seo-intel 1.4.8 → 1.4.9

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## 1.4.9 (2026-04-10)
+
+### Security
+- Fixed arbitrary file write via `--out` query param in dashboard terminal API — write paths now server-controlled only
+- Fixed path traversal in froggo config loader — project names validated to `[a-z0-9_-]`
+- Added project name validation to export and terminal API endpoints
+
+### URL Normalization
+- Pages are now normalized before storage: fragments stripped (`/#pricing` → `/`), `index.html` collapsed
+- Internal link targets also normalized for consistent orphan/link analysis
+- Re-crawl to clean up existing fragment duplicates in your database
+
 ## 1.4.8 (2026-04-10)
 
 ### Export: own site only, zero competitor bloat

package/db/db.js

@@ -268,7 +268,19 @@ export function upsertDomain(db, { domain, project, role }) {
   `).run(domain, project, role, now, now);
 }
 
+function normalizePageUrl(rawUrl) {
+  try {
+    const u = new URL(rawUrl);
+    u.hash = '';                              // strip fragments (#pricing, #faq, etc.)
+    let path = u.pathname;
+    path = path.replace(/\/index\.html?$/i, '/');  // /en/index.html → /en/
+    u.pathname = path;
+    return u.toString();
+  } catch { return rawUrl; }
+}
+
 export function upsertPage(db, { domainId, url, statusCode, wordCount, loadMs, isIndexable, clickDepth = 0, publishedDate = null, modifiedDate = null, contentHash = null, title = null, metaDesc = null, bodyText = null }) {
+  url = normalizePageUrl(url);
   const now = Date.now();
   db.prepare(`
     INSERT INTO pages (domain_id, url, crawled_at, first_seen_at, status_code, word_count, load_ms, is_indexable, click_depth, published_date, modified_date, content_hash, title, meta_desc, body_text)
@@ -350,7 +362,7 @@ export function insertLinks(db, sourceId, links) {
   const stmt = db.prepare(`INSERT INTO links (source_id, target_url, anchor_text, is_internal) VALUES (?, ?, ?, ?)`);
   db.exec('BEGIN');
   try {
-    for (const l of links) stmt.run(sourceId, l.url, l.anchor, l.isInternal ? 1 : 0);
+    for (const l of links) stmt.run(sourceId, normalizePageUrl(l.url), l.anchor, l.isInternal ? 1 : 0);
     db.exec('COMMIT');
   } catch (e) { db.exec('ROLLBACK'); throw e; }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "seo-intel",
-  "version": "1.4.8",
+  "version": "1.4.9",
   "description": "Local Ahrefs-style SEO competitor intelligence. Crawl → SQLite → cloud analysis.",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",

package/server.js

@@ -596,7 +596,7 @@ async function handleRequest(req, res) {
       const format = url.searchParams.get('format') || 'json';
       const profile = url.searchParams.get('profile'); // dev | content | ai-pipeline
 
-      if (!project) { json(res, 400, { error: 'Missing project' }); return; }
+      if (!project || !/^[a-z0-9_-]+$/i.test(project)) { json(res, 400, { error: 'Invalid project name' }); return; }
 
       const { getDb } = await import('./db/db.js');
       const db = getDb(join(__dirname, 'seo-intel.db'));
@@ -1164,6 +1164,10 @@ async function handleRequest(req, res) {
     const params = url.searchParams;
     const command = params.get('command');
     const project = params.get('project') || '';
+    if (project && !/^[a-z0-9_-]+$/i.test(project)) {
+      json(res, 400, { error: 'Invalid project name' });
+      return;
+    }
 
     // Whitelist allowed commands
     const ALLOWED = ['crawl', 'extract', 'analyze', 'export-actions', 'competitive-actions',
@@ -1190,7 +1194,7 @@ async function handleRequest(req, res) {
     if (params.get('type')) args.push('--type', params.get('type'));
     if (params.get('limit')) args.push('--limit', params.get('limit'));
     if (params.has('raw')) args.push('--raw');
-    if (params.get('out')) args.push('--out', params.get('out'));
+    // --out is NOT passed from dashboard — write paths are server-controlled only (see auto-save below)
 
     // Auto-save exports from dashboard to reports/
     const EXPORT_CMDS = ['export-actions', 'suggest-usecases', 'competitive-actions'];