crypto-swap 1.1.2 → 1.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/SKILL.md +16 -9
- package/package.json +1 -1
- package/swap.js +10 -0
package/SKILL.md
CHANGED
|
@@ -2,15 +2,22 @@
|
|
|
2
2
|
name: crypto-swap
|
|
3
3
|
description: Lightning-fast crypto swaps. 240+ coins, best rates, done in minutes. Chat, CLI, or web — however you prefer.
|
|
4
4
|
metadata:
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
5
|
+
{
|
|
6
|
+
"openclaw":
|
|
7
|
+
{
|
|
8
|
+
"requires": { "bins": ["crypto-swap"] },
|
|
9
|
+
"install":
|
|
10
|
+
[
|
|
11
|
+
{
|
|
12
|
+
"id": "node",
|
|
13
|
+
"kind": "node",
|
|
14
|
+
"package": "crypto-swap",
|
|
15
|
+
"bins": ["crypto-swap"],
|
|
16
|
+
"label": "Install Crypto Swap CLI (npm)"
|
|
17
|
+
}
|
|
18
|
+
]
|
|
19
|
+
}
|
|
20
|
+
}
|
|
14
21
|
---
|
|
15
22
|
|
|
16
23
|
# Crypto Swap Skill (LightningEX)
|
package/package.json
CHANGED
package/swap.js
CHANGED
|
@@ -822,6 +822,16 @@ async function cmdUI(args) {
|
|
|
822
822
|
// Remove query string from URL
|
|
823
823
|
const urlPath = req.url.split('?')[0];
|
|
824
824
|
let filePath = path.join(uiDir, urlPath === '/' ? 'index.html' : urlPath);
|
|
825
|
+
|
|
826
|
+
// Prevent path traversal: ensure filePath is within uiDir
|
|
827
|
+
const resolvedPath = path.resolve(filePath);
|
|
828
|
+
const resolvedUiDir = path.resolve(uiDir);
|
|
829
|
+
if (!resolvedPath.startsWith(resolvedUiDir)) {
|
|
830
|
+
res.writeHead(403);
|
|
831
|
+
res.end('Forbidden');
|
|
832
|
+
return;
|
|
833
|
+
}
|
|
834
|
+
|
|
825
835
|
const ext = path.extname(filePath);
|
|
826
836
|
const contentType = {
|
|
827
837
|
'.html': 'text/html',
|