openwriter 0.37.0 → 0.37.1

package/dist/server/connections.js

@@ -4,13 +4,45 @@
  */
 import { readConfig, getActiveProfile } from './helpers.js';
 const DEFAULT_API_URL = 'https://publish.openwriter.io';
+// MCP-6: the platform Bearer key is attached to every request sent to
+// `api-url`. Because plugin config is writable (and was writable unauth before
+// the MCP-5 gate), a hijacked `api-url` could redirect the next authenticated
+// call to an attacker host and exfiltrate the key. We PIN the destination: the
+// Bearer key only ever ships to an OpenWriter-controlled host (or loopback for
+// local platform dev). Anything else falls back to the default host.
+const ALLOWED_PUBLISH_HOSTS = new Set(['publish.openwriter.io', 'openwriter.io']);
+/** True when `url` is a safe destination for the platform Bearer key. */
+export function isAllowedPublishApiUrl(url) {
+    let u;
+    try {
+        u = new URL(url);
+    }
+    catch {
+        return false;
+    }
+    const host = u.hostname.toLowerCase();
+    // Local platform development over loopback (either scheme).
+    if (host === 'localhost' || host === '127.0.0.1' || host === '::1')
+        return true;
+    // Production: HTTPS only, OpenWriter-controlled host (incl. subdomains).
+    if (u.protocol !== 'https:')
+        return false;
+    return ALLOWED_PUBLISH_HOSTS.has(host) || host.endsWith('.openwriter.io');
+}
 /** Get API key and URL from plugin config */
 function getPublishConfig() {
     const config = readConfig();
     const publishConfig = config.plugins?.['@openwriter/plugin-publish']?.config || {};
+    const rawUrl = publishConfig['api-url'] || DEFAULT_API_URL;
+    // Pin to an allowed destination — never let a redirected api-url carry the
+    // Bearer key off-host. MCP-6.
+    const apiUrl = isAllowedPublishApiUrl(rawUrl) ? rawUrl : DEFAULT_API_URL;
+    if (apiUrl !== rawUrl) {
+        console.warn('[connections] publish api-url not on allowlist — pinned to default host');
+    }
     return {
         apiKey: publishConfig['api-key'] || '',
-        apiUrl: publishConfig['api-url'] || DEFAULT_API_URL,
+        apiUrl,
     };
 }
 /** Authenticated fetch to the platform API */

package/dist/server/image-upload.js

@@ -7,9 +7,151 @@ import multer from 'multer';
 import { existsSync, mkdirSync } from 'fs';
 import { join, extname } from 'path';
 import { randomUUID } from 'crypto';
+import { isIP } from 'net';
+import { lookup } from 'dns/promises';
 import { getDataDir, ensureDataDir } from './helpers.js';
 import express from 'express';
 function getImagesDir() { return join(getDataDir(), '_images'); }
+// ── SSRF guard for /api/download-image (MCP-8) ──────────────────────────────
+// The endpoint server-side-fetches a caller-supplied URL. Without a guard an
+// attacker can point it at internal services, the cloud metadata endpoint
+// (169.254.169.254), or loopback — a classic SSRF. We allow only https, block
+// every private / loopback / link-local / reserved IP range (resolving DNS
+// first), follow redirects manually with re-validation at each hop, and cap
+// both response size and request time.
+const MAX_IMAGE_BYTES = 10 * 1024 * 1024; // 10MB, matches the upload limit
+const FETCH_TIMEOUT_MS = 15_000;
+const MAX_REDIRECTS = 3;
+function isBlockedIpv4(ip) {
+    const parts = ip.split('.').map(Number);
+    if (parts.length !== 4 || parts.some((n) => Number.isNaN(n) || n < 0 || n > 255))
+        return true;
+    const [a, b] = parts;
+    if (a === 0)
+        return true; // 0.0.0.0/8 "this host"
+    if (a === 10)
+        return true; // 10.0.0.0/8 private
+    if (a === 127)
+        return true; // 127.0.0.0/8 loopback
+    if (a === 169 && b === 254)
+        return true; // 169.254.0.0/16 link-local (incl. metadata 169.254.169.254)
+    if (a === 172 && b >= 16 && b <= 31)
+        return true; // 172.16.0.0/12 private
+    if (a === 192 && b === 168)
+        return true; // 192.168.0.0/16 private
+    if (a === 100 && b >= 64 && b <= 127)
+        return true; // 100.64.0.0/10 CGNAT
+    if (a >= 224)
+        return true; // 224.0.0.0/4 multicast + 240/4 reserved + 255 broadcast
+    return false;
+}
+function isBlockedIpv6(ip) {
+    const s = ip.toLowerCase().replace(/^\[|\]$/g, '');
+    // IPv4-mapped (::ffff:a.b.c.d) — classify on the embedded v4 address.
+    const mapped = s.match(/(?:^|:)((?:\d{1,3}\.){3}\d{1,3})$/);
+    if (mapped)
+        return isBlockedIpv4(mapped[1]);
+    if (s === '::1' || s === '::')
+        return true; // loopback / unspecified
+    if (s.startsWith('fe8') || s.startsWith('fe9') || s.startsWith('fea') || s.startsWith('feb'))
+        return true; // fe80::/10 link-local
+    if (s.startsWith('fc') || s.startsWith('fd'))
+        return true; // fc00::/7 unique-local
+    if (s.startsWith('ff'))
+        return true; // ff00::/8 multicast
+    return false;
+}
+function isBlockedAddress(ip) {
+    const fam = isIP(ip);
+    if (fam === 4)
+        return isBlockedIpv4(ip);
+    if (fam === 6)
+        return isBlockedIpv6(ip);
+    return true; // not a recognizable IP → refuse
+}
+/** Throw unless `rawUrl` is an https URL whose host resolves only to public addresses. */
+async function assertSafeImageUrl(rawUrl) {
+    let parsed;
+    try {
+        parsed = new URL(rawUrl);
+    }
+    catch {
+        throw new Error('blocked');
+    }
+    if (parsed.protocol !== 'https:')
+        throw new Error('blocked');
+    const host = parsed.hostname.replace(/^\[|\]$/g, '');
+    if (isIP(host)) {
+        if (isBlockedAddress(host))
+            throw new Error('blocked');
+        return;
+    }
+    let addrs;
+    try {
+        addrs = await lookup(host, { all: true });
+    }
+    catch {
+        throw new Error('blocked');
+    }
+    if (addrs.length === 0)
+        throw new Error('blocked');
+    for (const a of addrs) {
+        if (isBlockedAddress(a.address))
+            throw new Error('blocked');
+    }
+}
+/** Fetch an image with SSRF guards: https-only, public-IP-only, manual
+ *  redirect re-validation, size cap, and timeout. Returns the response for a
+ *  caller to read (the caller still enforces the byte cap while streaming). */
+async function safeImageFetch(initialUrl) {
+    let current = initialUrl;
+    for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
+        await assertSafeImageUrl(current);
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+        let response;
+        try {
+            response = await fetch(current, { redirect: 'manual', signal: controller.signal });
+        }
+        finally {
+            clearTimeout(timer);
+        }
+        if (response.status >= 300 && response.status < 400) {
+            const location = response.headers.get('location');
+            if (!location)
+                return response;
+            current = new URL(location, current).toString(); // re-validated at loop top
+            continue;
+        }
+        return response;
+    }
+    throw new Error('blocked');
+}
+/** Read a response body into a Buffer, aborting (returns null) once `max` bytes
+ *  are exceeded so a server that lies about content-length can't blow past the cap. */
+async function readCapped(response, max) {
+    if (!response.body) {
+        const buf = Buffer.from(await response.arrayBuffer());
+        return buf.length > max ? null : buf;
+    }
+    const reader = response.body.getReader();
+    const chunks = [];
+    let total = 0;
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        if (value) {
+            total += value.length;
+            if (total > max) {
+                await reader.cancel().catch(() => { });
+                return null;
+            }
+            chunks.push(value);
+        }
+    }
+    return Buffer.concat(chunks);
+}
 function ensureImagesDir() {
     ensureDataDir();
     const dir = getImagesDir();
@@ -61,8 +203,17 @@ export function createImageRouter() {
             res.status(400).json({ error: 'No URL provided' });
             return;
         }
+        let response;
+        try {
+            response = await safeImageFetch(url);
+        }
+        catch {
+            // SSRF guard rejected the URL (bad scheme, private/blocked host, too many
+            // redirects). Generic message — never echo the resolved host or reason.
+            res.status(400).json({ error: 'URL not allowed' });
+            return;
+        }
         try {
-            const response = await fetch(url);
             if (!response.ok) {
                 res.status(400).json({ error: 'Failed to fetch image' });
                 return;
@@ -72,14 +223,25 @@ export function createImageRouter() {
                 res.status(400).json({ error: 'URL is not an image' });
                 return;
             }
+            // Reject early if the server declares an over-limit size.
+            const declaredLen = Number(response.headers.get('content-length'));
+            if (Number.isFinite(declaredLen) && declaredLen > MAX_IMAGE_BYTES) {
+                res.status(400).json({ error: 'Image too large' });
+                return;
+            }
             const ext = contentType.includes('jpeg') || contentType.includes('jpg') ? '.jpg'
                 : contentType.includes('gif') ? '.gif'
                     : contentType.includes('webp') ? '.webp'
                         : '.png';
+            // Stream with a hard byte cap so a lying/streaming server can't exhaust disk.
+            const buffer = await readCapped(response, MAX_IMAGE_BYTES);
+            if (!buffer) {
+                res.status(400).json({ error: 'Image too large' });
+                return;
+            }
             ensureImagesDir();
             const filename = `${randomUUID().slice(0, 8)}${ext}`;
             const filePath = join(getImagesDir(), filename);
-            const buffer = Buffer.from(await response.arrayBuffer());
             const { writeFileSync } = await import('fs');
             writeFileSync(filePath, buffer);
             const src = `/_images/${filename}`;

package/dist/server/index.js

@@ -45,6 +45,109 @@ const __dirname = dirname(__filename);
 let runtimePort = 5050;
 export function getRuntimePort() { return runtimePort; }
 export function getBaseUrl() { return `http://localhost:${runtimePort}`; }
+// ---- Trust boundary (anti-DNS-rebinding + CSRF) — MCP-5 ----
+// The HTTP API binds to loopback and historically trusted "localhost = the
+// user." That is false: with no Host/Origin validation a remote website can
+// reach this API via DNS rebinding (its page rebinds a hostname to 127.0.0.1,
+// the browser keeps sending the attacker's Host/Origin) and drive every
+// mutating route — switch profiles, enable plugins, rewrite plugin config.
+// The middleware below is the single gate for ALL routes. adr: see MCP-5.
+const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
+/** Split a Host header into hostname + optional port, handling [::1]:port. */
+function splitHostHeader(hostHeader) {
+    if (hostHeader.startsWith('[')) {
+        const close = hostHeader.indexOf(']');
+        if (close === -1)
+            return { host: hostHeader };
+        const host = hostHeader.slice(1, close);
+        const rest = hostHeader.slice(close + 1);
+        return { host, port: rest.startsWith(':') ? rest.slice(1) : undefined };
+    }
+    const colon = hostHeader.lastIndexOf(':');
+    if (colon === -1)
+        return { host: hostHeader };
+    return { host: hostHeader.slice(0, colon), port: hostHeader.slice(colon + 1) };
+}
+/** True when the Host header names loopback on the port we are serving. */
+function isAllowedHost(hostHeader, port) {
+    if (!hostHeader)
+        return false;
+    const { host, port: p } = splitHostHeader(hostHeader.trim());
+    if (!LOOPBACK_HOSTS.has(host.toLowerCase()))
+        return false;
+    if (p !== undefined && p !== String(port))
+        return false;
+    return true;
+}
+/** True when an Origin/Referer URL is same-origin (loopback on our port). */
+function isAllowedOrigin(value, port) {
+    if (!value)
+        return false;
+    try {
+        const u = new URL(value);
+        if (!LOOPBACK_HOSTS.has(u.hostname.toLowerCase()))
+            return false;
+        if (u.port && u.port !== String(port))
+            return false;
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+/**
+ * Global security gate, applied before any route or body parsing.
+ *  (a) Host allowlist — the anti-DNS-rebinding control.
+ *  (b) Origin/Referer same-origin check on state-changing methods (CSRF).
+ *      Browsers always send Origin on cross-origin POST, so a rebound page is
+ *      rejected here too. A *missing* Origin is allowed only for state-changing
+ *      requests from non-browser local clients (the client-mode MCP-over-HTTP
+ *      proxy uses curl-style requests with no Origin); the Host gate still
+ *      bounds those to loopback.
+ *  (c) Restrictive security headers on every response.
+ */
+function securityGate(port) {
+    return (req, res, next) => {
+        res.setHeader('X-Content-Type-Options', 'nosniff');
+        res.setHeader('X-Frame-Options', 'DENY');
+        res.setHeader('Referrer-Policy', 'no-referrer');
+        res.setHeader('Content-Security-Policy', [
+            "default-src 'self'",
+            "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+            "style-src 'self' 'unsafe-inline'",
+            "img-src 'self' data: blob: https:",
+            "font-src 'self' data:",
+            "connect-src 'self' ws: wss:",
+            "frame-ancestors 'none'",
+            "base-uri 'self'",
+            "object-src 'none'",
+        ].join('; '));
+        if (!isAllowedHost(req.headers.host, port)) {
+            res.status(403).json({ error: 'Forbidden' });
+            return;
+        }
+        if (STATE_CHANGING.has(req.method)) {
+            const origin = req.headers.origin;
+            const referer = req.headers.referer;
+            if (origin) {
+                if (!isAllowedOrigin(origin, port)) {
+                    res.status(403).json({ error: 'Forbidden' });
+                    return;
+                }
+            }
+            else if (referer) {
+                if (!isAllowedOrigin(referer, port)) {
+                    res.status(403).json({ error: 'Forbidden' });
+                    return;
+                }
+            }
+            // No Origin and no Referer: non-browser local client; Host gate above
+            // already constrained it to loopback. Allow.
+        }
+        next();
+    };
+}
 export async function startHttpServer(options = {}) {
     const port = options.port || 5050;
     runtimePort = port;
@@ -55,6 +158,11 @@ export async function startHttpServer(options = {}) {
     initLogger();
     logger.info('state', 'server-boot', `OpenWriter starting on port ${port}`, { port });
     const app = express();
+    // Trust boundary FIRST — reject cross-host / cross-origin before body
+    // parsing or any route handler runs. Covers every route, including the
+    // unauth state-changers /api/profiles/switch, /api/plugins/enable,
+    // /api/plugins/config, and the universal /api/mcp-call dispatcher. MCP-5.
+    app.use(securityGate(port));
     app.use(express.json({ limit: '10mb' }));
     // API routes for direct HTTP access (fallback if WS not available)
     app.get('/api/status', (_req, res) => {
@@ -69,7 +177,13 @@ export async function startHttpServer(options = {}) {
         }));
         res.json({ tools });
     });
-    // MCP-over-HTTP: allows client-mode terminals to proxy tool calls
+    // MCP-over-HTTP: allows client-mode terminals to proxy tool calls.
+    // MCP-4: this dispatches ANY MCP tool with the user's platform credentials,
+    // so it MUST never be reachable cross-origin. That guarantee is provided by
+    // the global securityGate above (Host allowlist + Origin/Referer check on
+    // POST) — a DNS-rebound page cannot satisfy either. No tool is intentionally
+    // exposed beyond same-origin/local callers here; any future tool that must
+    // never be driven over HTTP should be denylisted at this entry point.
     app.post('/api/mcp-call', async (req, res) => {
         const { tool: toolName, arguments: args } = req.body;
         // Wrap the call in a request ID scope so every event logged during

package/dist/server/mcp.js

@@ -201,6 +201,13 @@ const READ_PAD_MAX_WORDS = 2000;
  *  learns the new behavior without repeating the explanation. Resets on
  *  server restart. */
 let firstTruncationShown = false;
+/** MCP-9: metadata keys an agent must NEVER set via set_metadata. `autoAccept`
+ *  governs the human accept/reject gate — letting the agent write it via
+ *  open-ended frontmatter would self-grant auto-accept and bypass human review.
+ *  These are operator-only (set through the UI toggle path). The metadata
+ *  surface is otherwise intentionally open-ended, so this is a denylist of the
+ *  finite, enumerable privileged keys rather than an allowlist of content keys. */
+const AGENT_FORBIDDEN_METADATA_KEYS = new Set(['autoAccept']);
 export const TOOL_REGISTRY = [
     {
         name: 'read_pad',
@@ -913,8 +920,23 @@ export const TOOL_REGISTRY = [
             docId: z.string().describe('Target document by docId (8-char hex from list_documents).'),
             metadata: z.record(z.any()).describe('Key-value pairs to merge into frontmatter. Set a key to null to remove it.'),
         },
-        handler: async ({ docId, metadata: updates }) => {
+        handler: async ({ docId, metadata: rawUpdates }) => {
             const target = resolveDocTarget(docId);
+            // MCP-9: strip control keys. `autoAccept` governs the human accept/reject
+            // gate — an agent that could set it via set_metadata would self-grant
+            // auto-accept and bypass human review entirely. The approval-mode flag is
+            // operator-only (UI toggle → setDocAutoAccept / setWorkspaceAutoAccept).
+            // Stripping covers both set AND remove: deleting an explicit
+            // `autoAccept: false` would re-enable workspace-inherited auto-accept.
+            const updates = {};
+            const blockedKeys = [];
+            for (const [key, value] of Object.entries(rawUpdates)) {
+                if (AGENT_FORBIDDEN_METADATA_KEYS.has(key)) {
+                    blockedKeys.push(key);
+                    continue;
+                }
+                updates[key] = value;
+            }
             const setKeys = [];
             const removed = [];
             for (const [key, value] of Object.entries(updates)) {
@@ -988,6 +1010,8 @@ export const TOOL_REGISTRY = [
                 parts.push(`set: ${keys.join(', ')}`);
             if (removed.length > 0)
                 parts.push(`removed: ${removed.join(', ')}`);
+            if (blockedKeys.length > 0)
+                parts.push(`ignored (operator-only): ${blockedKeys.join(', ')}`);
             return { content: [{ type: 'text', text: `Metadata updated (${parts.join('; ')})` }] };
         },
     },

package/dist/server/plugin-manager.js

@@ -7,6 +7,23 @@ import { discoverPlugins, loadPluginModule } from './plugin-discovery.js';
 import { registerPluginTools, removePluginTools } from './mcp.js';
 import { readConfig, saveConfig, getDataDir } from './helpers.js';
 import { broadcastPluginsChanged } from './ws.js';
+import { isAllowedPublishApiUrl } from './connections.js';
+// MCP-2: plugin config holds raw secrets (publish ow_live_ key, X OAuth1
+// tokens, GitHub PAT, Gemini key). These must never cross the HTTP API. We
+// redact any config value whose KEY names a secret before it leaves the
+// server. Returned in place of the value is a sentinel that the settings UI
+// renders as "set"; updateConfig() treats an echoed sentinel as "unchanged"
+// so a naive save round-trip can never clobber the real secret with the mask.
+const SECRET_KEY_RE = /(key|secret|token|pat|password|auth|credential|bearer)/i;
+const REDACTED_SECRET = '__OW_SECRET_REDACTED__';
+/** Mask secret-valued config fields for safe transport over the API. */
+function redactConfig(config) {
+    const out = {};
+    for (const [k, v] of Object.entries(config)) {
+        out[k] = SECRET_KEY_RE.test(k) && v ? REDACTED_SECRET : v;
+    }
+    return out;
+}
 export class PluginManager {
     app;
     plugins = new Map();
@@ -101,7 +118,22 @@ export class PluginManager {
         const managed = this.plugins.get(name);
         if (!managed)
             return { success: false, error: `Plugin "${name}" not found` };
-        managed.config = { ...managed.config, ...values };
+        // Drop echoed redaction sentinels — the API never hands out real secrets
+        // (see redactConfig), so a value equal to the sentinel means "unchanged".
+        // Keeping the spread merge then preserves the stored secret. MCP-2.
+        const incoming = {};
+        for (const [k, v] of Object.entries(values)) {
+            if (v === REDACTED_SECRET)
+                continue;
+            incoming[k] = v;
+        }
+        // MCP-6: a hijacked publish `api-url` redirects the Bearer key off-host.
+        // Reject writes that point it anywhere but an allowed destination. The
+        // load-bearing pin lives in connections.ts; this rejects bad writes early.
+        if (typeof incoming['api-url'] === 'string' && incoming['api-url'] && !isAllowedPublishApiUrl(incoming['api-url'])) {
+            return { success: false, error: 'Invalid api-url: must point to an OpenWriter publish host' };
+        }
+        managed.config = { ...managed.config, ...incoming };
         this.savePluginState();
         return { success: true };
     }
@@ -113,7 +145,7 @@ export class PluginManager {
             description: m.discovered.description,
             enabled: m.enabled,
             configSchema: m.configSchema,
-            config: m.config,
+            config: redactConfig(m.config), // MCP-2: never leak raw secrets over the API
             source: m.discovered.source,
             displayName: m.discovered.displayName,
             category: m.discovered.category,

package/dist/server/workspaces.js

@@ -4,7 +4,7 @@
  * Manifests live in ~/.openwriter/_workspaces/*.json.
  */
 import { existsSync, readFileSync, writeFileSync, readdirSync } from 'fs';
-import { join } from 'path';
+import { join, resolve, isAbsolute, sep } from 'path';
 import { randomUUID } from 'crypto';
 import matter from 'gray-matter';
 import trash from 'trash';
@@ -17,8 +17,44 @@ import { addDocToContainer, addContainer as addContainerToTree, removeNode, move
 // ============================================================================
 // INTERNAL HELPERS
 // ============================================================================
+/**
+ * Resolve a workspace manifest filename to an absolute path that is GUARANTEED
+ * to live inside the active profile's `_workspaces/` directory.
+ *
+ * The `filename` originates from MCP tool args (`wsFile`, `filename`), so it is
+ * untrusted. Without this guard a value like `../../OtherProfile/_workspaces/x.json`
+ * or an absolute path would escape the active profile and read/write/delete
+ * another profile's manifests (and, via the doc files they reference, another
+ * profile's documents). Profile scoping in OpenWriter is enforced by anchoring
+ * every manifest path under `getWorkspacesDir()` (which encodes the active
+ * profile) — so containment IS profile scoping. Escaping containment is the
+ * only way to cross profiles, and this resolver makes that impossible.
+ *
+ * Rules: no separators, no `..`, not absolute, no null byte, must end in
+ * `.json`, never the reserved `_order.json`. Then a `path.resolve` +
+ * prefix-containment assert is the authoritative backstop.
+ *
+ * adr: (MCP-7 — workspace path traversal + profile scoping)
+ */
 function workspacePath(filename) {
-    return join(getWorkspacesDir(), filename);
+    if (!filename || typeof filename !== 'string') {
+        throw new Error('Invalid workspace identifier');
+    }
+    if (filename.includes('\0') ||
+        filename.includes('/') ||
+        filename.includes('\\') ||
+        filename.includes('..') ||
+        isAbsolute(filename) ||
+        !filename.endsWith('.json') ||
+        filename === '_order.json') {
+        throw new Error('Invalid workspace identifier');
+    }
+    const baseDir = resolve(getWorkspacesDir());
+    const resolved = resolve(baseDir, filename);
+    if (resolved !== baseDir && !resolved.startsWith(baseDir + sep)) {
+        throw new Error('Invalid workspace identifier');
+    }
+    return resolved;
 }
 /**
  * Migrate workspace-level tags into document frontmatter.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openwriter",
-  "version": "0.37.0",
+  "version": "0.37.1",
   "description": "The open-source writing surface for AI agents. Markdown-native editor with pending change review — your agent writes, you accept or reject.",
   "type": "module",
   "license": "MIT",