npm - cdpilot - Versions diffs - 0.1.1 → 0.1.2 - Mend

cdpilot 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +10 -0
package/package.json +3 -3
package/src/cdpilot.py +25 -12
package/src/__pycache__/cdpilot.cpython-314.pyc +0 -0

package/README.md CHANGED Viewed

@@ -261,6 +261,16 @@ Future paid offerings:
 - **Team dashboard** — Shared sessions, audit logs, usage analytics
 - **Priority support** — Direct help for enterprise integrations
+## Security
+- **Isolated browser profile** — cdpilot runs in `~/.cdpilot/profile`, separate from your daily browser. Your cookies, passwords, and history are never exposed.
+- **No arbitrary file access** — MCP screenshot filenames are sanitized and restricted to the screenshots directory. Path traversal is blocked.
+- **Safe CSS selectors** — All selectors passed to `querySelector` are JSON-escaped to prevent injection.
+- **No network exposure** — CDP listens on `127.0.0.1` only. Remote connections are not possible by default.
+- **No dependencies** — Zero npm/Python runtime dependencies means zero supply-chain attack surface.
+Found a vulnerability? Please email the maintainer directly instead of opening a public issue.
 ## Contributing
 ```bash

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cdpilot",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "Zero-dependency browser automation from your terminal. One command, full control.",
   "bin": {
     "cdpilot": "./bin/cdpilot.js",
@@ -15,7 +15,7 @@
     "devtools", "headless", "screenshot", "testing", "web-scraping",
     "ai-agent", "mcp", "claude", "brave"
   ],
-  "author": "",
+  "author": "Mehmet Nadir",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -26,7 +26,7 @@
   },
   "files": [
     "bin/",
-    "src/",
+    "src/cdpilot.py",
     "README.md",
     "LICENSE"
   ]

package/src/cdpilot.py CHANGED Viewed

@@ -11,10 +11,10 @@ Usage:
 Environment:
   CDP_PORT             CDP debugging port (default: 9222)
   CHROME_BIN           Browser binary path (auto-detected if not set)
-  BROWSERCTL_PROFILE   Isolated browser profile directory
+  CDPILOT_PROFILE      Isolated browser profile directory
 """
-__version__ = "0.1.1"
+__version__ = "0.1.2"
 import asyncio
 import json
@@ -903,9 +903,10 @@ async def cmd_eval(js_code):
 async def cmd_click(selector):
     ws, _ = get_page_ws()
+    safe_sel = json.dumps(selector)
     js = f"""(function() {{
-        const el = document.querySelector('{selector}');
-        if (!el) return 'Not found: {selector}';
+        const el = document.querySelector({safe_sel});
+        if (!el) return 'Not found: ' + {safe_sel};
         el.scrollIntoView({{behavior:'smooth', block:'center'}});
         el.click();
         return 'Clicked: ' + el.tagName + ' ' + (el.textContent || '').substring(0, 60).trim();
@@ -917,10 +918,11 @@ async def cmd_click(selector):
 async def cmd_fill(selector, value):
     """Fill an input field (React/Vue compatible)."""
     ws, _ = get_page_ws()
+    safe_sel = json.dumps(selector)
     safe_value = json.dumps(value)
     js = f"""(function() {{
-        const el = document.querySelector('{selector}');
-        if (!el) return 'Not found: {selector}';
+        const el = document.querySelector({safe_sel});
+        if (!el) return 'Not found: ' + {safe_sel};
         el.focus();
         const nativeSet = Object.getOwnPropertyDescriptor(
             window.HTMLInputElement.prototype, 'value'
@@ -936,9 +938,10 @@ async def cmd_fill(selector, value):
 async def cmd_submit(selector="form"):
     ws, _ = get_page_ws()
+    safe_sel = json.dumps(selector)
     js = f"""(function() {{
-        const form = document.querySelector('{selector}');
-        if (!form) return 'Form not found: {selector}';
+        const form = document.querySelector({safe_sel});
+        if (!form) return 'Form not found: ' + {safe_sel};
         const btn = form.querySelector('button[type=submit], input[type=submit], button:last-of-type');
         if (btn) {{ btn.click(); return 'Submit clicked: ' + btn.textContent.trim(); }}
         form.submit();
@@ -950,15 +953,16 @@ async def cmd_submit(selector="form"):
 async def cmd_wait(selector, timeout=5):
     ws, _ = get_page_ws()
+    safe_sel = json.dumps(selector)
     js = f"""new Promise((resolve) => {{
-        const el = document.querySelector('{selector}');
+        const el = document.querySelector({safe_sel});
         if (el) return resolve('Found: ' + el.tagName + ' ' + (el.textContent||'').substring(0,60).trim());
         const obs = new MutationObserver(() => {{
-            const el = document.querySelector('{selector}');
+            const el = document.querySelector({safe_sel});
             if (el) {{ obs.disconnect(); resolve('Found: ' + el.tagName + ' ' + (el.textContent||'').substring(0,60).trim()); }}
         }});
         obs.observe(document.body, {{childList:true, subtree:true}});
-        setTimeout(() => {{ obs.disconnect(); resolve('Timeout: {selector} not found ({timeout}s)'); }}, {int(timeout)*1000});
+        setTimeout(() => {{ obs.disconnect(); resolve('Timeout: ' + {safe_sel} + ' not found ({timeout}s)'); }}, {int(timeout)*1000});
     }})"""
     r = await cdp_send(ws, [(1, "Runtime.evaluate", {"expression": js, "returnByValue": True, "awaitPromise": True})])
     print(r.get(1, {}).get("result", {}).get("value", "?"))
@@ -2270,11 +2274,20 @@ class MCPServer:
         else:
             return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32601, "message": f"Method not found: {method}"}}
+    @staticmethod
+    def _safe_filename(name):
+        import re
+        base = os.path.basename(name)
+        base = re.sub(r'[^\w.\-]', '_', base)
+        if not base.lower().endswith('.png'):
+            base += '.png'
+        return os.path.join(SCREENSHOT_DIR, base)
     def _execute_tool(self, req_id, tool_name, args):
         import io, subprocess
         tool_map = {
             "browser_navigate": lambda a: ["go", a.get("url", "")],
-            "browser_screenshot": lambda a: ["shot"] + ([a["filename"]] if a.get("filename") else []),
+            "browser_screenshot": lambda a: ["shot"] + ([self._safe_filename(a["filename"])] if a.get("filename") else []),
             "browser_click": lambda a: ["click", a.get("selector", "")],
             "browser_type": lambda a: ["type", a.get("selector", ""), a.get("text", "")],
             "browser_content": lambda a: ["content"],

package/src/__pycache__/cdpilot.cpython-314.pyc DELETED Viewed

Binary file