ship-safe 4.1.0 → 4.2.0

package/cli/commands/doctor.js

@@ -0,0 +1,149 @@
+/**
+ * Doctor Command — Environment Diagnostics
+ * ==========================================
+ *
+ * Checks Node.js version, git, npm, API keys, ignore files,
+ * cache directory, and package version.
+ *
+ * USAGE:
+ *   npx ship-safe doctor
+ */
+
+import { execFileSync } from 'child_process';
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const PACKAGE_VERSION = JSON.parse(readFileSync(join(__dirname, '../../package.json'), 'utf8')).version;
+
+export async function doctorCommand() {
+  console.log();
+  console.log(chalk.cyan.bold('  Ship Safe Doctor'));
+  console.log(chalk.gray('  ' + '─'.repeat(50)));
+  console.log();
+
+  let allGood = true;
+
+  // 1. Node.js version
+  const nodeVersion = process.version;
+  const nodeMajor = parseInt(nodeVersion.slice(1), 10);
+  if (nodeMajor >= 18) {
+    pass(`Node.js ${nodeVersion} (requires ≥18)`);
+  } else {
+    fail(`Node.js ${nodeVersion} — requires ≥18`);
+    allGood = false;
+  }
+
+  // 2. Git
+  try {
+    const gitVersion = execFileSync('git', ['--version'], { encoding: 'utf-8' }).trim();
+    pass(gitVersion.replace('git version ', 'git v'));
+  } catch {
+    fail('git not found (needed for guard, git-history-scanner)');
+    allGood = false;
+  }
+
+  // 3. Package manager
+  const managers = ['npm', 'yarn', 'pnpm'];
+  let foundPm = false;
+  for (const pm of managers) {
+    try {
+      const ver = execFileSync(pm, ['--version'], { encoding: 'utf-8', shell: true }).trim();
+      pass(`${pm} v${ver}`);
+      foundPm = true;
+      break;
+    } catch { /* try next */ }
+  }
+  if (!foundPm) {
+    fail('No package manager found (npm/yarn/pnpm)');
+    allGood = false;
+  }
+
+  // 4. API keys
+  const apiKeys = [
+    { name: 'Anthropic API key', env: 'ANTHROPIC_API_KEY', required: false },
+    { name: 'OpenAI API key', env: 'OPENAI_API_KEY', required: false },
+    { name: 'Google AI API key', env: 'GOOGLE_API_KEY', required: false },
+  ];
+  for (const key of apiKeys) {
+    if (process.env[key.env]) {
+      pass(`${key.name} configured`);
+    } else {
+      info(`${key.name} not set (optional — for AI classification)`);
+    }
+  }
+
+  // 5. .ship-safeignore
+  const cwd = process.cwd();
+  const ignorePath = path.join(cwd, '.ship-safeignore');
+  if (fs.existsSync(ignorePath)) {
+    try {
+      const patterns = fs.readFileSync(ignorePath, 'utf-8')
+        .split('\n').filter(l => l.trim() && !l.startsWith('#')).length;
+      pass(`.ship-safeignore found (${patterns} patterns)`);
+    } catch {
+      pass('.ship-safeignore found');
+    }
+  } else {
+    info('.ship-safeignore not found (run: ship-safe init)');
+  }
+
+  // 6. Cache directory
+  const cacheDir = path.join(cwd, '.ship-safe');
+  if (fs.existsSync(cacheDir)) {
+    try {
+      const testFile = path.join(cacheDir, '.doctor-test');
+      fs.writeFileSync(testFile, 'test');
+      fs.unlinkSync(testFile);
+      pass('Cache directory writable');
+    } catch {
+      fail('Cache directory not writable');
+      allGood = false;
+    }
+  } else {
+    info('Cache directory does not exist yet (created on first scan)');
+  }
+
+  // 7. Version check
+  pass(`ship-safe v${PACKAGE_VERSION}`);
+  try {
+    const latest = execFileSync('npm', ['view', 'ship-safe', 'version'], {
+      encoding: 'utf-8', timeout: 5000, shell: true,
+    }).trim();
+    if (latest && latest !== PACKAGE_VERSION) {
+      const msg = ['v', latest, ' available (current: v', PACKAGE_VERSION, ')'].join('');
+      info(msg);
+    } else if (latest) {
+      pass('Up to date');
+    }
+  } catch {
+    // Skip version check if npm view fails
+  }
+
+  console.log();
+  if (allGood) {
+    console.log(chalk.green.bold('  All checks passed!'));
+  } else {
+    console.log(chalk.yellow.bold('  Some checks failed. See above for details.'));
+  }
+  console.log();
+}
+
+function pass(msg) {
+  console.log(chalk.green('  ✔ ') + chalk.white(msg));
+}
+
+function fail(msg) {
+  console.log(chalk.red('  ✗ ') + chalk.red(msg));
+}
+
+function info(msg) {
+  console.log(chalk.gray('  ○ ') + chalk.gray(msg));
+}
+
+export default doctorCommand;

package/cli/commands/remediate.js

@@ -34,7 +34,7 @@ import fs from 'fs';
 import path from 'path';
 import os from 'os';
 import { createInterface } from 'readline';
-import { execSync } from 'child_process';
+import { execSync, execFileSync } from 'child_process';
 import chalk from 'chalk';
 import ora from 'ora';
 import pkg from 'write-file-atomic';
@@ -270,6 +270,11 @@ function createBackupDir(rootPath) {
 function backupFile(filePath, backupDir, rootPath) {
   const rel = path.relative(rootPath, filePath);
   const dest = path.join(backupDir, rel);
+  const resolvedDest = path.resolve(dest);
+  const resolvedBackupDir = path.resolve(backupDir);
+  if (!resolvedDest.startsWith(resolvedBackupDir + path.sep) && resolvedDest !== resolvedBackupDir) {
+    throw new Error(`Path traversal detected: ${rel} escapes backup directory`);
+  }
   fs.mkdirSync(path.dirname(dest), { recursive: true });
   fs.copyFileSync(filePath, dest);
 }
@@ -414,8 +419,7 @@ function checkPublicRepo(rootPath) {
 function stageFiles(files, rootPath) {
   if (files.length === 0) return;
   try {
-    const quoted = files.map(f => `"${f}"`).join(' ');
-    execSync(`git add ${quoted}`, { cwd: rootPath, stdio: 'inherit' }); // ship-safe-ignore — paths come from our own file scan
+    execFileSync('git', ['add', ...files], { cwd: rootPath, stdio: 'inherit' });
     output.success(`Staged ${files.length} file(s) with git add`);
   } catch {
     output.warning('Could not stage files — run git add manually.');

package/cli/index.js

@@ -1,53 +1,56 @@
-/**
- * Ship Safe CLI - Module Entry Point
- * ===================================
- *
- * This file exports the CLI commands and agents for programmatic use.
- * For normal CLI usage, run: npx ship-safe
- */
-
-// ── Core Commands ─────────────────────────────────────────────────────────────
-export { scanCommand } from './commands/scan.js';
-export { checklistCommand } from './commands/checklist.js';
-export { initCommand } from './commands/init.js';
-export { agentCommand } from './commands/agent.js';
-export { depsCommand, runDepsAudit } from './commands/deps.js';
-export { scoreCommand } from './commands/score.js';
-
-// ── v4.0 Commands ─────────────────────────────────────────────────────────────
-export { auditCommand } from './commands/audit.js';
-export { redTeamCommand } from './commands/red-team.js';
-export { watchCommand } from './commands/watch.js';
-
-// ── Patterns ──────────────────────────────────────────────────────────────────
-export { SECRET_PATTERNS, SECURITY_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS } from './utils/patterns.js';
-
-// ── Agent Framework ───────────────────────────────────────────────────────────
-export { BaseAgent, createFinding } from './agents/base-agent.js';
-export { Orchestrator } from './agents/orchestrator.js';
-export { buildOrchestrator } from './agents/index.js';
-
-// ── Individual Agents ─────────────────────────────────────────────────────────
-export { ReconAgent } from './agents/recon-agent.js';
-export { InjectionTester } from './agents/injection-tester.js';
-export { AuthBypassAgent } from './agents/auth-bypass-agent.js';
-export { SSRFProber } from './agents/ssrf-prober.js';
-export { SupplyChainAudit } from './agents/supply-chain-agent.js';
-export { ConfigAuditor } from './agents/config-auditor.js';
-export { LLMRedTeam } from './agents/llm-redteam.js';
-export { MobileScanner } from './agents/mobile-scanner.js';
-export { GitHistoryScanner } from './agents/git-history-scanner.js';
-export { CICDScanner } from './agents/cicd-scanner.js';
-export { APIFuzzer } from './agents/api-fuzzer.js';
-
-// ── Supporting Modules ────────────────────────────────────────────────────────
-export { ScoringEngine, GRADES, CATEGORIES } from './agents/scoring-engine.js';
-export { SBOMGenerator } from './agents/sbom-generator.js';
-export { PolicyEngine } from './agents/policy-engine.js';
-export { HTMLReporter } from './agents/html-reporter.js';
-
-// ── Caching ──────────────────────────────────────────────────────────────────
-export { CacheManager } from './utils/cache-manager.js';
-
-// ── LLM Providers ─────────────────────────────────────────────────────────────
-export { createProvider, autoDetectProvider } from './providers/llm-provider.js';
+/**
+ * Ship Safe CLI - Module Entry Point
+ * ===================================
+ *
+ * This file exports the CLI commands and agents for programmatic use.
+ * For normal CLI usage, run: npx ship-safe
+ */
+
+// ── Core Commands ─────────────────────────────────────────────────────────────
+export { scanCommand } from './commands/scan.js';
+export { checklistCommand } from './commands/checklist.js';
+export { initCommand } from './commands/init.js';
+export { agentCommand } from './commands/agent.js';
+export { depsCommand, runDepsAudit } from './commands/deps.js';
+export { scoreCommand } from './commands/score.js';
+
+// ── v4.0 Commands ─────────────────────────────────────────────────────────────
+export { auditCommand } from './commands/audit.js';
+export { redTeamCommand } from './commands/red-team.js';
+export { watchCommand } from './commands/watch.js';
+
+// ── v4.2 Commands ─────────────────────────────────────────────────────────────
+export { doctorCommand } from './commands/doctor.js';
+
+// ── Patterns ──────────────────────────────────────────────────────────────────
+export { SECRET_PATTERNS, SECURITY_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS } from './utils/patterns.js';
+
+// ── Agent Framework ───────────────────────────────────────────────────────────
+export { BaseAgent, createFinding } from './agents/base-agent.js';
+export { Orchestrator } from './agents/orchestrator.js';
+export { buildOrchestrator } from './agents/index.js';
+
+// ── Individual Agents ─────────────────────────────────────────────────────────
+export { ReconAgent } from './agents/recon-agent.js';
+export { InjectionTester } from './agents/injection-tester.js';
+export { AuthBypassAgent } from './agents/auth-bypass-agent.js';
+export { SSRFProber } from './agents/ssrf-prober.js';
+export { SupplyChainAudit } from './agents/supply-chain-agent.js';
+export { ConfigAuditor } from './agents/config-auditor.js';
+export { LLMRedTeam } from './agents/llm-redteam.js';
+export { MobileScanner } from './agents/mobile-scanner.js';
+export { GitHistoryScanner } from './agents/git-history-scanner.js';
+export { CICDScanner } from './agents/cicd-scanner.js';
+export { APIFuzzer } from './agents/api-fuzzer.js';
+
+// ── Supporting Modules ────────────────────────────────────────────────────────
+export { ScoringEngine, GRADES, CATEGORIES } from './agents/scoring-engine.js';
+export { SBOMGenerator } from './agents/sbom-generator.js';
+export { PolicyEngine } from './agents/policy-engine.js';
+export { HTMLReporter } from './agents/html-reporter.js';
+
+// ── Caching ──────────────────────────────────────────────────────────────────
+export { CacheManager } from './utils/cache-manager.js';
+
+// ── LLM Providers ─────────────────────────────────────────────────────────────
+export { createProvider, autoDetectProvider } from './providers/llm-provider.js';