27
27
|
this.ensureAuth();
|
|
28
28
|
|
|
29
|
+
// Reject path traversal attempts
|
|
30
|
+
if (path.includes('..') || path.includes('//')) {
|
|
31
|
+
throw new Error('Invalid request path');
|
|
32
|
+
}
|
|
33
|
+
|
|
29
34
|
const url = `${this.baseUrl}/v1${path}`;
|
|
30
35
|
const options = {
|
|
31
36
|
method,
|
package/src/lib/config.js
CHANGED
|
@@ -1,10 +1,18 @@
|
|
|
1
1
|
const Conf = require('conf');
|
|
2
2
|
const path = require('path');
|
|
3
3
|
const os = require('os');
|
|
4
|
+
const fs = require('fs');
|
|
5
|
+
|
|
6
|
+
const configDir = path.join(os.homedir(), '.zoobbe');
|
|
7
|
+
|
|
8
|
+
// Ensure config directory exists with restricted permissions (owner-only)
|
|
9
|
+
if (!fs.existsSync(configDir)) {
|
|
10
|
+
fs.mkdirSync(configDir, { mode: 0o700, recursive: true });
|
|
11
|
+
}
|
|
4
12
|
|
|
5
13
|
const config = new Conf({
|
|
6
14
|
projectName: 'zoobbe',
|
|
7
|
-
cwd:
|
|
15
|
+
cwd: configDir,
|
|
8
16
|
schema: {
|
|
9
17
|
apiKey: { type: 'string', default: '' },
|
|
10
18
|
apiUrl: { type: 'string', default: 'https://api.zoobbe.com' },
|
|
@@ -17,4 +25,11 @@ const config = new Conf({
|
|
|
17
25
|
},
|
|
18
26
|
});
|
|
19
27
|
|
|
28
|
+
// Lock down the config file (owner read/write only)
|
|
29
|
+
try {
|
|
30
|
+
fs.chmodSync(config.path, 0o600);
|
|
31
|
+
} catch {
|
|
32
|
+
// Ignore if chmod fails (e.g., Windows)
|
|
33
|
+
}
|
|
34
|
+
|
|
20
35
|
module.exports = config;
|