juggernaut-bedrock 4.2.3 → 4.2.5

  1. package/index.js +42 -10
  2. package/package.json +6 -6
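--- a/package/index.js
+++ b/package/index.js
@@ -2,7 +2,7 @@
 "use strict";
 
 var path = require("path");
-var child_process = require("child_process");
+var childProcess = require("node:child_process");
 var fs = require("fs");
 
 var PLATFORM_MAP = {
@@ -41,7 +41,6 @@ function containsPackage(pkgName) {
 
 /**
 * @param {string} pkgName
-* @param {string} platform
 * @returns {string}
 */
 function resolvePkgDir(pkgName) {
@@ -60,6 +59,33 @@ function getBinaryPath(pkgName, platform) {
 return path.join(resolvePkgDir(pkgName), "bin", binaryName); // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
 }
 
+/**
+* Resolves bin to a real absolute path and asserts it stays within
+* __dirname, preventing any tainted or traversed path from executing.
+* @param {string} binPath
+* @returns {string}
+*/
+function safeResolveBin(binPath) {
+var real = fs.realpathSync(binPath); // nosemgrep: javascript_pathtraversal_rule-non-literal-fs-filename, javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename
+var base = fs.realpathSync(__dirname); // nosemgrep: javascript_pathtraversal_rule-non-literal-fs-filename
+if (!real.startsWith(base + path.sep) && real !== base) {
+throw new Error("binary path escapes package directory: " + real);
+}
+return real;
+}
+
+function safeForwardArgs(args) {
+var forwarded = [];
+for (var i = 0; i < args.length; i++) {
+var arg = String(args[i]);
+if (arg.indexOf("\u0000") !== -1) {
+throw new Error("invalid NUL byte in argument");
+}
+forwarded.push(arg);
+}
+return forwarded;
+}
+
 if (require.main === module) {
 var pkg = getPlatformPackage(process.platform, process.arch);
 if (!pkg) {
@@ -70,23 +96,29 @@ if (require.main === module) {
 process.exit(1);
 }
 
-var bin = getBinaryPath(pkg, process.platform);
-// nosemgrep: javascript_pathtraversal_rule-non-literal-fs-filename, javascript.lang.security.audit.detect-non-literal-fs-filename
-if (!fs.existsSync(bin)) {
+var binRaw = getBinaryPath(pkg, process.platform);
+if (!fs.existsSync(binRaw)) { // nosemgrep: javascript_pathtraversal_rule-non-literal-fs-filename, javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename
 process.stderr.write(
-"juggernaut-bedrock: binary not found at " + bin + "\n" +
+"juggernaut-bedrock: binary not found at " + binRaw + "\n" +
 "Try reinstalling: npm install -g juggernaut-bedrock\n" +
 "If the problem persists, file an issue: https://github.com/jpvelasco/juggernaut/issues\n"
 );
 process.exit(1);
 }
 
-// nosemgrep: javascript.lang.security.detect-child-process, javascript_exec_rule-child-process
-var result = child_process.spawnSync(bin, process.argv.slice(2), {
+var bin = safeResolveBin(binRaw);
+var args = safeForwardArgs(process.argv.slice(2));
+var result = childProcess.spawnSync(bin, args, {
 stdio: "inherit",
-env: process.env
+env: Object.assign({}, process.env),
+shell: false,
+windowsHide: true
 });
 process.exit(result.status !== null ? result.status : 1);
 }
 
-module.exports = { getPlatformPackage: getPlatformPackage, getBinaryPath: getBinaryPath };
+module.exports = {
+getPlatformPackage: getPlatformPackage,
+getBinaryPath: getBinaryPath,
+safeForwardArgs: safeForwardArgs
+};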
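Review bot: safeResolveBin (the new function in the `@@ -60,6 +59,33 @@` hunk) anchors its containment check on `__dirname`, but the path it receives comes from getBinaryPath → resolvePkgDir(pkg), where pkg is one of the separate platform packages listed under optionalDependencies (juggernaut-bedrock-linux-x64 and friends); resolvePkgDir's body is outside this hunk, but if it locates that package through normal module resolution, a hoisted local install or a pnpm symlink layout places the binary's realpath beside or outside `__dirname`, and every legitimate binary is then rejected with "binary path escapes package directory". Anchoring the check on the package that owns the binary keeps the intent and survives those layouts, e.g. `function safeResolveBin(binPath, pkgDir)` with `var base = fs.realpathSync(pkgDir);` and the caller passing `resolvePkgDir(pkg)`, with the docstring's "__dirname" wording updated to match. safeForwardArgs is newly exported in the last hunk but carries no JSDoc; a header such as `/** Copies argv entries as strings, rejecting any that contain a NUL byte. @param {string[]} args @returns {string[]} */` would match the neighbouring functions. Both new functions are fully contained in their hunk; the `if (require.main === module)` block they feed starts in that hunk and ends in the next one.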
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "juggernaut-bedrock",
3
- "version": "4.2.3",
3
+ "version": "4.2.5",
4
4
  "description": "Route Claude Code through Amazon Bedrock in one command — IAM, SSO, or API key. Cross-platform CLI for GenAI developers.",
5
5
  "bin": {
6
6
  "juggernaut": "./index.js"
@@ -9,11 +9,11 @@
9
9
  "test": "node --test index.test.js"
10
10
  },
11
11
  "optionalDependencies": {
12
- "juggernaut-bedrock-linux-x64": "4.2.3",
13
- "juggernaut-bedrock-linux-arm64": "4.2.3",
14
- "juggernaut-bedrock-darwin-x64": "4.2.3",
15
- "juggernaut-bedrock-darwin-arm64": "4.2.3",
16
- "juggernaut-bedrock-win32-x64": "4.2.3"
12
+ "juggernaut-bedrock-linux-x64": "4.2.5",
13
+ "juggernaut-bedrock-linux-arm64": "4.2.5",
14
+ "juggernaut-bedrock-darwin-x64": "4.2.5",
15
+ "juggernaut-bedrock-darwin-arm64": "4.2.5",
16
+ "juggernaut-bedrock-win32-x64": "4.2.5"
17
17
  },
18
18
  "os": [
19
19
  "darwin",