agentsmesh 0.20.0 → 0.21.0

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## 0.21.0
+
+### Minor Changes
+
+- b1efca1: Harden install pipeline against third-party supply-chain attacks.
+  - **Strip elevated artifacts from non-local sources by default.** `hooks.yaml`, `permissions.yaml`, and `mcp.json` are now removed from any pack installed from a `github:`, `gitlab:`, or `git+...` source unless you opt in. These three files control your agent's tool settings (shell hooks, granted permissions, MCP launch specs) and a malicious pack shipping any of them could otherwise execute arbitrary local commands the next time the matching event fires. Opt in per-artifact with `--accept-hooks`, `--accept-permissions`, `--accept-mcp`, or all three with `--accept-elevated`. Local sources remain trusted as before.
+  - **Skill supporting-file traversal no longer follows symlinks.** A pack containing `skills/foo/keys -> /Users/victim/.ssh` previously pulled external bytes (private keys, etc.) into the canonical skill content. Skill traversal now uses the existing `readDirRecursiveNoSymlinks` helper, mirroring the hardening already applied to install-manifest hashing.
+  - **Redact credentials from remote-fetch error output.** `oauth2:<token>@`, `x-access-token:<token>@`, and any other userinfo-bearing URLs are now masked (`https://***@host/...`) in console warnings and thrown error messages so GitHub PATs and GitLab tokens never leak into CI logs, terminal scrollback, or log shippers.
+  - **Gate `git+file://` sources behind `AGENTSMESH_ALLOW_LOCAL_GIT=1`.** On shared/multi-tenant hosts a `git+file:///tmp/world-writable-repo` `extends:` clause could silently consume a repo planted by another user; combined with downstream elevated-artifact emission this was a local priv-esc vector. Set `AGENTSMESH_ALLOW_LOCAL_GIT=1` to enable for closed-network development.
+  - **Allowlist tar entry types on GitHub tarball extraction.** Previously only `Link` and `SymbolicLink` were rejected (denylist). Now only `File` and `Directory` entries extract; FIFOs, devices, hardlinks, and any future/exotic tar variant are rejected by default.
+
+  These changes apply to `agentsmesh install`, `agentsmesh refresh`, and any `extends:` resolution against a non-local source. They are behavior changes for users who were silently inheriting hooks/permissions/mcp from a remote pack — re-run with the matching `--accept-*` flag (or `--accept-elevated`) to preserve previous behavior intentionally.
+
 ## 0.20.0
 
 ### Minor Changes

package/README.md

@@ -233,6 +233,7 @@ agentsmesh check [--global]
 agentsmesh merge [--global]
 agentsmesh matrix [--global] [--targets <csv>] [--verbose]
 agentsmesh install <source> [--sync] [--path <dir>] [--target <id>] [--as <kind>] [--name <id>] [--extends] [--all] [--dry-run] [--global] [--force]
+                            [--accept-hooks|--accept-permissions|--accept-mcp|--accept-elevated]
 agentsmesh uninstall <name>[,<name>...] [--all] [--keep-pack] [--keep-generated] [--dry-run] [--global] [--force]
 agentsmesh installs list [--global]
 agentsmesh refresh [<name>[,<name>...]] [--dry-run] [--force] [--json] [--global]

package/dist/canonical.js

@@ -185,6 +185,33 @@ async function readDirRecursive(dir, visited, branchSegments) {
     );
   }
 }
+async function readDirRecursiveNoSymlinks(dir, branchSegments) {
+  const currentBranchSegments = branchSegments ?? [basename(dir)];
+  try {
+    const entries = await readdir(dir, { withFileTypes: true });
+    const files = [];
+    for (const ent of entries) {
+      if (ent.isSymbolicLink()) continue;
+      const full = join(dir, ent.name);
+      if (ent.isDirectory()) {
+        const nextSegments = [...currentBranchSegments, ent.name];
+        if (shouldSkipRecursiveBranch(nextSegments)) continue;
+        files.push(...await readDirRecursiveNoSymlinks(full, nextSegments));
+      } else if (ent.isFile()) {
+        files.push(full);
+      }
+    }
+    return files;
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT" || e.code === "ENOTDIR" || e.code === "EACCES") return [];
+    throw new FileSystemError(
+      dir,
+      `Failed to read directory ${dir}: ${e.message}. Check permissions.`,
+      { cause: err, errnoCode: e.code }
+    );
+  }
+}
 var MAX_RECURSIVE_DEPTH, MAX_SEGMENT_REPETITIONS;
 var init_fs_traverse = __esm({
   "src/utils/filesystem/fs-traverse.ts"() {
@@ -18731,6 +18758,19 @@ init_fs();
 
 // src/config/remote/git-remote.ts
 init_fs();
+
+// src/utils/output/redact-url-secrets.ts
+var URL_WITH_CREDENTIALS = /([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)([^/@\s"'<>]+)@([^\s"'<>]+)/g;
+function redactUrlSecrets(message) {
+  return message.replace(
+    URL_WITH_CREDENTIALS,
+    (_full, scheme, _userinfo, rest) => {
+      return `${scheme}***@${rest}`;
+    }
+  );
+}
+
+// src/config/remote/git-remote.ts
 var execFileAsync = promisify(execFile);
 var REPO_DIRNAME = "repo";
 function ensureNotFlag(value, kind) {
@@ -18764,12 +18804,13 @@ async function fetchGitRemoteExtend(parsed, extendName, options, cacheDir, build
     await rm(stagedRoot, { recursive: true, force: true });
     const allowFallback = options.allowOfflineFallback !== false;
     if (allowFallback && await hasCachedRepo(cacheRepoDir)) {
+      const rawMsg = err instanceof Error ? err.message : String(err);
       console.warn(
-        `[agentsmesh] Remote fetch failed for ${extendName}; using cached version. Error: ${err instanceof Error ? err.message : String(err)}`
+        `[agentsmesh] Remote fetch failed for ${extendName}; using cached version. Error: ${redactUrlSecrets(rawMsg)}`
       );
       return readCachedRepo(cacheRepoDir);
     }
-    throw err;
+    throw err instanceof Error ? Object.assign(new Error(redactUrlSecrets(err.message)), { cause: err.cause }) : err;
   }
 }
 async function readCachedRepo(repoDir) {
@@ -18930,13 +18971,14 @@ async function fetchGithubRemoteExtend(parsed, extendName, options, cacheDir, bu
     if (allowFallback && await exists(extractDir)) {
       const topDir2 = await findExtractTopDir(extractDir);
       if (topDir2) {
+        const rawMsg = err instanceof Error ? err.message : String(err);
         console.warn(
-          `[agentsmesh] Network failed for ${extendName}; using cached version. Error: ${err instanceof Error ? err.message : String(err)}`
+          `[agentsmesh] Network failed for ${extendName}; using cached version. Error: ${redactUrlSecrets(rawMsg)}`
         );
         return { resolvedPath: join(extractDir, topDir2), version: tag };
       }
     }
-    throw err;
+    throw err instanceof Error ? Object.assign(new Error(redactUrlSecrets(err.message)), { cause: err.cause }) : err;
   }
   await rm(extractDir, { recursive: true, force: true });
   await mkdir(extractDir, { recursive: true });
@@ -18947,12 +18989,14 @@ async function fetchGithubRemoteExtend(parsed, extendName, options, cacheDir, bu
       file: tarPath,
       cwd: extractDir,
       strict: true,
+      // Allowlist entry types instead of denylist: only `File` and `Directory`
+      // can be extracted. Hardlinks (`Link`), symlinks (`SymbolicLink`), FIFOs,
+      // character/block devices, and any future/exotic tar entry type are
+      // rejected. A denylist would silently let an unknown variant through.
       filter: (entryPath, entry) => {
         if (isZipSlipPath(entryPath)) return false;
-        if (entry && "type" in entry && (entry.type === "Link" || entry.type === "SymbolicLink")) {
-          return false;
-        }
-        return true;
+        const type = entry && "type" in entry ? entry.type : void 0;
+        return type === "File" || type === "Directory";
       }
     });
   } finally {
@@ -19050,8 +19094,11 @@ function parseGitSource(source) {
     return null;
   }
   const allowInsecure = process.env.AGENTSMESH_ALLOW_INSECURE_GIT === "1" || process.env.AGENTSMESH_ALLOW_INSECURE_GIT === "true";
-  const allowedProtocols = allowInsecure ? ["https:", "http:", "ssh:", "file:"] : ["https:", "ssh:", "file:"];
-  if (!allowedProtocols.includes(parsedUrl.protocol)) {
+  const allowLocalGit = process.env.AGENTSMESH_ALLOW_LOCAL_GIT === "1" || process.env.AGENTSMESH_ALLOW_LOCAL_GIT === "true";
+  const allowed = ["https:", "ssh:"];
+  if (allowInsecure) allowed.push("http:");
+  if (allowLocalGit) allowed.push("file:");
+  if (!allowed.includes(parsedUrl.protocol)) {
     return null;
   }
   return { url, ref };
@@ -19576,6 +19623,7 @@ async function parseAgents(agentsDir, opts = {}) {
 
 // src/canonical/features/skills.ts
 init_fs();
+init_fs_traverse();
 init_markdown();
 init_boilerplate_filter();
 async function readContent(path) {
@@ -19594,7 +19642,7 @@ function sanitizeSkillName(raw) {
   return raw.toLowerCase().replace(/[^a-z0-9-]+/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
 }
 async function listSupportingFiles(skillDir) {
-  const files = await readDirRecursive(skillDir);
+  const files = await readDirRecursiveNoSymlinks(skillDir);
   const result = [];
   for (const absPath of files) {
     const raw = absPath.slice(skillDir.length + 1);