keystone-cli 0.4.4 → 0.5.1

package/src/runner/mcp-client.audit.test.ts

@@ -0,0 +1,79 @@
+import { afterEach, beforeEach, describe, expect, it, mock, spyOn } from 'bun:test';
+import * as child_process from 'node:child_process';
+import { MCPClient } from './mcp-client';
+
+import { Readable, Writable } from 'node:stream';
+
+describe('MCPClient Audit Fixes', () => {
+  let spawnSpy: ReturnType<typeof spyOn>;
+
+  beforeEach(() => {
+    spawnSpy = spyOn(child_process, 'spawn').mockReturnValue({
+      stdout: new Readable({ read() {} }),
+      stdin: new Writable({
+        write(c, e, cb) {
+          cb();
+        },
+      }),
+      kill: () => {},
+      on: () => {},
+      // biome-ignore lint/suspicious/noExplicitAny: Mocking complex object
+    } as any);
+  });
+
+  afterEach(() => {
+    spawnSpy.mockRestore();
+  });
+
+  it('should filter sensitive environment variables', async () => {
+    // Set temp environment variables
+    process.env.TEST_API_KEY_LEAK = 'secret_value';
+    process.env.TEST_SAFE_VAR = 'safe_value';
+    process.env.TEST_TOKEN_XYZ = 'secret_token';
+
+    try {
+      await MCPClient.createLocal('node', [], { EXPLICIT_SECRET: 'allowed' });
+
+      // Assert spawn arguments
+      // args: [0]=command, [1]=args, [2]=options
+      const call = spawnSpy.mock.lastCall;
+      if (!call) throw new Error('spawn not called');
+
+      const envArg = call[2].env;
+
+      // Safe vars should remain
+      expect(envArg.TEST_SAFE_VAR).toBe('safe_value');
+
+      // Explicitly passed vars should remain
+      expect(envArg.EXPLICIT_SECRET).toBe('allowed');
+
+      // Sensitive vars should be filtered
+      expect(envArg.TEST_API_KEY_LEAK).toBeUndefined();
+      expect(envArg.TEST_TOKEN_XYZ).toBeUndefined();
+    } finally {
+      // Cleanup
+      process.env.TEST_API_KEY_LEAK = undefined;
+      process.env.TEST_SAFE_VAR = undefined;
+      process.env.TEST_TOKEN_XYZ = undefined;
+    }
+  });
+
+  it('should allow whitelisted sensitive vars if explicitly provided', async () => {
+    process.env.TEST_API_KEY_LEAK = 'secret_value';
+
+    try {
+      // User explicitly asks to pass this env var
+      await MCPClient.createLocal('node', [], {
+        TEST_API_KEY_LEAK: process.env.TEST_API_KEY_LEAK as string,
+      });
+
+      const call = spawnSpy.mock.lastCall;
+      if (!call) throw new Error('spawn not called');
+      const envArg = call[2].env;
+
+      expect(envArg.TEST_API_KEY_LEAK).toBe('secret_value');
+    } finally {
+      process.env.TEST_API_KEY_LEAK = undefined;
+    }
+  });
+});

package/src/runner/mcp-client.ts

@@ -2,6 +2,12 @@ import { type ChildProcess, spawn } from 'node:child_process';
 import { type Interface, createInterface } from 'node:readline';
 import pkg from '../../package.json' with { type: 'json' };
 
+// MCP Protocol version - update when upgrading to newer MCP spec
+export const MCP_PROTOCOL_VERSION = '2024-11-05';
+
+// Maximum buffer size for incoming messages (10MB) to prevent memory exhaustion
+const MAX_BUFFER_SIZE = 10 * 1024 * 1024;
+
 interface MCPTool {
   name: string;
   description?: string;
@@ -33,8 +39,19 @@ class StdConfigTransport implements MCPTransport {
   private rl: Interface;
 
   constructor(command: string, args: string[] = [], env: Record<string, string> = {}) {
+    // Filter out sensitive environment variables from the host process
+    // unless they are explicitly provided in the 'env' argument
+    const safeEnv: Record<string, string> = {};
+    const sensitivePattern = /(?:key|token|secret|password|credential|auth|private)/i;
+
+    for (const [key, value] of Object.entries(process.env)) {
+      if (value && !sensitivePattern.test(key)) {
+        safeEnv[key] = value;
+      }
+    }
+
     this.process = spawn(command, args, {
-      env: { ...process.env, ...env },
+      env: { ...safeEnv, ...env },
       stdio: ['pipe', 'pipe', 'inherit'],
     });
 
@@ -53,6 +70,14 @@ class StdConfigTransport implements MCPTransport {
 
   onMessage(callback: (message: MCPResponse) => void): void {
     this.rl.on('line', (line) => {
+      // Safety check for extremely long lines that might have bypassed readline's internal limits
+      if (line.length > MAX_BUFFER_SIZE) {
+        process.stderr.write(
+          `[MCP Error] Received line exceeding maximum size (${line.length} bytes), ignoring.\n`
+        );
+        return;
+      }
+
       try {
         const response = JSON.parse(line) as MCPResponse;
         callback(response);
@@ -78,6 +103,7 @@ class SSETransport implements MCPTransport {
   private onMessageCallback?: (message: MCPResponse) => void;
   private abortController: AbortController | null = null;
   private sessionId?: string;
+  private activeReaders: Set<ReadableStreamDefaultReader<Uint8Array>> = new Set();
 
   constructor(url: string, headers: Record<string, string> = {}) {
     this.url = url;
@@ -140,6 +166,9 @@ class SSETransport implements MCPTransport {
             return;
           }
 
+          // Track reader for cleanup
+          this.activeReaders.add(reader);
+
           // Process the stream in the background
           (async () => {
             let buffer = '';
@@ -160,14 +189,26 @@ class SSETransport implements MCPTransport {
                     resolve();
                   }
                 } else if (!currentEvent.event || currentEvent.event === 'message') {
-                  // If we get a message before an endpoint, assume the URL itself is the endpoint
+                  // If we get a message before an endpoint, verify it's a valid JSON-RPC message
+                  // before assuming the URL itself is the endpoint.
                   // (Common in some MCP over SSE implementations like GitHub's)
                   if (!this.endpoint) {
-                    this.endpoint = this.url;
-                    if (!isResolved) {
-                      isResolved = true;
-                      clearTimeout(timeoutId);
-                      resolve();
+                    try {
+                      const msg = JSON.parse(currentEvent.data || '{}');
+                      if (
+                        msg &&
+                        typeof msg === 'object' &&
+                        (msg.jsonrpc === '2.0' || msg.id !== undefined)
+                      ) {
+                        this.endpoint = this.url;
+                        if (!isResolved) {
+                          isResolved = true;
+                          clearTimeout(timeoutId);
+                          resolve();
+                        }
+                      }
+                    } catch (e) {
+                      // Not a valid JSON message, ignore for endpoint discovery
                     }
                   }
 
@@ -193,7 +234,12 @@ class SSETransport implements MCPTransport {
                   break;
                 }
 
-                buffer += decoder.decode(value, { stream: true });
+                const decoded = decoder.decode(value, { stream: true });
+                if (buffer.length + decoded.length > MAX_BUFFER_SIZE) {
+                  throw new Error(`SSE buffer size limit exceeded (${MAX_BUFFER_SIZE} bytes)`);
+                }
+                buffer += decoded;
+
                 const lines = buffer.split(/\r\n|\r|\n/);
                 buffer = lines.pop() || '';
 
@@ -207,6 +253,12 @@ class SSETransport implements MCPTransport {
                     currentEvent.event = line.substring(6).trim();
                   } else if (line.startsWith('data:')) {
                     const data = line.substring(5).trim();
+                    if (
+                      currentEvent.data &&
+                      currentEvent.data.length + data.length > MAX_BUFFER_SIZE
+                    ) {
+                      throw new Error(`SSE data size limit exceeded (${MAX_BUFFER_SIZE} bytes)`);
+                    }
                     currentEvent.data = currentEvent.data ? `${currentEvent.data}\n${data}` : data;
                   }
                 }
@@ -229,6 +281,8 @@ class SSETransport implements MCPTransport {
                 clearTimeout(timeoutId);
                 reject(err);
               }
+            } finally {
+              this.activeReaders.delete(reader);
             }
           })();
         } catch (err) {
@@ -244,7 +298,7 @@ class SSETransport implements MCPTransport {
       throw new Error('SSE transport not connected or endpoint not received');
     }
 
-    const headers = {
+    const headers: Record<string, string> = {
       'Content-Type': 'application/json',
       ...this.headers,
     };
@@ -273,6 +327,8 @@ class SSETransport implements MCPTransport {
     if (contentType?.includes('text/event-stream')) {
       const reader = response.body?.getReader();
       if (reader) {
+        // Track reader for cleanup
+        this.activeReaders.add(reader);
         (async () => {
           let buffer = '';
           const decoder = new TextDecoder();
@@ -302,7 +358,12 @@ class SSETransport implements MCPTransport {
                 break;
               }
 
-              buffer += decoder.decode(value, { stream: true });
+              const decoded = decoder.decode(value, { stream: true });
+              if (buffer.length + decoded.length > MAX_BUFFER_SIZE) {
+                throw new Error(`SSE buffer size limit exceeded (${MAX_BUFFER_SIZE} bytes)`);
+              }
+              buffer += decoded;
+
               const lines = buffer.split(/\r\n|\r|\n/);
               buffer = lines.pop() || '';
 
@@ -316,12 +377,20 @@ class SSETransport implements MCPTransport {
                   currentEvent.event = line.substring(6).trim();
                 } else if (line.startsWith('data:')) {
                   const data = line.substring(5).trim();
+                  if (
+                    currentEvent.data &&
+                    currentEvent.data.length + data.length > MAX_BUFFER_SIZE
+                  ) {
+                    throw new Error(`SSE data size limit exceeded (${MAX_BUFFER_SIZE} bytes)`);
+                  }
                   currentEvent.data = currentEvent.data ? `${currentEvent.data}\n${data}` : data;
                 }
               }
             }
           } catch (e) {
             // Ignore stream errors
+          } finally {
+            this.activeReaders.delete(reader);
           }
         })();
       }
@@ -333,6 +402,11 @@ class SSETransport implements MCPTransport {
   }
 
   close(): void {
+    // Cancel all active readers to prevent memory leaks
+    for (const reader of this.activeReaders) {
+      reader.cancel().catch(() => {});
+    }
+    this.activeReaders.clear();
     this.abortController?.abort();
   }
 }
@@ -401,25 +475,29 @@ export class MCPClient {
     };
 
     return new Promise((resolve, reject) => {
-      this.pendingRequests.set(id, resolve);
-      this.transport.send(message).catch((err) => {
-        this.pendingRequests.delete(id);
-        reject(err);
-      });
-
-      // Add a timeout
-      setTimeout(() => {
+      const timeoutId = setTimeout(() => {
         if (this.pendingRequests.has(id)) {
           this.pendingRequests.delete(id);
           reject(new Error(`MCP request timeout: ${method}`));
         }
       }, this.timeout);
+
+      this.pendingRequests.set(id, (response) => {
+        clearTimeout(timeoutId);
+        resolve(response);
+      });
+
+      this.transport.send(message).catch((err) => {
+        clearTimeout(timeoutId);
+        this.pendingRequests.delete(id);
+        reject(err);
+      });
     });
   }
 
   async initialize() {
     return this.request('initialize', {
-      protocolVersion: '2024-11-05',
+      protocolVersion: MCP_PROTOCOL_VERSION,
       capabilities: {},
       clientInfo: {
         name: 'keystone-cli',
@@ -445,6 +523,11 @@ export class MCPClient {
   }
 
   stop() {
+    // Reject all pending requests to prevent hanging callers
+    for (const [id, resolve] of this.pendingRequests) {
+      resolve({ id, error: { code: -1, message: 'MCP client stopped' } });
+    }
+    this.pendingRequests.clear();
     this.transport.close();
   }
 }

package/src/runner/shell-executor.test.ts

@@ -25,6 +25,7 @@ describe('shell-executor', () => {
       const step: ShellStep = {
         id: 'test',
         type: 'shell',
+        needs: [],
         run: 'echo "hello world"',
       };
 
@@ -37,6 +38,7 @@ describe('shell-executor', () => {
       const step: ShellStep = {
         id: 'test',
         type: 'shell',
+        needs: [],
         run: 'echo "${{ inputs.name }}"',
       };
       const customContext: ExpressionContext = {
@@ -52,6 +54,7 @@ describe('shell-executor', () => {
       const step: ShellStep = {
         id: 'test',
         type: 'shell',
+        needs: [],
         run: 'echo $TEST_VAR',
         env: {
           TEST_VAR: 'env-value',
@@ -66,6 +69,7 @@ describe('shell-executor', () => {
       const step: ShellStep = {
         id: 'test',
         type: 'shell',
+        needs: [],
         run: 'pwd',
         dir: '/tmp',
       };
@@ -78,6 +82,7 @@ describe('shell-executor', () => {
       const step: ShellStep = {
         id: 'test',
         type: 'shell',
+        needs: [],
         run: 'echo "error" >&2',
       };
 
@@ -89,6 +94,7 @@ describe('shell-executor', () => {
       const step: ShellStep = {
         id: 'test',
         type: 'shell',
+        needs: [],
         run: 'exit 1',
       };
 
@@ -96,28 +102,40 @@ describe('shell-executor', () => {
       expect(result.exitCode).toBe(1);
     });
 
-    it('should warn about shell injection risk', async () => {
-      const spy = console.warn;
-      let warned = false;
-      console.warn = (...args: unknown[]) => {
-        const msg = args[0];
-        if (
-          typeof msg === 'string' &&
-          msg.includes('WARNING: Command contains shell metacharacters')
-        ) {
-          warned = true;
-        }
+    it('should throw error on shell injection risk', async () => {
+      const step: ShellStep = {
+        id: 'test',
+        type: 'shell',
+        needs: [],
+        run: 'echo "hello" ; rm -rf /tmp/foo',
       };
 
+      await expect(executeShell(step, context)).rejects.toThrow(/Security Error/);
+    });
+
+    it('should allow legitimate shell variable expansion like ${HOME}', async () => {
       const step: ShellStep = {
         id: 'test',
         type: 'shell',
-        run: 'echo "hello" ; rm -rf /tmp/foo',
+        needs: [],
+        run: 'echo ${HOME}',
+      };
+
+      // Should NOT throw - ${HOME} is legitimate
+      const result = await executeShell(step, context);
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout.trim()).toBe(Bun.env.HOME || '');
+    });
+
+    it('should still block dangerous parameter expansion like ${IFS}', async () => {
+      const step: ShellStep = {
+        id: 'test',
+        type: 'shell',
+        needs: [],
+        run: 'echo ${IFS}',
       };
 
-      await executeShell(step, context);
-      expect(warned).toBe(true);
-      console.warn = spy; // Restore
+      await expect(executeShell(step, context)).rejects.toThrow(/Security Error/);
     });
   });
 });

package/src/runner/shell-executor.ts

@@ -60,23 +60,47 @@ export interface ShellResult {
  * Check if a command contains potentially dangerous shell metacharacters
  * Returns true if the command looks like it might contain unescaped user input
  */
+// Pre-compiled dangerous patterns for performance
+// These patterns are designed to detect likely injection attempts while minimizing false positives
+const DANGEROUS_PATTERNS: RegExp[] = [
+  /;\s*\w/, // Command chaining with semicolon (e.g., `; rm -rf /`)
+  /\|\s*(?:sh|bash|zsh|ksh|dash|csh|python|python[23]?|node|ruby|perl|php|lua)\b/, // Piping to shell/interpreter (download-and-execute pattern)
+  /\|\s*(?:sudo|su)\b/, // Piping to privilege escalation
+  /&&\s*(?:rm|chmod|chown|mkfs|dd)\b/, // AND chaining with destructive commands
+  /\|\|\s*(?:rm|chmod|chown|mkfs|dd)\b/, // OR chaining with destructive commands
+  /`[^`]+`/, // Command substitution with backticks
+  /\$\([^)]+\)/, // Command substitution with $()
+  />\s*\/dev\/null\s*2>&1\s*&/, // Backgrounding with hidden output (often malicious)
+  /rm\s+(-rf?|--recursive)\s+[\/~]/, // Dangerous recursive deletion
+  />\s*\/etc\//, // Writing to /etc
+  /curl\s+.*\|\s*(?:sh|bash)/, // Download and execute pattern
+  /wget\s+.*\|\s*(?:sh|bash)/, // Download and execute pattern
+  // Additional patterns for more comprehensive detection
+  /base64\s+(-d|--decode)\s*\|/, // Base64 decode piped to another command
+  /\beval\s+["'\$]/, // eval with variable/string (likely injection)
+  /\bexec\s+\d+[<>]/, // exec with file descriptor redirection
+  /python[23]?\s+-c\s*["']/, // Python one-liner with quoted code
+  /node\s+(-e|--eval)\s*["']/, // Node.js one-liner with quoted code
+  /perl\s+-e\s*["']/, // Perl one-liner with quoted code
+  /ruby\s+-e\s*["']/, // Ruby one-liner with quoted code
+  /\bdd\s+.*\bof=\//, // dd write operation to root paths
+  /chmod\s+[0-7]{3,4}\s+\/(?!tmp)/, // chmod on root paths (except /tmp)
+  /mkfs\./, // Filesystem formatting commands
+  // Targeted parameter expansion patterns (not all ${} usage)
+  /\$\{IFS[}:]/, // IFS manipulation (common injection technique)
+  /\$\{[^}]*\$\([^}]*\}/, // Command substitution inside parameter expansion
+  /\$\{[^}]*:-[^}]*\$\(/, // Default value with command substitution
+  /\$\{[^}]*[`][^}]*\}/, // Backtick inside parameter expansion
+  /\\x[0-9a-fA-F]{2}/, // Hex escaping attempts
+  /\\[0-7]{3}/, // Octal escaping attempts
+  /<<<\s*/, // Here-strings (can be used for injection)
+  /\d*<&\s*\d*/, // File descriptor duplication
+  /\d*>&-\s*/, // Closing file descriptors
+];
+
 export function detectShellInjectionRisk(command: string): boolean {
-  // Common shell metacharacters that indicate potential injection
-  const dangerousPatterns = [
-    /;[\s]*\w/, // Command chaining with semicolon
-    /\|[\s]*\w/, // Piping (legitimate uses exist, but worth warning)
-    /&&[\s]*\w/, // AND chaining
-    /\|\|[\s]*\w/, // OR chaining
-    /`[^`]+`/, // Command substitution with backticks
-    /\$\([^)]+\)/, // Command substitution with $()
-    />\s*\/dev\/null/, // Output redirection (common in attacks)
-    /rm\s+-rf/, // Dangerous deletion command
-    />\s*[~\/]/, // File redirection to suspicious paths
-    /curl\s+.*\|\s*sh/, // Download and execute pattern
-    /wget\s+.*\|\s*sh/, // Download and execute pattern
-  ];
-
-  return dangerousPatterns.some((pattern) => pattern.test(command));
+  // Check against pre-compiled patterns
+  return DANGEROUS_PATTERNS.some((pattern) => pattern.test(command));
 }
 
 /**
@@ -91,9 +115,9 @@ export async function executeShell(
   const command = ExpressionEvaluator.evaluateString(step.run, context);
 
   // Check for potential shell injection risks
-  if (detectShellInjectionRisk(command)) {
-    logger.warn(
-      `\n⚠️  WARNING: Command contains shell metacharacters that may indicate injection risk:\n   Command: ${command.substring(0, 100)}${command.length > 100 ? '...' : ''}\n   To safely interpolate user inputs, use the escape() function.\n   Example: run: echo \${{ escape(inputs.user_input) }}\n`
+  if (!step.allowInsecure && detectShellInjectionRisk(command)) {
+    throw new Error(
+      `Security Error: Command contains shell metacharacters that may indicate injection risk:\n   Command: ${command.substring(0, 100)}${command.length > 100 ? '...' : ''}\n   To execute this command safely, ensure all user inputs are wrapped in \${{ escape(input) }}.\n\n   If you trust this workflow and its inputs, you may need to refactor the step to avoid complex shell chains or use a stricter input validation.\n   Or, if you really trust this command, you can set 'allowInsecure: true' in the step definition.`
     );
   }
 
@@ -107,31 +131,78 @@ export async function executeShell(
 
   // Set working directory if specified
   const cwd = step.dir ? ExpressionEvaluator.evaluateString(step.dir, context) : undefined;
+  const mergedEnv = Object.keys(env).length > 0 ? { ...Bun.env, ...env } : Bun.env;
+
+  // Safe Fast Path: If command contains only safe characters (alphanumeric, -, _, ., /) and spaces,
+  // we can split it and execute directly without a shell.
+  // This completely eliminates shell injection risks for simple commands.
+  const isSimpleCommand = /^[a-zA-Z0-9_\-./]+(?: [a-zA-Z0-9_\-./]+)*$/.test(command);
+
+  // Common shell builtins that must run in a shell
+  const splitArgs = command.split(/\s+/);
+  const cmd = splitArgs[0];
+  const isBuiltin = [
+    'exit',
+    'cd',
+    'export',
+    'unset',
+    'source',
+    '.',
+    'alias',
+    'unalias',
+    'eval',
+    'set',
+  ].includes(cmd);
 
   try {
-    // Execute command using sh -c to allow shell parsing
-    let proc = $`sh -c ${command}`.quiet();
-
-    // Apply environment variables - merge with Bun.env to preserve system PATH and other variables
-    if (Object.keys(env).length > 0) {
-      proc = proc.env({ ...Bun.env, ...env });
-    }
-
-    // Apply working directory
-    if (cwd) {
-      proc = proc.cwd(cwd);
+    let stdoutString = '';
+    let stderrString = '';
+    let exitCode = 0;
+
+    if (isSimpleCommand && !isBuiltin) {
+      // split by spaces
+      const args = splitArgs.slice(1);
+      if (!cmd) throw new Error('Empty command');
+
+      const proc = Bun.spawn([cmd, ...args], {
+        cwd,
+        env: mergedEnv,
+        stdout: 'pipe',
+        stderr: 'pipe',
+      });
+
+      const stdoutText = await new Response(proc.stdout).text();
+      const stderrText = await new Response(proc.stderr).text();
+
+      // Wait for exit
+      exitCode = await proc.exited;
+      stdoutString = stdoutText;
+      stderrString = stderrText;
+    } else {
+      // Fallback to sh -c for complex commands (pipes, redirects, quotes)
+      // Execute command using sh -c to allow shell parsing
+      let proc = $`sh -c ${command}`.quiet();
+
+      // Apply environment variables - merge with Bun.env to preserve system PATH and other variables
+      if (Object.keys(env).length > 0) {
+        proc = proc.env({ ...Bun.env, ...env });
+      }
+
+      // Apply working directory
+      if (cwd) {
+        proc = proc.cwd(cwd);
+      }
+
+      // Execute and capture result
+      const result = await proc;
+      stdoutString = await result.text();
+      stderrString = result.stderr ? result.stderr.toString() : '';
+      exitCode = result.exitCode;
     }
 
-    // Execute and capture result
-    const result = await proc;
-
-    const stdout = await result.text();
-    const stderr = result.stderr ? result.stderr.toString() : '';
-    const exitCode = result.exitCode;
-
     return {
-      stdout,
-      stderr,
+      stdout: stdoutString,
+      stderr: stderrString,
       exitCode,
     };
   } catch (error) {