npm - codex-plugin-doctor - Versions diffs - 1.10.0 → 1.12.1 - Mend

codex-plugin-doctor 1.10.0 → 1.12.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md +2 -2
package/dist/core/review-bundle.js +49 -6
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -358,9 +358,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: Esquetta/CodexPluginDoctor@v1.10.0
+      - uses: Esquetta/CodexPluginDoctor@v1.12.1
         with:
-          version: "1.10.0"
+          version: "1.12.1"
           path: .
           runtime: "true"
           policy: codex-publish

package/dist/core/review-bundle.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { createHash } from "node:crypto";
-import { mkdir, readFile, stat, writeFile } from "node:fs/promises";
+import { mkdir, readFile, realpath, stat, writeFile } from "node:fs/promises";
 import path from "node:path";
 import { buildDoctorAttestation, renderDoctorAttestationJson, verifyDoctorAttestation } from "./attestation.js";
 import { buildDoctorReleaseEvidenceReport, renderDoctorReleaseEvidenceJson, verifyDoctorReleaseEvidence } from "./release-evidence.js";
@@ -46,6 +46,25 @@ function relativeBundleFiles() {
         releaseEvidenceJson: "release-evidence.json"
     };
 }
+function isPathInsideDirectory(candidatePath, directoryPath) {
+    const relativePath = path.relative(directoryPath, candidatePath);
+    return relativePath === "" || (!relativePath.startsWith("..") && !path.isAbsolute(relativePath));
+}
+async function resolveBundleArtifactPath(bundleDirectory, relativePath) {
+    const resolvedBundleDirectory = path.resolve(bundleDirectory);
+    const artifactPath = path.resolve(resolvedBundleDirectory, relativePath);
+    if (!isPathInsideDirectory(artifactPath, resolvedBundleDirectory)) {
+        throw new Error("Bundle artifact path resolves outside the bundle directory.");
+    }
+    const [canonicalBundleDirectory, canonicalArtifactPath] = await Promise.all([
+        realpath(resolvedBundleDirectory),
+        realpath(artifactPath)
+    ]);
+    if (!isPathInsideDirectory(canonicalArtifactPath, canonicalBundleDirectory)) {
+        throw new Error("Bundle artifact canonical path resolves outside the bundle directory.");
+    }
+    return canonicalArtifactPath;
+}
 function bundleStatus(runtimePolicy, releaseEvidence) {
     if (runtimePolicy.status === "fail" || releaseEvidence.status === "fail") {
         return "fail";
@@ -167,7 +186,7 @@ export function renderDoctorReviewBundleJson(bundle) {
     return JSON.stringify(bundle.manifest, null, 2);
 }
 async function readBundleJsonFile(bundleDirectory, relativePath) {
-    return readJsonFile(path.join(bundleDirectory, relativePath));
+    return readJsonFile(await resolveBundleArtifactPath(bundleDirectory, relativePath));
 }
 async function readBundleDiffSnapshot(bundleDirectory) {
     const manifestArtifact = await readBundleJsonFile(bundleDirectory, "manifest.json");
@@ -344,7 +363,8 @@ export async function verifyDoctorReviewBundle(bundleDirectory, options) {
     const files = manifest?.files ?? relativeBundleFiles();
     for (const [fileKey, relativePath] of Object.entries(files)) {
         try {
-            const fileStat = await stat(path.join(resolvedBundleDirectory, relativePath));
+            const artifactPath = await resolveBundleArtifactPath(resolvedBundleDirectory, relativePath);
+            const fileStat = await stat(artifactPath);
             checks.push({
                 id: `review_bundle.file.${fileKey}`,
                 status: fileStat.isFile() ? "pass" : "fail",
@@ -404,7 +424,28 @@ export async function verifyDoctorReviewBundle(bundleDirectory, options) {
                 continue;
             }
             try {
-                const content = await readFile(path.join(resolvedBundleDirectory, expected.path));
+                const declaredPath = files[fileKey];
+                if (expected.path !== declaredPath) {
+                    integrityStatus = "fail";
+                    checks.push({
+                        id: `review_bundle.integrity.${fileKey}.path`,
+                        status: "fail",
+                        message: `${expected.path} does not match the declared bundle file path.`
+                    });
+                    continue;
+                }
+                const resolvedIntegrityPath = path.resolve(resolvedBundleDirectory, expected.path);
+                if (!isPathInsideDirectory(resolvedIntegrityPath, resolvedBundleDirectory)) {
+                    integrityStatus = "fail";
+                    checks.push({
+                        id: `review_bundle.integrity.${fileKey}.path`,
+                        status: "fail",
+                        message: `${expected.path} resolves outside the review bundle directory.`
+                    });
+                    continue;
+                }
+                const integrityPath = await resolveBundleArtifactPath(resolvedBundleDirectory, expected.path);
+                const content = await readFile(integrityPath);
                 const digest = sha256(content);
                 const matches = digest === expected.digest && content.byteLength === expected.bytes;
                 if (!matches) {
@@ -472,7 +513,8 @@ export async function verifyDoctorReviewBundle(bundleDirectory, options) {
         });
     }
     try {
-        attestation = await verifyDoctorAttestation(path.join(resolvedBundleDirectory, files.attestationJson), targetPath, { signingKey: options.signingKey });
+        const attestationPath = await resolveBundleArtifactPath(resolvedBundleDirectory, files.attestationJson);
+        attestation = await verifyDoctorAttestation(attestationPath, targetPath, { signingKey: options.signingKey });
         checks.push({
             id: "review_bundle.attestation",
             status: attestation.status,
@@ -489,7 +531,8 @@ export async function verifyDoctorReviewBundle(bundleDirectory, options) {
         });
     }
     try {
-        releaseEvidence = await verifyDoctorReleaseEvidence(path.join(resolvedBundleDirectory, files.releaseEvidenceJson), {
+        const releaseEvidencePath = await resolveBundleArtifactPath(resolvedBundleDirectory, files.releaseEvidenceJson);
+        releaseEvidence = await verifyDoctorReleaseEvidence(releaseEvidencePath, {
             signingKey: options.signingKey,
             targetPath
         });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "codex-plugin-doctor",
-  "version": "1.10.0",
+  "version": "1.12.1",
   "description": "CLI-first validator for Codex plugins, skills, and MCP package surfaces with runtime MCP protocol validation.",
   "type": "module",
   "main": "./dist/index.js",