npm - vibe-and-thrive - Versions diffs - 1.7.3 → 1.7.4 - Mend

vibe-and-thrive 1.7.3 → 1.7.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "vibe-and-thrive",
-  "version": "1.7.3",
+  "version": "1.7.4",
   "description": "Ship quality code faster with AI - RALPH autonomous loop, Claude Code hooks, and pre-commit checks",
   "author": "Allie Jones <allie@allthrive.ai>",
   "license": "MIT",

package/ralph/prd.sh CHANGED Viewed

@@ -33,8 +33,9 @@ ralph_prd() {
     notes=$(cat "$from_file") || { print_error "Failed to read $from_file"; return 1; }
   fi
-  # Trim whitespace
-  notes=$(echo "$notes" | xargs)
+  # Trim leading/trailing whitespace (safer than xargs)
+  notes="${notes#"${notes%%[![:space:]]*}"}"  # trim leading
+  notes="${notes%"${notes##*[![:space:]]}"}"  # trim trailing
   if [[ -z "$notes" ]]; then
     print_error "No notes provided. Usage: ralph prd <description>"

package/ralph/signs.sh CHANGED Viewed

@@ -47,7 +47,7 @@ ralph_sign() {
   local tmpfile
   tmpfile=$(mktemp)
-  jq --arg id "$sign_id" \
+  if jq --arg id "$sign_id" \
      --arg pattern "$pattern" \
      --arg category "$category" \
      --arg learnedFrom "$learned_from" \
@@ -58,9 +58,7 @@ ralph_sign() {
        category: $category,
        learnedFrom: (if $learnedFrom == "" then null else $learnedFrom end),
        createdAt: $createdAt
-     }]' "$RALPH_DIR/signs.json" > "$tmpfile"
-  if [[ $? -eq 0 ]]; then
+     }]' "$RALPH_DIR/signs.json" > "$tmpfile" && jq -e . "$tmpfile" >/dev/null 2>&1; then
     mv "$tmpfile" "$RALPH_DIR/signs.json"
     print_success "Added sign: [$category] $pattern"
     log_progress "SIGN" "ADDED" "$sign_id: $pattern"

package/ralph/utils.sh CHANGED Viewed

@@ -235,27 +235,45 @@ trap cleanup EXIT
 # Validate a command doesn't contain dangerous patterns
 # Returns 0 if safe, 1 if dangerous
+# Note: This is defense-in-depth. Commands come from user config, so user must trust their own config.
 validate_command() {
   local cmd="$1"
-  # Block dangerous patterns
+  # Block obviously dangerous patterns (defense-in-depth, not security boundary)
   local dangerous_patterns=(
-    'rm[[:space:]]+-rf[[:space:]]+/'      # rm -rf /
-    'rm[[:space:]]+-rf[[:space:]]+\*'     # rm -rf *
-    'curl.*\|.*bash'                       # curl | bash
-    'curl.*\|.*sh'                         # curl | sh
-    'wget.*\|.*bash'                       # wget | bash
-    'wget.*\|.*sh'                         # wget | sh
-    '\$\([^)]*eval'                        # $(eval ...)
-    'eval[[:space:]]+\$'                   # eval $var
-    '>[[:space:]]*/dev/sd'                 # write to disk devices
-    'mkfs\.'                               # format filesystems
-    'dd[[:space:]]+if='                    # dd commands
+    # Destructive file operations
+    'rm[[:space:]]+-rf[[:space:]]+/'              # rm -rf /
+    'rm[[:space:]]+-rf[[:space:]]+~'              # rm -rf ~ (home dir)
+    'rm[[:space:]]+-rf[[:space:]]+\*'             # rm -rf *
+    'rm[[:space:]]+-rf[[:space:]]+\.\.'           # rm -rf ..
+    'rm[[:space:]].*--no-preserve-root'           # rm with --no-preserve-root
+    # Remote code execution
+    'curl.*\|.*bash'                               # curl | bash
+    'curl.*\|.*sh[[:space:]]*$'                    # curl | sh
+    'wget.*\|.*bash'                               # wget | bash
+    'wget.*\|.*sh[[:space:]]*$'                    # wget | sh
+    'curl.*>[[:space:]]*/tmp/.*&&.*bash'           # curl > /tmp/x && bash
+    # Code injection
+    '\$\([^)]*eval'                                # $(eval ...)
+    'eval[[:space:]]+\$'                           # eval $var
+    'eval[[:space:]]+["\x27]'                      # eval "..." or eval '...'
+    # System damage
+    '>[[:space:]]*/dev/sd'                         # write to disk devices
+    '>[[:space:]]*/dev/nvme'                       # write to nvme devices
+    'mkfs\.'                                       # format filesystems
+    'dd[[:space:]]+if='                            # dd commands
+    ':(){:|:&};:'                                  # fork bomb
+    # Credential theft
+    'cat.*\.ssh/id_'                               # read SSH keys
+    'cat.*/etc/shadow'                             # read shadow file
+    'cat.*\.aws/credentials'                       # read AWS creds
+    'cat.*\.env'                                   # read env files (often has secrets)
   )
   for pattern in "${dangerous_patterns[@]}"; do
     if [[ "$cmd" =~ $pattern ]]; then
-      print_error "Command contains dangerous pattern: $cmd"
+      print_error "Command blocked (dangerous pattern): $cmd"
+      log_progress "BLOCKED dangerous command: $cmd"
       return 1
     fi
   done