PyPI - invar-tools - Versions diffs - 1.16.0__py3-none-any.whl → 1.17.0__py3-none-any.whl - Mend

invar-tools 1.16.0py3-none-any.whl → 1.17.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

invar/core/format_strategies.py CHANGED Viewed

@@ -159,11 +159,13 @@ def text_with_pattern(
     )
     noise_lines = st.lists(noise_line, min_size=0, max_size=10)
+    # Note: Hypothesis will automatically explore different orderings of the lines,
+    # so explicit shuffling is unnecessary. The concatenation order is sufficient.
     return st.builds(
         lambda p, n: "\n".join(p + n),
         pattern_lines,
         noise_lines,
-    ).map(lambda x: "\n".join(sorted(x.split("\n"), key=lambda _: __import__("random").random())))
+    )
 @pre(lambda pattern: len(pattern) > 0)

invar/mcp/handlers.py CHANGED Viewed

@@ -24,6 +24,11 @@ def _validate_path(path: str) -> tuple[bool, str]:
     Returns (is_valid, error_message).
     Rejects paths that could be interpreted as shell commands or flags.
+    Note: This validation is for MCP (Model Context Protocol) handlers, which
+    are designed to provide AI agents with access to the project filesystem.
+    We validate format and reject shell injection patterns, but do not restrict
+    to working directory (unlike CLI tools) since MCP is a trusted local protocol.
     """
     if not path:
         return True, ""  # Empty path defaults to "." in handlers
@@ -38,9 +43,13 @@ def _validate_path(path: str) -> tuple[bool, str]:
         if char in path:
             return False, f"Invalid path: contains forbidden character: {char!r}"
-    # Try to resolve path - this catches malformed paths
+    # Resolve path to canonical form, following symlinks
+    # This ensures path is valid and catches directory traversal attempts
     try:
         Path(path).resolve()
+        # Note: We don't restrict to cwd here because MCP handlers are designed
+        # to access the full project. If path restriction is needed, implement
+        # at the MCP server level, not per-handler.
     except (OSError, ValueError) as e:
         return False, f"Invalid path: {e}"

invar/node_tools/eslint-plugin/cli.js CHANGED Viewed

@@ -16,6 +16,7 @@
 import { ESLint } from 'eslint';
 import { resolve, dirname } from 'path';
 import { fileURLToPath } from 'url';
+import { statSync, realpathSync } from 'fs';
 import plugin from './index.js';
 // Get directory containing this CLI script (for resolving node_modules)
 const __filename = fileURLToPath(import.meta.url);
@@ -58,15 +59,32 @@ async function main() {
         process.exit(0);
     }
     const projectPath = resolve(args.projectPath);
-    // Validate resolved path is within current working directory or explicit allowed paths
+    // Validate resolved path is within current working directory
     // This prevents path traversal attacks via "../../../etc/passwd" patterns
+    // and symlink-based bypasses (e.g., "./symlink_inside/../../../etc/passwd")
     const cwd = process.cwd();
-    if (!projectPath.startsWith(cwd) && !projectPath.startsWith('/')) {
-        console.error(`Error: Project path must be within current directory`);
-        console.error(`  Requested: ${args.projectPath}`);
-        console.error(`  Resolved: ${projectPath}`);
-        console.error(`  Working dir: ${cwd}`);
-        process.exit(1);
+    try {
+        // Use realpath to resolve symlinks and prevent bypass attacks
+        const realProjectPath = realpathSync(projectPath);
+        const realCwd = realpathSync(cwd);
+        if (!realProjectPath.startsWith(realCwd)) {
+            console.error(`Error: Project path must be within current directory`);
+            console.error(`  Requested: ${args.projectPath}`);
+            console.error(`  Resolved: ${realProjectPath}`);
+            console.error(`  Working dir: ${realCwd}`);
+            process.exit(1);
+        }
+    }
+    catch (error) {
+        // If realpath fails (path doesn't exist), fall back to string comparison
+        // This allows error messages to be more specific
+        if (!projectPath.startsWith(cwd)) {
+            console.error(`Error: Project path must be within current directory`);
+            console.error(`  Requested: ${args.projectPath}`);
+            console.error(`  Resolved: ${projectPath}`);
+            console.error(`  Working dir: ${cwd}`);
+            process.exit(1);
+        }
     }
     try {
         // Get the rules config for the selected mode
@@ -93,8 +111,36 @@ async function main() {
                 '@invar': plugin, // Register our plugin programmatically
             },
         }); // Type assertion for ESLint config complexity
-        // Lint the project
-        const results = await eslint.lintFiles([projectPath]);
+        // Lint the project - detect if path is a file or directory
+        // ESLint defaults to .js only, so we need glob patterns for .ts/.tsx
+        let filesToLint;
+        try {
+            const stats = statSync(projectPath);
+            // Note: Advisory check for optimization - TOCTOU race condition is acceptable
+            // because ESLint will handle file system changes gracefully during actual linting
+            if (stats.isFile()) {
+                // Single file - lint it directly
+                filesToLint = [projectPath];
+            }
+            else if (stats.isDirectory()) {
+                // Directory - use glob patterns for TypeScript files primarily
+                // Note: Focus on TypeScript files as this is a TypeScript Guard tool
+                filesToLint = [
+                    `${projectPath}/**/*.ts`,
+                    `${projectPath}/**/*.tsx`,
+                ];
+            }
+            else {
+                console.error(`Error: Path is neither a file nor a directory: ${projectPath}`);
+                process.exit(1);
+            }
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            console.error(`Error: Cannot access path: ${errorMessage}`);
+            process.exit(1);
+        }
+        const results = await eslint.lintFiles(filesToLint);
         // Output in standard ESLint JSON format (compatible with guard_ts.py)
         const formatter = await eslint.loadFormatter('json');
         const resultText = await Promise.resolve(formatter.format(results, {

invar-tools 1.16.0__py3-none-any.whl → 1.17.0__py3-none-any.whl

invar-tools 1.16.0py3-none-any.whl → 1.17.0py3-none-any.whl