mcp-maestro-mobile-ai 1.3.1 → 1.4.0

package/src/mcp-server/utils/maestro.js

@@ -1,6 +1,9 @@
 /**
  * Maestro Utility Functions
  * Execute Maestro CLI commands and handle results
+ *
+ * Security: All command executions are validated against security policies
+ * defined in security.js before execution.
  */
 
 import { spawn, execSync } from "child_process";
@@ -10,6 +13,20 @@ import os from "os";
 import { fileURLToPath } from "url";
 import { dirname, join } from "path";
 import { logger } from "./logger.js";
+import {
+  SecurityError,
+  isSafeModeEnabled,
+  getSecurityConfig,
+  validateDeviceId,
+  validateAppId,
+  isMaestroCommandAllowed,
+  isAdbCommandAllowed,
+  containsBlockedPattern,
+  assertNoBlockedPatterns,
+  checkYamlSecurity,
+  logSecurityEvent,
+  sanitizeInput,
+} from "./security.js";
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -47,45 +64,135 @@ function getAdbPath() {
 
 /**
  * Execute Maestro CLI command with optional device targeting
+ * Includes security validation before execution
+ *
+ * @param {Array<string>} args - Command arguments
+ * @param {string} deviceId - Optional device ID
+ * @returns {Promise<object>} Execution result
+ * @throws {SecurityError} If command is not allowed
  */
 export function executeMaestro(args, deviceId = null) {
-  return new Promise((resolve) => {
-    // Use specified device, selected device, or let Maestro choose
-    const targetDevice = deviceId || selectedDeviceId;
-    const finalArgs = targetDevice ? ["--device", targetDevice, ...args] : args;
-
-    const maestro = spawn("maestro", finalArgs, {
-      shell: true,
-      env: { ...process.env },
-    });
+  return new Promise((resolve, reject) => {
+    try {
+      // Security: Validate the Maestro command
+      const baseCommand = args[0];
+      const commandCheck = isMaestroCommandAllowed(baseCommand);
+
+      if (!commandCheck.allowed) {
+        logSecurityEvent("MAESTRO_COMMAND_REJECTED", {
+          command: baseCommand,
+          args,
+          reason: commandCheck.reason,
+        });
+
+        reject(
+          new SecurityError(commandCheck.reason, "BLOCKED_COMMAND", {
+            command: baseCommand,
+            args,
+          })
+        );
+        return;
+      }
 
-    let stdout = "";
-    let stderr = "";
+      // Security: Validate device ID if provided
+      const targetDevice = deviceId || selectedDeviceId;
+      if (targetDevice) {
+        try {
+          validateDeviceId(targetDevice);
+        } catch (error) {
+          reject(error);
+          return;
+        }
+      }
 
-    maestro.stdout.on("data", (data) => {
-      stdout += data.toString();
-    });
+      // Security: Check for blocked patterns in arguments
+      for (const arg of args) {
+        if (typeof arg === "string") {
+          const patternCheck = containsBlockedPattern(arg, "shellCommand");
+          if (patternCheck.detected) {
+            logSecurityEvent("MAESTRO_ARG_BLOCKED_PATTERN", {
+              arg,
+              patternType: patternCheck.type,
+            });
+
+            reject(
+              new SecurityError(
+                `Blocked pattern detected in argument: ${patternCheck.description}`,
+                "BLOCKED_PATTERN",
+                { arg, patternType: patternCheck.type }
+              )
+            );
+            return;
+          }
+        }
+      }
 
-    maestro.stderr.on("data", (data) => {
-      stderr += data.toString();
-    });
+      // Log the execution for audit trail
+      logSecurityEvent("MAESTRO_COMMAND_EXECUTE", {
+        command: baseCommand,
+        argsCount: args.length,
+        device: targetDevice || "default",
+        safeMode: isSafeModeEnabled(),
+      });
 
-    maestro.on("close", (exitCode) => {
-      resolve({ exitCode, stdout, stderr });
-    });
+      const finalArgs = targetDevice
+        ? ["--device", targetDevice, ...args]
+        : args;
 
-    maestro.on("error", (error) => {
-      resolve({ exitCode: 1, stdout, stderr: error.message });
-    });
+      const maestro = spawn("maestro", finalArgs, {
+        shell: true,
+        env: { ...process.env },
+      });
+
+      let stdout = "";
+      let stderr = "";
+
+      maestro.stdout.on("data", (data) => {
+        stdout += data.toString();
+      });
+
+      maestro.stderr.on("data", (data) => {
+        stderr += data.toString();
+      });
+
+      maestro.on("close", (exitCode) => {
+        resolve({ exitCode, stdout, stderr });
+      });
+
+      maestro.on("error", (error) => {
+        resolve({ exitCode: 1, stdout, stderr: error.message });
+      });
+    } catch (error) {
+      reject(error);
+    }
   });
 }
 
 /**
  * List all connected devices with detailed information
+ * Includes security validation for ADB command
  */
 export async function listDevices() {
   try {
     const adbPath = getAdbPath();
+
+    // Security: Validate ADB command
+    const adbCommand = "devices -l";
+    const adbCheck = isAdbCommandAllowed(adbCommand);
+    if (!adbCheck.allowed) {
+      logger.error(`ADB command blocked: ${adbCommand}`);
+      return {
+        success: false,
+        error: "Security policy prevented device listing",
+        devices: [],
+      };
+    }
+
+    logSecurityEvent("ADB_COMMAND_EXECUTE", {
+      command: adbCommand,
+      operation: "list_devices",
+    });
+
     let adbOutput;
     try {
       adbOutput = execSync(`"${adbPath}" devices -l`, {
@@ -155,13 +262,34 @@ export async function listDevices() {
 
 /**
  * Select a device for running tests
+ * Includes security validation of device ID
+ *
+ * @param {string} deviceId - Device ID to select
+ * @returns {object} Result with selected device
+ * @throws {SecurityError} If device ID is invalid
  */
 export function selectDevice(deviceId) {
-  selectedDeviceId = deviceId;
-  logger.info(`Device selected: ${deviceId}`);
+  // Security: Validate device ID format
+  try {
+    validateDeviceId(deviceId);
+  } catch (error) {
+    logger.warn(`Invalid device ID rejected: ${deviceId}`);
+    throw error;
+  }
+
+  // Sanitize the device ID
+  const sanitizedDeviceId = sanitizeInput(deviceId);
+
+  selectedDeviceId = sanitizedDeviceId;
+  logger.info(`Device selected: ${sanitizedDeviceId}`);
+
+  logSecurityEvent("DEVICE_SELECTED", {
+    deviceId: sanitizedDeviceId,
+  });
+
   return {
     success: true,
-    selectedDevice: deviceId,
+    selectedDevice: sanitizedDeviceId,
   };
 }
 
@@ -253,6 +381,11 @@ export async function checkDeviceConnection() {
 
 /**
  * Check if app is installed on device (optionally on specific device)
+ * Includes security validation of app ID and device ID
+ *
+ * @param {string} appId - App package ID to check
+ * @param {string} deviceId - Optional device ID
+ * @returns {object} Installation status
  */
 export async function checkAppInstalled(appId, deviceId = null) {
   if (!appId) {
@@ -263,12 +396,57 @@ export async function checkAppInstalled(appId, deviceId = null) {
     };
   }
 
+  // Security: Validate app ID format
+  try {
+    validateAppId(appId);
+  } catch (error) {
+    logger.warn(`Invalid app ID rejected: ${appId}`);
+    return {
+      installed: false,
+      error: error.message,
+      hint: "App ID must be in format: com.example.app",
+    };
+  }
+
+  // Security: Validate device ID if provided
   const targetDevice = deviceId || selectedDeviceId;
+  if (targetDevice) {
+    try {
+      validateDeviceId(targetDevice);
+    } catch (error) {
+      return {
+        installed: false,
+        error: error.message,
+        hint: "Invalid device ID format",
+      };
+    }
+  }
+
   const adbPath = getAdbPath();
+
+  // Security: Build command safely without string interpolation vulnerabilities
+  const adbArgs = targetDevice ? ["-s", targetDevice] : [];
   const adbPrefix = targetDevice
     ? `"${adbPath}" -s ${targetDevice}`
     : `"${adbPath}"`;
 
+  // Security: Validate the ADB command we're about to execute
+  const adbCommand = "shell pm list packages";
+  const adbCheck = isAdbCommandAllowed(adbCommand);
+  if (!adbCheck.allowed) {
+    logger.error(`ADB command blocked: ${adbCommand}`);
+    return {
+      installed: false,
+      error: "Security policy prevented app check",
+    };
+  }
+
+  logSecurityEvent("ADB_COMMAND_EXECUTE", {
+    command: adbCommand,
+    appId,
+    device: targetDevice || "default",
+  });
+
   try {
     const result = execSync(`${adbPrefix} shell pm list packages ${appId}`, {
       encoding: "utf8",
@@ -327,18 +505,73 @@ export async function checkAppInstalled(appId, deviceId = null) {
 
 /**
  * Run a Maestro flow from YAML content with retry support
+ * Includes security validation of YAML content
+ *
+ * @param {string} yamlContent - YAML flow content
+ * @param {string} testName - Name of the test
+ * @param {object} options - Execution options
+ * @returns {Promise<object>} Test result
  */
 export async function runMaestroFlow(yamlContent, testName, options = {}) {
   const maxRetries = options.retries ?? DEFAULT_RETRIES;
   const deviceId = options.deviceId || selectedDeviceId;
   const startTime = Date.now();
 
+  // Security: Validate YAML content for dangerous patterns
+  const yamlSecurityCheck = checkYamlSecurity(yamlContent);
+  if (!yamlSecurityCheck.safe) {
+    logger.error(`YAML security check failed for test: ${testName}`, {
+      issues: yamlSecurityCheck.issues,
+    });
+
+    logSecurityEvent("YAML_SECURITY_REJECTED", {
+      testName,
+      issues: yamlSecurityCheck.issues,
+    });
+
+    return {
+      success: false,
+      name: testName,
+      error: `YAML security check failed: ${yamlSecurityCheck.issues.join(
+        ", "
+      )}`,
+      securityIssues: yamlSecurityCheck.issues,
+    };
+  }
+
+  // Log warnings if any
+  if (yamlSecurityCheck.warnings && yamlSecurityCheck.warnings.length > 0) {
+    logger.warn(`YAML security warnings for test: ${testName}`, {
+      warnings: yamlSecurityCheck.warnings,
+    });
+  }
+
+  // Security: Validate test name (used in file path)
+  try {
+    assertNoBlockedPatterns(testName, "test name", "filePath");
+  } catch (error) {
+    return {
+      success: false,
+      name: testName,
+      error: `Invalid test name: ${error.message}`,
+    };
+  }
+
+  // Sanitize test name for file system
+  const safeTestName = testName.replace(/[^a-zA-Z0-9_-]/g, "_");
+
+  logSecurityEvent("TEST_EXECUTION_START", {
+    testName: safeTestName,
+    device: deviceId || "default",
+    safeMode: isSafeModeEnabled(),
+  });
+
   // Ensure directories exist
   await fs.mkdir(TEMP_DIR, { recursive: true });
   await fs.mkdir(SCREENSHOTS_DIR, { recursive: true });
 
-  // Write YAML to temp file
-  const tempFile = join(TEMP_DIR, `${testName}-${Date.now()}.yaml`);
+  // Write YAML to temp file with sanitized name
+  const tempFile = join(TEMP_DIR, `${safeTestName}-${Date.now()}.yaml`);
   await fs.writeFile(tempFile, yamlContent, "utf8");
 
   let lastResult = null;
@@ -483,14 +716,17 @@ export async function captureScreenshot(name, deviceId = null) {
 }
 
 /**
- * Get configuration values
+ * Get configuration values including security settings
  */
 export function getConfig() {
+  const securityConfig = getSecurityConfig();
+
   return {
     defaultTimeout: DEFAULT_TIMEOUT,
     defaultRetries: DEFAULT_RETRIES,
     maxResults: MAX_RESULTS,
     selectedDevice: selectedDeviceId,
+    security: securityConfig,
   };
 }