icoa-cli 2.1.8 → 2.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/env.js +10 -0
- package/dist/index.js +1 -1
- package/dist/lib/ctfd-client.d.ts +1 -0
- package/dist/lib/ctfd-client.js +25 -0
- package/dist/repl.js +14 -1
- package/package.json +1 -1
package/dist/commands/env.js
CHANGED
|
@@ -289,6 +289,16 @@ function showStatus() {
|
|
|
289
289
|
console.log(chalk.gray(' Then run icoa inside WSL for 100% tool compatibility'));
|
|
290
290
|
}
|
|
291
291
|
console.log(chalk.gray(' ─────────────────────────────────────────────'));
|
|
292
|
+
// Node.js version check
|
|
293
|
+
const nodeVer = process.versions.node;
|
|
294
|
+
const nodeMajor = parseInt(nodeVer.split('.')[0]);
|
|
295
|
+
if (nodeMajor >= 20) {
|
|
296
|
+
console.log(chalk.green(` ✓ Node.js ${nodeVer}`));
|
|
297
|
+
}
|
|
298
|
+
else {
|
|
299
|
+
console.log(chalk.red(` ✗ Node.js ${nodeVer}`) + chalk.gray(' (v20+ required)'));
|
|
300
|
+
console.log(chalk.gray(' Upgrade: https://nodejs.org/ or nvm install 22'));
|
|
301
|
+
}
|
|
292
302
|
// Python version check
|
|
293
303
|
const pyVer = getPythonMajorMinor();
|
|
294
304
|
const fullVer = getPythonFullVersion();
|
package/dist/index.js
CHANGED
|
@@ -36,7 +36,7 @@ ${LINE}
|
|
|
36
36
|
${chalk.white('Sydney, Australia')} ${chalk.gray('Jun 27 - Jul 2, 2026')}
|
|
37
37
|
${chalk.cyan.underline('https://icoa2026.au')}
|
|
38
38
|
|
|
39
|
-
${chalk.gray('CLI-Native Competition Terminal v2.1
|
|
39
|
+
${chalk.gray('CLI-Native Competition Terminal v2.2.1')}
|
|
40
40
|
|
|
41
41
|
${LINE}
|
|
42
42
|
`;
|
|
@@ -22,6 +22,7 @@ export declare class CTFdClient {
|
|
|
22
22
|
}>;
|
|
23
23
|
getChallengeFiles(id: number): Promise<string[]>;
|
|
24
24
|
downloadFile(filePath: string, destDir: string): Promise<string>;
|
|
25
|
+
getTokenViaIcoaApi(username: string, password: string): Promise<string | null>;
|
|
25
26
|
loginWithCredentials(username: string, password: string): Promise<{
|
|
26
27
|
token: string;
|
|
27
28
|
session: string;
|
package/dist/lib/ctfd-client.js
CHANGED
|
@@ -136,7 +136,32 @@ export class CTFdClient {
|
|
|
136
136
|
await pipeline(Readable.fromWeb(res.body), fileStream);
|
|
137
137
|
return destPath;
|
|
138
138
|
}
|
|
139
|
+
async getTokenViaIcoaApi(username, password) {
|
|
140
|
+
// Try ICOA token API (port 9090) first
|
|
141
|
+
try {
|
|
142
|
+
const res = await fetch(`${this.baseUrl}:9090/api/icoa/token`, {
|
|
143
|
+
method: 'POST',
|
|
144
|
+
headers: { 'Content-Type': 'application/json' },
|
|
145
|
+
body: JSON.stringify({ name: username, password }),
|
|
146
|
+
signal: AbortSignal.timeout(5000),
|
|
147
|
+
});
|
|
148
|
+
if (res.ok) {
|
|
149
|
+
const json = await res.json();
|
|
150
|
+
if (json.success && json.data?.token) {
|
|
151
|
+
return json.data.token;
|
|
152
|
+
}
|
|
153
|
+
}
|
|
154
|
+
}
|
|
155
|
+
catch { /* API not available, try standard flow */ }
|
|
156
|
+
return null;
|
|
157
|
+
}
|
|
139
158
|
async loginWithCredentials(username, password) {
|
|
159
|
+
// Try ICOA token API first (fastest path)
|
|
160
|
+
const icoaToken = await this.getTokenViaIcoaApi(username, password);
|
|
161
|
+
if (icoaToken) {
|
|
162
|
+
return { token: icoaToken, session: '', csrf: '' };
|
|
163
|
+
}
|
|
164
|
+
// Fallback: standard CTFd login flow
|
|
140
165
|
// Step 1: GET /login to get nonce
|
|
141
166
|
const loginPageRes = await fetch(`${this.baseUrl}/login`);
|
|
142
167
|
const loginHtml = await loginPageRes.text();
|
package/dist/repl.js
CHANGED
|
@@ -27,7 +27,7 @@ const BLOCKED_COMMANDS = new Set([
|
|
|
27
27
|
'iptables', 'ufw', // firewall
|
|
28
28
|
]);
|
|
29
29
|
const INTERCEPT = '__REPL_NO_EXIT__';
|
|
30
|
-
const VERSION = '2.1
|
|
30
|
+
const VERSION = '2.2.1';
|
|
31
31
|
export async function startRepl(program, resumeMode) {
|
|
32
32
|
const config = getConfig();
|
|
33
33
|
const connected = isConnected();
|
|
@@ -222,6 +222,19 @@ export async function startRepl(program, resumeMode) {
|
|
|
222
222
|
rl.prompt();
|
|
223
223
|
return;
|
|
224
224
|
}
|
|
225
|
+
// Block path escape attempts
|
|
226
|
+
if (/(?:^|\s)(?:\/(?!home\/|Users\/|tmp\/)|\.\.\/|~\/)/.test(input) && !input.startsWith('cd ')) {
|
|
227
|
+
// Allow relative paths within workspace, block absolute paths outside
|
|
228
|
+
const hasAbsPath = /(?:^|\s)\/(?!home\/\w+\/icoa-workspace|Users\/\w+\/icoa-workspace|tmp\/)/.test(input);
|
|
229
|
+
const hasParentPath = /\.\./.test(input);
|
|
230
|
+
if (hasAbsPath || hasParentPath) {
|
|
231
|
+
console.log(chalk.red(' Blocked: access outside workspace is not allowed.'));
|
|
232
|
+
console.log(chalk.gray(` Workspace: ${WORKSPACE}`));
|
|
233
|
+
console.log();
|
|
234
|
+
rl.prompt();
|
|
235
|
+
return;
|
|
236
|
+
}
|
|
237
|
+
}
|
|
225
238
|
// Force Python 3.12 — rewrite python/python3 to correct binary
|
|
226
239
|
let resolvedInput = input;
|
|
227
240
|
if (process.platform === 'darwin') {
|