agentgui 1.0.791 → 1.0.793

@@ -57,7 +57,11 @@ export function register(deps) {
57
57
  const body = await parseBody(req);
58
58
  const folderPath = body.path || STARTUP_CWD;
59
59
  try {
60
- const expandedPath = folderPath.startsWith('~') ? folderPath.replace('~', os.homedir()) : folderPath;
60
+ const expandedPath = path.resolve(folderPath.startsWith('~') ? folderPath.replace('~', os.homedir()) : folderPath);
61
+ if (!expandedPath.startsWith(os.homedir()) && !expandedPath.startsWith(STARTUP_CWD) && expandedPath !== '/') {
62
+ sendJSON(req, res, 403, { error: 'Path outside allowed directories' });
63
+ return;
64
+ }
61
65
  const entries = fs.readdirSync(expandedPath, { withFileTypes: true });
62
66
  const folders = entries
63
67
  .filter(e => e.isDirectory() && !e.name.startsWith('.'))
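Review bot: The allow-list test on the new `if` line compares raw string prefixes, so a sibling directory whose name merely begins with the home path (constructed example: `/home/alice-backup` when the home directory is `/home/alice`) still passes `startsWith(os.homedir())`. Compare on a path boundary instead, e.g. `const within = (base) => expandedPath === base || expandedPath.startsWith(base + path.sep);` and then test `within(os.homedir())` and `within(path.resolve(STARTUP_CWD))`. `path.resolve` does not follow symlinks, so a link inside an allowed directory still lets `readdirSync` list a target outside it; running `fs.realpathSync` on the path before the check would close that. The `expandedPath !== '/'` exemption keeps the filesystem root listable, which deserves a comment if it is intended. The handler starts and ends outside the hunk.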
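--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "agentgui",
- "version": "1.0.791",
+ "version": "1.0.793",
  "description": "Multi-agent ACP client with real-time communication",
  "type": "module",
  "main": "electron/main.js",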
@@ -2233,7 +2233,7 @@ class AgentGUIClient {
2233
2233
  const uDiv = document.createElement('div');
2234
2234
  uDiv.className = 'message message-user';
2235
2235
  uDiv.setAttribute('data-msg-id', m.id);
2236
- uDiv.innerHTML = `<div class="message-role">User<button class="msg-edit-btn" data-edit-msg="${m.id}" title="Edit and re-run">&#9998;</button></div>${this.renderMessageContent(m.content)}<div class="message-timestamp">${new Date(m.created_at).toLocaleString()}</div>`;
2236
+ uDiv.innerHTML = `<div class="message-role">User<button class="msg-edit-btn" data-edit-msg="${this.escapeHtml(m.id)}" title="Edit and re-run">&#9998;</button></div>${this.renderMessageContent(m.content)}<div class="message-timestamp">${new Date(m.created_at).toLocaleString()}</div>`;
2237
2237
  frag.appendChild(uDiv);
2238
2238
  }
2239
2239
  const isActive = sid === activeSessionId;
@@ -2270,7 +2270,7 @@ class AgentGUIClient {
2270
2270
  const uDiv = document.createElement('div');
2271
2271
  uDiv.className = 'message message-user';
2272
2272
  uDiv.setAttribute('data-msg-id', m.id);
2273
- uDiv.innerHTML = `<div class="message-role">User</div>${this.renderMessageContent(m.content)}<div class="message-timestamp">${new Date(m.created_at).toLocaleString()}</div>`;
2273
+ uDiv.innerHTML = `<div class="message-role">User<button class="msg-edit-btn" data-edit-msg="${this.escapeHtml(m.id)}" title="Edit and re-run">&#9998;</button></div>${this.renderMessageContent(m.content)}<div class="message-timestamp">${new Date(m.created_at).toLocaleString()}</div>`;
2274
2274
  frag.appendChild(uDiv);
2275
2275
  }
2276
2276
  messagesContainer.appendChild(frag);
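Review bot: The new `data-edit-msg="${this.escapeHtml(m.id)}"` on both changed `innerHTML` lines (this hunk and the one at line 2236) is only safe if `escapeHtml` also encodes double quotes; its body is not in this diff, and helpers built on a `textContent`/`innerHTML` round trip leave `"` untouched, which is not enough inside an attribute value. The line just above already sets the same id with `uDiv.setAttribute('data-msg-id', m.id)`, so the button can be built the same way: `const btn = document.createElement('button'); btn.dataset.editMsg = m.id;`. `this.renderMessageContent(m.content)` is still interpolated as markup, so it should carry a comment stating that it returns sanitized HTML, if that is the case. The second hunk also adds the edit button where there was none before, which the escaping fix alone would not require. Both enclosing methods start and end outside the hunks.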
@@ -1425,7 +1425,7 @@ class StreamingRenderer {
1425
1425
  div.innerHTML = `
1426
1426
  <div style="display:flex;align-items:center;gap:0.5rem;padding:0.25rem 0.5rem;font-size:0.75rem;color:var(--color-text-secondary)">
1427
1427
  ${statusIcons[status] || statusIcons.pending}
1428
- <span>${statusLabels[status] || status}</span>
1428
+ <span>${statusLabels[status] || this.escapeHtml(status)}</span>
1429
1429
  </div>
1430
1430
  `;
1431
1431
  return div;
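Review bot: On the changed `<span>` line, `statusLabels[status]` is looked up before the escaped fallback, so a `status` that names an inherited property (for example `constructor`) yields a truthy non-label value that is written into `innerHTML` unescaped; the `statusIcons[status]` line above has the same lookup pattern. Assuming both are plain object literals (they are defined outside the hunk), guard with an own-property test: `const label = Object.hasOwn(statusLabels, status) ? statusLabels[status] : this.escapeHtml(String(status));`. The enclosing method starts and ends outside the hunk.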