mobbdev 1.1.2 → 1.1.3

package/dist/index.mjs

@@ -19141,10 +19141,15 @@ var PatchApplicationService = class {
    */
   static writeFileWithFixComment({
     filePath,
+    repositoryPath,
     content,
     fix,
     scanContext
   }) {
+    const { normalizedPath: normalizedFilePath } = this.resolvePathWithinRepo({
+      repositoryPath,
+      targetPath: filePath
+    });
     let finalContent = content;
     if (MCP_AUTO_FIX_DEBUG_MODE) {
       const fixType = fix.safeIssueType || "Security Issue";
@@ -19176,10 +19181,28 @@ var PatchApplicationService = class {
         }
       );
     }
-    const dirPath = path20.dirname(filePath);
+    const dirPath = path20.dirname(normalizedFilePath);
     mkdirSync(dirPath, { recursive: true });
-    writeFileSync(filePath, finalContent, "utf8");
-    return filePath;
+    writeFileSync(normalizedFilePath, finalContent, "utf8");
+    return normalizedFilePath;
+  }
+  static resolvePathWithinRepo({
+    repositoryPath,
+    targetPath
+  }) {
+    const repoRoot = path20.resolve(repositoryPath);
+    const normalizedPath = path20.resolve(repoRoot, targetPath);
+    const repoRootWithSep = repoRoot.endsWith(path20.sep) ? repoRoot : `${repoRoot}${path20.sep}`;
+    if (normalizedPath !== repoRoot && !normalizedPath.startsWith(repoRootWithSep)) {
+      throw new Error(
+        `Security violation: target path ${targetPath} resolves outside repository`
+      );
+    }
+    return {
+      repoRoot,
+      normalizedPath,
+      relativePath: path20.relative(repoRoot, normalizedPath)
+    };
   }
   /**
    * Extracts target file path from a fix
@@ -19649,21 +19672,17 @@ var PatchApplicationService = class {
     repositoryPath,
     scanContext
   }) {
-    const sanitizedRepoPath = String(repositoryPath || "").replace("\0", "").replace(/^(\.\.(\/|\\))+/, "");
-    const sanitizedTargetFile = String(targetFile || "").replace("\0", "").replace(/^(\.\.(\/|\\))+/, "");
-    const absoluteFilePath = path20.resolve(
-      sanitizedRepoPath,
-      sanitizedTargetFile
-    );
-    const relativePath = path20.relative(sanitizedRepoPath, absoluteFilePath);
-    if (relativePath.startsWith("..")) {
-      throw new Error(
-        `Security violation: target file ${targetFile} resolves outside repository`
-      );
-    }
+    const {
+      repoRoot,
+      normalizedPath: absoluteFilePath,
+      relativePath
+    } = this.resolvePathWithinRepo({
+      repositoryPath,
+      targetPath: targetFile
+    });
     logDebug(`[${scanContext}] Resolving file path for ${targetFile}`, {
-      repositoryPath: sanitizedRepoPath,
-      targetFile: sanitizedTargetFile,
+      repositoryPath: repoRoot,
+      targetFile,
       absoluteFilePath,
       relativePath,
       exists: existsSync6(absoluteFilePath)
@@ -19685,6 +19704,7 @@ var PatchApplicationService = class {
     const newContent = this.applyHunksToEmptyFile(fileDiff.chunks);
     const actualPath = this.writeFileWithFixComment({
       filePath: absoluteFilePath,
+      repositoryPath,
       content: newContent,
       fix,
       scanContext
@@ -19733,6 +19753,7 @@ var PatchApplicationService = class {
     if (modifiedContent !== originalContent) {
       const actualPath = this.writeFileWithFixComment({
         filePath: absoluteFilePath,
+        repositoryPath,
         content: modifiedContent,
         fix,
         scanContext

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.mjs",
@@ -75,7 +75,7 @@
     "http-proxy-agent": "7.0.2",
     "https-proxy-agent": "7.0.6",
     "ignore": "7.0.5",
-    "inquirer": "9.3.7",
+    "inquirer": "9.3.8",
     "isomorphic-ws": "5.0.0",
     "istextorbinary": "9.5.0",
     "libsodium-wrappers": "0.7.15",