oh-my-adhd 0.2.14 → 0.2.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
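--- a/package/dist/mcp/lib/brain.js
+++ b/package/dist/mcp/lib/brain.js
@@ -12,6 +12,8 @@ const LOG_FILE = path.join(BRAIN_DIR, "logs", "brain.log");
 const VERSION_FILE = path.join(BRAIN_DIR, "VERSION");
 export const SCHEMA_VERSION = 1;
 export const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+export const SENSITIVE_DIRS = [".ssh", ".aws", ".gnupg", ".kube", ".docker",
+path.join(".config", "git"), path.join(".config", "gh")];
 async function appendLog(level, msg) {
 try {
 const entry = `${new Date().toISOString()} [${level}] ${msg}\n`;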
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { z } from "zod";
|
|
2
|
-
import { getThreads, getThread, getPages } from "../../lib/brain.js";
|
|
2
|
+
import { getThreads, getThread, getPages, SENSITIVE_DIRS } from "../../lib/brain.js";
|
|
3
3
|
import fs from "fs/promises";
|
|
4
4
|
import path from "path";
|
|
5
5
|
import os from "os";
|
|
@@ -31,8 +31,6 @@ export function registerWikiExport(server) {
|
|
|
31
31
|
};
|
|
32
32
|
}
|
|
33
33
|
// Block writes into known sensitive dirs — use realpath for symlink safety
|
|
34
|
-
const SENSITIVE_DIRS = [".ssh", ".aws", ".gnupg", ".kube", ".docker",
|
|
35
|
-
path.join(".config", "git"), path.join(".config", "gh")];
|
|
36
34
|
const homeDir = os.homedir();
|
|
37
35
|
let realResolved = resolved;
|
|
38
36
|
try {
|
|
@@ -1,7 +1,8 @@
|
|
|
1
1
|
import { z } from "zod";
|
|
2
|
-
import { ensureBrainDirs, BRAIN_DIR, SCHEMA_VERSION, UUID_RE, withBrainLock } from "../../lib/brain.js";
|
|
2
|
+
import { ensureBrainDirs, BRAIN_DIR, SCHEMA_VERSION, UUID_RE, SENSITIVE_DIRS, withBrainLock } from "../../lib/brain.js";
|
|
3
3
|
import fs from "fs/promises";
|
|
4
4
|
import path from "path";
|
|
5
|
+
import os from "os";
|
|
5
6
|
const SLUG_RE = /^[a-z0-9가-힣][a-z0-9가-힣_-]{0,127}$/;
|
|
6
7
|
const MAX_CONTENT_BYTES = 5 * 1024 * 1024; // 5MB per thread
|
|
7
8
|
const MAX_ITEMS = 10000; // max threads or pages per import
|
|
@@ -18,6 +19,21 @@ export function registerWikiImport(server) {
|
|
|
18
19
|
isError: true,
|
|
19
20
|
};
|
|
20
21
|
}
|
|
22
|
+
// Block reads from sensitive dirs — mirrors wiki_export denylist
|
|
23
|
+
const homeDir = os.homedir();
|
|
24
|
+
let realInputDir = path.dirname(resolved);
|
|
25
|
+
try {
|
|
26
|
+
realInputDir = await fs.realpath(realInputDir);
|
|
27
|
+
}
|
|
28
|
+
catch { /* dir may not exist */ }
|
|
29
|
+
const realHome = await fs.realpath(homeDir).catch(() => homeDir);
|
|
30
|
+
const relInputDir = path.relative(realHome, realInputDir).toLowerCase();
|
|
31
|
+
if (SENSITIVE_DIRS.some(d => relInputDir === d.toLowerCase() || relInputDir.startsWith(d.toLowerCase() + path.sep))) {
|
|
32
|
+
return {
|
|
33
|
+
content: [{ type: "text", text: "오류: 보안상 해당 경로에서는 가져올 수 없습니다." }],
|
|
34
|
+
isError: true,
|
|
35
|
+
};
|
|
36
|
+
}
|
|
21
37
|
// Check file size before reading into memory
|
|
22
38
|
try {
|
|
23
39
|
const stat = await fs.stat(resolved);
|
|
@@ -132,6 +148,7 @@ export function registerWikiImport(server) {
|
|
|
132
148
|
manifest[idx] = meta;
|
|
133
149
|
else
|
|
134
150
|
manifest.push(meta);
|
|
151
|
+
existingIds.add(id); // prevent duplicate IDs within same import
|
|
135
152
|
importedThreads++;
|
|
136
153
|
}
|
|
137
154
|
// Write updated manifest atomically inside lock
|
|
@@ -148,6 +165,8 @@ export function registerWikiImport(server) {
|
|
|
148
165
|
const content = typeof page.content === "string" ? page.content : "";
|
|
149
166
|
if (!SLUG_RE.test(slug) || !content)
|
|
150
167
|
continue;
|
|
168
|
+
if (Buffer.byteLength(content, "utf-8") > MAX_CONTENT_BYTES)
|
|
169
|
+
continue;
|
|
151
170
|
const pageFile = path.join(pagesDir, `${slug}.md`);
|
|
152
171
|
const pageTmp = pageFile + ".tmp";
|
|
153
172
|
await fs.writeFile(pageTmp, content, "utf-8");
|
package/package.json