npm - latticesql - Versions diffs - 1.1.2 → 1.2.2 - Mend

latticesql 1.1.2 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.js CHANGED Viewed

@@ -1182,7 +1182,17 @@ var RenderEngine = class {
       }
       for (const entityRow of allRows) {
         const slug = def.slug(entityRow);
+        if (/[^a-zA-Z0-9.\-_ @(),#&'+]/.test(slug)) {
+          throw new Error(
+            `Invalid slug "${slug}": contains characters outside the allowed set (alphanumeric, dot, hyphen, underscore, space, @, parens, comma, #, &, ', +)`
+          );
+        }
         const entityDir = def.directory ? join5(outputDir, def.directory(entityRow)) : join5(outputDir, directoryRoot, slug);
+        const resolvedDir = resolve3(entityDir);
+        const resolvedBase = resolve3(outputDir);
+        if (!resolvedDir.startsWith(resolvedBase + "/") && resolvedDir !== resolvedBase) {
+          throw new Error(`Path traversal detected: slug "${slug}" escapes output directory`);
+        }
         mkdirSync3(entityDir, { recursive: true });
         if (def.attachFileColumn) {
           const filePath = entityRow[def.attachFileColumn];
@@ -1219,8 +1229,10 @@ var RenderEngine = class {
             counters.skipped++;
           }
         }
-        if (def.combined && renderedFiles.size > 0) {
-          const excluded = new Set(def.combined.exclude ?? []);
+        const fileKeys = Object.keys(def.files);
+        const effectiveCombined = def.combined ?? (fileKeys.length > 1 && renderedFiles.size > 1 ? { outputFile: fileKeys[0] } : void 0);
+        if (effectiveCombined && renderedFiles.size > 0) {
+          const excluded = new Set(effectiveCombined.exclude ?? []);
           const parts = [];
           for (const filename of Object.keys(def.files)) {
             if (!excluded.has(filename) && renderedFiles.has(filename)) {
@@ -1229,14 +1241,14 @@ var RenderEngine = class {
           }
           if (parts.length > 0) {
             const combinedContent = parts.join("\n\n---\n\n");
-            const combinedPath = join5(entityDir, def.combined.outputFile);
+            const combinedPath = join5(entityDir, effectiveCombined.outputFile);
             if (atomicWrite(combinedPath, combinedContent)) {
               filesWritten.push(combinedPath);
             } else {
               counters.skipped++;
             }
-            renderedFiles.set(def.combined.outputFile, combinedContent);
-            entityFileHashes[def.combined.outputFile] = { hash: contentHash(combinedContent) };
+            renderedFiles.set(effectiveCombined.outputFile, combinedContent);
+            entityFileHashes[effectiveCombined.outputFile] = { hash: contentHash(combinedContent) };
           }
         }
         manifestEntry.entities[slug] = entityFileHashes;
@@ -1343,6 +1355,9 @@ var ReverseSyncEngine = class {
         const pkCols = Object.keys(update.pk);
         if (pkCols.length === 0) continue;
         const colPattern = /^[a-zA-Z0-9_]+$/;
+        if (!colPattern.test(update.table)) {
+          throw new Error(`Invalid table name in reverse-sync update: ${update.table}`);
+        }
         for (const col of [...setCols, ...pkCols]) {
           if (!colPattern.test(col)) {
             throw new Error(`Invalid column name in reverse-sync update: ${col}`);

package/dist/index.cjs CHANGED Viewed

@@ -942,7 +942,17 @@ var RenderEngine = class {
       }
       for (const entityRow of allRows) {
         const slug = def.slug(entityRow);
+        if (/[^a-zA-Z0-9.\-_ @(),#&'+]/.test(slug)) {
+          throw new Error(
+            `Invalid slug "${slug}": contains characters outside the allowed set (alphanumeric, dot, hyphen, underscore, space, @, parens, comma, #, &, ', +)`
+          );
+        }
         const entityDir = def.directory ? (0, import_node_path4.join)(outputDir, def.directory(entityRow)) : (0, import_node_path4.join)(outputDir, directoryRoot, slug);
+        const resolvedDir = (0, import_node_path4.resolve)(entityDir);
+        const resolvedBase = (0, import_node_path4.resolve)(outputDir);
+        if (!resolvedDir.startsWith(resolvedBase + "/") && resolvedDir !== resolvedBase) {
+          throw new Error(`Path traversal detected: slug "${slug}" escapes output directory`);
+        }
         (0, import_node_fs4.mkdirSync)(entityDir, { recursive: true });
         if (def.attachFileColumn) {
           const filePath = entityRow[def.attachFileColumn];
@@ -979,8 +989,10 @@ var RenderEngine = class {
             counters.skipped++;
           }
         }
-        if (def.combined && renderedFiles.size > 0) {
-          const excluded = new Set(def.combined.exclude ?? []);
+        const fileKeys = Object.keys(def.files);
+        const effectiveCombined = def.combined ?? (fileKeys.length > 1 && renderedFiles.size > 1 ? { outputFile: fileKeys[0] } : void 0);
+        if (effectiveCombined && renderedFiles.size > 0) {
+          const excluded = new Set(effectiveCombined.exclude ?? []);
           const parts = [];
           for (const filename of Object.keys(def.files)) {
             if (!excluded.has(filename) && renderedFiles.has(filename)) {
@@ -989,14 +1001,14 @@ var RenderEngine = class {
           }
           if (parts.length > 0) {
             const combinedContent = parts.join("\n\n---\n\n");
-            const combinedPath = (0, import_node_path4.join)(entityDir, def.combined.outputFile);
+            const combinedPath = (0, import_node_path4.join)(entityDir, effectiveCombined.outputFile);
             if (atomicWrite(combinedPath, combinedContent)) {
               filesWritten.push(combinedPath);
             } else {
               counters.skipped++;
             }
-            renderedFiles.set(def.combined.outputFile, combinedContent);
-            entityFileHashes[def.combined.outputFile] = { hash: contentHash(combinedContent) };
+            renderedFiles.set(effectiveCombined.outputFile, combinedContent);
+            entityFileHashes[effectiveCombined.outputFile] = { hash: contentHash(combinedContent) };
           }
         }
         manifestEntry.entities[slug] = entityFileHashes;
@@ -1103,6 +1115,9 @@ var ReverseSyncEngine = class {
         const pkCols = Object.keys(update.pk);
         if (pkCols.length === 0) continue;
         const colPattern = /^[a-zA-Z0-9_]+$/;
+        if (!colPattern.test(update.table)) {
+          throw new Error(`Invalid table name in reverse-sync update: ${update.table}`);
+        }
         for (const col of [...setCols, ...pkCols]) {
           if (!colPattern.test(col)) {
             throw new Error(`Invalid column name in reverse-sync update: ${col}`);
@@ -3154,9 +3169,14 @@ async function autoUpdate(opts) {
   if (!installed) return result;
   const latest = await getLatestVersion("latticesql");
   if (!latest || !isNewer(latest, installed)) return result;
+  const SEMVER_RE = /^\d+\.\d+\.\d+(-[\w.]+)?$/;
+  if (!SEMVER_RE.test(latest)) {
+    console.error(`[latticesql] Rejecting invalid version: "${latest}"`);
+    return result;
+  }
   log(`[latticesql] Updating: latticesql@${installed} \u2192 ${latest}`);
   try {
-    (0, import_node_child_process.execSync)(`npm install latticesql@${latest}`, {
+    (0, import_node_child_process.execFileSync)("npm", ["install", `latticesql@${latest}`], {
       cwd: process.cwd(),
       stdio: opts?.quiet ? "ignore" : "inherit",
       timeout: 6e4

package/dist/index.js CHANGED Viewed

@@ -874,7 +874,17 @@ var RenderEngine = class {
       }
       for (const entityRow of allRows) {
         const slug = def.slug(entityRow);
+        if (/[^a-zA-Z0-9.\-_ @(),#&'+]/.test(slug)) {
+          throw new Error(
+            `Invalid slug "${slug}": contains characters outside the allowed set (alphanumeric, dot, hyphen, underscore, space, @, parens, comma, #, &, ', +)`
+          );
+        }
         const entityDir = def.directory ? join4(outputDir, def.directory(entityRow)) : join4(outputDir, directoryRoot, slug);
+        const resolvedDir = resolve(entityDir);
+        const resolvedBase = resolve(outputDir);
+        if (!resolvedDir.startsWith(resolvedBase + "/") && resolvedDir !== resolvedBase) {
+          throw new Error(`Path traversal detected: slug "${slug}" escapes output directory`);
+        }
         mkdirSync2(entityDir, { recursive: true });
         if (def.attachFileColumn) {
           const filePath = entityRow[def.attachFileColumn];
@@ -911,8 +921,10 @@ var RenderEngine = class {
             counters.skipped++;
           }
         }
-        if (def.combined && renderedFiles.size > 0) {
-          const excluded = new Set(def.combined.exclude ?? []);
+        const fileKeys = Object.keys(def.files);
+        const effectiveCombined = def.combined ?? (fileKeys.length > 1 && renderedFiles.size > 1 ? { outputFile: fileKeys[0] } : void 0);
+        if (effectiveCombined && renderedFiles.size > 0) {
+          const excluded = new Set(effectiveCombined.exclude ?? []);
           const parts = [];
           for (const filename of Object.keys(def.files)) {
             if (!excluded.has(filename) && renderedFiles.has(filename)) {
@@ -921,14 +933,14 @@ var RenderEngine = class {
           }
           if (parts.length > 0) {
             const combinedContent = parts.join("\n\n---\n\n");
-            const combinedPath = join4(entityDir, def.combined.outputFile);
+            const combinedPath = join4(entityDir, effectiveCombined.outputFile);
             if (atomicWrite(combinedPath, combinedContent)) {
               filesWritten.push(combinedPath);
             } else {
               counters.skipped++;
             }
-            renderedFiles.set(def.combined.outputFile, combinedContent);
-            entityFileHashes[def.combined.outputFile] = { hash: contentHash(combinedContent) };
+            renderedFiles.set(effectiveCombined.outputFile, combinedContent);
+            entityFileHashes[effectiveCombined.outputFile] = { hash: contentHash(combinedContent) };
           }
         }
         manifestEntry.entities[slug] = entityFileHashes;
@@ -1035,6 +1047,9 @@ var ReverseSyncEngine = class {
         const pkCols = Object.keys(update.pk);
         if (pkCols.length === 0) continue;
         const colPattern = /^[a-zA-Z0-9_]+$/;
+        if (!colPattern.test(update.table)) {
+          throw new Error(`Invalid table name in reverse-sync update: ${update.table}`);
+        }
         for (const col of [...setCols, ...pkCols]) {
           if (!colPattern.test(col)) {
             throw new Error(`Invalid column name in reverse-sync update: ${col}`);
@@ -3044,7 +3059,7 @@ function applyWriteEntry(db, entry) {
 }
 // src/auto-update.ts
-import { execSync } from "child_process";
+import { execFileSync } from "child_process";
 import { readFileSync as readFileSync6 } from "fs";
 import { join as join7 } from "path";
 function getInstalledVersion(pkgName) {
@@ -3086,9 +3101,14 @@ async function autoUpdate(opts) {
   if (!installed) return result;
   const latest = await getLatestVersion("latticesql");
   if (!latest || !isNewer(latest, installed)) return result;
+  const SEMVER_RE = /^\d+\.\d+\.\d+(-[\w.]+)?$/;
+  if (!SEMVER_RE.test(latest)) {
+    console.error(`[latticesql] Rejecting invalid version: "${latest}"`);
+    return result;
+  }
   log(`[latticesql] Updating: latticesql@${installed} \u2192 ${latest}`);
   try {
-    execSync(`npm install latticesql@${latest}`, {
+    execFileSync("npm", ["install", `latticesql@${latest}`], {
       cwd: process.cwd(),
       stdio: opts?.quiet ? "ignore" : "inherit",
       timeout: 6e4

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "latticesql",
-  "version": "1.1.2",
+  "version": "1.2.2",
   "description": "Persistent structured memory for AI agent systems — SQLite ↔ LLM context bridge",
   "type": "module",
   "main": "./dist/index.js",