wogiflow 1.5.13 → 1.5.14

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wogiflow",
-  "version": "1.5.13",
+  "version": "1.5.14",
   "description": "AI-powered development workflow management system with multi-model support",
   "main": "lib/index.js",
   "bin": {

package/scripts/flow-community.js

@@ -13,11 +13,11 @@
 const fs = require('fs');
 const path = require('path');
 const https = require('https');
-const http = require('http');
 const crypto = require('crypto');
 const os = require('os');
+const { execFileSync } = require('child_process');
 
-const { getConfig, PATHS, safeJsonParse } = require('./flow-utils');
+const { PATHS, safeJsonParse, safeJsonParseString } = require('./flow-utils');
 
 // ~/.wogiflow/ directory for user-level state (persists across projects)
 const WOGIFLOW_HOME = path.join(os.homedir(), '.wogiflow');
@@ -28,6 +28,7 @@ const LAST_PUSH_PATH = path.join(WOGIFLOW_HOME, 'last-community-push');
 const CONSENT_PATH = path.join(WOGIFLOW_HOME, 'consent-acknowledged');
 
 const REQUEST_TIMEOUT_MS = 5000;
+const MAX_RESPONSE_BYTES = 512 * 1024; // 512KB max response size
 
 // ──────────────────────────────────────────────
 // Anonymous ID
@@ -146,7 +147,6 @@ function stripPII(data, config) {
   let gitUser = '';
   let gitEmail = '';
   try {
-    const { execFileSync } = require('child_process');
     gitUser = execFileSync('git', ['config', 'user.name'], { encoding: 'utf-8', timeout: 2000 }).trim();
     gitEmail = execFileSync('git', ['config', 'user.email'], { encoding: 'utf-8', timeout: 2000 }).trim();
   } catch {
@@ -159,7 +159,7 @@ function stripPII(data, config) {
     let result = str;
 
     // Replace absolute paths (Unix and Windows)
-    result = result.replace(/(?:\/(?:Users|home|var|tmp|opt|etc|usr)\/[^\s,;:'")\]}>]+)/g, '[PATH]');
+    result = result.replace(/(?:\/(?:Users|home|var|tmp|opt|etc|usr|root|app|srv|run|mnt|media|proc|data)\/[^\s,;:'")\]}>]+)/g, '[PATH]');
     result = result.replace(/(?:[A-Z]:\\[^\s,;:'")\]}>]+)/gi, '[PATH]');
 
     // Replace home directory references
@@ -266,13 +266,17 @@ function collectShareableData(config) {
  * Get WogiFlow version from package.json.
  * @returns {string}
  */
+let _cachedVersion = null;
 function getWogiFlowVersion() {
+  if (_cachedVersion) return _cachedVersion;
   try {
     const pkgPath = path.join(__dirname, '..', 'package.json');
-    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
-    return pkg.version || 'unknown';
+    const pkg = safeJsonParse(pkgPath, {});
+    _cachedVersion = pkg.version || 'unknown';
+    return _cachedVersion;
   } catch {
-    return 'unknown';
+    _cachedVersion = 'unknown';
+    return _cachedVersion;
   }
 }
 
@@ -505,6 +509,42 @@ function collectSkillLearnings() {
 // HTTP Helpers
 // ──────────────────────────────────────────────
 
+/**
+ * Validate server URL to prevent SSRF attacks.
+ * Enforces HTTPS-only and blocks private/internal addresses.
+ * @param {string} urlStr
+ * @returns {boolean}
+ */
+function isAllowedServerUrl(urlStr) {
+  try {
+    const url = new URL(urlStr);
+    // Enforce HTTPS only
+    if (url.protocol !== 'https:') return false;
+    // Block localhost and loopback
+    // URL.hostname returns IPv6 with bracket delimiters (e.g., '[::1]') — strip them
+    const rawHostname = url.hostname.toLowerCase();
+    const hostname = rawHostname.startsWith('[') ? rawHostname.slice(1, -1) : rawHostname;
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1') return false;
+    // Block IPv6 private/loopback ranges
+    if (hostname.startsWith('::ffff:')) return false;      // IPv4-mapped IPv6
+    if (hostname.startsWith('fe80:') || hostname.startsWith('fe80::')) return false;  // Link-local
+    if (hostname.startsWith('fc00:') || hostname.startsWith('fd00:')) return false;   // Unique local (RFC 4193)
+    // Block private IP ranges (RFC-1918 + link-local)
+    const ipMatch = hostname.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
+    if (ipMatch) {
+      const a = parseInt(ipMatch[1], 10);
+      const b = parseInt(ipMatch[2], 10);
+      if (a === 10) return false;                          // 10.0.0.0/8
+      if (a === 172 && b >= 16 && b <= 31) return false;  // 172.16.0.0/12
+      if (a === 192 && b === 168) return false;            // 192.168.0.0/16
+      if (a === 169 && b === 254) return false;            // 169.254.0.0/16 (link-local)
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+
 /**
  * Make an HTTPS request with timeout. Fire-and-forget pattern.
  * @param {string} method - HTTP method
@@ -516,13 +556,19 @@ function collectSkillLearnings() {
 function httpRequest(method, urlStr, body = null, timeoutMs = REQUEST_TIMEOUT_MS) {
   return new Promise((resolve) => {
     try {
-      const url = new URL(urlStr);
-      const isHttps = url.protocol === 'https:';
-      const transport = isHttps ? https : http;
+      if (!isAllowedServerUrl(urlStr)) {
+        if (process.env.DEBUG) {
+          console.error(`[flow-community] Blocked request to disallowed URL: ${urlStr}`);
+        }
+        resolve(null);
+        return;
+      }
 
+      const url = new URL(urlStr);
+      // isAllowedServerUrl already enforces HTTPS — use https directly
       const options = {
         hostname: url.hostname,
-        port: url.port || (isHttps ? 443 : 80),
+        port: url.port || 443,
         path: url.pathname + url.search,
         method,
         headers: {
@@ -533,9 +579,17 @@ function httpRequest(method, urlStr, body = null, timeoutMs = REQUEST_TIMEOUT_MS
         timeout: timeoutMs
       };
 
-      const req = transport.request(options, (res) => {
+      const req = https.request(options, (res) => {
         let data = '';
-        res.on('data', (chunk) => { data += chunk; });
+        res.on('data', (chunk) => {
+          // Check size BEFORE appending to prevent single oversized chunk from buffering
+          if (data.length + chunk.length > MAX_RESPONSE_BYTES) {
+            req.destroy();
+            resolve(null);
+            return;
+          }
+          data += chunk;
+        });
         res.on('end', () => {
           resolve({ statusCode: res.statusCode, body: data });
         });
@@ -626,7 +680,8 @@ async function pullFromServer(config) {
 
     if (result && result.statusCode >= 200 && result.statusCode < 300) {
       try {
-        const knowledge = JSON.parse(result.body);
+        const knowledge = safeJsonParseString(result.body);
+        if (!knowledge || typeof knowledge !== 'object') return cached || null;
         knowledge._cachedAt = new Date().toISOString();
         saveCommunityCache(knowledge);
         return knowledge;
@@ -663,10 +718,13 @@ async function submitSuggestion(text, type, config) {
   const validTypes = ['idea', 'bug', 'improvement'];
   const suggestionType = validTypes.includes(type) ? type : 'idea';
 
+  // Strip PII from suggestion text before sending
+  const strippedText = stripPII(text.trim(), config);
+
   const suggestion = {
     anonId: getOrCreateAnonId(),
     type: suggestionType,
-    content: text.trim(),
+    content: typeof strippedText === 'string' ? strippedText : text.trim(),
     wogiflowVersion: getWogiFlowVersion(),
     submittedAt: new Date().toISOString()
   };
@@ -701,7 +759,7 @@ function queuePendingSuggestion(suggestion) {
     if (fs.existsSync(PENDING_SUGGESTIONS_PATH)) {
       try {
         const content = fs.readFileSync(PENDING_SUGGESTIONS_PATH, 'utf-8');
-        const parsed = JSON.parse(content);
+        const parsed = safeJsonParseString(content, []);
         if (Array.isArray(parsed)) {
           pending = parsed;
         }
@@ -737,7 +795,7 @@ async function retryPendingSuggestions(config) {
     const content = fs.readFileSync(PENDING_SUGGESTIONS_PATH, 'utf-8');
     let pending;
     try {
-      pending = JSON.parse(content);
+      pending = safeJsonParseString(content, null);
     } catch {
       return;
     }
@@ -785,7 +843,7 @@ function loadCommunityCache() {
   try {
     if (!fs.existsSync(COMMUNITY_CACHE_PATH)) return null;
     const content = fs.readFileSync(COMMUNITY_CACHE_PATH, 'utf-8');
-    return JSON.parse(content);
+    return safeJsonParseString(content, null);
   } catch {
     return null;
   }
@@ -887,25 +945,29 @@ function mergeModelIntelligence(items) {
       if (!fs.existsSync(filePath)) continue;
 
       const content = fs.readFileSync(filePath, 'utf-8');
+      const detail = (item.adjustments || item.strengths || item.weaknesses || '').slice(0, 500);
+      if (!detail) continue;
 
       // Check if community section already exists
       if (content.includes(COMMUNITY_MARKER)) {
-        // Section exists — check for this specific item
-        const detail = item.adjustments || item.strengths || item.weaknesses || '';
-        if (!detail || content.includes(detail.slice(0, 80))) {
+        // Scope dedup check to community section only (not full file)
+        const markerIndex = content.indexOf(COMMUNITY_MARKER);
+        const communitySection = content.slice(markerIndex);
+        if (communitySection.includes(detail)) {
           continue; // Already merged
         }
-        // Append to existing section
-        const markerIndex = content.indexOf(COMMUNITY_MARKER);
-        const insertPoint = content.indexOf('\n', markerIndex) + 1;
+        // Append at END of community section (next ## heading or EOF) for chronological order
+        const afterMarker = content.slice(markerIndex);
+        const nextHeadingMatch = afterMarker.match(/\n## /);
+        const insertPoint = nextHeadingMatch
+          ? markerIndex + nextHeadingMatch.index
+          : content.length;
         const newLine = `- ${detail}\n`;
         const updated = content.slice(0, insertPoint) + newLine + content.slice(insertPoint);
         fs.writeFileSync(filePath, updated, 'utf-8');
         merged++;
       } else {
         // Add new community section at end of file
-        const detail = item.adjustments || item.strengths || item.weaknesses || '';
-        if (!detail) continue;
         const section = `\n\n## Community Learnings\n${COMMUNITY_MARKER}\n- ${detail}\n`;
         fs.writeFileSync(filePath, content.trimEnd() + section, 'utf-8');
         merged++;
@@ -1013,7 +1075,7 @@ function mergePatterns(items) {
     // Check if this community pattern already exists
     if (content.includes(patternName)) continue;
 
-    const description = item.description.replace(/\|/g, '/'); // Escape pipes for table
+    const description = item.description.slice(0, 500).replace(/\|/g, '/'); // Escape pipes for table, cap length
     const occurrences = item.occurrences || 1;
     newRows.push(`| ${today} | ${patternName} | Community: ${description} | ${occurrences} | Informational |`);
     merged++;

package/scripts/flow-regression.js

@@ -16,9 +16,9 @@
 
 const fs = require('fs');
 const path = require('path');
-const { execSync } = require('child_process');
-const { getProjectRoot, colors, getConfig } = require('./flow-utils');
-const { getExec, getCommand } = require('./flow-script-resolver');
+const { execFileSync } = require('child_process');
+const { getProjectRoot, colors, getConfig, safeJsonParse } = require('./flow-utils');
+const { getExecParts, getCommand } = require('./flow-script-resolver');
 
 const PROJECT_ROOT = getProjectRoot();
 const STATE_DIR = path.join(PROJECT_ROOT, '.workflow', 'state');
@@ -37,7 +37,7 @@ function getCompletedTasks() {
   }
 
   try {
-    const ready = JSON.parse(fs.readFileSync(READY_PATH, 'utf8'));
+    const ready = safeJsonParse(READY_PATH, {});
     return ready.recentlyCompleted || [];
   } catch (err) {
     log('yellow', `Warning: Could not parse ready.json: ${err.message}`);
@@ -51,9 +51,17 @@ function getCompletedTasks() {
 function findTestFiles(taskId, taskData) {
   const testFiles = [];
 
-  // Check if task has explicit test files
+  // Check if task has explicit test files (validate paths to prevent injection)
   if (taskData?.testFiles) {
-    testFiles.push(...taskData.testFiles);
+    const SAFE_PATH = /^[a-zA-Z0-9_.\-/]+$/;
+    for (const tf of taskData.testFiles) {
+      if (typeof tf === 'string' && SAFE_PATH.test(tf) && !tf.includes('..')) {
+        const resolved = path.resolve(PROJECT_ROOT, tf);
+        if (resolved.startsWith(PROJECT_ROOT + path.sep) || resolved === PROJECT_ROOT) {
+          testFiles.push(tf);
+        }
+      }
+    }
     return testFiles;
   }
 
@@ -81,7 +89,12 @@ function findTestFiles(taskId, taskData) {
   // Also look in request-log for files changed
   const logPath = path.join(STATE_DIR, 'request-log.md');
   if (fs.existsSync(logPath)) {
-    const logContent = fs.readFileSync(logPath, 'utf8');
+    let logContent;
+    try {
+      logContent = fs.readFileSync(logPath, 'utf8');
+    } catch {
+      return [...new Set(testFiles)]; // Dedupe and return what we have
+    }
     // Escape special regex characters in taskId
     const escapedTaskId = taskId.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
     const taskPattern = new RegExp(`### R-\\d+.*${escapedTaskId}[\\s\\S]*?Files:\\s*([^\\n]+)`, 'i');
@@ -127,9 +140,9 @@ function runTaskTests(taskId, taskData) {
   log('white', `   Running tests: ${testFiles.join(', ')}`);
 
   try {
-    // Try to run tests with common test runners
-    const testCommand = detectTestRunner(testFiles);
-    execSync(testCommand, {
+    // Try to run tests with common test runners (using execFileSync for injection safety)
+    const { cmd, args } = detectTestRunner(testFiles);
+    execFileSync(cmd, args, {
       cwd: PROJECT_ROOT,
       stdio: 'pipe',
       timeout: 60000 // 1 minute timeout per task
@@ -151,44 +164,49 @@ function runTaskTests(taskId, taskData) {
 }
 
 /**
- * Detect which test runner to use
+ * Detect which test runner to use.
+ * Returns { cmd, args } for use with execFileSync (prevents shell injection).
+ * @returns {{ cmd: string, args: string[] }}
  */
 function detectTestRunner(testFiles) {
   const packageJson = path.join(PROJECT_ROOT, 'package.json');
 
   if (fs.existsSync(packageJson)) {
     try {
-      const pkg = JSON.parse(fs.readFileSync(packageJson, 'utf8'));
+      const pkg = safeJsonParse(packageJson, {});
 
       // Check scripts
       if (pkg.scripts?.test) {
         // If specific files, pass them
         if (testFiles.length > 0) {
-          const fileArgs = testFiles.join(' ');
           // Jest-style
           if (pkg.devDependencies?.jest || pkg.dependencies?.jest) {
-            return `${getExec('jest')} ${fileArgs} --passWithNoTests`;
+            return getExecParts('jest', [...testFiles, '--passWithNoTests']);
           }
           // Vitest
           if (pkg.devDependencies?.vitest || pkg.dependencies?.vitest) {
-            return `${getExec('vitest')} run ${fileArgs}`;
+            return getExecParts('vitest', ['run', ...testFiles]);
           }
           // Mocha
           if (pkg.devDependencies?.mocha || pkg.dependencies?.mocha) {
-            return `${getExec('mocha')} ${fileArgs}`;
+            return getExecParts('mocha', testFiles);
           }
         }
-        // Fallback to resolved test command
-        const testCmd = getCommand('test') || 'npm test';
-        return `${testCmd} -- --passWithNoTests`;
+        // Fallback to resolved test command via package manager
+        const testCmd = getCommand('test');
+        if (testCmd) {
+          const parts = testCmd.split(/\s+/);
+          return { cmd: parts[0], args: [...parts.slice(1), '--', '--passWithNoTests'] };
+        }
+        return { cmd: 'npm', args: ['test', '--', '--passWithNoTests'] };
       }
-    } catch (err) {
+    } catch {
       // package.json is malformed, fall through to default
     }
   }
 
   // Default to jest via exec resolver
-  return `${getExec('jest')} ${testFiles.join(' ')} --passWithNoTests`;
+  return getExecParts('jest', [...testFiles, '--passWithNoTests']);
 }
 
 /**

package/scripts/flow-script-resolver.js

@@ -27,7 +27,7 @@ const path = require('path');
  * Validate a script name is safe for shell usage.
  * Rejects names containing shell metacharacters.
  */
-const UNSAFE_CHARS = /[;&|$`()"'\\<>!\n\r]/;
+const UNSAFE_CHARS = /[;&|$`()"'\\<>!\n\r/]/;
 function isSafeScriptName(name) {
   return typeof name === 'string' && name.length > 0 && name.length < 100 && !UNSAFE_CHARS.test(name);
 }
@@ -183,8 +183,9 @@ function getCommand(name, options = {}) {
   // 1. Check config override
   const configScripts = config.scripts || {};
   if (configScripts[name] && typeof configScripts[name] === 'string') {
-    // Validate config override is safe
-    if (!isSafeScriptName(configScripts[name].split(' ')[0])) return null;
+    // Validate entire config override — reject if any part contains shell metacharacters
+    const overrideParts = configScripts[name].trim().split(/\s+/).filter(Boolean);
+    if (!overrideParts.every(part => isSafeScriptName(part))) return null;
     return configScripts[name];
   }
 

package/scripts/flow-utils.js

@@ -750,17 +750,19 @@ function safeJsonParse(filePath, defaultValue = null) {
 }
 
 /**
- * Safely parse a JSON string with prototype pollution protection
- * Use this when you already have the JSON content as a string
+ * Safely parse a JSON string with prototype pollution protection.
+ * Use this when you already have the JSON content as a string.
+ * Note: Unlike safeJsonParse (file-based), this allows arrays through
+ * since it validates typeof === 'object' which is true for arrays.
  * @param {string} jsonString - JSON string to parse
  * @param {*} [defaultValue=null] - Default value if parsing fails
- * @returns {object|null} Parsed JSON or defaultValue on error
+ * @returns {object|Array|null} Parsed JSON (object or array) or defaultValue on error
  */
 function safeJsonParseString(jsonString, defaultValue = null) {
   try {
     const parsed = JSON.parse(jsonString);
 
-    // Validate it's an object (not array or primitive for config files)
+    // Validate it's an object or array (not primitive for config files)
     if (typeof parsed !== 'object' || parsed === null) {
       return defaultValue;
     }

package/scripts/hooks/core/extension-registry.js

@@ -17,14 +17,21 @@
 
 const registeredExtensions = new Map();
 
+// Extension names must be DNS-label-like: lowercase alphanumeric + hyphens, no trailing hyphens, max 64 chars
+const VALID_EXTENSION_NAME = /^[a-z0-9]([a-z0-9-]{0,62}[a-z0-9])?$/;
+
 /**
  * Register an extension's hook module.
+ * Note: This registry is in-process only — each hook invocation runs in a fresh
+ * Node.js process, so registrations do not persist across hook calls.
+ * For cross-invocation extension state, use settings.json (as postinstall.js does).
+ *
  * @param {string} name - Extension name (e.g., 'teams')
  * @param {Object} hookModule - Module object with hook functions
  * @returns {boolean} True if registered, false if already exists
  */
 function register(name, hookModule) {
-  if (!name || typeof name !== 'string') {
+  if (!name || typeof name !== 'string' || !VALID_EXTENSION_NAME.test(name)) {
     if (process.env.DEBUG) {
       console.error(`[extension-registry] Invalid extension name: ${name}`);
     }

package/scripts/hooks/entry/claude-code/session-start.js

@@ -11,6 +11,7 @@ const { gatherSessionContext } = require('../../core/session-context');
 const { claudeCodeAdapter } = require('../../adapters/claude-code');
 const { setCliSessionId, clearStaleCurrentTaskAsync } = require('../../../flow-session-state');
 const { checkAndResetStalePhase } = require('../../core/phase-gate');
+const { safeJsonParseString } = require('../../../flow-utils');
 
 // Lazy-load bridge state to avoid circular dependencies
 let autoSyncBridge = null;
@@ -42,7 +43,7 @@ async function main() {
       inputData += chunk;
     }
 
-    const input = inputData ? JSON.parse(inputData) : {};
+    const input = inputData ? (safeJsonParseString(inputData, {}) || {}) : {};
     const parsedInput = claudeCodeAdapter.parseInput(input);
 
     // Store CLI session ID for tracking (CLI-agnostic via session-state)
@@ -109,17 +110,20 @@ async function main() {
         // Retry pending suggestions (fire-and-forget)
         community.retryPendingSuggestions(config).catch(() => {});
 
-        // Pull community knowledge (fire-and-forget, updates cache)
-        const knowledge = await community.pullFromServer(config);
-        if (knowledge && coreResult && coreResult.context) {
-          coreResult.context.communityKnowledge = knowledge;
-
-          // Merge community knowledge into local state files (Phase C2)
-          try {
-            community.mergeCommunityKnowledge(knowledge, config);
-          } catch (mergeErr) {
-            if (process.env.DEBUG) {
-              console.error(`[session-start] Community merge failed: ${mergeErr.message}`);
+        // Pull community knowledge (respects pullOnSessionStart toggle)
+        if (config.community?.pullOnSessionStart !== false) {
+          // Non-blocking pull with 5s timeout — uses cache if unavailable
+          const knowledge = await community.pullFromServer(config);
+          if (knowledge && coreResult && coreResult.context) {
+            coreResult.context.communityKnowledge = knowledge;
+
+            // Merge community knowledge into local state files (Phase C2)
+            try {
+              community.mergeCommunityKnowledge(knowledge, config);
+            } catch (mergeErr) {
+              if (process.env.DEBUG) {
+                console.error(`[session-start] Community merge failed: ${mergeErr.message}`);
+              }
             }
           }
         }