alvin-bot 5.2.0 → 5.4.0

package/dist/services/ssrf-guard.js

@@ -0,0 +1,162 @@
+/**
+ * SSRF Guard — rejects requests to private/internal network destinations.
+ *
+ * Blocks:
+ *   - Non-http(s) schemes (file://, ftp://, etc.)
+ *   - IPv4 loopback (127.0.0.0/8), link-local (169.254.0.0/16 — incl. cloud
+ *     metadata endpoint 169.254.169.254), RFC-1918 private ranges
+ *     (10/8, 172.16/12, 192.168/16), and the catch-all 0.0.0.0
+ *   - IPv6 loopback (::1), ULA (fc00::/7), link-local (fe80::/10)
+ *
+ * Opt-out: set ALLOW_PRIVATE_FETCH=1 to disable blocking (for local dev /
+ * self-hosted setups). Default = blocked.
+ *
+ * No new runtime dependencies — uses Node's built-in `dns` and `net` modules.
+ */
+import dns from "dns";
+import net from "net";
+export class SsrfBlockedError extends Error {
+    url;
+    constructor(url, reason) {
+        super(`SSRF blocked: ${reason} (url: ${url})`);
+        this.name = "SsrfBlockedError";
+        this.url = url;
+    }
+}
+/**
+ * Return true if the given IPv4 address string falls into a private/reserved
+ * range (RFC-1918, loopback, link-local, unspecified).
+ *
+ * Ranges blocked:
+ *   0.0.0.0/8        — "this" network
+ *   10.0.0.0/8       — RFC-1918 class A
+ *   127.0.0.0/8      — loopback
+ *   169.254.0.0/16   — link-local (incl. IMDS 169.254.169.254)
+ *   172.16.0.0/12    — RFC-1918 class B (172.16–172.31)
+ *   192.168.0.0/16   — RFC-1918 class C
+ */
+function isPrivateIPv4(ip) {
+    const parts = ip.split(".").map(Number);
+    if (parts.length !== 4 || parts.some(p => isNaN(p) || p < 0 || p > 255)) {
+        return false; // not a valid IPv4 — let DNS resolve decide
+    }
+    const [a, b] = parts;
+    if (a === 0)
+        return true; // 0.0.0.0/8
+    if (a === 10)
+        return true; // 10.0.0.0/8
+    if (a === 127)
+        return true; // 127.0.0.0/8 loopback
+    if (a === 169 && b === 254)
+        return true; // 169.254.0.0/16 link-local
+    if (a === 172 && b >= 16 && b <= 31)
+        return true; // 172.16.0.0/12
+    if (a === 192 && b === 168)
+        return true; // 192.168.0.0/16
+    return false;
+}
+/**
+ * Return true if the given IPv6 address string falls into a blocked range.
+ *
+ * Ranges blocked:
+ *   ::1              — loopback
+ *   fc00::/7         — ULA (fc00:: – fdff::)
+ *   fe80::/10        — link-local
+ */
+function isPrivateIPv6(ip) {
+    // Node net.isIPv6 normalises the address but we need the raw string
+    // for prefix checks. Use the compressed form from net.
+    const normalized = ip.toLowerCase().replace(/^\[|\]$/g, "");
+    // Loopback
+    if (normalized === "::1")
+        return true;
+    // For prefix checks, expand just the first 16-bit group
+    const firstGroup = normalized.split(":")[0];
+    const value = parseInt(firstGroup || "0", 16);
+    // fc00::/7 — fc00 to fdff (bit 7 of first byte = 1, bit 6 = 1, bit 5 doesn't matter… easier: 0xfc00–0xfdff range for the first 16 bits)
+    // The /7 prefix means: binary prefix 1111110x — so 0xfc00 to 0xfdff
+    if (value >= 0xfc00 && value <= 0xfdff)
+        return true;
+    // fe80::/10 — fe80 to febf
+    if (value >= 0xfe80 && value <= 0xfebf)
+        return true;
+    return false;
+}
+/**
+ * Check whether a raw IP string (v4 or v6) is a private/internal address.
+ */
+function isPrivateIP(ip) {
+    const stripped = ip.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
+    if (net.isIPv4(stripped))
+        return isPrivateIPv4(stripped);
+    if (net.isIPv6(stripped))
+        return isPrivateIPv6(stripped);
+    return false;
+}
+/**
+ * Check the hostname from a URL — if it's a literal IP, classify immediately.
+ * If it's a hostname, resolve it via DNS and check every returned address.
+ *
+ * Throws SsrfBlockedError if any resolved address is private.
+ * Resolves void if all addresses are public (or DNS fails — fail-open on DNS
+ * errors so a temporary resolver blip doesn't DoS the bot; the risk is low
+ * because the per-host literal-IP checks run before DNS).
+ */
+async function checkHost(hostname, url) {
+    const bare = hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets for net.isIP
+    // Literal IP — no DNS needed
+    if (net.isIP(bare)) {
+        if (isPrivateIP(bare)) {
+            throw new SsrfBlockedError(url, `destination ${bare} is a private/loopback/link-local address`);
+        }
+        return;
+    }
+    // Named hostname — also catch obvious loopback hostnames without DNS
+    const lower = bare.toLowerCase();
+    if (lower === "localhost" || lower.endsWith(".localhost") || lower === "::1") {
+        throw new SsrfBlockedError(url, `destination hostname '${bare}' resolves to loopback`);
+    }
+    // DNS resolution — check every returned address
+    try {
+        const { promises: dnsPromises } = dns;
+        const addresses = await dnsPromises.resolve(bare);
+        for (const addr of addresses) {
+            if (isPrivateIP(addr)) {
+                throw new SsrfBlockedError(url, `destination hostname '${bare}' resolves to private address ${addr}`);
+            }
+        }
+    }
+    catch (err) {
+        // Re-throw our own error; swallow DNS failures (fail-open)
+        if (err instanceof SsrfBlockedError)
+            throw err;
+        // DNS error (ENOTFOUND, etc.) — let the actual fetch fail naturally
+    }
+}
+/**
+ * Assert that `url` is safe to fetch (not SSRF-risky).
+ *
+ * - Rejects non-http(s) schemes immediately (synchronous check).
+ * - Resolves hostnames to detect private IP destinations.
+ * - Respects ALLOW_PRIVATE_FETCH=1 for operator opt-out.
+ *
+ * Throws SsrfBlockedError when blocked.
+ * Resolves void when safe.
+ */
+export async function assertSsrfSafe(url) {
+    // Opt-out for trusted local / self-hosted environments
+    if (process.env.ALLOW_PRIVATE_FETCH === "1")
+        return;
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new SsrfBlockedError(url, "invalid URL");
+    }
+    const scheme = parsed.protocol; // includes trailing ':'
+    if (scheme !== "http:" && scheme !== "https:") {
+        throw new SsrfBlockedError(url, `scheme '${parsed.protocol}' is not allowed (only http/https)`);
+    }
+    await checkHost(parsed.hostname, url);
+}

package/dist/services/steer-channel.js

@@ -0,0 +1,46 @@
+const DEFAULT_CAP = 20;
+export class SteerChannel {
+    cap;
+    buf = [];
+    closed = false;
+    resolveNext = null;
+    constructor(cap = DEFAULT_CAP) {
+        this.cap = cap;
+    }
+    /** Push a message into the channel.
+     *  Returns true if the message was accepted, false if it was dropped
+     *  (channel closed or buffer cap reached). Callers must check the
+     *  return value to decide whether to send a 📨 ack or a bufferFull notice. */
+    push(text) {
+        if (this.closed)
+            return false;
+        if (this.buf.length >= this.cap) {
+            console.warn(`[steer-channel] cap ${this.cap} reached — dropping steer message`);
+            return false;
+        }
+        this.buf.push({ type: "user", message: { role: "user", content: text }, parent_tool_use_id: null });
+        const r = this.resolveNext;
+        this.resolveNext = null;
+        r?.();
+        return true;
+    }
+    close() {
+        if (this.closed)
+            return;
+        this.closed = true;
+        const r = this.resolveNext;
+        this.resolveNext = null;
+        r?.();
+    }
+    async *[Symbol.asyncIterator]() {
+        while (true) {
+            if (this.buf.length > 0) {
+                yield this.buf.shift();
+                continue;
+            }
+            if (this.closed)
+                return;
+            await new Promise((res) => { this.resolveNext = res; });
+        }
+    }
+}

package/dist/services/voice.js

@@ -21,9 +21,6 @@ export async function transcribeAudio(audioPath) {
     const bodyEnd = Buffer.from(`\r\n--${boundary}\r\n` +
         `Content-Disposition: form-data; name="model"\r\n\r\n` +
         `whisper-large-v3-turbo\r\n` +
-        `--${boundary}\r\n` +
-        `Content-Disposition: form-data; name="language"\r\n\r\n` +
-        `de\r\n` +
         `--${boundary}--\r\n`, "utf-8");
     const fullBody = Buffer.concat([bodyStart, fileBuffer, bodyEnd]);
     return new Promise((resolve, reject) => {

package/dist/web/server.js

@@ -77,6 +77,18 @@ function checkAuth(req) {
     const token = cookie.match(/alvinbot_token=([a-f0-9]+)/)?.[1];
     return token ? activeSessions.has(token) : false;
 }
+/** Returns true when the server is exposed to non-loopback addresses but
+ *  WEB_PASSWORD is empty.  In that state every mutating / exec endpoint is
+ *  hard-refused regardless of any session cookie. */
+function isExposedWithoutPassword() {
+    if (WEB_PASSWORD)
+        return false; // password set → normal auth path
+    const h = config.webHost;
+    // loopback addresses are safe even without a password
+    if (!h || h === "127.0.0.1" || h === "::1" || h === "localhost")
+        return false;
+    return true; // non-loopback + no password = exposed
+}
 // ── REST API ────────────────────────────────────────────
 async function handleAPI(req, res, urlPath, body) {
     res.setHeader("Content-Type", "application/json");
@@ -84,7 +96,14 @@ async function handleAPI(req, res, urlPath, body) {
     if (urlPath === "/api/login" && req.method === "POST") {
         try {
             const { password } = JSON.parse(body);
-            if (!WEB_PASSWORD || password === WEB_PASSWORD) {
+            // v5.x — refuse login entirely when WEB_PASSWORD is not set.
+            // Previously `!WEB_PASSWORD || password === WEB_PASSWORD` minted a
+            // session for ANY input (including "") when the env var was absent,
+            // effectively making every unauthenticated request a valid session.
+            // timingSafeBearerMatch already rejects empty expectedToken → reuse it
+            // by wrapping the provided password as a synthetic "Bearer <pw>" header.
+            const authOk = timingSafeBearerMatch(`Bearer ${password}`, WEB_PASSWORD);
+            if (authOk) {
                 const token = generateToken();
                 activeSessions.add(token);
                 res.setHeader("Set-Cookie", `alvinbot_token=${token}; Path=/; HttpOnly; SameSite=Strict; Max-Age=86400`);
@@ -141,6 +160,66 @@ async function handleAPI(req, res, urlPath, body) {
         res.end(JSON.stringify({ error: "Not authenticated" }));
         return;
     }
+    // Hard gate: when the web server is reachable from non-loopback addresses
+    // and WEB_PASSWORD is empty, mutating/exec endpoints are refused outright.
+    // Local dev (127.0.0.1 + no password) is intentionally unaffected.
+    // Endpoints that write files, execute commands, or modify configuration
+    // are in scope; read-only status/config endpoints are not gated.
+    const EXPOSED_DANGEROUS_ROUTES = new Set([
+        "/api/terminal",
+        "/api/skills/create",
+        "/api/skills/update",
+        "/api/skills/delete",
+        "/api/files/save",
+        "/api/files/delete",
+        "/api/env/set",
+        "/api/setup-wizard",
+        "/api/soul/save",
+        "/api/memory/save",
+        "/api/memory/delete",
+        "/api/session/reset",
+        // cron — /api/cron/add was wrong; real route is /api/cron/create
+        "/api/cron/create",
+        "/api/cron/update",
+        "/api/cron/delete",
+        "/api/cron/toggle",
+        "/api/cron/run",
+        "/api/plugin/install",
+        "/api/plugin/uninstall",
+        // shell / process exec
+        "/api/tools/execute",
+        "/api/sudo/exec",
+        "/api/sudo/setup",
+        "/api/sudo/admin-dialog",
+        "/api/sudo/revoke",
+        // key / env writes
+        "/api/providers/set-key",
+        "/api/providers/set-primary",
+        "/api/providers/set-fallbacks",
+        "/api/providers/add-custom",
+        "/api/providers/remove-custom",
+        // platform config writes (writes ENV vars / runs npm install)
+        "/api/platforms/configure",
+        "/api/platforms/install-deps",
+        // provider / fallback order writes
+        "/api/fallback",
+        "/api/fallback/move",
+        // MCP config writes
+        "/api/mcp/add",
+        "/api/mcp/remove",
+        // process restart (DoS vector)
+        "/api/restart",
+        // model switching (affects all users)
+        "/api/models/switch",
+        // WhatsApp auth / config writes
+        "/api/whatsapp/disconnect",
+        "/api/whatsapp/group-rules",
+    ]);
+    if (isExposedWithoutPassword() && EXPOSED_DANGEROUS_ROUTES.has(urlPath)) {
+        res.statusCode = 403;
+        res.end(JSON.stringify({ error: "refused: web exposed without WEB_PASSWORD" }));
+        return;
+    }
     // ── Setup APIs (platforms + models) ─────────────────
     const handled = await handleSetupAPI(req, res, urlPath, body);
     if (handled)
@@ -201,6 +280,9 @@ async function handleAPI(req, res, urlPath, body) {
             const envPath = ENV_FILE;
             let content = fs.existsSync(envPath) ? fs.readFileSync(envPath, "utf-8") : "";
             const setEnv = (key, value) => {
+                // M6 (centralized): reject values containing newline characters
+                if (/[\n\r]/.test(value))
+                    throw new Error("env value must not contain newline characters");
                 const regex = new RegExp(`^${key}=.*$`, "m");
                 if (regex.test(content)) {
                     content = content.replace(regex, `${key}=${value}`);
@@ -509,6 +591,12 @@ async function handleAPI(req, res, urlPath, body) {
     }
     // DELETE /api/users/:id — Kill session + delete user data
     if (urlPath.startsWith("/api/users/") && req.method === "DELETE") {
+        // Pattern route — gate here since EXPOSED_DANGEROUS_ROUTES can't express :id
+        if (isExposedWithoutPassword()) {
+            res.statusCode = 403;
+            res.end(JSON.stringify({ error: "refused: web exposed without WEB_PASSWORD" }));
+            return;
+        }
         const userId = parseInt(urlPath.split("/").pop() || "0");
         if (!userId) {
             res.statusCode = 400;
@@ -701,8 +789,27 @@ async function handleAPI(req, res, urlPath, body) {
                 res.end(JSON.stringify({ error: "id and name required" }));
                 return;
             }
+            // Security: reject id values that could escape SKILLS_DIR.
+            // Mirror the resolve+startsWith containment pattern used in /api/files/save (server.ts ~:921).
+            // Also guard against ids with path separators or absolute paths before
+            // resolve() ever runs, so the raw string never reaches the filesystem.
+            if (typeof id !== "string" ||
+                id.includes("..") ||
+                id.includes("/") ||
+                id.includes("\\") ||
+                path.isAbsolute(id)) {
+                res.statusCode = 400;
+                res.end(JSON.stringify({ error: "Invalid skill id" }));
+                return;
+            }
             const skillsDir = SKILLS_DIR;
             const skillDir = resolve(skillsDir, id);
+            // Belt-and-suspenders: resolved path must still be inside SKILLS_DIR
+            if (!skillDir.startsWith(skillsDir)) {
+                res.statusCode = 400;
+                res.end(JSON.stringify({ error: "Invalid skill id" }));
+                return;
+            }
             if (!fs.existsSync(skillDir))
                 fs.mkdirSync(skillDir, { recursive: true });
             const frontmatter = [
@@ -730,6 +837,22 @@ async function handleAPI(req, res, urlPath, body) {
     if (urlPath === "/api/skills/update" && req.method === "POST") {
         try {
             const { id, content } = JSON.parse(body);
+            // Security: same id containment as /api/skills/create
+            if (typeof id !== "string" ||
+                id.includes("..") ||
+                id.includes("/") ||
+                id.includes("\\") ||
+                path.isAbsolute(id)) {
+                res.statusCode = 400;
+                res.end(JSON.stringify({ error: "Invalid skill id" }));
+                return;
+            }
+            // Belt-and-suspenders: resolved path must still be inside SKILLS_DIR
+            if (!resolve(SKILLS_DIR, id).startsWith(SKILLS_DIR)) {
+                res.statusCode = 400;
+                res.end(JSON.stringify({ error: "Invalid skill id" }));
+                return;
+            }
             const skillPath = resolve(SKILLS_DIR, id, "SKILL.md");
             if (!fs.existsSync(skillPath)) {
                 // Try flat file
@@ -760,6 +883,16 @@ async function handleAPI(req, res, urlPath, body) {
     if (urlPath === "/api/skills/delete" && req.method === "POST") {
         try {
             const { id } = JSON.parse(body);
+            // Security: same raw-string id containment as /api/skills/create + /api/skills/update
+            if (typeof id !== "string" ||
+                id.includes("..") ||
+                id.includes("/") ||
+                id.includes("\\") ||
+                path.isAbsolute(id)) {
+                res.statusCode = 400;
+                res.end(JSON.stringify({ error: "Invalid skill id" }));
+                return;
+            }
             const skillDir = resolve(SKILLS_DIR, id);
             const flatFile = resolve(SKILLS_DIR, id + ".md");
             if (fs.existsSync(skillDir)) {
@@ -1036,6 +1169,13 @@ async function handleAPI(req, res, urlPath, body) {
                 res.end(JSON.stringify({ error: "Invalid key name" }));
                 return;
             }
+            // M6: reject values containing newline characters — they allow injecting
+            // extra .env lines (e.g. value="good\nEVIL=injected").
+            if (typeof value === "string" && /[\n\r]/.test(value)) {
+                res.statusCode = 400;
+                res.end(JSON.stringify({ error: "Invalid value: newline characters not allowed" }));
+                return;
+            }
             let envContent = fs.existsSync(ENV_FILE) ? fs.readFileSync(ENV_FILE, "utf-8") : "";
             const regex = new RegExp(`^${key}=.*$`, "m");
             if (regex.test(envContent)) {
@@ -1182,6 +1322,12 @@ async function handleAPI(req, res, urlPath, body) {
     }
     // DELETE /api/whatsapp/group-rules/:id — delete a group rule
     if (urlPath.match(/^\/api\/whatsapp\/group-rules\//) && req.method === "DELETE") {
+        // Pattern route — gate here since EXPOSED_DANGEROUS_ROUTES can't express :id
+        if (isExposedWithoutPassword()) {
+            res.statusCode = 403;
+            res.end(JSON.stringify({ error: "refused: web exposed without WEB_PASSWORD" }));
+            return;
+        }
         const groupId = decodeURIComponent(urlPath.split("/").slice(4).join("/"));
         const { deleteGroupRule } = await import("../platforms/whatsapp.js");
         const ok = deleteGroupRule(groupId);
@@ -1498,7 +1644,7 @@ function handleWebRequest(req, res) {
  */
 export function startWebServer() {
     stopRequested = false;
-    scheduleBindAttempt(WEB_PORT, 0);
+    scheduleBindAttempt(parseInt(process.env.WEB_PORT || "3100", 10), 0);
 }
 function scheduleBindAttempt(port, attempt) {
     if (stopRequested)
@@ -1598,9 +1744,13 @@ function scheduleBindAttempt(port, attempt) {
             if (actualWebPort !== originalPort) {
                 console.log(`   (Port ${originalPort} was busy, using ${actualWebPort} instead)`);
             }
-            if (bindHost === "0.0.0.0" && !process.env.WEB_PASSWORD) {
-                console.warn("⚠️ Web UI is bound to 0.0.0.0 but WEB_PASSWORD is empty — anyone on the LAN can log in. " +
-                    "Set WEB_PASSWORD in ~/.alvin-bot/.env or set WEB_HOST=127.0.0.1.");
+            if (isExposedWithoutPassword()) {
+                // Upgrade from warn to a clear one-time log: the hard gate (above in
+                // handleAPI) already blocks every mutating/exec route in this state,
+                // so this message explains why those calls are being refused.
+                console.log("[web] Non-loopback host with no WEB_PASSWORD: mutating/exec endpoints are disabled " +
+                    "(hard-refused 403). Set WEB_PASSWORD in ~/.alvin-bot/.env to unlock them, " +
+                    "or restrict to loopback with WEB_HOST=127.0.0.1.");
             }
         });
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "5.2.0",
+  "version": "5.4.0",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",
@@ -166,11 +166,9 @@
     "url": "git+https://github.com/alvbln/Alvin-Bot.git"
   },
   "dependencies": {
-    "@anthropic-ai/claude-agent-sdk": "^0.2.97",
+    "@anthropic-ai/claude-agent-sdk": "0.3.142",
     "@hapi/boom": "^10.0.1",
     "@slack/bolt": "^4.6.0",
-    "@types/node": "^22.0.0",
-    "@types/ws": "^8.18.1",
     "@whiskeysockets/baileys": "^6.7.21",
     "better-sqlite3": "^12.9.0",
     "dotenv": "^16.4.0",
@@ -179,16 +177,18 @@
     "node-edge-tts": "^1.2.10",
     "pino": "^10.3.1",
     "playwright": "^1.58.2",
-    "typescript": "^5.9.3",
     "whatsapp-web.js": "^1.34.6",
     "ws": "^8.19.0"
   },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.13",
+    "@types/node": "^22.0.0",
+    "@types/ws": "^8.18.1",
     "@vitest/ui": "^4.1.4",
     "electron": "^35.7.5",
     "electron-builder": "^26.8.1",
     "tsx": "^4.19.0",
+    "typescript": "^5.9.3",
     "vitest": "^4.1.4"
   },
   "homepage": "https://github.com/alvbln/Alvin-Bot",
@@ -196,9 +196,10 @@
     "node": ">=18.0.0"
   },
   "bugs": {
-    "url": "https://github.com/alvbln/alvin-bot/issues"
+    "url": "https://github.com/alvbln/Alvin-Bot/issues"
   },
   "overrides": {
-    "axios": "^1.15.0"
+    "axios": ">=1.8.2",
+    "protobufjs": ">=7.5.6"
   }
 }