alvin-bot 5.3.0 → 5.4.0

package/dist/web/server.js

@@ -77,6 +77,18 @@ function checkAuth(req) {
     const token = cookie.match(/alvinbot_token=([a-f0-9]+)/)?.[1];
     return token ? activeSessions.has(token) : false;
 }
+/** Returns true when the server is exposed to non-loopback addresses but
+ *  WEB_PASSWORD is empty.  In that state every mutating / exec endpoint is
+ *  hard-refused regardless of any session cookie. */
+function isExposedWithoutPassword() {
+    if (WEB_PASSWORD)
+        return false; // password set → normal auth path
+    const h = config.webHost;
+    // loopback addresses are safe even without a password
+    if (!h || h === "127.0.0.1" || h === "::1" || h === "localhost")
+        return false;
+    return true; // non-loopback + no password = exposed
+}
 // ── REST API ────────────────────────────────────────────
 async function handleAPI(req, res, urlPath, body) {
     res.setHeader("Content-Type", "application/json");
@@ -84,7 +96,14 @@ async function handleAPI(req, res, urlPath, body) {
     if (urlPath === "/api/login" && req.method === "POST") {
         try {
             const { password } = JSON.parse(body);
-            if (!WEB_PASSWORD || password === WEB_PASSWORD) {
+            // v5.x — refuse login entirely when WEB_PASSWORD is not set.
+            // Previously `!WEB_PASSWORD || password === WEB_PASSWORD` minted a
+            // session for ANY input (including "") when the env var was absent,
+            // effectively making every unauthenticated request a valid session.
+            // timingSafeBearerMatch already rejects empty expectedToken → reuse it
+            // by wrapping the provided password as a synthetic "Bearer <pw>" header.
+            const authOk = timingSafeBearerMatch(`Bearer ${password}`, WEB_PASSWORD);
+            if (authOk) {
                 const token = generateToken();
                 activeSessions.add(token);
                 res.setHeader("Set-Cookie", `alvinbot_token=${token}; Path=/; HttpOnly; SameSite=Strict; Max-Age=86400`);
@@ -141,6 +160,66 @@ async function handleAPI(req, res, urlPath, body) {
         res.end(JSON.stringify({ error: "Not authenticated" }));
         return;
     }
+    // Hard gate: when the web server is reachable from non-loopback addresses
+    // and WEB_PASSWORD is empty, mutating/exec endpoints are refused outright.
+    // Local dev (127.0.0.1 + no password) is intentionally unaffected.
+    // Endpoints that write files, execute commands, or modify configuration
+    // are in scope; read-only status/config endpoints are not gated.
+    const EXPOSED_DANGEROUS_ROUTES = new Set([
+        "/api/terminal",
+        "/api/skills/create",
+        "/api/skills/update",
+        "/api/skills/delete",
+        "/api/files/save",
+        "/api/files/delete",
+        "/api/env/set",
+        "/api/setup-wizard",
+        "/api/soul/save",
+        "/api/memory/save",
+        "/api/memory/delete",
+        "/api/session/reset",
+        // cron — /api/cron/add was wrong; real route is /api/cron/create
+        "/api/cron/create",
+        "/api/cron/update",
+        "/api/cron/delete",
+        "/api/cron/toggle",
+        "/api/cron/run",
+        "/api/plugin/install",
+        "/api/plugin/uninstall",
+        // shell / process exec
+        "/api/tools/execute",
+        "/api/sudo/exec",
+        "/api/sudo/setup",
+        "/api/sudo/admin-dialog",
+        "/api/sudo/revoke",
+        // key / env writes
+        "/api/providers/set-key",
+        "/api/providers/set-primary",
+        "/api/providers/set-fallbacks",
+        "/api/providers/add-custom",
+        "/api/providers/remove-custom",
+        // platform config writes (writes ENV vars / runs npm install)
+        "/api/platforms/configure",
+        "/api/platforms/install-deps",
+        // provider / fallback order writes
+        "/api/fallback",
+        "/api/fallback/move",
+        // MCP config writes
+        "/api/mcp/add",
+        "/api/mcp/remove",
+        // process restart (DoS vector)
+        "/api/restart",
+        // model switching (affects all users)
+        "/api/models/switch",
+        // WhatsApp auth / config writes
+        "/api/whatsapp/disconnect",
+        "/api/whatsapp/group-rules",
+    ]);
+    if (isExposedWithoutPassword() && EXPOSED_DANGEROUS_ROUTES.has(urlPath)) {
+        res.statusCode = 403;
+        res.end(JSON.stringify({ error: "refused: web exposed without WEB_PASSWORD" }));
+        return;
+    }
     // ── Setup APIs (platforms + models) ─────────────────
     const handled = await handleSetupAPI(req, res, urlPath, body);
     if (handled)
@@ -201,6 +280,9 @@ async function handleAPI(req, res, urlPath, body) {
             const envPath = ENV_FILE;
             let content = fs.existsSync(envPath) ? fs.readFileSync(envPath, "utf-8") : "";
             const setEnv = (key, value) => {
+                // M6 (centralized): reject values containing newline characters
+                if (/[\n\r]/.test(value))
+                    throw new Error("env value must not contain newline characters");
                 const regex = new RegExp(`^${key}=.*$`, "m");
                 if (regex.test(content)) {
                     content = content.replace(regex, `${key}=${value}`);
@@ -509,6 +591,12 @@ async function handleAPI(req, res, urlPath, body) {
     }
     // DELETE /api/users/:id — Kill session + delete user data
     if (urlPath.startsWith("/api/users/") && req.method === "DELETE") {
+        // Pattern route — gate here since EXPOSED_DANGEROUS_ROUTES can't express :id
+        if (isExposedWithoutPassword()) {
+            res.statusCode = 403;
+            res.end(JSON.stringify({ error: "refused: web exposed without WEB_PASSWORD" }));
+            return;
+        }
         const userId = parseInt(urlPath.split("/").pop() || "0");
         if (!userId) {
             res.statusCode = 400;
@@ -701,8 +789,27 @@ async function handleAPI(req, res, urlPath, body) {
                 res.end(JSON.stringify({ error: "id and name required" }));
                 return;
             }
+            // Security: reject id values that could escape SKILLS_DIR.
+            // Mirror the resolve+startsWith containment pattern used in /api/files/save (server.ts ~:921).
+            // Also guard against ids with path separators or absolute paths before
+            // resolve() ever runs, so the raw string never reaches the filesystem.
+            if (typeof id !== "string" ||
+                id.includes("..") ||
+                id.includes("/") ||
+                id.includes("\\") ||
+                path.isAbsolute(id)) {
+                res.statusCode = 400;
+                res.end(JSON.stringify({ error: "Invalid skill id" }));
+                return;
+            }
             const skillsDir = SKILLS_DIR;
             const skillDir = resolve(skillsDir, id);
+            // Belt-and-suspenders: resolved path must still be inside SKILLS_DIR
+            if (!skillDir.startsWith(skillsDir)) {
+                res.statusCode = 400;
+                res.end(JSON.stringify({ error: "Invalid skill id" }));
+                return;
+            }
             if (!fs.existsSync(skillDir))
                 fs.mkdirSync(skillDir, { recursive: true });
             const frontmatter = [
@@ -730,6 +837,22 @@ async function handleAPI(req, res, urlPath, body) {
     if (urlPath === "/api/skills/update" && req.method === "POST") {
         try {
             const { id, content } = JSON.parse(body);
+            // Security: same id containment as /api/skills/create
+            if (typeof id !== "string" ||
+                id.includes("..") ||
+                id.includes("/") ||
+                id.includes("\\") ||
+                path.isAbsolute(id)) {
+                res.statusCode = 400;
+                res.end(JSON.stringify({ error: "Invalid skill id" }));
+                return;
+            }
+            // Belt-and-suspenders: resolved path must still be inside SKILLS_DIR
+            if (!resolve(SKILLS_DIR, id).startsWith(SKILLS_DIR)) {
+                res.statusCode = 400;
+                res.end(JSON.stringify({ error: "Invalid skill id" }));
+                return;
+            }
             const skillPath = resolve(SKILLS_DIR, id, "SKILL.md");
             if (!fs.existsSync(skillPath)) {
                 // Try flat file
@@ -760,6 +883,16 @@ async function handleAPI(req, res, urlPath, body) {
     if (urlPath === "/api/skills/delete" && req.method === "POST") {
         try {
             const { id } = JSON.parse(body);
+            // Security: same raw-string id containment as /api/skills/create + /api/skills/update
+            if (typeof id !== "string" ||
+                id.includes("..") ||
+                id.includes("/") ||
+                id.includes("\\") ||
+                path.isAbsolute(id)) {
+                res.statusCode = 400;
+                res.end(JSON.stringify({ error: "Invalid skill id" }));
+                return;
+            }
             const skillDir = resolve(SKILLS_DIR, id);
             const flatFile = resolve(SKILLS_DIR, id + ".md");
             if (fs.existsSync(skillDir)) {
@@ -1036,6 +1169,13 @@ async function handleAPI(req, res, urlPath, body) {
                 res.end(JSON.stringify({ error: "Invalid key name" }));
                 return;
             }
+            // M6: reject values containing newline characters — they allow injecting
+            // extra .env lines (e.g. value="good\nEVIL=injected").
+            if (typeof value === "string" && /[\n\r]/.test(value)) {
+                res.statusCode = 400;
+                res.end(JSON.stringify({ error: "Invalid value: newline characters not allowed" }));
+                return;
+            }
             let envContent = fs.existsSync(ENV_FILE) ? fs.readFileSync(ENV_FILE, "utf-8") : "";
             const regex = new RegExp(`^${key}=.*$`, "m");
             if (regex.test(envContent)) {
@@ -1182,6 +1322,12 @@ async function handleAPI(req, res, urlPath, body) {
     }
     // DELETE /api/whatsapp/group-rules/:id — delete a group rule
     if (urlPath.match(/^\/api\/whatsapp\/group-rules\//) && req.method === "DELETE") {
+        // Pattern route — gate here since EXPOSED_DANGEROUS_ROUTES can't express :id
+        if (isExposedWithoutPassword()) {
+            res.statusCode = 403;
+            res.end(JSON.stringify({ error: "refused: web exposed without WEB_PASSWORD" }));
+            return;
+        }
         const groupId = decodeURIComponent(urlPath.split("/").slice(4).join("/"));
         const { deleteGroupRule } = await import("../platforms/whatsapp.js");
         const ok = deleteGroupRule(groupId);
@@ -1498,7 +1644,7 @@ function handleWebRequest(req, res) {
  */
 export function startWebServer() {
     stopRequested = false;
-    scheduleBindAttempt(WEB_PORT, 0);
+    scheduleBindAttempt(parseInt(process.env.WEB_PORT || "3100", 10), 0);
 }
 function scheduleBindAttempt(port, attempt) {
     if (stopRequested)
@@ -1598,9 +1744,13 @@ function scheduleBindAttempt(port, attempt) {
             if (actualWebPort !== originalPort) {
                 console.log(`   (Port ${originalPort} was busy, using ${actualWebPort} instead)`);
             }
-            if (bindHost === "0.0.0.0" && !process.env.WEB_PASSWORD) {
-                console.warn("⚠️ Web UI is bound to 0.0.0.0 but WEB_PASSWORD is empty — anyone on the LAN can log in. " +
-                    "Set WEB_PASSWORD in ~/.alvin-bot/.env or set WEB_HOST=127.0.0.1.");
+            if (isExposedWithoutPassword()) {
+                // Upgrade from warn to a clear one-time log: the hard gate (above in
+                // handleAPI) already blocks every mutating/exec route in this state,
+                // so this message explains why those calls are being refused.
+                console.log("[web] Non-loopback host with no WEB_PASSWORD: mutating/exec endpoints are disabled " +
+                    "(hard-refused 403). Set WEB_PASSWORD in ~/.alvin-bot/.env to unlock them, " +
+                    "or restrict to loopback with WEB_HOST=127.0.0.1.");
             }
         });
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "5.3.0",
+  "version": "5.4.0",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",
@@ -166,11 +166,9 @@
     "url": "git+https://github.com/alvbln/Alvin-Bot.git"
   },
   "dependencies": {
-    "@anthropic-ai/claude-agent-sdk": "^0.2.97",
+    "@anthropic-ai/claude-agent-sdk": "0.3.142",
     "@hapi/boom": "^10.0.1",
     "@slack/bolt": "^4.6.0",
-    "@types/node": "^22.0.0",
-    "@types/ws": "^8.18.1",
     "@whiskeysockets/baileys": "^6.7.21",
     "better-sqlite3": "^12.9.0",
     "dotenv": "^16.4.0",
@@ -179,16 +177,18 @@
     "node-edge-tts": "^1.2.10",
     "pino": "^10.3.1",
     "playwright": "^1.58.2",
-    "typescript": "^5.9.3",
     "whatsapp-web.js": "^1.34.6",
     "ws": "^8.19.0"
   },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.13",
+    "@types/node": "^22.0.0",
+    "@types/ws": "^8.18.1",
     "@vitest/ui": "^4.1.4",
     "electron": "^35.7.5",
     "electron-builder": "^26.8.1",
     "tsx": "^4.19.0",
+    "typescript": "^5.9.3",
     "vitest": "^4.1.4"
   },
   "homepage": "https://github.com/alvbln/Alvin-Bot",
@@ -196,9 +196,10 @@
     "node": ">=18.0.0"
   },
   "bugs": {
-    "url": "https://github.com/alvbln/alvin-bot/issues"
+    "url": "https://github.com/alvbln/Alvin-Bot/issues"
   },
   "overrides": {
-    "axios": "^1.15.0"
+    "axios": ">=1.8.2",
+    "protobufjs": ">=7.5.6"
   }
 }