npm - oh-my-adhd - Versions diffs - 0.2.14 → 0.2.15 - Mend

oh-my-adhd 0.2.14 → 0.2.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/mcp/mcp/tools/wiki-import.js +19 -0
package/package.json +1 -1

package/dist/mcp/mcp/tools/wiki-import.js CHANGED Viewed

@@ -2,6 +2,9 @@ import { z } from "zod";
 import { ensureBrainDirs, BRAIN_DIR, SCHEMA_VERSION, UUID_RE, withBrainLock } from "../../lib/brain.js";
 import fs from "fs/promises";
 import path from "path";
+import os from "os";
+const SENSITIVE_DIRS = [".ssh", ".aws", ".gnupg", ".kube", ".docker",
+    path.join(".config", "git"), path.join(".config", "gh")];
 const SLUG_RE = /^[a-z0-9가-힣][a-z0-9가-힣_-]{0,127}$/;
 const MAX_CONTENT_BYTES = 5 * 1024 * 1024; // 5MB per thread
 const MAX_ITEMS = 10000; // max threads or pages per import
@@ -18,6 +21,21 @@ export function registerWikiImport(server) {
                     isError: true,
                 };
             }
+            // Block reads from sensitive dirs — mirrors wiki_export denylist
+            const homeDir = os.homedir();
+            let realInputDir = path.dirname(resolved);
+            try {
+                realInputDir = await fs.realpath(realInputDir);
+            }
+            catch { /* dir may not exist */ }
+            const realHome = await fs.realpath(homeDir).catch(() => homeDir);
+            const relInputDir = path.relative(realHome, realInputDir).toLowerCase();
+            if (SENSITIVE_DIRS.some(d => relInputDir === d.toLowerCase() || relInputDir.startsWith(d.toLowerCase() + path.sep))) {
+                return {
+                    content: [{ type: "text", text: "오류: 보안상 해당 경로에서는 가져올 수 없습니다." }],
+                    isError: true,
+                };
+            }
             // Check file size before reading into memory
             try {
                 const stat = await fs.stat(resolved);
@@ -132,6 +150,7 @@ export function registerWikiImport(server) {
                         manifest[idx] = meta;
                     else
                         manifest.push(meta);
+                    existingIds.add(id); // prevent duplicate IDs within same import
                     importedThreads++;
                 }
                 // Write updated manifest atomically inside lock

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "oh-my-adhd",
-  "version": "0.2.14",
+  "version": "0.2.15",
   "description": "ADHD second brain — zero-friction capture, auto context restore, unstick. MCP-native Claude Code plugin.",
   "author": "Yeachan Heo",
   "repository": {