npm - magector - Versions diffs - 2.15.0 → 2.15.1 - Mend

magector 2.15.0 → 2.15.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -136,6 +136,37 @@ flowchart LR
 ---
+## Security
+Magector operates on source code indexed from potentially-untrusted `vendor/` dependencies and is driven by an LLM that may be manipulated via prompt injection in indexed comments, docblocks, or markdown. The following hardening applies as of **v2.15.1**:
+### Path traversal protection
+All tools that accept a `path` argument (`magento_read`, `magento_grep`, `magento_ast_search`, `magento_find_dataobject_issues`) route the input through `safePath()` / `safeRelPath()` helpers in `src/mcp-server.js`. These:
+1. Resolve the argument against `MAGENTO_ROOT` with `path.resolve()` (normalizes `..`, symlinks are not followed during validation).
+2. Reject any resolved path that does not lie inside `MAGENTO_ROOT`.
+This prevents a hostile `vendor/` comment from instructing the LLM to e.g. `magento_read` `../../home/user/.ssh/id_rsa`. Both the standalone case handlers and their `magento_batch` counterparts share the same chokepoint.
+### Shell injection hardening in auto-update
+`src/update.js` fetches the `latest` field from the npm registry and re-execs itself with the new version string. Previously this was interpolated into a shell command; a tampered registry response could inject shell metacharacters. As of v2.15.1:
+- The re-exec passes argv as an **array** to a no-shell spawner (no intermediate shell).
+- A semver-strict `isSafeVersion()` validator rejects any version string containing metacharacters or that does not match `X.Y.Z` / `X.Y.Z-prerelease` form.
+- Fails closed: the auto-update is silently skipped rather than run a malformed version.
+### Unix socket permissions
+The serve-proxy Unix socket at `.magector/serve.sock` is created with `chmod 0600` immediately after `listen()`. On multi-user systems, another local account can no longer connect and query the vector index (which would leak indexed source snippets). The chmod is best-effort on platforms that don't support it (logged to `.magector/magector.log`).
+### Reporting vulnerabilities
+If you find a security issue, please open an issue on the GitHub repo and mark it as security-related. Do not post reproducers that leak actual source contents from private codebases.
+---
 ## Quick Start
 ### Prerequisites

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "magector",
-  "version": "2.15.0",
+  "version": "2.15.1",
   "description": "Semantic code search for Magento 2 — index, search, MCP server",
   "type": "module",
   "main": "src/mcp-server.js",
@@ -33,10 +33,10 @@
     "ruvector": "^0.1.96"
   },
   "optionalDependencies": {
-    "@magector/cli-darwin-arm64": "2.15.0",
-    "@magector/cli-linux-x64": "2.15.0",
-    "@magector/cli-linux-arm64": "2.15.0",
-    "@magector/cli-win32-x64": "2.15.0"
+    "@magector/cli-darwin-arm64": "2.15.1",
+    "@magector/cli-linux-x64": "2.15.1",
+    "@magector/cli-linux-arm64": "2.15.1",
+    "@magector/cli-win32-x64": "2.15.1"
   },
   "keywords": [
     "magento",

package/src/mcp-server.js CHANGED Viewed

@@ -17,7 +17,7 @@ import {
 import { execFileSync, spawn } from 'child_process';
 import { createInterface } from 'readline';
 import { createServer as createNetServer, createConnection } from 'net';
-import { existsSync, statSync, unlinkSync, copyFileSync, renameSync, appendFileSync, writeFileSync, readFileSync, mkdirSync, openSync, closeSync, constants as fsConstants } from 'fs';
+import { existsSync, statSync, unlinkSync, copyFileSync, renameSync, appendFileSync, writeFileSync, readFileSync, mkdirSync, openSync, closeSync, chmodSync, constants as fsConstants } from 'fs';
 import { stat } from 'fs/promises';
 import { glob } from 'glob';
 import path from 'path';
@@ -149,6 +149,38 @@ const SOCK_PATH = path.join(config.magentoRoot, '.magector', 'serve.sock');
 const FORMAT_CACHE_PATH = path.join(config.magentoRoot, '.magector', 'format-ok.json');
 const PRIMARY_LOCK_PATH = path.join(config.magentoRoot, '.magector', 'primary.lock');
+// ─── Path Safety ────────────────────────────────────────────────
+// All tool handlers accept user-supplied paths relative to MAGENTO_ROOT.
+// Without validation, `../../../etc/passwd` would escape the project.
+// A hostile indexed file could prompt-inject the LLM into requesting such a
+// path and leak host files. These helpers are the single chokepoint.
+/**
+ * Resolve a user-supplied path against a trusted root and verify it stays
+ * inside the root. Returns the absolute resolved path or null on escape.
+ */
+function safePath(root, rel) {
+  if (rel === undefined || rel === null) return null;
+  const rootAbs = path.resolve(root);
+  const joined = path.resolve(rootAbs, String(rel));
+  if (joined !== rootAbs && !joined.startsWith(rootAbs + path.sep)) {
+    return null;
+  }
+  return joined;
+}
+/**
+ * Like safePath but returns the relative form (used for tools that invoke
+ * external processes with cwd=root and want a relative path argument).
+ * '.' means "the root itself".
+ */
+function safeRelPath(root, rel) {
+  const abs = safePath(root, rel);
+  if (!abs) return null;
+  const r = path.relative(path.resolve(root), abs);
+  return r === '' ? '.' : r;
+}
 /**
  * Expand brace patterns in include globs for GNU grep compatibility.
  * GNU grep --include does NOT support brace expansion (that's a shell feature).
@@ -737,7 +769,13 @@ function startSocketProxy() {
     logToFile('WARN', `Socket proxy error: ${err.message}`);
   });
   socketServer.listen(SOCK_PATH, () => {
-    logToFile('INFO', `Socket proxy listening on ${SOCK_PATH}`);
+    // Restrict socket to the owning user — without this, on multi-user
+    // systems any local account could connect to the serve proxy and query
+    // the index (leaking indexed code snippets to other local users).
+    try { chmodSync(SOCK_PATH, 0o600); } catch (err) {
+      logToFile('WARN', `Failed to chmod socket to 0600: ${err.message}`);
+    }
+    logToFile('INFO', `Socket proxy listening on ${SOCK_PATH} (mode 0600)`);
   });
 }
@@ -3663,7 +3701,11 @@ async function astSearch(pattern, searchPath, lang, maxResults) {
   const root = config.magentoRoot;
   if (!root) throw new Error('MAGENTO_ROOT not set');
-  const targetPath = searchPath ? path.join(root, searchPath) : root;
+  const targetPath = searchPath ? safePath(root, searchPath) : path.resolve(root);
+  if (!targetPath) {
+    logToFile('WARN', `ast_search: rejected path traversal attempt: "${searchPath}"`);
+    throw new Error(`Path escapes project root: ${searchPath}`);
+  }
   const semgrepLang = lang || 'php';
   const limit = Math.min(maxResults || 50, 200);
@@ -6466,7 +6508,12 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
                 break;
               }
               case 'magento_read': {
-                const filePath = path.join(config.magentoRoot, a.path);
+                const filePath = safePath(config.magentoRoot, a.path);
+                if (!filePath) {
+                  logToFile('WARN', `batch read: rejected path traversal attempt: "${a.path}"`);
+                  text = `Path escapes project root: ${a.path}`;
+                  break;
+                }
                 let fileContent;
                 try { fileContent = readFileSync(filePath, 'utf-8'); } catch {
                   text = `File not found: ${a.path}`;
@@ -6491,7 +6538,12 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
                 break;
               }
               case 'magento_grep': {
-                const searchPath = a.path || '.';
+                const searchPath = safeRelPath(config.magentoRoot, a.path || '.');
+                if (!searchPath) {
+                  logToFile('WARN', `batch grep: rejected path traversal attempt: "${a.path}"`);
+                  text = `Path escapes project root: ${a.path}`;
+                  break;
+                }
                 const include = a.include || '*.php';
                 const maxRes = Math.min(a.maxResults || 30, 100);
                 const batchCtx = a.context !== undefined ? a.context : 4;
@@ -6569,7 +6621,11 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
       case 'magento_grep': {
         const root = config.magentoRoot;
         if (!root) return { content: [{ type: 'text', text: 'MAGENTO_ROOT not set.' }], isError: true };
-        const searchPath = args.path || '.';
+        const searchPath = safeRelPath(root, args.path || '.');
+        if (!searchPath) {
+          logToFile('WARN', `grep: rejected path traversal attempt: "${args.path}"`);
+          return { content: [{ type: 'text', text: `Path escapes project root: ${args.path}` }], isError: true };
+        }
         const include = args.include || '*.php';
         const maxResults = Math.min(args.maxResults || 50, 200);
         const ctxLines = args.context !== undefined ? args.context : 4;
@@ -6756,7 +6812,11 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
       case 'magento_read': {
         const root = config.magentoRoot;
         if (!root) return { content: [{ type: 'text', text: 'MAGENTO_ROOT not set.' }], isError: true };
-        const filePath = path.join(root, args.path);
+        const filePath = safePath(root, args.path);
+        if (!filePath) {
+          logToFile('WARN', `read: rejected path traversal attempt: "${args.path}"`);
+          return { content: [{ type: 'text', text: `Path escapes project root: ${args.path}` }], isError: true };
+        }
         let content;
         try { content = readFileSync(filePath, 'utf-8'); } catch (err) {
           logToFile('WARN', `read: file not found: ${args.path} (${err.code || err.message})`);

package/src/update.js CHANGED Viewed

@@ -8,7 +8,7 @@
  * Never blocks the CLI on failure — network errors are silently ignored.
  */
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
-import { execSync } from 'child_process';
+import { execFileSync } from 'child_process';
 import { homedir } from 'os';
 import path from 'path';
 import { fileURLToPath } from 'url';
@@ -140,14 +140,29 @@ export async function checkForUpdate(command, originalArgs) {
   }
 }
+/**
+ * Validate a semver string to prevent shell injection via malicious registry
+ * responses. Only digits, dots, dashes and alphanumerics allowed (semver prerelease).
+ * Example: "1.2.3", "1.2.3-beta.1", "2.0.0-rc.9" — yes. "1; rm -rf ~" — no.
+ */
+function isSafeVersion(v) {
+  return typeof v === 'string' && /^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$/.test(v);
+}
 /**
  * Re-exec the current command with the latest version.
  */
 function reExec(current, latest, originalArgs) {
+  // Defensive: reject anything that doesn't look like a real semver so a
+  // compromised npm registry response can't inject shell metacharacters.
+  if (!isSafeVersion(latest)) {
+    return; // silently skip — never block CLI on update check
+  }
   console.log(`\n⬆  Updating magector: v${current} → v${latest}...\n`);
   try {
-    const cmd = `npx -y magector@${latest} ${originalArgs.join(' ')}`;
-    execSync(cmd, {
+    // execFileSync with an argv array (no shell) — originalArgs are passed as
+    // individual argv entries, so spaces/metachars in them can't expand.
+    execFileSync('npx', ['-y', `magector@${latest}`, ...originalArgs], {
       stdio: 'inherit',
       env: { ...process.env, MAGECTOR_NO_UPDATE: '1' }
     });