skillscokac 1.4.3 → 1.5.0

package/bin/skillscokac.js

@@ -57,24 +57,134 @@ function validateSkillName(skillName) {
   return trimmed
 }
 
+/**
+ * Preprocess frontmatter to fix common YAML issues
+ * Automatically quotes values that contain special characters
+ */
+function preprocessFrontmatter(frontmatterText) {
+  const lines = frontmatterText.split('\n')
+
+  // Limit line count to prevent DoS
+  if (lines.length > 1000) {
+    throw new Error('Frontmatter too complex (max 1000 lines)')
+  }
+
+  const processedLines = []
+
+  for (const line of lines) {
+    // Limit line length to prevent ReDoS
+    if (line.length > 2000) {
+      throw new Error('Frontmatter line too long (max 2000 characters)')
+    }
+
+    // Skip empty lines or comments
+    if (!line.trim() || line.trim().startsWith('#')) {
+      processedLines.push(line)
+      continue
+    }
+
+    // Match key-value pairs with non-greedy match to prevent ReDoS
+    // Key must start with letter, value limited to prevent backtracking
+    const match = line.match(/^(\s*)([a-zA-Z][a-zA-Z0-9_-]*):\s*([^\n\r]{0,1500})$/)
+
+    if (!match || match.length !== 4) {
+      // Not a simple key-value pair, keep as is
+      processedLines.push(line)
+      continue
+    }
+
+    const indent = match[1]
+    const key = match[2]
+    const value = match[3]
+
+    // Skip if value is empty
+    if (!value.trim()) {
+      processedLines.push(line)
+      continue
+    }
+
+    // Skip if already quoted (starts and ends with quotes)
+    const trimmedValue = value.trim()
+    if ((trimmedValue.startsWith('"') && trimmedValue.endsWith('"')) ||
+        (trimmedValue.startsWith("'") && trimmedValue.endsWith("'"))) {
+      processedLines.push(line)
+      continue
+    }
+
+    // Skip if it's a block scalar (| or >)
+    if (trimmedValue === '|' || trimmedValue === '>') {
+      processedLines.push(line)
+      continue
+    }
+
+    // Skip if it's an array or object
+    if (trimmedValue.startsWith('[') || trimmedValue.startsWith('{')) {
+      processedLines.push(line)
+      continue
+    }
+
+    // Check if value contains special YAML characters that need quoting
+    const needsQuoting = /[:{}[\]|>@`&*!%#]/.test(value)
+
+    if (needsQuoting) {
+      // Proper escaping for YAML double-quoted strings
+      let escapedValue = value
+        .replace(/\\/g, '\\\\')  // Escape backslashes first
+        .replace(/"/g, '\\"')     // Escape double quotes
+        .replace(/\n/g, '\\n')    // Escape newlines
+        .replace(/\r/g, '\\r')    // Escape carriage returns
+        .replace(/\t/g, '\\t')    // Escape tabs
+
+      processedLines.push(`${indent}${key}: "${escapedValue}"`)
+    } else {
+      processedLines.push(line)
+    }
+  }
+
+  return processedLines.join('\n')
+}
+
 /**
  * Parse frontmatter from markdown content
+ * Handles both Unix (\n) and Windows (\r\n) line endings
  */
 function parseFrontmatter(content) {
+  // Normalize line endings to handle both CRLF and LF
+  const normalizedContent = content.replace(/\r\n/g, '\n')
   const frontmatterRegex = /^---\n([\s\S]*?)\n---/
-  const match = content.match(frontmatterRegex)
+  const match = normalizedContent.match(frontmatterRegex)
 
   if (!match) {
-    return { metadata: {}, content }
+    return { metadata: {}, content: normalizedContent }
   }
 
   try {
-    const metadata = yaml.parse(match[1])
-    const markdownContent = content.slice(match[0].length).trim()
+    // Limit frontmatter size to prevent YAML bombs
+    if (match[1].length > 10000) {
+      throw new Error('Frontmatter too large (max 10KB)')
+    }
+
+    // Preprocess frontmatter to fix common YAML issues
+    const preprocessed = preprocessFrontmatter(match[1])
+
+    // Parse with strict options to prevent YAML bombs
+    const metadata = yaml.parse(preprocessed, {
+      maxAliasCount: 10,      // Limit alias expansion to prevent Billion Laughs
+      strict: true,           // Strict YAML parsing
+      uniqueKeys: true,       // Reject duplicate keys
+      version: '1.2'          // Use YAML 1.2 spec
+    })
+
+    // Validate metadata is a plain object
+    if (typeof metadata !== 'object' || metadata === null || Array.isArray(metadata)) {
+      throw new Error('Invalid frontmatter: must be an object')
+    }
+
+    const markdownContent = normalizedContent.slice(match[0].length).trim()
     return { metadata, content: markdownContent }
   } catch (error) {
     console.error(chalk.red('Error parsing frontmatter:'), error.message)
-    return { metadata: {}, content }
+    return { metadata: {}, content: normalizedContent }
   }
 }
 
@@ -127,9 +237,17 @@ async function fetchSkill(skillName, options = {}) {
       headers: {
         'User-Agent': `skillscokac-cli/${VERSION}`
       },
-      timeout: AXIOS_TIMEOUT
+      timeout: AXIOS_TIMEOUT,
+      maxRedirects: 5,  // Limit redirects
+      validateStatus: (status) => status === 200  // Only accept 200 OK
     })
 
+    // Validate content type
+    const contentType = marketplaceResponse.headers['content-type']
+    if (!contentType || !contentType.includes('application/json')) {
+      throw new Error('Invalid response type from server (expected JSON)')
+    }
+
     const marketplace = marketplaceResponse.data
 
     // Validate marketplace data structure
@@ -185,11 +303,50 @@ async function fetchSkill(skillName, options = {}) {
     const zip = new AdmZip(Buffer.from(zipResponse.data))
     const zipEntries = zip.getEntries()
 
-    // Check total uncompressed size
+    // Check total uncompressed size and validate entries
     let totalSize = 0
+    const MAX_COMPRESSION_RATIO = 100  // 100:1 max ratio to prevent zip bombs
+
     for (const entry of zipEntries) {
+      const entryName = entry.entryName
+
+      // Validate entry name for security
+      // Reject absolute paths
+      if (path.isAbsolute(entryName)) {
+        throw new Error(`Invalid zip entry: absolute path not allowed: ${entryName}`)
+      }
+
+      // Reject path traversal attempts
+      const normalized = path.normalize(entryName).replace(/\\/g, '/')
+      if (normalized.includes('..') || normalized.startsWith('.')) {
+        throw new Error(`Invalid zip entry: path traversal detected: ${entryName}`)
+      }
+
+      // Reject entries with null bytes
+      if (entryName.includes('\0')) {
+        throw new Error('Invalid zip entry: null byte in filename')
+      }
+
+      // Validate file entries
       if (!entry.isDirectory) {
-        totalSize += entry.header.size
+        const uncompressedSize = entry.header.size
+        const compressedSize = entry.header.compressedSize
+
+        // Check individual file size
+        if (uncompressedSize > MAX_FILE_SIZE * 2) {
+          throw new Error(`File too large in package: ${entryName} (${Math.round(uncompressedSize / 1024 / 1024)}MB)`)
+        }
+
+        // Check compression ratio to detect zip bombs
+        if (compressedSize > 0) {
+          const ratio = uncompressedSize / compressedSize
+          if (ratio > MAX_COMPRESSION_RATIO) {
+            throw new Error(`Suspicious compression ratio detected in ${entryName} (possible zip bomb)`)
+          }
+        }
+
+        // Check total uncompressed size
+        totalSize += uncompressedSize
         if (totalSize > MAX_ZIP_SIZE * 2) {
           throw new Error('Skill package contains too much data (possible zip bomb)')
         }
@@ -202,10 +359,21 @@ async function fetchSkill(skillName, options = {}) {
     )
 
     if (!skillMdEntry) {
-      throw new Error('Invalid skill package')
+      throw new Error('Invalid skill package: SKILL.md not found')
+    }
+
+    // Validate SKILL.md size before reading
+    if (skillMdEntry.header.size > MAX_FILE_SIZE) {
+      throw new Error(`SKILL.md too large (${Math.round(skillMdEntry.header.size / 1024)}KB). Maximum: ${Math.round(MAX_FILE_SIZE / 1024)}KB`)
     }
 
     const skillMdContent = skillMdEntry.getData().toString('utf8')
+
+    // Validate content length after conversion
+    if (skillMdContent.length > MAX_FILE_SIZE) {
+      throw new Error('SKILL.md content too large after conversion')
+    }
+
     const { metadata } = parseFrontmatter(skillMdContent)
 
     // Get additional files (excluding SKILL.md)
@@ -396,15 +564,32 @@ async function installSkillCommand(skillName) {
  * Install collection command handler
  */
 async function installCollectionCommand(collectionId) {
+  // Validate collection ID to prevent SSRF
+  if (!collectionId || typeof collectionId !== 'string') {
+    console.log(chalk.red('✗ Invalid collection ID'))
+    process.exit(1)
+  }
+
+  const trimmedId = collectionId.trim()
+
+  // Collection IDs should be alphanumeric with hyphens/underscores only
+  if (!/^[a-zA-Z0-9_-]+$/.test(trimmedId) || trimmedId.length > 100) {
+    console.log(chalk.red('✗ Invalid collection ID format'))
+    console.log(chalk.dim('Collection ID must contain only letters, numbers, hyphens, and underscores'))
+    process.exit(1)
+  }
+
   const spinner = ora('Fetching collection...').start()
 
   try {
-    // Fetch collection
-    const response = await axios.get(`${API_BASE_URL}/api/collections/${collectionId}`, {
+    // Fetch collection (using validated ID)
+    const response = await axios.get(`${API_BASE_URL}/api/collections/${trimmedId}`, {
       headers: {
         'User-Agent': `skillscokac-cli/${VERSION}`
       },
-      timeout: AXIOS_TIMEOUT
+      timeout: AXIOS_TIMEOUT,
+      maxRedirects: 5,  // Limit redirects
+      validateStatus: (status) => status >= 200 && status < 300  // Only accept 2xx
     })
 
     const collection = response.data
@@ -462,8 +647,23 @@ async function installCollectionCommand(collectionId) {
     // Install each skill
     for (let i = 0; i < skills.length; i++) {
       const skillPost = skills[i]
+
+      // Validate skillPost structure
+      if (!skillPost || typeof skillPost !== 'object') {
+        console.log(chalk.red('  ✗') + chalk.dim(' Invalid skill data'))
+        failCount++
+        continue
+      }
+
       const skillName = skillPost.skillName
 
+      // Validate skill name before processing
+      if (!skillName || typeof skillName !== 'string' || skillName.length > 100) {
+        console.log(chalk.red('  ✗') + chalk.dim(' Invalid skill name in collection'))
+        failCount++
+        continue
+      }
+
       try {
         // Fetch and install skill in silent mode
         const skill = await fetchSkill(skillName, { silent: true })

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skillscokac",
-  "version": "1.4.3",
+  "version": "1.5.0",
   "description": "CLI tool to install and manage Claude Code skills from skills.cokac.com",
   "main": "bin/skillscokac.js",
   "bin": {